Gambling with Connections
By Oren Domaczewski, Researcher, Office of the CTO
Recently, a casino was reported to have been hacked, and 10 gigabytes were exfiltrated through its internet-connected thermostat in an aquarium. Through the thermostat, the cyberattack hackers were able to pivot to the casino’s non-secure database in its corporate network, and steal data. As we’ve been hearing for some time now, the use of connected devices of all kinds, known as the Internet of Things (IoT), is more and more common. Its goal is to enhance our lifestyles with smart assistants and on a larger, industrial scale, to make systems much more efficient. However, every connection opens a path to hackers and increases the attack surface exponentially.
IOT devices, sensors, and other monitoring appliances are not covered in the perimeter of endpoint detection devices. They are not protected by anti-viruses. There are very few software updates against found vulnerabilities. They are hard to manage, and often referred to as “shadow IT”. In fact, these devices can be almost entirely invisible, hidden among billions of network requests made through the firewall every single day.
Without a doubt, the only feasible solution to detect a breach that goes through multiple IOT devices, typically unmanaged and difficult to monitor and inspect, must be performed in the network.
“Industry largely underestimates the critical societal need to embody the highest levels of security in every network-connected device—every child’s toy, every household’s appliances, and every industry’s equipment” Microsoft starts a research paper titled paper “The Seven Properties of Highly Secure Devices.” The simple fact is that with attacks on these highly vulnerable devices, it’s easy for attackers to pivot their way to a corporate and industrial network. Organizations, being unable to rely on IOT device manufacturers, lean on network traffic analysis (NTA) technology that can detect the breach.
Threat detection before damage strikes
SecBI’s advanced machine learning was able to automatically find and prevent similar cyberattack vectors, before a single byte was stolen, let alone 10 Gigabytes!! In one instance, SecBI’s artificial intelligence, mimicking an expert analyst, was able to find an attack the moment an industrial sensor of a large manufacturer, was misconfigured and exposed to the internet in an unsecure way. The breach allowed extremely sensitive data about manufacturing process not only to be read, but also potentially tampered. Without waiting for gigabytes to be stolen, SecBI recommended an immediate response to prevent remote connections, isolate the IOT sensor with proper firewall and authentication, as well as updated authorization rights to prevent this from happening again. SecBI’s Autonomous Investigation technology™ provided all the evidence needed in a single place, and within hours the VP-level of the organization approved and implemented the critical changes.
Cybersecurity, as any risk-based operation, begins with one thing: Monitoring. SecBI monitors entities from all corners of the organization’s network, be it corporate IT, production OT, or even unsanctioned shadow IT. Once monitored, we can then move to the next steps: Analysis, threat detection, and response.
The cybersecurity reality is that there’s hundreds of thousands of anomalies every day. The burden on the security analyst to chase each one and validate is too big to bear. Analysts need technology to help them deal with this overload, and have machines chase the anomaly, collect the evidence, assemble the narrative, summarize it, and present it in a way the analyst can do what he does best: Take action. Any second spent on writing queries, filtering data, pivoting tables, etc. is the second where he loses 10 gigabytes, and is a second too late.