IoT is everywhere. From smart light bulbs to IP cameras, wearables and even smart kitchen appliances, IoT provides benefits for every organization by enabling workers to be more productive and critical business processes to run more smoothly, intuitively and efficiently. Everywhere to such an extent, that the income of this is expected to grow to $549 billion in 2022, and the number of connected IoT devices is expected to reach $15,9 billion by 2030. (CompTIA)
However, the rush to promote this IoT technology in the market also increases the scope of cyber attacks on organizations when the security of these assets is neglected. According to Gartner, over 25% of all cyber-attacks against businesses will somehow involve the IoT.
Innovative security providers who are always thinking about the future, such as Check Point, are determined to protect users at all costs.
This article explores a real use case in which the solution Quantum Check Point's IoT Protect detected a dangerous device and protected the organization from a catastrophic cyber attack. But first let's quickly recap why these devices are vulnerable by design. To summarize a previous blog we published on IoT a few months ago: IoT devices often come to market with inherent flaws that make them a security risk:
- Lack of standardization creates a patchwork of devices
- Weak security approach, including weak or non-existent passwords
Outdated and unrepairable hardware, firmware or software
- Larger number of devices that widens the attack surface
As a result, it is very easy for them hackers gain access to these devices and either cause damage to the IoT devices themselves or move sideways to damage critical systems and steal personally identifiable information (PII) from customers or employees, intellectual property or other assets. Hackers may also gain control of the network and keep it as a ransom. And their last trick? They combine these strategies into double blackmail attacks that promise even more lucrative rewards.
How does Check Point help?
Quantum IoT Protect allows customers to view all connected devices IoT devices on their network and monitor the communications of IoT devices, within the network and externally to the internet. This is achieved with profiles learned from understanding the expected behavior of IoT devices. Based on these profiles, customers are provided with zero-trust access policies that allow only the communications required for normal IoT operations. Other connections are detected and blocked, for example, an attempt to connect to a suspicious destination on the Internet will be blocked.
So now that we have a basic understanding of how and why, here's what happened in this particular case of use.
What happened;
(Out of respect for the customer, we will keep the customer's name anonymous and refer to him as a "customer")
Quantum IoT Protect was developed into a client network and began detecting and recognizing all connected IoT devices. Because this was the client's first experience with IoT Protect, the client chose to install security policies in detection-only mode, as opposed to activating the suspicious traffic blocking solution.
For several weeks, no suspicious activity or incident was detected until the customer saw Quantum IoT Protect detect that an IoT device was communicating with two suspicious domains for a short time. The customer then noticed that the device had stopped communicating with the suspicious domains and so decided to continue monitoring its logs.
At this point, the client chose not to take further action, believing that everything had returned to normal. This was an understandable move, as the system was virtually "silent" for a few weeks and showed no abnormal IoT device activity.
However, after two weeks of inactivity, the same device reappeared and this time started communicating with dozens of suspicious domains on the Internet. At this point the customer realized something was wrong and decided to proactively contact the Check Point IoT team for further support.
The research
At the beginning of the investigation, the Check Point team found that the device was communicating with some domains that had a high-risk reputation. Further investigation of these facts led to the conclusion that the device was communicating with one or more servers Command & Control (C&C).
The response team confirmed that this IoT device was infected with Mirai and crypto mining bots. Further analysis of the logs showed exactly how the device was infected and identified the various stages of the infection and was able to describe to the client who was on the Cyber Kill Chain schedule.
What We Learned
At the beginning of this story, we described how the client installed Quantum IoT Protect and why it ran in scan mode only. In other words, the client had not enabled the protections that would allow him to secure the IoT devices.
The customer simply did not want to disrupt or possibly "break" the functionality of the device. This is a very common concern and is understandable. IoT devices simply do not come with well-defined instructions that indicate which connections should be allowed for normal operation and, by definition, which should not be allowed or simply blocked. Check Point addresses this legitimate concern with the Quantum IoT Protect solution.
Quantum IoT Protect provides customers with autonomous out-of-the-box zero-confidence access policies that automatically secure IoT devices without disrupting or interrupting their normal operation. To reap the true benefits of IoT devices without taking on additional security risks, customers can safely choose to deploy the Quantum IoT Protect solution in preemptive mode.
Our customer history has a happy ending - Quantum IoT Protect prevented the infected device from communicating with the servers DC and was able to clean the infected device and put it back into operation, into production.
For more information on how to start protecting your body from cyber threats, visit the Quantum IoT Protect website and schedule a IoT Security Checkup.
