Securing IoT through deception
Carolyn Crandall of Attivo Networks
The momentum of IoT adoption is showing no signs of slowing, and with it comes increasingly material risk for both businesses and households. The quest for innovation has allowed for security to fall behind, and as a result, these devices have infiltrated our lives while creating an environment where attackers can exploit these solutions for anything from ransomware to extensive denial of service attacks, says Carolyn Crandall, chief deception officer at Attivo Networks.
Statistics from Gartner show that the number of connected devices in use will hit 14.2 billion in 2019, and grow to 25 billion by 2021, which means there will be at least 25 billion potential entry points for security breaches.
The UK government took notice and recently launched a consultation on a raft of new IoT security laws and standards. Proposals include mandatory labelling telling consumers how secure a particular connected device is and making it compulsory to include several elements of the “Secure by Design” code of practice. The code offers guidelines about what is considered good practice in IoT security, including monitoring device data for security anomalies, using encryption, and ensuring software is updated. These are all steps in the right direction but should only be used as a baseline and not as a guarantee.
Businesses will need to adopt more sophisticated protection strategies than simply relying on device-based security. Security measures on any device can be worked around, meaning that the attempts to attack an organisation’s network through the IoT can be as varied and numerous as those on more conventional connected devices, such as mobiles, tablets and PCs. In fact, IoT devices can often offer attackers even more opportunities, since attackers can simply seek out and exploit well-known vulnerabilities. They can also go after a large number of targets with the same exploit, increasing their probability of success and potential payout.
Traditional perimeter defences – firewalls, network filtering, etc – are falling short in defending enterprises from sophisticated cyber-attacks using the IoT. The vast number of entry points creates unprecedented levels of complexity in identifying and maintaining the security of these devices, and as we have seen, even the most rigorous perimeter security can eventually be compromised.
These breaches often occur through cyber criminals convincing a network they are someone or something they are not. However, enterprises can beat attackers at their own game by using deception technology as a key weapon in their own defensive arsenal.
Protection through deception
Deception is now recognised as one of the most effective methods for detecting threats across all attack surfaces, including difficult-to-secure IoT. The key is to convince cyber criminals that they are in an organisation’s IT network, when in fact they are engaging with decoys and lures designed to derail their efforts. By establishing a deception network that blends in with production connected devices, organisations can divert attackers away from their real IoT infrastructure without any disruption to availability or operations.
Using a deception solution has numerous advantages, in addition to slowing and derailing the efforts of an attacker. The most notable is that a cybercriminal immediately makes themselves known: with the lightest touch of a deception lure or decoy, their activity can be monitored and recorded. By observing what the attacker is trying to access as well as their Tactics, Techniques and Procedures (TTP), security teams can respond decisively and bolster system defences in these target areas.
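As an added illustration (not code from the article or from any vendor product), the sketch below shows why a decoy touch is a high-fidelity signal: no legitimate client has a reason to contact a decoy, so any flow to one raises an alert without thresholds, and the same source's production contacts give responders a starting scope. The decoy inventory, addresses and flow-record format are constructed for the example.

```python
# Constructed decoy inventory: addresses no legitimate client should ever contact.
DECOYS = {"10.20.0.50": "decoy-ip-camera", "10.20.0.51": "decoy-thermostat"}

# Constructed flow records, one per line: "timestamp source destination dest_port"
SAMPLE_FLOWS = """\
2019-06-01T10:00:01 10.20.0.7 10.20.0.10 443
2019-06-01T10:00:05 10.20.0.99 10.20.0.50 23
2019-06-01T10:00:06 10.20.0.99 10.20.0.50 80
2019-06-01T10:00:09 10.20.0.99 10.20.0.11 23
2019-06-01T10:00:12 10.20.0.7 10.20.0.12 8883
2019-06-01T10:00:20 10.20.0.99 10.20.0.51 1883
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        ts, src, dst, dport = parts
        yield ts, src, dst, int(dport)


def decoy_alerts(flow_text, decoys=DECOYS):
    """Return one alert per source that touched any decoy.

    Each alert records the earliest decoy touch, every decoy service probed
    (what the source was looking for), and the production hosts the same
    source also contacted (where to look next during response).
    """
    flows = list(parse_flows(flow_text))
    alerts = {}
    for ts, src, dst, dport in flows:
        if dst in decoys:
            alert = alerts.setdefault(
                src,
                {"first_seen": ts, "decoy_touches": [], "production_contacts": set()},
            )
            # ISO 8601 timestamps compare correctly as strings.
            alert["first_seen"] = min(alert["first_seen"], ts)
            alert["decoy_touches"].append((decoys[dst], dport))
    # Second pass: scope the same sources' activity against real devices.
    for ts, src, dst, dport in flows:
        if src in alerts and dst not in decoys:
            alerts[src]["production_contacts"].add((dst, dport))
    return alerts
```
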
There is also the benefit that the intruder wastes time and resources trying to get further and further into systems that will yield nothing in the way of a reward. In the event that they realise the game is up, a cybercriminal will either have to start all over again or move on to an easier target.
Modern deception uses the latest in machine learning to maintain authenticity and attractiveness to an attacker. It is now easy to create and manage a deception fabric that blends seamlessly in with the environment and is based on the same operating systems, services, ports, and system characteristics as those used in production. The combination of attractive decoys and enticing lures will efficiently derail everything from automated attacks to advanced attacks on IoT and other Internet-connected devices.
While IoT will continue to gain traction with businesses and consumers alike, attackers will increasingly use these difficult-to-secure devices as an entry point into organisations’ networks. Deception technology reduces an organisation’s risk by effectively fooling attackers, while allowing businesses to reap the full value of the Internet of Things and the new enabling services that they bring.
The author is Carolyn Crandall, chief deception officer at Attivo Networks