beebright - stock.adobe.com
How to detect a botnet infecting IoT devices
Detecting IoT botnets can be extremely difficult, but with this expert advice, organizations can take steps to detect and prevent attackers from hijacking IoT devices.
Although researchers and security vendors focus their business on finding and stopping the malware that turns IoT devices into botnets, chief information security officers and their own teams must also be diligent about spotting and blocking such attacks.
That's no easy feat, said Philip Chan, an adjunct associate professor in the computer science and cyber security department at the University of Maryland Global Campus.
"There is no direct way or a simple task to detect botnet attacks," Chan said, noting that most botnets' commands are subtle and not easy to pinpoint as anomalies.
IoT devices face a rising wave of attacks aimed at enlisting them into botnets. Early in 2020, researchers with the group MalwareMustDie and the security firm Intezer identified a new botnet, dubbing it Kaiji, and warned that it was targeting IoT devices. In April, researchers at Bitdefender, a security software company, announced they had identified a new IoT botnet, which they named dark_nexus. Around the same time, tech company CenturyLink announced that its Black Lotus Labs found the new Mozi malware amassing IoT bots. Kaspersky Lab, the security software maker, detected more than 100 million attacks on smart devices during the first half of 2019, up from 12 million during the first half of 2018.
Chan and other experts offered several steps that organizations can and should take so they're able to detect and defend against a botnet attack.
Implement standard cybersecurity practices
Organizations must extend established cybersecurity best practices to their IoT environment, including routers, endpoint devices and networking equipment. Chief information security officers (CISOs) should ensure that all equipment is capable of being updated and patched; that those updates and patches are applied when available; and that antivirus, intrusion detection and other security tools are deployed.
CISOs can also implement segmentation to help prevent successful malware attacks against IoT devices, said Gregory J. Touhill, an adjunct faculty member at Carnegie Mellon University's Heinz College of Information Systems and Public Policy. He is also a retired U.S. Air Force brigadier general and was previously selected as the first federal CISO in the U.S. CISOs can create software-defined parameters wrapped around segments and then establish rigorous authentication requirements to limit what can access the IoT devices. For example, CISOs could limit access to IoT devices to only systems within the corporate network on a specific IP address and block everything going out except that communication.
Look for suspicious communications and code
Compromised devices that are part of a botnet communicate back to a command-and-control point -- typically initiating that communication when first compromised. Compromised devices may send out other communication as well. CISOs should monitor activity to spot outgoing packets and pay attention if they align with suspicious incoming activity, said Christopher McElroy, a senior consultant at management consulting firm Swingtide.
Security experts can also dissect and scrutinize malware code to find signatures, Chan said.
"Decompilers and disassemblers to reverse-engineer the compiled code may help to identify the root source of the botnet's possible program code and execute commands," he said.
This approach, however, may be beyond what many CISOs and security teams can handle on their own, given their resources and the steps hackers take to obfuscate the malware.
"Botnet writers and creators are stopping investigators [from] following their tracks by using integrated encryption techniques, which makes the reverse process much more difficult," Chan said.
David MonnierFellow and director of client success, Team Cymru
Because botnet detection requires visibility into the communication between a malicious server and deployed bots, another way for detecting botnets is tracing and analyzing the used attacks.
"Some published standard security solutions may provide visibility like the botnet attack's origination," Chan said. "During a botnet's exploitations, there are telltale signs of its footprints. The same IP addresses may connect to the same sites while using the same payloads and similar attack patterns. distributed denial-of-service attack attempts by a botnet on a web service are one typical scenario."
Another way to detect botnets is to use existing security reference solutions and obtain up-to-date information from conventional vulnerability scanners, he said. Such steps help organizations continually learn and discern ordinary traffic flows from malicious, botnet-driven traffic.
If possible, remove the compromised device
If a CISO suspects a compromised IoT device, security should first determine what impact removing the device will have, said David Monnier, a fellow and director of client success at Team Cymru, an internet security and threat intelligence firm. That's why CISOs need a full understanding of and visibility into their IoT ecosystem.
"In the case of IoT, it can sometimes have major impacts like power not being delivered or infrastructure like water pumps not working," he said. "Given the potential massive impact an IoT compromise can have, it's absolutely wise to leverage the network, and even the internet, as part of a prevention, monitoring and detection strategy. Using things like specific [virtual LANs] on the local network, specific and restrictive access policy at the boarders, and external intelligence and monitoring services are all wise and necessary to ensure adequate security."