Podcast: IoT Revolution Leads to Increased Risk of Cyberattacks


In Episode S2E1 – IoT Revolution Leads to Increased Risk of Cyberattacks – we talk with Hardik Modi, Assistant Vice President of Engineering, Threat and Mitigation Products for NETSCOUT.

Hardik takes us on a fascinating journey to examine some threats associated with the IoT Revolution, especially as it relates to the current worldwide pandemic. We discuss some mitigation strategies and NETSCOUT’s latest industry report as well.


For those that prefer to read the information, a transcript of this episode is below.

Steve Bowcut:

Welcome to the Brilliance Security Magazine podcast. Thank you for joining us today. We really appreciate you being here. We have an exciting show put together for you today. Today, we’re going to be talking with Hardik Modi from NETSCOUT, and we’re going to be talking specifically about the IoT revolution and what it is that enterprises can do to protect themselves from some of the threats that come along with that IoT revolution, and kind of get a better understanding of what that is. So with that, let me do a quick introduction of our guest today. As I said, our guest is Hardik Modi. He is the Assistant Vice President of Engineering, Threat and Mitigation Products for NETSCOUT. He leads teams responsible for all aspects of threat intelligence, including threat research and collections. One of the highly sought-after byproducts of Hardik’s threat intelligence research is the creation and distribution of NETSCOUT’s semi-annual threat intelligence report, which analyzes the global threat landscape.

Steve Bowcut:

And that’s important to this conversation because that’s part of what we’re going to be talking about. I’ve asked Hardik to comment on that a little bit. So this semi-annual report covers some very interesting things and comes up with some very interesting findings. And so he will talk about some of those today. So with that, let me turn some time over to Hardik so he can do a short introduction of NETSCOUT. Most of our listeners, I think, know who NETSCOUT is, but it might be helpful if you just talked a little bit about who NETSCOUT is, and then maybe a little more about yourself, and then we’ll get started with some questions.

Hardik Modi:

Certainly, so Steve, let me start by thanking you for having me here. I’m really pleased to be on your show. And then let’s go right to it. At NETSCOUT, we think of ourselves as the guardians of the connected world. It’s a company of roughly 2,500 employees, globally distributed, that focuses on using network analysis, real-time in-depth network analysis, to help our customers maintain the integrity, the performance, and the availability of their services. So you might be a bank running a large operation with tens of thousands or hundreds of thousands of customers. And you might use us to monitor your networks, to monitor your services, understand when there are faults, understand where there are adjustments that can be made, enhancements that can be made to architecture, to deployments.

Hardik Modi:

You might be somebody else who is worried about the security threats to your enterprise or your service provider. And you’re really focused on the security and the integrity of the services that you’re providing globally. And a lot of people use us also in a security context. Again, always with a network-shaped head; that’s how all of us think of ourselves. So typically through the power of the network, delivering again, assurance and security to enterprises and service providers. Then just really quickly, to build on what you said about me. Yes, I run teams that are responsible for threat intelligence and mitigation here at NETSCOUT, and basically, what this means is that we’re monitoring the threat landscape using a lot of our capabilities, like research capabilities, working with our customers to understand what’s happening across the landscape.

Hardik Modi:

And I should mention with a very specific focus on DDoS. So we focus on everything that’s happening across the landscape, but truly, the specialization that we have is in the area of DDoS. This comes from a prior acquisition of a company called Arbor Networks. So Arbor was deployed worldwide with service providers and enterprises, helping with traffic visibility, DDoS detection, mitigation, traceback kinds of capabilities. And so, today in the form of NETSCOUT, we continue to do that. And that’s specifically where my group comes from. I have about 20 years now of experience building networks on the product side, on the threat intelligence side, and, really, my preference is where those two overlap, and so using intelligence to deliver better security outcomes for our customers.

Steve Bowcut:

Excellent. Thank you very much. And I’ll be interested to see if DDoS actually works into our conversation today about the IoT revolution. And so I’d like you, if you would, to just take a couple of minutes and talk to us: what is the IoT revolution, kind of its origins and where we’re at in the evolution of that revolution, if you will. So we can get a good understanding of how you see the world of IoT right now.

Hardik Modi:

So certainly, the internet of things, that’s what we’re talking about, IoT, and by this, at least colloquially, what I’m trying to get to is essentially non-traditional computing devices. So let’s take the computers that we know, like the desktops, the laptops or servers, even cloud-based, and let’s put all of those things aside. And now think of all of the things essentially in the world that actually have something of a computer in them. There is a chipset. That’s probably quite a powerful processor running an operating system, connected to the network, and things like these are embedded everywhere in the world today. And so think of, certainly, the Alexa and your various kinds of voice systems within your home.

Hardik Modi:

Think of my remote control that is also voice-activated and can operate my television, which itself carries applications that connect directly to the internet, download data, download movies, shows, and display them to me. I think of your refrigerator, those refrigerators that I think we kind of laughed at, that could place your grocery orders by themselves just by monitoring what you have in the fridge. But then again, these are the ones that maybe the common person is aware of, but there has been a massive sea change in the use of computing devices in industrial systems. So where, yes, they’ve had processors, and for as long as we’ve had electronics, we’ve had some sort of control around those electronics that allows us to then operate, say, the wind turbines and the water systems.

Hardik Modi:

But again, over the last, say, certainly decade, and the past few years for sure, a lot of this has been enhanced, sometimes replaced, with more centered computing devices. So again, anything that has a processor, runs an operating system, connects to the network. That’s essentially what we’re talking about when we say IoT, and the revolution, at least as I think of it, is just the productivity enhancements that have come, the gains that have come, with this broad-based deployment of computing technology. And so you think about how much easier it is to scale: you’re laying out a solar power plant, and you have panels that go for as far as the eye can see, and those are monitored through the deployed provision, monitored by a vast array of computing devices.

Hardik Modi:

And that’s how we’re able to achieve those scales. Right now, in July 2020, a lot of us are concerned about our hospitals and the ventilators in particular inside those hospitals. And we know that every one of those has, again, a significant amount of computing power built into it. Our health systems depend on this. And so that’s kind of what IoT is, and then, in particular, the revolution, as I think of it.

Steve Bowcut:

Okay. So that’s fascinating. So the IoT revolution then, as we’re defining it for this conversation, is really just the migration of all of the devices that we interact with, even if we don’t interact with them, I guess, onto a connected platform, and the tendency we have to keep finding more and more ways to connect things and more and more things to connect. And they do, in fact, make our lives easier. It’s not the kind of thing that we want to go backward in our technology on because those kinds of things make our lives easy. It’s hard to imagine the day when we will not know how we possibly lived without a refrigerator that would order the groceries for us, but the day may very well come where our children or grandchildren will say, “What! You had to do that by yourself?” So, where does the rub come in? Where does the problem come in? Is it a question of data exfiltration? Are bad actors getting in and out and extracting data from these things because they have sensitive data that they contain, or is it using them as DDoS bots, or is it just using them as an endpoint to get into the network, or all of those? So what are the threats associated with this IoT revolution?

Hardik Modi:

Yes. I’m going to go with D, that was all of those. And let me explain how it can happen, and where I can point to specific examples of where we absolutely have seen it happen. So, yes, the rub is that the devices themselves are difficult. These are not necessarily designed for enterprise networks, in many cases. Not designed for enterprise networks; they might be a $20 Christmas toy that speaks back to you, which needs maybe a few dollars’ worth of computing equipment to enable that functionality. And it just turns out that that is, in many cases, essentially the same kit that is used in other more powerful devices that get deployed around the world.

Hardik Modi:

They’re not necessarily designed secure to start with, and then, even worse, they’re typically not designed for updates, and it’s either that the vendors are not necessarily pursuing this in the first place, or that it’s just physically impossible to go update every IP camera that you’ve deployed across your home. And now, even if there was a way to go do the update and it required physical access, how are you going to get to that thing that you’ve installed 20 feet high up? And so these are all practical problems that are almost endemic to the solutions that we have chosen. And now, consequently, today we’re at this point where there are billions of these devices deployed worldwide.

Hardik Modi:

Many of which have these flaws that then manifest themselves in exactly the way that you were talking about. So let’s just start with data exfiltration, and there has been a considerable amount of data loss from individuals who happened to have network-attached storage, which again, lots of people have these things, definitely people who care about gadgets, and they’re likely to have one of those, at least from a few years ago, a little network-attached storage device with a few drives somewhere in their home, with backups of everything else that you may have ever done on all the other devices. And now that thing itself is, in many cases, exposed to the internet, and in many cases either not updated or has lots of known vulnerabilities with exploits associated with them.

Hardik Modi:

And there’s been a lot of data loss through means like that. This also comes in with something you said a little bit later: sometimes these devices are the entry point into the environment. So you might have a really robust firewall that monitors every other piece of access to your environment, but then, either unbeknownst to the classic IT or security team, or maybe even with their blessing, there’s going to be that one device, the HVAC system that needs to be accessed from the outside, but also has access to maybe internal assets or access from the inside, that is sitting at exactly that gray zone of potentially insecure, with access to the outside, with access to the inside.

Hardik Modi:

And now, that becomes your point of entry. And that certainly has been true in any number of high-profile incidents. I’m not going to get into names, but there was a casino a few years ago, and it was reported that their breach started with this little aquarium thing that they had. And so there’s some controller for the aquarium, essentially a glorified fish tank, that was connected to the internet. And that’s where the adversary first got to, and from there found a way to propagate within the enterprise. So certainly as a means for data exfil, and then also as an entry point; those are both fairly common.

Hardik Modi:

I said earlier, DDoS is really like bread and butter for us. And monitoring what the DDoS landscape looks like is key. And certainly, since roughly 2016, there has been a large, large uptick in DDoS attacks that originate from devices of this nature. So IoT devices, again, IP cameras, really common, DVRs, other sorts of devices that are commonly deployed in homes, consumer environments with access to the internet, which, like I said earlier, are not updated, not secure to start with, and now being leveraged by the adversary to launch attacks on others. So, as the enterprise, you don’t just have to fear the IoT devices that you have deployed within your environment.

Hardik Modi:

You’ve got to fear the rest of them too. Because the rest of them are basically what is going to be harnessed by the adversary when they want to launch a DDoS attack on you. So, like I said, it’s showing up across all forms of the threat landscape. And this is also true when you think of cybercrime, criminal activity, even nation-state; there have been nation-state campaigns that have famously involved the creation of large botnets of IoT devices. And then certainly the fully opportunistic script kiddie who just wants to launch an attack, doesn’t care how it’s happening, and then, thanks to a service or some other way of accessing it, they go take advantage of IoT devices to launch attacks.

Steve Bowcut:

Interesting, and kind of an anecdotal story on a personal level, and hopefully this relates to enterprises as well, but years ago, I bought for my family half a dozen or so inexpensive Chinese cameras. I still have them connected today, but really, I just use them kind of for fun now. After a period of time, I have some monitoring software on my network, I started to get attacks through those cameras. The alerts would show up that someone’s trying to attack, and it was always through one of those cameras. So I typically keep them disconnected now, but sometimes I’ll connect them just to see how long it takes before somebody tries. I assume that they’re using Shodan or some tool to go out there and find these things and then try and get into my network through these cameras. It usually takes certainly less than two days, but usually, the same day that I turn them back on and connect them, I’ll get an alert that somebody is trying to enter the network through that external device, which is kind of an interesting thing to me.

Hardik Modi:

And Steve, that’s it: both to use the device to get into your network and then to harness your network to launch DDoS attacks on other unsuspecting people. So, it’s inbound and outbound; it’s terrifying.

Steve Bowcut:

So let’s take a few minutes here and talk specifically about your threat intelligence report. Now it’s a semi-annual report. Do we have a new one coming out soon?

Hardik Modi:

Right now, we’re working on the next edition, and tentatively, I’m going to say early September is when we plan to launch the next report.

Steve Bowcut:

An H1 2020 report? Alright. So are there some surprising or interesting findings from the H2 2019 report that you can tell us about?

Hardik Modi:

Yeah, absolutely. So I’m going to start with just the DDoS front: we saw 8.4 million DDoS attacks. That’s how many NETSCOUT got to observe. And when I say this, this is largely through the eyes of our customers, which are certainly large enterprises but also service providers worldwide. So it’s actually our customers who are either the targets of, or in some form involved in observing, DDoS attacks. And again, through their eyes, we saw 8.4 million DDoS attacks, which was a healthy uptick on the previous year. But, I’m not gonna give away the number just yet, but I can tell you that, entering the COVID era, we’ve definitely seen another kind of step-function uptick in terms of sheer prevalence. I’d say that’s the first thing. The next few tidbits, just drawing on the IoT discussion we were just having: we saw a large rise in malware samples that specifically target IoT platforms. And so we track a number of the malware families. A lot of them are offshoots of a family that got started in 2016 called Mirai. And so what happened was Mirai was used in really high-profile attacks. The authors were later apprehended, but even before that, they got scared, and they published their source code to the internet. And from there on, a whole bunch of other people have taken their original source code and have created variants of it; actually, it was about a month ago that the FBI announced that they’d apprehended another few people who would’ve been responsible for Mirai variants and botnets based on that, and DDoS attacks resulting from them.

Hardik Modi:

So, Mirai, the sample set, continued to grow. And then really, I talked about IoT devices having architectures: there’s always a chipset. And on top of that, there’s some kind of operating system that’s installed, connected to a network card. And now, you have an IoT device. Well, there were malware samples for 17 separate architectures. So, the way to think of this is that if you’re a designer of a new device, let’s say you’re thinking about launching a brand new television, and now, as you well know, televisions don’t come with just a screen. Behind them is a huge apparatus of some kind of platform that lets you download games and download apps and stream directly to the TV.

Hardik Modi:

So let’s say you’re building out a new TV; if you pick one of those 17 architectures, there’s already a malware family ready, just waiting to be loaded on it. And so really what you want to be thinking about is how to make sure that people can’t get in, in the first place. We have more findings in the report around the use of default credentials. And the common usernames and passwords, we know these lists are built into malware families, but also people are scanning for them all the time. Also, with operating systems, the vulnerabilities and exploits for these platforms are known in advance. So you, as a designer of that device, have to get ahead of this and go think.

Hardik Modi:

And the odds are that whatever architecture or chipset you pick, whatever OS you pick, there’s already malware that’s ready to be used. So your job is to make sure that malware doesn’t get to the device. These are the key findings that I wanted to highlight in our conversation. All of these are built into the report; it’s fascinating to me. My team wrote it, so I’m a little bit biased here, but I do think that it’s fascinating reading, roughly 40 pages, and it is available on our site. It’s something that I think anybody interested in the threat landscape at large, and then in particular what we’re talking about right now, the IoT ecosystem, should take a look at.

Steve Bowcut:

Thank you. Thank you so much. I appreciate that. The next question I wanted to ask is kind of an interesting one. It’s more interesting now than it may have been a year ago or six months ago, so I wanted to ask it, and I know that you’re in the threat intelligence business, maybe not so much mitigation, but it’ll be interesting to get your perspective here. So what can be done to reduce the risks that you’ve outlined in your report? And I would direct that to an enterprise level: what can enterprises do? But in the world that we live in today, the line between enterprises and working from home has become so blurred because so many of us are forced to work from home now. And so enterprises are not contained anymore within the four walls of the enterprise. Everyone’s working from home. So, do you have any advice or anything that you can contribute as regards mitigation for some of these threats that your report outlines?

Hardik Modi:

Yeah. So I will always start with monitoring. You need to know what you have deployed, where it is, what it is communicating with. And, well, we can all build lists of devices and expect that people will register their device with us. But time after time, what we find is that it’s the security teams that are discovering where the devices are. And usually, this happens through pervasive, promiscuous network monitoring and analysis. So that’s where I would start. Okay, so let’s just say you’re at that point where you know where your devices are, especially in the IoT space: making sure only those devices that need to connect to the internet are allowed to connect, and then preferably only where they need to connect to, either through a proxy or some other kind of containment mechanism, and, again, you’re monitoring for this.

Hardik Modi:

So, at all times, even if a device suddenly has malware and is reaching out to someplace that’s unexpected, hopefully your monitoring is helping you understand when that happened. But that’s the connection out to the internet. Then there’s the connection into the enterprise, which again is sort of the poison pill in all of this. When you are able to get to the internet, the adversary has a way in, and then when you’re able to get to your internal domain, that’s essentially how they use it as a jump point. So that’s the next thing you want to think about: where does this connect, how do you segregate it, make sure that it’s on its own VLAN, it’s carved out, there’s a firewall preferably between your IoT network and the classic enterprise. On top of this, you’re thinking about all of these devices, like your printers. Again, a lot of what I just described would be the enterprise that operates from an office building, which, right now as we are speaking in July, is in fits and starts, but a number of office buildings are back to operating in some limited capacity, depending on where you are in the world. This again is a moment of key vulnerability where the building is back up, you have the HVAC running, it’s still connected. Everything is going; it might just be that you only have 20 people in there, but the risks are the same, right? Your risks have, in fact, even grown. And it could be that in this period nobody remembered to do a software update on all of these devices that are out there. We think a lot about remote access right now, in these times. And by this I mean the classic, like your VPN, but also if you have VDI infrastructure or you have some other form of enterprise access that is there to enable the remote worker, as we all have had to do in the past few months.

Hardik Modi:

And so this is where, for that VPN device, you want to be making sure that it’s patched, you’re aware of what is facing the internet, and you have it fully monitored. And then we spent a lot of time thinking about not just the confidentiality of these devices but also the availability of them. Because now, if I buy a strong enough DDoS on that VPN device, that means that your 20,000 employees who are working from home have all lost access; that’s terrible for productivity. And the bad guys know this.

Steve Bowcut:

Sometimes that is the objective, just to shut you down.

Hardik Modi:

It is extortion in some form, right? The threat of ransomware, it’s essentially a similar objective just from a different angle where they’re denying you access to your data and asking you to pay up in order to restore that access. And so, that’s certainly happening. So all of these risks are unfortunately alive and well, even in these times.

Steve Bowcut:

And it’s interesting, you pointed out there may be new risks as we move back to the workplace, from working at home to working back in the office. There may be some risks and some threats that we really hadn’t thought about. So it probably warrants giving some thought to that. What could have been going on? What things didn’t I update? We all kind of got used to changing, to moving to working at home. Now we’ve got to move back into the office.

Hardik Modi:

And the C-suite is back in the office, and they want their printers working. So, you could have maybe turned it off because you knew that nobody was in the building for a few months, but now that they’re back, they want the functionality all back. I mean, now you’re going to have to think about that.

Steve Bowcut:

Have I updated it since March, right? Those kinds of things. All right. Fascinating. So, well, before we wrap up here, I just wanted to give you an opportunity, if there’s anything else about NETSCOUT or your threat intelligence report, or anything actually that you’d like to talk about, you could take a few minutes and do that, and then we’ll wrap up.

Hardik Modi:

Yeah. So thank you, Steve. And the one thing I’d like to say is that, as guardians of the connected world, the way we think of ourselves, we see it as part of our responsibility to educate the world on what we’re seeing. So, everything that I just talked about, everything captured in the threat report, we’re doing this in order to create better awareness in the world. And I just wanted to add that there are a few other ways in which we do this. For one, we will frequently blog with recent findings. So where the threat report allows us to aggregate and take a slightly higher-level view of what’s been happening over a six-month period, if there’s something new and breaking that we want to share with the world, we’ll publish it on our blog.

Hardik Modi:

So that’s NETSCOUT.com/asert, and also, something we launched earlier in the year, is a situational awareness platform called Cyber Threat Horizon. So a lot of the data that we’re publishing in the threat report is actually coming to us essentially in real time. And so what we’ve done now is created ways in which we have visualizations and reports on this online free platform called NETSCOUT Cyber Threat Horizon. So it’s NETSCOUT.com/horizon. And you can go there, and you’ll see a lot of what I was just talking about. And then, further, you have the opportunity to sign up for free and create more filtered views. Maybe you’re interested in finance and insurance in the United Kingdom or manufacturing in Asia, and you want to know, okay, what are we seeing against people like yourselves in different parts of the world? These are a few more resources that I wanted to highlight to your audience, and certainly, I encourage everyone to take advantage of these.

Steve Bowcut:

Absolutely. Well, that’s fascinating. I appreciate that. It’s nice to find those kinds of free resources that people can go to and keep tabs on what’s going on with the threat intelligence world. So thank you so much. Well, Hardik, I can’t thank you enough. This has been very enjoyable and very interesting for me. I appreciate you taking the time to talk to Brilliance Security Magazine and our audience today. I’d also like to thank our listeners for tuning in, and we will be back shortly with another episode of Brilliance Security Magazine, and you can watch for an upcoming episode and published topics on Twitter, Facebook, and of course, at brilliancesecuritymagazine.com.
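The mitigation advice in the conversation above (know what IoT devices you have, allow only the destinations each one needs, keep them on their own VLAN, and watch for anything reaching into the enterprise) can be turned into a simple flow-record check. The script below is an added example written for this page; it is not NETSCOUT code and does not use any NETSCOUT product. The IoT VLAN and enterprise address ranges, the device inventory, the flow-record format and the flow lines themselves are all constructed for illustration.

```python
"""Egress and segmentation checks for an IoT VLAN, driven by flow records.

Added example, not NETSCOUT code. Address ranges, inventory and flow lines
are constructed. It flags three things the conversation calls out:
  - an inventoried device reaching a destination it was never allowed (unexpected),
  - an inventoried device opening connections into the enterprise range (lateral),
  - a source on the IoT VLAN that is not in the inventory at all (unknown_device).
"""
import ipaddress
from dataclasses import dataclass

IOT_VLAN = ipaddress.ip_network("10.50.0.0/24")    # assumed: the segregated IoT VLAN
ENTERPRISE = ipaddress.ip_network("10.10.0.0/16")  # assumed: classic enterprise range

# Constructed inventory: source IP -> name and the (dst, dport) pairs it needs.
INVENTORY = {
    "10.50.0.11": {"name": "hvac-controller",
                   "allowed": {("203.0.113.10", 443)}},       # vendor cloud only
    "10.50.0.12": {"name": "lobby-camera",
                   "allowed": {("10.50.0.1", 554),            # local NVR (RTSP)
                               ("203.0.113.20", 443)}},       # firmware check
    "10.50.0.13": {"name": "printer-3f",
                   "allowed": set()},                         # never initiates
}

# Constructed flow records: "src dst dport" per line, '#' starts a comment.
SAMPLE_FLOWS = """
# src           dst            dport
10.50.0.11      203.0.113.10   443     # HVAC -> vendor cloud, expected
10.50.0.12      10.50.0.1      554     # camera -> NVR, expected
10.50.0.12      198.51.100.7   6667    # camera -> unknown host on an IRC port
10.50.0.13      10.10.4.25     445     # printer -> SMB on an enterprise file server
10.50.0.44      10.50.0.12     23      # not in inventory, telnet to the camera
10.10.4.25      10.50.0.13     9100    # enterprise -> printer, not IoT-originated
""".splitlines()


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Finding:
    kind: str      # "unexpected" | "lateral" | "unknown_device"
    device: str    # inventory name, or the raw IP for unknown devices
    detail: str


def parse_flows(lines):
    """Parse the constructed 'src dst dport' format, skipping blanks and comments."""
    flows = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, dport = line.split()
        flows.append(Flow(src, dst, int(dport)))
    return flows


def analyse(flows, inventory=INVENTORY):
    """Return findings for IoT-VLAN-originated flows that break the policy."""
    findings = []
    for f in flows:
        if ipaddress.ip_address(f.src) not in IOT_VLAN:
            continue  # only traffic leaving the IoT VLAN is in scope here
        dev = inventory.get(f.src)
        where = f"{f.dst}:{f.dport}"
        if dev is None:
            # Discovery: the monitoring found a device nobody registered.
            findings.append(Finding("unknown_device", f.src, f"talked to {where}"))
            continue
        if (f.dst, f.dport) in dev["allowed"]:
            continue  # explicitly permitted destination
        if ipaddress.ip_address(f.dst) in ENTERPRISE:
            # Jump-point pattern: IoT device reaching into the enterprise.
            findings.append(Finding("lateral", dev["name"], f"into enterprise at {where}"))
        else:
            # Possible beaconing or C2: a destination not in the allow list.
            findings.append(Finding("unexpected", dev["name"], f"egress to {where}"))
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_flows(SAMPLE_FLOWS)):
        print(f"{finding.kind:15} {finding.device:16} {finding.detail}")
```

The allow list is deliberately per device and per (destination, port) pair rather than per subnet: the point of the segmentation advice is that an HVAC controller has no business talking to a file server even though both are "internal", and the check only stays meaningful if the inventory is kept current from the same network monitoring that discovers the devices.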


Steven Bowcut, CPP, PSP is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications. Follow and connect with Steve on Twitter, Facebook, Instagram, and LinkedIn.