Internet of Everything: Hands-On Cyber Security

Source Presentation

Presented at SANS @ Night, Wednesday, June 21, 2017 (Happy Solstice!), by Matthew J. Harmon (GSEC, GCIH, GCIA, CISSP). Matthew is a Security Consultant & Researcher for IT Risk Limited and an Instructor for SANS & Saint Paul College.

Agenda

  • Legal challenges for IoT security research
  • Importance of routine maintenance, an analogy
  • The Internet of Everything
  • Smart = Exploitable, most of the time
  • Establishing a known state
  • Device enumeration
  • Data enumeration

The Minneapolis FBI Cyber Division, speaking at Saint Paul College (Spring 2017), discussed the legal landscape around IoT security research, including patent law and the reverse engineering of IoT devices. When a cyber lawyer and the Electronic Frontier Foundation were consulted, the advice was essentially ambiguous and cautious.

None of this matters to attackers, however: adversaries do not concern themselves with patent law or legal boundaries when targeting vulnerable devices.

Internet Census 2012 (Carna Botnet)

The Internet Census 2012 scanned 460 million IP addresses that responded to ICMP ping requests or port scans between June and October 2012, demonstrating the scale of exposed devices on the internet. Source: http://census2012.sourceforge.net/paper.html

IoT Growth

According to the Cisco Visual Networking Index 2017:

  • Approximately 429 million mobile devices and connections were added in 2016
  • Global mobile devices and connections in 2016 grew to 8.0 billion, up from 7.6 billion in 2015
  • By 2021, roughly three-quarters of all connected devices will be “smart”

Shodan

Shodan indexed IPs (filtered by country:us) and IoT-tagged devices revealed the massive scale of exposed systems. Thanks to John C. Matherly at Shodan (@achillean).

IoT Attack Surface

Source: OWASP IoT Attack Surface Areas (https://www.owasp.org/index.php/IoT_Attack_Surface_Areas)

Administrative Interface

  • Directory traversal vulnerabilities (e.g., a Smart Dishwasher)
  • Weak or default passwords (e.g., “password”)

Local Data Storage

  • Unencrypted or weakly encrypted data
  • Decommissioning issues (data left on devices)

Patches and Updates

  • Transmitted in the clear
  • Eventually everything comes to an end – no more updates

Firmware

  • Backdoors and insecure credential storage
  • Weak recovery/reset mechanisms
  • Vulnerable services, hardcoded credentials, privacy issues

Sensors

  • Location tracking, microphone access
  • Potential for physical damage

Network Traffic

  • LAN to Internet communications
  • Wireless protocols: WiFi, X/Zigbee, Bluetooth

Some Questions We Shouldn’t Have to Ask

  • Is your dishwasher’s web server patched?
  • Do you know if your lightbulb is packet flooding a journalist?
  • Is your camera sending MPEGs to another country?
  • Is your TV sending fingerprints of movies you are watching?
  • Is your refrigerator being used as a C&C host?
  • Is a nation state using your SOHO router as a monitoring point?
  • Is your NAS syncing to an unknown party, or has weak permissions?
  • Is your board room phone recording and sending those recordings somewhere?

Why do we have to ask these questions?

Smart = Exploitable

As Mikko Hypponen (@mikko) put it: “If it says ‘Smart’, you should read it as ‘Exploitable’.”

The Y2K38 Problem

The IoT of today will eventually fail. Devices that keep time in a signed 32-bit time_t overflow on 19 January 2038 (the Y2K38 epoch problem), and much of what is being deployed now will still be running then, about the time AI is expected to reach critical mass. The future of IoT raises the question: what time is it, really?

How Do We Tackle This?

Know what you’re defending.

Collection Methods

  • Passive: Takes longer but captures more information
  • Active: Faster but can disrupt
  • Aggressive: Attackers don’t care if they tip over systems, but we do. nmap -T5 is called “insane” for a reason (-T4 is merely “aggressive”), and you probably don’t need masscan

Use Darkstat, Bro, and ntopng for passive enumeration, then validate with nmap.

Minimum Device Inventory

At the very least, document for each device:

  • Manufacturer, Model, System Name, Location
  • Operating System, IP address/Netmask, MAC address

Then identify and map “normal” traffic profiles.
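As an added example (my own code, not anything from the talk), the following Python builds that per-device “normal” profile from a Bro conn.log collected during a learning period, then flags later connections that fall outside it. The log records, addresses, LAN prefix and upload threshold are constructed; a real conn.log has more columns, which the parser ignores because it keys on the #fields header.

```python
"""Per-device traffic profile from Bro conn.log, with deviation flagging.

Added example for this summary, not code from the talk.  The log text is
constructed (trimmed to the columns used) and the addresses, LAN prefix
and upload threshold are assumptions.
"""
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.0.0/24")  # segment being baselined (assumption)
UPLOAD_THRESHOLD = 1 << 20                    # outbound bytes that count as an upload (assumption)

# Learning period: the camera (.50) streams to the NVR (.10), the smart TV
# (.60) talks to a CDN, and both resolve names through the router (.1).
BASELINE_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tcount\tcount
1497999600.1\tC1\t192.168.0.50\t49152\t192.168.0.1\t53\tudp\tdns\t60\t120
1497999601.2\tC2\t192.168.0.50\t49153\t192.168.0.10\t554\ttcp\trtsp\t8400000\t2100
1497999602.3\tC3\t192.168.0.60\t49154\t192.168.0.1\t53\tudp\tdns\t58\t118
1497999603.4\tC4\t192.168.0.60\t49155\t93.184.216.34\t443\ttcp\tssl\t3200\t910000
#close\t2017-06-21-00-00-00
"""

# A later day: the TV behaves as before, but the camera uploads several
# megabytes to an Internet host it has never spoken to.
NEW_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tcount\tcount
1498086000.1\tC5\t192.168.0.60\t49160\t93.184.216.34\t443\ttcp\tssl\t3100\t880000
1498086001.2\tC6\t192.168.0.50\t49161\t192.168.0.10\t554\ttcp\trtsp\t8100000\t2000
1498086002.3\tC7\t192.168.0.50\t49162\t203.0.113.7\t443\ttcp\tssl\t5200000\t3400
"""


def bro_records(text):
    """Yield one dict per record, keyed by the names in the log's #fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):      # skips #types, #close, blanks
            yield dict(zip(fields, line.split("\t")))


def build_profile(text):
    """Normal profile: for each originator, the (peer, port, proto) triples it used."""
    profile = defaultdict(set)
    for r in bro_records(text):
        profile[r["id.orig_h"]].add((r["id.resp_h"], r["id.resp_p"], r["proto"]))
    return profile


def find_deviations(profile, text):
    """Connections absent from the originator's profile, tagged with why they matter."""
    hits = []
    for r in bro_records(text):
        key = (r["id.resp_h"], r["id.resp_p"], r["proto"])
        if key in profile.get(r["id.orig_h"], set()):
            continue
        reasons = ["new peer/service for this device"]
        if ipaddress.ip_address(r["id.resp_h"]) not in LAN:
            reasons.append("peer is outside the LAN")
        sent = int(r["orig_bytes"]) if r["orig_bytes"].isdigit() else 0  # Bro writes "-" when unset
        if sent >= UPLOAD_THRESHOLD:
            reasons.append("device uploaded %d bytes" % sent)
        hits.append({"orig_h": r["id.orig_h"], "resp_h": r["id.resp_h"],
                     "resp_p": r["id.resp_p"], "proto": r["proto"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    known = build_profile(BASELINE_LOG)
    for d in find_deviations(known, NEW_LOG):
        print("%(orig_h)s -> %(resp_h)s:%(resp_p)s/%(proto)s: " % d + "; ".join(d["reasons"]))
```

Run it against the real conn.log from your Bro sensor by swapping the two string constants for file contents; the learning period should cover at least one full weekly cycle so that scheduled jobs such as firmware checks end up in the profile rather than in the deviations.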

Do It Yourself Build

Step 1: Security Onion

Install Security Onion on a 2+1 NIC box (two sniffing interfaces plus one management interface). Go bleeding edge and test Security Onion + ELK: http://blog.securityonion.net/2017/06/towards-elastic-on-security-onion.html

Step 2: Network Tap

Set up a SPAN/mirror port or a network tap. The NetGear GS108E, a managed “Plus” switch with port mirroring, is still awesome at only $60.

Step 3: Darkstat and ntopng

Install Darkstat and ntopng for passive host and flow enumeration.

Step 4: Deploy OSSEC & Sysmon

Passive Enumeration Tools

Darkstat

Darkstat provides passive network enumeration, capturing hosts and traffic patterns without generating network noise. Source: https://unix4lyfe.org/darkstat/

ntopng

ntopng offers host discovery, flow enumeration, and traffic visualization. Correlating Bro and ntopng passive enumeration data provides a comprehensive view of network activity.

Bringing It All Together: NetBox

NetBox provides both DCIM (Data Center Infrastructure Management) and IPAM (IP Address Management):

DCIM (netbox_devices.csv): Device Name, Device Role, Tenant, HW Manufacturer, Model, OS, Serial Number, Interface, Site, Rack, Position, Face

IPAM (netbox_IP_addresses.csv): IP Address, Device Role, Tenant, Status, FQDN, Interface, Connected, Serial/MAC

Source: https://github.com/digitalocean/netbox

The Easy Button: nmap + nmaptocsv

nmap -vv -oN mynetwork.nmap 192.168.0.1/24
python nmaptocsv.py -i mynetwork.nmap -f ip-mac-fqdn-os-port-service-version

Note that -f is the nmaptocsv option that selects the output columns, and that without -sV (service/version detection) and -O (OS detection, which needs root) the os and version columns stay empty.

Source: https://github.com/maaaaz/nmaptocsv
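For readers who want to see what the “easy button” does under the hood, here is an added example (my own code, not nmaptocsv) that parses nmap normal output (-oN) into the same kind of inventory rows. The scan text is constructed from the format nmap prints; the hosts, MACs, vendors and versions are made up, and the parser only handles IPv4 addresses.

```python
"""Turn nmap normal output (-oN) into inventory rows, the way nmaptocsv does.

Added example, not nmaptocsv's code.  SCAN is a constructed transcript in
the format nmap prints for a -sV -O scan; hosts, MACs and versions are
invented.  Lines such as "Nmap scan report for 10.0.0.2 [host down]" that
-vv adds are ignored because they do not match HOST_RE.
"""
import csv
import io
import re

SCAN = """\
# Nmap 7.40 scan initiated Wed Jun 21 19:00:00 2017 as: nmap -sV -O -oN mynetwork.nmap 192.168.0.1/24
Nmap scan report for router.lan (192.168.0.1)
Host is up (0.0021s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     Dropbear sshd 2014.66 (protocol 2.0)
80/tcp  open  http    lighttpd 1.4.35
MAC Address: 00:11:22:33:44:55 (Example Networks)
Device type: WAP
Running: Linux 2.6.X
OS details: Linux 2.6.32 - 3.10

Nmap scan report for 192.168.0.50
Host is up (0.0040s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE VERSION
554/tcp open  rtsp    Example IP camera rtspd 1.0
MAC Address: AA:BB:CC:DD:EE:FF (Example Cameras)
Running: Linux 3.X
OS details: Linux 3.2 - 3.8

# Nmap done at Wed Jun 21 19:03:12 2017 -- 256 IP addresses (2 hosts up) scanned in 192.10 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:(?P<fqdn>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})(?: \((?P<vendor>.*)\))?$")


def parse_nmap_normal(text):
    """Return one dict per host: ip, fqdn, mac, vendor, os and a list of port tuples."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = {"ip": m["ip"], "fqdn": m["fqdn"] or "", "mac": "", "vendor": "", "os": "", "ports": []}
            hosts.append(cur)
            continue
        if cur is None:                      # preamble before the first host
            continue
        m = PORT_RE.match(line)
        if m:
            cur["ports"].append((m["port"], m["proto"], m["state"], m["service"], m["version"].strip()))
            continue
        m = MAC_RE.match(line)
        if m:
            cur["mac"], cur["vendor"] = m["mac"], m["vendor"] or ""
        elif line.startswith("OS details: "):
            cur["os"] = line[len("OS details: "):]
        elif line.startswith("Running: ") and not cur["os"]:
            cur["os"] = line[len("Running: "):]   # coarse fallback when there is no exact match
    return hosts


def to_csv(hosts):
    """One row per open port (a single bare row for hosts with none), nmaptocsv style."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["ip", "mac", "vendor", "fqdn", "os", "port", "proto", "service", "version"])
    for h in hosts:
        for port, proto, state, service, version in h["ports"] or [("", "", "", "", "")]:
            if state in ("open", ""):
                w.writerow([h["ip"], h["mac"], h["vendor"], h["fqdn"], h["os"], port, proto, service, version])
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_nmap_normal(SCAN)), end="")
```

The mac/vendor and os columns are exactly the Manufacturer, MAC address and Operating System fields of the minimum device inventory above, so the CSV can be reworked into the NetBox import format with a spreadsheet. The MAC line only appears when nmap runs as root on the same layer-2 segment as the target.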

Detecting Deviant Traffic with Bro

Bro-IDS can detect deviant traffic using custom scripts such as DNS bad behavior detection: https://github.com/sooshie/bro-scripts/blob/master/2.4-scripts/dns-bad_behavior.bro
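The linked script is written in Bro’s own language; as an added example (my own code, not a transcription of that script), here is the same kind of check run in Python over a Bro dns.log. The three heuristics, rogue resolver, NXDOMAIN storm and oversized labels, are mine, and the log lines, sanctioned resolver address and thresholds are constructed.

```python
"""Flag bad DNS behaviour in a Bro dns.log.

Added example for this summary; not the linked dns-bad_behavior.bro.  The
log lines (trimmed to the columns used), the sanctioned resolver and the
thresholds are constructed/assumed.
"""
from collections import defaultdict

LOCAL_RESOLVERS = {"192.168.0.1"}   # the only resolver devices should use (assumption)
NXDOMAIN_LIMIT = 3                  # distinct failed names per client before alerting (assumption)
LABEL_LIMIT = 40                    # one label longer than this looks like encoded data (assumption)

# .60 is a well-behaved TV; .70 bypasses the local resolver; .80 fails a
# burst of random-looking names (DGA-like); .90 stuffs data into a TXT query.
DNS_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tquery\tqtype_name\trcode_name
#types\ttime\tstring\taddr\taddr\tport\tstring\tstring\tstring
1498000000.1\tD1\t192.168.0.60\t192.168.0.1\t53\tupdates.example.com\tA\tNOERROR
1498000001.2\tD2\t192.168.0.70\t8.8.8.8\t53\tcloud.example.net\tA\tNOERROR
1498000002.3\tD3\t192.168.0.80\t192.168.0.1\t53\tkq3vx7lp.example.org\tA\tNXDOMAIN
1498000002.4\tD4\t192.168.0.80\t192.168.0.1\t53\tzt9pwm2r.example.org\tA\tNXDOMAIN
1498000002.5\tD5\t192.168.0.80\t192.168.0.1\t53\tbh4nq8sd.example.org\tA\tNXDOMAIN
1498000003.6\tD6\t192.168.0.90\t192.168.0.1\t53\tnb2hi4dthixs6mrqgiztim3tgq3uiylshe3gg3lnmfsxw33s.t.example.org\tTXT\tNOERROR
"""


def bro_records(text):
    """Yield one dict per record, keyed by the names in the log's #fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def dns_bad_behavior(text):
    """Return (client, reason) pairs for every record or client that trips a heuristic."""
    alerts = []
    nx_names = defaultdict(set)
    for r in bro_records(text):
        client, resolver, name = r["id.orig_h"], r["id.resp_h"], r["query"]
        if resolver not in LOCAL_RESOLVERS:
            alerts.append((client, "uses non-local resolver %s" % resolver))
        if r["rcode_name"] == "NXDOMAIN":
            nx_names[client].add(name)
        if max(len(label) for label in name.split(".")) > LABEL_LIMIT:
            alerts.append((client, "oversized label in %s query for %s" % (r["qtype_name"], name)))
    for client, names in nx_names.items():          # per-client check once the log is read
        if len(names) >= NXDOMAIN_LIMIT:
            alerts.append((client, "%d distinct NXDOMAIN names (DGA-like)" % len(names)))
    return alerts


if __name__ == "__main__":
    for client, reason in dns_bad_behavior(DNS_LOG):
        print(client, reason)
```

Tune the thresholds against your own baseline: a NAS that checks several CDN hostnames will legitimately produce a few NXDOMAINs, and a handful of vendors hard-code a public resolver, which is itself worth knowing when you map “normal”.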

Interesting Domains

Network forensics with Bro samples: https://github.com/aboutsecurity/Bro-samples

Identifying malware traffic with Bro: http://blog.opensecurityresearch.com/2014/03/identifying-malware-traffic-with-bro.html

Lenny Zeltser’s REMnux “Toolkit for Analyzing & Reverse Engineering Malware”: https://remnux.org/

Data Enumeration

Once you have a list of hosts and services, it’s time to identify your data stores. Start with servers and workstations-turned-server, have discussions with third-party vendors, then address your IoT devices.

Artifacts to Collect

  • Type, Asset Unique ID, File Name, Description
  • Recipient, Data Custodian, Responsible Party
  • Primary Location, Criticality Level, Classification
  • Restriction, Internal Share Location, External Share Location
  • Internal Backup Location, Off-Site Backup Location
  • Public, Legal Restricted, Medical Restricted

Detecting Lateral Movement

JPCERT Coordination Center

“Detecting Lateral Movement through Tracking Event Logs” provides detailed guidance on identifying pivot activity and on detecting tools such as PsExec through Windows event logs. Source: https://www.jpcert.or.jp/english/pub/sr/ir_research.html
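As an added example (my own code, not taken from the JPCERT report), the following Python correlates the artefacts PsExec leaves on the target host: a service installation (System event 7045), an ADMIN$ share access from the pivoting host shortly before it (Security event 5140), and processes spawned by the service binary (Sysmon event 1, which Step 4 of the build above provides). It assumes the events have been exported as JSON lines carrying the Windows field names; the hosts, addresses, timestamps and time windows are constructed.

```python
"""Spot PsExec-style lateral movement by correlating Windows event logs.

Added example for this summary (not from the JPCERT report or the talk).
It assumes events exported as JSON lines of the shape below; the host
names, addresses, timestamps and correlation windows are constructed.
"""
import json
import re
from datetime import datetime, timedelta

EVENTS_JSONL = r"""
{"ts": "2017-06-21T19:00:01", "host": "WS2", "channel": "Security", "event_id": 5140, "data": {"SubjectUserName": "alice", "SubjectDomainName": "CORP", "IpAddress": "192.168.0.25", "ShareName": "\\\\*\\ADMIN$"}}
{"ts": "2017-06-21T19:00:02", "host": "WS2", "channel": "System", "event_id": 7045, "data": {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"}}
{"ts": "2017-06-21T19:00:03", "host": "WS2", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1, "data": {"Image": "C:\\Windows\\PSEXESVC.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "C:\\Windows\\PSEXESVC.exe"}}
{"ts": "2017-06-21T19:00:04", "host": "WS2", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1, "data": {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\PSEXESVC.exe", "CommandLine": "cmd.exe /c whoami"}}
{"ts": "2017-06-21T19:05:00", "host": "WS3", "channel": "System", "event_id": 7045, "data": {"ServiceName": "ExampleAgent", "ImagePath": "C:\\Program Files\\Example\\agent.exe", "AccountName": "LocalSystem"}}
{"ts": "2017-06-21T19:05:01", "host": "WS3", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1, "data": {"Image": "C:\\Program Files\\Example\\agent.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "agent.exe"}}
"""

SHARE_WINDOW = timedelta(seconds=60)   # ADMIN$ access this long before the install (assumption)
CHILD_WINDOW = timedelta(seconds=300)  # children of the service this long after it (assumption)


def load_events(jsonl):
    """Parse JSON lines into dicts with a datetime ts, oldest first."""
    events = []
    for line in jsonl.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def basename(path):
    """Last component of a Windows path, lower-cased; works for %SystemRoot%\\x.exe too."""
    return re.split(r"[\\/]", path)[-1].lower()


def detect_psexec(events):
    """One finding per suspicious service install, with the pivot source and commands run."""
    findings = []
    for svc in (e for e in events if e["event_id"] == 7045 and e["channel"] == "System"):
        host, t0, d = svc["host"], svc["ts"], svc["data"]
        shares = [e for e in events
                  if e["event_id"] == 5140 and e["host"] == host
                  and t0 - SHARE_WINDOW <= e["ts"] <= t0
                  and e["data"]["ShareName"].upper().endswith("ADMIN$")]
        children = [e for e in events
                    if e["event_id"] == 1 and "Sysmon" in e["channel"] and e["host"] == host
                    and t0 <= e["ts"] <= t0 + CHILD_WINDOW
                    and basename(e["data"]["ParentImage"]) == basename(d["ImagePath"])]
        reasons = []
        if re.search(r"psexesvc", d["ServiceName"] + d["ImagePath"], re.I):
            reasons.append("service name/image matches PsExec's PSEXESVC")
        if shares and children:   # name-agnostic pattern, survives psexec -r renaming
            reasons.append("ADMIN$ accessed from %s just before install; service then spawned %d process(es)"
                           % (shares[-1]["data"]["IpAddress"], len(children)))
        if reasons:
            src = shares[-1]["data"] if shares else {}
            findings.append({"host": host, "ts": t0.isoformat(), "service": d["ServiceName"],
                             "source_ip": src.get("IpAddress"), "account": src.get("SubjectUserName"),
                             "commands": [c["data"]["CommandLine"] for c in children],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_psexec(load_events(EVENTS_JSONL)):
        print(json.dumps(f, indent=2))
```

The second rule matters because PsExec’s -r switch renames the service; the sequence “remote ADMIN$ write, new service, service spawns a shell” is the durable signal, and it requires Sysmon (or 4688 with command-line auditing) and share-access auditing to be switched on in the first place.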

MITRE CAR & ATT&CK

Cyber Analytics Repository (CAR)

https://car.mitre.org/wiki/Main_Page – provides analytics for detecting adversary behavior, expressed over data-model objects such as Process:Create events; start with the analytics that remove the low-hanging fruit.

Adversarial Tactics, Techniques, & Common Knowledge (ATT&CK)

https://attack.mitre.org – the comprehensive matrix of adversary tactics and techniques.

The secret? Once enumerated, it’s all low-hanging fruit.

Thank You

Security B-Sides MSP 2017 starts Saturday! BSidesMSP.org

Contact: mjh@itys.net or @mjharmon on Twitter.