Oct 01 2018

How DARPA Plans to Disable Botnets Before They Strike

The agency’s Harnessing Autonomy for Countering Cyberadversary System aims to identify and neutralize botnets ahead of attacks.

The federal government recognizes the clear and present danger posed by botnets, as evidenced by a thorough report the departments of Commerce and Homeland Security issued on the topic in May. 

Now the Defense Advanced Research Projects Agency is taking steps to stop such attacks before they occur. On Aug. 30, DARPA awarded a $1.2 million contract to cybersecurity firm Packet Forensics to create new ways to detect and stop botnet attacks. The contract is part of a DARPA program known as the Harnessing Autonomy for Countering Cyberadversary System, a DARPA spokesperson tells Nextgov.

Created in 2017, HACCS is designed to make defenses against botnets more efficient and less time-consuming, and do so on a large scale without negatively affecting neutral networks, according to DARPA. The program aims to “investigate the feasibility of creating safe and reliable autonomous software agents that can effectively counter malicious botnet implants and similar large-scale malware.” Essentially, DARPA wants to hack the hackers, without human involvement, and stop botnets before they attack. 


What Is a Botnet?

What is a botnet attack? As FedTech recently reported, botnets are built on top of distributed denial of service attacks. A DDoS attack is a cyberattack in which multiple compromised systems attack a given target, such as a server or website, to deny users access to that target. 

Attackers often use compromised devices — desktops, laptops, smartphones or Internet of Things devices — commanding them to generate traffic toward a website in order to disable it, in ways the device's owner does not even detect.

Not all botnets are malicious; a botnet is simply a group of connected computers working together to execute repetitive tasks, and they can keep websites up and running. However, malicious botnets use malware to take control of internet-connected devices and then use them as a group to attack. Malicious botnets are often used to amplify DDoS attacks, as well as to send out spam, generate traffic for financial gain and scam victims. 

DARPA Wants to Stop Botnets in Their Tracks

DARPA says that improving the security posture of Defense Department networks alone is not enough to counter botnets and the threats they pose to national security. That is because most botnet nodes sit on so-called neutral networks or in “gray space.”

The current methods that network defenders use to guard against botnets are too resource-intensive and time-consuming to mount an effective defense on a large scale, according to DARPA. “Active defense methods are insufficiently precise and predictable in their behavior, posing a risk that they may cause processing issues or other side effects,” the agency says. 

DARPA has been seeking ways to “identify and neutralize botnets and other large-scale malware from compromised devices and networks in a scalable, timely, safe, and reliable manner, in accordance with appropriate privacy and other legal authorities.” DARPA also notes that, to truly be effective, this must be done even if “the owners of botnet conscripted networks are unaware of the infection and are not actively participating in the neutralization process.”

The HACCS program aims to “develop the techniques and algorithms necessary to measure the accuracy of identifying botnet-infected networks, the accuracy of identifying the type of devices residing in a network, and the stability of potential access vectors.” The program takes an experimental approach to verifying the implementation of such autonomous agents and the rules under which they operate, “to measure the effectiveness of denying, degrading, and disrupting botnets and individual botnet implants without affecting the systems and networks on which they reside.”
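The article's definition of a DDoS attack (many compromised systems converging on one target) and the accuracy measurement HACCS calls for can both be illustrated with a small flow-log detector. This is an added example, not DARPA's or Packet Forensics' code; the flow records, host names, thresholds and ground-truth labels are all constructed here for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int    # seconds since start of the (constructed) capture
    src: str   # source address
    dst: str   # destination host
    size: int  # bytes transferred


def flag_flood_targets(flows, window=10, min_sources=5, min_flows=50):
    """Return destinations that, within any `window`-second bucket, receive at
    least `min_flows` flows from at least `min_sources` distinct sources.
    Requiring many sources is what separates a botnet flood from one busy host."""
    sources, counts = defaultdict(set), defaultdict(int)
    for f in flows:
        key = (f.dst, f.ts // window)
        sources[key].add(f.src)
        counts[key] += 1
    return {dst for (dst, bucket), n in counts.items()
            if n >= min_flows and len(sources[(dst, bucket)]) >= min_sources}


def evaluate(flagged, truth):
    """Precision and recall of the detector against labelled targets: the kind
    of accuracy figure HACCS wants for identifying botnet-affected networks."""
    tp, fp, fn = len(flagged & truth), len(flagged - truth), len(truth - flagged)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def constructed_flows():
    """Constructed sample traffic: one textbook flood, one benign bulk transfer
    from a single host, and one low-and-slow flood that stays under the threshold."""
    flows = []
    for i in range(8):                      # 8 bots hammer www in the first 10 s
        for k in range(10):
            flows.append(Flow(k, f"10.0.0.{i + 1}", "www.example.gov", 512))
    for k in range(60):                     # one backup host: high volume, one source
        flows.append(Flow(k % 10, "10.0.1.9", "intranet.example.gov", 65536))
    for i in range(8):                      # 8 bots trickle to api for 5 minutes
        for k in range(30):
            flows.append(Flow(k * 10, f"10.0.2.{i + 1}", "api.example.gov", 256))
    return flows


if __name__ == "__main__":
    flagged = flag_flood_targets(constructed_flows())
    print(flagged, evaluate(flagged, {"www.example.gov", "api.example.gov"}))
```

The single-host transfer is correctly ignored, but the low-and-slow flood against api is missed, which is why a per-window threshold alone gives 1.0 precision and only 0.5 recall on this sample.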

At its heart, HACCS aims to accurately identify and fingerprint botnet-conscripted networks to determine if botnets are present, the number and types of devices on such networks, and the software running on those devices to such an extent that the solutions can infer the presence of known vulnerabilities. Packet Forensics’ technology falls under this category, the DARPA spokesperson told Nextgov. 

Then, HACCS is designed to generate “non-disruptive software exploits for a large number of known vulnerabilities that can be used to establish initial presence in each botnet-conscripted network without affecting legitimate system functionality.” Basically, once HACCS identifies a botnet-infected network, it aims to hack into the network without disrupting it.

Finally, HACCS is designed to “create high-assurance software agents that safely, reliably, and autonomously navigate within botnet-conscripted networks, identify botnet implants, and neutralize them or otherwise curtail their ability to operate, while minimizing side effects to these neutral systems and infrastructure.” HACCS aims to disrupt botnets without harming the networks they have infected.

