The real perpetrator of the widespread Internet outage on Friday, October 21, 2016 is still not known, but the weapon of choice was definitely IoT devices compromised with Mirai malware. The Distributed Denial of Service (DDoS) attack that started on the East coast of the United States targeted DNS provider Dyn, and appears to have involved only about 10% of the IoT assets participating in the botnet.
Scale of Attack Could Have Been Larger
The command and control structure of a botnet allows for the remote, strategic, and anonymous command and control of compromised assets (bots) to conduct an attack. According to Dale Drew, the CISO of Level 3 Communications, the Mirai botnet has about 550,000 active nodes. Considering that an estimated 55,000 nodes (10%) were used in the attack and caused this much disruption, what would 50% or 90% participation look like in terms of Internet usability? The outage could potentially be devastating, and the financial losses could easily escalate into the hundreds of millions of dollars, since it affects so many businesses and so much of our modern daily electronic lives.
Precursor to a Larger Attack?
The events of October 21, 2016 have proven that compromised IoT devices, botnets, and a targeted DDoS attack can be effective on a large scale and can disrupt major companies that rely on the Internet. It also raises the question as to whether this attack was a precursor to a larger attack, a test similar to the DDoS attacks three weeks ago in France, or whether the owners of the botnet have a more devastating plan in place awaiting activation. This was just another test mission.
Everyone from the board room to government entities should take notice. This could potentially be our last real warning before a sustained attack.
The Real Problem Is How We Got to This Point
Sure, thieves, criminals, and malicious entities will always exist, but IoT devices are the dumbest and simplest devices to be connected to the Internet. They have only basic security, may ship with hard-coded passwords, and have no methods for patching vulnerabilities or controlling privileges. Trivial hacking techniques combined with publicly available source code designed to compromise these devices have led to underground networks that control these botnets and literally sell time on a “rent to use” basis for conducting malicious activity.
Stopping the Next Attack Means Improving IoT Security
While we cannot stop the criminal mind, we can stop manufacturers from making devices with poor security and require any device that accesses the Internet to have basic security capabilities. This is no different from the laws requiring automotive safety standards that appeared in the 1960s and continue to evolve today.
Some of my peers, however, have voiced clear opposition to this kind of legislation. Arguments against mandating basic security via legislation range from “attacks can occur from anywhere” to “all nations would need to adopt them” in order to be effective. Considering how the entire planet is becoming dependent on these technologies, the viability of international legislation actually sounds reasonable given the risks to every nation. In addition, the claim that a defensive posture is the most successful mitigation, since these devices are already present, is also a topic for debate. Filtering traffic by MAC address for IoT devices, for example, only limits their capabilities and does nothing to stop bots, traffic, and potentially other targets from being acquired and consuming resources.
The botnet’s command and control services are the key to stopping these threats: taking them down can essentially leave the army of bots headless, without a commander-in-chief to instruct the next mission. We can no longer be reactive to the problem. We need to stop the poor construction, design, import, and implementation of these devices in the first place, and prevent the next botnet zombie outage apocalypse.
Start with Minimum IoT Safety Standards
As we continue to monitor the facts about last Friday’s attacks, we need to remember history. Attacks like SQL Slammer, Code Red, and even Melissa have demonstrated weaknesses in our technology and highlighted the success of social engineering. This attack is no different. We need to change things in order to prevent them from happening again. In my opinion, we need minimum safety standards for Internet devices. Otherwise, we are just going to continue to introduce devices that bring unnecessary risks to the Internet. We would never put them ‘as is’ in our business, so why would we trust them publicly?
My advice: Patch your systems, cycle your passwords and restrict privileges as much as possible.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.