Botnets continue to spread to places never dreamed of a few years ago. But you can fight them off, and these tips can help.

Botnets have been around for over two decades, and with the rise of the Internet of Things (IoT), they have spread further to devices no one imagined they would: routers, mobile devices, and even toasters.

Some botnets are legions of bot-soldiers waiting for a command to attack a target server, generally to overwhelm the server with a distributed denial-of-service (DDoS) attack. Other botnets target specific devices by stealing passwords or mining cryptocurrency. Cryptocurrency mining, in particular, has been a dramatically growing threat for organizations recently, with botnets such as Coinhive and CryptoLoot enabling cybercriminals to make as much as $100 million a year at the expense of victims’ computing power. Smominru, among the largest cryptocurrency-mining botnets, has infected over half a million machines using the infamous EternalBlue exploit leaked from the NSA.

To prevent botnet infections, organizations must be able to detect them. But botnet detection isn’t easy. Let’s explore some of the top techniques and challenges in botnet detection.

Methods for Botnet Detection
So, what’s a botnet? Simply put, it’s a cluster of bots — compromised computers and devices — that carry out commands given by the botnet owner. Usually, the botnet owner dedicates a command and control (C2) server, itself a compromised server, to communicate with the bots, typically via Internet Relay Chat (IRC) commands. The botnet owner uses the C2 server to order the bots to execute attacks, whether that’s DDoS attacks, data theft, identity theft, or another type of attack. Thus, the smoking gun that points to a botnet is its C2 server.

Unfortunately, finding the C2 isn’t usually a simple task. Many botnet commands emerge from multiple servers or take hidden forms, masking the malicious commands as harmless activity such as Tor network traffic, social media traffic, traffic between peer-to-peer services, or domain-generation algorithms. Further complicating matters, the commands are often very subtle, making it difficult to detect any anomalies.

One method for attempting to detect C2s is breaking down and analyzing the malware code. Organizations can try to disassemble the compiled code, from which they can sometimes identify the root source of the botnet’s commands. However, since botnet creators and administrators increasingly use integrated encryption, this technique is becoming less and less effective.

Generally, C2 detection requires visibility into the communication between a C2 server and its bots, but only security solutions that specifically protect C2 servers will have this kind of visibility. A more common approach for detecting botnets is tracking and analyzing the attacks themselves — into which standard security solutions provide visibility — and determining which attacks originated from botnets.

When looking at exploit attempts, there are a few possible indications for a botnet. For example, if the same IP addresses attack the same sites, at the same time, using the same payloads and attack patterns, there’s a good chance they’re part of a botnet. This is especially true if many IPs and sites are involved. One prominent example is a DDoS attempt by a botnet on a web service.

Source: Johnathan Azaria


False Positives
The likelihood of false positives makes botnet detection particularly difficult. Some payloads are widely used, raising the probability of a randomly occurring pattern triggering a false positive. Additionally, attackers can change their IP addresses by using a virtual private network or a proxy, making it look like many attackers or bots are involved when there’s really only one.

Hacking tools and vulnerability scanners also behave similarly enough to botnets to often return false positives. This is because hacking tools generate the same payloads and attack patterns, and many hackers use them, regardless of the color of their hat. And, if different players happen to conduct a penetration test on the same sites at the same time, it may look like a botnet attack.

Organizations can often identify false positives by Googling the payload and referencing any documented information around it. Another technique involves simply gleaning any information readily available within the raw request in the security solution. For example, if a vulnerability scanner is to blame, most security solutions will reveal that by identifying it, especially if it’s one of the more common vulnerability scanners.

False positives are an unavoidable challenge in botnet detection given the enormous amount of potential incidents; recent research shows that 27% of IT professionals receive over 1 million security alerts every day, while 55% receive more than 10,000. But with the right techniques and diligence, organizations can discern the harmless traffic from the malicious, botnet-driven traffic.
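The two heuristics above (the botnet indicator: the same payload hitting many sites from many IPs in the same window; and the false-positive check: the raw request reveals a well-known vulnerability scanner) can be combined into a small triage routine. The following is an added example written for this page, not code from the article or from any vendor product. The log events, the payload signature labels and the scanner User-Agent substrings are constructed, and the thresholds (60-second window, at least 3 source IPs and 2 target sites) are hypothetical tuning values.

```python
"""Cluster exploit attempts by (payload, time window) across source IPs and target sites,
then down-rank clusters that are explained entirely by a known vulnerability scanner."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, source_ip, target_site, payload_signature, user_agent).
# Payloads are abstract signature labels, not real attack strings.
EVENTS = [
    # Cluster 1: three IPs, two sites, same payload, same minute, browser-like UA -> botnet-like
    ("2019-02-20T10:00:05", "203.0.113.10", "shop.example", "sig:sqli-tautology", "Mozilla/5.0"),
    ("2019-02-20T10:00:15", "203.0.113.11", "shop.example", "sig:sqli-tautology", "Mozilla/5.0"),
    ("2019-02-20T10:00:25", "203.0.113.12", "blog.example", "sig:sqli-tautology", "Mozilla/5.0"),
    ("2019-02-20T10:00:35", "203.0.113.10", "blog.example", "sig:sqli-tautology", "Mozilla/5.0"),
    # Cluster 2: also three IPs, two sites, one minute, but every request self-identifies as a scanner
    ("2019-02-20T11:00:01", "198.51.100.7", "shop.example", "sig:traversal", "Nikto/2.1.6"),
    ("2019-02-20T11:00:10", "198.51.100.8", "blog.example", "sig:traversal", "Nikto/2.1.6"),
    ("2019-02-20T11:00:30", "198.51.100.9", "shop.example", "sig:traversal", "Nikto/2.1.6"),
    # Single IP probing two sites: below the IP threshold, not flagged
    ("2019-02-20T12:00:00", "192.0.2.5", "shop.example", "sig:sqli-tautology", "Mozilla/5.0"),
    ("2019-02-20T12:00:20", "192.0.2.5", "blog.example", "sig:sqli-tautology", "Mozilla/5.0"),
]

# Hypothetical list of User-Agent fragments used by common scanners; a real deployment
# would maintain this from its own observations and vendor documentation.
KNOWN_SCANNER_AGENTS = ("nikto", "sqlmap", "nmap", "nessus")

_EPOCH = datetime(1970, 1, 1)


def _seconds(ts):
    """Seconds since epoch for an ISO-8601 timestamp, independent of local time zone."""
    return int((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S") - _EPOCH).total_seconds())


def is_known_scanner(user_agent):
    """True if the raw request identifies itself as a well-known vulnerability scanner."""
    ua = user_agent.lower()
    return any(tag in ua for tag in KNOWN_SCANNER_AGENTS)


def find_botnet_candidates(events, window=60, min_ips=3, min_sites=2):
    """Group events by (payload, time bucket); report buckets with many IPs and many sites.

    Returns a list of dicts sorted by payload. A bucket whose every request carries a
    known scanner User-Agent is labelled 'likely-scanner' rather than 'botnet-candidate',
    reflecting the false-positive check described in the article.
    """
    buckets = defaultdict(lambda: {"ips": set(), "sites": set(), "count": 0, "scanner_hits": 0})
    for ts, ip, site, payload, ua in events:
        key = (payload, _seconds(ts) // window)
        b = buckets[key]
        b["ips"].add(ip)
        b["sites"].add(site)
        b["count"] += 1
        if is_known_scanner(ua):
            b["scanner_hits"] += 1

    results = []
    for (payload, bucket), b in buckets.items():
        if len(b["ips"]) >= min_ips and len(b["sites"]) >= min_sites:
            verdict = "likely-scanner" if b["scanner_hits"] == b["count"] else "botnet-candidate"
            results.append({
                "payload": payload,
                "window_start": bucket * window,
                "ips": len(b["ips"]),
                "sites": len(b["sites"]),
                "requests": b["count"],
                "verdict": verdict,
            })
    return sorted(results, key=lambda r: r["payload"])


if __name__ == "__main__":
    for r in find_botnet_candidates(EVENTS):
        print(r)
```

The scanner check only demotes a cluster when every request in it is scanner-tagged; a mixed cluster stays a candidate because a botnet may well embed a scanner's payloads. The single-IP rows illustrate the proxy/VPN caveat in reverse: one source cannot meet the multi-IP threshold, but a real deployment would also want to fold IPs behind the same proxy egress together before counting.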


Hackers are targeting airlines as never before, and this could affect your next flight. That’s the conclusion of a troubling new study of airline IT outages by Netscout, a provider of application and network performance management products.

Attacks against passenger air travel increased by more than 15,000% between 2017 and 2018, according to Netscout’s research.

That’s no decimal point error. 15,000%.

Why? Airlines are easier targets.

“Cybercriminals have traditionally concentrated attacks on internet service providers, telecoms, and cable operators,” says Hardik Modi, Netscout’s senior director for threat intelligence. “While those categories still represent prime targets, they are now relatively well protected.” Consequently, cybercriminals are now targeting the enterprise market, including passenger air travel, with real venom.

Sungard Availability Services, a provider of IT production and recovery services, tracks the major airline IT outage incidents. Its data shows their number steadily increasing.

Last year, the domestic airline industry had 10 major outages, the most since 2015, according to Sungard. It’s unknown what role, if any, cyberattacks played in these outages.

The trend appears to be accelerating in 2019. Southwest Airlines suffered a computer outage on Friday that temporarily grounded flights across the country. The airline said it suspended operations for about 50 minutes to ensure the performance of software systems that had been upgraded overnight. The airline also had a smaller outage in January that affected flights to and from Baltimore-Washington International Airport.

In January, 27 Alaska Airlines flights were delayed after the airline suffered a power outage in Seattle.

The incidents trigger an avalanche of consumer complaints to my nonprofit advocacy organization.


What’s going on with airline IT outages?

What’s happening? Distributed denial of service (DDoS) attacks are to blame for some of the outages, according to Netscout. DDoS attacks disrupt services of a host connected to the Internet. You can see some of these attacks in real time on a service like (here’s Southwest Airlines and here’s Alaska Airlines.)

“Disruptions to air travel are felt immediately,” explains Modi. “We’re all used to seeing images of grounded flights on the evening news, while delayed passengers make their frustrations known over social media channels.”


But not all of the attacks directly affect passengers. Netscout’s analysis also reveals a spike in attacks which passengers might not notice, with volumes reaching levels not seen since 2016.

“Our analysis also indicated that the size of attacks grew at an alarming rate during 2018,” Modi adds. “The maximum attack size recorded last year reached a staggering 245 Gbps (billions of bits per second, a measure of internet bandwidth). When comparing this to the maximum attack sizes recorded in 2016, which reached 124 Gbps, you begin to understand the increasing severity of these attacks.”

In other words, the flight disruptions you’re feeling are only a small part of a much bigger problem that is keeping airline IT workers busy this year. Data trends point to even more outages in the coming weeks, which also happen to be among the busiest for air travel.


How to prevent hackers from ruining your next flight

Airline IT outages can affect your next flight, as I pointed out in my Washington Post column last year.

No one knows when the next IT outage will happen, but there are steps you can take to protect yourself from the worst effects.

Consider travel insurance. The major carriers offer coverage for flight disruptions, which include any information-systems problems that cause delays or force an airline to cancel flights. Cast a broad net when you’re researching coverage. A company like Etherisc allows you to buy insurance up to 24 hours before your flight, track it in real time and receive an instant payout if your flight is delayed or canceled. There’s no formal claims process. I have an annual travel insurance policy through Allianz Travel Insurance that covers flight disruption.

Choose your airline carefully. Carriers that have been through multiple mergers are most likely to suffer an IT outage, due to the merged patchwork of systems, components and staffing. All of the major legacy airlines, plus Southwest Airlines, have recently completed mergers. Some are aggressively upgrading their aging IT equipment, which has led to a few hiccups.

Schedule your flight early and book it as a nonstop. Many IT outages happen in the afternoon or evening, as server loads spike. Passengers on early-morning flights aren’t affected. And flying nonstop lessens the chance that you’ll be stuck somewhere on a connection.

Know your rights. If you’re flying in the United States, your rights are outlined in the contract of carriage, the legal agreement between you and the airline. It’s a dense and often difficult-to-understand contract, but it contains several provisions that promise an airline will offer meal vouchers, phone cards and overnight hotel accommodations during a service disruption. While there’s no requirement that an airline must rebook you on a different carrier (known as endorsing the ticket), airlines are known to consider doing that on a case-by-case basis.

Could this be the year of the airline IT outage? Perhaps. Even if the first two months of the year are a fluke, you need to know the extent of the problem — and the fixes.


US and EMEA security professionals interviewed by the Neustar International Security Council (NISC) in January 2019 said that DDoS attacks are perceived as the highest threat to their organizations, with roughly half of their companies having been attacked in 2018.

Another 75% of all professionals who took part in NISC’s study said that they are deeply concerned about “bot traffic (bot robots and scrapers) stealing company information, despite the same number already deploying a bot traffic manager solution.”

NISC uses a Cyber Benchmark Index to track the mounting threat concerns as “a reflection of the current international cybersecurity landscape.” While at the beginning of 2018 the index stood at 10.5, in January 2019 it hit 19.4, the highest value recorded since NISC started charting threat levels in May 2017.

International Cyber Benchmarks Index for January 2019

“Unfortunately, bot traffic makes up a large proportion of the Internet,” said NISC Chairman and Neustar SVP and Fellow Rodney Joffe. “So it is key that organizations make sure incoming data is scrubbed in real-time, while also identifying patterns of good and bad traffic to help with filtering. [..] Implementing a Web Application Firewall (WAF) is crucial for preventing bot-based volumetric attacks, as well as threats that target the application layer.”

According to NISC, 48% of respondents stated the threats posed by DDoS attacks have increased during November and December 2018, while 42% said that they have increased their ability to respond to DDoS attacks.

“Fears around bot traffic and bot-powered DDoS attacks are extremely valid but by no means new. However, with the rapid rise of the Internet of Things – whether that be across smart cities, banking or a nation’s critical infrastructure – the ability for bots to cause havoc at a global level has increased significantly,” also stated Joffe.

Besides the 23% of the ones who considered that DDoS attacks are the highest threat, NISC’s research found that:

System Compromise – 21% stated this was the highest threat to their enterprise
Ransomware – 15% stated this was the highest threat to their enterprise
Financial Theft – 15% stated this was the highest threat to their enterprise

Cyber threats ranked in order of level of concern

“Without the appropriate detection, data scrubbing and mitigation tools in place, IoT devices have the potential to become part of a malicious botnet, whereby hackers essentially weaponize these devices to launch more powerful DDoS attacks,” continued Joffe. “Worryingly, as more and more devices continue to connect to the Internet, these types of attack pose an increased risk to not only the defenses of an enterprise, but also to a whole nation.”

NISC conducted 300 interviews in January 2019 to collect the data for this report, focused on security professionals from organizations in five countries across EMEA (i.e., France, Germany, Italy, Spain, and the UK), as well as from the US.

The survey respondents currently hold senior positions such as CTO, Director of IT, security consultants, and a number of other positions related to enterprise security responsibilities.



Could 2019 be a turning point for enterprise cybersecurity?

From the largest DDoS attacks ever seen and record-breaking numbers of data breaches, to the implementation of the General Data Protection Regulation (GDPR) in May, 2018 will be remembered as an extraordinary year for the cybersecurity industry.

With hackers developing increasingly sophisticated ways to attack enterprises every day, one of the most important lessons from this year is how crucial it is to stay one step ahead of cybercriminals at all times. In order to continuously protect company and customer data, businesses need to have an understanding of not only cybersecurity threats now, but also in the far future.

Although no one can say for certain what 2019 will bring, we can look to the past to understand the trends of tomorrow. As technology has evolved, it’s been accompanied by smarter, more malicious and much harder to detect threats. With the ever-increasing intelligence of bots, the increasing complexity of clouds and rising IoT risks, as well as the impact of data regulations, cybersecurity will dominate boardroom conversations.


With this in mind, here are eight trends that will make the year ahead as turbulent as the one just passed:

Cyber-attacks will grow – and go slow

Organisations will see an increase in cyberattacks but these will be “low and slow”, rather than “noisy” incidents such as DDoS attacks. Launched by botnets, “low and slow” attacks aim to remain under the radar for as long as possible, to steal as much data as they can.

Often these take the form of credential stuffing attacks, where stolen credentials are used to access associated accounts and steal further personal data such as addresses and payment details.

To protect themselves, businesses will need to adopt bot management solutions, which identify, categorise and respond to different bot types. The technology uses behaviour-based bot detection and continuous threat analysis to distinguish people from bots.
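The distinction the two paragraphs above draw, between a noisy credential-stuffing burst and a “low and slow” campaign that spreads attempts against many accounts over hours, is something a behaviour-based detector has to capture explicitly, since a per-minute rate limit alone never fires on the slow variant. The following is an added example written for this page; it is not code from the article or from any bot-management vendor. The login records are constructed, and the thresholds (5 distinct accounts per source, at most 20% success, 10 attempts per minute as the “noisy” boundary) are hypothetical.

```python
"""Profile login sources to separate low-and-slow credential stuffing from noisy bursts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records: (timestamp, source_ip, username, succeeded).
LOGINS = []
# Low-and-slow source: one attempt per hour, eight different accounts, one success.
LOGINS += [(f"2019-02-20T{h:02d}:00:00", "203.0.113.10", f"acct{h}", h == 5) for h in range(1, 9)]
# Noisy source: twelve different accounts within 36 seconds, all failures.
LOGINS += [(f"2019-02-20T03:15:{s:02d}", "198.51.100.7", f"user{n}", False)
           for n, s in enumerate(range(0, 36, 3))]
# Benign source: one person mistyping a password twice, then succeeding.
LOGINS += [
    ("2019-02-20T09:00:00", "192.0.2.5", "alice", False),
    ("2019-02-20T09:00:20", "192.0.2.5", "alice", False),
    ("2019-02-20T09:00:40", "192.0.2.5", "alice", True),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def peak_attempts_per_minute(times):
    """Largest number of attempts falling inside any 60-second sliding window."""
    times = sorted(times)
    peak, j = 0, 0
    for i, t0 in enumerate(times):
        while j < len(times) and times[j] - t0 < timedelta(seconds=60):
            j += 1
        peak = max(peak, j - i)
    return peak


def profile_sources(logins, min_accounts=5, max_success_ratio=0.2, noisy_per_minute=10):
    """Return {source_ip: verdict}, where verdict is one of
    'low-and-slow-stuffing', 'noisy-stuffing' or 'benign'.

    A source is treated as stuffing when it touches many distinct accounts and almost all
    attempts fail (stolen credential lists mostly contain stale passwords). The peak rate
    then decides whether the campaign is noisy or deliberately slow.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in logins:
        by_ip[ip].append((_ts(ts), user, ok))

    verdicts = {}
    for ip, rows in by_ip.items():
        users = {u for _, u, _ in rows}
        success_ratio = sum(1 for _, _, ok in rows if ok) / len(rows)
        if len(users) >= min_accounts and success_ratio <= max_success_ratio:
            peak = peak_attempts_per_minute([t for t, _, _ in rows])
            verdicts[ip] = "noisy-stuffing" if peak >= noisy_per_minute else "low-and-slow-stuffing"
        else:
            verdicts[ip] = "benign"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(profile_sources(LOGINS).items()):
        print(ip, verdict)
```

The low-and-slow source never exceeds one attempt per minute, so a conventional rate limiter would pass it; it is the breadth of accounts combined with the failure ratio, accumulated over the whole day, that exposes it. In production the same profile would be keyed on more than the IP (device fingerprint, ASN, session cookie), since the article notes that bots increasingly mimic human behaviour and rotate addresses.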

Bots will overtake human web traffic

As bots become more sophisticated, they will be responsible for more than 50% of web traffic. Already, Akamai has found that 43% of all login attempts come from malicious botnets – and this is set to increase as credential stuffing and “low and slow” attacks grow in popularity.

More sophisticated bots will become capable of accurately mimicking human behaviour online – making it harder for bot solutions to detect and block their activities. Effective bot management tools are crucial for addressing this threat. They are able to use contextual information, such as IP addresses and past user behaviour data (neuromuscular interaction), to determine whether a visitor is a bot or human and respond accordingly.

Multi-cloud strategies will complicate security management across platforms

Businesses adopting multi-cloud strategies will face increasingly complex challenges to ensure that security is consistently, and effectively, deployed across them all. With Gartner predicting that multi-cloud will be the most common cloud strategy next year, organisations that have successfully secured one cloud will need to replicate this across all their cloud portfolio to ensure that vulnerabilities are patched and nothing slips through the cracks.

With many businesses already experiencing ‘leaks’ or breaches of their single-vendor solutions, we expect companies to seek out cloud-agnostic security solutions to simplify deployment and management across the enterprise.

Consumers will continue to put convenience ahead of security

Even though awareness of the insecurity of IoT devices is growing, millions of consumers will continue to ignore the risks, purchasing and using devices that lack comprehensive security solutions – from fitness trackers to smart-home appliances.

This could swell the armies of bots, which are already being used to target enterprises. It’s predicted that by 2020 more than 25% of identified enterprise attacks will involve the Internet of Things (IoT), despite IoT accounting for only 10% of IT security budgets.

While some governments have begun to introduce security standards for connected devices, the industry is still a long way from providing adequate protection.

Asian markets will follow cybersecurity suit

Following the launch of GDPR last May, as well as PSD2 (revised Payment Services Directive) and wider security reform, the European Union has been a leader in advocating for stronger cyber regulations and this is likely to continue.

Some Asian countries have already started to follow suit, implementing their own regulations, and we expect their number to grow in 2019. As countries such as China flex their muscles as digital rivals to the West, issues around data regulation and protection are climbing government agendas. Notably, some Asian countries have resisted data regulations in the past, but high-profile breaches are encouraging a more proactive approach to data regulations.

Cybersecurity will be replaced by cyber resilience

In 2019, smart organisations will stop thinking of cyber security as a separate function of the IT department, and instead adopt it as a posture throughout the entire business.

Known as “cyber resilience”, this concept brings the areas of information security, business continuity and resilience together and intends to make systems secure by design, rather than as an afterthought. This helps organisations focus on their ability to continuously deliver business operations in spite of any cyber-attacks or incidents.

Zero Trust will march towards killing off corporate VPNs

For years, virtual private networks (VPNs) have been the mainstay of remote, authenticated access. However, as applications move to the cloud, threat landscapes expand, and access requirements diversify, the all-or-nothing approach to security needs to change.

Zero Trust, where each application is containerised and requires separate authentication, is stepping in to provide security fit for the 21st Century. In 2019, companies will increasingly turn to a cloud framework for adaptive application access based on identity and cloud-based protection against phishing, malware and ransomware, helping to improve the user experience and sounding the death knell for VPNs.

Blockchain technology will move from cryptocurrencies to mainstream payments

Today, most people associate blockchain with cryptocurrencies and the less-legitimate end of online payments. However, in 2019, blockchain-based payment networks will properly make it into the mainstream as they enable next-generation payment transactions to evolve rapidly. The inherent security built into blockchain can streamline the online payments process, reducing friction, increasing speed and improving the user experience.

In the coming year, we expect to see more and more blockchain-powered payment platforms, with high scalability and speed, being adopted by brand-name banks and consumer finance companies.

A time for change

No matter what happens in 2019, it will certainly match, if not surpass, what we’ve seen this year. Regulations such as GDPR will remain a hot topic, as will concerns around cybercriminals discovering innovative ways to attack organisations. Furthermore, threats from bots are going to come to the forefront of the cybersecurity world as they become more sophisticated.

Business leaders need to do more to ensure cybersecurity is communicated from the boardroom to the rest of the organisation, helping staff understand the threats they face.

Perhaps, between the arrival of GDPR and increasingly large data breaches and DDoS attacks, 2019 will be the year we see this change.


75% of organisations are worried about bot traffic posing a security threat, according to new research by the Neustar International Security Council

Thanks to the proliferation of the Internet of Things, the ability for bots to cause havoc at a global level has increased significantly.

IoT devices are susceptible to becoming part of a malicious botnet, and it’s possible for hackers to weaponise IoT devices to launch powerful DDoS attacks. As more devices are connected to the Internet, these types of attack pose an increased risk to not only the defences of an enterprise but also to a whole nation.

As such, 75% of organisations surveyed by the Neustar International Security Council (NISC) are concerned about bot traffic posing a threat to data security.

Security professionals perceived DDoS attacks to be the highest threat to their enterprise, with 52% admitting to being on the receiving end of an attack. This was followed by system compromise, ransomware and financial theft.

“Fears around bot traffic and bot-powered DDoS attacks are extremely valid but by no means new,” said Rodney Joffe, Head of the NISC and Neustar Senior Vice President and Fellow. “Unfortunately, bot traffic makes up a large proportion of the Internet.”

Alarmingly, these fears persist even though the same number of enterprises already have bot traffic management solutions in place – implying a continuing gap between attack sophistication and organisational readiness.

“It is key that organisations make sure incoming data is scrubbed in real-time, while also identifying patterns of good and bad traffic to help with filtering. While it is encouraging to see that more organisations are implementing bot traffic management solutions, it is imperative that businesses employ a holistic protection strategy across every layer for the best level of protection. Implementing a Web Application Firewall (WAF) is crucial for preventing bot-based volumetric attacks, as well as threats that target the application layer.”

For the study, the NISC interviewed 200 senior position holders such as CTOs, IT directors and security consultants across the EMEA region.