IoT is everywhere. From smart light bulbs to IP cameras, wearables, and even smart kitchen appliances, IoT provides benefits for any organization as it enables employees to be more productive and crucial business processes to run more smoothly, intuitively, and efficiently. So much so, that IoT revenue is expected to grow to $549 billion in 2022 and the number of connected IoT devices is expected to reach $15.9 billion by 2030. (CompTIA)
However, the rush to bring this IoT technology to market also increases the cyber-attack surface for organizations when the security of these assets is overlooked. According to Gartner, more than 25% of all cyberattacks against businesses will involve IoT in some way. Closer to the home, in India an organization is being attacked on an average 1797 times per week in the last 6 months, compared to 1564 attacks per organization in APAC, as outlined in Check Point’s Threat Intelligence report. Apart from this, in India, the average weekly impacted organizations by mobile malware stood at 4.3 percent as compared to the APAC average of 2.6 percent.
Innovative security vendors that are always thinking toward the future, like Check Point, are determined to keep users protected at all costs.
This blog will explore a real-life use case in which Check Point’s Quantum IoT Protect solution identified a risky device and protected the organization from a devastating cyberattack. But first let’s quickly recap why these devices are vulnerable by design. Summarizing a previous blog, we released on IoT a few months back: IoT devices, often, come to market with a intrinsic flaws that make them a security risk:
- Lack of standardization creates a hodgepodge of devices
- Weak security approach, including weak or nonexistent passwords
- Outdated and unpatchable hardware, firmware, or software
- Larger number of devices which expands the attack surface
As a result, it’s all too easy for hackers to gain access to these devices and either wreak havoc with the IoT devices themselves or move laterally to harm mission-critical systems and steal the personally identifiable information (PII) of customers or employees, intellectual property, or other assets. Hackers may also gain control over the network and hold it for ransom. And their latest trick? Combining these strategies in double extortion attacks that promise even more lucrative payoffs.
How does Check Point help?
Quantum IoT Protect enables customers to see all of the connected IoT devices in their network and tracks IoT device communications, within the network and externally to the internet. This is accomplished with profiles that are learned from understanding the expected behavior of IoT devices. Based on these profiles, customers are provided with zero trust access policies that only allow communications needed for normal IoT operations. Other connections are detected and blocked, for example an attempt to connect to a suspicious Internet destination will be blocked.
So now that we have a basic understanding of how and why, here is what happened in this specific use case.
What Happened?
(Out of respect for the customer, we will keep the customer’s name anonymous and refer to them as “customer”)
Quantum IoT Protect was deployed in a customer network and began to detect and recognize all connected IoT devices. Because this was the customer’s first experience with IoT Protect, the customer opted to install the security policies in detect-only mode, as opposed to enabling the solution to actively block suspicious traffic.
For several weeks, there were no suspicious activities or incidents detected until the customer saw Quantum IoT Protect detect that one IoT device was communicating with a couple of suspicious domains for a short period of time. The customer then noticed that the device had stopped communicating with the suspicious domains so they decided to continue to monitor their logs.
At this point, the customer chose to not take any further action as they believed everything had returned to normal. This was an understandable action, as the system was essentially “silent” for a couple of weeks, and not showing any abnormal IoT device activity.
However, after the two weeks of no activity, the same device showed up again and this time began to communicate with dozens of suspicious domains on the Internet. It was at this point that the customer understood something was wrong and decided to proactively contact the Check Point IoT team for further support.
The Investigation
Early in the investigation, the Check Point team determined that the device was communicating with a few domains that had a high-risk score reputation. Further investigation of these events led to a conclusion that the device was communicating with one or more Command & Control (C&C) servers.
The response team confirmed that this IoT device was infected with Mirai and crypto mining bots. Further log analysis demonstrated exactly how the device became infected and identified different steps of the infection and was able to describe to the customer where they fell on a Cyber Kill Chain timeline.
Lessons Learned
At the beginning of this story, we described how the customer installed Quantum IoT Protect and why they ran in a detect-only mode. In other words, the customer essentially had not activated protections which would have enabled them to secure their IoT devices.
The customer simply did not want to disturb or potentially “break” the device’s functionality. This is very common concern, and it is an understandable one. IoT devices simply do not come with well-described instructions that state which connections should be allowed for normal operations, and, by default, which ones should not be allowed or should simply be blocked. Check Point is addressing this valid concern with the Quantum IoT Protect solution.
Quantum IoT Protect provides customers with out-of-the-box autonomous zero-trust access policies that automatically secure IoT devices without disturbing or breaking their normal functionality. To realize the true benefit of their IoT devices without incurring any additional security risks, customers can safely choose to deploy the Quantum IoT Protect solution in prevent mode.
Our customer story ends on a high note – Quantum IoT Protect blocked the infected device from communicating with the C&C servers and was able to clean the infected device and put it back online, in production.