Botnets: Financial Impacts and Mitigation Strategies for Small Businesses

Imagine what would happen if your company website went down. Or if critical business apps were suddenly unavailable. Productivity would suffer, customer orders would be lost, and your brand would be tarnished, perhaps irrevocably. These are some of the outcomes of a botnet attack.

Recently, a massive network botnet named Eleven11bot, comprising over 30,000 infected webcams and video recorders, delivered the largest ever distributed denial-of-service (DDoS) attack. Eleven11bot sent out vast amounts of data (6.5 terabits per second), overwhelming services and causing mayhem for companies worldwide.

What is a Botnet and What Can it Do?

A botnet is a group of distributed, malware-infected devices, such as computers and other internet-connected devices, controlled by a cybercriminal known as a "Botnet Herder". The infected devices become zombie bots or zombie devices. The Botnet Herder controls all of them from a central server known as a Command and Control (C&C) center.

Via remote control, the Botnet Herder can change what a botnet does, for example, switching it from sending spam to collecting data (or both). Most botnets are centrally controlled. There are also decentralized peer-to-peer (P2P) botnets that don't rely on a single C&C server, but these are more limited in scope.

Phishing is the typical method used to initiate a botnet infection of a device.

Botnet attacks are becoming increasingly accessible through a service known as "Rent a Botnet". This is a SaaS offering by cybercriminals on the dark web. Wannabe attackers can rent botnets to carry out DDoS attacks, mine cryptocurrency, and so on.

Another type of botnet is a RAT botnet, which is a combination of a botnet and a Remote Access Trojan (RAT). RATs are used to escalate access control privileges to give an attacker access to sensitive areas of a device or network. They work by stealth and are built to evade detection by conventional anti-virus software. The combination of a distributed controllable botnet with a RAT means that infected devices come under the control of cybercriminals for long periods, causing damage, data theft, and financial losses.

The Two-Pronged Impact of Botnets

Botnets cause problems for affected companies in two ways: either machines become infected by botnet malware, or a company is damaged by the impact of cyberattacks from botnets, such as a Distributed Denial of Service (DDoS) attack.

Botnets are used to carry out:

  • Distributed Denial of Service (DDoS) attacks
  • Mass distribution of spam
  • Data theft, e.g., employee credentials
  • Pop-up spoof ads on your browser
  • Renting out your company infrastructure via the dark web
  • Using your computers to mine cryptocurrency

The Financial Implications of a Botnet Attack

If your computer or device becomes part of a botnet, or your business is hit by a DDoS attack, you must be aware of the financial implications. Attacks are persistent, and botnets are designed to work by stealth, so an infection is hard to identify and your devices could be infected for long periods without detection. The following costs are incurred when your company becomes part of a botnet:

Productivity Losses and Downtime

Attacks like DDoS affect web servers, causing your company website to become unavailable and leading to lost revenue. Server downtime of any kind carries a financial cost, however. The ITIC Hourly Cost of Downtime report surveyed businesses of all sizes, from micro to large enterprises, and captured the cost of downtime. The results show that even a single affected server costs $167 per minute of downtime.

Monetary Cost of Hourly Downtime Per Server / Per Minute

Hourly Cost of Downtime   Per Minute, 1 Server   Per Minute, 10 Servers   Per Minute, 100 Servers   Per Minute, 1,000 Servers
$10,000                   $167                   $1,670                   $16,700                   $167,000
$100,000                  $1,670                 $16,700                  $167,000                  $1,667,000
$300,000                  $4,998                 $49,980                  $499,800                  $4,999,800
$400,000                  $6,670                 $66,670                  $667,000                  $6,667,000
$500,000                  $8,333                 $83,330                  $833,300                  $8,333,300
$1,000,000                $16,700                $167,000                 $1,670,000                $16,670,000
$2,000,000                $33,333                $333,330                 $3,333,300                $33,333,000
$3,000,000                $49,998                $499,980                 $4,999,800                $49,998,00
$5,000,000                $83,333                $833,330                 $8,333,300                $83,333,000
$10,000,000               $167,000               $1,670,000               $16,700,000               $167,000,000

Source: ITIC Reliability and Hourly Cost of Downtime Survey

Botnets also impact productivity by making infected devices run more slowly and by constantly popping up unwanted spam ads.

DDoS Costs

DDoS attacks launched from botnets take down websites and can make web apps and infrastructure unavailable. The result is lost revenue and customers going elsewhere. A botnet DDoS attack works by using all of the infected computers to send massive amounts of internet traffic to a targeted server, causing the server to fail.

DDoS attacks cost an SMB $6,000 per minute, with attacks lasting 39 minutes on average. Therefore, the average cost per DDoS incident is $234,000.

Sensitive Data Theft

Botnets can result in breaches of employee PII (Personally Identifiable Information) and login credentials. The average cost per compromised record is $189. However, a single compromised record could lead to much larger data breaches.

How To Avoid Financial Damage from a Botnet Infection

Botnets can be hard to detect because they are designed to evade conventional anti-virus software, which allows the malware to lie undetected for long periods. The risk of a botnet malware infection, and the impact of a DDoS attack, can be mitigated using the following measures:

Phishing Awareness

Botnet malware is typically distributed using phishing and social engineering. Security awareness training helps prevent employees from unwittingly infecting devices with bot malware by educating staff on how to spot a phishing email.

Dark Web Monitoring

Botnet Herders use the dark web to identify target organizations and locate employee email addresses for phishing. By using a dark web monitoring service, like Sentinex, an SMB can see if its brand and company details are held on dark web forums and marketplaces. This knowledge allows the SMB and its employees to be prepared for cyberattacks.

Monitor Network Traffic

By monitoring network traffic, you can detect signs of suspicious activity, such as spikes in data usage or unauthorized connections. Network monitoring is like an early warning system, allowing you to respond quickly to a possible attack.
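As an added example (not part of the original article), the script below shows what "monitoring network traffic" can look like in practice for the two signs mentioned above. It flags an unusual spike in the data a host sends out and periodic "beaconing" from one host to one external address, the pattern an infected device shows when it checks in with a C&C server. The flow log lines and their field layout (epoch seconds, source IP, destination IP, bytes sent) are constructed for this example and are an assumption, not any vendor's export format.

```python
"""Flag two botnet tell-tales in outbound flow logs: a per-host volume spike
and near-constant-interval "beaconing" to a single external address.

The sample records and the 'ts src dst bytes' layout are constructed for
this example; they are an assumption, not a real export format.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed sample: 10.0.0.5 contacts the same external host every 60 s;
# 10.0.0.8 normally sends about 1 KB per minute, then pushes 60 MB at once.
SAMPLE_FLOWS = """\
1700000000 10.0.0.5 203.0.113.9 512
1700000060 10.0.0.5 203.0.113.9 498
1700000120 10.0.0.5 203.0.113.9 505
1700000180 10.0.0.5 203.0.113.9 510
1700000240 10.0.0.5 203.0.113.9 501
1700000003 10.0.0.7 198.51.100.20 1400
1700000090 10.0.0.7 198.51.100.21 2100
1700000200 10.0.0.7 198.51.100.22 900
1700000010 10.0.0.8 198.51.100.30 1000
1700000070 10.0.0.8 198.51.100.31 1200
1700000130 10.0.0.8 198.51.100.32 1100
1700000190 10.0.0.8 198.51.100.33 60000000
1700000250 10.0.0.8 198.51.100.34 1000
"""


def parse_flows(text):
    """Parse 'ts src dst bytes' lines into tuples; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            flows.append((int(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return flows


def detect_beaconing(flows, min_hits=5, max_cv=0.1):
    """Return (src, dst) pairs contacted at near-constant intervals.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between connections; human-driven browsing is far more irregular.
    """
    seen = defaultdict(list)
    for ts, src, dst, _ in flows:
        seen[(src, dst)].append(ts)
    flagged = []
    for pair, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged.append(pair)
    return sorted(flagged)


def detect_volume_spikes(flows, window=60, factor=10, min_windows=3):
    """Return {src: peak_bytes} for hosts whose bytes sent in one window
    exceed `factor` times that host's own median per-window volume.

    The baseline is per host, so a busy file server is compared against
    itself rather than against a quiet workstation. Hosts with too few
    windows are skipped because their median is not yet meaningful.
    """
    per_window = defaultdict(lambda: defaultdict(int))
    for ts, src, _, nbytes in flows:
        per_window[src][ts // window] += nbytes
    spikes = {}
    for src, buckets in per_window.items():
        totals = list(buckets.values())
        if len(totals) < min_windows:
            continue
        baseline = median(totals)
        peak = max(totals)
        if baseline > 0 and peak > factor * baseline:
            spikes[src] = peak
    return spikes


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("beaconing pairs:", detect_beaconing(flows))
    print("volume spikes:", detect_volume_spikes(flows))
```

On the sample data the script flags 10.0.0.5 for beaconing to 203.0.113.9 and 10.0.0.8 for the 60 MB spike, while the ordinary browsing of 10.0.0.7 passes. The thresholds (`min_hits`, `max_cv`, `factor`) are starting points to tune against your own baseline; in a real deployment the records would come from firewall or flow exports rather than an inline string, and a hit is a prompt to investigate the host, not proof of infection.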

VPN and Safe Internet Use

A VPN encrypts the data in transit from a user's device, which helps to prevent credential theft via Man-in-the-Middle (MitM) attacks. Safe internet use belongs in a security awareness training program that teaches employees to spot signs that a website may be malicious and to use secure internet connections.

Robust Identity Management and Access Control

Identity management is an essential measure for both humans and non-humans (devices, APIs, etc.). Access should be controlled using the principle of least privilege (PoLP); enforcing least privilege helps prevent unauthorized access to devices. Robust authentication, such as multi-factor authentication (MFA), backs up least privilege and helps prevent botnet malware from spreading. The same rule applies to devices: set strong device passwords and change any default passwords.

Reduce Vulnerabilities

Patch software and systems to prevent botnet malware from exploiting vulnerabilities. Also, close any unused ports to prevent malware exploitation.

Botnet FAQ

Is There a Difference Between a Botnet and a Bot?

A botnet is a vast array, sometimes millions of devices, infected by botnet malware and under the control of a cybercriminal. A bot is a software program that automates tasks; bots can be malicious or legitimate.

What's the Biggest Botnet Attack to Date?

Botnet attacks are increasingly testing defenses. Most recently, the Eleven11bot attack was a 6.4 terabits per second (Tbps) DDoS attack. Before that, a Mirai botnet was behind a 5.6 Tbps

Can You Get Good Bots?

Yes, a web crawler and chatbot are examples of good bots.

Are Botnets Illegal?

Botnets are used to carry out illegal activities, like a DDoS attack or controlling another person's device without consent. These activities are considered acts of cybercrime and are illegal in most countries. However, in some cases, botnets may be used by penetration testers to test a system's security. This use case of botnets is not illegal.

How do I Know if My Computer is Part of a Botnet?

There are various signs that your device may be infected with botnet malware. Signals of botnet activity include slow internet, unexpected shutdowns, programs that cannot be closed, an inability to update your operating system, and your device's fan running even when the computer is idle.