Dear Mirai, how thou shall plan for thee
- 15 November, 2016 04:02
If you've seen Macbeth, you know the tragedy of Lady Macbeth who realizes in the final act that, "What's done cannot be undone." Overcome with guilt, she is unable to erase the image of blood stained on her hands, and she commits suicide.
What makes Macbeth one of the most famed tragedies of Shakespeare is that he and his wife made rash decisions without thinking about the consequences of their actions. They didn't plan ahead.
For centuries, audiences have loved to hate Macbeth and Lady Macbeth. They were ambitious, but their blind ambition proved to be their tragic flaw. Certainly, the tech industry must be able to relate to these human weaknesses in the wake of Mirai and Dyn.
No one needed a crystal ball to see these large style attacks coming. Amid the pressure to get products to market, developers put security on the back burner. They didn't want to think about the potential consequences inherent in hard coded passcodes.
It was easier for everyone to bury their heads in the sand and hope that the inevitable might magically be avoided.
If they've heard it once, they've heard it a thousand times. In security, hope is not a strategy. Rather than deciding where to point the finger of blame, security practitioners and developers alike are better served if they put their heads together and strategically plan for the future.
According to a 2016 Q3 threat report from Nexusguard, DDoS threats will rise in Q4 to impact holiday shopping traffic. On the heels of the massive Dyn DDoS attack, there’s a pattern of attacks using connected devices to exploit default vulnerabilities and overwhelm networks.
The recent attacks that took businesses offline are only the beginning. "Unfortunately, I don't have good news," said John Michener, chief scientist, Casaba Security.
"Devices have to be updatable, but in many respects, you ship it first and then worry about security after," Michener continued. As the number of devices continues to grow, enterprises need to reevaluate their security strategies in order to maintain business continuity in the face of these massive attacks.
"There are vast computational resources, but that's going to cost money, and smaller organizations or individuals can't really do anything. These devices need to have a way to be updated in the field, and you have to plan for that," Michener said.
While there is some potential that these IoT attacks will get ugly, there is also some good news. "If this happened five years from now, it would have been a catastrophe," Michener said.
The focus now should be on learning from these events. "That's how we learn things. When bridges fall down, we look at the structural flaws. Now we go back to change the codes. We've had a warning that hasn't cost us too much. Nobody got killed, which could happen with connected medical devices like pace makers and insulin pumps," Michener said.
In addition to examining the flaws in order to go back and correct them, Rob Simon, senior security consultant at TrustedSec, said, "DDoS mitigation services can remove some risk."
Still, in IoT, if thousands of connected devices are all sending traffic at the same time, even those service providers can be overwhelmed by that traffic. "Getting one of those services isn't necessarily a guarantee," Simon said.
What allowed many of the devices to get pulled into the botnet was default passwords, default systems, and hard-coded credentials in the firmware. "If the botnet scans the internet and hits one device and is able to login successfully, it then connects onto that device and continues scanning," Simon said.
Many people hadn't changed the default username and password, because it's something that people don't change as often as they should. Again, human error seems to be the greatest risk to security. Not only are developers using hard-coded passwords, but end users aren't changing their default passwords.
If the concern for organizations is keeping websites available, "From the past attacks we’ve seen where they can directly attack, overwhelm and take down, the best way to mitigate that is by getting behind a denial of service mitigation provider," Simon said.
"Monitoring that your DNS is resolving and having an alternate DNS provider can also help you work through an attack," Simon said.
[ RELATED: DDoS attack on Dyn could have been prevented ]
Most organizations don't have insight into the upstream provider, said Jeremiah Talamantes, managing partner at RedTeam Security. "They can leverage a third party that is designed to detect and report suspicious traffic. DDoS is designed to overwhelm, but the middle man is in line with your ISP and organization."
The traffic first hits that middle man, and in an ideal world, they detect the flood of traffic and send alerts. "Some have ways to mitigate the flood of traffic. They can effectively blacklist the particular IP or IPs that are doing the denial of service," Talamantes said.
Many of the traditional lines of defense that organizations started putting in place for DDoS attacks, like firewalls and IDS, continue to protect the environment, but "DYN changes the game," said Talamantes.
The difference today is that several systems are leveraging with Mirai botnet. First, they are taking advantage of known weak passwords--default passwords that were devised or programs with ineffective security controls--and second, they are relying on those that have implemented and not changed default passwords," Talamantes said.
The upstream is what Talamantes called, "The first line of defense. Second is the organization's perimeter. Going even further, some organizations will have internal firewalls to make sure there aren't any things coming through the firewall."
Enterprises should also start thinking about other services beyond internet connectivity. "When administrators set up a website, they use different DNS servers but all with the same provider. That's introducing a single point of failure. The servers are all on the same network," said Talamantes.
Certainly, there is much to consider in planning for these continued attacks, but accepting that there is a danger is the most critical starting point. Many companies don't want to face this reality because the problem seems so overwhelming.
Make IoT part of the security awareness training. Alan Brill, senior managing director within Kroll's cyber security practice, said, "Talk to IT and determine whether they have scanned to have positive knowledge of everything that is connected."
Whether it's a lightbulb that people can operate from their phones or baby monitors at home, it's likely that people within the organization have connected IoT devices to their corporate networks without even considering that they might pose a threat.
Taking steps to prevent people from putting devices on the network will also mitigate risk. "Unless it is allowed, it doesn't go on the network," said Brill.
"At the same time, you want to work with human resources people so that if there is a violation, there will be appropriate action. It needs to be something that they are aware of," Brill said.
As long as people are able to field things that connect to the internet where they don't think about security, enterprises remain at risk. So, planning for the future of IoT attacks comes down to two things, said Brill, "Don't panic and don't ignore it."