I am at a conference this week speaking and participating. An individual asked about botnet detection for a particular product. Specifically, they highlighted several vendors that have solutions that detect botnets. I find this concept amusing and more of a marketing or positioning type of thing. Stating “We detect botnets” is like stating “We do security”.
Anyone doing security research or investigations today realizes that a large share of attacks are launched from, or coordinated through, a botnet. Most bot clients are really just remote-control frameworks: a shell on the compromised host that lets the operator deploy whatever exploit or attack they want. The bot software usually takes care of command and control, messaging, encryption and exploit updates, and lets the author load other code or ‘plugins’ to create whatever botnet behaviour they wish.
You will rarely detect the bot itself; rather, you will detect the existence of a bot through the behaviour it exhibits. Spam, a DoS or DDoS attack, and a phishing campaign harvesting personal data are typical examples. When assessing security vendors it is important to go deeper than “We detect botnets”. How do you detect botnets? How do you confirm it is a real botnet and not just a P2P application? The answers to questions such as these will tell you whether a vendor honestly understands security. Good security vendors will answer by explaining that the product detects bots and botnets through intelligence gathered from behaviour patterns, subscriber or network history, chronology and external data.
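To make the distinction concrete, here is an added example (not from the original post, and not any vendor's product) of the kind of behavioural evidence a vendor should be able to point to: how regular a host's outbound connections are (beaconing), how many distinct destinations it talks to (fan-out, which is what separates a bot phoning home from a P2P client), and a cross-check against an external list. The flow records, the host addresses and the blocklist are all constructed for illustration; the thresholds are assumptions to be tuned against real traffic.

```python
"""Toy behaviour-based bot detection over constructed flow records.

Added example, not code from the original post or from any vendor.
Signals used: regularity of connection intervals to the host's most
contacted destination (beaconing), destination fan-out (P2P-like churn),
and an external list as a corroborating, not sole, indicator.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, source host, destination IP, dst port).
# Addresses are from the RFC 5737 documentation ranges; nothing here is real.
FLOWS = []

# Host 10.0.0.5: one destination, contacted every ~60 s with about 1 s of jitter.
_jitter = [0, 1, -1, 0.5, -0.5]
for i in range(30):
    FLOWS.append((1_000 + i * 60 + _jitter[i % 5], "10.0.0.5", "203.0.113.10", 443))

# Host 10.0.0.7: 40 distinct peers, each contacted once, at irregular times.
for i in range(40):
    FLOWS.append((1_000 + i * i * 3 + i * 7, "10.0.0.7", f"198.51.100.{i + 1}", 6881))

# Host 10.0.0.9: a few ordinary connections to three destinations, irregular gaps.
for t in (1_000, 1_005, 1_305, 1_317, 2_217, 2_257):
    FLOWS.append((t, "10.0.0.9", "192.0.2.20", 443))
FLOWS.append((1_100, "10.0.0.9", "192.0.2.21", 443))
FLOWS.append((1_900, "10.0.0.9", "192.0.2.22", 80))

# Constructed external indicator list (stands in for a threat-intel feed).
BLOCKLIST = {"203.0.113.10"}


def host_features(flows):
    """Per source host: fan-out, dominant destination and interval regularity."""
    by_host = defaultdict(list)
    for ts, src, dst, port in flows:
        by_host[src].append((ts, dst, port))

    features = {}
    for host, recs in by_host.items():
        recs.sort()
        per_dst = defaultdict(list)
        for ts, dst, _port in recs:
            per_dst[dst].append(ts)
        top_dst, top_times = max(per_dst.items(), key=lambda kv: len(kv[1]))
        gaps = [b - a for a, b in zip(top_times, top_times[1:])]
        # Coefficient of variation of inter-connection gaps: near 0 means clockwork.
        if len(gaps) >= 2 and mean(gaps) > 0:
            interval_cv = pstdev(gaps) / mean(gaps)
        else:
            interval_cv = float("inf")  # too few repeats to call it periodic
        features[host] = {
            "distinct_dsts": len(per_dst),
            "top_dst": top_dst,
            "top_dst_share": len(top_times) / len(recs),
            "interval_cv": interval_cv,
        }
    return features


def classify(feat, blocklist, cv_threshold=0.15, fanout_threshold=20):
    """Return (label, reasons). Thresholds are illustrative assumptions."""
    reasons = []
    if feat["interval_cv"] <= cv_threshold and feat["top_dst_share"] >= 0.8:
        reasons.append(f"periodic beaconing to {feat['top_dst']}")
    if feat["top_dst"] in blocklist:
        reasons.append(f"{feat['top_dst']} is on the external indicator list")
    if reasons:
        return "bot-suspect", reasons
    # Wide fan-out with no periodicity looks like P2P, not a bot phoning home.
    if feat["distinct_dsts"] >= fanout_threshold:
        return "p2p-like", ["many peers, no dominant destination, irregular timing"]
    return "benign", []


def detect(flows, blocklist):
    """Map each source host to its (label, reasons) verdict."""
    return {h: classify(f, blocklist) for h, f in host_features(flows).items()}


if __name__ == "__main__":
    for host, (label, reasons) in sorted(detect(FLOWS, BLOCKLIST).items()):
        print(f"{host}: {label}" + (f" ({'; '.join(reasons)})" if reasons else ""))
```

The point is not the thresholds, which a real product would learn from subscriber or network history rather than hard-code, but that the verdict comes with reasons a customer can check. A vendor who can only say “we detect botnets” and cannot show which behaviours, over what time window, and with what corroborating data produced the alert, has not answered the question.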
