Full Trust and Zero Trust: Impressions from RSA Conference 2019

candid wueest
Published in Threat Intel
Mar 14, 2019 · 7 min read

The RSA Conference 2019 in San Francisco attracted more than 50,000 attendees from around the globe to discuss current IT topics. The gray weather in San Francisco had me thinking of cloud security, but I quickly realized that the best protection when it came to these clouds was a nice raincoat.

But joking aside, there were many interesting and varied topics being discussed at this year’s conference. While some talks still focused on machine learning and how it can help organizations to be more efficient, the artificial intelligence (AI) talks from last year were replaced by discussions around various degrees of trust.

The human factor and trust

A common theme in the panels and keynotes was the human aspect, from preventing insider threats to keeping your talent working for you. There was emphasis on the importance of the trust we put into the hyper-connected world we live in. People need to be able to trust that their data will not be part of the next data breach, and companies that jeopardize their customers’ trust will face challenges in the future. Increased cloud adoption and the complexity of IT solutions mean that customers are increasingly putting their trust in multiple cloud service providers without realizing that attackers have already started following the data to the cloud.

In the same vein, various presentations talked about trust in information and how to control information without censorship. Groups like NewsGuard are tackling the issue of fake news from the journalist’s side by verifying background research on news sites, and there are service providers that fight bot accounts, consequently shutting down such news amplifiers. With events such as the 2020 Olympic Games in Tokyo and the next U.S. presidential election on the horizon, tackling propaganda, disinformation, and fake news is a very important topic. Unfortunately, it is also not a simple one to solve.

5G

Not surprisingly, 5G was covered in many talks as well. Although it is still too early to talk about the impact the technology may have, it is clear that it will change many IoT devices such as smart home devices. Machinery, for example in the agricultural sector, will also benefit from 5G connectivity. Being always on and directly connected to the internet means that anything using 5G needs to be protected so that it does not become the low-hanging fruit for tomorrow’s attackers. The 5G Phase 2 specifications show a lot of promising encryption and anonymization considerations, but we will have to wait for the final implementation details to see whether we are likely to face huge 5G DDoS attacks in the future.

Zero trust

Another common theme at the RSA conference was zero trust. It felt like every second vendor had something to present around zero trust in their portfolio; however, the term was laid out quite differently by various vendors. From “no more firewalls,” to “assume our network to be hostile,” to “never trust, always verify,” there were a lot of different ideas about zero trust. So it wasn’t surprising that many presentations started by defining what they mean by the term zero trust and explaining what it is not. To be honest, that didn’t remove all the vagueness from my mind, so I won’t give a comprehensive definition here, as that would be far beyond the scope of this article. Simplified, it could probably be described as a security model based on the principle of maintaining strict access controls with least privilege and not trusting anyone by default, regardless of their location or device. But it is not a product you can install; it is a process and design model. If you’re interested in learning more about Symantec’s view on zero trust, then I recommend the RSAC presentation from Nico Popp, “How to Apply a Zero-Trust Model to Cloud, Data and Identity.” Nico discusses the future of cloud security for unmanaged devices and how to secure their access to cloud services.

MITRE ATT&CK framework

The MITRE ATT&CK framework was referenced in many presentations at the RSA conference. The ATT&CK matrix is a great tool to describe adversary behaviors in a unified language and to identify defense gaps in your environment that need to be closed. It is a nice knowledge base of different attack methods, but it is not a risk assessment tool. The main focus of most presentations was on lessons learned and how the framework can be applied efficiently in real life to things like threat hunting. We have written before about our view and why we think the ATT&CK framework matters.

Profiting from compromised IoT devices

Not to be left out, I presented on IoT threats at the RSA conference or, more precisely, on how attackers are profiting from compromised IoT devices. The premise for my talk was that we always hear new stories about how IoT product XY can easily be hijacked and that search engines like BinaryEdge or Shodan list thousands of exposed devices, but we rarely discuss what these devices are really used for once they are compromised. We discussed the various attack vectors, and the conference held a few talks on that topic as well. Default credentials or weak passwords have been a well-known weak point for years, and the same holds true for unpatched vulnerabilities that can be remotely exploited by malware. In addition, LAN attacks, such as DNS rebinding or UPnP attacks, and supply chain risks should not be forgotten.

Formjacking in a jiffy.

In our recent Internet Security Threat Report 24 (ISTR) we talk about the IoT threat landscape in more detail. Our IoT honeypot registers more than 5,200 unique attackers each month. The majority (75 percent) came from infected routers, followed by connected cameras (15 percent) and multimedia devices (5 percent). On the other hand, more and more IoT devices are being bought and installed at home, adding to the sea of potential targets. Telemetry from our Norton Core product showed that we already see an average of six connected IoT devices per household in the U.S.

So what are cyber criminals using these devices for? Looking at the top three IoT threats, we see that DDoS functionality is the most common payload. LightAidra (31 percent), Kaiten (31 percent) and Mirai (16 percent) all focus on DDoS attacks. Such attacks are easy to carry out, but they only generate $5,000–10,000 in revenue per month for the attacker when rented out as a booter/stresser service.

Another common assumption is that the devices are misused for crypto coin mining. This was definitely true at the beginning of 2018. Unfortunately for the attackers, the price of cryptocurrencies such as Monero fell by 87 percent last year, which means that the profitability of mining also fell drastically. For example, the Hide’n’Seek botnet only generated XMR coins worth $25 per month in 2019. For larger IoT botnets, that results in a profit of only a few hundred, or a few thousand, dollars per month; not the big payday cyber criminals are looking for. Of course, attackers still love coin mining, as it is simple to implement and does not require any user interaction, as ransomware does. Also, the generated cryptocurrencies allow for an anonymous cash-out method. Maybe some cyber criminals are speculating or hoping that the crypto winter will soon be over and that their coins will rise in value again.

But these two example scenarios highlight that profits have dropped, meaning attackers are interested in new ways of profiting from compromised IoT devices. During my talk, I described the 12 likeliest scenarios for this and discussed the pros and cons for the attackers. This list includes:

• DDoS attacks — including the misuse of IoT protocols for amplification

• Spam attacks — including spamming printers or smart speakers

• Cryptocurrency mining — direct or indirect on IoT devices

• Ransomware/locker — which won’t work for all device classes, but could work for expensive devices

• Blackmail/extortion — which we have already seen, and will probably grow with the amount of private data being shared

• Pranks/nuisance — which is growing in numbers, although it won’t generate profit for the attackers

• Information stealing — yet another avenue for data breaches

• Click fraud/ad fraud — very profitable and often overlooked

• Premium services — not really a main concern, as rare

• Network sniffing — interesting, but difficult with the increase of traffic encryption

• Attack other devices — a major concern for enterprise customers

• Proxy network — simple and flexible for future attacks

If you are interested in reading more on the topic of profiting from compromised IoT devices, my slides are available on the conference site (PDF).

Exhibition hall

Of course, the RSA conference also has a large exhibition hall with many vendors showing their newest products, and the early stage expo with some up-and-coming companies to check out. I always like walking around, getting inspired by ideas or feeling the pulse of the newest trends, although it can get a bit stressful with that many people and booth staffers chasing you in order to scan your badge details.

For me the exhibition hall also meant running live hack demos at the Symantec booth. Our theme was to demonstrate what devastating attacks could happen in just seven minutes. To back this up, my colleague Antonio Forzieri demonstrated how an attacker could compromise a misconfigured S3 data bucket and take over the online presence of an enterprise. My own demo consisted of a supply chain attack on a visitor-counter JavaScript, which enabled me to inject formjacking malware into an online shop. All in under seven minutes. It was good fun and sparked a lot of nice discussions with visitors.

A lot can happen in seven minutes!

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cyber security.

I work @ Symantec Security Response. My tweets are my own, and not that of my employer. I break stuff, I have fun, I have fun breaking stuff ;)