Using deception to gain enterprise IoT attack visibility

The main lessons from attacks against Internet of Things (IoT) devices are to change default usernames and passwords, use longer passphrases to avoid brute force attacks, and make sure devices have enough memory for firmware and kernel updates to remove vulnerabilities or service backdoors, plus implement strong encryption for communications.

Also, having IoT devices connected to standard PC platforms is not advised given endpoints are often the foothold in most attacks. Case in point with the Stuxnet attack impacting uranium enrichment in nearly 1,000 centrifuges by compromising programmable logic controllers (PLCs) connected to a PC platform a few years ago.

IoT security advice is easier said than done with the wide array of doorbells, smart locks, thermostats, sprinklers, home assistant speakers, lighting, toasters, appliances, and smart TVs people quickly set up.

The more connected devices we enable, the more opportunity for attacks against these devices where security can be an afterthought in design. For consumers, price or cost is a key factor and security can be expensive in small devices. For enterprise IoT the scope can be narrower focusing on insecure routers, printers, cameras, and automated lighting as first concerns open to IoT attacks.

However, IoT devices make easy targets for automated scanning to develop large botnets when default access remains unchanged or open vulnerabilities exist. For example, a Mirai IoT botnet launched DDoS attacks against a leading DNS provider to impact major websites and web access in major cities. Today, there are over 500,000 known Mirai botnets. No surprise given the popularity and growth of consumer IoT devices out numbering humans on the planet today and expected to surpass 20 billion devices by 2020.

Consumer IoT device botnets are going to further enable email spam, distributed denial of service attacks and other cyber nuances for years to come. For enterprises, email spam and phishing from IoT botnets is a concern as they often lead to an initial point of infection for attacks to then expand their footprint. For this reason, enterprise IoT devices (printers, cameras, smart lighting, etc.) should not be exposed to the internet or enabled on networks with end user PC platforms. Many IoT devices run the Busybox operating system still maturing for open vulnerabilities and security concerns.

Even away from the internet and end user systems, enterprise IoT devices if accessed are very likely open to attack and compromise. For this reason, providing attackers what they desire is an opportunity for a proactive defense to lure, detect and defend. IoT devices are not open to agents for direct prevention and detection defenses and communications should be encrypted. This makes deception defenses with decoys and services for IoT devices a logical choice. Internal post-breach attacks scanning and use known IoT device access credentials or service backdoors are lured to decoys and services for detection.

One good piece of news is that capture the flag exercises with a variety of deception defense decoys and breadcrumbs show that IoT devices are a low priority for post breach initial attacks. Human attackers prefer files, email and unstructured data while automated malware prefers applications and web browser structured data. In both cases for man or machine they initially seek credentials for expanded access and lateral movement, which may eventually lead to enterprise IoT devices.