There are a lot of misconceptions within the IT industry when it comes to botnets and their criminal operators, but perhaps the most significant is the assumption that bot agents and their participation within a botnet is just a permutation of the malware threat.
Looking purely at the bot agent from a malware perspective really misses the point. Sure, from a feature/functionality perspective their evolutionary trails are clear to all who bother to look. However, membership within a botnet isn’t a linear scalar in a risk calculation – it fundamentally changes the risk to an enterprise and, even more importantly, has a regulatory impact.
While malware can be treated as an inconvenience, a host infected with a bot agent is technically a compromised asset. If the bot agent has successfully registered itself as a member of a botnet and its C&C is functioning, the enterprise network has been breached.
Let me restate that more succinctly – host membership within a botnet is a corporate data breach.
What that means for the enterprise security team is that they (depending upon which country/state the company is registered in) have a legal regulatory obligation to follow data breach notification requirements.
Therefore, as a consequence of a bot agent compromise, corporate entities will have to figure out precisely what data was held within the host and what other systems and data it could have had access to. Then they’ll need to notify the appropriate third-party authorities of the data breach. And, if there was a specter of personal data being exposed, notifications will need to be made to the affected parties.
This all amounts to a costly exercise. More importantly, a data breach attracts a lot of negative press and has substantial brand depreciation connotations.
- Gunter Ollmann, VP Research