Anomaly Detection and IoT

Mar 18, 2021 | breach, IoT Vendors, Key Features, Risk

The IoT Context

Over the past 15 years, we’ve seen the rapid adoption of the Internet-of-Things(IoT) in both consumer and commercial environments. IoT has been the bridge between the virtual and physical, and provided a glimpse into a more integrated and efficient world that is now starting to take shape. From home devices like robot vacuums, smartTVs, and climate control, through to critical infrastructure like our energy and water supply, all are benefiting from the efficiencies brought by IoT adoption. This rapid increase in the number and reliance upon IoT, however, comes at a trade-off with cybersecurity demands; there are simply more devices, meaning inherently, more vectors for attack or compromise, and therefore more risk. It doesn’t take much imagination to predict the innate threats that we already face, let alone as we continue to build IoT into our collective lives. This is why Anomaly Detection is so vital.

Given the increasing prevalence of IoT devices, the volume of attacks on these devices and the networks upon which they can be found is also increasing. While there are certainly, IoT security issues like IoT botnets running Distributed Denial of Service (DDoS) attacks, malicious device control, ransomware, etc, the issue we need to address with IoT is currently largely a problem posed by that of lateral movement. That is, the ability for a threat actor to move throughout a computer network once they have an established foothold through a single compromised device, like in the 2017 Fish Tank example. As organisations are increasingly introducing IoT solutions to their environments, typically, attackers will use IoT devices as a launching pad to further infiltrate corporate networks, map and compromise other networked devices, and ultimately exfiltrate the most valuable assets of the organisation; their ‘crown jewels’.

IoT Security Options

Given the limited computational resources available to IoT devices because of their simple footprint and often physical size, it’s impractical to install traditional security solutions onboard to manage encryption and authentication between devices, as well as with the rest of the corporate network. Therefore, it typically falls to measures like Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) that don’t require agents to help prevent IoT cybersecurity incidents.

As IoT-rich networks are constantly evolving with the integration of new technologies and new vendors, therefore new possibilities for attack are also introduced. The sheer rate (and scale) of change means that it is all but impossible (especially with limited resources) to manually study the behaviours and interactions of each additional device, including the host of possible edge-cases each may present. Given that the number of IoT devices in most deployments far exceeds the device-count of traditional networks, coupled with their often continuously changing deployment, means the standard practices of access control are far too laborious to keep pace. To further compound this issue, each deployment is unique in its network topology and applied purpose, making the accurate detection of security incidents incredibly difficult, and thus any security measure likely to fall well short of its intent.

New IDS/IPS solutions are now often being installed with the primary aim of addressing IoT security, sometimes in parallel to existing deployments. These usually rely on an established database of signatures that indicate possible attacks – a problem for halting novel variations or zero-day attacks. These are known as ‘signature based’ IDS/IPS solutions. An emerging alternative more fitting for IoT environments, are the behavioral-based models where the IDS/IPS generates a unique fingerprint of the network, typically using statistical analysis. While these behavioural-based IDSs offer (some) protection from new types of attacks, they also generate a lot of false-positives. Moreover, both signature and behavioural approaches to IDS/IPS also fail to adapt to constant changes in network architecture common to IoT-rich networks.

So, while an IDS/IPS can provide valuable insights into possible (or identified) security incidents, and integrate with other solutions like the corporate Security Information and Event Management (SIEM), they are ostensibly just another ‘pane of glass’. This means that they require input, verification, and ultimately action from an analyst to be of use. And given most organisations lack credible incident response capabilities (even with better performing tools), so the possible attack – if not a false-positive – goes unchecked until it’s too late. IDS/IPS solutions aren’t the panacea for IoT they are purported to be by many vendors, and often just generate more work for security teams rather than the meaningful security/business outcomes being sought.

Newer Methods – Network Anomaly Detection

If the discussed methods of signature-based solutions essentially can’t respond effectively to new challenges or configurations in a timely manner, and the behavioural models to identify potential issues generate too many false-positives, where do we go now?

An anomaly, also termed outlier, exception, or deviation, is any isolated observation, event, or artefact which deviates significantly from a projected pattern or behaviour. Network anomaly detection is any activity that identifies the deviations from a given device profile, and might indicate to atypical network traffic, identify a device that is (or in the process of) malfunctioning, or simply highlight data for cleansing before analysis takes place, and therefore, warrants closer inspection. Therefore, a behavioural-based approach to anomaly detection is the logical basis for evolving a solution, albeit hampered by its inexactitude.

The fundamental problem with specification-based anomaly detection is the vast array of heterogeneous devices on the market. This incredibly broad matrix of all device types, functions, manufactures, and utilisations a Herculean effort to model! Adding to this, it’s also worth noting that the data points IoT devices generate are limited in volume too, as IoT devices are not by function, large producers of network traffic. So we have a very large range of devices, and very little in terms of identifiable signals. It’s like playing the children’s poolside game, ‘Marco Polo’ in a giant lake with thousands of different organisms, none of which have vocal chords.

There are several solutions developed to help filter and identify these devices to augment the behavioural-based anomaly detection methods. Ranging from how and where the systems are placed; gateways, firewalls, etc, through to data science based methods to processes potentially anomalous data; Machine Learning (ML), Deep Neural Networks (DNN), and the like, there have been featured in a multitude of efforts. Given the computational complexity and power required to implement these solutions, they are invariably unwieldy in an IoT context. Cynically then, it is easy to say of most, that they are attempts at market differentiation rather than genuine innovation, and they still ultimately require human supervision and interaction.

A Better Approach to Anomaly Detection in IoT Environments

We need to limit cyber risks while still pushing for digital innovation through the adoption of new technologies like IoT. Our unique solution allows customers to monitor their IoT and OT assets for presence, functionality, and cybersecurity, without requiring any specialised devices or protocols. Our automated solution allows for rapid and wide adoption of new technologies while ensuring they are protected from attack and even malfunction.

CyAmast employs formal models of device network behaviours for on a flow-level basis for Anomaly Detection. This means that the unique patterns on the network as a whole are used to monitor and detect anomalies fully compliant with the emerging Manufacturer Usage Description(MUD) IETF MUD standard. This is further enhanced by combining this with the time-series signals of individual device flows, providing a ‘zoom in/ zoom out’ capability for monitoring and assessment of anomalous behaviours.

Given they specify expected and permitted network activity and behaviour, the MUD standard is undeniably a step in the right direction for IoT. There are, however, some limitations. More sophisticated – and increasingly frequent – attacks can’t be stopped by MUD profiles alone. As there is no provision to limit rates within the standard, volumetric attacks for instance, are still effective methods of attack.

While MUD profiles should be the baseline from which to operate, there needs to be more comprehensive measures in place. CyAmast engines automatically generate the MUD profile of individual networked devices (even legacy ones) at run-time by passively analysing their traffic. Paired with our sophisticated behavioural modelling that monitors the level of activity associated with each policy rule to detect anomalies, we believe we have addressed these deficiencies.

If you’d like to see how CyAmast can help you improve your operational efficiencies and boost your security posture, reach out today.