Market Brief

A Multifaceted Approach to Detecting Botnets

Download Market Brief

Botnets have unfortunately become a ubiquitous issue for government and enterprise networks, with single botnets known to infect hundreds of thousands and even millions of machines. In a recent study by the Ponemon Institute, 71 percent of firms surveyed found computers in their networks that were part of a botnet.1 By taking over the computers of internal users and directing them to spread attacks and steal data via command-and-control (C&C) servers, botnets pose a particularly nefarious threat.

Botnet \ noun;
A group of “zombie” or “robot” computers that have been
hijacked by online criminals to spread spam/malware or
steal data and resources

Since they are a fast-moving target, botnets are difficult to detect with conventional security tools like firewalls, antivirus and IDS/IPS. Additionally, the spread of botnets and other malware across the internal network cannot be uncovered by perimeter defenses. Through sophisticated behavioral analysis and cutting-edge threat research, Lancope delivers unparalleled internal visibility and security context, preventing botnets and other cyber-attacks from taking over corporate and government networks.

StealthWatch Botnet Detection

  • Detection of either attempted or successful C&C communications
  • Reporting on the specific botnet name responsible for the infection
  • Detection of C&C servers operating within a network
  • In-depth traffic reporting and analysis of the C&C communications
  • Accelerated priority of other suspicious network activity from infected hosts
  • Visual tagging of malicious hosts for fast identification
  • Correlation of user and device information for the infected hosts to add context
  • Utilization of application metadata such as HTTP URLs from the StealthWatch FlowSensor™ to increase accuracy of detection

Lancope’s StealthWatch System can detect C&C communications between botnet attackers and compromised hosts within the network.Lancope’s StealthWatch System can detect C&C communications between botnet attackers and compromised hosts within the network.

In-depth, Internal Network Visibility

Lancope’s StealthWatch® System takes a multifaceted approach to botnet detection by combining indepth, internal visibility and global threat intelligence. Not relying on signature updates to detect attacks, StealthWatch conducts sophisticated behavioral analysis on NetFlow, IPFIX and other types of flow data to provide a comprehensive picture of what is happening inside the network at any given time. This insight enables IT administrators to quickly discover and track the spread of an attack between internal hosts, as well as identify when users are conducting suspicious communications with external C&C servers.

Knowing what is going on inside a network is now just as critical as knowing what threats lurk on the outside. According to Forrester Consulting, “Today, information security success is no longer defined by preventing attacks, but instead by how quickly organizations can detect and contain breaches.”2

In addition to protecting Global 2000 and government customers worldwide, Lancope is also part of the Cisco Cyber Threat Defense Solution, designed to combat the most stealthy, sophisticated cyber-attacks infiltrating enterprise networks. As part of its inclusion in the solution, StealthWatch provides a specialized dashboard for tracking communications between C&C servers and compromised hosts within the network to detect botnets before they wreak havoc on network assets.

Advanced Threat Intelligence

Lancope’s StealthWatch Labs research team conducts inhouse research and taps into a broad community of thirdparty experts to aggregate emerging threat information from around the world. The mission of StealthWatch Labs is to protect Lancope customers by building innovative, robust capabilities into StealthWatch that can detect, analyze and remediate advanced security threats. Members of the StealthWatch Labs research team have decades of combined experience at the forefront of computer security. Lancope also maintains a vast network of partnerships with third-party organizations – including Cisco, Team Cymru and the Georgia Institute of Technology, to name a few – in order to remain on the cutting edge of worldwide developments in networking and security.

The StealthWatch Labs team leverages global threat intelligence to reproduce and study real-world attack activity in its laboratories in Atlanta, GA. Studying realworld attacks and evasions, and keeping abreast of the latest developments in malicious software, enables StealthWatch Labs to:

  • Develop and refine the behavioral anomaly detection algorithms that are at the core of StealthWatch’s security capabilities
  • Inform customers and the public of top security threats through the StealthWatch Labs Intelligence Center (SLIC) (slic)
  • Deliver an advanced threat feed that customers can choose to incorporate into their StealthWatch deployment

With the SLIC Threat Feed, data on known botnets is automatically incorporated into StealthWatch.With the SLIC Threat Feed, data on known botnets is
incorporated into StealthWatch.

The SLIC Threat Feed

The SLIC Threat Feed offers advanced botnet detection capabilities, continuously monitoring customer networks for thousands of known C&C servers and automatically adding new botnets to its radar as they are identified in the wild. From there, StealthWatch generates alarms and Concern Index™ events to flag these communications for administrators so they can be prioritized and swiftly mitigated. By correlating flow data with global threat intelligence, Lancope provides enhanced detection capabilities for botnets and other advanced malware. Combining real-time data on threats from criminal organizations with insight on suspicious network activity allows StealthWatch to uniquely provide information around the full security incident. StealthWatch pinpoints the specific port, protocol and URL used for suspicious communications to increase accuracy of detection. The system can also identify the exact users and devices that are communicating with malicious IP addresses, helping to further pinpoint infected machines on the network.


1 – Ponemon Institute, “2012 Cost of Cyber Crime Study: United States,” October 2012

2 – “Responding To New Threats Requires A New Approach,” a commissioned study conducted by Forrester Consulting on behalf of Cisco Systems and Lancope, August 2012