SECURE THE ENTERPRISE OF THINGS - UNDERSTANDING THE NEW ATTACK LANDSCAPE Jack Marsal Sr. Director, Product Marketing - AIM Utah

SECURE THE ENTERPRISE OF THINGS
UNDERSTANDING THE NEW ATTACK LANDSCAPE

Jack Marsal
Sr. Director, Product Marketing

                                  ©2018 Armis Inc. All Rights Reserved.
Enterprise of “Things”

Office Environment
Explosive Growth in Enterprise “Things”

Chart: connected devices (billions) by year, 2010 to 2020, reaching 20+ Billion Connected Devices. Source: Gartner, BI Intelligence 2016. Legend: Protected / Protected-Unprotected / Unprotected.

• Traditional Enterprise, Managed (Protected): Web, PCs and Servers
• BYOD (PC & Mobile) (Protected/Unprotected): Laptops, Tablets, Smartphones
• Unmanaged and IoT (Unprotected): VOIP, Security Cameras, Switches, Access Points, Printers, Bluetooth, Point of Sale, Smart TVs, Medical Devices, Smart HVAC, Manufacturing, Smart Lighting
“IoT has become the leading technology for digital transformation and is the number one priority for 92 per cent of organizations.”
Source: Inmarsat, “The Future of IoT in Enterprise -- 2017”

“IoT architectures and solutions are critical enablers to achieving innovative and planned business outcomes.”
Source: Gartner, “Internet of Things Primer for 2018”, 9 January 2018, Nathan Nuttall, Emil Berthelsen, Martin Reynolds

Meet The New (Insecure) Endpoint

• Designed To Connect
• No Security
• Billions of Devices
• Hard to Update
• Many Manufacturers
• Hard to Discover
Attacks on Unmanageable Devices are Increasing

• 600%: Increase in attacks from 2016 to 2017 (Symantec ISTR 2018)
• 46%: had a breach or security incident associated with IoT security (IDC, 2017)
• 25%: of all identified attacks in enterprises will involve unmanageable devices by 2020 (Gartner, 2017)
6 EXPLOITS
Real Stories Behind the Headlines

Compromised Tablet
UNAUTHORIZED VIDEO STREAMING
WHAT
• 200 conference rooms, each had a tablet to control the video system
• The tablet in one conference room was streaming video and audio to an unknown destination
• This represented a leakage of sensitive conversations.

Compromised Smart TV
ATTEMPTING TO INFECT OTHER DEVICES
WHAT
• Boardroom was equipped with a Smart TV
• Malware on the Smart TV was trying to infect nearby devices via Wi-Fi and Bluetooth.

Compromised Security Camera
BOTNET ATTACK
WHAT
• Security cameras on the network were compromised with a botnet
• Botnet was connecting to routers on the network, trying to compromise the routers.

Infected Healthcare Device
ENTRY POINT FOR WANNACRY
WHAT
• MRI machine had an external internet connection for vendor remote support
• Running Windows XP -- unpatched since patching would void the warranty
• Infected with WannaCry and trying to infect other Windows systems via SMB

Unauthorized Network Bridge
PRINTER ALLOWED ANYONE TO CONNECT
WHAT
• A printer connected to the wired network had an open hotspot, allowing unauthenticated access to anyone.

Rogue Network Stealing Credentials
THEFT OF NETWORK CREDENTIALS
WHAT
• A corporate device was connecting to a pineapple that was collecting Active Directory credentials or hashes
DNS REBINDING EXPLOIT
Nearly Every Enterprise is Exposed

Armis Findings
• Half a billion devices in the enterprise are vulnerable to DNS Rebinding
• Firewall and network segmentation will not protect against attack
Vulnerable Devices
• IP Phone – IP-based desk phones
• Printer – Corporate printers
• Network equipment – access points, routers, or switches
• IP Camera – Typically security cameras
• Streaming Media Player – Chromecast, FireTV, Apple TV, etc.
• Video conferencing – IP-based conference room phones, speakers
• Smart TV – Connected monitors, often running apps
• Conference phone – IP-based conference room phones and speakers
• HVAC control – Smart / connected thermostats
• Peripherals – UPS, lab equipment, KVM
• Point of Sale – Sales terminals, could be iPads
• Smart speaker – Amazon Echo, Google Home, Sonos, etc.
HOW DNS REBINDING ATTACK WORKS

Scenario used in the slides: the user visits worldsportsscores.com, which carries a malvertisement (“World Sports Scores”). Target devices shown: IP Cameras, Smart TVs, Speakers / Digital Assistants, Printers, IP Phones, and Critical Data.

STEP 1: User visits a malicious website or a site with a malicious ad. JavaScript runs in the user’s browser.

STEP 2: The malicious website commands the end-user browser to scan local IP addresses for target devices.

STEP 3: The hacker accesses the target device.

STEP 4: The hacker establishes an outbound connection through the unmanaged or IoT device (the slide shows the connection leaving company.com, with DDOS as one use).
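Two defensive checks against the sequence above, as an added example that is not Armis code or anything from the slides: a resolver-side filter that drops answers mapping an external name onto an internal address (the rebinding step), and the Host-header check an embedded device web server can apply so that a rebound request is refused. The zone corp.example, the device identities and all addresses are assumptions.

```python
import ipaddress

# Ranges an external (internet) hostname should never resolve to.
# Constructed list for this example; extend it for your own address plan.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]


def is_private(addr: str) -> bool:
    """True if addr falls in a private, loopback or link-local range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def resolver_allows(qname: str, answers, internal_zones=("corp.example",)):
    """Resolver-side filter (the behaviour dnsmasq's --stop-dns-rebind gives):
    drop answers that map an external name onto an internal address, which is
    what lets the attacker's page reach a device in STEP 3. Names under the
    organisation's own zones may still resolve to internal addresses."""
    name = qname.rstrip(".").lower()
    if any(name == z or name.endswith("." + z) for z in internal_zones):
        return list(answers)
    return [a for a in answers if not is_private(a)]


def _host_without_port(host_header: str) -> str:
    """Strip an optional :port from a Host header, keeping IPv6 literals intact."""
    h = host_header.strip()
    if h.startswith("[") and "]" in h:      # [fd00::20]:80 -> fd00::20
        return h[1:h.index("]")]
    if h.count(":") == 1:                   # 192.168.1.20:8080 -> 192.168.1.20
        return h.rsplit(":", 1)[0]
    return h                                # hostname or bare IPv6 literal


def device_accepts_request(host_header: str, own_identities) -> bool:
    """Device-side check for an embedded web server: answer only when the
    Host header names this device (its IP or configured hostname). A rebound
    request still carries the attacker's domain in Host, so it is refused."""
    if not host_header:
        return False
    host = _host_without_port(host_header).lower()
    return host in {i.lower() for i in own_identities}


if __name__ == "__main__":
    # Constructed walkthrough: the attacker's name first answers with a public
    # address, then flips to the printer's LAN address; the filter keeps only the first.
    print(resolver_allows("worldsportsscores.com", ["203.0.113.10", "192.168.1.20"]))
    print(device_accepts_request("worldsportsscores.com", {"192.168.1.20"}))
```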
WHAT TO DO?

What is Your Security Strategy?

Chart of endpoint types by year (2010 to 2020) against the security strategy that covers each:
• Unmanaged and IoT (VOIP, Security Cameras, Switches, Access Points, Printers, Bluetooth, Point of Sale, Smart TVs, Medical Devices, Smart HVAC, Manufacturing, Smart Lighting): ????????
• BYOD (Smartphones, Tablets, Laptops): Mobile device management, guest networks, VDI
• PCs and Servers: Security agents, patch management, firewalls, NAC
Zero-trust Approach

Agent = Trust
Discover and Classify – Fortune 1000 Company

• 1,212 Windows Machines (205 Unmanaged)
• 578 Servers
• 1117 Employee Phones (587 Unmanaged)
• 370 Tablets (295 Unmanaged)
• 213 Guest Phones
• 60 Smart TVs (5 Previously Unknown)
• 10 Telepresence Systems
• 100 Printers (78 Open Hot Spots)
• 500 VoIP Phones (2 Sending Data To Unauthorized IP)

• 80 Switches
• 110 APs
• 150 Security Cameras
• 10 Gaming Consoles
• 140 Smart Watches
• 5 Digital Assistants (4 on Guest Network)
• 25 Smart Thermostats
• 20 HVAC Controllers
• 2 Wi-Fi Pineapples (Connecting to Multiple Corp Devices)

Findings noted alongside the second column: 21 Unpatched Vulnerabilities, 10 Possible Botnet Infections, 17 Trying to Connect to other Devices
Network Segmentation Is Not Trustable

Diagram of a segmented network, top to bottom:
• Perimeter: Firewall
• Network Core: Core Switch (VLANs: Guest, Corp, VLAN “N”)
• Aggregation Layer: Aggregation Switches
• Access Layer: Access Switches (the diagram marks attacks against a switch)
• Managed & Unmanaged Devices
Remote Control Execution Incidence

Chart of incidence by endpoint class:
• Traditional Desktop: 1 per year
• Mobile: 2-3 per year
• Network Infrastructure: 100 per year
• IoT: every year
Cisco Bulletin
• April 6, 2018: ”Attacks targeting Cisco IOS switches were detected exploiting the CVE-2018-0171 vulnerability in the Cisco Smart Install Client software. According to the Cisco Talos team, more than 168,000 devices worldwide are potentially exposed.”

Location of Vulnerable Cisco Devices
(Map of devices affected by CVE-2018-0171.)
Network devices are often easy targets. The following factors contribute to the
vulnerability of network devices:
• Few network devices run antivirus, integrity maintenance, and other security
  tools that help protect general purpose hosts.
• Manufacturers build and distribute these network devices with exploitable
  services, which are enabled for ease of installation, operation, and
  maintenance.
• Owners and operators of network devices do not change vendor default
  settings, harden them for operations, or perform regular patching.

Continual Behavior Monitoring

DEVICE: Samsung 60" Class J6200 Full LED Smart TV
NORMAL BEHAVIOR TRAITS:
• DNS queries followed by connection attempts to xpu.samsungelectronics.com
  • 10 consecutive attempts spaced 5 minutes apart, followed by a 45 minute gap before attempting again
• Interfaces: BT, Wi-Fi
• Stationary, does not connect to other devices on the network
• Tizen OS
• Several default applications such as Netflix and Amazon Instant Video

DEVICE: Nest Thermostat, 3rd Gen
NORMAL BEHAVIOR TRAITS:
• DNS queries to transport.home.nest.com, transport.home.ft.nest.com in a periodic manner
• Every night at 4am, ~1GB of data transfer
• Interfaces: Wi-Fi
• Stationary, no other protocols, routing between Nests on the same network, no connection to other devices, no devices connecting to it
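One way to turn the traits above into a baseline check, as an added example that is not Armis code: device profiles built from the two rows on the slide, run over constructed flow records to flag an unexpected DNS destination, a lateral connection, or a large transfer outside the expected window. The profile fields, the record format, the 3-5am window and the 500 MB threshold are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Profile:
    dns_suffixes: tuple       # domains the device legitimately queries
    lateral_allowed: bool     # may it talk to other devices on the LAN?
    bulk_hours: tuple = ()    # hours (0-23) when a large transfer is expected
    bulk_bytes: int = 0       # size that counts as "large"; 0 disables the rule

# Baselines taken from the slide; bulk window and threshold are assumptions.
PROFILES = {
    "samsung-tv-j6200": Profile(("samsungelectronics.com",), False),
    "nest-thermostat-3": Profile(("home.nest.com", "home.ft.nest.com"), False,
                                 bulk_hours=(3, 4, 5), bulk_bytes=500_000_000),
}

# RFC 1918 ranges stand in for "the corporate LAN" in this example.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _under(name: str, suffixes) -> bool:
    """True if name equals one of the suffixes or is a subdomain of it."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)

def _is_local(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETS)

def check(records, profiles=PROFILES):
    """Compare records (dicts: device, kind 'dns'|'flow', dst, hour, bytes)
    against the device's baseline and return (device, reason) alerts."""
    alerts = []
    for r in records:
        p = profiles.get(r["device"])
        if p is None:
            alerts.append((r["device"], "no baseline for device"))
            continue
        if r["kind"] == "dns" and not _under(r["dst"], p.dns_suffixes):
            alerts.append((r["device"], f"unexpected DNS query {r['dst']}"))
        elif r["kind"] == "flow":
            if _is_local(r["dst"]) and not p.lateral_allowed:
                alerts.append((r["device"], f"lateral connection to {r['dst']}"))
            size = r.get("bytes", 0)
            if p.bulk_bytes and size >= p.bulk_bytes and r.get("hour") not in p.bulk_hours:
                alerts.append((r["device"], f"{size} bytes at hour {r['hour']}"))
    return alerts

# Constructed sample records: three within baseline, four deviations.
SAMPLE_RECORDS = [
    {"device": "samsung-tv-j6200", "kind": "dns", "dst": "xpu.samsungelectronics.com", "hour": 9},
    {"device": "samsung-tv-j6200", "kind": "dns", "dst": "update.example-cdn.net", "hour": 9},
    {"device": "samsung-tv-j6200", "kind": "flow", "dst": "192.168.1.30", "hour": 9, "bytes": 2048},
    {"device": "nest-thermostat-3", "kind": "dns", "dst": "transport.home.nest.com", "hour": 4},
    {"device": "nest-thermostat-3", "kind": "flow", "dst": "203.0.113.7", "hour": 4, "bytes": 1_000_000_000},
    {"device": "nest-thermostat-3", "kind": "flow", "dst": "203.0.113.7", "hour": 14, "bytes": 900_000_000},
    {"device": "unknown-badge-reader", "kind": "dns", "dst": "example.net", "hour": 14},
]

if __name__ == "__main__":
    for device, reason in check(SAMPLE_RECORDS):
        print(device, reason)
```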
DISCUSSION

What is your near-term focus?

Reaction to Gartner’s prediction?
“By 2020, more than 25% of identified attacks in enterprises will involve the IoT, although the IoT will account for less than 10% of IT security budgets.”

130 info security professionals attending Black Hat
