IoT security needs zero trust to face new botnet trends
The growing threat of botnets that target IoT devices means that organizations must extend their perimeter access controls, including the use of zero trust.
The past 18 months have seen an unprecedented explosion in malware and botnet activity, which implies that traditional security strategies are not stemming the tide of cyberthreats.
Indeed, 35% of organizations detected botnet activity at the beginning of 2021, according to the "FortiGuard Labs Global Threat Landscape Report." Just six months later, it was 51%. Botnet activity is a post-intrusion indicator. Mirai continues to dominate when it comes to botnets, due at least in part to cybercriminals' interest in exploiting IoT devices used by work-from-home or learn-from-home individuals. Let's take a closer look at what this means for protecting networks and applications.
Botnets thrived with the remote work shift
There was a sharp rise in botnet activity during June 2021, mainly because of a significant uptick in TrickBot activity. This malware was initially a banking Trojan, but bad actors have transformed it into a complex, multistage toolkit that can perform various nefarious actions.
Mirai took the lead as the top botnet, displacing Gh0st at the beginning of the year and maintaining its place. While Mirai isn't new, it has continued to evolve and remain in use. Malicious actors trying to exploit consumer IoT devices are most likely responsible for its ongoing reign.
Initially, Mirai infected consumer devices, and many people did not consider it an enterprise security issue. However, one of the key challenges with this type of malware is that it doesn't just infect an individual's system. Attackers can use botnets as a beachhead for assaults on systems outside that person's network or organization. They often use botnets to launch distributed denial-of-service attacks.
Today's malware is more complex and pervasive than ever before. With Mirai and other malware, authors released its source code years ago. Other attackers have been continuously using and improving the code in an open source development model. Likewise, attackers can now use botnets as content delivery networks that act as platforms to launch other types of malware attacks.
Gh0st is no longer the top botnet but remains active. Gh0st is a remote access botnet that enables attackers to fully control the systems it infects, download files, or capture live microphone and webcam feeds. The rapid shift to remote work and away from traditional perimeter security creates an expanded attack surface rife with opportunities for threat actors, leading to less use of Gh0st versus Mirai.
The need for zero trust
Organizations should consider the zero-trust approach to providing least privilege access control to protect networks and applications. The philosophy of zero trust is that the network does not automatically trust any user or entity to connect to corporate resources. Instead, all people and entities that request network access must be identified and authenticated and have the request validated. Once validated, the user or entity only has permission to access the fewest resources necessary to carry out their job role or function. Because all unauthenticated access is denied automatically, illegitimate lateral movement is mitigated. Attackers and compromised devices aren't able to explore the network and its resources. Enterprises need to seriously consider adopting the two essential elements of a zero-trust approach: zero-trust access and zero-trust network access (ZTNA).
Organizations need a mix of zero-trust access and ZTNA
Zero-trust access extends and expands on the perimeter access controls that an organization already uses, such as next-generation firewalls and identity and access management tools. It includes more verification and risk assessment levels, such as geolocation, role-based access controls, and date and time. A posture check examines all devices to see whether they are corporate or noncorporate properties, what software they run, and if they have the latest proper configurations, patches and required security solutions.
Network access control technology should be part of a zero-trust model for devices that are connected to the network but lack an end user. Examples include secured entryways, security cameras, HVAC systems, printers and IoT devices. In addition to enabling discovery, authentication and control, network access control also applies the least access principle. When IT teams authenticate every user and device, they get updated network visibility and control, enabling them to identify suspicious activity and mitigate it.
ZTNA, the latest addition to the zero-trust model, is specifically designed to control application access per session. Users who want access to the network, regardless of the device they're using or where they are, go through ZTNA for authentication and access according to their roles on a per-session basis. This process creates secure application access, both for those residing in an organization's data centers and those in the cloud.
Time for an access upgrade
Cybercriminals will continue to exploit every opportunity, and currently, that involves masses of people working and learning from home and remote locations. Attackers have stepped up their use of Mirai, which is not new or groundbreaking. Still, it is indicative of the continuing weakness of legacy products and services, as well as the increase in automated, IoT-focused botnets with destructive capabilities. Organizations should take a serious look at zero-trust approaches for least privilege access that secure remote workers, locations, IoT devices and the growing number of other network edges.
About the author
Jonathan Nguyen-Duy is vice president of strategic programs at Fortinet, where he focuses on emerging technologies and key partnerships. He has unique global government and commercial experience with a deep understanding of threats, technology, compliance and business issues. Previously, Nguyen-Duy was security CTO at Verizon Global Security Services. Before joining Verizon, he served with the U.S. Foreign Service, gaining more than 15 years of security, business continuity, disaster recovery and continuity of operations planning experience around the world.
Nguyen-Duy holds a B.A. in international economics and an MBA in IT marketing and international business from George Washington University.