By 2020 there will be 29 billion connected devices, according to ABI Research [1], and a growing percentage will be Internet of Things (IoT) devices that are inherently more vulnerable to attacks than traditional computing equipment. The addition of billions of unsecured (and in many cases unsecurable) IoT devices to global networks is the cyber-equivalent of the Great Pacific Garbage Patch: it is overwhelming, anxiety-causing and mostly out of sight. Securing these devices so that they can operate safely in homes, small businesses, large corporate enterprises and government agencies is critical. We need to explore all viable ideas for a future in which IoT can be made more secure, so that these devices can continue to deliver improved safety, efficiency and convenience to all parts of our societies and economies. The Manufacturer Usage Description (MUD) framework is one such idea that is worth exploring.
The National Cybersecurity Center of Excellence (NCCoE) has undertaken a number of incredibly useful projects, which convene key partners from the private sector with the National Institute of Standards and Technology’s (NIST’s) deep bench of cyber experts. The projects culminate with the publication of free-to-all “practice guides” meant to show one way of effectively addressing some of the day’s most pressing cybersecurity challenges.
In its latest project, the NCCoE has turned its attention to the problem of unsecured IoT and Distributed Denial of Service (DDoS) attacks. A DDoS attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. Such an attack begins when an attacker gains control of many computers or IoT devices by exploiting one or more vulnerabilities. The attacker (the "bot herder") then directs the conscripted devices, from all over the world, to send packets to one single place. This huge amount of traffic overwhelms the computer on the receiving end of the attack, shutting it down. The massive growth in the number of Internet-connected devices provides ample fuel for such attacks.
The reality of IoT-fueled DDoS attacks generated significant attention in 2016, when a major domain name service provider was attacked by an army of hundreds of thousands of IoT devices. This army included specific types of IP cameras and home routers that were susceptible to the now infamous Mirai malware because they still had factory-default passwords. The incident took down web hosting services, causing widespread disruption of websites and web services and resulting in widespread business loss.
The Mirai bots of 2016 began a discussion among government and private sector leaders about how we can better prevent IoT-enabled DDoS attacks in the future. A variety of ideas have been put forward, but at their core they all involve limiting the utility of compromised IoT devices to malicious actors. Much attention has been focused on getting IoT producers to make security more of a priority at the design and manufacturing stages. It is critical that manufacturers understand the need to improve quality by building better and more secure hardware and software into their IoT devices. However, we also have to provide consumers and business enterprises with measures they can put in place on their own networks to secure their IoT devices.
An idea that embodies the need for IoT security to be treated as a shared responsibility is the Manufacturer Usage Description (MUD) framework. This is a proposed mechanism, advanced by the Internet Engineering Task Force, which would allow manufacturers to post information about expected device configuration and behavior to a specialized server. End users, in turn, would access such information using a specialized controller. Having information from manufacturers that can be consumed machine-to-machine will help home or enterprise users to better understand what might be considered “normal” device behavior in order to create security policies around abnormal device behavior. Several important details of the concept have yet to be worked through, including how to ensure manufacturers participate – but overall, this is a constructive, forward-leaning idea that warrants consideration. The NCCoE is the right organization to do this.
The NCCoE’s IoT/Automated Distributed Threats project aims to create a working prototype of a security platform that includes the MUD managers, file servers and the associated network infrastructure requirements. Forescout is thrilled to be chosen to participate in this important project. We bring a proven track record of helping enterprises detect, profile and classify devices and then enforce security policies on those devices.
The project emphasizes home and small-business applications, but the feasibility and workability of the MUD construct can eventually be extrapolated to business or even industrial environments. The project uses the MUD specification to permit an IoT device to signal to the network the type of access and network functionality it requires in order to operate properly. The resulting access control capability reduces the potential for the devices to be used in a DDoS attack by constraining the communication abilities of exploited IoT devices. It also addresses secure configuration for IoT devices (for example, no hard-coded passwords), software update mechanisms and threat signaling.
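The mechanism described above, where a manufacturer's usage description is consumed machine-to-machine and turned into an allow-list for the device, is shown below as an added example (not code from the NCCoE project or from Forescout). The MUD file is constructed for illustration in the RFC 8520 JSON layout, the hostnames and URL are placeholders, and a real MUD manager would resolve the DNS names to addresses before enforcing.

```python
import json

# Constructed MUD file (not a real manufacturer's), laid out as in RFC 8520.
# It states that the device only needs TCP/443 to its update server, both ways.
MUD_FILE = json.dumps({
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://example.com/mud/camera",  # placeholder URL
        "from-device-policy": {"access-lists": {"access-list": [{"name": "from-dev"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "to-dev"}]}},
    },
    "ietf-access-control-list:acls": {"acl": [
        {"name": "from-dev", "type": "ipv4-acl-type", "aces": {"ace": [{
            "name": "upd-out",
            "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "updates.example.com", "protocol": 6},
                        "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
            "actions": {"forwarding": "accept"}}]}},
        {"name": "to-dev", "type": "ipv4-acl-type", "aces": {"ace": [{
            "name": "upd-in",
            "matches": {"ipv4": {"ietf-acldns:src-dnsname": "updates.example.com", "protocol": 6},
                        "tcp": {"source-port": {"operator": "eq", "port": 443}}},
            "actions": {"forwarding": "accept"}}]}},
    ]},
})


def load_rules(mud_json):
    """Flatten a MUD file into (direction, peer_dnsname, ip_proto, port, action) tuples."""
    doc = json.loads(mud_json)
    acls = {a["name"]: a for a in doc["ietf-access-control-list:acls"]["acl"]}
    rules = []
    for direction, key in (("from-device", "from-device-policy"), ("to-device", "to-device-policy")):
        for ref in doc["ietf-mud:mud"][key]["access-lists"]["access-list"]:
            for ace in acls[ref["name"]]["aces"]["ace"]:
                m = ace["matches"]
                ip = m.get("ipv4", m.get("ipv6", {}))
                peer = ip.get("ietf-acldns:dst-dnsname") or ip.get("ietf-acldns:src-dnsname")
                l4 = m.get("tcp", m.get("udp", {}))
                # Outbound rules name the remote port as destination, inbound as source.
                port_key = "destination-port" if direction == "from-device" else "source-port"
                port = l4.get(port_key, {}).get("port")
                rules.append((direction, peer, ip.get("protocol"), port, ace["actions"]["forwarding"]))
    return rules


def decide(rules, direction, peer, ip_proto, port):
    """MUD policy is an allow-list: any flow the manufacturer did not describe is dropped."""
    for d, p, pr, po, act in rules:
        if d == direction and p == peer and pr == ip_proto and (po is None or po == port):
            return act
    return "drop"
```

With these rules, a firmware check to updates.example.com on TCP/443 is accepted, while a compromised camera's attempt to send traffic to any other host falls through to the default drop, which is the constraint on exploited devices that the project relies on.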
Forescout has the ability to understand a wide variety of device attributes (including baseline configuration and behavioral attributes) at scale. In fact, the Forescout Device Cloud is a growing repository of three million device fingerprints, which all of our customers can access. This can be leveraged to bridge the gap between today and a future universal implementation of MUD controllers. Forescout’s agentless discovery and classification database can also be used to secure IoT devices that do not participate in MUD or cannot accept a certificate, which is true of most legacy IoT devices.
Forescout offers a way for users to enforce many of the NIST-recommended controls with IoT today, as it is doing for a host of government agencies in programs like Continuous Diagnostics and Mitigation (CDM). Bringing real-world expertise and capabilities to the table in this project can help ensure that MUD is not just aspirational, but rooted in reality and built in consideration of the networks and devices we have today.
The NCCoE is emblematic of the ‘shared solutions’ approach and the ‘get things done’ demeanor that are core characteristics of both the NCCoE and NIST. They keep their heads down and focus on what is important in advancing our nation’s efforts to be more cyber secure. We are excited that NIST has taken the lead in exploring this framework, and we’re excited to be part of this important project.
[1] Figure based on ABI Research, Internet of Everything Market Tracker.