Mitigating IoT security risks through the use of deception technology

New attack surfaces call for new defense measures

IoT presents an unconventional attack surface, opening additional access points where attackers can establish a foothold and exploit corporate networks — often undetected by traditional perimeter defenses. A recent Kaspersky Labs report confirmed that these weaknesses are being exploited with alarming regularity. In the first half of 2018 alone, researchers identified three times as many malware samples attacking IoT-enabled devices than in all of 2017 — and 10 times the 2016 total. Not only are attackers aware of these vulnerabilities, they are targeting them at an accelerating rate.

Recognition of this threat is growing, not just within the industry, but within law enforcement as well. This August, the FBI issued a public service announcement titled “Cyber Actors Use Internet of Things as Proxies for Anonymity and Pursuit of Malicious Cyber Activities.” The PSA warned both manufacturers and users of IoT-enabled devices of the vulnerabilities inherent to the network and common ways that attackers attempt to exploit them. While the PSA also made a number of suggestions regarding how to address these vulnerabilities, these recommendations are neither comprehensive nor enforceable.

States, too, have begun to take notice, and this year California became the first state in the U.S. to pass a bill regulating IoT security. The bill, SB-327, will require manufacturers to equip connected devices with a “reasonable security feature or features that are appropriate to the nature and function of the device” when it takes effect in January 2020. The bill also includes specific security measures, including a mandate that smart devices must come preprogrammed with a password “unique to each device manufactured”– a statute aimed at addressing one of the most well-known IoT vulnerabilities, and one famously exploited by malware such as the Mirai botnet.

Don’t Just React to Regulations. Take Proactive Measures.

While California SB-327 is a good first step, the language in the bill is vague, leaving a lot to interpretation. For example, what constitutes a “reasonable security feature”? How does the government decide what measures are “appropriate to the nature and function of the device”? While specific password management guidelines serve to address certain vulnerabilities, the regulations feel far from complete — especially when compared to other industries. There are clearly defined Federal oversights and regulations for something as simple as a lightbulb, for which customers can easily find UL Ratings, energy efficiency listings and more.

With that in mind, security teams and business leaders will need to take their own proactive steps to protect their environments from harmful attacks, especially those originating from these and other emerging attack surfaces. For many, this will require a shift in thinking, as traditional cybersecurity measures have focused on perimeter defense and the assumption that they can apply security controls such as antimalware or other policies to prevent a compromise. Today, those actions are no longer sufficient. Security professionals must accept that they may not know when these devices are introduced into their networks, and understand that this creates additional security risks that require additional security measures. To prepare for attacks on these devices and to further fortify their networks, security teams will need a new approach that includes a comprehensive set of detection and response tools that are designed to identify infected systems before they can inflict harm.

Deception technology is now recognized as one of the most effective methods for detecting in-network threats across all attack surfaces — including difficult-to-secure IoT, industrial control systems, point-of-sale terminals and other devices. Capable of detecting threats that have bypassed traditional security controls, deception technology is a particularly powerful tool for reducing “dwell time,” or the amount of time an attacker spends in the network before being detected. The technology works to effectively detect, isolate and defend against network attacks by deploying a sophisticated network of lures and traps, designed to draw intruders into an authentic-looking deception environment where a high-fidelity alert is raised and intelligence about the attack is gathered and can be shared with other security controls for accelerated incident response.

“As the attack surface continues to expand, organizations are increasingly seeking solutions that provide early detection and visibility for specialty environments,” explained Rik Turner, principal analyst at Ovum. “Because of its efficacy, deception technology is now entering the mainstream and will soon be in the armory of most businesses.”

Security regulations continue to lag woefully behind the pace of IoT innovation as both Federal and state governments struggle to define enforceable policies for unsecured smart devices. Given the Federal delays in defining governance, other states will soon join California in imposing new regulations, creating a patchwork quilt for both suppliers and organizations to stitch together to create their compliance and maintain their IoT policies. That said, organizations are wise not to wait and should start taking immediate steps to protect themselves as these devices creep more and more into their environments. The use of deception technology along with proactive defense measures will keep organizations prepared for IoT attacks and from falling victim to attacks on their own infrastructure or in the indirect use of their devices to attack others.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.