Botnet takedowns: are they worth it?

Botnet takedowns make good headlines and earn kudos for law enforcement and companies like Microsoft but are they worth the time and effort, asks Dan Holden.

Dan Holden

The number of botnets has grown rapidly over the last decade. From Gameover Zeus, which leveraged encrypted peer-to-peer command and control, to Conficker, which infected millions of computers across the world – botnets continue to infiltrate many internet-based services and cause mass disruption, and it's getting worse.

The main reason botnets are so successful is that their command and control can be so dynamic. Botnets can easily change size and adapt, which makes them harder to detect. The older and larger the botnet, the more likely it is that organisations are prepared to deal with the threat, but combating it takes serious energy and cooperation.

A botnet takedown is one solution that has been used to combat these threats, and it is happening more often these days. A botnet takedown is when an organisation seeks to take over or sever the command and control infrastructure, denying the botnet control of the enslaved machines. However, one of the biggest issues with botnet takedowns is that they are never 100 percent successful.

When organisations find a way to damage a botnet, it's almost like flattening tyres in a car – technically you can still drive but you are seriously hindered. For a cyber-criminal, once a botnet has been detected, it's a question of whether it can be salvaged or whether they should look to steal another car. In most cases, criminals will rebuild the botnet or create a completely new one. It's not a case of solving the problem but temporarily crippling the criminal.

One organisation taking this threat seriously is Microsoft. Microsoft hasn't just run a marketing campaign to show that it is aware of botnets – as others have – but has gone out of its way to protect its customers, working with law enforcement to take down botnets involved in fraud targeting end users. Interestingly, most botnet takedowns affect end users rather than enterprises.

Microsoft is learning more with each takedown, but organisations need to realise that however much they learn, it will never be enough. One of the most recent botnet takedowns was of the Ramnit botnet, a great example of how multiple organisations and governments can work together to combat cybercrime. The operation was co-ordinated by Europol, Microsoft and other organisations across multiple countries to take down a botnet that had infected 3.2 million computers globally. However, this botnet is still there, at least to some extent – so was all of the investment in taking it down worth it?

The real question around botnet takedowns is one of return on investment (ROI). The resources needed to orchestrate a takedown aren't negligible, and the effectiveness of the takedown is not always immediate or measurable.

Microsoft has invested increasingly in this effort and, as a result, it is getting better at protecting its customers. But it's never as simple as “I've solved the problem”; instead, organisations should focus on raising the cost for the cyber-criminal. There is always an expense on the defensive side of this equation, so the cost on the attacker's side now has to rise until attacking becomes more expensive. If attackers start questioning their own ROI for a given attack or attack type, the scales are beginning to tip in the defenders' favour.

Are botnet takedowns really winning the war? No, but increasing the cost to the attacker and winning a particular battle that hopefully provides enough value – and defending a particular set of victims as part of that ROI – can be a good thing.

Contributed by Dan Holden, director of ASERT at Arbor Networks.