Is whack-a-mole the right paradigm for combating botnets?

There is little question that botnets have become a huge problem for abuse and security professionals. In many cases to date, experts attempting to provide relief from the activities of botnets have focused on dismantling the botnet command and control systems. The question I raise here is whether doing anything beyond identifying the command and control systems is productive. I recognize that valid arguments exist from multiple perspectives, and I also believe that no one answer is universally best for all situations. That said, I am leaning in the direction that combating the effects of botnets would benefit from robust identification of command and control systems, but not from their dismantling.

This recent evaluation of the McColo take-down illuminates in part why I raise the question. When botnet command-and-control information is well identified, I assert that the efficiency of the counter-actions will be high. Essentially, when you know where your adversary is and how your adversary operates, your ability to conduct your mission is better than when the information you have about your adversary is poor. When the anti-abuse industry chooses to destroy elements of that knowledge, it should only do so when the anticipated gain improves the overall efficiency of combating the adversary. Yes, considerable knowledge can be gained by observing the actions or reactions an adversary may or may not take in response, which may improve the overall knowledge of the adversary. I don’t honestly believe, however, that the majority of the actors in the industry look at the overall situation from these perspectives. In fact, I believe that a much narrower perspective is what is entrenched today, with minimal attention given to the large picture and the cause-and-effect impacts. As a result, my opinion is that the efficiency of battling the adversaries is poor and that the overall situation will not improve to any meaningful degree.

It would be unfair of me to make the above statements without also offering suggested solution(s). Ideally, I believe that those people and entities which are centrally involved in the battle need to become formal allies, coordinating the overall war. The mode whereby for-profit entities are most concerned with maximizing shareholder returns is in conflict with this suggestion, though that is not to say that the war could not be profitable for those involved. The entities that choose to become allies do, however, need to consciously agree that the most important goal is that of containing the adversaries, on top of which profit-generating products and services can then be layered. My opinion is that there are some informal organizations in existence today which could evolve to serve the purpose I describe. Observations of the adversaries indicate that they are already moving in a similar direction, and my opinion is that a failure by the anti-abuse and security industry to organize as I suggest will directly facilitate the adversaries’ continued success.

- Marc
