Welcome to the world of IoT (Internet of Things). More and more devices get connected online every day with approximately 9 billion devices already in use. With weak or almost no security, these devices can easily become a victim and turned into a BOT which can then be controlled and used to participate in a DDOS (Distributed Denial of Service) attack like the one that has targeted Dyn. This attack brought popular websites like Netflix, Twitter, Amazon, Airbnb, CNN, and the New York Times to their knees and offline. Of course not only is IoT heavily impacted by such attacks, our critical and fragile infrastructure also relies heavily on the same infrastructure.
It is yet unknown to what the intentions or motive for this attack was. It could range from a hacktivist group, script kiddies, cyber criminals, or a nation state though this highlights the existing weakness in our Internet directory services infrastructure. Domain Name Services (DNS) acts as a method for making sure the URL or web page you entered into your browser gets quickly routed to the correct web server that is hosting the website. When the DNS is unavailable those requests can easily get lost and your browser will not be able to find the website to display.
These DDOS attacks can also be an example of testing an incident response plan or countries cyber defense capabilities. It could even be for something greater, a rehearsal for a much larger attack on the Internet. Many of the BOT’s that take part in such DDOS attacks are unknowingly doing so and can easily be someone’s personal computer, smart device, webcam and fridge, as well as infrastructure like CCTV.
Given the U.S. presidential election just around the corner, could this be a massive rehearsal to disrupt the election process? In many previous incidents, for example, the attack on the Ukraine Energy Sector last year was also tested on the Ukraine’s Railways and Media companies prior to the attack on the energy sector. Usually, such incidents are a test of the capabilities and this incident may well be a test making Dyn just a secondary victim.
We hav seenseveral incidents in recent weeks where Krebs on Security, a well-known cyber security journalist site, was taken down. Akamai, Krebs on Security’s internet provider, decided to no longer host the site due to the threat and impact it could have on their customers and subsequently has been moved to Google. This shows the serious impact of DDOS attacks and is just a sample of what is coming in the future. The fact is these will simply keep getting bigger and bolder.
The best way to defend and reduce the risk of a DDOS attack is for it to be distributed. This means that it is much more difficult when the target is in multiple locations. This is an approach that was highlighted during the 2007 nation-state attack against Estonia where Russian Cyber attackers targeted Estonian public and private companies in a nation-state cyber war.
As more and more smart devices and IoT infrastructure get deployed, a major security weakness is highlighted with this DDOS attack. Many of these devices get deployed with default credentials and passwords. In our recent State of Privileged Account Management report, we found 20% of respondents do not change default passwords and 40% do not change generic IDs. This means as the connected devices that make up IoT grow so will the threat of such DDOS attacks.
Here are some recommendations and best practices to protect your critical infrastructure and IoT.
1. Distribute and De-risk. It is more difficult to carry out an attack when the target is not centrally located. This reduces the risks from DDOS or service interruptions.
2. Ensure that default ID’s and Privileged Accounts on each system is changed, protected, and audited.
3. Keep Privileged Accounts at a minimum and use a PAM solution.
4. Use and adopt a Least Privilege Model.
5. Make sure sensitive systems are air-gapped and access is heavily controlled.
6. Adopt a Whitelisting approach and Trusted Computing Model for systems which run specific applications or tasks.
7. Keep applications and systems up to date.
8. Make sure a Recovery Plan is ready and tested.
To reduce the risk of future DDOS attacks it is important to get in control of Privileged Accounts and lock down those devices with Thycotic Secret Server. This will make it much more difficult for attackers to gain access and turn your devices into a BOT that could be used to attack other companies.