Botnet Detection Advances With the Use of Big Data Analysis in Europe

Steven Wilson, who has lead the European Cybercrime Center at Europol since January of this year, knows cybercriminals. According to Europol, he is a 30-year veteran of Police Scotland and oversaw all cyber-related crime investigations.

Europol has recently fought malicious actors with botnet detection techniques. The organization was part of the group that took down Dorkbot in December 2015, according to an official agency press release.

How Botnet Detection Affects Cybercriminals

Wilson has seen how cybercriminals are adapting to the latest law enforcement efforts. At the recent International Conference on Big Data in Cyber Security, hosted by Scotland’s Edinburgh Napier University, he noted that these actors are following their own twisted version of best practices for security. For instance, they often have incident response plans and updated backups of their botnets, so they can bounce back quickly from takedowns, BankInfoSecurity reported. He also added that keeping the fully functional backup botnets small gives them a better chance of evading detection.

Wilson said that disrupting botnets via sinkholing can give law enforcement agencies insights into how the latest threats are being built and deployed. Sinkholing means forcibly redirecting infected endpoints to secure servers controlled by authorities. This blocks attackers’ access to the bots and gives security experts an opportunity to study the threats, Dark Reading explained.

“In the last two to three years, we’ve seen significant developments with botnets — 3 million, 4 million, 5 million controlled computers,” BankInfoSecurity quoted Wilson as saying. “The important thing for us is to look at this and say, ‘How can we actually more effectively analyze that data?’ But [it’s] volumes beyond the comprehension of what we’ve ever dealt with before. And for me … big data analytics is the way to go forward regarding this.”

Read the IBM Research Report: The inside story on botnets

Fighting Cybercrime Through Cooperation

Wilson pointed out an emerging conundrum affecting many enforcement efforts: This process is not just obtaining the data about a criminal method. It is also about analyzing just what that data means.

Wilson is positive about European cooperation activities regarding cybercrime. He pointed to the success of the Joint Cybercrime Action Taskforce (J-CAT). Comprised of representatives from nine of the EU’s biggest member states and a dedicated prosecutor, this new agency handles cross-border judicial cooperation relating to criminal matters.

J-CAT will help member organizations share information in a much more effective manner than was previously possible. It is tasked to find roadblocks, document them and, where appropriate, seek changes in EU legislation to overcome them.

Right now, cybercriminals can find a safe haven in countries that are hostile or unmotivated to cooperate. Greater cooperation between the U.S. and the EU can expedite any action against these criminals before they can operate their botnets from these havens and hide their ill-gotten gains.

That new evolving agency has Wilson excited. According to BankInfoSecurity, he said it “has allowed us to actually cut through the bureaucracy, the differences in legislation, to actually tackle cybercriminality.”

Coordination Catches Crooks Faster

The European Parliament recently adopted new regulations for Europol that increase its ability to effectively fight cybercrime. Europol has said these will allow it to function as a hub of data. It should also make it easier to coordinate between law enforcement agencies in Europe and across the world.

Removing the friction from the investigative process can only make it stronger. Enterprises can look to these revisions to help defend them against the predators that have taken advantage of these conditions for far too long. They can also mimic these techniques on a smaller scale: Opportunities like threat intelligence sharing allow entities to proactively fight cyberthreats and improve their security posture.

Share this Article:
Larry Loeb

Principal, PBC Enterprises

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He wrote for IBM's DeveloperWorks site for seven years and has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange.