A botnet is a network of malware-infected devices. Cybercriminals can then direct the botnet to (among other actions) send phishing emails, engage in click fraud, steal information, and launch distributed denial of service (DDoS) attacks. Frighteningly, infected hosts may show no signs or symptoms of infection, simply lying in wait for months or years until their eventual call into service.
Infections aren't limited to laptops and phones. Consider also the billions of network-enabled IoT devices, many of them running unpatched micro-kernels and often vulnerable to infection. In 2016, an army of Mirai-infected routers, cameras, and even baby monitors attacked a domain name service provider, interrupting popular internet sites for several hours.
Botnets employ different tricks, such as peer-to-peer command and control and fast-flux DNS, to evade detection. Sadly, botnets are a reality, not something out of a sci-fi series. Worse, their numbers and sizes are growing every day. Thankfully, we have an architecture for fighting back!
Apache Metron is a horizontally scalable cyber security analytics platform that ingests, enriches and triages events in real-time. This presentation details how to use the unique features of Apache Metron, Zeppelin, and Spark to detect, investigate, visualize, and respond to botnets.
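As an added illustration of the fast-flux DNS evasion mentioned above, and of the kind of triage rule a platform like Metron would apply to enriched DNS events, here is a standalone Python heuristic written for this page. It is not code from the talk or from Apache Metron. The DNS answer records are constructed sample data, and the thresholds (number of distinct addresses, number of distinct /16 prefixes, average TTL) are illustrative assumptions, not values the presentation specifies.

```python
"""Fast-flux DNS heuristic over constructed DNS answer observations.

Fast-flux domains rotate rapidly through many unrelated IP addresses with
short TTLs so that takedown of any single host does not disrupt the botnet.
A legitimate CDN or mail round-robin also changes answers, but usually within
a small set of addresses in the operator's own networks. The rule below
combines three signals so that short TTL alone is not enough to alert.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class DnsAnswer:
    ts: int       # epoch seconds when the answer was observed
    qname: str    # queried domain name
    rdata: str    # resolved IPv4 address
    ttl: int      # TTL advertised in the answer


# Constructed sample observations (assumption: not real traffic).
# flux-c2.test rotates through six addresses in six unrelated /16 networks
# with short TTLs; example-cdn.test uses a few addresses in one network with
# long TTLs; mail.example.test has short TTLs but only three addresses in one
# network, so it must not be flagged.
SAMPLE_ANSWERS: List[DnsAnswer] = [
    DnsAnswer(0,    "flux-c2.test", "198.51.100.7",  120),
    DnsAnswer(300,  "flux-c2.test", "203.0.113.41",   60),
    DnsAnswer(600,  "flux-c2.test", "192.0.2.19",    180),
    DnsAnswer(900,  "flux-c2.test", "100.64.12.5",    60),
    DnsAnswer(1200, "flux-c2.test", "10.77.3.9",     120),
    DnsAnswer(1500, "flux-c2.test", "172.16.88.2",   300),
    DnsAnswer(0,    "example-cdn.test", "203.0.113.10", 3600),
    DnsAnswer(600,  "example-cdn.test", "203.0.113.11", 3600),
    DnsAnswer(1200, "example-cdn.test", "203.0.113.10", 3600),
    DnsAnswer(1800, "example-cdn.test", "203.0.113.12", 3600),
    DnsAnswer(0,    "mail.example.test", "192.0.2.5", 60),
    DnsAnswer(60,   "mail.example.test", "192.0.2.6", 60),
    DnsAnswer(120,  "mail.example.test", "192.0.2.7", 60),
    DnsAnswer(180,  "mail.example.test", "192.0.2.5", 60),
]


def ipv4_prefix16(ip: str) -> str:
    """Return the /16 prefix ("a.b") of a dotted-quad IPv4 address."""
    return ".".join(ip.split(".")[:2])


def fast_flux_scores(answers: Iterable[DnsAnswer],
                     min_ips: int = 5,
                     min_prefixes: int = 3,
                     max_avg_ttl: float = 300.0) -> Dict[str, dict]:
    """Group answers by domain and score each for fast-flux behaviour.

    A domain is marked fast_flux only when it resolves to at least min_ips
    distinct addresses spread over at least min_prefixes distinct /16
    networks AND its average TTL is at most max_avg_ttl seconds.
    """
    per_domain: Dict[str, List[DnsAnswer]] = defaultdict(list)
    for a in answers:
        per_domain[a.qname].append(a)

    report: Dict[str, dict] = {}
    for qname, obs in per_domain.items():
        ips = {o.rdata for o in obs}
        prefixes = {ipv4_prefix16(o.rdata) for o in obs}
        avg_ttl = sum(o.ttl for o in obs) / len(obs)
        suspicious = (len(ips) >= min_ips
                      and len(prefixes) >= min_prefixes
                      and avg_ttl <= max_avg_ttl)
        report[qname] = {
            "unique_ips": len(ips),
            "unique_prefixes": len(prefixes),
            "avg_ttl": avg_ttl,
            "fast_flux": suspicious,
        }
    return report


def flagged_domains(answers: Iterable[DnsAnswer]) -> List[str]:
    """Sorted list of domains the heuristic would escalate for triage."""
    return sorted(q for q, r in fast_flux_scores(answers).items() if r["fast_flux"])


if __name__ == "__main__":
    for qname, r in fast_flux_scores(SAMPLE_ANSWERS).items():
        print(f"{qname:20} ips={r['unique_ips']} /16s={r['unique_prefixes']} "
              f"avg_ttl={r['avg_ttl']:.0f}s fast_flux={r['fast_flux']}")
    print("flagged:", flagged_domains(SAMPLE_ANSWERS))
```

In a streaming deployment the same grouping would be done per domain over a sliding time window rather than over a static list, and the resulting flag would become one triage score alongside other enrichments (threat-intel hits, domain age, query volume) rather than an alert on its own; requiring several unrelated networks is what keeps ordinary round-robin and CDN names below the threshold.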