Why Advanced Persistent Threats Are Targeting the Internet of Things


        Posted by Curator 1 for Blogs (@curator1), post #21861

        [OPSWAT]

        IoT devices are only increasing in popularity. Unfortunately, IoT cyber attacks are also growing in popularity. IoT attacks:

        • Are easy to launch thanks to publicly available code, both on the Dark Web and in code repositories like GitHub
        • Have a high success rate
        • Are difficult to detect and remediate, enabling APTs
        • Can allow an attacker to gain a foothold inside an organization’s network
        • Can allow an attacker to add more devices to their botnet (botnets can be used for DDoS attacks, spamming, etc.)

        The number of vulnerabilities is growing overall, and Internet of Things vulnerabilities in particular are on the rise.

        Internet of Things Attack Surfaces

        Attackers begin by looking for vulnerable IoT devices and trying to compromise them. Attackers can do this en masse. They can afford to fail to hack devices over and over again, but IoT devices only have to succumb to an attack once to be compromised.

        Making matters worse, IoT devices often have a number of vulnerabilities, both known and unknown. The number of IoT vulnerabilities is increasing, and users often fail to apply patches or install updates in a timely fashion, making it that much easier for attackers to compromise devices.

        Another area of concern is that IoT devices often come with default credentials that are never updated. This renders the issue of vulnerabilities and patching practically moot: If an attacker can just brute-force the credentials, or obtain them from a publicly available list, then the device might as well be already compromised.

        Some Characteristics of IoT Advanced Persistent Threats

        Evasion techniques

        Advanced persistent threats are often designed to evade detection – via code obfuscation, virtual environment detection, and many other methods.

        Concealment techniques

        Cyber criminals are getting better all the time at hiding the malware infecting a system.

        Self-propagating

        Many APTs, in addition to remaining on a system persistently, seek out other systems to infect.

        Resource efficiency

        This is a factor that separates IoT APTs from the traditional APT on a regular computer. IoT APTs need less than 5% of the computing power of an average device in order to operate, and sometimes, the malware is smart enough to adjust itself after detecting the device’s memory capacity.

        The New IoT Cyber Kill Chain

        The cyber kill chain is the series of steps carried out by threat actors. Each step can in theory be identified and blocked by cyber defenses. Lockheed Martin described the “Cyber Kill Chain” for APTs as follows:

        [Figure: Old Cyber Kill Chain]

        However, for IoT devices, there are additional steps in the kill chain that make IoT APTs all the more threatening. The new IoT kill chain looks like this:

        [Figure: New Internet of Things Cyber Kill Chain]

        IoT APTs do not merely want to infect a single device or network; they want to proliferate to other devices and conceal themselves so that they can remain persistent.

        IoT Defense Strategies

        System upgrades are essential for patching vulnerabilities, but they are often either unfeasible or not carried out for other reasons. Once a patch is released, attackers may be able to reverse-engineer it to develop an exploit – leaving non-updated devices vulnerable. Additionally, vendors often cannot or will not keep up with patching all the vulnerabilities that are discovered in their products.

        Quarantining is a possible solution when infections occur. But again, because of real-world constraints, it may be impossible or impractical to quarantine devices. For instance, it may be difficult to quarantine a security camera that shows signs of being compromised but is essential for monitoring building security.

        IoT APT: OPSWAT’s Recommended Defense Strategies

        To stop IoT APTs, blocking all threats hidden in data – not just most threats, but all threats – is necessary. Again, cyber criminals can easily afford to fail, but cyber defenses have to be successful at all times.

        Detection-based defenses are vulnerable to malware concealment techniques. Advanced threats can even fool sandboxes by executing only at random intervals, or by detecting whether or not they are in a virtual environment before executing. Additionally, even the best anti-malware detection technology may not see a zero-day threat coming.

        OPSWAT believes in combining detection-based strategies with advanced threat prevention. Our data sanitization (CDR) technology neutralizes threats in any documents or images entering a network by disarming and reconstructing the files with potentially malicious content removed. Any file can and should go through this process, whether or not a threat is detected.
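To make the "disarm and reconstruct" idea concrete, here is a small added example of a CDR-style pass over an OOXML (.docx/.docm) container. It is not OPSWAT's product code and is not taken from the post; the denylist of active-content parts and the sample document it rebuilds are constructed for illustration. The point it demonstrates is the one the paragraph makes: the file is rebuilt from its parts with executable content removed, regardless of whether any scanner flagged it.

```python
"""Toy content-disarm-and-reconstruct (CDR) pass for an OOXML container.

Added example, not OPSWAT's code. It rebuilds a .docx/.docm from its parts,
dropping anything that can carry executable content, whether or not a
detection engine would have flagged the file.
"""
import io
import re
import zipfile

# Constructed denylist of parts that carry executable content in a Word
# document. A production CDR engine keeps a far longer, format-aware list.
ACTIVE_CONTENT_PARTS = re.compile(
    r"^(word/vbaProject\.bin|word/vbaData\.xml|word/activeX/.*|.*\.bin)$"
)
# Relationship types that point at active content (real OOXML type URIs).
ACTIVE_REL_TYPES = (
    "http://schemas.microsoft.com/office/2006/relationships/vbaProject",
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/control",
)


def _strip_relationships(xml: str) -> str:
    """Drop <Relationship .../> elements whose Type is an active-content type."""
    def keep(match):
        element = match.group(0)
        return "" if any(t in element for t in ACTIVE_REL_TYPES) else element
    return re.sub(r"<Relationship\b[^>]*/>", keep, xml)


def _strip_content_types(xml: str) -> str:
    """Drop <Override .../> entries whose PartName was removed from the package."""
    def keep(match):
        element = match.group(0)
        m = re.search(r'PartName="/([^"]+)"', element)
        if m and ACTIVE_CONTENT_PARTS.match(m.group(1)):
            return ""
        return element
    return re.sub(r"<Override\b[^>]*/>", keep, xml)


def sanitize_docx(data: bytes) -> tuple[bytes, list[str]]:
    """Rebuild the container without active content.

    Returns (sanitized_bytes, names_of_dropped_parts).
    """
    dropped = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name = info.filename
            if ACTIVE_CONTENT_PARTS.match(name):
                dropped.append(name)
                continue
            payload = src.read(name)
            if name.endswith(".rels"):
                payload = _strip_relationships(payload.decode("utf-8")).encode("utf-8")
            elif name == "[Content_Types].xml":
                payload = _strip_content_types(payload.decode("utf-8")).encode("utf-8")
            # Write a fresh entry instead of copying the ZipInfo, so unusual
            # flags or extra fields in the input are not carried over.
            dst.writestr(name, payload)
    return out.getvalue(), dropped


def read_part(data: bytes, name: str) -> str:
    """Return one part of a package as text (helper for inspection/tests)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name).decode("utf-8", errors="replace")


def list_parts(data: bytes) -> list[str]:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sorted(z.namelist())


def build_sample_docm() -> bytes:
    """Constructed macro-enabled document with a VBA part (sample input, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '</Types>')
        z.writestr("_rels/.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            '</Relationships>')
        z.writestr("word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>')
        z.writestr("word/_rels/document.xml.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '</Relationships>')
        z.writestr("word/vbaProject.bin", b"constructed placeholder bytes, not a real VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_docm()
    cleaned, dropped_parts = sanitize_docx(original)
    print("dropped:", dropped_parts)
    print("remaining parts:", list_parts(cleaned))
```

The design choice worth noting is that the sanitizer never asks whether the VBA project is malicious: every file is rebuilt and every active-content part is removed, which is what lets this class of defense cover zero-day payloads that detection would miss. A real engine would also rewrite the main part's content type from the macro-enabled variant to the plain one and handle many more formats; this example stays with the container-level operation.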

        In addition to leveraging data sanitization (CDR), organizations that use IoT devices should follow security best practices as much as possible by updating devices regularly and resetting default login credentials. Finally, network-enabled devices should only be connected to the larger internet if it is absolutely necessary to do so.
