In 2017, President Donald Trump issued an executive order focused on cybersecurity that specifically called out the need for a federal response to internet-of-things-based botnet attacks. That led to a botnet “roadmap” being developed by late 2018 and a series of federal efforts to reduce the risks that IoT devices can be co-opted into botnets, provide guidance to enterprises on how to manage their IoT devices, recommend improvements to infrastructure security, establish guidelines on secure software development and more.
The federal efforts are not expected to be a panacea for the problem, however. “The botnet challenge will not be resolved quickly. This as an ecosystemwide problem that requires sustained collaboration across industry, government, academia, and civil society,” concludes a recently published update to the Botnet Roadmap. Two related research reports commissioned by the Department of Homeland Security — one on technical approaches to implementing botnet-related recommendations, and a second one around trends related to botnet growth — “suggest that botnets will continue to be a threat for the foreseeable future, and in largely predictable fashion.”
If a botnet operator can compromise a device, they generally will — and botnet operators are competing with each other for target devices, according to the updated roadmap report. “Observation of current botnets seems to suggest that virtually any compromised device is seen as having some benefit by a botnet operator, and if the opportunity for compromise is there, the botnet operator usually takes it,” the report says. “At the same time, different botnets often end up competing with each other for resources. Certain popular software products with known vulnerabilities are often targeted by multiple botnets, and botnets have been seen removing competing bots and even patching systems once they have installed their own malware to prevent other botnets from gaining access.”
The two DHS reports outlined a number of predictions for how IoT botnets will evolve in the coming years. Those include:
-Botnets will leverage new types of connected devices, that will “likely lead to even more types of consumer IoT products being coopted into botnets, and potentially greater utilization of mobile/wearable devices and other classes of IoT (such as industrial devices).”
-Smaller but more powerful botnets. The botnet trend report commissioned by DHS said that there is a good likelihood that rather than get ever-larger, botnets will be smaller but advanced. “There appear to be multiple factors that limit the size of modern botnets, including limited targets, competition from other botnets, and the desire to avoid triggering coordinated responses by defenders. While it is true that botnets are growing ever more powerful (as evidenced by the steady increase in the magnitude of Distributed Denial of Service (DDoS) attacks), that seems to have more to do with better tools and techniques than raw size,” according to the Botnet Roadmap update.
-Botnet operations will be “enhanced and extended,” including the continued use of social media botnets both as a means of making money from social media communities an ” as a way to try to influence the opinions and politics of these communities.”
-Botnets will get more sophisticated to sidestep efforts to disrupt them, with likely development of new ways to evade detection, get control of target systems and increased resilience.
-More state-sponsored botnet attacks. “It is likely that an increasing number of state actors will see operations in cyberspace as a means to further their national agendas and will see botnets as a powerful tool towards those ends,” the roadmap report says.
-Continued uneven global distribution, due to language and cultural familiarity, not wanting to draw law enforcement attention in the region in which the botnet operators physically reside and factors such as targeting certain types or models of devices that have greater penetration in specific regions.
The BotNet Roadmap report update is available here (pdf).