Stopping Botnet C&C on the Wire
Posted by Gunter Ollmann on February 21, 2007 at 2:39 PM EST.

The security world can be a funny world sometimes. 

The expectations of a network management team are often at odds with those of the security management team, which are in turn at further odds with the audit and compliance teams.  You can sometimes see these conflicting expectations materialize in enterprise-level RFIs and RFPs that look like they could have come from a schizophrenic Dr Frankenstein.

That being said, regardless of how confused the stated requirements may appear, a lot of the time a security solution already exists – it just needs to be implemented in an ‘unexpected’ way.  One example I’ve seen several times is when people (including security professionals) talk about stopping botnets by blocking their command & control (C&C) channels at the network layer.  Yes, it can be done – in some cases it is pretty easy (a hard-coded server address on a fixed port, say), in others it’s nigh on impossible (think of covert channels tunneled through DNS lookups, which your own recursive resolver will dutifully forward and cache on the bot’s behalf).  But, at the end of the day, if you’re focusing on stopping botnet C&C on the wire you’ve probably missed the rather more important strategic step of making sure bot agents never got installed in your network in the first place – e.g. by investing in behavior-based anti-malware detection at the mail gateway and at the desktop.
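As an added illustration of why the ‘on the wire’ approach only gets you part of the way (this is example code written for this page, not anything from the original post or from any product): a small heuristic detector that scores DNS query logs for the kind of covert channel mentioned above. It assumes a constructed, whitespace-separated log format of timestamp, client IP, query name and record type, treats the last two labels of a name as the registered domain (no public-suffix list), and uses thresholds that are illustrative assumptions rather than tuned values.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log lines (not from any real capture).
# Format assumed here: <timestamp> <client> <qname> <qtype>
SAMPLE_LOG = """\
2007-02-21T14:39:01 10.0.0.5 www.example.com A
2007-02-21T14:39:02 10.0.0.5 mail.example.com MX
2007-02-21T14:39:03 10.0.0.5 www.example.com A
2007-02-21T14:39:04 10.0.0.7 images.example.net A
2007-02-21T14:39:05 10.0.0.7 static.example.net A
2007-02-21T14:39:06 10.0.0.7 docs.example.net A
2007-02-21T14:39:07 10.0.0.9 3f9a1c7e2b8d4056.t.example.org TXT
2007-02-21T14:39:08 10.0.0.9 8e1b2f0a9c3d7456.t.example.org TXT
2007-02-21T14:39:09 10.0.0.9 c04d7a19e3b2f865.t.example.org TXT
2007-02-21T14:39:10 10.0.0.9 5a6b7c8d9e0f1234.t.example.org TXT
2007-02-21T14:39:11 10.0.0.11 0a1b2c3d4e5f6789.t.example.org TXT
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high, words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line):
    ts, client, qname, qtype = line.split()
    return ts, client, qname.lower().rstrip("."), qtype.upper()


def registered_domain(qname):
    # Assumption: last two labels form the registered domain (no public-suffix list).
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_query(qname, qtype):
    """Per-query suspicion score, 0..4. Thresholds are illustrative assumptions."""
    labels = qname.split(".")
    subdomain_labels = labels[:-2]
    score = 0
    if subdomain_labels:
        longest = max(subdomain_labels, key=len)
        if len(longest) >= 12:            # long labels carry payload
            score += 1
        if shannon_entropy(longest) >= 3.0:  # encoded / hex-like label
            score += 1
    if qtype in ("TXT", "NULL"):          # record types with room for downstream data
        score += 1
    if len(qname) > 50:                   # unusually long total name
        score += 1
    return score


def find_suspects(log_text, min_queries=3, min_mean_score=2.0, min_unique_ratio=0.8):
    """Return sorted (client, domain, query_count, mean_score) tuples for
    client/domain pairs that look like a DNS covert channel: many distinct,
    high-scoring names under one parent domain. Cached repeats of ordinary
    names pull the unique ratio down, so normal browsing is not flagged."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "score": 0})
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _, client, qname, qtype = parse_line(line)
        entry = stats[(client, registered_domain(qname))]
        entry["queries"] += 1
        entry["names"].add(qname)
        entry["score"] += score_query(qname, qtype)

    suspects = []
    for (client, domain), entry in stats.items():
        mean_score = entry["score"] / entry["queries"]
        unique_ratio = len(entry["names"]) / entry["queries"]
        if (entry["queries"] >= min_queries
                and mean_score >= min_mean_score
                and unique_ratio >= min_unique_ratio):
            suspects.append((client, domain, entry["queries"], round(mean_score, 2)))
    return sorted(suspects)


if __name__ == "__main__":
    for client, domain, count, mean_score in find_suspects(SAMPLE_LOG):
        print(f"{client} -> {domain}: {count} queries, mean score {mean_score}")
```

Run against the constructed sample, only the 10.0.0.9 client is reported; the single query from 10.0.0.11 stays under the query-count threshold, which is the trade-off any such rule makes between false positives and catching a bot that only talks occasionally. Note what this does not catch: a channel that encodes its bits in the choice among perfectly ordinary-looking names, or in the timing of lookups the resolver has already cached, scores exactly like normal traffic, which is the author’s point about how hard the ‘on the wire’ problem can get.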

Perhaps an analogy will clarify this kind of security thinking.  Consider a corporation that is about to refresh its fleet of corporate cars.  The accounting team says that they want the 2007 cars to be more economical, while the sales team says they need the cars to drive faster, the health and safety team needs them to have a kitchen sink (they’re worried about unclean hands and avian flu), and finally the human resources team requires the cars to have beds so that drivers can rest properly and not fall afoul of some new compliance issue.

So the RFP comes out seeking a car that meets all these requirements.

The car dealers look at the requirements and can see the corporation isn’t really after a car; what it really needs (and what it has just defined) is a fast motorhome (colored red, with go-fast racing stripes).  So the car dealer explains to the fleet manager that they’ve just asked for a fleet of motorhomes.  Perhaps the fleet manager is between a rock and a hard place – being pressured to deliver a ‘car’ that meets all these requirements – but regardless, any solution the dealer comes up with has to be a car or they don’t get the business.

So, what’s a car dealer going to do?  I guess three options are likely to spring to mind.
(1) Respond with a car ‘package’ consisting of a cheap car and a caravan – and position it as a flexible solution.
(2) Custom design a super-small camper van so it looks like a car.
(3) Reinvent the market.  Stick with the motorhome, but rename it something like “Car™” or “Car 2.0”.

Whatever the security threat, there is probably an existing solution – it may just not look the way you expect it to (and be wary of 2.0s).

Copyright 2001-2007 © Gunter Ollmann