Thursday, September 16, 2021

Navigating the IoT Threat Landscape: Smart Attack and Insider Threat Detection

Kate Scarcella is the chief cybersecurity architect for CyberRes, a Micro Focus line of business. She has been in technology for over two decades, with her primary focus being cybersecurity. The majority of Scarcella’s career was at IBM, where she sat on the Security Board of Advisors, helping Fortune 50 clients. She holds a master of science in information security from Nova Southeastern University.

We have been able to respond to known cybersecurity threats and keep a good handle on them, but it is adapting to unknown threats that will make an organization cyber-resilient.

Is the cybersecurity market in a place where it can truly protect the billions of devices that are connected and transmitting data via the Internet of Things (IoT)? This is a critical question, because so much rests on the basic assumption that we can trust the connected devices that are now woven into our lives.

Adding to the question is the fact that more and more of these devices are connecting to the cloud, and more direct use of cloud-based storage creates new targets for exploitation.

Furthermore, in the very near future these devices will be 5G-enabled — if they are not already — which makes monitoring and protection even more difficult for organizations, because the devices connect over the 5G network instead of through the organization's Wi-Fi router.

Traditional Cybersecurity Leaves IoT Devices Vulnerable

Traditional approaches to handling information security threats are simply inadequate when it comes to IoT. The conventional defensive perimeter that the traditional security strategy has relied on for so long is no longer capable of properly maintaining security, because organizations are increasingly moving to distributed environments.

Traditional information security approaches also lack the agility to cope with the expanded attack surface created by the almost incalculable number of IoT devices in the wild. In the conventional approach to information security, defenders try to build the best fortification possible around their treasure, the data. This approach lacks not only flexibility but also creativity, because once that defensive perimeter is breached and the castle is raided — and today, castles are getting raided just about daily — an aggressor is free to move laterally, horizontally, vertically, or in just about any direction they please through the system.

As recently as January of this year, there was an attempt to poison a water treatment plant in San Francisco by a threat actor who used the username and password of a former employee's TeamViewer account, software that enables remote access and control, to delete the drinking water treatment programs. Once access was gained, the infiltrator was able to move in any direction they wanted within the system, going undetected until the following day. Luckily no failures or illnesses occurred, but it is just one of many examples of attacks on critical infrastructure.

Complicating the matter, and really where flexibility and creativity come into play, is the fact that organizations require the ability for information to be shared securely in many locations, by many different people and devices. Keeping the focus on critical infrastructure, there are apps in use today by remote workers in various industries that bypass all controls and work directly with the relevant systems. Mobile devices have become a key access point for operators in the field. And while they help workers make adjustments in real time without being tethered to a desk, they also open up more attack vectors for threat actors.

The first step toward a critical shift in cybersecurity mindset is a move away from the traditional strategy, which depends on reaction: events and incidents surface on a console from applications, identity and access management systems, and databases, and the information they provide is there only to be reacted to.


How Behavioral Analysis Can Protect Devices

The new, more effective method for dealing with threats is through behavioral analysis. With behavioral analysis, companies can identify rogue devices, privilege-escalation attempts, lateral movement, malware command-and-control events, and other kinds of threat-actor behavior.

For example, in the case of an attacker engaged in lateral movement on a system, suspicious behaviors can be identified and appropriately analyzed. Examples of lateral movement that can be flagged and assessed include attempts to access a shared drive that few of the user's peers access, accessing resources that no one has accessed recently, or accessing a shared drive more frequently than the user has accessed it in the past.

A data-related behavior that can be flagged, assessed, and responded to is data exfiltration, in which a machine sends an above-average amount of data to a certain destination or makes an above-average number of attempts to send data out.

Alerts can also be set off when a user tries to use a service or privileged process that has not recently been used by that user, by the machine, or by anyone else.

Key Ways to Secure Devices Through Behavioral Analysis and Monitoring 

With an approach that prioritizes agility, the treasure is kept in plain sight — much like valuable objects displayed in a museum — but access to the treasure is tightly controlled, and activity around the treasure is closely monitored. Implementing access controls allows an organization to change who or what has access to the treasure as conditions change. For example, a new hire will require some access, and an exiting employee's access will need to be revoked. By closely monitoring activity around valuable intellectual property, anomalous behavior can be detected.

Tools available today enable defenders to not only monitor the behavior of people, but also of things. The models developed to control user access to resources can simultaneously be used to control the access of things to resources as well as to expose compromised devices.

Unusual commands being issued by a device? That could potentially be an indicator that the device has been compromised. So, too, could an unusual spike in events emanating from the device or an unusual number of failed authentication attempts. Device activity at unusual times, connection to an unusual destination, or an unusual number of network connections are all examples of anomalous behaviors that can be monitored and assessed. 
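The user rules described earlier (a shared drive few of the user's peers touch, volume far above the user's own history) and the device rules just listed (a connection to an unusual destination) are the same two comparisons, against a peer group and against the entity's own baseline. The Python below is an added example, not code from the article or from any CyberRes or Micro Focus product; the peer groups, activity records, thresholds and the 203.0.113.9 destination are all constructed, and the same baseline check generalizes to daily event counts or failed-authentication counts.

```python
from collections import Counter
from statistics import mean, pstdev
# Constructed sample data (not from the article): peer groups as an IAM system might define
# them, and (day, actor, resource, bytes) activity records. Devices are actors like users.
PEER_GROUPS = {"finance": {"alice", "bob"}, "eng": {"carol", "dave", "erin"},
               "pumps": {"pump-01", "pump-02", "pump-03"}}
RECORDS = [
    (1, "alice", "drv-finance", 5000), (2, "alice", "drv-finance", 6000),
    (1, "carol", "drv-eng", 8000), (2, "carol", "drv-eng", 7500),
    (3, "carol", "drv-eng", 8200), (4, "carol", "drv-eng", 7900),
    (5, "carol", "drv-finance", 2000),   # a drive none of carol's peers use
    (5, "carol", "drv-eng", 900000),     # ~100x her usual daily volume
    (1, "dave", "drv-eng", 4000), (1, "pump-02", "scada-hist", 1000),
    (1, "pump-01", "scada-hist", 1000), (2, "pump-01", "scada-hist", 1100),
    (3, "pump-01", "scada-hist", 1000), (5, "pump-01", "scada-hist", 1050),
    (5, "pump-01", "203.0.113.9", 50000),  # destination no sibling pump talks to
]

def peer_share(actor, resource, records):
    """Fraction of the actor's peers that ever touched `resource` (1.0 if no peers);
    a low share is the 'shared drive few of the user's peers access' cue."""
    peers = next((m - {actor} for m in PEER_GROUPS.values() if actor in m), set())
    users = {a for _, a, r, _ in records if r == resource}
    return len(peers & users) / len(peers) if peers else 1.0

def exceeds_baseline(history, current, k=3.0, min_points=3):
    """Over k std devs above the actor's own past values and at least double their mean."""
    if len(history) < min_points:          # too little history: no verdict
        return False
    mu = mean(history)
    return current > mu + k * pstdev(history) and current > 2 * mu

def detect(day, records, peer_threshold=0.25):
    """Apply both rules to every (actor, resource) pair active on `day`."""
    alerts = set()
    for d, actor, resource, _ in records:
        if d != day:
            continue
        if peer_share(actor, resource, records) < peer_threshold:
            alerts.add(("rare_for_peers", actor, resource))
        volume = Counter()                 # bytes per day for this actor/resource
        for dd, a, r, nbytes in records:
            if a == actor and r == resource:
                volume[dd] += nbytes
        if exceeds_baseline([v for dd, v in volume.items() if dd < day], volume[day]):
            alerts.add(("volume_spike", actor, resource))
    return sorted(alerts)
```

Running `detect(5, RECORDS)` flags carol's first visit to the finance drive, her 900,000-byte day on her own drive, and pump-01's new destination, while day 4 produces no alerts.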

As more organizations embrace IoT behavior intelligence, they will move beyond the traditional “defend the perimeter” strategy and be better equipped to thwart advanced attacks, while detecting insider threats. Up to this point, responding to known threats has been relatively easy, but adopting this new paradigm will help organizations better adapt to unknown threats and help them to become more resilient in doing so. Cybersecurity problems have a solution. The final hurdle lies in shifting the collective mindset. 
