Cyber deception is very effective in IoT security, although naturally there is a limit to that effectiveness.
Security concerns with IoT revolve around a few central issues (threats): visibility (knowing which IoT devices exist on your network at all), the vulnerability of those devices, what a compromised device could be made to do, and how such devices can be controlled.
Attempts at solutions to these threats abound, to varying degrees of effectiveness. In this post we will examine how you can make use of cyber deception, such as Cymmetria’s own MazeRunner platform, to achieve some of that control and visibility.
Cyber deception will not allow you to control IoT devices directly; it will help you to detect and prevent an attacker from doing that. You will be able to detect attackers attempting to use these devices, whether it is to compromise them or to employ them for their own needs.
Specifically, if an attacker attempts to:
- Find IoT devices to compromise for the purpose of pivoting on your network using various lateral movement techniques,
- Gain a persistent foothold in your environment through them, or
- Use them for exfiltration
… you will most likely be able to detect and prevent the attacker from succeeding.
Cyber deception at its most basic is about preventing lateral movement. It cannot prevent an attacker from compromising a host in your environment (for example, by use of spear phishing). It can, however, quickly detect an attacker once they try to pivot from that system toward their target.
The reason deception is so effective is that, once attackers break into an environment, their first move is to collect intelligence. During reconnaissance they unknowingly gather our data (credentials, shares, cookies, etc.). If we control the data they use to decide where to go next, then we control them. That is the very definition of counter-intelligence.
Hence, our first use case is preventing attackers from finding our real IoT devices to begin with, by making sure they are presented with better, more alluring paths (which lead to decoy IoT devices under our control). If they follow the wrong path even once, they are caught. Effectively, the burden of anomaly detection is now on them: they must tell a real device from a decoy, while we only need them to be wrong once. To see a good example of this, you can read about how we slowed down NATO red teams at the annual Crossed Swords wargame.
Our second use case is about what happens once an attacker has already compromised an IoT device and then attempts to perform lateral movement, pivoting through our environment from that foothold.
When attackers attempt to collect data on the network, they are likely to run into interesting-looking deception stories, campaigns, and assets that were set in advance (by us). Thus, even if attackers managed to take control of an IoT device, with cyber deception deployed we could detect their attempt and mitigate it.
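Both use cases reduce to the same detection rule: a planted breadcrumb credential has no legitimate user, and a decoy IoT host has no legitimate client, so any use of either is an attacker signal rather than an anomaly to be scored. The following is an added example, not MazeRunner code or anything from the original post; the decoy inventory, the IoT network segment, the scanner allowlist and the log line format are all constructed for illustration. It plants two breadcrumb credentials, registers two decoy IoT hosts, and runs a few constructed log lines through the rule, distinguishing an outsider touching a decoy from a pivot that originates inside the IoT segment (the second use case).

```python
"""Decoy-asset and breadcrumb detector (added example, hypothetical inventory)."""
from dataclasses import dataclass
import ipaddress
import re

# Constructed deception inventory. Nothing legitimate knows these addresses or
# credentials, so any sighting of them is deterministic evidence of an attacker.
DECOY_HOSTS = {"10.20.30.40": "fake-ipcam-01", "10.20.30.41": "fake-plc-02"}
BREADCRUMB_CREDS = {("svc_camera", "Cam3ra!2017"), ("plc_admin", "Plc$Admin")}
# Hypothetical address range where the real IoT devices live.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
# Hosts allowed to touch decoys without alerting (e.g. an authorized vulnerability
# scanner); without this, decoys generate noise instead of high-fidelity alerts.
ALLOWLIST = {"10.1.1.9"}

# Constructed log format: "<ts> <event> src=<ip> dst=<ip> [user=<u> pass=<p>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: user=(?P<user>\S+) pass=(?P<pw>\S+))?$"
)


@dataclass
class Alert:
    kind: str     # breadcrumb_used | lateral_move_from_iot | decoy_touched
    src: str
    dst: str
    detail: str


def classify(line: str):
    """Return an Alert if the line shows a decoy or breadcrumb being used, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line: ignore, never alert on garbage
    src, dst = m["src"], m["dst"]
    if src in ALLOWLIST:
        return None
    # Use case 1: the attacker acted on data we planted for them to find.
    if (m["user"], m["pw"]) in BREADCRUMB_CREDS:
        return Alert("breadcrumb_used", src, dst,
                     f"planted credential {m['user']} used against {dst}")
    # Use case 2: something reached a host that exists only as a decoy.
    if dst in DECOY_HOSTS:
        from_iot = ipaddress.ip_address(src) in IOT_SEGMENT
        kind = "lateral_move_from_iot" if from_iot else "decoy_touched"
        return Alert(kind, src, dst, f"{m['event']} to decoy {DECOY_HOSTS[dst]}")
    return None


def scan(lines):
    """Run every line through classify() and collect the alerts, in order."""
    return [a for a in (classify(l) for l in lines) if a is not None]


# Constructed sample events: one benign login, a pivot from a (compromised) real
# IoT device into a decoy, a breadcrumb credential replayed against a decoy PLC,
# an allowlisted scanner probing a decoy, and one unparseable line.
SAMPLE_LOG = [
    "2017-06-01T10:00:01Z login src=10.1.1.5 dst=10.1.1.20 user=alice pass=hunter2",
    "2017-06-01T10:00:02Z connect src=10.20.5.7 dst=10.20.30.40",
    "2017-06-01T10:00:03Z login src=10.1.1.77 dst=10.20.30.41 user=plc_admin pass=Plc$Admin",
    "2017-06-01T10:00:04Z connect src=10.1.1.9 dst=10.20.30.40",
    "this line is not an event",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.kind}] {alert.src} -> {alert.dst}: {alert.detail}")
```

Two design points carry over to a real deployment: the allowlist is what keeps the alerts deterministic (a decoy that your own scanners hit daily is just another noisy sensor), and the breadcrumb check runs before the decoy-host check so that a replayed credential is attributed to the planted data even when it is tried against a real host.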
Cyber deception is not a silver bullet, much like every other control in cyber security. It is, however, highly effective in countering lateral movement, regardless of the tools or vulnerabilities attackers may use. It is also effective in generating high-fidelity intelligence, and in validating suspicious events to the point where they can be made deterministic (see: ActiveSOC).