#BHEU: IoT Threat Hunting Detects Over One Billion Attacks

The development of an Internet of Things (IoT) threat hunting framework enabled the discovery of over a billion attacks.

Speaking at Black Hat Europe, TXOne threat researchers Mars Cheng and Patrick Kuo discussed the threat hunting framework they had developed for IoT malware.

They explained that they had created the framework as they had noticed the increase of DDoS attacks, as well as “the weapons including IoT malware and botnets” and Cheng said that, according to research, 20% of attacks in 2020 were related to IoT.

They said the benefits of using an automated threat hunting system include:

• Automatic detection and real-time blocking of various threats
• Instantly locating various threat trends
• Follow-up analysis of a large number of intelligence resources by threat analysts
• The cost of human maintenance is extremely low

They said their IoT hunting service is capable of analyzing 20 terabytes of traffic across IoT and ICS. “We do not need to dedicate a lot of powerful machines to do the processing to help cut down on costs,” Cheng said. It has been able to detect 1.2 billion attacks, including detecting 70 million malicious IP addresses and 15 million suspicious domains, as well as a possible 1.4 million botnet devices.

“If we count back all the way to early 2019, we analyzed 45TB of data,” Cheng said, and they were able to distinguish 70 million suspicious domains. The countries with the most devices tied up in botnets were Vietnam with 1.6 million, China with 1.3 million and India with one million. The most attacked countries were the USA with 316 million attacks, more than double for India with 155 million attacks.

Asked by Infosecurity if they were surprised by the number of attacks they found, the speakers they said they were, as it can typically take one to two days to analyze malware and understand what kind of malware it is and its behaviors. “With so much unknown malware, we need to spend time to analyze,” Cheng said.