How to deal with IoT device proliferation
“This crap is killing me,” has become a turn of phrase used all too often by security pros when talking about IoT. IoT devices are proliferating everywhere, and defenders are being overwhelmed by the need to protect them and control their access. It doesn’t help that attacks targeting IoT devices are up a staggering 50% compared to this time last year.
With the abundance of IoT devices proliferating into just about every aspect of life, it has become much harder to control their unwanted access. When a new device connects to the network — by design or mistake — it can become complicated for security professionals to monitor these endpoints and devices. It’s no longer realistic to assume that security teams can identify and defend every network endpoint.
These unsecured devices are making it easier for attackers to infect networks with ransomware and other malware, leaving many defenders frustrated with the insurmountable task of controlling their access. Unfortunately, turning to traditional security tools will not help, as many of these devices can’t run antivirus software, nor do they generate logs that can be monitored for abnormal behavior. Security teams have now turned to new measures, such as deceptive techniques, to more effectively draw out their attackers.
The challenges of IoT devices for InfoSec teams
Connected devices are beneficial for businesses and come in a wide range of forms, from traffic management systems helping smart cities operate to industrial control systems keeping factories and plants running smoothly. Connected cameras and smart locks keep facilities secure, wireless inventory trackers keep shelves stocked and autonomous farming equipment helps keep people fed. No matter the industry, there is almost certainly an example of it leveraging IoT technology.
The proliferation of connected devices has made identifying them and controlling their access exponentially more difficult. This already challenging task became even more problematic: This year, the COVID-19 crisis forced record numbers of employees to work from home, remotely accessing corporate networks using personal devices over which businesses have little control. With so many other remote devices being added to the network, IoT has become a new challenge for many security experts.
Tools such as endpoint protection platforms (EPPs) and endpoint detection and response (EDR) systems have become commonplace, and they play an essential role in preventing cyberattacks. EPP tools essentially serve as antivirus protection that identify and prevent known threat signatures, while EDR systems can observe process flows and chains for unusual behavior, providing useful insights into attack signatures after the fact.
These tools are good at stopping the types of attacks they are designed to derail, but they aren’t a silver bullet. With the network perimeter constantly shifting and endpoints quickly multiplying, organizations increasingly need stronger in-network protections to detect threats that have bypassed these perimeter controls.
Attackers that manage to compromise an IoT device and get on the IoT network segment face few hurdles as they move laterally to other devices. IoT devices don’t have the computing power to run endpoint security, let alone EDR solutions. They have very few built-in security mechanisms and may rarely get patched.
Organizations are also finding themselves reliant on a vast number of manufacturers to release patches. Even when patches are released, taking down IoT devices for patching can be troublesome if they’re essential to daily operations. Best practices dictate that organizations isolate the IoT network segments from the rest of the operational IT network. However, mistakes can cause bridging between the two, enabling attackers’ access across both environments.
Mitigating IoT’s biggest vulnerabilities
Network visibility is critical, but that means more than discovering unprotected endpoints. It’s also vital to identify exposed credentials and make sure that application and data access are only granted to authorized users. This year’s Verizon Data Breach Investigations Report indicated that credential theft is the primary driver of a significant share of cybersecurity incidents, so keeping those credentials protected is crucial.
IoT devices tend to have poor credential security because of their limited computing capacity, and they often contain static or hard-coded passwords from the manufacturer. To combat IoT credential security limitations, defenders can use visibility tools for identifying exposed credentials and reducing the attack surface, along with deception lures that obfuscate real credentials and prevent Active Directory (AD) privilege escalation.
Attempted use of false credentials will lead attackers to decoys that look like other systems, even IoT devices. If an attacker attempts to use those credentials, they give away their presence and can be studied within the deception environment, where defenders can gather adversary intelligence by observing their tactics and strategies.
The use of modern deception and data concealment techniques doesn’t stop with only identifying exposed credentials; it can also be used to hide production shares, files and AD objects, efficiently stopping attackers from finding and accessing the things they desire. For security teams that want to engage and control the path of the attacker, decoys can also be used for engagement and collection of company-centric threat intelligence.
With so many files and objects hidden from view and only decoys to choose from, an attacker would have to be very lucky to avoid triggering an alarm. In-network protections of this kind will help turn the tide against attackers, giving defenders not only effective new strategies for derailing attacks, but new ways to gather adversary intelligence to better prepare for future attackers.
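Two of the controls described above, decoy credentials that give an attacker away the moment they are tried, and detection of traffic crossing from the IoT segment into the IT segment despite segmentation, can both be expressed as simple detection logic over authentication logs. The following is an added example, not code from the article or from any product it alludes to. The decoy account names, the segment address ranges, the log format and the log lines themselves are all constructed for the example: a real deployment would read the equivalent fields from its own authentication sources.

```python
import ipaddress
import re
from dataclasses import dataclass

# Decoy (honeytoken) accounts planted on IoT hosts and in the directory.
# Hypothetical names: no legitimate process ever uses them, so any
# authentication attempt with one of them is a high-confidence alert,
# regardless of whether the attempt succeeded.
DECOY_ACCOUNTS = {"svc-camera-backup", "plc-maint", "iot-admin-legacy"}

# Hypothetical segment layout: IoT devices live in 10.20.0.0/16,
# the operational IT network in 10.10.0.0/16. Authentication from the
# first into the second should not happen if segmentation holds.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
IT_SEGMENT = ipaddress.ip_network("10.10.0.0/16")

# Constructed sample lines in a simple syslog-like authentication format.
SAMPLE_LOG = """\
2020-11-02T08:14:03Z auth src=10.20.4.17 dst=10.20.4.20 user=operator result=success
2020-11-02T08:14:09Z auth src=10.20.4.17 dst=10.20.4.21 user=svc-camera-backup result=failure
2020-11-02T08:14:11Z auth src=10.20.4.17 dst=10.10.1.5 user=plc-maint result=failure
2020-11-02T08:15:40Z auth src=10.10.2.8 dst=10.10.1.5 user=jsmith result=success
2020-11-02T08:16:02Z auth src=10.20.4.17 dst=10.10.1.9 user=administrator result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    user: str
    reason: str


def parse_line(line):
    """Parse one log line into a dict of fields; None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip malformed lines rather than crash the pipeline
    return m.groupdict()


def classify(event):
    """Return the list of reasons this event should alert (empty if benign)."""
    reasons = []
    if event["user"] in DECOY_ACCOUNTS:
        reasons.append("decoy-credential-use")
    src = ipaddress.ip_address(event["src"])
    dst = ipaddress.ip_address(event["dst"])
    if src in IOT_SEGMENT and dst in IT_SEGMENT:
        reasons.append("iot-to-it-crossing")
    return reasons


def detect(log_text):
    """Run both checks over every line and collect one Alert per reason."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for reason in classify(ev):
            alerts.append(Alert(ev["ts"], ev["src"], ev["dst"], ev["user"], reason))
    return alerts


def sources_to_isolate(alerts):
    """Hosts that tried a decoy credential: that alone justifies containment."""
    return sorted({a.src for a in alerts if a.reason == "decoy-credential-use"})


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.reason}: {a.src} -> {a.dst} as {a.user}")
    print("isolate:", sources_to_isolate(found))
```

On the constructed log, the single source 10.20.4.17 trips both checks: it tries two decoy accounts and then authenticates into the IT segment, so it is the one host flagged for isolation. The decoy check deliberately ignores the `result` field, because a decoy credential is never valid and the attempt itself is the signal; the crossing check is a cheap complement that catches segmentation mistakes even when the attacker uses a real account.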
Addressing IoT security in a comprehensive manner
Safeguarding and controlling the access of IoT devices poses many new and unique challenges to security teams. Fortunately, there are multiple ways to mitigate their vulnerabilities. Segmenting the network these devices connect to is critical, but not 100% failproof.
To reduce risk further, security teams should also deploy protections that provide visibility to credential exposures, prevent privilege escalation and are capable of tracking in-network lateral movement. Together, these controls can help IoT remain a modern convenience rather than a security liability, and keep it from being synonymous with choice four-letter words.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.