Corero’s SecureWatch Ability to Identify Botnet Attack Traffic Correlations for Prospective Customers

In the world of DDoS, when cybercriminals take control of a botnet, they issue commands to the bots so that they launch attacks on victims with a specific vector at a particular time. When a potential customer provides Corero with information about a traffic anomaly, a surprising amount of additional data can be correlated, and insights can be provided to the potential customer without Corero ever seeing their traffic.

For example, a hypothetical Tier 1 ISP called “BigISP” is unintentionally hosting 10,000+ bots (mostly IoT devices) sending outbound traffic to Victim X. BigISP is NOT being attacked, but it hosts so many bots that the attack traffic is clogging BigISP’s outbound pipes and causing harm. Neither BigISP nor Victim X is a current Corero customer. For DDoS, the odds are quite slim that BigISP is the only host with bots under the control of this particular botmaster and part of the same attacking botnet. This means there is a realistic chance that Corero customers have already observed this same botnet activity.

Corero SecureWatch can also use this indirect analysis to determine if the traffic is something that the Corero SmartWall solution can block.

In summary, the process steps are as follows:

  1. Collect any traffic anomaly information from the potential customer
  2. Search SecureWatch for commonalities or correlations with the given information
  3. If a match is found, determine which other sites are part of the suspected botnet
  4. Pivot on the source IP addresses and search in detail to find all vectors and occurrences, since the potential customer may not know that additional vectors or attacker events also exist in their network
  5. Check the source IP addresses to see whether they are likely compromised bots and whether they share a botnet or device-family resemblance

Without direct observation and analysis, nothing can be proven beyond doubt, but as the amount of collected information increases and continues to match the indirect analysis, the statistical chance of correctness approaches 100%. Certain anomaly attributes, such as the victim IP address and the time window, make detecting a correlation easier. Potential sources of inaccuracy include multiple botnet types participating at the same time, or some unique host technology that is only deployed at the potential customer’s site (e.g. BigISP has custom routers for a subset of its subscribers, and those routers are infected with a unique botnet).
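A toy version of the correlation steps above, added here as an illustration and not Corero’s or SecureWatch’s code: given the prospect’s anomaly report (victim IP, time window, vector), it finds observations from other sites that share the victim and time window, then pivots on the matched source IPs to surface vectors the prospect did not report. All site names, addresses and timings are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Obs:
    site: str      # where the traffic was observed (constructed label)
    src_ip: str    # suspected bot
    dst_ip: str    # victim
    vector: str    # attack vector seen
    start: datetime
    end: datetime


T = datetime(2019, 6, 1, 12, 0)  # constructed reference time
MIN = timedelta(minutes=1)

# Constructed observations: the prospect's own report (index 0) plus records
# from two hypothetical existing customer sites, using RFC 5737 test addresses.
OBS = [
    Obs("prospect", "203.0.113.10", "198.51.100.5", "udp-flood", T, T + 20 * MIN),
    Obs("site-A", "203.0.113.10", "198.51.100.5", "udp-flood", T + 2 * MIN, T + 18 * MIN),
    Obs("site-A", "203.0.113.11", "198.51.100.5", "udp-flood", T + 1 * MIN, T + 19 * MIN),
    Obs("site-B", "203.0.113.11", "198.51.100.5", "syn-flood", T + 3 * MIN, T + 15 * MIN),
    Obs("site-B", "203.0.113.11", "198.51.100.9", "dns-amp", T - 180 * MIN, T - 120 * MIN),
    Obs("site-B", "203.0.113.50", "198.51.100.5", "udp-flood", T + 360 * MIN, T + 420 * MIN),
]


def overlaps(a: Obs, b: Obs, slack: timedelta = 5 * MIN) -> bool:
    """True when the two time windows overlap, allowing some clock skew."""
    return a.start <= b.end + slack and b.start <= a.end + slack


def correlate(report: Obs, obs):
    """Steps 2-3: records from other sites that match the victim IP and time window."""
    return [o for o in obs if o.site != report.site and o.dst_ip == report.dst_ip and overlaps(report, o)]


def pivot_sources(matches, obs):
    """Step 4: pivot on matched source IPs; collect every (site, vector, victim) seen for them."""
    srcs = {m.src_ip for m in matches}
    found = {}
    for o in obs:
        if o.src_ip in srcs:
            found.setdefault(o.src_ip, set()).add((o.site, o.vector, o.dst_ip))
    return found


def unreported_vectors(report: Obs, pivoted) -> set:
    """Vectors tied to the suspected botnet that the prospect's own report did not mention."""
    return {vec for hits in pivoted.values() for (_, vec, _) in hits} - {report.vector}


if __name__ == "__main__":
    matches = correlate(OBS[0], OBS)
    pivoted = pivot_sources(matches, OBS)
    print(sorted({o.site for o in matches}), unreported_vectors(OBS[0], pivoted))
```

The last record is deliberately outside the time window and is excluded, while the `dns-amp` record against a different victim is only reached through the source-IP pivot.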

This information helps prospective customers isolate the bots and recognise the need for in-depth analytics. By leveraging advanced analytics and a diverse customer base, Corero is able to perform DDoS analysis on traffic it technically cannot see and gain stronger insight. Aside from providing prospects with insight, Corero can also show the prospect how Corero’s SmartWall solution could have mitigated the attack in real time, preventing collateral damage.