Kevin Stear

RSA FirstWatch: Mirai and all things IoT

Blog Post created by Kevin Stear on Oct 13, 2016

Over a year ago, RSA front man Amit Yoran likened “stumbling around in the dark as a pretty good metaphor for everyone who’s trying to defend a digital infrastructure today”[1]. Those words couldn’t have rung more true over these past few weeks as security professionals scurried to respond to Mirai and the threat of massive Internet of Things (IoT) botnets with the ability to launch historic distributed denial of service (DDoS) attacks. Whether or not you agree on the brilliance or level of sophistication of the Mirai developers, let’s give a shout-out to @Anna-senpai, who dropped a wake-up call on the security industry.

 

Figure 1: CCTV Botnet rendering courtesy of https://fossbytes.com/are-you-under-the-attack-of-cctv-botnet/ 

 

At first blush, many of us (myself included) reviewed the posted source code[2] and reacted with a certain degree of industry arrogance… ‘I mean this is an attack vector leveraging telnet and a list of manufacturer default credentials… Who the hell could still be using telnet, right?’ As these words left my mouth, a few things began to sink in… I began to consider all of the less security-conscious people each of us knows, their devices, and maybe a few devices our kids or even we might use. This was a humbling experience… ask Brian Krebs.

 

Here we are near the end of 2016, immersed in (maybe a bit preoccupied with) machine learning, continuous authentication, and user behavior analytics. Is it possible that with all of this technological evolution, we’ve lost the lessons of the past (e.g., the Morris worm circa 1988 with 432 words in its brute-force list)? It’s certainly clear that we have forgotten perhaps the most important lesson: respect the adversary. In an era where the security industry is operating with unprecedented levels of sophistication, we have adversaries smart enough to ignore the typical attack vectors (i.e., playgrounds for industry analytics) and strike at the soft belly. Mirai developers were competent enough to leverage an aging service to harvest thousands of IoT devices via 63 passwords in a brute-force list, spring-loading one of the most impressive DDoS attacks ever seen[3].

 

While there are a number of current research postings on Mirai[4], perhaps most insightful is the detailed post on Hackforums by Anna-senpai (aka Mirai developer), an excerpt of which is pasted below.

 

Figure 2: Excerpt of anna-senpai's hackforum post

 

As Anna-senpai steps through explanations for components and functions of the Mirai malware, two striking things can be noted. First, the hijacking of IoT infrastructure for use as a botnet effectively negates all of the fancy security controls that have evolved over the years. (These are typically dumb devices with crappy firmware and maybe an admin console if you are lucky.) Second, the rapid spin-up and disposable nature of these IoT botnets creates challenges for real-time response and makes post-mortem attribution nearly impossible. This means everyone on the Internet could be in jeopardy of retaliatory or even whimsical attacks from any number of different hacker groups. Scary stuff, and the truth is that we are only going to see increasing numbers of IoT-related botnets like Mirai and Linux/LuaBot[5]. As further evidence, the charts below from shodan.io provide a snapshot of today's growth in telnet traffic.

 

Figure 3: Shodan search for telnet on Oct 12, 2016

 

To that end, are there other glaring gaps (i.e., telnet was developed in 1969) in aging applications and services that we might be ignoring in today's IT hygiene practices? Are there other services perceived as ‘well-understood’ or ‘protected’ that also deserve additional scrutiny? These are hard questions for most businesses to answer, and unfortunately more often than not we’re relegated to a reactive security posture by circumstances just like Mirai.

 

So what actions can we take in the security industry? First and foremost, clean up poor IT hygiene. This means blocking traffic to ports and services at the perimeter, and moving ‘dumb’ devices inside of your perimeter defense. For example, under no circumstances should your Nest thermostat, Rachio smart sprinkler, or Samsung family hub refrigerator be connecting directly to the Internet without the protection of a properly configured access point with firewalls. Just as critical is enforcing a policy to change any and all default credentials for Internet-enabled devices, many of which have direct access to and control of critical infrastructure. Consider this year’s unprecedented hack of the Ukrainian power grid[6]… but hey, don’t blame the Fridge!
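One way to check the perimeter-blocking advice above against firewall connection logs, as an added example that is not part of the original post. The log format, the 192.168.1.0/24 internal range, the sample lines and the repeat threshold are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of perimeter firewall logs (hypothetical format).
SAMPLE_LOG = """\
2016-10-12T08:00:01Z ALLOW TCP 203.0.113.7:40112 -> 192.168.1.50:23
2016-10-12T08:00:02Z ALLOW TCP 203.0.113.7:40113 -> 192.168.1.50:23
2016-10-12T08:00:03Z DENY TCP 203.0.113.7:40114 -> 192.168.1.51:23
2016-10-12T08:00:04Z DENY TCP 198.51.100.9:51000 -> 192.168.1.60:23
2016-10-12T08:00:05Z ALLOW TCP 198.51.100.20:51001 -> 192.168.1.10:443
2016-10-12T08:00:06Z ALLOW TCP 192.168.1.5:39000 -> 192.168.1.50:23
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^\S+ (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def audit_telnet(log_text, internal_cidr="192.168.1.0/24",
                 telnet_ports=(23,), threshold=3):
    """Report internal devices reachable over telnet from outside the
    perimeter, and external sources that keep knocking on telnet."""
    internal = ipaddress.ip_network(internal_cidr)
    exposed = defaultdict(set)   # internal device -> external sources let through
    attempts = Counter()         # external source -> inbound telnet attempts
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) not in telnet_ports:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue             # not a valid IPv4 address, skip the line
        if src in internal or dst not in internal:
            continue             # keep only traffic crossing the perimeter inbound
        attempts[str(src)] += 1
        if m["action"] == "ALLOW":
            exposed[str(dst)].add(str(src))
    return {
        "exposed_devices": {d: sorted(s) for d, s in exposed.items()},
        "repeat_sources": sorted(s for s, n in attempts.items() if n >= threshold),
    }

if __name__ == "__main__":
    print(audit_telnet(SAMPLE_LOG))
```

Any device listed under `exposed_devices` is one the firewall is not protecting on telnet, so it is the first place to close the port and confirm the default credentials were changed.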

 

Of course, there are already quite a few security vendors that have built themselves around the DDoS protection use case, and these services currently stand as our best chance of mitigating such future IoT-hosted attacks. However, it remains to be seen how effective these capabilities will be under fire.

 

In addition, a problem-oriented response is also building momentum across facets of the security industry. For example, a recent article by Motherboard (Digital Vigilantes Want to Shame DDoS Attackers And Their Corporate Enablers) features a project called SpoofIT, the goal of which is to “shame not only the hackers responsible for such crippling attacks, but also the Internet providers and traffic carriers that enable them”[7]. Other organizations such as the non-profit group MITRE are offering cash incentives to 'fingerprint' rogue, dangerous IoT devices[8]. Whether either of these approaches will gain significant traction also remains to be seen.

 

Thanks go to Michael Sconzo, Raymond.Carney@rsa.com, and Steven Sipes for research, discussion, and pointed feedback on my frequent ramblings.

 

 

[1] https://www.rsaconference.com/blogs/rsas-amit-yoran-security-is-stumbling-around-in-the-dark

[2] https://github.com/jgamblin/Mirai-Source-Code

[3] Why a massive DDoS attack on a blogger has internet experts worried – Naked Security 

[4] http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html

[5] https://medium.com/@x0rz/interview-with-the-luabot-malware-author-731b0646fc8f#.1ms49jocb

[6] https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/

[7] http://motherboard.vice.com/read/spoofit-digital-vigilantes-shame-ddos-attackers-and-corporate-enablers

[8] http://www.zdnet.com/article/mitre-will-give-you-50000-for-fingerprinting-rogue-dangerous-iot-devices/
