Defending Against Attacks on Vulnerable IoT Devices
Organizations must approach cybersecurity as if they are defending themselves in a cyberwar.
November 14, 2023
Cyber warfare is increasingly used as an attack method in international conflicts because of the flexibility, impact, and, often, deniability it offers attackers. Governments leverage powerful technologies to conduct operations against geopolitical adversaries and internal dissidents, and to supplement active military engagements. To achieve wartime objectives, threat actors want to gain control of powerful systems without tipping off their opponent that they have that control. That's why the ideal points of entry for a cyberattack are vulnerable, neglected Internet of Things (IoT) devices — a threat surface that constitutes the largest unsecured attack surface for most organizations today.
The Story So Far
Early examples like the Stuxnet worm, which was deployed as a weapon against Iran's nuclear program starting around 2005 (and only discovered in 2010), reveal that these attack vectors are nothing new to modern, global security forces. Since Stuxnet, there has been an explosion in the use of powerful IoT/operational technology (OT) devices in organizations of all kinds, including network-attached storage systems, building automation, physical security, and office equipment. Powerful IoT devices are no longer under the control of governments or the military; they've been democratized. The large number of IoT devices within an organization makes attacks easier to scale, and the wide variety of device types has diversified attack angles.
Attacks that resemble special operations in their scope and target continue, but now private organizations ranging from entertainment conglomerates to more strategically important enterprises like energy providers must protect themselves as if they were in the crosshairs of a nation-state (as Sony Pictures was when hacked by North Korea).
The Ukraine–Russia conflict is another example of nation-state cyberattacks exploiting IoT devices. Since the beginning of the war, reports have circulated of both sides exploiting unremediated vulnerabilities, specifically in critical infrastructure and unsecured IoT devices. Because of the function of these devices — as sensors, parts of camera networks, and so on — adversaries that obtain access gain highly sensitive data, including video and live feeds, which they can subsequently modify, use for intelligence or sabotage, or hold for ransom. Compromised IoT security networks have already led to real-world harm in this conflict and provided attackers with more efficient methods of getting intelligence and battlefield surveillance.
Before and during the conflict, hackers on both sides seeded botnet armies in networks waiting to be deployed. Vulnerable IoT devices are not hard to find if you know where to look for them. New forms of discovery, such as context discovery, will provide details on how the devices function, what applications they are tied to, and the overall data flow across the network. These devices are easy to infect because they are viewed as "set it and forget it" equipment that lacks regular cyber hygiene. Because there is almost no effort on "bot eradication," and organizations instead rely on "bot mitigation," there are an untold number of bot armies lying in wait. The evidence of this can be found in the price listings available on the Dark Web that feature tens of thousands of compromised devices.
According to Check Point, nation-state actors are increasingly compromising edge devices to target US critical infrastructure. In May 2023, Microsoft warned that Chinese state-sponsored hackers, also known as Volt Typhoon, had gained access to government and communications critical cyber infrastructure. The group's main goal was to gather intelligence and gain a foothold in US networks for future planned attacks.
Here are the three essential lessons for businesses that hope to protect against nation-state attacks:
Bad actors now know that IoT represents the most vulnerable attack surface today. Malicious hackers worldwide are shifting to "living on the edge" when launching cyberattacks, as seen with Russia and Ukraine. Any firm that depends on IoT devices (as many do) should be careful to take those into account when assessing its overall risk and security posture.
Organizational size is irrelevant. Adversaries target smaller businesses like coffee shops, apartment complexes, and TV stations because they often fail to implement proper IoT device management practices, like firmware patching, password rotation, and certificate rollout. Most of these devices are left vulnerable because the ongoing maintenance required to secure them puts a huge strain on small businesses' internal resources. Automation is essential for companies looking to deploy IoT security solutions at scale.
Bad actors rely on an organization's poor cyber hygiene to gain unauthorized access. Their ability to foster a botnet army within IoT devices reflects weak cybersecurity posture. Rather than just minimizing the damage caused by bots and malware, IT teams should focus on vulnerability remediation to stop devices from serving as a "safe haven" for hackers to hide in.
The typical enterprise may not consider itself to be a target in a conflict like the one between Russia and Ukraine. However, it's increasingly evident that the usual targets — critical economic, social, and civil institutions — are not the only victims. Everyday organizations with seemingly innocuous IoT systems are even more susceptible to cyberattacks because they least expect it.
Organizations must approach cybersecurity as if they are defending themselves in a cyberwar. Businesses that fail to apprehend the scale of this problem and take steps to proactively defend themselves are facing unacceptable and unbounded risk. At the same time, forward-looking organizations that leverage all the technologies available will stay ahead of threats in the emerging landscape.