Advanced persistent threat (APT) groups are showing no signs of slowing down despite the global coronavirus pandemic and they appear keen on exploiting the Internet of Things (IoT) for their attacks.
The Russian group APT28 has recently been reported to have been scanning and exploiting vulnerable email servers for over a year. This group is known for hacking into IoT devices to gain a foothold into networks. IoT adoption is rising in organizations and enterprises. Gartner estimates that 5.8 billion enterprise and automotive endpoints will go online by this year. This trend is affecting cybersecurity as well. Each IoT device that gets added to a network expands the attack surface. Because of this, hackers now include attacks against IoT devices as part of their kill chains.
In response, organizations must treat their IoT components as potential attack vectors in their respective security strategies. Since IoT devices are varied and can be found across a wide network, testing all deployed controls has become even more critical to ensure that organizations are protected across the APT kill chain. To cope, IT teams can look into using a security validation platform to perform the various cyber threat tests needed to cover the entirety of their defenses.
IoT in the APT kill chain
The cyber kill chain outlines the various stages of a cyberattack campaign. Hacks carried out by APTs are deliberate and methodical. The kill chain starts with reconnaissance activities such as probing networks for vulnerable and exploitable components before actually breaching a network. Once they gain a foothold in the network, APTs lurk inside for extended periods of time to achieve their purpose—whether it’s to steal or destroy data.
APTs will exploit any part of the infrastructure that they can, and IoT devices have become a convenient target. IoT devices can take the form of smart thermostats, IP cameras, wireless printers, and sensors found in different areas of the infrastructure. Many even connect directly to the public internet, which readily exposes them to probing by APTs. These devices also have varying security features and capabilities, and most rely on security controls such as firewalls to protect them from being reached by malicious traffic.
Once breached or taken over, these devices can be used to enable the other stages of the kill chain. Recently discovered threats such as the Kaiji malware and the dark_nexus botnet both point at the attempts by APTs to further weaponize IoT devices for their campaigns. Kaiji performs SSH brute-force attacks in attempts to take over devices while dark_nexus has been able to pool together compromised devices to launch distributed denial-of-service (DDoS) attacks and spread malware.
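One way a defender can spot the SSH brute-force behaviour the article attributes to Kaiji is to watch sshd logs for a burst of failed logins from one source followed by a successful login from the same source. The following is an added example, not code from the article; the log lines, hostnames and IP addresses are constructed, and the threshold and time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not from the article); hypothetical IPs.
SAMPLE_LOG = """\
May  5 10:00:01 cam01 sshd[811]: Failed password for root from 203.0.113.7 port 51010 ssh2
May  5 10:00:03 cam01 sshd[812]: Failed password for admin from 203.0.113.7 port 51012 ssh2
May  5 10:00:04 cam01 sshd[813]: Failed password for invalid user pi from 203.0.113.7 port 51014 ssh2
May  5 10:00:06 cam01 sshd[814]: Failed password for root from 203.0.113.7 port 51016 ssh2
May  5 10:00:07 cam01 sshd[815]: Failed password for root from 203.0.113.7 port 51018 ssh2
May  5 10:00:09 cam01 sshd[816]: Accepted password for root from 203.0.113.7 port 51020 ssh2
May  5 10:05:00 cam01 sshd[900]: Failed password for ops from 198.51.100.4 port 40000 ssh2
May  5 10:05:30 cam01 sshd[901]: Accepted publickey for ops from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(lines, year=2020):
    """Turn syslog-style sshd lines into (timestamp, result, user, ip) tuples."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(lines, threshold=4, window_s=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window of
    window_s seconds, and record whether a later success from that IP followed
    the burst (the pattern of a successful brute-force takeover)."""
    recent_failures = defaultdict(list)
    alerts = {}
    for ts, result, user, ip in parse(lines):
        if result == "Failed":
            # Keep only failures that fall within window_s of the current one.
            recent = [t for t in recent_failures[ip] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            recent_failures[ip] = recent
            if len(recent) >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(recent))
        elif ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts
```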
Protecting multiple attack vectors
Due to the varying uses of IoT devices, they may play a role in different stages of the kill chain. There is no real one-size-fits-all solution to secure IoT devices; therefore, organizations need to have comprehensive strategies and employ stringent security controls that protect across the kill chain.
Networks and web applications must be protected by firewalls, workstations must be equipped with endpoint security, and email servers must be kept safe by capable filters and disarm solutions. Staff members should also be educated on the proper use of computing resources and how to avoid falling victim to social engineering and phishing attacks.
As for IoT devices, all of them must be properly configured. Most exploited IoT devices use default administrator usernames and passwords, which are widely known and accessible to anyone. Direct internet connectivity and peer-to-peer features may also be disabled. Changing these settings is considered essential in IoT security.
Continuous testing is a must
Most importantly, the key to a strong security posture is testing. No matter how many security solutions are deployed on the network, if any of them fall short due to ineffectiveness, misconfiguration, or bugs, APTs will still be able to breach the network and pull off successful attacks.
Network components, devices, and software are also bound to introduce changes due to updates and patches. Any change that happens within the network may affect the security posture. For example, Windows updates have been known to inadvertently introduce vulnerabilities to endpoints. Thus, testing must be done routinely and, preferably, every time changes are made to the infrastructure.
There are various ways testing can be done. Vulnerability scanners can be used to profile potential exploitable systems. Organizations can also launch their own attacks on their networks through penetration tests. Newer approaches such as the use of breach and attack simulation (BAS) platforms, which basically combine vulnerability scanning and penetration tests, allow for this continuous testing. BAS can automate tests on specific security measures. They can even simulate the real-world tactics used by APTs for a more comprehensive sweep of the defenses.
Through continuous testing, organizations will be able to guarantee that their controls work and that the gaps in the security, including those that may be caused by IoT adoption, are covered.
Security with IoT in mind
As their name suggests, APTs pose lingering risks to organizations. Now that hackers include attacks on IoT devices as part of their kill chain, organizations must be able to adjust their respective strategies to include protection for these potentially vulnerable devices.
Fortunately, it is possible to employ measures and controls that could create cohesive security strategies that can mitigate APT attacks. But for these to work, organizations must continuously test these controls. This way, organizations will be able to continue benefiting from their IoT use while keeping their infrastructure safe and secure.