Programmable Active Scans Controlled by Passive Traffic Inference for IoT Asset Characterization.

NOMS(2023)

Abstract
The proliferation of Internet-of-things (IoT) assets has expanded the attack surface of enterprise networks exposed to malicious actors. Therefore, obtaining visibility into connected assets and their behavioral characteristics is increasingly becoming essential to security teams in better managing their network and connected assets. Scheduled vulnerability scans are widely used by enterprises to manage traditional information technology (IT) assets. However, resource-constrained IoT assets may not always withstand disruptive active scans. Passive traffic inference tools have recently emerged for continuous network detection and response capabilities that can be safely applied to IoT and IT networks. Both active and passive approaches come with advantages and limitations in the insights they provide versus measurement and computing costs. This paper attempts to systematically and dynamically leverage the combined capabilities offered by these two approaches. Our contributions are twofold. (1) We highlight capabilities (richness of insights, response time, and temporal utility) and quantify costs (overhead traffic and computing resources) across five active scanning tools (open-source and commercial) and a commercial passive inference tool by applying them to our testbed consisting of 12 commercial IoT devices; and, (2) We develop “pScan”, a programmable packet emitter with open APIs that is dynamically controlled to perform contextualized scans on target IoT assets via SNMP, mDNS, and SSDP packets, as well as banner grabbing and custom probing via TCP connections. We show on our testbed how pScan integrated with the commercial passive inference tool helps to maximize the insights into the characteristics of IoT assets and their utility at significantly reduced costs. We contribute pScan as open source.
Keywords
IoT asset characterization, active scans, passive inference