Things that Go Bump in the Night

Apparently Miranda Mowbray had been wanting to do a talk on "Things that Go Bump in the Night" for some time, and it made an excellent closing keynote for the 2019 FIRST conference in Edinburgh (recording now available on YouTube). Although "things" may increasingly need an Internet connection to operate, there are significant differences between them and end-user devices such as PCs, laptops and phones that defenders can use to their advantage.

First, the range of communications required by a "thing" should be much narrower than a general-purpose computing device. Both the protocols and destinations involved in its traffic should be easier to enumerate. Whereas networks of end-user devices may be too troublesome to do more than alert on unexpected traffic, for networks connecting things the precautionary principle of "block unknown traffic until we understand it" probably can, and should, still apply.

Where traffic is allowed, similar things (unlike similar PCs) ought to behave similarly. An unusual pattern of behaviour by a single thing – especially if that behaviour then spreads to nearby things – is probably a sign of trouble. Bumps in the night are, indeed, worth listening for: configuration changes and administrative access should happen during working hours.

But the most extreme oddities may well be mis-configurations, rather than hostile action. Two atmospheric dust sensors showed very similar peaks suggesting, perhaps, a passing dustcart. Except that their reported positions were continents apart: Boston, Massachusetts and Antarctica. After some thought it was realised that an owner swapping Latitude and Longitude was the most likely cause of this particular long-leggity beastie!