In the last year, we’ve all heard of the Mirai malware, but did you know that Mirai is Japanese for ‘the future’? And that’s what I believe we are seeing: The future of cyber-attacks.
This doesn’t mean that everything else goes away. There will still be phishing attacks, socially engineered access and advanced persistent threats, but these are costly to develop and with distributed denial of service (DDoS) in IoT, the bad guys seem to have found a simple and successful business model to raise needed funds: Develop malware à Use in high profile attack à Monetise threats with service model.
There’s no law of supply and demand on the Dark Net; threats exist as code and can be downloaded, modified and used by any number of people. This was demonstrated successfully with the DDoS attacks in late 2016, where major attacks were almost immediately followed by hundreds of ‘copy-cat’ attacks. There were wasted, precious cycles as incident response teams needed to spend time on identification – creating a smokescreen which allowed the original attackers to quietly disappear.
So, what do I mean by this blog title: “DDoS via IoT – the first wave of attacks?”
I’m not saying that we are going to see millions of DDoS attacks in 2017. Rather, I think that the malware groups are now at the monetisation stage, selling botnets-as-a-service (BaaS) on the Dark Net, making license revenue for further research.
The hacker who developed and recently released the Mirai source code subsequently blogged, “I made my money, there’s lots of eyes looking at IoT, so it’s time to go.” This statement is the basis for my prediction: The DDoS and Botnet attacks in 2016 were the first wave, gathering intelligence and generating revenue which will now be used to develop and propagate advanced and complex IoT Next Generation malware.
What might we see next? We’re starting to see new developments already. Just in the last months, we have seen an American university’s network disrupted by a combination of vending machines and lightbulbs! Next could easily be a botnet with embedded ransomware taking control of an office building and delivered as an automated attack – holding business to ransom – demanding payment literally to turn the lights back on.
These attacks are coming and until security for IoT catches up, they will remain a risk. So, what can we do to become safer and not come home to find the espresso maker that made coffee at breakfast has become a cyber-mastermind by dinner?
- Think about regularly power-cycling for IoT around the home and office – this will include network routers, bulbs and that coffee machine. You should at least perform the classic IT ‘switch it off and on again’ every week or so, but if you feel that things are slowing down, consider a full configuration reset which, if infected, will delete the malware.
- Strong passwords. I cannot say this enough. The default password is not strong because it is the default. Neither is your car registration or cat’s name, both of which are probably available on social media. Create strong passwords, and change them every 60-90 days.
- Create separate Wi-Fi networks for IoT. For business, the adoption of SDSN (Software-Defined Secure Networks) allows granular control of both the network and the traffic flow. When combined with automation, this means that, should a breach occur, it’s simple to quarantine and without putting business data at risk.
- Keep protecting endpoints. I cannot over-emphasise the importance of advanced anti-virus software. However, for IoT, this is not currently feasible as these devices do not have the capability or power to run A/V. So, in addition to endpoint protection, understand what data you have on the network and run Sky Advanced Threat Prevention for the fastest identification and mitigation against a threat when it occurs.
Finally – be vigilant. In a conversation with a colleague at RSA 2017 recently, we mused over the story of the university being taken offline when there had been multiple, but ignored, reports of network performance problems. If your network slows down, if applications seem to be misbehaving, don’t put this down to ‘Monday/Friday’ traffic, as it could be the next big national news-worthy breach infiltrating your network!