From coffee machines and fridges, to virtual assistants and video cameras, consumers and businesses alike are embracing a new wave of connected devices, with Gartner estimating that 20.4 billion IoT devices will be in use worldwide by 2020. Yet this massive proliferation, and the vulnerabilities that come with it, have not seen businesses adapt their security measures to this new reality. In fact, companies are forecast to spend only 10% of their IT security budgets on defending IoT devices. The discrepancy is alarming.
What is more, security teams routinely underestimate the number of devices on their network – in Darktrace’s experience, by an average of 7,000 devices – and this difference is often down to interconnected devices. The office staff might roll out a new swipe card system to regulate access to the building, or a new air conditioning unit might be installed, without so much as a mention to the IT team.
For all their ease of use and quick time to market, the reality is that interconnected devices weren’t created with security in mind. At Darktrace, we are seeing an increasing number of attacks that are using non-traditional devices as an inroad to the network, including printers, thermostats, and even a connected smoke detector.
The abundance of IoT devices means that it is no longer reasonable to expect security teams to keep an accurate, up-to-date asset list that includes all the devices on the network. Instead, organizations need a security tool which provides 100% network visibility.
Traditional security approaches build a wall around the corporate network and use rules and signatures in an attempt to pre-define cyber-threats, and stop them at the border. However, in today’s evolving threat landscape, it is simply no longer possible to know what ‘bad’ looks like in advance.
Darktrace’s approach to cyber security is fundamentally different. Instead of guarding the perimeter, the Enterprise Immune System uses AI algorithms that self-learn what’s ‘normal’ for a network and can detect and respond to threatening anomalies in real time. Much like the human immune system, which builds an understanding of what is a part of ‘self’ and what is not a part of ‘self’, the Enterprise Immune System builds an evolving baseline of the normal ‘pattern of life’ within a network. Leveraging this understanding, the AI algorithms automatically detect alarming anomalies that could be indicative of emerging threats, and respond to them in real time, mitigating threats before they escalate into crises.
To date, the technology has detected over 30,000 serious in-progress threats. Some of the most varied attacks that we have seen at Darktrace used IoT devices as an easy route into the corporate network, and in some cases, IoT devices were themselves the attackers’ targets.
One example involved the infiltration of a video conferencing system.
A large sporting firm began to use a new video conferencing system in order to communicate between internationally travelling team members. Soon after Darktrace had been installed on the network, the Enterprise Immune System detected some unusual patterns, based on what it had learnt to be normal for similar devices, and alerted the security team. An investigation into this anomalous pattern showed that a back-door had been uploaded to the device months before Darktrace had been installed. Further attack software was uploaded and the video conferencing platform was now streaming everything that happened in the board room to an unknown criminal outside of the network. It was also connecting to other computers as the attacker explored the network, probably in an attempt to locate further valuable information.
The privacy of the firm’s sporting tactics, and its negotiations for hiring new players, were under threat.
In the network of another customer, a major fast-food chain, Darktrace found that outsiders on the internet had the ability to change the temperature of the fridges in the company’s food storage units globally.
Although no data was being maliciously changed, anybody could have caused widespread food spoilage, and even poisoning, across this organization’s global locations. This would have had major implications, both reputational and legal, for the organization. Once Darktrace had alerted the company’s security team to this issue, they were able to address the threat directly and mitigate any further damage.
Attackers did take advantage of a flaw, however, in a third example involving the infiltration of a fingerprint scanner which was used to restrict access to an Asian company’s luxury goods.
The Enterprise Immune System spotted unusual external connections to and from the biometric scanner – an attacker had managed to compromise the device through legacy software vulnerabilities and network misconfigurations. Having accessed the biometric scanner, the criminal had started to use it to remove copies of legitimate fingerprint data from the central database, and also added new fingerprints, seemingly in an attempt to gain physical access to the company’s restricted logistic facilities.
No signature existed for this type of threat, and it went completely unnoticed by the legacy controls that the company had in place. Fortunately, Darktrace detected this anomalous behaviour, and alerted the organization in time to avoid a physical intrusion and potential real-world theft.
The proliferation of IoT devices means too many organizations now have multiple blind spots in their networks, making it impossible to properly defend the network. More and more companies are deploying machine learning cyber defence tools with 100% network visibility, which can detect anomalies in real time. That way, regardless of whether it’s the office coffee machine or the CEO’s laptop that has been breached, inevitable attacks can be detected when they emerge and mitigated before inflicting harm.
Dave Palmer, Director of Technology at Darktrace