Background
One of the tasks our company focuses on is the investigation of Smart Device networks.
We analyze the behavior of existing devices to make sure they are not acting up and we also investigate cases where devices have been compromised to understand what caused the compromise and to make sure it never happens again.
In this post we are going to show you a good methodology when it comes to investigating exploited Smart Devices. Think of it like a behind the scenes of the kinds of work we do to keep you safe.
One thing to note is as time goes on our methodology evolves to tackle new threats and make sure existing ones do not affect you, our users. So don’t assume we only have one methodology.
A process for investigating a smart device
The first thing we do is we scan the network for all existing devices. This is to gather information about the network topology. This includes but is not limited to:
- How many devices are out there?
- What kinds of devices are out there? (e.g router, smart lock, smart light bulbs etc)
- What protocols are they using to communicate?
- etc.
The next thing we do is to look at what the devices are actually doing, these include things like:
- Who are the devices talking to?
- How are they responding?
- What kind of data is being generated? e.g you can expect a smart camera to generate large amounts of data due to it streaming video but a smart lock should NOT be generating gigabytes of data.
Now the fun (or not so fun part if your device is compromised). We compare the traffic of the Smart devices to traffic that is occurring on various Darknets. This is see if the device is being used for malicious purposes.
If a device is found to be compromised and be used for malicious purposes, we try to detect what the purpose of the attack is e.g is it to de-activate the device?, to steal your private information?, to use your device as a weapon in a larger scale attack? etc.
After all this is done, we can then notify you (the user) of what has happened.
Lucky for us (and you), we have many tools that help handle the huge amount of data this process requires. We also have many Artificial Intelligence tools that allow is to work even faster in detecting and investigating network breaches.
Conclusion
Investigating network security breaches usually comes down to sifting through piles and piles of data. For example A billion rows of access logs or hundreds of millions of network requests.
It pays enormous dividends to have the proper tooling in place that allow you to go through the aforementioned data in a quick and efficient manner as every second counts.
It also pays to have good methodologies and processes that can serve as a guiding light when it comes to network forensics.
I hope you enjoyed this read, make sure to share this article with your friends and visit our Facebook and Twitter pages for facts about Smart Device security.
You can also visit our website here to Sign Up for Early Access and get the protection you need!
Sources
Torabi, Sadegh & Bou-Harb, Elias & Assi, Chadi & Debbabi, Mourad. (2019). A Scalable Platform for Enabling the Forensic Investigation of Exploited IoT Devices and Their Generated Unsolicited Activities. Digital Investigation. 32. 10.1016/j.fsidi.2020.300922.