Intelligent CISO Issue 03 | Page 84

SANS INTERNET STORM CENTER ANALYSES SPREAD OF ROUTER ATTACKS IN ME

Johannes Ullrich, Dean of Research at SANS Institute and founder of the Internet Storm Center, discusses the cybersecurity risk to routers and the trends his team has seen in the Middle East.

These days, any unprotected or inadequately protected device exposed to the Internet is at risk of attack from cybercriminals. This includes routers that businesses and individuals alike use to connect to high-speed Internet connections, either via DSL or wireless (LTE).

These are a popular and frequent target of attackers, since they are often easily attacked via exposed administrative control panels. Once an attacker gets access to a device, the owner is less likely to notice the infection than on a desktop computer. Desktop computers usually have anti-virus installed to warn the user about malicious code and the performance impact of malware is more likely to be noticed.

An infected router can easily be used to intercept traffic from the network or to inject malicious content into traffic passing through the router. For example, an attacker can then wait until a user downloads an update and replace the update with malicious code.

Working in collaboration with DShield.org, SANS Internet Storm Center (SANS ISC) has been collecting reports from the routers of a large global network of volunteers since 2001 to analyse and provide early detection of specific attacks.

Cybercriminals can use the access they have gained to these devices to then intercept traffic passing through it.

Johannes Ullrich, Dean of Research at SANS Institute and founder of the Internet Storm Center

These volunteers operate sensors on their routers that detect unwanted traffic directed at these sensors. Ever since 2001, we have seen that a large percentage of these scans originate from compromised systems that are used by cybercriminals to find new victims.

Indeed, by analysing this data over the last few years, the SANS ISC has observed the rapid spread of botnets like Mirai and Satori. These botnets seek to connect to unprotected Internet of Things devices – like security cameras and digital video recorders that are exposed on the Internet – and to then infect them. They also attack unprotected routers. More recently, widespread attacks