Botnet activity inside organisations predicts likelihood of future data breach

Those with highest activity 2.2 times more likely to have been breached

Organisations showing evidence of botnets inside their networks are not only more likely to suffer a data breach, the level of botnet activity correlates directly to increased risk, security analytics firm BitSight has suggested after analysing incidents at more than 6,000 companies.

That botnets augur badly for an organisation's chances of suffering a data breach sounds obvious - botnets are often designed to pillage the credentials used in attacks, after all - but the fact that greater botnet activity increases risk still further remains an intriguing finding.

BitSight spent the year up to March 2015 looking at the security ratings it had handed out to 6,273 mostly US-based firms of 1,000 employees and larger, using a range of worrying security symptoms to calculate grades from A (best) to F (worst).

In total, 199 (3.3 percent) had suffered a disclosed data breach and 96.7 percent hadn't; both groups were then checked to see whether security symptoms (spam, compromised servers, botnets, malware) lined up with a higher risk of being in the former group.

The 1,536 organisations with the lowest grade of botnet activity (grade A) turned out to have suffered breaches on 26 occasions (1.7 percent of the total) while the 4,536 organisations showing higher levels of botnets (grade B) had suffered breaches on 172 occasions (a 3.7 percent incidence).

Although not a massive difference in absolute terms, the figures suggest that firms with higher botnet activity were on the basis of this sample 2.2 times more likely to have suffered a data breach, a statistically significant contrast.
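The 2.2-times figure is the ratio of the two breach rates quoted above. As an added example (not BitSight's own analysis code), the script below recomputes the relative risk from the unrounded counts, together with a 95% confidence interval and a Pearson chi-square statistic for the 2x2 table; the interval and test are standard methods chosen here, since the article says only that the contrast is "statistically significant" without naming a test.

```python
"""Relative risk and a significance check for the botnet-grade comparison,
using the counts quoted in the article (constructed example, not BitSight's
own code)."""
import math

# Counts from the article: grade A networks vs networks with higher botnet activity
GRADE_A = {"breached": 26, "total": 1536}
LOWER_GRADES = {"breached": 172, "total": 4536}


def relative_risk(exposed, baseline):
    """Breach rate in the 'exposed' group divided by the rate in the baseline group."""
    p_exposed = exposed["breached"] / exposed["total"]
    p_baseline = baseline["breached"] / baseline["total"]
    return p_exposed / p_baseline


def relative_risk_ci(exposed, baseline, z=1.96):
    """Wald confidence interval on the log relative risk (95% for z=1.96)."""
    rr = relative_risk(exposed, baseline)
    se_log_rr = math.sqrt(1 / exposed["breached"] - 1 / exposed["total"]
                          + 1 / baseline["breached"] - 1 / baseline["total"])
    return (math.exp(math.log(rr) - z * se_log_rr),
            math.exp(math.log(rr) + z * se_log_rr))


def chi_square_2x2(exposed, baseline):
    """Pearson chi-square statistic for the 2x2 breached/not-breached table
    (one degree of freedom, no continuity correction)."""
    a, b = exposed["breached"], exposed["total"] - exposed["breached"]
    c, d = baseline["breached"], baseline["total"] - baseline["breached"]
    n = a + b + c + d
    return n * (a * d - b * c) ** 2 / ((a + b) * (c + d) * (a + c) * (b + d))


if __name__ == "__main__":
    rr = relative_risk(LOWER_GRADES, GRADE_A)
    lo, hi = relative_risk_ci(LOWER_GRADES, GRADE_A)
    chi2 = chi_square_2x2(LOWER_GRADES, GRADE_A)
    # A chi-square above 10.83 corresponds to p < 0.001 with one degree of freedom
    print(f"relative risk {rr:.2f} (95% CI {lo:.2f}-{hi:.2f}), chi-square {chi2:.1f}")
```

The unrounded counts give a relative risk of about 2.24 with a confidence interval that excludes 1, which is what the article's "statistically significant" claim amounts to.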

Breaking this down by sector showed that education was the poorest performer, perhaps not a surprise. This sector had the smallest number of grade A networks (the best) and the highest number of grade F networks (the worst).

Utilities was the next worst performer, ahead of data breach hotspot healthcare and then retail, in that order. Finance was the best performing sector, differences BitSight has commented on before.

Much of the botnet data was fed into the analysis from sensors deployed by Portuguese security firm AnubisNetworks, acquired by BitSight last October.

One detail from the education figures is that it is not only PCs and servers that are at risk of generating botnet traffic. One of the prime causes of high botnet activity at US universities turned out to be Mac malware such as the Flashback Trojan, something BitSight reported in a previous analysis.

But what in the end can be inferred from this correlation apart from the obvious point that botnets are bad news?

Logically, if botnets do stand out from other negative security measurements in this way, detecting them offers a new way of predicting the likelihood of a future breach.

"The implications for organisations across industries are that botnet infections cannot be ignored. Companies with poor botnet grades have been breached far more often than those with good grades, and actions should be taken to mitigate these risks," said BitSight's researchers in their report.

This doesn't mean that the botnets themselves are causing the increased risk, although that remains possible. More likely, said BitSight, their presence was indicative of the failure of security controls inside the affected organisation.

BitSight has also reported on the effect data breaches are having on a variety of US sectors, most recently recording a dip in performance on the basis of its own security metrics. Some sectors are also more at risk of breaches than others.

It remains an intriguing possibility (one that BitSight would welcome for commercial reasons) that organisations might one day be assessed for security risk on the basis of independent ratings such as BitSight's.
