Detecting "bot rot" using log management or SIEM


There are many kinds of tools that can help detect the presence of a bot. Log management and SIEM tools are helpful in detecting the communication that is a hallmark of a botnet. Experts provide their advice on how to use such tools to determine if a bot is at work on your network.

In last week's newsletter, I talked about the growing sophistication of botnets and how easily they can invade your network. For this week's article, I reached out to a number of experts in the logging and security information and event management (SIEM) market to get their advice on how such tools can aid in the detection of a bot infestation.

There are many kinds of tools that can help detect the presence of a bot. I started with the logging/SIEM experts because of the communication nature of bots. Once a PC has been turned into a bot, it will begin exhibiting specific behaviors that include communicating with a command and control (C&C) master. This communication typically follows a pattern that is detectable by analyzing and/or correlating logs and looking for activities that stand out as "not the norm."


According to A. N. Ananth, CEO of Prism Microsystems, we are in a state of "asymmetrical warfare" when it comes to battling botnets. He says the good guys are doing all they can to secure their networks, but all the bad guys need is one "win" to establish a foothold on someone's network. Fortunately, Ananth says, we have a reasonable shot of finding that foothold using technology. "We can't give up the homeland," he says.

He suggests several ways of detecting the presence of bots on your network (assuming you didn't detect them at the time of infection). One method is file integrity monitoring, a technique that lets you see what has changed on a system from one day to the next. You can compare the state of a PC to its earlier "clean" self, or compare that PC to a "golden baseline" configuration that you know is clean. You'd be looking in particular for any additions or changes to executable files or DLLs. Bot malware will sometimes modify or rename a legitimate executable file in an attempt to hide.
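The baseline comparison Ananth describes, written out as an added example (this is not code from the article or from EventTracker): take a SHA-256 snapshot of the executables and DLLs under a tree, keep it as the golden baseline, and later diff a fresh snapshot against it. The watched extensions, the temporary directory tree and the simulated "infection" are all constructed for the demo.

```python
"""File-integrity check for executables: compare a directory tree against a
golden baseline of SHA-256 hashes and report additions, changes and removals.
Added example; the watched suffixes and the sample tree are assumptions."""
import hashlib
import tempfile
from pathlib import Path

# Assumption: the file types you baseline. Ananth singles out EXEs and DLLs.
WATCHED_SUFFIXES = {".exe", ".dll", ".sys"}

def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every watched file under root."""
    result = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            result[p.relative_to(root).as_posix()] = sha256_of(p)
    return result

def diff_against_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """The three kinds of drift a bot leaves behind: new files, deleted files,
    and files whose contents changed (a patched or replaced legitimate binary)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}

def demo() -> dict[str, list[str]]:
    """Build a throwaway tree, take a golden baseline, then simulate bot drift.
    Everything here is constructed: the paths mimic a Windows layout only."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "Windows" / "System32"
        sys32.mkdir(parents=True)
        (sys32 / "notepad.exe").write_bytes(b"MZ clean notepad")
        (sys32 / "kernel32.dll").write_bytes(b"MZ clean kernel32")
        (sys32 / "readme.txt").write_bytes(b"not an executable, so not baselined")
        golden = snapshot(root)
        # Simulated infection: notepad.exe is overwritten, a new DLL is dropped.
        (sys32 / "notepad.exe").write_bytes(b"MZ trojanised notepad")
        (sys32 / "wuaupd.dll").write_bytes(b"MZ dropped by bot")
        return diff_against_baseline(golden, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:8s} {p}")
```

In practice the golden snapshot is stored off the host (a bot that can overwrite notepad.exe can overwrite a baseline file sitting next to it), and "changed" hits on files that are not part of a known patch cycle are the ones to chase first.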

Ananth also suggests turning on process auditing on Windows-based systems. This logs each process that is started, so you can look for a process that never ran before and is now running. That points to a new, possibly nefarious executable on the PC.

Another bot detection technique for Windows systems is network connection monitoring: an agent looks at all traffic coming in and going out and flags anything suspicious. You'd also want to look for communication to unusual ports, although Ananth cautions that bots try to "hide in plain sight" by using the normal communication ports.
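The two host-side checks above, process auditing and connection monitoring, correlated in one added example (not code from the article or from EventTracker). The process events mimic the fields of Windows event 4688, the connection records a generic per-process connection log; host names, paths, addresses and the port baseline are all constructed. Cross-referencing the two sources is what catches the "normal port" evasion: a never-seen image is flagged even when it beacons on 443.

```python
"""Host-side bot checks over constructed records: (1) a process image that has
never run on this host before, and (2) outbound connections that are either to
a port outside the host's normal profile or made by one of those new images.
Added example; every host, path, address and baseline here is an assumption."""
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "host image parent")
ConnEvent = namedtuple("ConnEvent", "host image dst_ip dst_port")

# Constructed baseline: images observed on WS01 during a known-clean period.
KNOWN_IMAGES = {
    "WS01": {
        r"C:\Windows\System32\svchost.exe",
        r"C:\Windows\explorer.exe",
        r"C:\Program Files\Office\winword.exe",
    },
}
# Constructed baseline: destination ports WS01 normally uses outbound.
NORMAL_PORTS = {"WS01": {53, 80, 443, 445}}

# Constructed process-creation events (fields mimic event 4688).
PROC_LOG = [
    ProcEvent("WS01", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ProcEvent("WS01", r"C:\Program Files\Office\winword.exe", r"C:\Windows\explorer.exe"),
    # A document macro spawns an executable dropped into the user's profile.
    ProcEvent("WS01", r"C:\Users\alice\AppData\Roaming\msupdate.exe", r"C:\Program Files\Office\winword.exe"),
]

# Constructed connection records from the same host.
CONN_LOG = [
    ConnEvent("WS01", r"C:\Program Files\Office\winword.exe", "10.0.0.5", 445),
    ConnEvent("WS01", r"C:\Windows\explorer.exe", "198.51.100.2", 443),
    # Hide in plain sight: the dropped binary beacons on 443 like a browser would.
    ConnEvent("WS01", r"C:\Users\alice\AppData\Roaming\msupdate.exe", "203.0.113.7", 443),
    # Legitimate image, but an outbound port this workstation never uses (IRC).
    ConnEvent("WS01", r"C:\Windows\System32\svchost.exe", "203.0.113.9", 6667),
]

def new_processes(events, known=KNOWN_IMAGES):
    """Process events whose image path is absent from the host's baseline."""
    return [e for e in events if e.image not in known.get(e.host, set())]

def odd_connections(events, normal=NORMAL_PORTS, flagged_images=frozenset()):
    """Connections to an unusual port, or made by an already-flagged image.
    The second test is what defeats the normal-port evasion."""
    out = []
    for e in events:
        unusual_port = e.dst_port not in normal.get(e.host, set())
        from_new_image = e.image in flagged_images
        if unusual_port or from_new_image:
            out.append(e)
    return out

def run(proc_log=PROC_LOG, conn_log=CONN_LOG):
    """Correlate the two sources: find new processes, then their connections."""
    fresh = new_processes(proc_log)
    conns = odd_connections(conn_log, flagged_images={e.image for e in fresh})
    return fresh, conns

if __name__ == "__main__":
    fresh, conns = run()
    for e in fresh:
        print(f"NEW PROCESS  {e.host}: {e.image} (parent {e.parent})")
    for e in conns:
        print(f"ODD CONNECT  {e.host}: {e.image} -> {e.dst_ip}:{e.dst_port}")
```

Run against only the connection log, the port check alone finds the IRC connection and misses the beacon on 443; it is the process baseline that surfaces the dropped binary, and the parent (winword.exe spawning an executable from a user profile) is the detail an analyst would pivot on.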

Ananth says these techniques are all tedious unless you have automation. You wouldn't want to expend human time to dig through logs or compare files. His company's tool, EventTracker, automates these and other common tasks to help you find anomalous behavior on your network.

My next expert is Dimitri McKay, a security architect at LogLogic who works closely with customers facing issues with botnets. LogLogic's Security Event Manager can help automate the tasks McKay recommends below.

"Traditionally botnets are detected locally on a machine via spyware/malware and antivirus detection software or by using IDS programs that may download a fingerprint of a botnet program or message type," McKay says. "However, there is one big downside to this approach: they can only detect known botnet activity, since they rely on a known signature or fingerprint."

McKay suggests that a simpler and more reliable alternative to reveal botnet activity is to monitor your firewall log data. It works like this: "Botnets communicate in a highly synchronized fashion," he says. "The first step in botnet detection is blocking SMTP Port 25 for both incoming and outgoing traffic. Route mail only through your own mail server, but block it everywhere else. From there your firewall logs can be used to display any intruder machines trying to send spam from your network. Watch for a large number of DNS queries. Botnets normally do a ton more DNS lookups than normal. This can be a big indicator as well."

Because botnet C&C servers are often outside the United States, McKay adds this advice: "Look for MX lookups going to .ru, .cn and .info domains. These illustrate communication with the master node in order to receive updates and instructions. ALL botnets, regardless of function, communicate with a central server."
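McKay's three firewall- and DNS-log checks from the two paragraphs above, as one added example (not code from the article or from LogLogic): outbound SMTP from anything other than the mail relay, hosts doing far more DNS lookups than their peers, and MX lookups for names under .ru, .cn and .info. The key=value log format, the addresses and names, the relay address and the thresholds are constructed assumptions.

```python
"""Firewall- and DNS-log bot checks over constructed log lines: (1) outbound
SMTP from non-relay hosts, (2) DNS heavy hitters relative to their peers, and
(3) MX lookups under suspect TLDs. Added example; format, addresses, names
and thresholds are assumptions."""
import re
from collections import Counter, defaultdict
from statistics import median

MAIL_RELAY = "10.0.0.25"       # assumption: the only host allowed to send SMTP out
SUSPECT_TLDS = {"ru", "cn", "info"}
DNS_RATIO = 5                  # assumption: flag a host doing >5x the median lookups

# Constructed syslog-style firewall lines (key=value, as many vendors emit).
FIREWALL_LOG = """
Oct 2 09:00:01 fw1 action=allow src=10.0.0.25 dst=192.0.2.10 proto=tcp dport=25
Oct 2 09:00:02 fw1 action=allow src=10.0.0.11 dst=192.0.2.20 proto=tcp dport=443
Oct 2 09:00:03 fw1 action=deny src=10.0.0.13 dst=203.0.113.40 proto=tcp dport=25
Oct 2 09:00:04 fw1 action=deny src=10.0.0.13 dst=203.0.113.41 proto=tcp dport=25
Oct 2 09:00:05 fw1 action=allow src=10.0.0.12 dst=192.0.2.30 proto=udp dport=53
""".strip().splitlines()

# Constructed resolver log; 10.0.0.13 is then padded with a burst of lookups
# so the volume check has something to find.
DNS_LOG = """
Oct 2 09:00:01 ns1 client=10.0.0.25 query=example.com. type=MX
Oct 2 09:00:02 ns1 client=10.0.0.11 query=www.example.com. type=A
Oct 2 09:00:02 ns1 client=10.0.0.11 query=cdn.example.net. type=A
Oct 2 09:00:03 ns1 client=10.0.0.11 query=mail.example.com. type=A
Oct 2 09:00:03 ns1 client=10.0.0.12 query=www.example.org. type=A
Oct 2 09:00:04 ns1 client=10.0.0.12 query=api.example.org. type=A
Oct 2 09:00:05 ns1 client=10.0.0.13 query=c2.example.ru. type=MX
Oct 2 09:00:05 ns1 client=10.0.0.13 query=update.example.cn. type=A
""".strip().splitlines()
DNS_LOG += [f"Oct 2 09:00:06 ns1 client=10.0.0.13 query=host{i}.example.info. type=A"
            for i in range(40)]

FW_RE = re.compile(r"action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
                   r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)")
DNS_RE = re.compile(r"client=(?P<src>[\d.]+) query=(?P<qname>\S+) type=(?P<qtype>\w+)")

def parse(lines, rx):
    """Yield one dict per line the regex recognises; other lines are skipped."""
    for line in lines:
        m = rx.search(line)
        if m:
            yield m.groupdict()

def smtp_violators(lines=FIREWALL_LOG):
    """Internal hosts speaking SMTP outbound that are not the mail relay.
    Denied attempts count too: with port 25 blocked, a deny is the symptom."""
    return sorted({r["src"] for r in parse(lines, FW_RE)
                   if r["proto"] == "tcp" and r["dport"] == "25" and r["src"] != MAIL_RELAY})

def dns_heavy_hitters(lines=DNS_LOG, ratio=DNS_RATIO):
    """Hosts whose lookup count exceeds ratio x the median across all hosts."""
    counts = Counter(r["src"] for r in parse(lines, DNS_RE))
    if not counts:
        return {}
    baseline = median(counts.values())
    return {h: n for h, n in counts.items() if n > ratio * baseline}

def tld(qname):
    """Last label of a (possibly fully qualified) name, lower-cased."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()

def suspect_mx_lookups(lines=DNS_LOG, tlds=SUSPECT_TLDS):
    """MX lookups for names under the flagged TLDs, grouped by querying host."""
    hits = defaultdict(set)
    for r in parse(lines, DNS_RE):
        if r["qtype"] == "MX" and tld(r["qname"]) in tlds:
            hits[r["src"]].add(r["qname"].rstrip("."))
    return {h: sorted(v) for h, v in hits.items()}

if __name__ == "__main__":
    print("SMTP from non-relay hosts:", smtp_violators())
    print("DNS heavy hitters:", dns_heavy_hitters())
    print("MX lookups to suspect TLDs:", suspect_mx_lookups())
```

The DNS volume check is relative to the median rather than an absolute count so that the legitimate mail relay, which also does many lookups, is not the first thing flagged; the TLD list is McKay's and is a coarse filter, so tuning it to your own traffic is assumed.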

Matt Petersen, head of the knowledge engineering team at LogRhythm, also weighed in on the subject of using logs to detect the presence of bots. LogRhythm's technology enriches device logs with metadata that can be used when searching for bot activity. For example, the metadata can tell you the direction of traffic (inbound/outbound), the size of a message or an attachment, the frequency of a type of activity from a specific source, and more. Canned report categories in the logging product can be set to look for this metadata; for example, an unusually high amount of outbound traffic from a host might indicate that it is taking part in a denial-of-service attack.

Petersen also recommends looking for multiple successive attempts to access sensitive data such as account records. Whether the attempts succeed or fail, the fact that they are happening frequently can indicate that a bot, or perhaps a rogue employee, is trying to get at the data. And like Prism's Ananth, Petersen says that file integrity monitoring can help find bot-related malware that hides inside legitimate applications such as Notepad.
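The enrichment and frequency checks Petersen describes in the two paragraphs above, as an added example (not code from the article or from LogRhythm): derive a direction for each flow from your own internal address range, sum outbound bytes per host to spot a flooder, and find bursts of attempts against a sensitive resource regardless of outcome. The internal range, byte limit, window, threshold and all records are constructed assumptions.

```python
"""Log enrichment and frequency checks over constructed records: tag flows
with a direction, total outbound bytes per host, and detect bursts of access
attempts (failed or successful) against a sensitive resource. Added example;
the address range, thresholds and records are assumptions."""
import ipaddress
from collections import defaultdict, namedtuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # assumption: your internal range
OUTBOUND_LIMIT = 200 * 1024 * 1024                # assumption: 200 MB per host per window
ACCESS_WINDOW_S = 60                              # assumption: one-minute sliding window
ACCESS_THRESHOLD = 10                             # assumption: 10+ attempts in the window

Flow = namedtuple("Flow", "ts src dst nbytes")
Access = namedtuple("Access", "ts src resource outcome")

# Constructed flow records; timestamps are seconds, sizes in bytes.
FLOWS = [
    Flow(0, "10.0.0.11", "192.0.2.20", 5 * 1024 * 1024),
    Flow(1, "192.0.2.20", "10.0.0.11", 40 * 1024 * 1024),    # a download: inbound
    Flow(2, "10.0.0.11", "10.0.0.5", 100 * 1024 * 1024),     # file share: internal
    Flow(3, "10.0.0.13", "203.0.113.9", 150 * 1024 * 1024),
    Flow(4, "10.0.0.13", "203.0.113.9", 150 * 1024 * 1024),  # 300 MB out in total
]

# Constructed access-log events against an account-records application:
# two normal reads from 10.0.0.11, twelve attempts in 55 s from 10.0.0.13.
ACCESS = [Access(t, "10.0.0.11", "accounts", "ok") for t in (5, 300)] + [
    Access(t, "10.0.0.13", "accounts", "fail" if t % 3 else "ok") for t in range(100, 160, 5)
]

def direction(flow, internal=INTERNAL):
    """Metadata the raw flow record lacks: inbound, outbound or internal."""
    s = ipaddress.ip_address(flow.src) in internal
    d = ipaddress.ip_address(flow.dst) in internal
    if s and not d:
        return "outbound"
    if d and not s:
        return "inbound"
    return "internal"

def outbound_bytes(flows=FLOWS):
    """Bytes each internal host sent to the outside world."""
    totals = defaultdict(int)
    for f in flows:
        if direction(f) == "outbound":
            totals[f.src] += f.nbytes
    return dict(totals)

def high_outbound_hosts(flows=FLOWS, limit=OUTBOUND_LIMIT):
    """Hosts above the outbound limit: candidates for DoS or exfiltration."""
    return sorted(h for h, n in outbound_bytes(flows).items() if n > limit)

def access_bursts(events=ACCESS, resource="accounts",
                  window=ACCESS_WINDOW_S, threshold=ACCESS_THRESHOLD):
    """Per source, the largest number of attempts on `resource` inside any
    sliding window. Outcome is ignored on purpose: frequency is the signal."""
    times = defaultdict(list)
    for e in events:
        if e.resource == resource:
            times[e.src].append(e.ts)
    worst = {}
    for src, ts in times.items():
        ts.sort()
        lo, peak = 0, 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            worst[src] = peak
    return worst

if __name__ == "__main__":
    print("outbound bytes:", outbound_bytes())
    print("hosts over outbound limit:", high_outbound_hosts())
    print("access bursts:", access_bursts())
```

Direction is computed from the address pair rather than taken from the device, because a firewall log and an application log rarely agree on what "inbound" means; once every record carries the same direction and size fields, the outbound-volume and burst reports are simple aggregations.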

I've always maintained that log data contains a wealth of information. Training your log management and SIEM applications on specific kinds of log data can help you discover the "bot rot" within your network.

Coming next week: still more signs that point to botnet activity on your network.

Learn more about this topic

Top 4 tips to fight off botnet denial-of-service attacks

Botnet economy runs wild

10 of the worst moments in network security history