Jun 5, 2017

Three Critical Lessons from the Mirai Botnet Attack


In late 2016, the world discovered the Mirai Botnet. In September, the Krebs on Security website was targeted by a DDoS attack that reached up to 620 Gbps of traffic. In October, the Internet was hit by a DDoS attack of historic proportions using the Mirai Botnet: a massive coordinated attack that made high-profile names like Amazon, Netflix, Airbnb, Twitter, and Reddit inaccessible.

There are millions of new malware variants discovered every month, and there is nothing new about botnets or DDoS attacks. What makes the Mirai Botnet unique is how it takes advantage of the weak security in many IoT devices to spread and attack.


There are three critical lessons we can learn from the Mirai Botnet attack to protect IoT devices and prevent similar attacks in the future.

1. Mirai Targeted IoT Devices

Mirai leveraged known security weaknesses on IoT devices to spread rapidly around the world. Devices infected by Mirai scan the Internet in search of other exposed IoT devices to compromise. In some cases, Mirai used a table of common factory default credentials to log into and infect the IoT devices. Mirai targeted IP printers, cameras, DVRs, and other similar systems and devices connected to the Internet.

2. Most Companies Did Not Know They Were Compromised

Given how these devices connect, and that they are generally not managed and have no security on them, businesses did not know their devices had been compromised or that they were being used as part of an attack. Devices infected by Mirai continue to function normally. The only visible effects are that the devices may seem occasionally sluggish, and that network bandwidth use increases as they seek out other exposed IoT devices to compromise or communicate with a command and control server. Companies had no method of knowing these devices had been compromised; they were blind to what was happening.
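The bandwidth symptom described above is one thing a defender can observe without an agent on the device. As an added example that is not part of the original post, the following script flags internal hosts that fan out to many distinct external addresses on the telnet ports Mirai's spreader probed (TCP 23 and 2323). The flow record layout, the 10.0.0.0/8 internal range, the threshold of 20 distinct targets and the sample records are all constructed assumptions.

```python
# Added example (not from the original post): spot Mirai-style telnet scanning
# from network flow records, which is visible even when the device itself
# cannot run an agent.
from collections import defaultdict

# Mirai's spreader probed TCP 23 and 2323 (telnet); treat those as scan ports.
SCAN_PORTS = {23, 2323}
# Assumed threshold: an internal host reaching this many distinct external
# addresses on a scan port inside one log window is flagged for investigation.
DISTINCT_DST_THRESHOLD = 20

def parse_flow(line):
    """Parse a constructed 'src dst dport bytes' record; None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, dst, dport, nbytes = parts
    try:
        return {"src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}
    except ValueError:
        return None

def is_internal(ip):
    # Assumption: the site's own devices live in 10.0.0.0/8.
    return ip.startswith("10.")

def find_scanners(lines, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src: distinct external targets} for hosts at or above threshold."""
    fanout = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f is None or f["dport"] not in SCAN_PORTS:
            continue  # skip malformed records and non-telnet traffic
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            fanout[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in fanout.items() if len(d) >= threshold}

# Constructed sample: a camera at 10.0.5.20 probing 25 distinct hosts on 23/2323,
# a workstation with two ordinary telnet sessions, web traffic, and a bad line.
SAMPLE_FLOWS = (
    [f"10.0.5.20 203.0.113.{i} 23 60" for i in range(1, 16)]
    + [f"10.0.5.20 198.51.100.{i} 2323 60" for i in range(1, 11)]
    + ["10.0.7.8 192.0.2.10 23 4800", "10.0.7.8 192.0.2.11 23 5120"]
    + ["10.0.5.20 93.184.216.34 443 15000", "garbage line"]
)

if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct external telnet targets, investigate")
```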

3. Businesses Are Still Exposed

Because Mirai targets IoT and unmanaged devices, businesses are still exposed. These types of devices can’t have an agent installed. They can’t be managed or protected using traditional security or anti-malware methods. IoT and unmanaged Internet-connected devices can be compromised for the following uses:

  • An attack against a third party that appears to originate from the company
  • An attack against the company’s own network and servers
  • An exploit to gain network access for data theft or other nefarious goals

Mirai was not a one-off incident. The relative insecurity of many IoT devices is unlikely to change any time soon. Security experts are already seeing the Hajime and Persirai botnets, which follow a similar strategy of seeking out and compromising exposed IoT devices.

Because many IoT devices were not designed with security in mind, it is clear that businesses must take action. In our IoT Security Assessments, we have found that companies can’t see 40% of the devices in their environment: devices that can’t be managed or protected by traditional methods.

We believe that a net new approach is needed to address the vulnerabilities brought on by IoT and any unmanaged device. It can’t be with an agent. IoT security requires an agentless solution that will let you identify and monitor the devices and the connections they make. This is our vision. One that we are already executing on. And one that I will be talking about as we move through this internet-connected world together.
