The Hunt for Major League IoT-ICS Threats: A Deep Dive into IoT Threat Terrain

Presented at Black Hat Europe 2020 Virtual, Dec. 10, 2020, 12:30 p.m. (40 minutes)

Because the Internet of Things is a major part of modern life, security threats are everywhere. Security incidents, as well as the results of our many threat hunts, have shown us that hundreds of millions of devices have been compromised by attackers' malicious actions, conscripted into large botnets, or disrupted by malicious programs taking advantage of zero-day or one-day vulnerabilities.

In order to reinforce detection and defensive capabilities against such IoT-ICS threats, we have deployed hundreds of automated threat hunting engines worldwide. In the past year, we have received and analyzed more than 45 TB of traffic, detected over 1.1 billion attacks from over 200 countries, and identified more than 400 million suspicious IPs, more than 30 million suspicious domains, and over 1 million malicious files (RATs, trojans, worms, ransomware, and so on). Among those malicious files, more than 40% are unknown -- VirusTotal couldn't recognize them. We also found that more than 1.1 million devices may have been assimilated into botnets.

This talk will share in detail how we built an automated large-scale threat hunting system, and give a deep look into the overall threat situation and trends through 6 hunting examples from the past year. We will share the outcomes of and responses to the threats we found, and the next steps for our threat hunting project.


Presenters:

  • Patrick Kuo - Threat Researcher, TXOne Networks
    Patrick Kuo is a threat researcher and hunting system operator for TXOne Networks. He focuses on big data analysis, threat hunting engine building, and threat hunting system development. For big data analysis, Patrick has focused on monitoring and classifying malicious payloads from big data, and then analyzing the correctness and uniqueness of these payloads. For the threat hunting engine, Patrick has focused on building, integrating, refactoring and improving the engine to improve its ability to hunt malicious attacks and payloads. For the threat hunting system, Patrick has focused on creating a complete and adjustable infrastructure to process and analyze large amounts of data flow in real time.
  • Mars Cheng - Threat Researcher, TXOne Networks
    Mars Cheng is a threat researcher at TXOne Networks, blending a background and experience in both ICS/SCADA and enterprise cybersecurity systems. Mars has identified more than 10 CVE-IDs, and has had work published in three Science Citation Index (SCI) applied cryptography journals. Before joining TXOne, Mars was a security engineer at the Taiwan National Center for Cyber Security Technology (NCCST). Mars is a frequent speaker and trainer at several international cyber security conferences, such as ICS Cyber Security Conference Asia and USA 2019, HITB Lockdown 002 and Abu Dhabi 2019, SecTor 20, and HITCON 2019, as well as other conferences and seminars related to the topics of ICS and Internet of Things (IoT) security. Mars was vice general coordinator of HITCON 2020.