Understanding Indicators of Compromise in the Internet of Things (IoT) Landscape

Indicators of compromise (IoCs) are a foundational concept in cybersecurity. In simple terms, an IoC is a piece of information that signifies a potential security breach or cyberattack. This indicator could be a lot of different things: a file, an IP address, a domain name, a registry key, or any other evidence of malicious activity. 

IoCs are used in incident response and digital forensics to identify attacks in progress, track pathways through critical systems, and understand how cyber criminals could have breached information architecture. Cybersecurity vendors will use IoCs to update their protection technologies, and defenders in companies of all sizes will use them to ensure that they’re protected. 

IoCs are distinct from Indicators of Attack (IoAs) in that IoAs signify that an attacker is trying to gain access. IoCs are what’s left behind when someone has already compromised the system. 

As IoCs from known cyberattackers become common knowledge, cybersecurity professionals will be able to more accurately respond to threats and lock down any potential impact on their systems. 

In the Internet of Things (IoT) and Internet of Medical Things (IoMT) landscape, understanding potential indicators of compromise becomes especially important. The feature-limited devices inherent in IoT and IoMT make knowing what to look for – and when – vital. 

Types of Indicators of Compromise 

There are a lot of potential IoCs that may occur when an attacker breaches critical systems. Some, such as file-based IoCs, are less relevant to IoT and IoMT because connected devices tend not to have the storage space or functionality required to receive anything but the most rudimentary files.

A few of the common IoCs to look out for in IoT/IoMT install bases are: 

  • Anomalous outbound traffic – A connected device sending outbound traffic to an unfamiliar or suspicious destination, such as an unknown IP address or a malicious website, or sudden spikes or dips in its network traffic.
  • Unexpected software updates – If the IoT/IoMT device updates with new software on an unexpected schedule, this could be an indication that there is an attack in progress. Manufacturers may remotely update their products, but these updates should come on a set schedule and with extensive advance warning. Be wary if an update occurs off schedule.
  • Unusual traffic between ports – Network traffic patterns between internal systems that deviate from normal, such as unexpected ports being opened or traffic between specific ports that is abnormal for the organization, can raise red flags. Using a combination of dedicated IoT security tools and network traffic monitoring can help identify these anomalies.
  • Geographic abnormalities – If access is being requested from unusual geographies, such as an IoT device sending information to a country it does not normally communicate with, that could be a sign of compromise. Sending data back to a manufacturer in China isn’t necessarily unusual, but if a device that has been sending data to China suddenly starts sending data to Russia, that could be cause for concern.

These are not necessarily all the IoCs that can occur on IoT/IoMT devices, but they are a good baseline to understand what types of information might indicate an attacker has gained a foothold on these technologies. 

To be considered an IoC, an indicator must satisfy the following three conditions:

  • Observable: there must be visible evidence of a malicious event happening.
  • Context: the artifact must fit the specific context of the attack. In a phishing campaign, IoCs should be suspicious URLs or email attachments – items specific to phishing emails.
  • Metadata: there has to be additional information that enables security teams to make sense of the IoC. This could be the indicator source, date, time of occurrence, and related artifacts linked to the attack.

IoCs, in other words, point you to the tools used to carry out the attack, different touchpoints on the attack chain, and the result of the attack. 
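The following is an added example, not Asimily's code or any part of the original post. It turns the four IoT/IoMT indicators listed above (anomalous outbound destinations and traffic spikes, off-schedule update-server contact, unusual ports, and geographic changes) into baseline-driven checks over outbound flow records, and each alert it raises carries the three elements just described: the observable, the context that makes it suspicious for that device, and metadata (source, time, related artifacts). Every device name, IP address, country mapping, threat-intel entry and flow record is constructed for the example; `GEO`, `BAD_IPS` and `UPDATE_HOSTS` stand in for a GeoIP database, a threat-intelligence feed and the manufacturer's update server.

```python
"""Baseline-driven IoC checks for IoT/IoMT outbound flows.

Added example, not Asimily's code. Devices, addresses, countries and flow
records are constructed; GEO, BAD_IPS and UPDATE_HOSTS stand in for a GeoIP
database, a threat-intel feed and the manufacturer's update server.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Constructed lookups (documentation ranges, not real hosts).
GEO = {"203.0.113.10": "CN", "203.0.113.44": "CN", "192.0.2.55": "US", "198.51.100.7": "RU"}
BAD_IPS = {"198.51.100.7"}          # constructed threat-intel blocklist entry
UPDATE_HOSTS = {"203.0.113.44"}     # constructed manufacturer update server


@dataclass(frozen=True)
class Baseline:
    dst_ips: frozenset
    dst_ports: frozenset
    countries: frozenset
    update_hours: frozenset   # hours of day in which update-server contact was seen
    mean_bytes: float


@dataclass
class Alert:
    ioc_type: str
    device: str
    observed: str    # the observable: what was actually seen
    context: str     # why it is suspicious for this particular device
    metadata: dict   # source, time and related artifacts for the analyst


def hour_of(ts):
    return datetime.fromisoformat(ts).hour


def learn_baseline(flows):
    """Build one Baseline per device from flows captured during a clean learning period."""
    per_device = defaultdict(list)
    for f in flows:
        per_device[f["device"]].append(f)
    baselines = {}
    for device, fl in per_device.items():
        baselines[device] = Baseline(
            dst_ips=frozenset(f["dst_ip"] for f in fl),
            dst_ports=frozenset(f["dst_port"] for f in fl),
            countries=frozenset(GEO.get(f["dst_ip"], "??") for f in fl),  # "??" = unknown geo
            update_hours=frozenset(hour_of(f["ts"]) for f in fl if f["dst_ip"] in UPDATE_HOSTS),
            mean_bytes=mean(f["bytes"] for f in fl),
        )
    return baselines


def evaluate(flow, baselines, spike_factor=5.0):
    """Return the list of IoC alerts raised by one outbound flow record."""
    device = flow["device"]
    meta = {"source": "netflow", "time": flow["ts"], "dst_ip": flow["dst_ip"],
            "dst_port": flow["dst_port"], "bytes": flow["bytes"]}
    base = baselines.get(device)
    if base is None:  # a device with no baseline cannot be judged normal
        return [Alert("unknown-device", device, f"flow from {device}",
                      "device has no learned baseline", meta)]
    alerts = []
    country = GEO.get(flow["dst_ip"], "??")
    if flow["dst_ip"] in BAD_IPS:
        alerts.append(Alert("anomalous-outbound", device, f"traffic to {flow['dst_ip']}",
                            "destination is on the threat-intel blocklist", meta))
    elif flow["dst_ip"] not in base.dst_ips:
        alerts.append(Alert("anomalous-outbound", device, f"traffic to {flow['dst_ip']}",
                            "destination never seen during baseline", meta))
    if flow["dst_port"] not in base.dst_ports:
        alerts.append(Alert("unusual-port", device, f"destination port {flow['dst_port']}",
                            "port not used by this device during baseline", meta))
    if country not in base.countries:
        alerts.append(Alert("geographic-abnormality", device, f"traffic to {country}",
                            f"device normally talks only to {sorted(base.countries)}", meta))
    if flow["dst_ip"] in UPDATE_HOSTS and hour_of(flow["ts"]) not in base.update_hours:
        alerts.append(Alert("unexpected-update", device, f"update-server contact at {flow['ts']}",
                            f"updates normally occur in hours {sorted(base.update_hours)}", meta))
    if flow["bytes"] > spike_factor * base.mean_bytes:
        alerts.append(Alert("traffic-spike", device, f"{flow['bytes']} bytes in one flow",
                            f"more than {spike_factor}x the baseline mean of {base.mean_bytes:.0f}", meta))
    return alerts


# Constructed learning-period flows for an infusion pump: telemetry to its
# manufacturer in CN, MQTT to a local broker in US, and a 02:00 update check.
LEARNING_FLOWS = [
    {"device": "pump-01", "ts": "2024-05-01T09:00:00", "dst_ip": "203.0.113.10", "dst_port": 443, "bytes": 2000},
    {"device": "pump-01", "ts": "2024-05-01T10:00:00", "dst_ip": "203.0.113.10", "dst_port": 443, "bytes": 2200},
    {"device": "pump-01", "ts": "2024-05-01T11:00:00", "dst_ip": "192.0.2.55", "dst_port": 8883, "bytes": 1800},
    {"device": "pump-01", "ts": "2024-05-02T02:00:00", "dst_ip": "203.0.113.44", "dst_port": 443, "bytes": 2000},
]
BASELINES = learn_baseline(LEARNING_FLOWS)


def ioc_types(flow):
    """Sorted IoC types a flow triggers against the learned baselines."""
    return sorted(a.ioc_type for a in evaluate(flow, BASELINES))


if __name__ == "__main__":
    # The "China is normal, Russia is not" case from the text.
    suspect = {"device": "pump-01", "ts": "2024-05-03T13:00:00", "dst_ip": "198.51.100.7", "dst_port": 443, "bytes": 2100}
    for a in evaluate(suspect, BASELINES):
        print(a.ioc_type, "|", a.observed, "|", a.context, "|", a.metadata["time"])
```

The baseline is learned per device rather than per network because the post's point about context is that the same destination can be normal for one device and alarming for another; the blocklist check runs before the baseline check so a known-bad destination is labelled as such even if it happened to appear during the learning window.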

How to Integrate IoCs into IoT/IoMT Security 

IoT and IoMT devices are highly feature-limited. In some respects, this makes the devices easier to secure because there are fewer possibilities for threat actors to compromise them. This doesn’t mean that connected devices can be ignored in security practices, however. 

The same thing goes for IoCs. Tracking down IoCs and monitoring for their occurrence in your network is a vital component of any defensive strategy. If an MRI suddenly has an indicator of compromise, then security teams can know that they need to respond to a potential incident in progress. 

To fully integrate IoCs into your IoT/IoMT security program, you need a solution that can track these indicators on IoT devices. Traditional defensive solutions that focus on workstations and network equipment can do some of this, but they do not easily identify IoT/IoMT devices connected to your network architecture. Identifying the connected devices and understanding their normal operations are key to being able to recognize IoCs on these systems. 

These indicators are a critical component of your threat intelligence operation, as well as incident response and digital forensics. Having the right tooling to ingest IoCs from connected devices makes it possible to leverage the data from that equipment accurately and efficiently. 

How Asimily Helps Monitor for Indicators of Compromise

The Asimily platform is designed with IoT/IoMT device security in mind. It easily integrates into an organization’s IT and security technology stack. It is designed to monitor traffic to and from IoT equipment and discover anomalous behavior that may indicate an attack. Using its ability to passively scan the network for IoT/IoMT devices and surface key information like MAC address, communication protocols in use, and more, Asimily helps defenders easily identify IoCs and respond to attacks in progress.

Asimily also provides vulnerability information on high-risk weaknesses with a proprietary algorithm fueled by vast amounts of data from resources like EPSS (Exploit Prediction Scoring System), Software Bills of Materials (SBOMs), Common Vulnerabilities and Exposures (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. This vulnerability intelligence empowers security professionals with the information they need to prioritize identified vulnerabilities based on their specific context and resolve the highest-impact weaknesses quickly.

Using these insights, Asimily customers can resolve issues in their systems and monitor their technology architecture for IoCs with the confidence that they can identify where the attack originated and respond quickly. This way, critical IoT and IoMT devices can be protected from attack, and threat actor access to critical data is limited. 

Asimily customers receive peace of mind from knowing what systems are attached to their networks and which ones need the most mitigations. With this insight, as well as improved monitoring, Asimily customers can better defend their IoT systems and critical information from threat actors. As more attacks focus on IoT/IoMT devices, this ability to respond quickly and efficiently is even more important. Asimily makes that happen. 

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.
