With the development of network technology, the demand of Internet of Things (IoT) devices has grown significantly. However, many IoT devices might not be designed and managed irrespective of security concerns. The representative real attack involving an IoT device occurred in South Korea on 29 Nov 2014. The DNS server of a major Internet Service Provider (SK Broadband) was attacked by a large amount of packets from approximately one thousand addresses. We detected over 15 million packets in one second. It was a type of Distributed Denial of Service (DDoS) attack with the highest number of packets per second for an attack in South Korea. The attack continued for an hour and affected other services. Eventually, about 5 million subscribers, who were one-fourth of the total of 20 million subscribers, suffered from the interruption. We analyzed the IP addresses of packets and determined the cause of the attack. The attack came from IoT devices such as home routers, network switches, network-connected CCTVs and STB (SetTop Boxes) of IPTV, not a computer which is generally used for a DoS attack. We traced back to the sources and recognized the firmware of devices was infected by malicious codes for DDoS zombies. In this presentation, we will show how we detected the attack and concluded the source of attack was IoT devices with instances of the real case above. In addition, we will present a flow of the attack and describe how the attacker used security vulnerabilities of IoT devices. Next, we will suggest counter measures based on what we did with the real case.

How to Rapidly Build Security Analysis: From Benches to Trenches, Michael Collins, Redjack

In this talk, we will discuss our methods for rapidly creating and deploying new information security analysis tools.  Analytic development has a high failure rate: many proposed ideas fail due to variations in sensor data, performance issues, or a misunderstanding of live network traffic.  Even ideas that succeed at first can fail in the long term, as attackers recognize successful methods and work their way around them.

Effective analytic development requires that the development team learn to experiment, develop tools rapidly, and learn from failure.  In this talk, we will draw on our experiences develop analytic tools for the government and private sectors, and outline a methodology for developing tools.  Our approach is based around three key principles: a solid infrastructure supporting exploratory data analysis, a tight relationship with operational security personnel, and a clearly defined path for transferring, evaluating and deprecating analytical tools.  We will discuss lessons learned in building analytical systems, and how these can be adopted with current technology.