Today sees the launch of the first cybersecurity development platform for Internet of Things (IoT) products. It is an effort to test the security of IoT devices, as well as identify and mitigate global attack risks and vulnerabilities. Infosecurity met with the Global Cyber Alliance (GCA) at Black Hat in Las Vegas to discuss GCA's new concept and general ethos.
Adnan Baykal, chief technical adviser of the GCA, said that the intention of what it calls the AIDE (Automated IoT Defence Ecosystem) is to “enable small businesses, manufacturers, service providers and individuals to identify vulnerabilities, mitigate risks and secure IoT devices to protect global users of IoT products.”
Baykal said that the GCA “wanted to build a platform that could collect data about IoT attacks and turn that data into actionable intelligence” to better protect the public. This is enabled by a 1200-node “honeyfarm” that it has been running for a year, using real IoT devices and building a repository of IoT data.
“We can use those devices to build a honey farm in a scalable way,” he explained, as the honey farm uses devices virtually around the globe. AIDE harvests data from the IoT devices and turns it into threat intelligence data which is then made available.
Baykal pointed out that nothing is sold; data is exchanged for free with those entities that provide data to AIDE, including companies, academia and non-profits. He explained that in exchange for access to the data, researchers will be required to share any algorithms developed to help AIDE generate additional information products.
Baykal said that the GCA is partnering with other firms who run their own honeyfarms “to give us their data and in return we share our data with them.” New partnerships are being announced, including one being created with Attivo Networks, a SCADA-based IIoT honeyfarm.
Also, as part of the AIDE effort, the GCA has developed a custom IoT honeypot solution, known as ProxyPot, which is capable of replicating one IoT device across multiple IP addresses and physical locales to identify global attack risks quickly, efficiently and accurately. Specifically, AIDE will automatically collect IoT attack data in three ways:
- Honeyfarms located around the world, including a GCA honeyfarm with more than 1200 instances (nodes) and data feeds from partners
- Virtual IoT devices located on simulated networks
- ProxyPots that can be distributed around the world and backed by real and virtual IoT devices
Baykal said that mitigation is carried out by publishing publicly-available threat intelligence feeds, which are fed into its DNS service, and it is building a platform for consumer networks to be protected. “You cannot rely on consumers to do the right thing,” he argued. “If you have a Nest thermostat at home and it starts resolving a domain that is malicious, our platform recognizes that and reaches out to a threat intelligence provider and says ‘this domain has been blocked, what other domains should I block on my network’ and they just realize that they cannot reach those IPs or domains.”
Baykal said that the platforms have been live for around a year before being publicly announced today. “With AIDE, any organization can access our threat feeds for data, conduct analysis and even search specific activity by username, source IP, destination IP, commands, hashes and geographic location,” he said.
The concept forms part of the GCA’s mantra of spotting gaps in the market and building solutions to address them. “Once a risk is identified, we build coalitions with companies who are either doing work in that area, or they have some insight into that specific problem,” he said. “We sit down with them and try to build a business case on how long it will take and how much it will cost and once the solution is built, we make it publicly available to anyone.”
Another example is the GCA’s publicly-available Quad9 DNS service, which Baykal said addresses the public need for a DNS service “that is effective at blocking known malicious domains and not mining the public data for commercial purposes.”
Another was the GCA’s Small Business Toolkit, which provides advice on how to run anti-virus, do a backup and deploy 2FA. Baykal concluded by saying that there is a “terrible job being done in getting people more secure” as nobody is going to give clear guidance to the public, as too many compromises are at all small businesses, but most solutions do not scale for small businesses.
The intentions of the GCA are very sound, as they are designed to improve the security of IoT devices and allow others to learn from the data collected in the honeyfarms. With so much negativity around IoT security, maybe this could be the first step forward to an improved level of security.