Feb 22 2023

IoT Botnets Remain a Critical Cybersecurity Threat to State and Local Governments

Agencies can take steps to minimize their exposure to botnet attacks, which can knock services offline.

The era of bots has arrived. According to CPO Magazine, the Internet of Things has been “the primary force behind the biggest distributed denial of service (DDoS) botnet attacks for some time.”

This risk is reflected in recent attack efforts. From August to December 2022, malicious actors made more than 134 million exploit attempts on IoT devices using a remote code execution flaw in the Realtek Jungle Software Development Kit.

For state and local agencies, the growing use of network-connected devices in daily operations coupled with the increasing prevalence of IoT compromise means it’s time to act. But before making the move to secure critical networks and protect key data, government organizations need to know what they’re up against.

Here’s a look at IoT botnet basics, what’s next for these attacks and how agencies can keep bots at bay.


What Are IoT Botnets?

According to Nitzan Miron, vice president of product management for application security at Barracuda, an IoT botnet begins when an attacker compromises a connected device.

“This could be anything you install in your home, or sensors in your business,” he says. “Attackers can take control of tens or hundreds of thousands of devices and use them to do their bidding. I imagine an army of toasters and air conditioners, and this isn’t far from the truth. While IoT devices are limited in their computational ability, even an AC unit now has a powerful processor that lets it perform some computation.”

An attacker marshals these compromised devices to attack a target, such as a state or local government network. The most common use of IoT botnets is DDoS, in which agencies are inundated by thousands of simultaneous access, function or data requests from the controlled devices. If agencies don’t have the right security infrastructure in place, these bots can take entire networks or public-facing services offline.

IoT botnet DDoS attacks are often used as distractions that hide hacker efforts to compromise networks and install malware payloads capable of capturing and exfiltrating data, Miron says. For state and local agencies, however, the occurrence of the attack itself can be damaging, even if data isn’t compromised.

“Government organizations are often responsible for critical infrastructure, and agencies may hold a lot of data,” Miron says. “Even if attacks don’t impact government’s ability to perform key functions, they can impact public perception and reduce public confidence.”    


What’s Next for Botnets?

While volumetric botnet attacks remain common, malicious actors are also becoming more sophisticated in their approach.

“Consider the Mirai botnet, an early example of a volumetric attack,” Miron says. “It was a very simple piece of code with a simple idea: Each device would go looking for additional devices to control. Once enough devices were controlled, attackers could use them to go after one target at the same time, quickly overwhelming the organization.”


Now, Miron says, attackers look beyond volumetric attacks to abuse the logic of applications themselves. He points to the example of an attacker looking to test 100,000 stolen credit cards, a practice known as card testing. Attempting to try all of these cards at once through an e-commerce site would immediately raise red flags, so attackers spread the attempts across a botnet, trying cards from many source addresses at a low per-source rate to slip under common rate-based security controls.

However, defenders have become wise to this attack path. Tools can now flag suspicious user behavior that may indicate a botnet at work, such as putting items directly into digital carts and checking out without viewing any other product pages.

Yet this is an arms race, meaning attackers are upping the ante with new IoT botnet attack techniques. “Some of these attackers will record a human using a web app and then direct their bots to mimic this behavior,” Miron says. This includes everything from page views to website interactions to mouse movements.


How Can State and Local Governments Defend Against IoT Botnets?

While it’s impossible to eliminate the risk of IoT botnets, there are steps agencies can take to reduce their total risk.

1. Put the Right Tools in Place

“The first step is having enough bandwidth to defend,” Miron says. “How much do attackers have versus how much do you have for DDoS attacks? Here, it’s often worth leveraging a security company that has terabits of bandwidth, which is orders of magnitude larger than current attacks.”

Logic comes next, which takes the form of an escalating series of challenges. “If traffic starts to look suspicious, you start to throw challenges at the application. This could include a CAPTCHA for users or a delay before apps load so that network solutions can check the security of connections. As the attacks ramp up, so do the defenses. Users may not even see the challenges,” Miron says.

In addition, Miron highlights the increasing impact of machine learning. “We’ve learned that you can’t use a human to stop a botnet attack. There are too many connections and too many sessions. You have to have predefined rules and systems. Machine learning tools are good at detecting anomalies by building a profile of what a human would do.”
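The escalating challenge ladder Miron describes, combined with the behavioral tell mentioned earlier (a session that goes straight to the cart and checkout without viewing any product pages), can be sketched as a small decision engine. The following is an added example written for this article, not Barracuda’s code or the article’s own; the thresholds, source addresses and request log are constructed assumptions, and a real deployment would run this at the edge with far more signals.

```python
"""Escalating bot-mitigation ladder over a constructed request log.

Two ideas from the text are combined:
  * a behaviour signal: repeated cart/checkout requests from a session that
    never viewed a product page (a card-testing tell), and
  * an escalating series of challenges that ramps with per-source request
    rate: allow -> delay -> CAPTCHA -> block.
All thresholds and addresses below are illustrative assumptions."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 10     # sliding window for the per-source request rate
DELAY_AT = 20           # requests per window before the app is delayed
CAPTCHA_AT = 50         # requests per window before a CAPTCHA is required
BLOCK_AT = 100          # requests per window before traffic is dropped
SUSPICIOUS_CHECKOUTS = 3  # blind checkouts before the behaviour signal fires
CHECKOUT_PATHS = ("/cart", "/checkout")
ACTIONS = ("allow", "delay", "captcha", "block")


@dataclass
class SourceState:
    times: deque = field(default_factory=deque)  # timestamps inside the window
    viewed_product: bool = False
    blind_checkouts: int = 0                      # checkouts with no browsing


class ChallengeLadder:
    def __init__(self):
        self.sources = defaultdict(SourceState)

    def decide(self, ts, src, path):
        """Return the action for one request; state is kept per source."""
        s = self.sources[src]
        s.times.append(ts)
        while s.times and ts - s.times[0] > WINDOW_SECONDS:
            s.times.popleft()
        rate = len(s.times)

        if path.startswith("/product/"):
            s.viewed_product = True
        elif path in CHECKOUT_PATHS and not s.viewed_product:
            s.blind_checkouts += 1

        # Rate alone picks a rung; the behaviour signal pushes one rung higher.
        if rate >= BLOCK_AT:
            rung = 3
        elif rate >= CAPTCHA_AT:
            rung = 2
        elif rate >= DELAY_AT:
            rung = 1
        else:
            rung = 0
        if s.blind_checkouts >= SUSPICIOUS_CHECKOUTS:
            rung = min(3, rung + 1)
        return ACTIONS[rung]


def build_sample_log():
    """Constructed log: one human browsing, one bot hammering checkout."""
    human = [(0.0, "10.0.0.5", "/product/1"), (1.0, "10.0.0.5", "/product/2"),
             (2.0, "10.0.0.5", "/cart"), (3.0, "10.0.0.5", "/checkout")]
    bot = [(0.05 * i, "203.0.113.7", "/checkout") for i in range(120)]
    return sorted(human + bot)


def run(log):
    """Apply the ladder to a log; return {source: Counter(actions)}."""
    ladder = ChallengeLadder()
    per_source = defaultdict(Counter)
    for ts, src, path in log:
        per_source[src][ladder.decide(ts, src, path)] += 1
    return per_source


if __name__ == "__main__":
    for src, counts in run(build_sample_log()).items():
        print(src, dict(counts))
```

The human session is never challenged; the bot is delayed after its third blind checkout, made to solve a CAPTCHA once its rate passes the delay threshold, and dropped once the rate reaches the CAPTCHA threshold, one rung earlier than rate alone would justify. In practice the behavior signal is what catches the distributed card-testing case, because each bot address stays below the rate thresholds on its own.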

2. Create a Protective Policy

Beyond in-place solutions, governments can also leverage evolving documentation to create consistent IoT policies. This includes the National Institute of Standards and Technology’s SP 800-213 series, which “addresses the needs of federal agencies seeking to deploy IoT devices within their systems.”

While the NIST IoT security standards aren’t binding or legally required, they provide a functional framework to help agencies reduce the risk of botnet compromise. For instance, NIST IoT cybersecurity documentation recommends using what’s known as the manufacturer usage description (MUD, specified in RFC 8520), in which a device advertises a URL for a manufacturer-signed file describing the network communications the device is intended to have, so that the network can permit only those.

For example, a printer connected to a network would signal itself as such, in turn helping security teams narrow the scope of device communication. While it makes sense for printers to talk to PCs, laptops and servers, there’s no reason they should connect with thermostats or light switches.
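To make the printer example concrete, here is a small enforcement engine that reads a MUD-style policy and decides whether individual flows are allowed. This is an added example, not code from NIST, the article or any MUD implementation; the policy document is a constructed, simplified shape modeled on the access-list structure of RFC 8520, not a conformant MUD file, and all addresses, names and the MUD URL are assumptions.

```python
"""Intent-based allowlisting for a network printer, in the spirit of MUD.

The policy below is constructed for this example and mirrors the shape of
a MUD file: 'from-device-policy' lists what the printer may initiate,
'to-device-policy' lists who may reach it, and anything not described is
dropped. Only the 'eq' port operator is supported; everything is assumed."""
import ipaddress
import json

PRINTER_MUD_JSON = """{
  "ietf-mud:mud": {
    "mud-version": 1,
    "mud-url": "https://mud.example.invalid/printer-x1.json",
    "systeminfo": "Example office printer (constructed)",
    "from-device-policy": {"access-lists": {"access-list": [{"name": "from-printer"}]}},
    "to-device-policy":   {"access-lists": {"access-list": [{"name": "to-printer"}]}}
  },
  "ietf-access-control-list:acls": {"acl": [
    {"name": "from-printer", "type": "ipv4-acl-type", "aces": {"ace": [
      {"name": "dns", "matches": {"ipv4": {"protocol": 17, "destination-ipv4-network": "10.10.1.53/32"},
                                  "udp": {"destination-port": {"operator": "eq", "port": 53}}},
       "actions": {"forwarding": "accept"}},
      {"name": "ntp", "matches": {"ipv4": {"protocol": 17, "destination-ipv4-network": "10.10.1.123/32"},
                                  "udp": {"destination-port": {"operator": "eq", "port": 123}}},
       "actions": {"forwarding": "accept"}}
    ]}},
    {"name": "to-printer", "type": "ipv4-acl-type", "aces": {"ace": [
      {"name": "ipp-from-print-server", "matches": {"ipv4": {"protocol": 6, "source-ipv4-network": "10.10.1.20/32"},
                                                    "tcp": {"destination-port": {"operator": "eq", "port": 631}}},
       "actions": {"forwarding": "accept"}},
      {"name": "raw-from-workstations", "matches": {"ipv4": {"protocol": 6, "source-ipv4-network": "10.10.2.0/24"},
                                                    "tcp": {"destination-port": {"operator": "eq", "port": 9100}}},
       "actions": {"forwarding": "accept"}}
    ]}}
  ]}
}"""


class MudPolicy:
    def __init__(self, doc):
        data = json.loads(doc)
        mud = data["ietf-mud:mud"]
        acls = {a["name"]: a for a in data["ietf-access-control-list:acls"]["acl"]}
        self.direction = {
            "from-device": [acls[e["name"]] for e in mud["from-device-policy"]["access-lists"]["access-list"]],
            "to-device": [acls[e["name"]] for e in mud["to-device-policy"]["access-lists"]["access-list"]],
        }

    @staticmethod
    def _ace_matches(ace, flow):
        m = ace["matches"]
        ip = m.get("ipv4", {})
        if "protocol" in ip and ip["protocol"] != flow["proto"]:
            return False
        for key, f in (("source-ipv4-network", "src"), ("destination-ipv4-network", "dst")):
            if key in ip and ipaddress.ip_address(flow[f]) not in ipaddress.ip_network(ip[key]):
                return False
        l4 = m.get("tcp") or m.get("udp") or {}
        for key, f in (("source-port", "sport"), ("destination-port", "dport")):
            if key in l4:
                spec = l4[key]
                if spec["operator"] != "eq":
                    raise NotImplementedError("only the 'eq' port operator is modelled here")
                if spec["port"] != flow[f]:
                    return False
        return True

    def decide(self, direction, src, dst, proto, sport, dport):
        """First matching ACE wins; a flow nobody described is dropped."""
        flow = dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport)
        for acl in self.direction[direction]:
            for ace in acl["aces"]["ace"]:
                if self._ace_matches(ace, flow):
                    return ace["actions"]["forwarding"], ace["name"]
        return "drop", "implicit-deny"


def evaluate_sample_flows(policy, printer_ip="10.10.5.9"):
    """Constructed flows: legitimate print traffic plus a thermostat and an
    outbound connection to the internet, which a printer has no reason to make."""
    flows = [
        ("workstation prints", "to-device", "10.10.2.15", printer_ip, 6, 51515, 9100),
        ("print server IPP", "to-device", "10.10.1.20", printer_ip, 6, 40000, 631),
        ("thermostat to printer", "to-device", "10.10.3.44", printer_ip, 6, 40001, 9100),
        ("printer DNS lookup", "from-device", printer_ip, "10.10.1.53", 17, 5353, 53),
        ("printer to thermostat", "from-device", printer_ip, "10.10.3.44", 6, 40002, 80),
        ("printer to internet", "from-device", printer_ip, "198.51.100.9", 6, 40003, 443),
    ]
    return {label: policy.decide(*rest)[0] for label, *rest in flows}


if __name__ == "__main__":
    for label, action in evaluate_sample_flows(MudPolicy(PRINTER_MUD_JSON)).items():
        print(f"{label:24s} {action}")
```

The useful property is the last line of decide: the device's intent is expressed as an allowlist, so a compromised printer that starts scanning the thermostat subnet or beaconing to an outside address is dropped without anyone having written a rule for that case. The caveat is that MUD only describes intent; enforcement depends on the network fetching the file from the URL the device emits (over DHCP, LLDP or an X.509 extension), verifying the manufacturer's signature on it and translating the access lists into switch or firewall rules, and a file from an untrusted manufacturer deserves no more trust than the device itself.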

3. Work with Knowledgeable Partners

Agencies can benefit by partnering with IoT device manufacturers whose products let IT administrators change device logins and passwords, rather than shipping with default or hardcoded credentials baked into firmware that cannot be modified; default credentials are precisely what early botnets such as Mirai relied on to recruit devices.

Put simply, more devices mean more risk for state and local agencies. Organizations need a dual-track security approach that creates a consistent policy for improved control of in-house devices and leverages experienced security partners to deliver the bandwidth, logic and machine learning necessary to combat evolving outside attacks.
