Security Lessons from the Raspberry Pi Attack at NASA
Why east-west visibility and automated asset discovery matter
Daniel Chu
July 23, 2019
Now that we're past the initial rush of news stories about how hackers used a Raspberry Pi device in a successful data breach at the NASA Jet Propulsion Laboratory, it's time to think about what we can learn from the incident. If you're unfamiliar with the attack, check out this ZDNet article for more details.
The article links to this 49-page NASA Office of the Inspector General (OIG) report about the breach that dives into the failures that allowed the data theft to happen while offering suggestions about how to prevent future attacks.
For those of us who might not want quite that much detail, a few major takeaways rise to the top.
First, east-west visibility is very important, and automated asset discovery is equally critical. As more organizations migrate to the cloud and welcome an increasing number of internet-of-things (IoT) devices, supporting CIS Control 1 (Inventory and Control of Hardware Assets) is a must-have capability.
The report also offers a critique of the perimeter-based and log-focused security controls that most organizations still rely on almost exclusively today.
Finally, the report highlights operational challenges you can solve with a network detection and response (NDR) solution that leverages wire data. Let's take a closer look!
Unmanaged Devices
As attack surfaces expand to include new (and potentially unmanaged) devices like the $35 Raspberry Pi the attackers used as a gateway into this particular network, automated asset discovery is crucial to keeping an accurate inventory of what's actually on the wire, not just what the CMDB says should be there.
Best-of-breed NDR products can automatically discover new devices as soon as they communicate, because every device, managed or not, has to send packets to do anything useful. Some NDR solutions can also auto-classify devices by group and use machine learning-powered detections to fire accurate alerts whenever a device exhibits behavior that's anomalous for its group.
Lack of East-West Visibility
Once through the gateway, the attackers pivoted inside the IT infrastructure, gained access to sensitive data, and started the exfiltration. Part of the problem was a lack of segmentation in the network, but because the security team was also blind to lateral movement, they couldn't detect, much less stop, the attack.
By leveraging network data, whether on-premises via a physical tap or SPAN port or in the cloud via a virtual tap or traffic mirroring, NDR products eliminate the darkspace where attackers hide. Products that can decrypt TLS 1.3 traffic see even further, with the caveat that TLS 1.3's forward secrecy rules out passive decryption with a static server key: the session keys have to be forwarded from the endpoints or the TLS terminator to the sensor.
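The two sections above (Unmanaged Devices and Lack of East-West Visibility) describe what a wire-data sensor actually does: build an inventory from whoever talks on the network, then flag hosts that move laterally or push data out. The following is an added example written for this post, not code from the original article or from ExtraHop. It assumes connection records in JSON-lines form using Zeek's conn.log field names (`id.orig_h`, `id.resp_h`, `id.resp_p`, `orig_bytes`, and so on), an inventory keyed by IP address, and thresholds (admin ports, fan-out count, egress bytes) chosen here purely for illustration; the log lines and the inventory are constructed sample data.

```python
"""Passive asset discovery plus east-west and egress detection over conn records.

Added example, not code from the original post or from ExtraHop. Assumes
Zeek-style conn.log records in JSON-lines form, an IP-keyed inventory, and
site-specific thresholds that are illustrative only.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample data: six flows, four of them from a host the inventory
# has never heard of (10.1.1.77).
SAMPLE_CONN_LOG = """\
{"ts": 1560000000.0, "id.orig_h": "10.1.1.20", "id.orig_p": 51000, "id.resp_h": "10.1.1.5", "id.resp_p": 443, "proto": "tcp", "orig_bytes": 1200, "resp_bytes": 8800}
{"ts": 1560000010.0, "id.orig_h": "10.1.1.77", "id.orig_p": 40001, "id.resp_h": "10.1.1.5", "id.resp_p": 22, "proto": "tcp", "orig_bytes": 3000, "resp_bytes": 4000}
{"ts": 1560000020.0, "id.orig_h": "10.1.1.77", "id.orig_p": 40002, "id.resp_h": "10.1.2.9", "id.resp_p": 445, "proto": "tcp", "orig_bytes": 1500, "resp_bytes": 900}
{"ts": 1560000030.0, "id.orig_h": "10.1.1.77", "id.orig_p": 40003, "id.resp_h": "10.1.3.14", "id.resp_p": 3389, "proto": "tcp", "orig_bytes": 1100, "resp_bytes": 700}
{"ts": 1560000040.0, "id.orig_h": "10.1.1.77", "id.orig_p": 40004, "id.resp_h": "203.0.113.7", "id.resp_p": 443, "proto": "tcp", "orig_bytes": 250000000, "resp_bytes": 1200}
{"ts": 1560000050.0, "id.orig_h": "10.1.1.20", "id.orig_p": 51001, "id.resp_h": "203.0.113.7", "id.resp_p": 443, "proto": "tcp", "orig_bytes": 5000, "resp_bytes": 70000}
"""

# Constructed inventory: what the CMDB believes is on the network.
KNOWN_ASSETS = {
    "10.1.1.5": "file-server",
    "10.1.1.20": "analyst-laptop",
    "10.1.2.9": "dc01",
    "10.1.3.14": "jump-host",
}

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed address plan
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}               # SSH, SMB, RDP, WinRM
FANOUT_THRESHOLD = 3              # distinct admin-port targets before we call it lateral movement
EGRESS_BYTES_THRESHOLD = 100_000_000  # 100 MB out of the network from one host


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def discover_unknown_hosts(records: list, inventory: dict) -> dict:
    """Passive discovery: every internal address seen on the wire that the
    inventory does not know about, with the time it was first observed."""
    first_seen = {}
    for r in records:
        for ip in (r["id.orig_h"], r["id.resp_h"]):
            if is_internal(ip) and ip not in inventory:
                first_seen[ip] = min(first_seen.get(ip, r["ts"]), r["ts"])
    return first_seen


def detect_lateral_movement(records: list, inventory: dict) -> list:
    """Internal-to-internal use of admin protocols. Flag an initiator that is
    not in the inventory at all, and any initiator that fans out to
    FANOUT_THRESHOLD or more distinct internal targets."""
    targets = defaultdict(set)
    for r in records:
        src, dst, port = r["id.orig_h"], r["id.resp_h"], r["id.resp_p"]
        if is_internal(src) and is_internal(dst) and port in ADMIN_PORTS:
            targets[src].add(dst)
    alerts = []
    for src, dsts in targets.items():
        reasons = []
        if src not in inventory:
            reasons.append("unknown host using admin protocols")
        if len(dsts) >= FANOUT_THRESHOLD:
            reasons.append(f"fan-out to {len(dsts)} internal hosts")
        if reasons:
            alerts.append({"host": src, "targets": sorted(dsts), "reasons": reasons})
    return alerts


def detect_exfiltration(records: list) -> list:
    """Bytes each internal host sent to external addresses over the window."""
    egress = defaultdict(int)
    for r in records:
        src, dst = r["id.orig_h"], r["id.resp_h"]
        if is_internal(src) and not is_internal(dst):
            egress[src] += r.get("orig_bytes", 0)
    return [{"host": h, "bytes_out": b} for h, b in egress.items() if b >= EGRESS_BYTES_THRESHOLD]


def analyze(text: str, inventory: dict) -> dict:
    records = parse_conn_log(text)
    return {
        "unknown_hosts": discover_unknown_hosts(records, inventory),
        "lateral_movement": detect_lateral_movement(records, inventory),
        "exfiltration": detect_exfiltration(records),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(analyze(SAMPLE_CONN_LOG, KNOWN_ASSETS))
```

Run on the sample, the script surfaces 10.1.1.77 as a never-inventoried host the moment it first speaks, then ties its SSH, SMB and RDP connections to three internal targets and its quarter-gigabyte upload to an external address back to that same unknown host. The interesting design point is that none of this needed an agent or a log from the compromised device: a host that is not in the CMDB will never send you a log, but it cannot avoid sending packets.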
Problems with Logs
The report noted that security problem log tickets went unresolved for extended periods, sometimes up to 180 days. So even if the security team had received an actionable alert, it would likely have been buried under a stack of less critical warnings.
Logs don't ship themselves to a SIEM or other log-based security product, and those products don't review logs or find attacks on their own. This is where accurate alerts, combined with smart automation and the ability to capture and analyze packets, reinforce the value of NDR products backed by wire data.
Toothless Threat Hunting
Although JPL had monitoring tools that could defend against routine intrusions and misuse, its security team lacked a strong threat hunting program to detect and investigate signs of an attack.
With rules and behavior-based detections, as well as the ability to quickly drill down into packets to gather forensic evidence in a few clicks, the best NDR products can be the foundation on which organizations build effective threat hunting and incident response programs.
ExtraHop Reveal(x) and ExtraHop Reveal(x) Cloud are best-of-breed NDR solutions that security teams can use to strengthen hybrid cloud security, as well as to identify, understand, and respond to everything that's happening from the inside out.
And because the wire data they use is unimpeachable and shareable between teams and tools, NDR products like Reveal(x) and Reveal(x) Cloud can help break down organizational silos, reduce tool sprawl or give existing tools new life, and optimize your current tooling budget.
To learn more about how Reveal(x) and Reveal(x) Cloud support Security and Network Operations integration, download the complimentary white paper.