Persistence of IoT botnets requires a security-driven network

Botnets continue to plague IoT devices, resulting in a range of criminal activity from denial of service attacks and dropping malicious payloads such as ransomware to hijacking unused IoT device CPU cycles for things like crypto mining. One of the most interesting aspects of botnets is their longevity and persistence.

Botnets persist quarter after quarter

According to Fortinet’s most recent threat landscape report, today’s top botnets tend to carry over with little change from quarter to quarter or from region to region, more so than for any other type of threat. For example, Mirai –active since 2016 — still sits in the top five of the most prevalent botnets identified in Q3 of 2019. That provides an interesting window into modern cybercrime, especially given the damage caused when Mirai was first released.

First, it suggests that the underlying control infrastructure is more permanent than any particular tools or capabilities. This is due, in part, to the fact that the traffic to and from IoT devices in many organizations is not being identified or tracked. As a result, communications back and forth from compromised IoT devices and their criminal control systems tend to continue uninterrupted. As the saying goes — as least as far as these cybercriminals are concerned — “if it ain’t broke, don’t fix it.”

One of the reasons botnets remain a common issue is that the OSes of many IoT devices cannot be patched or updated. This means that if a connected IoT device is vulnerable, it is at risk of being exploited. Because IoT communications traffic is not being tracked, too many organizations have little to no idea that the IoT devices attached to their networks pose a risk.

Perhaps most importantly, the prevalence of botnets indicates that far too many organizations either do not understand the risk that compromised IoT devices represent or simply feel that there is little they can do to protect themselves. Of course, even if deployed IoT devices can’t be patched or upgraded, there are plenty of things organizations can do to reduce the risk that such devices introduce. This begins by adopting a strategy that some cybersecurity professionals refer to as zero trust network access.

Steps to secure connected IoT resources

The basic idea is to assume two things. The first is that every device on your network, including your IoT devices, may have already been compromised. The second is to assume that users cannot necessarily be trusted and can be spoofed. As a result, the ability to see and communicate with connected devices needs to be explicitly authorized and strictly controlled. Achieving this zero trust network access includes the following elements:

Multi-factor authentication (MFA): Users need to validate themselves to the network using MFA before they can access, deploy, manage or configure any device anywhere on the network.

Network access control: Any device seeking access to networked resources — whether inside or outside the network — needs to go through a network access control system. This ensures that devices are identified and authenticated based on several criteria and then dynamically assigned to predetermined segments of the network.

Intent-based segmentation: Dividing the network into functional segments is essential to manage today’s expanding networked environments and to limit the damage caused by a compromised device or rogue user. By interfacing with a next-generation firewall, segments can be dynamically created based on the business objectives of devices seeking access to networked resources.

Inventory management: One of the Achilles’ heels of an IoT-based infrastructure is that many organizations have lost visibility into what devices are connected to their network, where they are located, or what other devices they can communicate with. Inventory management is essential in keeping track of your IoT devices and can be connected to your network access control system and segmentation solutions to know what devices are actively connected to your network and where in your network they have been deployed.

Threat intelligence: IT teams need to be able to map ongoing threat information about active compromises and vulnerable systems to existing IoT inventory. This mapping process enables network administrators to prioritize things like patching devices that support that process and to strengthen proximity controls and segmentation rules for devices that can’t be updated.

Behavioral analytics: Finally, a system needs to be put in place that can baseline normal IoT device behavior and then alert on anything out of the ordinary. For example, digital cameras broadcast specific types of data to specific destinations. But they should rarely if ever request data, and they should never transmit any data to other devices or destinations. And if they do, your network should immediately recognize such unauthorized behavior, quarantine the device and provide an alert to a systems administrator.

A security-first networking strategy is the best place to start

IoT devices have become an essential component of any organization looking to succeed in today’s digital marketplace. However, malicious actors continue to aggressively target these devices because they tend to be easy to exploit, and once they have been compromised they tend to remain compromised. Organizations that increasingly deploy and rely on IoT devices — especially as they begin to develop complex, integrated systems such as smart buildings — need an effective strategy in place to see, monitor, control and alert on every connected device in their digital infrastructure. That begins with an integrated, systemic approach that ties critical security and networking systems together into a single, security-driven networking strategy that can enable and ensure zero trust network access.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.

Data Center
Data Management