
Defensive Cyber Operations for the Internet of Things
Jennifer Ellis
2017 Internet Security Threat Report | Volume 22
Copyright 2017, Symantec Corporation
1
Operating in an IoT environment
‘War amongst the People’ becomes ‘War amongst the Devices’
‘20 billion devices by 2020’ (Gartner)
Exploitation of IoT devices
• As weapon (DDoS): Mirai
• As vector: MFDs (multi-function devices)
• As physical target: PLCs for centrifuges at Natanz (Stuxnet)
• As surveillance asset: smart TVs (Vault 7)
Targeted Attacks
Targeted attacks shift from economic espionage to politically motivated sabotage and subversion
Timeline of notable targeted attack incidents during 2016 (January to December)
Categories: SABOTAGE, SUBVERSION
• Destructive malware used in cyberattacks against power stations in Ukraine
• Microsoft patches IE zero day which was being used in targeted attacks in South Korea
• Buckeye begins campaign against targets in Hong Kong
• Equation breach: exploits and malware dumped online
• Seven Iranians charged in relation to cyberattacks against US targets
• Data stolen from Democratic National Committee (DNC) intrusion released online
• Symantec uncovers Strider cyberespionage group
• Disk-wiping malware Shamoon reappears after four years
• Data stolen from World Anti-Doping Agency (WADA) intrusion released
• Power outages in Ukraine suspected to be linked to cyberattack
Resurgence of sabotage
Sabotage campaigns represent another form of politicized and disruptive attack

Shamoon (est. 2012)
Aliases / Distrack
Possible region of origin: Middle East
Tools, tactics & procedures (TTP)
• Stage one: spearphishing, credential theft
• Stage two: disk-wiping payload
Motives
• Aggressive and highly disruptive campaigns
• Political: payload includes political imagery
Target categories & regions
• Energy
• Saudi Arabia
Known for
• 2012 campaign against Saudi and Qatari energy sector
• Reappearance with broader campaign in 2016

Sandworm (est. 2014)
Aliases / Quedagh, BE2 APT
Possible region of origin: Russia
Tools, tactics & procedures (TTP)
• Killdisk disk-wiping threat
• Stealth: deletes logs, removes attack artifacts
• Maximum disruption: blocks access to recovery systems
Motives
• Political, military: cyber wing of ongoing Russian activity against Ukraine
Target categories & regions
• Critical infrastructure, energy, media, finance
• Ukraine
Known for
• Late 2015 power outage in Ukraine
• War-dialing of energy companies
Internet of Things
IoT Devices Attacked Within Two Minutes of Connecting to the Internet
In 2004 security researchers put a PC on the internet
o Without any patches installed
o Without any security software
It was attacked within 4 minutes
In 2016 Symantec researchers put an IoT device on the internet
It was attacked within 2 minutes
Attacks against Symantec IoT honeypots doubled from January to December 2016
JAN | 2016: 5/hour
DEC | 2016: 9/hour
The security shortcomings of IoT
o No system hardening
o No update mechanism
o Default/hardcoded passwords
Top 10 passwords used by malware to break into IoT devices
Top 10 countries where attacks on the Symantec IoT honeypot were initiated
The Consequences of Poor IoT Security
o Mirai source code has been released into the wild
o Variants appeared within two months
o Estimates of Mirai bots – 493,000
o Gartner estimates 20 Billion IoT devices in world by 2020
o At least 17 other malware families targeting IoT (including home routers)
Defensive Options
Inoculation/Counter Infection
• Hajime is currently fighting it out with Mirai for control.
Boundary Security
The War of the Standards
Baselining and Machine Learning (Anomaly Detection)
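As an added example (not part of the ISTR slides or any Symantec tooling) of the baselining approach named on this slide, applied to the kind of per-hour attempt rates shown on the honeypot slide: a Python script that builds a median/MAD baseline from the first twelve hours of a login-attempt log and flags later hours whose rate exceeds it. The log format, source addresses and counts are all constructed for the example.

```python
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta, timezone

# Hypothetical log format constructed for this example: one login attempt per line.
LINE_RE = re.compile(r"^(?P<ts>\S+) telnet src=(?P<src>[\d.]+) user=(?P<user>\S+) result=(?P<result>\w+)$")

def hourly_counts(lines):
    """Parse attempt lines into {hour_start_iso: number_of_attempts}."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the monitor
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        counts[ts.replace(minute=0, second=0).isoformat()] += 1
    return counts

def anomalous_hours(counts, train_hours, k=3.0, mad_floor=2.0):
    """Baseline = median and MAD of the training hours; flag later hours above median + k*MAD.
    mad_floor keeps a perfectly flat baseline (MAD = 0) from flagging every small bump."""
    train = [counts.get(h, 0) for h in train_hours]
    med = statistics.median(train)
    mad = statistics.median(abs(x - med) for x in train)
    threshold = med + k * max(mad, mad_floor)
    return sorted(h for h, c in counts.items() if h not in train_hours and c > threshold)

def constructed_log(start):
    """Synthetic data: 5 attempts/hour for 12 hours, then a 40-attempt burst in hour 13."""
    sources = ["198.51.100.7", "203.0.113.9", "192.0.2.44"]  # documentation-range addresses
    lines = []
    for hour in range(13):
        for i in range(40 if hour == 12 else 5):
            ts = start + timedelta(hours=hour, minutes=i)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} telnet src={sources[i % 3]} user=admin result=fail")
    return lines

def run_example():
    """Baseline on the first 12 hours of the constructed log and report the anomalous hours."""
    start = datetime(2016, 1, 10, tzinfo=timezone.utc)
    counts = hourly_counts(constructed_log(start))
    train_hours = [(start + timedelta(hours=h)).isoformat() for h in range(12)]
    return anomalous_hours(counts, train_hours)

if __name__ == "__main__":
    print(run_example())  # ['2016-01-10T12:00:00+00:00']
```

A gradual climb like the 5/hour to 9/hour rise seen across 2016 would not trip a fixed baseline; re-baselining on a rolling window and alerting on the trend as well as on bursts covers that case.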
Thank you!
Jennifer Ellis
Copyright © 2016 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are
trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other
countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All
warranties relating to the information in this document, either express or implied, are disclaimed to the
maximum extent allowed by law. The information in this document is subject to change without notice.