According to recent research from Gartner, it is forecasted that there will be 200 billion connected IoT devices by the end of 2020. And while connected, autonomous technology will clearly increase efficiency and productivity, businesses and individuals alike should not underestimate the risks posed by IoT.
One of the major issues with IoT devices in businesses is that, after initial installation, the devices are often forgotten and left to run on their own. This allows major threats to IoT security, like distributed denial-of-service (DDoS) attacks via botnets – the tactic used to attack the Domain Name System (DNS) Dyn in 2016 – and kill chain attacks.
The concept of a kill chain attack has been around for several years. Originally a military term, computer scientists at Lockheed-Martin Corporation began to use it with cybersecurity in 2011 to describe a framework used to defend computer networks. Its relevance has taken on new meaning in the current security landscape of IoT devices and botnet attacks.
The “kill chain” lays out the stages of a cyber attack, starting from early reconnaissance to completion of the attack, with the ultimate goal of data theft and enabling more attacks. These stages are:
- Reconnaissance: The intruder selects its target device and begins searching it for vulnerabilities.
- Weaponization: The intruder uses a remote access malware weapon, such as a virus or worm, to address the vulnerability.
- Delivery: The intruder transmits cyber weapons to the target device, whether through email attachments, websites, USB drives, etc.
- Exploitation: The malware weapons code is used to trigger the attack, taking action on the target network to exploit the vulnerabilities identified above.
- Installation: Malware weapon installs access points for the intruder’s use.
- Command and Control: Malware then enables the intruder to gain “hands on the keyboard” persistent access to the target network, enabling future attacks.
IoT devices including wearables, TVs in the boardroom, and security cameras are all easy targets for kill-chain intruders; the IoT device owner is not necessarily always at fault. For the manufacturers of IoT devices, security mechanisms are usually an afterthought — many companies employ weak security practices like having little to no encryption for information and coding passwords directly into the device. In fact, last year, 80 Sony IP security camera models were found to have back doors, which could give hackers easy access to extremely private security footage.
Steps to prevent and respond to a kill chain attack
The best way to prevent a kill chain from infiltrating enterprise IoT security is to invest in a layered approach. There are four steps to applying this approach.
The first step is assessment, or starting with a network discovery process of all of the existing IoT devices connected to the network, including managed and partially managed devices. It is important to understand the classification of each device, which operating system it runs on, and which applications are installed on it.
After conducting an assessment, the next step is segmentation. IoT devices should not be included in the same network segment as other devices, or within reach of the organization’s mission critical systems and data. The best practices for ensuring security include deploying a firewall between IoT and non-IoT segments to minimize the risks to the “crown jewels” of your network.
Following segmentation, the next step is detection or making sure to regularly analyze network behavior, so that if new IoT devices are added, it is possible to ascertain whether their behavior is in pattern with other similar devices. A compromised device or fake device might look the same as other IoT device but behave differently.
The final step is response. Because manual alerts can be hours or even days to process, businesses should involve a backup plan that will immediately limit access to a device with irregular behavior patterns.
This layered approach is designed to both prevent the likelihood of a kill chain attack, and perform damage control during live attacks. Using this inventory, people will be able to understand device behavior on networks and to be alerted to irregular behavior. If, despite all of these steps, an attack does occur, people will be able to effectively respond based on a previously devised back-up plan.
Take, for example, a smart refrigerator that has been installed in your company’s office. Besides cooling your favorite refreshments and reporting on electricity usage, smart refrigerators connect to the wireless network to fetch data, and as a result, it also has the ability to infiltrate other devices in its immediate vicinity, such as laptops, desktop computers, and mobile phones. Because access to the refrigerator isn’t password protected, hackers can easily access and carry out a lateral attack, not only on smart devices but on all devices under a company’s roof.
In a connected environment, only smart, layered approach technology that can see, control, react and manage risk will be effective in securing corporate networks and IoT devices from the next great kill chain attack.