How to secure edge devices from botnets?

June 22, 2023
Edge security protects distributed edge infrastructure from IoT Botnet attacks

Every industry uses internet-connected edge devices to improve operational efficiency and deliver value by building an ecosystem that monitors and reacts to its surroundings in real time. As the number of these internet-connected edge devices grows, so does the attack surface available to criminals running botnets.

The previous article explained the background and methods of various botnet attacks on IoT edge devices and distributed infrastructure. In this article, we examine further IoT botnet attacks from the past and then discuss AI EdgeLabs’ solution to this problem at length.

Recent botnet attacks on IoT edge devices

The European Union Agency for Cybersecurity Threat Landscape Report 2022 stated that the Mozi botnet alone was detected more than 5 million times. In recent history, several botnet attacks on IoT edge devices have led to serious consequences:

1. Mozi botnet

The Mozi IoT malware was initially detected in the latter half of 2019 and is unique in that it combines three other infamous malware families – Mirai, Gafgyt, and IoTReaper. Its key characteristic is its peer-to-peer network architecture, which allows it to launch DDoS attacks, data exfiltration, and command or payload execution. Remarkably, the Mozi botnet still exploits a security vulnerability that was discovered eight years ago, and it targets unpatched devices to construct botnets with hundreds of thousands of endpoints.

2. Meris botnet

After the release of the Mirai botnet source code, several Mirai variants emerged. While Mirai infected IoT devices with low computational power, Meris infects routers and network hardware with higher processing power and data transfer capabilities. The Meris botnet exploited vulnerabilities in the router’s operating system, which allowed attackers to gain unauthenticated remote access and read and write arbitrary files. Attacks on such devices can cause far more harm to large-scale enterprise edge infrastructure if it is not protected with advanced edge security solutions.

Botnet threat detection

Several indicators can reveal that an IoT device is under a botnet attack, such as a vulnerability in the operating system, changes in network traffic, irregular behavior of the device, changes in CPU and memory usage on the device, and more. The following are some of the AI EdgeLabs capabilities that help protect your distributed edge environment from IoT botnet attacks.

1. Operating system telemetry data

The AI EdgeLabs agent is equipped with advanced capabilities that enable it to gather and analyze network and operating system metrics in real time, supporting analysis and connectivity profiling. Operating system telemetry can include a range of valuable details about the system’s performance, such as central processing unit (CPU) load, memory usage, and disk input/output (DiskIO).

One potential application of this data is identifying and responding to IoT botnet attacks. In such attacks, a network of compromised devices is used to perform coordinated attacks, and by monitoring the CPU and memory usage of individual devices, the AI EdgeLabs agent can detect any unusual spikes or drops in performance, which may be indicative of an IoT botnet attack. 
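The detection idea above, baselining per-device CPU, memory, disk and egress telemetry and escalating only when several metrics deviate together, as an added example that is not AI EdgeLabs code. The telemetry samples are constructed, and the window, z-score threshold and "two metrics" escalation rule are assumptions chosen for illustration.

```python
from collections import deque
from statistics import mean, pstdev

# Constructed telemetry for a hypothetical edge device (one sample per minute).
# Samples 0-7: quiet baseline. Sample 8: disk-only burst (e.g. a log rotation).
# Samples 9-10: device drafted into a DDoS, CPU and egress jump together.
TELEMETRY = [
    {"cpu_pct": 12, "mem_pct": 40, "disk_io_kbps": 120, "net_out_kbps": 50},
    {"cpu_pct": 14, "mem_pct": 41, "disk_io_kbps": 130, "net_out_kbps": 55},
    {"cpu_pct": 13, "mem_pct": 40, "disk_io_kbps": 125, "net_out_kbps": 52},
    {"cpu_pct": 15, "mem_pct": 42, "disk_io_kbps": 135, "net_out_kbps": 58},
    {"cpu_pct": 12, "mem_pct": 41, "disk_io_kbps": 120, "net_out_kbps": 50},
    {"cpu_pct": 14, "mem_pct": 40, "disk_io_kbps": 130, "net_out_kbps": 55},
    {"cpu_pct": 13, "mem_pct": 41, "disk_io_kbps": 125, "net_out_kbps": 52},
    {"cpu_pct": 15, "mem_pct": 42, "disk_io_kbps": 135, "net_out_kbps": 58},
    {"cpu_pct": 14, "mem_pct": 41, "disk_io_kbps": 900, "net_out_kbps": 53},
    {"cpu_pct": 95, "mem_pct": 43, "disk_io_kbps": 128, "net_out_kbps": 4000},
    {"cpu_pct": 95, "mem_pct": 43, "disk_io_kbps": 128, "net_out_kbps": 4000},
]

class BaselineDetector:
    """Rolling per-metric baseline; a value is anomalous when |z-score| exceeds the threshold."""
    def __init__(self, window=8, z_threshold=3.0, min_samples=5):
        self.window, self.z, self.min_samples = window, z_threshold, min_samples
        self.history = {}  # metric name -> deque of recent normal values

    def observe(self, sample):
        """Return [(metric, value, zscore)] for every metric deviating from its baseline."""
        alerts = []
        for metric, value in sample.items():
            hist = self.history.setdefault(metric, deque(maxlen=self.window))
            anomalous = False
            if len(hist) >= self.min_samples:
                sigma = max(pstdev(hist), 1e-6)  # guard against a perfectly flat baseline
                score = (value - mean(hist)) / sigma
                anomalous = abs(score) > self.z
                if anomalous:
                    alerts.append((metric, value, round(score, 1)))
            if not anomalous:  # keep outliers out of the baseline so it does not drift
                hist.append(value)
        return alerts

def analyze(samples, min_correlated=2):
    """Report every deviation, but mark a sample as suspected bot activity only when
    min_correlated metrics deviate at once (a single-metric burst is noise, not a bot)."""
    det, report, suspected = BaselineDetector(), {}, []
    for i, sample in enumerate(samples):
        alerts = det.observe(sample)
        if alerts:
            report[i] = alerts
        if len(alerts) >= min_correlated:
            suspected.append(i)
    return report, suspected
```

Running `analyze(TELEMETRY)` reports the disk burst at sample 8 as a single-metric event and escalates samples 9 and 10, where CPU and egress traffic deviate together.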

2. Traffic inspection for anomalous patterns with RL algorithms and threat modeling

AI EdgeLabs is designed with advanced technologies that monitor network traffic and detect unusual patterns that may indicate a security threat. To do this, our security platform uses reinforcement learning (RL) algorithms that learn from experience to make decisions and take actions based on complex data inputs. Combining RL algorithms with traffic inspection makes it possible to analyze network traffic in real time and identify anomalies that may be a potential security threat.

Threat modeling is also important in the battle against IoT botnet attacks, as it uses sophisticated machine learning models to identify potential vulnerabilities and attack vectors in the network. The combination of threat modeling and RL algorithms makes it possible to develop an effective security strategy against emerging botnet threats.

3. Asset Discovery of the Connected IoT

Enterprises need to adopt a robust security solution that includes a network-based asset discovery system with the ability to monitor internet-connected IoT edge devices. This is essential to protect against botnet attacks, which are a common threat to networks of all sizes. 

In a peer-to-peer botnet attack, a network of zombie devices is used to infect other vulnerable devices. This can lead to a rapidly spreading attack that can quickly overwhelm a network and cause significant damage. In such attacks, the security of IoT edge devices is particularly important, and by implementing a network-based asset discovery system, security teams can identify and monitor all internet-connected devices within their network. 

The asset discovery feature runs several background processes, including vulnerability assessment, security monitoring, incident response, remediation, and configuration management.

Internet-facing devices undergo routine vulnerability assessments to pinpoint security vulnerabilities and potential points of entry. It is crucial to effectively manage and align the configuration of these endpoint devices with optimal security practices. Additionally, the security solution must continuously monitor for any signs of suspicious activity and promptly detect potential security breaches. 

In the next section of this article, we will explore another approach to safeguard the distributed edge infrastructure against botnet attacks – the implementation of endpoint detection and response capability.

4. Endpoint Detection and Response

Endpoint detection and response (EDR) is a cybersecurity solution that focuses on protecting endpoint devices such as IoT edge equipment. It performs many of the same actions typically associated with XDR solutions but focuses specifically on endpoints.

AI EdgeLabs’ Endpoint Detection and Response (EDR) is a cutting-edge security feature that leverages multi-layered protection and uses machine learning models to detect unknown botnet threats. It is designed to provide comprehensive security against a wide range of botnet threats, as well as zero-day threats, which are previously unknown and, therefore, not detected by traditional signature-based security solutions. 

Because vast numbers of IoT edge devices are deployed across geographical locations, endpoint devices are a major entry point for cyber attacks. The AI EdgeLabs Endpoint Detection and Response solution gives deep visibility into these endpoint devices and enables attacks to be prevented. The objective of this security technique is to secure the edge infrastructure with real-time monitoring and to provide the data analytics needed to detect threats.

Conclusion

According to the ESET Threat Report, the number of devices turned into bots by Mirai-based botnets grew by 11 percent in Q3 2022 to almost 200,000. Devices located in the United States were the second most active, accounting for 15 percent of detections. Weak IoT edge security within organizations makes this possible.

To keep pace with evolving cyber threats, especially IoT botnets, security teams need to focus on adopting AI-based cybersecurity solutions. Learn more about our advanced solution to combat IoT botnets here.
