Building an IoT Immune System

(Image credit: KAUST)

Billions of moving parts constantly talking to one another; a living network open to foreign invaders and viruses, all connected to a supercomputer housing a wealth of information. I’m referring to the human body, although you’d be forgiven for seeing the obvious parallels with the Internet of Things (IoT).

Luckily for us, our bodies house a millennia-old, tried-and-tested immune system to defend us against viruses, identify and destroy malicious intruders and keep us, for the most part, running smoothly. But the same can’t be said for the evolving world of IoT.

About the author

Caleb Fenton, Research and Innovation Lead, SentinelOne.

And it is evolving - rapidly. Gartner predicts that the number of IoT devices will triple from seven billion to 21.5 billion, and that 25% of cyber attacks will target the IoT, by the year 2025.

While these are staggering statistics, they shouldn’t come as a shock; cybercriminals are clever, careful and considered, and as such will identify and target any obvious vulnerability put in front of them. In its current state, then, the IoT may as well have a target painted on its back.

The IoT blindspot

Currently, many IoT devices are a security blindspot. Cheaper devices aren’t built to withstand attackers or protect the information they house, yet we own more of them every day. Every new device that joins the network brings with it another potential vulnerability.

Take IP security cameras for example. Many organisations install them for physical security and leave them sitting on the corporate network. Because the camera shares that network, if an employee in a separate department has their machine infected with malware, the intruders behind it will be able to scan the network for connected devices, find the camera, and suddenly have eyes inside your organisation - a frightening and potentially damaging prospect.

This is just one example of the vulnerabilities, but with so many IoT devices providing audio and visual feeds, as well as access to sensitive information, it’s not difficult to imagine similar attacks.

In fact, some of these attacks have already happened. Take the Mirai botnet, which in 2016 targeted smart home devices, in particular IP cameras and basic wireless routers. The botnet was used in some of the most disruptive DDoS attacks to date, including an attack on French web host OVH and the Dyn cyber attack, which left numerous high-profile websites, such as Twitter, Netflix and Airbnb, inaccessible.

Similarly, in 2017, an IoT botnet dubbed ‘Persirai’ threatened to hijack over 120,000 IP cameras, with most at-risk devices found in China, Thailand and the US. In both cases the large majority of people who owned these basic home consumer devices were unaware of their threat potential. Suddenly, the possible detrimental impact of a seemingly innocent device, such as an IP camera, became startlingly clear.

A necessary evil

Just like our immune systems, cyber security follows a certain pattern. When any new system or device enters the market, hackers find a way to exploit it. Developers then learn and patch it, and the cycle continues, hardening its security each time. Just as we need colds and flu to strengthen us as we grow, hackers are a vital part of evolving and improving security measures.

For further proof, turn your eyes to today’s industrial control systems. Having lived in bubbles with no exposure to the internet and the hackers that come with it, they haven’t had the chance to develop an immune system. Now that they’re becoming part of the network, we’re seeing an onslaught of cyber attacks against them, as they rarely have mature security measures in place.

Think like the enemy

Of course, just as we wouldn’t willingly offer ourselves up to a serious disease for the betterment of our health, we still need to do all we can to deter would-be attackers - as necessary as they may ultimately be. So, what is the answer to bolstering your organisation’s IoT immune system?

Thinking like an attacker is a great place to start. By looking at your network and all its connected components - from printers to cameras and more - and identifying how you would likely attempt a breach, you will begin to see the same vulnerabilities and gaps that criminals would target.

Another route I would strongly recommend is compartmentalising your network, otherwise known as taking a Software Defined Perimeter approach to your endpoint security. Most networks, even those belonging to large organisations with impressive security tools in place, are flat. This means that if an intruder successfully breaches the network, they can see almost everything on it. With a compartmentalised network, the intruder would only have access to the devices that the compromised machine is authenticated to talk to, thereby limiting the potential damage.

Beyond this, much better visibility into the network is required. With this type of asset management, organisations will be able to visualise their networks, see what’s happening in real time and stop attacks in their tracks.
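The compartmentalisation and visibility points above, as an added example that is not code from the article or from SentinelOne: a small Python check that evaluates observed flow records against a segment-level allowlist (with a flat network modelled as "allow everything" for contrast) and lists any host that appears in traffic but is missing from the asset inventory. The segment names, addresses, ports and flow records are all constructed for illustration.

```python
"""Added example: checking network flows against a segmentation policy.

The inventory, policy and flow records below are constructed for this
illustration; none of them describe a real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed asset inventory: one subnet per segment (hypothetical addresses).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.20.0/24"),
    "cameras": ipaddress.ip_network("10.10.30.0/24"),
    "nvr": ipaddress.ip_network("10.10.40.0/24"),
    "printers": ipaddress.ip_network("10.10.50.0/24"),
}

# Compartmentalised policy: (source segment, destination segment, port) tuples
# that are permitted. Anything not listed is denied. Constructed for illustration.
COMPARTMENTALISED_POLICY: Set[Tuple[str, str, int]] = {
    ("cameras", "nvr", 554),          # cameras stream RTSP to the recorder only
    ("workstations", "nvr", 443),     # staff review footage via the recorder's web UI
    ("workstations", "printers", 9100),
}

# A flat network is modelled as "no policy": every host may reach every other.
FLAT_POLICY: Optional[Set[Tuple[str, str, int]]] = None


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def segment_of(ip: str) -> str:
    """Map an address to its inventoried segment, or 'unknown' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(flow: Flow, policy: Optional[Set[Tuple[str, str, int]]]) -> bool:
    """True if the flow is permitted; a None policy is a flat network."""
    if policy is None:
        return True
    return (segment_of(flow.src), segment_of(flow.dst), flow.dport) in policy


def violations(flows: Iterable[Flow],
               policy: Optional[Set[Tuple[str, str, int]]]) -> List[Flow]:
    """Flows that the policy does not permit, in the order observed."""
    return [f for f in flows if not is_allowed(f, policy)]


def unknown_hosts(flows: Iterable[Flow]) -> List[str]:
    """Visibility check: hosts seen in traffic that belong to no known segment."""
    seen = {ip for f in flows for ip in (f.src, f.dst)}
    return sorted(ip for ip in seen if segment_of(ip) == "unknown")


# Constructed flow records. The third and fourth model a compromised workstation
# talking straight to a camera, the scenario the article describes.
SAMPLE_FLOWS = [
    Flow("10.10.30.7", "10.10.40.10", 554),   # camera -> recorder: expected
    Flow("10.10.20.5", "10.10.50.3", 9100),   # workstation -> printer: expected
    Flow("10.10.20.5", "10.10.30.7", 554),    # workstation -> camera: not allowed
    Flow("10.10.20.5", "10.10.30.7", 80),     # workstation -> camera web UI: not allowed
    Flow("10.10.60.9", "10.10.40.10", 443),   # uninventoried host -> recorder
]

if __name__ == "__main__":
    print("flat network violations:", len(violations(SAMPLE_FLOWS, FLAT_POLICY)))
    for f in violations(SAMPLE_FLOWS, COMPARTMENTALISED_POLICY):
        print(f"denied: {f.src} ({segment_of(f.src)}) -> "
              f"{f.dst} ({segment_of(f.dst)}) port {f.dport}")
    print("hosts missing from inventory:", unknown_hosts(SAMPLE_FLOWS))
```

Under the flat model nothing is flagged, which is exactly the problem the article describes; under the segmented policy the same traffic yields three denied flows and one host that the inventory has never seen. In practice the flow records would come from a switch, firewall or flow collector rather than an inline list, and the policy would be enforced at the network layer rather than merely audited after the fact.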

Ultimately security measures need to, and will, improve. We’re currently at the low point of the cycle I mentioned earlier, but with the right procedures, tools and education in place, we can give the IoT the immune system it needs to survive.

Caleb Fenton

Caleb Fenton is the Research and Innovation Lead at SentinelOne where he and his team analyze threats and research new ways to detect malware and anomalies, map networks, find vulnerabilities, and so on. He's been active in security research for over 15 years and maintains several open source malware analysis tools. His current focus of research is using machine learning and other analysis techniques to find attacks and suspicious activity in endpoint and network behavioral data.