The Internet of Everything Is Here: How Do We Secure It?
Keith Wilson, Systems Engineer
IoT Security Challenges
The Ever Expanding Attack Surface
Security Is Hard
SHODAN – Google Dorking The IoT
Defining The Aggressors
• Activists
• Organized Crime
• Competition
• Nation States
Health Care
All Your Medical Devices Are Belong To Us
• IoT is made up of life-saving and life-sustaining devices
• Most devices have weak passwords, hard-coded passwords, and/or insecure embedded web servers
• Health care companies are a huge target due to the value of personal medical information.
The Michael Weston Theory of Security vs. Accessibility
Manufacturing
All Your Assembly Lines Are Belong To Us
• IoT has existed for a long time in manufacturing
• SCADA systems are hard to protect because protective controls can interfere with production
• Compromise can lead to physical destruction
• Manufacturers are a target because of the value of their IP and M&A data.
Financial Services
All Your Insurance Data Are Belong To Us
• Insurance companies are embracing IoT
• Currently auto insurance companies, but health and life insurance companies will soon follow
• Targeted for detailed customer information
Retail
All Your Point of Sale Are Belong To Us
• Retail has been a target of organized crime for years.
• More detailed customer information = more attacks from other groups
• IoT could provide pivot points for access to PoS or manipulation of inventory
IoT Security Challenges
These Aren’t Your Traditional Devices
• Lacks an update interface, or any update mechanism at all
• Can be a black box
• No encryption or poor encryption
Not Traditional For Admins
• Not security experts
Not Traditional For Developers
• Traditional development accounted for patching and updates; IoT does not
IoT Security Challenges
Protecting The Consumer
Tobias Zillner, Cognosec: “… security is very often sacrificed or neglected due to fear of reduced or limited usability or fear of breaking backwards compatibility.”
Hacking Nest
The Human SCADA System
Focus Areas
Where Do We Start?
• Username enumeration
• Account lockout
• Weak passwords
• Unencrypted services
• Poorly implemented encryption
• Updates are sent without encryption
• Lack of two-factor authentication
Secure At The Application
Working with OWASP
Secure At The Network
[Figure: attack stages: Recon → Exploit → Command & Control → Pivot → Data Staging → Data Exfiltration]
Segmentation
• Helps to maintain security and network performance
• Limit access to and from IoT devices
• Logical segmentation is a “soft” approach that helps with planning and validation
User Activity Monitoring
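As an added example (not from the slides or from Lancope), the script below replays constructed NetFlow-style records against an assumed zone policy to validate a logical IoT segmentation before it is enforced, and labels each flow the policy would have blocked with the attack stage it most resembles, which is also the kind of activity monitoring the slides call for. The zone prefixes, permitted ports, byte threshold and sample flows are all assumptions.

```python
"""Replay flow records against a logical IoT segmentation policy (added example; all values are constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan: which prefixes belong to which logical zone.
ZONES = {
    "IOT": [ip_network("10.20.0.0/16")],
    "MGMT": [ip_network("10.10.0.0/24")],
    "CORP": [ip_network("10.30.0.0/16")],
}

# Assumed policy: (src_zone, dst_zone) -> destination ports allowed to cross.
# Any other cross-zone flow that touches the IOT zone is a violation.
POLICY = {
    ("IOT", "MGMT"): {443, 8883},  # telemetry / MQTT over TLS to the collector
    ("MGMT", "IOT"): {22, 443},    # administration from the management hosts
}

# Assumed threshold: an outbound Internet flow above this many bytes is
# labelled as possible exfiltration rather than beaconing.
EXFIL_BYTES = 10_000_000


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent from src to dst


@dataclass(frozen=True)
class Violation:
    flow: Flow
    src_zone: str
    dst_zone: str
    stage: str  # attack stage the flow most resembles (heuristic label)


def zone_of(addr: str) -> str:
    """Map an address to its logical zone; anything unlisted counts as INTERNET."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "INTERNET"


def classify(src_zone: str, dst_zone: str, flow: Flow) -> str:
    """Heuristic mapping of a disallowed flow onto the stages shown on the slide."""
    if src_zone == "IOT" and dst_zone == "INTERNET":
        if flow.bytes_out > EXFIL_BYTES:
            return "data exfiltration"
        return "command & control"
    if src_zone == "INTERNET" and dst_zone == "IOT":
        return "recon/exploit"
    if src_zone == "IOT":
        return "pivot"  # device reaching into another internal zone
    return "policy violation"  # another internal zone reaching into IOT


def check_flows(flows):
    """Return every flow the segmentation policy would have blocked."""
    violations = []
    for flow in flows:
        src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        if "IOT" not in (src_zone, dst_zone):
            continue  # this policy is scoped to the IoT zone only
        if src_zone == dst_zone:
            continue  # intra-zone traffic is not governed by the zone policy
        if flow.dport in POLICY.get((src_zone, dst_zone), set()):
            continue  # explicitly permitted
        violations.append(Violation(flow, src_zone, dst_zone,
                                    classify(src_zone, dst_zone, flow)))
    return violations


def summarize(violations):
    """Count violations per heuristic stage, for a quick planning report."""
    counts = {}
    for v in violations:
        counts[v.stage] = counts.get(v.stage, 0) + 1
    return counts


# Constructed sample flows (NetFlow-style records reduced to the fields used).
SAMPLE_FLOWS = [
    Flow("10.20.4.7", "10.10.0.5", 8883, 1_200),          # allowed: telemetry
    Flow("10.10.0.9", "10.20.4.7", 22, 3_000),            # allowed: admin SSH
    Flow("10.20.4.7", "10.30.1.15", 445, 800),            # IoT -> corp file share
    Flow("10.20.4.7", "203.0.113.10", 443, 52_000_000),   # IoT -> Internet, large
    Flow("10.20.4.8", "203.0.113.10", 443, 900),          # IoT -> Internet, small
    Flow("198.51.100.7", "10.20.4.8", 23, 200),           # Internet -> IoT telnet
    Flow("10.20.4.7", "10.20.4.9", 80, 300),              # intra-zone, not checked
]

if __name__ == "__main__":
    found = check_flows(SAMPLE_FLOWS)
    for v in found:
        print(f"{v.src_zone}->{v.dst_zone} {v.flow.src} -> {v.flow.dst}:{v.flow.dport} "
              f"({v.flow.bytes_out} B) resembles {v.stage}")
    print("summary:", summarize(found))
```

Running the policy in report-only mode like this shows which existing flows an ACL would break before anything is enforced, which is the planning and validation step the "soft" logical segmentation is meant to give you.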
Thank You
kwilson2@cisco.com @detectedanomaly
www.lancope.com
www.detectedanomaly.com/talkingiot
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Último (20)

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

The Internet of Everything is Here

Editor's Notes

  1. Hi, my name is Keith Wilson. I'm a systems engineer for Cisco. I've been in security for just over 10 years. Previous to Cisco, I worked for IBM as part of the Internet Security Systems acquisition. My focus there was on intrusion detection and prevention systems and vulnerability scanners. At Cisco, I specialize in a product called StealthWatch. StealthWatch is a network behavioral and anomaly detection tool. We use the metadata from your existing network infrastructure to turn your network into a sensor. Most of my time is spent in pre-sales engagements, discussing security needs with customers and providing them complete east/west and north/south visibility into their network so that we can pinpoint security issues. I'm going to show some screenshots of our product in action a little later, but it's really just to illustrate some points for the talk. The Internet of Things, or the Internet of Everything, was always an exciting prospect. I remember being in school and hearing that one day all of your appliances would have an IP address. We spoke about all of the cool things we might be able to do with all of these appliances and gadgets if they actually could talk to one another. We talked about the need for IPv6 because of all of the additional IP addresses that would be needed, but we never really discussed what this would do to the world of security, what an immense challenge it would be to secure all of these devices. Just like this slide: the announcement "The Internet of Everything Is Here" is loud and clear, but the background question of "How Do We Secure It?" is something that we are all trying to address.
  2. What are the challenges for IoT? There are a lot of them. I’m sure that you will probably even be able to think of some that I couldn’t. The biggest problem that I currently see is an ever expanding attack surface.
  3. Security is already hard enough. We get to be the unpopular guys: restricting access, saying "no", and reminding our co-workers how to work securely. I don't know about you, but I get a lot of eye rolls every time I start preaching about proper password creation and management. Attackers have hundreds, if not thousands, of entry points into networks already. Every single person that has access to your network is a risk. They are each a new access point into the network, but the business has to expand. So, we add new employees, new servers, new workstations, new phones. All of these new things have to be secured. The thought of having to account for that much is, to me, already overwhelming enough. But what if you have to start adding new devices that are headless, whether they are sensors for a SCADA system, medical devices, HVAC controls, or even just lighting automation for your office? What if you are a company that is also responsible for the security of the internet-enabled devices that you sell? Now you have to secure vehicles, smart phones, thermostats, refrigerators, toasters. What if those devices communicate directly with your company? You've now just multiplied your attack surface. What if your company is doing well? Now you've just infinitely expanded your attack surface.
  4. If you're not familiar with Shodan: Shodan is the Google for IoT-connected devices. Most people get lost in a YouTube loop for hours; I've found myself lost in a Shodan loop for hours. It allows you to specify the types of systems you are looking for in the search, while also searching the banners those systems provide. This is everything from routers, to thermostats, to home automation devices, to web cameras, red light cameras, and SCADA systems. The way that Shodan works is by probing ports and grabbing the banners. Those banners are indexed, in much the same way that Google indexes web content, and that index is then searchable from the Shodan website. Shodan helps in passive reconnaissance, so I don't have to alert your company that I'm probing your network for intel. So, if you are an attacker that is casting a wide net, say you know of a particular vulnerability against a certain type of SCADA system, or you know the default credentials for a home automation system, you can use Shodan to gather a list of the specific devices or systems you are looking for. Another fairly common search on Shodan is a search for the term "default password", because there are still plenty of devices that will show this in their banner when a default password is in use. If you are an attacker that is performing a targeted attack, you could use the 'net' filter in Shodan to refine your search to a target's specific public IP block. Shodan also provides a service called Shodan exploits. Shodan exploits allows me to take the list of devices I've found that are publicly accessible on your network and easily find available exploits that are mapped to them. So the workflow goes like this: I look at your IP block, see what information your banners are offering, and then I pivot to see which exploits match those banners. This has gotten much easier than it should be. But, now that you're armed with that information, you can use Shodan to look at the same data attackers are seeing when they are researching your network.
  5. So let's define the aggressors. Attacks against IoT will more than likely be perpetrated by one of these groups of attackers, each with its own motivations. Activists are motivated by ideology. Most activist-style attacks come in the form of denial of service or defacement. The group Anonymous is usually the first that comes to mind when the term "hacktivism" is used. Organized crime and business competition are both motivated by money. Business competition is also going to focus on theft of intellectual property or M&A data. Nation states tend to have geopolitical motives. Worrying about an attack from a foreign government used to be something that only our government had to worry about; it wasn't a concern for private enterprises. Now the scope has expanded. When a socialist government is looking to expand an industry, it is much easier for them to steal the data from an existing titan of that industry than to do their own R&D. In many ways, they are much like business competition. Let's go ahead and take a look at some of the industries that are being attacked by all of these groups, and how the Internet of Things is expanding that attack surface.
  6. The Internet of Things in the medical community takes on a whole new level of importance, since the network-connected devices in these environments can be responsible for assisting or sustaining a life. A 2014 Wired.com article titled "It's Insanely Easy To Hack Hospital Equipment" discussed how drug infusion pumps (think morphine drips, chemotherapy, and antibiotic delivery), Bluetooth-enabled devices like defibrillators and pacemakers that are used to regulate heartbeat, and refrigerators (the kind that have to be temperature-specific for blood and drug storage) are all vulnerable and, frankly, not that hard to exploit. Most of the devices tested had several security holes in common: weak passwords, default or hardcoded easy vendor passwords, and embedded insecure web servers. Healthcare companies also have a large target painted on them because healthcare records have a much higher dollar amount tied to them than credit cards. Credit card numbers can only be used a handful of times before they are shut down, so they are worth only about $1 each. But because medical records can be used to file fraudulent insurance claims, obtain prescriptions, and can be used over and over for identity theft to open new credit cards, they can be worth up to $50 each. In my experience, hospitals tend to lack segmentation and security procedures. That's not to say that they don't want them; it's just an overwhelming task that hospitals haven't traditionally had to deal with. On the 1st of January last year, a key provision of the American Recovery and Reinvestment Act of 2009 went into place, that provision being that all public and private healthcare providers were mandated to begin using electronic medical records. This added even more information onto the network that had to be secured. Hospitals are dealing with attackers that have a large monetary motivation trying to obtain those high-worth electronic medical records, while at the same time fighting the balance between accessibility and security. http://www.wired.com/2014/04/hospital-equipment-vulnerable/
  7. I used to love to watch the show Burn Notice. There was a ton of super-spy action set against a South Florida backdrop. Michael Weston was the main character, a former spy who had fallen out of the good graces of the U.S. government and was trying to reclaim them. There was an episode where Michael explained that whenever you make something more secure, you are also making it less accessible. You have to find a compromise that suits your needs. He demonstrated this by smashing the drywall in the house of a competing spy to find an object he was looking for. For the person hiding the object, it was a compromise of security and accessibility to hide it in the wall. Hospitals are dealing with this balance all of the time, because if a doctor doesn't have access to the right information or tools at the right time, people lose their lives. If the devices they are using aren't secure, people could also lose their lives, or at the very least their identity.
  8. Here's an example from a healthcare provider I worked with while doing a security evaluation of their network with StealthWatch. This is just one of several flow records that all had uniform, low byte counts going to and from a host in China. This healthcare provider does absolutely no business with China. The device that we are seeing the connectivity to is a medical device within the hospital's network. The low, bidirectional, uniform byte count, to me, indicates that a command and control channel has been established. To date, all of the cases that I've personally seen of compromised medical devices haven't been as severe as what was described in the Wired article, where they were able to compromise devices in a way that could harm a human life. What I'm used to seeing is medical devices being used as pivot points or bots. The devices themselves aren't necessarily the targets of the attack. The targets are the patient information. The medical devices are just the entrance point or the pivot point on the network because they are much harder to secure; they have increased the attack surface.
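The pattern this note reads as a command-and-control channel (many short, uniform, bidirectional exchanges between one internal host and one foreign peer) can be scored directly from NetFlow-style records. The following is an added example written for this page, not StealthWatch code or the author's; the flow records, thresholds and addresses (RFC 5737 documentation ranges) are constructed assumptions.

```python
"""Beacon-style flow detection over NetFlow-like records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str        # internal host that initiated the flow
    dst: str        # external peer
    dport: int      # destination port
    bytes_out: int  # bytes from src to dst
    bytes_in: int   # bytes from dst back to src


# Constructed sample records, not real captures. 10.0.5.21 stands in for the
# medical device; 203.0.113.9 (a documentation address) is the foreign peer.
SAMPLE_FLOWS = [
    # suspected beacon: six short, near-identical exchanges in both directions
    Flow("10.0.5.21", "203.0.113.9", 443, 312, 256),
    Flow("10.0.5.21", "203.0.113.9", 443, 310, 256),
    Flow("10.0.5.21", "203.0.113.9", 443, 312, 258),
    Flow("10.0.5.21", "203.0.113.9", 443, 314, 256),
    Flow("10.0.5.21", "203.0.113.9", 443, 312, 254),
    Flow("10.0.5.21", "203.0.113.9", 443, 312, 256),
    # ordinary browsing from a workstation: large, variable responses
    Flow("10.0.7.4", "198.51.100.20", 443, 1520, 48210),
    Flow("10.0.7.4", "198.51.100.20", 443, 980, 12044),
    Flow("10.0.7.4", "198.51.100.20", 443, 2210, 310877),
    Flow("10.0.7.4", "198.51.100.20", 443, 640, 9902),
    Flow("10.0.7.4", "198.51.100.20", 443, 1750, 77310),
    # small but irregular lookups: low volume yet not uniform
    Flow("10.0.5.30", "203.0.113.50", 53, 64, 120),
    Flow("10.0.5.30", "203.0.113.50", 53, 71, 310),
    Flow("10.0.5.30", "203.0.113.50", 53, 58, 95),
    Flow("10.0.5.30", "203.0.113.50", 53, 90, 410),
    Flow("10.0.5.30", "203.0.113.50", 53, 63, 150),
    # two one-off connections: too few to judge
    Flow("10.0.9.8", "203.0.113.77", 443, 300, 250),
    Flow("10.0.9.8", "203.0.113.77", 443, 300, 250),
]


def _cv(values):
    """Coefficient of variation: spread relative to the mean (0 = identical)."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def beacon_candidates(flows, min_flows=5, max_bytes=1024, max_cv=0.1):
    """Return sorted (src, dst, flow_count) tuples for peer pairs whose flows
    are numerous, small in both directions, bidirectional, and uniform in size.

    These are the traits the note reads as a command-and-control channel;
    the thresholds are constructed defaults and should be tuned per network.
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst)].append(f)

    hits = []
    for (src, dst), fs in groups.items():
        if len(fs) < min_flows:
            continue
        outs = [f.bytes_out for f in fs]
        ins = [f.bytes_in for f in fs]
        # Low byte counts in both directions
        if max(outs) > max_bytes or max(ins) > max_bytes:
            continue
        # Bidirectional: every exchange carried data both ways
        if min(ins) == 0 or min(outs) == 0:
            continue
        # Uniform sizes: tight distribution in both directions
        if _cv(outs) <= max_cv and _cv(ins) <= max_cv:
            hits.append((src, dst, len(fs)))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, n in beacon_candidates(SAMPLE_FLOWS):
        print(f"possible beacon: {src} -> {dst} ({n} uniform low-byte flows)")
```

Pair any hit with business context, as the note does (does this site have a reason to talk to that peer at all?), before treating it as an incident.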
  9. Manufacturing has been doing IoT since before IoT was a thing. As it stands now, the Internet of Everything is comprised mostly of sensors. Manufacturers and utility companies have been using SCADA systems for a long time, and when you talk to them about securing those systems, you are usually faced with the challenge of being able to secure them without touching them, or only touching them within a short window with something that is non-intrusive. Manufacturers have to worry about availability of their systems in very much the same way that hospitals do. This is where network-based monitoring solutions that are out of band come in extremely handy. The way that I do this with StealthWatch is through NetFlow. If NetFlow isn't an option, we look to a network SPAN or TAP to put an out-of-band probe in place. A compromise of the control system in a manufacturing plant can at best shut the system down for a period of time, costing money in lost productivity, or at worst break or destroy components of the system. We saw this with Stuxnet, when the worm caused the Iranian nuclear centrifuges to tear themselves apart. Manufacturers don't only have to worry about these control systems staying secure and operational; they have to be conscious of these systems being used as entry or pivot points to their crown jewels, their intellectual property or mergers and acquisitions data. For manufacturers, loss of intellectual property can be a loss of over a million dollars, and loss of M&A data can equate to a loss of over 50 million dollars.
  10. Insurance companies are beginning to embrace the idea of IoT in order to make better decisions on the premiums they charge and to defend denied claims. Right now we are seeing this in the form of devices like the Progressive Snapshot. The insurance company offers their customers a discount on their premiums in exchange for the customer allowing the insurer to collect data on their driving habits. The driver monitoring devices are plugged into the OBD-II port of your vehicle, and then data is transmitted to the insurance company unencrypted over a cellular connection using FTP. This not only puts the consumer at risk, but also provides an access point to the networks of large insurers that didn't exist previously. It's been hypothesized that insurance companies will also use IoT devices to collect health information on their customers. In much the same way that you plug the car monitoring device into your car so that insurance companies get an accurate account of your driving, you will do the same for life and health insurance companies that want to gather as much data as they can on their customers to make the best business decisions. Not only does this scenario provide new areas for attacking the insurance companies, it also creates the liability of protecting the health data that is being transmitted to the insurers. If proper protocols or encryption aren't in place, this extremely personal information can be much more accessible to people that shouldn't have it.
  11. Retail operations have been a target for years. Generally, the target of the attack is the point of sale machine. However, vendor contracts and customer data are still coveted by competitors. I can see this customer data becoming even more of a prize as IoT begins to grow. One of the main benefits of the Internet of Everything is that companies are able to collect more data about the consumers they service. Although a company knowing everything about you is a bit unsettling for the consumer, it's a massive win for retailers. The more detailed customer data gets, the more valuable it becomes, not just to competitors but also to organized crime. Controlling inventory is becoming more and more difficult, but it is becoming increasingly important as retailers try to extract more profit from their stores. To help cope with this, retailers are looking to the IoT for devices like shelf sensors, smart displays, and digital price tags. The downside of adding all of these new devices is that you are, again, expanding the attack surface. Being able to exploit a smart display could give me an entry point into the network to eventually pivot to PCI data on the point of sale machines or other sensitive areas of the network. Being able to manipulate digital price tags could allow an attacker to manipulate the price of items, at the very least causing a loss in productivity or customer satisfaction; at worst, the company will end up taking a loss on items sold. Having the ability to manipulate the input of inventory control sensors could trigger an order of more merchandise that is not needed by the store, which could result in a monetary loss for the retailer.
  12. The majority of IoT devices aren't what administrators are used to dealing with on the network. Also, the software that runs on the devices is created by people who are used to traditional software/firmware development, not security.
  13. Network and security administrators are used to having some sort of interface that they are able to update through. Usually there is even some sort of centralized update mechanism through which updates can be pushed. The majority of IoT devices are either very difficult or impossible to update. These devices tend to be a bit of a black box. You just have to trust that the manufacturer secured them properly. If there is an interface, it will most likely be web based. This introduces security concerns around authentication and web application exploits. If you have a program and tools in place for testing applications, more specifically web applications, this will give you a leg up when implementing these devices. Encryption is another concern. Some IoT devices have enough hardware resources to perform encryption. However, most of them are lacking. If you are implementing devices that provide encryption, you'll want to verify from the manufacturer what standards are being used for encryption. Is it something they just made up (yes, this can happen), or is it an industry standard? If it's an industry standard, is it an updated version?
  14. Now, just a minute ago I touched on testing the web interface of the IoT devices that you bring into your enterprise. The device manufacturers aren't security experts, and they don't think like security experts. They have code deadlines to meet, and products need to be developed and delivered to market. In traditional software development, this mindset wasn't ideal, but it was okay because updates and patches could be pushed later. However, as we've already discussed, IoT devices tend to lack a mechanism for updates. So, if you've performed your own vulnerability tests on the web front ends of the devices, you can at least be aware of security issues that the devices might present and choose how to protect them another way, maybe by enabling specific signatures on your network IDS or blocking certain protocols or applications at the firewall.
  15. Another security challenge that has been raised by the Internet of Things is the ability to protect the consumer. New devices present many new issues of their own, especially those that don't have any sort of way for the user to update them, especially those that aren't thought of as a computer, and especially those that interact with the physical safety of a consumer. These issues are going to fall on the backs of the manufacturers, whether it's fair or not, because the manufacturers' reputation and liability are on the line. The only real way to address these issues is by doing more thorough vulnerability testing before the product is shipped and by providing the user with a means to know when updates are available and then be able to perform those updates.
  16. One of the most widely used standards to connect IoT devices wirelessly is ZigBee. The ZigBee Alliance that developed this standard includes companies like Samsung, Philips, Motorola, and Texas Instruments. Devices that implement the ZigBee standard are objects used for remote control, home automation, and smart energy. The ZigBee stack consists of four layers: Physical, Medium Access Control, Network, and Application. The ZigBee protocol is based on an "open trust" model, meaning that each layer trusts the others. Because of the open trust model, encryption only occurs between devices. ZigBee networks use two types of encryption keys. The network key is used to secure broadcasts; it's shared among all devices in the network. There may be multiple network keys, but only one key will be active at a time. There are two ways for a device to acquire a network key: either key-transport or pre-installation. The second key, the link key, is used to secure unicast communication and is only shared between two devices. The link keys are acquired through key-transport, key-establishment, or pre-installation. Tobias Zillner from Cognosec spoke at Black Hat last year about his assessment of the security behind the operations of the ZigBee stack. Overall, the encryption was strong, but the protocol relied heavily on the secrecy of the encryption keys as well as their secure initialization and distribution. Meaning, access to the digital keys could give me physical access to a house and the ability to control lighting and HVAC systems. Essentially we've replaced having to obtain the physical key to unlock a door with having to obtain a copy of the digital key to unlock a door. If you're interested in learning more about Tobias' study, which goes much more in depth than what I've discussed here today, I'll have a reference slide with a link at the end. https://www.blackhat.com/docs/us-15/materials/us-15-Zillner-ZigBee-Exploited-The-Good-The-Bad-And-The-Ugly-wp.pdf
  17. I do a lot of traveling, and a few months back I stayed at a hotel that was using Nest thermostats. Nest thermostats are pretty neat; they are self-learning, and I can see why they might be beneficial for a hotel that is trying to save on its energy costs. The problem is, Nest thermostats are internet-connected devices with their own operating systems. Of course, when I saw this, the first thing I did was open my laptop and Google "Nest exploits." A Forbes article from early last year discusses the research done by TrapX Security, which was built upon research done by professor Yier Jin at the University of Central Florida. The group found that they were able to load custom software onto the device during boot-up. Aside from just being able to use the data provided by the thermostat to tell when the user was home, TrapX was able to use ARP spoofing from the thermostat to get other devices on the network to talk to it and then exploit those devices, essentially turning the device into a pivot point in the network. This is not an attack that has been seen out in the wild yet, since it does require physical access to the device. This made me think about what a huge problem this could be for the hotel, because I could easily have complete, uninterrupted physical access to this device, essentially giving me a plant in their network that I could use as a pivot point to more devices holding customer information or to point of sale machines. http://www.forbes.com/sites/aarontilley/2015/03/06/nest-thermostat-hack-home-network/
  18. Changing the temperature of someone's room or turning off the lights in their house from a different country is unsettling. However, affecting medical devices that have a direct interaction with the health and safety of a human is probably the largest concern of the consumer when dealing with IoT devices. Back in 2011 Jerome Radcliffe gave a Black Hat talk entitled "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System". A previous Defcon talk about hacking smart parking meters inspired Jerome to look into hacking his insulin pump. In his talk, he explains how his insulin pump behaves much like a SCADA system. A level is read from an input sensor, and then some adjustment is made by the control to change the level if needed. By manipulating the input, you can change the output. In the case of the insulin pump, if the sensor data falsely reported blood sugar as being too high, too much insulin would be administered, which could lead to coma or death. However, in the case of insulin pumps, changing the input through the continuous glucose monitoring function is actually rather difficult. The first problem is proximity: the wireless transmission is only good for about 100 to 200 feet. Second, a CGM device will prompt a user for a calibration measurement, and intervening in the calibration test is highly unlikely. Finally, the manipulation of sensor data would have to continue for hours to actually have an effect on the user. A theoretical attack that Mr. Radcliffe proposed was to manipulate the configuration settings for the pump. These are the settings that are used for deciding the amount of insulin that is dispensed. You can purchase the wireless device used for talking to the pump from eBay or a medical supply store. Command codes and message format can be found published online even though they were not disclosed directly by the manufacturer. This device would then be used to change the amount of insulin delivered relative to the nutrients the user is eating, and the change can be significant enough to cause a diabetic to become hypoglycemic within an hour to an hour and a half after eating. https://media.blackhat.com/bh-us-11/Radcliffe/BH_US_11_Radcliffe_Hacking_Medical_Devices_WP.pdf
19. Securing a new or emerging technology can be a daunting task, so it’s best to have several categories to focus on. Using these focus areas we can plan our security strategy and attack the weaknesses before our adversaries do. When I’m attacking a problem, any problem, I try to start at a high level and then narrow my focus to details as needed. So, we are going to discuss two overarching categories and then dive deeper into each of those.
20. First, we’ll start with securing the application. Unfortunately, most of you aren’t writing the software or firmware that your IoT devices are using. This means you have to work with your vendors and test the software yourself to verify that these areas are locked down. Prioritizing focus areas will help us determine where budget and time spent will allow us to enhance our network security programs efficiently. For this, I look to the OWASP Internet of Things project. I’m sure most of you are familiar with OWASP, but for those that aren’t – OWASP is the Open Web Application Security Project, a not-for-profit organization focused on improving the security of software. Now, this is only going to help us at the application level. At the same time we will also want to consider network security options, but for now, let’s talk about Application Security. The current top IoT application-level security vulnerabilities, as defined by OWASP, are: Username Enumeration – identifying a set of valid usernames by interacting with the authentication mechanism. This can usually be mitigated by implementing number two on the list, Account Lockout – validating that there is some sort of account lockout mechanism in place can help prevent both username enumeration and number three on the list, which is Weak Passwords – many of the default or maintenance passwords used on IoT devices are weak, and in a lot of cases they can’t be changed. If the passwords can be changed, there probably isn’t a way to enforce a policy that requires strong passwords. Unencrypted Services is number four on the list – earlier we talked about the ZigBee stack and how communication between devices was encrypted. Unfortunately, this isn’t always the case with IoT devices. If there is encryption, we usually see it fall into the category of number 5 on our list, and that is Poorly Implemented Encryption – a lot of developers will try to implement their own encryption standard instead of industry-accepted standards. If they are using an industry standard, it may be an outdated version of the standard. Number 6 is Updates Sent Without Encryption – are you starting to notice the poor encryption theme we are seeing here? If we can find a way to encrypt the traffic once it enters the network, that helps. However, that could easily be unmanageable. Two-Factor Authentication is number 7, and it’s really more the lack of two-factor authentication. With the ease of compromising credentials, especially those that are hardcoded into the devices, two-factor authentication becomes even more important. There are a few more on the list, but this is a good starting point. Remember, when evaluating new IoT devices for your enterprise, to question the vendor about the security of the application, how passwords are set and secured, and what type of encryption is being used between devices. https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Top_IoT_Vulnerabilities
21. The second overarching category we’re going to look at is network security. The thing about IoT devices is that at some point they will have to interact with your existing infrastructure. This means that if you already have a strong network security posture you have a good head start, but new attacks will emerge, and having a process set up to detect network changes or anomalies can help in the decision-making process of how to best defend your network. Detection on the network level, or on the endpoint, can really be broken out into three categories – Signature, Behavior, and Anomaly. Now, since installing some third-party software to do these things for you on the endpoint of an IoT device is almost never possible, we are going to talk specifically about using them as a network solution. Signature-based tools are best for detecting known exploits. This filters out a number of attacks, but it isn’t going to help much with more advanced or targeted attacks. A signature-based alert would be like if John had an APB out and along with that is a mugshot from his prior arrests. Matching that picture to the suspect is sort of like signature matching. Behavior-based detection is looking for known bad behavior. If John is walking through a store in a large coat in the middle of the summer and is seen by security sticking items into the coat before he walks out and triggers the alarm at the door, he is exhibiting known bad behavior even if John has never been in trouble before. Behavior-based detection is best for detecting 0-day exploits. And then there is anomaly-based detection. This is where the known good behavior of an individual host is whitelisted, and any behavior that is different from that triggers an alert. If John has shown up to work every day at 7 am for the past 15 years, we may not care if he shows up at 7:30 or even 8. However, if John shows up at 3 in the afternoon wearing no pants and a meatloaf as a hat, John has started exhibiting behavior that isn’t normal for him. StealthWatch is both a behavior-based and an anomaly-based detection tool.
22. In the world of IoT, anomaly detection works extremely well. That’s because most IoT devices are very predictable in the jobs they perform. With an anomaly detection tool we don’t care if it’s a medical device or a toaster, because when a toaster is compromised it will no longer act like a toaster. When an x-ray machine starts doing things other than taking x-rays, it’s probably something worth looking into. Anomaly detection is great for getting an overview of changes to network behavior, but it’s only a piece of the overall security solution.
23. Most advanced attacks follow the same process. First there is reconnaissance. This could be passive recon like a lookup on Shodan, reviewing the target’s website for information that can be used in social engineering, or reviewing IT job postings for a listing of skills needed, which translates into the types of systems used. This could also be active recon like ping sweeps, port scans or banner probes. Exploitation is the actual running of the initial exploit that gains the first foothold in the network. In the context of IoT, this could be many places on our ever-expanding attack surface. Once a foothold has been gained, command and control channels are established so that access to the network can remain open for the attacker. After command and control has been established, the attacker continues recon and exploitation to pivot until they reach the servers they are actually trying to get to. I always refer to those as the “crown jewels”, or the data people would lose their jobs over if it was compromised. This could be health records, M&A, customer records, PCI data, IP data – whatever is important to your enterprise. Once those servers are reached, the attacker will start to hoard or stage the data either on the server itself or, more likely, on a compromised host that leaves the network. What we’ve been seeing is malware that will look at the SSID history of a host. When the attacker finds a host whose SSID history shows access points outside of the network, things like HHONORS or Starbucks, the attacker will start storing data on that host. Once the compromised host connects to an access point outside of the network, data is exfiltrated outside of the protection of the network. In the world of IoT we should focus on the parts of the attack progression that are highlighted. There are plenty of ways to exploit IoT devices. We’ve talked about a handful of them today, and we will only see more as these devices become more pervasive in the enterprise. The product I work with, StealthWatch, does both anomaly and behavioral detection. Detecting events in this manner gives us really good coverage for everything on this list, with the exception of exploitation, making it the one area where we need to look to another part of our security stack. In my world, this is Cisco’s AMP products, because I work closely with Cisco. If you have another product that will analyze the traffic of the actual exploit, this is where you would plug that tool in, not only making your network security program strong by using multiple layers, but also providing full coverage for network-based detection and remediation of attacks against IoT devices.
24. Aside from improved network performance, network segmentation can also help to maintain the security of your network. I’m sure most of you are segmenting your network, which is great. If you aren’t already doing this, start planning it out now. You’ll want to make sure that access to IoT devices is only available to the users and hosts on the network that need access. Limiting access to IoT devices greatly reduces an attacker’s ability to compromise those devices. In StealthWatch, we use host groups that can help us define logical segmentation. This is a nice “soft” approach that can be beneficial to planning actual segmentation. By viewing which host groups are talking to which other host groups we can make decisions on how we believe the network should be segmented. We can then set policies or alerts in the software to baseline the communication between these host groups, or to notify us if unauthorized or unexpected communication is occurring. Getting this sort of insight into what is actually occurring on the network, versus what we hope or think is occurring, helps us verify that implemented segmentation is working the way it was planned. If segmentation is still a project your team hasn’t started, this can help answer questions about the network that will help you effectively and efficiently segment it.
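The two ideas above, that a compromised IoT device stops acting like itself (slide 22) and that host groups give you a logical segmentation to baseline and alert on (slide 24), can be combined in a small baselining routine. This is an added example, not code from the talk or from StealthWatch; the host groups, CIDR ranges, ports and flow records are all constructed assumptions.

```python
"""Baseline group-to-group communication, then alert on anything new.

Added example (not the talk's or StealthWatch's code). Host groups are
assumed to be defined by CIDR prefixes; a learning window of flows
defines known-good (src_group, dst_group, dst_port) triples.
"""
from ipaddress import ip_address, ip_network

# Hypothetical host groups: name -> CIDRs (constructed sample values)
HOST_GROUPS = {
    "medical_iot": ["10.10.0.0/24"],
    "clinical_workstations": ["10.20.0.0/24"],
    "pos_terminals": ["10.30.0.0/24"],
    "internet": ["0.0.0.0/0"],  # catch-all, least specific
}

def group_of(ip):
    """Return the most specific host group whose CIDR contains ip."""
    addr = ip_address(ip)
    best, best_len = "unknown", -1
    for name, cidrs in HOST_GROUPS.items():
        for cidr in cidrs:
            net = ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best

def learn_baseline(flows):
    """Whitelist every (src_group, dst_group, dst_port) seen while learning."""
    return {(group_of(s), group_of(d), p) for s, d, p in flows}

def detect_anomalies(flows, baseline):
    """Return flows whose group/port triple never appeared in the baseline."""
    return [f for f in flows if (group_of(f[0]), group_of(f[1]), f[2]) not in baseline]

# Constructed learning-window flows: (src_ip, dst_ip, dst_port)
LEARNING_FLOWS = [
    ("10.20.0.5", "10.10.0.7", 104),    # workstation -> x-ray machine (DICOM)
    ("10.20.0.9", "10.10.0.7", 104),
    ("10.10.0.7", "10.20.0.5", 49152),  # x-ray machine answering the workstation
]
# Constructed later flows: the x-ray machine starts talking to PoS and the internet
NEW_FLOWS = [
    ("10.20.0.5", "10.10.0.7", 104),
    ("10.10.0.7", "10.30.0.12", 445),
    ("10.10.0.7", "203.0.113.9", 443),
]

if __name__ == "__main__":
    for flow in detect_anomalies(NEW_FLOWS, learn_baseline(LEARNING_FLOWS)):
        print("ALERT unexpected inter-group traffic:", flow)
```

In practice the learning window should be long enough to cover the device's full duty cycle (nightly backups, vendor maintenance windows), otherwise the baseline alerts on legitimate but infrequent traffic.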
25. When I’m working with customers, I like to ask them to define some key areas of their network. This could be servers that contain HIPAA information, different branch offices, or different organizations in the network. I ask them how they would like to segment the network in a perfect world, and then we build out some groups based on that. Eventually, we translate that into a map within StealthWatch that we can use to monitor who is accessing what, and get a nice visual on it.
26. Even if there is no user authentication to IoT devices, it’s a good idea to monitor the users on the hosts that are making connections to the IoT devices. Having the ability to correlate user information to network traffic allows you to look for compromised credentials, privilege escalation, or unauthorized access. Much like segmenting your network, you can use some sort of monitoring tool to plan out your network access control implementation. When I’m working with customers, we will use StealthWatch to look for things like geographical anomalies in user accounts. In this case, we can see that the user ethel is currently connected to a machine in Atlanta when just a bit over an hour before she was logged into a host in Boston.
  27. If we look at user accounts through the eyes of an anomaly detection tool, we can see when users are logged into machines that are behaving abnormally and prioritize the accounts we want to monitor based on this data. Digging into the events and the machines these user accounts are tied to can help us look for network compromises. If we pivot this into a filtered list of users that accessed our logical segment of IoT devices we have quick insight into any connections we should be concerned about.
  28. Thank you all for attending and listening to me speak about securing The Internet of Everything, but more importantly – Thank you all for hacking the planet and securing the world. It’s a tough job, and you’re all fighting the good fight. I’m always up for a good security discussion, so if you have any questions or thoughts on today’s talk, Cisco’s StealthWatch, or just want to grab a drink the next time I’m in town – my contact information is here along with a link that contains information on the resources and talks I discussed today.