Alert: Tracking exposed OT/ICS: 2017 – 2024

Ornamental dots. Two rows of three dots. The top row is a light blue. The bottom row is one light blue dot followed by two orange dots. Blog

The Rise of Botnets

Cyber Bob, Principal Security Engineer and CTO at Forescout | September 10, 2019

Twitter: @MeetCyberBob

There is a new variety of the Mirai Botnet on the rise.

This time, instead of largely attacking IP cameras, it includes TVs and other network-centric devices. The attacks are evolving to include more enterprise-class systems as well, making risk assessment in businesses much more difficult.

We are all consumers of these technologies. The attack is quite easily mitigated – update software and change the default passwords. Seems simple enough. The challenge is the number of devices prone to attack. The first generation of Mirai affected just over a hundred types of devices. Brian Krebs, from KrebsonSecurity, discusses the  source code of Mirai being released in his blog post. He states the increased risk is largely due to device growth. There are just too many devices, too many consoles – and the speed of change ensures that most of the time you and your corporate IT security team cannot keep up.

Take a look at this review from the perspective of a service provider on the botnet.

The core basics of Information Technology asset management (ITAM) place you in a cycle of know, assess, patch, and repeat. Your configuration management database (CMDB) usually doesn’t even track IoT devices. TVs are part of the latest iteration of Mirai. Next will be your refrigerator, microwave, or your lighting management system. All those new devices that actually benefit your end-users by being connected. 

So, how do you take control?

You need to move from a reactive state to a proactive state through automation, aligning the tools that you already own:

  1. Understand every device connected to your network in real-time. (Centralized admission event monitoring; within events; RADIUS; Netflow; DHCP monitoring; or even SPAN/TAP.)
  2. Automated vulnerability assessment (VA) – move this from scheduled scan to on-demand and real-time assessment including IoT (this requires coordination but should be available as most VA vendors support API integration).
  3. Create dashboards and alerts that show the orchestration of your multi-vendor environment, then feed this data to update your Configuration Management Database. Ensure this is accurate and cross-functional for each IT group: Security, Endpoint Management, and Network Operations at minimum.
  4. Start requiring compliance for all devices, not just the devices you manage with an agent. If devices are not compliant then remove them from your network.
  5. Start leveraging defensive in-depth design for segmentation, isolating devices from sensitive corporate infrastructure.

Lastly, we all need to be aware of these devices not just on our corporate infrastructure, but also on our home networks. Talk with your friends. When they complain about slow bandwidth at home from service provider X, let them know they can make sure their own home is botnet free with simple updates that do NOT take a lot of time.

We are an online community. Let’s help keep it safe.

Demo Request Forescout Platform Top of Page