
The ingenuity and audacity of attackers should never be underestimated. In the summer of 2016, hackers used tweets to control malware. This past summer, after Twitter worked to eliminate this capability, hackers switched to posting Instagram comments to send commands to victim systems.
We decided to see if Senrio Insight could detect this “hiding in plain sight” tactic. Without proper context, it can be difficult to separate malicious traffic from ordinary operations. IoT devices may connect to the Internet, but they shouldn’t browse social media.
We began at the main dashboard, which gives us an overview of the network. Senrio automatically tags each device with descriptions of its manufacturer, operating system, and protocols in use. That makes it easy to search for all the devices that have communicated with a web server.
From this smaller list of devices, we had the option to look at websites the devices in the list had accessed. One of the devices, designed to backup data to the cloud, had regularly connected to its manufacturer’s update website, as well as to other servers for data storage and system time.
We didn’t have to search through the connection data manually, though. Doing so can help us understand what is happening behind the scenes, and we could use it to investigate whether devices had reached out to any known malicious sites; however, Senrio does this work for us. It had already sent us two alerts based on suspicious connections to and from a Network Attached Storage (NAS) device. NAS devices act as data servers, storing information intended to be shared among a group of users, which makes them a critical piece of equipment to protect.
When we opened the details of the first notification, we saw that Senrio had detected a connection the NAS made to an unknown website. Searching for all traffic between the NAS and the remote site in Senrio’s logs showed us that the NAS connected to the attacker’s web server about once an hour after the initial connection.
The NAS was clearly behaving suspiciously. To find out where a compromise might have originated, we took a look at the other alert, which showed an SSH connection into the device from another address on the network.
We’ve seen attacks like this before: an intruder searches for open SSH and HTTP ports, attempting to log in wherever they can. Thanks to Senrio, the attack did not go unnoticed.
Conclusion
Connected devices access the internet for legitimate reasons all the time. They get automatic updates, connect out to VoIP servers, and get their time from external time servers. Given the importance of such devices in enterprise, determining which connections are legitimate and which are not is critical for security and safety.
Because connected devices are not designed to be fully interactive, we can’t install antivirus or other endpoint defenses on them. However, we can use their connection behavior to learn about their normal operations. Senrio builds up a profile of a device’s standard behavior and compares against that baseline in order to detect the difference between a benign communication about device health and a malicious connection to a command and control server.
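The baseline-and-compare idea above, together with the roughly hourly connections seen from the NAS earlier in the post, can be sketched as a small detector over connection records. This is an added illustration, not Senrio’s code; the device name, hostnames and timestamps are constructed, and the jitter threshold for calling a pattern "beaconing" is an assumed value.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed records: (timestamp, device, destination host). The baseline
# window shows a NAS talking only to hypothetical vendor update, storage and
# time hosts; the observation window adds near-hourly connections to an
# unknown host, like the NAS described in the post.
BASELINE = [
    ("2017-08-01T00:05:00", "nas-01", "updates.vendor.example"),
    ("2017-08-01T00:10:00", "nas-01", "storage.vendor.example"),
    ("2017-08-01T06:00:00", "nas-01", "time.example.net"),
    ("2017-08-01T12:00:00", "nas-01", "storage.vendor.example"),
]
OBSERVED = [
    ("2017-08-02T00:05:00", "nas-01", "updates.vendor.example"),
    ("2017-08-02T01:02:00", "nas-01", "unknown-host.example.org"),
    ("2017-08-02T02:01:00", "nas-01", "unknown-host.example.org"),
    ("2017-08-02T03:03:00", "nas-01", "unknown-host.example.org"),
    ("2017-08-02T04:00:00", "nas-01", "unknown-host.example.org"),
    ("2017-08-02T06:00:00", "nas-01", "time.example.net"),
]

def build_baseline(records):
    """Map each device to the set of destinations seen in the learning window."""
    profile = defaultdict(set)
    for _, device, dest in records:
        profile[device].add(dest)
    return profile

def find_new_destinations(profile, records):
    """Return (device, dest) pairs never seen in that device's baseline."""
    return sorted({(d, h) for _, d, h in records if h not in profile.get(d, set())})

def is_beaconing(times, tolerance=0.2, min_hits=3):
    """True if connections recur at a steady interval: the spread of the gaps
    between consecutive connections is small relative to the mean gap.
    The 20% tolerance is an assumed tuning value, not a Senrio setting."""
    if len(times) < min_hits:
        return False
    ts = sorted(datetime.fromisoformat(t) for t in times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return pstdev(gaps) <= tolerance * mean(gaps)

def alerts(profile, records):
    """For each off-baseline destination, report hit count and whether it beacons."""
    out = []
    for device, dest in find_new_destinations(profile, records):
        times = [t for t, d, h in records if (d, h) == (device, dest)]
        out.append((device, dest, len(times), is_beaconing(times)))
    return out
```

Running `alerts(build_baseline(BASELINE), OBSERVED)` flags only the unknown host, with four hits at a steady interval; the vendor and time hosts stay quiet because they are part of the learned profile.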
So are your connected devices browsing the internet? If so, do you know why? Senrio makes these and other questions easy to answer. Request a demo and find out how else Senrio can help you.