Illusive Blog October 15, 2020

Reduce Detection Blind Spots with Deceptive Emulations of IoT, OT, and Network Devices

By Jason Silberman

When it comes to IoT devices – or other network devices including routers, switches and printers – the impossibility of effectively patching or monitoring them, along with their sheer diversity, creates a mass of ideal network locations for cyberattackers to carry out reconnaissance, surveillance and data theft undetected. This article will look at a deception-led approach to reducing detection blind spots surrounding these difficult-to-secure devices.

IoT Devices and Routers – An Increasing Cyber Threat

In 2015, the hacker-focused TV series Mr. Robot included a fictional plot to destroy magnetic tape data backups held at a facility that was portrayed as both well-fortified and remote. The plan was to slowly raise the temperature of the storage room to the point where the tapes would be damaged. The means of raising the temperature was to connect an ordinary Raspberry Pi computer board to the climate control system.

That story is fictional. But there has been a very real increase in both the number of internet-connected devices (not counting smartphones, tablets and the like) and the ability and motivation of attackers to exploit vulnerabilities within them. A forecast from International Data Corporation (IDC) estimates that by 2025 there will be 41.6 billion connected IoT devices. Security researchers from F-Secure have issued a stark warning that cyberattacks on IoT devices are now accelerating at an unprecedented rate. The company’s “Attack Landscape H1 2019” report measured a three-fold increase in attack traffic, to more than 2.9 billion events.

And what of IoT’s twin, the network devices like routers and switches? They are very vulnerable as well. In 2018, 200,000 Cisco network switches were brought down in a global cyberattack. In the same year, we saw a sharp increase in attacks on routers, most notably from APTs like Russia’s Fancy Bear. The FBI even issued a warning in response to these attacks. Finally, figures in Avast’s Threat Landscape Report for 2019 suggest that 60 percent of users have never updated their router firmware, leaving them open to attacks primed to exploit simple vulnerabilities.

So why are IoT and network devices such a challenge? For many reasons:

  • The sheer diversity of devices: everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, routers, switches and printers to the Alexa devices people bring into work (though it is true that we’re mostly working at home right now).
  • While connected to the corporate IT network, they are often unmonitored.
  • These devices expand the attack surface, and most of them aren’t covered by traditional defenses. Take for example internet-connected medical devices – you can’t install anything like endpoint deceptions on them.
  • Device manufacturers focus mainly on the performance and usability of IoT devices but neglect security measures and encryption mechanisms, which is why they are routinely being hacked.
  • Network devices in particular are always on, seldom updated and often left at default settings.
  • The wide range of available network devices, and the difficulty of supporting and updating all of them, has created a gap that legacy security stacks struggle to fill effectively.

Challenges surrounding OT / ICS machines

Nearly every organization has systems that are difficult or impossible to secure through its standard controls, maintenance and monitoring processes. Not everything can be perfectly locked down. It’s the stark—though risky—reality of today’s diverse IT environments.

Some technologies have inherent security limitations or are subject to third-party restrictions. These systems were designed decades ago without today’s attacks in mind, and often can’t be patched, monitored or protected with the latest controls. In other cases, security takes a back seat when organizations face resource constraints or make deliberate choices to prioritize uptime over ideal security practices.

But cyberattackers are adept at finding weak links. When unsecurable systems support mission-critical processes or access to valuable data, defense gaps create dangerous potential for sabotage, espionage, and data theft. As IT security hardens and threats evolve, operational technology and industrial control systems are increasingly targeted: Stuxnet, TRITON, and the notorious attacks on Ukraine’s power grid all illustrate the risks of vulnerable OT.

Illusive Deceptive Device Emulations – Better Visibility, Threat Detection and Response

With Illusive’s technology, organizations can prevent attackers from ever reaching business-critical systems—which is especially important for devices that cannot be properly secured. 

Through three groups of customizable device emulations, deception technology can be extended to cover high-risk OT, IoT, and IT network infrastructure:

  • IoT Emulations – Customizable emulations mimicking any IoT device running on any IoT protocol. IoT Emulations poison an organization’s potential attack surface by flooding its network with a scalable web of deceptive IoT devices that appear real to attackers.
  • Network Device Emulations – Customizable emulations of routers, switches, printers, VoIP systems and other network devices, designed to detect attacks against network communications infrastructure. Illusive deploys a web of these highly credible emulations across the network, along with endpoint data deceptions that point to them as lures.
  • OT Emulations – Customizable OT emulations, and data-based lures such as deceptive jump servers and workstations leading to the emulations, are spread across the network and appear to attackers as components of real OT systems. Ultimately, Illusive emulations prevent increasingly common OT attacks, eliminate threat detection blind spots without interruptions and secure infrastructure without the need to take vital OT systems offline.

These emulations look authentic and are indistinguishable, to attackers, from genuine OT, IoT and network devices, so attackers interact with them and reveal their presence. Upon any attacker interaction, an emulation immediately sends a high-fidelity incident record to defenders, with full and detailed forensics, so organizations can monitor, counter, block, and collect intelligence about threats in real time.
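To make the detection principle concrete, here is a minimal device-emulation decoy written for this article; it is an added illustration, not Illusive’s product code. It listens like a router’s management console, offers no real service, and converts every connection into a high-fidelity incident record of the kind described above. The persona name, the banner text, and the sample peer address are constructed for the example and do not correspond to any real device.

```python
# Minimal device-emulation decoy: listens like a network device, offers no real
# service, and turns every interaction into a high-fidelity incident record.
# Added illustration, not Illusive's product code. The persona, banner and
# simulated probe below are constructed for the example.
import datetime
import json
import socket
import threading

# Constructed persona: a router-style management console. The banner is a
# hypothetical string, not a real vendor firmware banner.
ROUTER_PERSONA = {
    "name": "decoy-edge-router-01",
    "device_type": "router",
    "banner": b"\r\nUser Access Verification\r\n\r\nUsername: ",
}

MAX_CAPTURE = 4096  # bytes of attacker input retained for forensics


def build_incident_record(persona, peer, banner_sent, received):
    """Turn one decoy interaction into a record for the SOC.

    Any connection to a decoy is suspicious by construction: no legitimate
    workflow references it, so severity is fixed at high rather than scored.
    """
    src_ip, src_port = peer
    return {
        "timestamp": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "severity": "high",
        "decoy": persona["name"],
        "device_type": persona["device_type"],
        "source_ip": src_ip,
        "source_port": src_port,
        "banner_sent": banner_sent,
        "bytes_received": len(received),
        # A bare connect (port scan) and an interactive session are both
        # alerts, but analysts want to tell them apart at a glance.
        "interaction": "interactive" if received else "connect-only",
        "payload_hex": received[:64].hex(),
        "payload_preview": received[:64].decode("ascii", errors="replace"),
    }


def handle_connection(conn, persona, peer, timeout=2.0):
    """Serve one decoy connection: send the fake banner, capture input, close."""
    conn.settimeout(timeout)
    banner_sent = False
    received = b""
    try:
        conn.sendall(persona["banner"])
        banner_sent = True
        while len(received) < MAX_CAPTURE:
            chunk = conn.recv(MAX_CAPTURE - len(received))
            if not chunk:
                break
            received += chunk
    except OSError:
        pass  # scanners often disconnect early; the record is still useful
    finally:
        conn.close()
    return build_incident_record(persona, peer, banner_sent, received)


def run_demo():
    """Stand-alone demo on localhost: one decoy, one simulated probe."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    listener.listen(1)
    port = listener.getsockname()[1]
    records = []

    def accept_one():
        conn, peer = listener.accept()
        records.append(handle_connection(conn, ROUTER_PERSONA, peer))

    worker = threading.Thread(target=accept_one)
    worker.start()
    # Simulated probe (constructed input): a login attempt typed at the prompt.
    client = socket.create_connection(("127.0.0.1", port))
    client.recv(1024)  # read the decoy banner
    client.sendall(b"admin\r\n")
    client.shutdown(socket.SHUT_WR)
    client.close()
    worker.join()
    listener.close()
    return records[0]


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The design point is that the decoy never needs to understand the protocol it imitates: the banner is enough to draw an interactive session, and because nothing legitimate is configured to talk to it, every record it emits is actionable without tuning. A production deployment would ship the record to a SIEM and would vary personas and addresses so that decoys blend in with the real device population.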

Finally, it’s important to note that deploying these emulations in large numbers is simple and frictionless, and requires no infrastructure interruption.

Illusive’s next-gen IoT, OT and Network Device Emulations are engineered to mimic real-world environments in a way that fools attackers into engagement, consequently triggering a powerful response and removing unconventional infrastructure as an attack path for cyber criminals.

Want to learn more about emulations and see how easy they are to set up? Request a Demo with an Illusive cybersecurity expert today.