Connect with us

Hi, what are you looking for?


IoT Security

Dangerous Liaisons: The Interaction Between Threat Actors and High-Risk Devices

Forescout’s 2024 analysis of the riskiest devices highlights vulnerabilities and threat actor interactions across IT, IoT, OT, and IoMT.

A dangerous liaison comes from a successful interaction between a threat actor and a risky device. Each year, Forescout analyzes and presents the risk score for different devices; that is, the riskiest devices most likely to suffer a dangerous liaison.

Forescout’s data is derived from almost 19 million devices deployed by its customers. The risk score is calculated from the confluence of three factors defined as configuration (severity and number of vulnerabilities together with the number and importance of open ports); behavior (effectively detected threat activity based on inbound and outbound traffic); and function (the impact on business functions potentially arising from compromise). The higher the score, the greater the risk.

In simple terms, explains Rik Ferguson, VP of security intelligence at Forescout, risk is calculated by the combination of severity in all three categories. If any category is absent, there is no risk. “No asset [device], no risk,” he told SecurityWeek; “no vulnerability, no risk; no threat actor interested in your asset, no risk. All three things must be present.”

Vulnerabilities are the big unknown – we only know about the vulnerabilities we know about. Technically, vulnerabilities known to threat actors but unknown to defenders could change the real risk; but that doesn’t lessen the value of measuring known risk by known vulnerabilities.

From these considerations, Forescout annually calculates a risk score for different devices in different verticals. “The purpose,” says Ferguson, “is to drive awareness.” This is not a predictive report, nor an action plan on what to do. It does, however, demonstrate which devices require specific and possibly urgent attention.

The devices are categorized as IT, IoT, OT, and IoMT. Routers followed by wireless access points are the riskiest IT devices. NAS and VoIP are the riskiest IoT devices. UPS and distributed control systems top the list for OT. And medical information systems and electrocardiographs come out top in IoMT. The top three verticals with the riskiest devices are technology, education, and manufacturing.

An example of how Forescout’s three risk factors combine to highlight the riskiest devices can be seen in the current threat activity against network infrastructure devices. “At the beginning of 2023, endpoints were riskier than network devices,” says Forescout. “At the end of 2023, there was a reversal in the number of vulnerabilities found and exploited in network infrastructure devices. Today, network equipment has become the riskiest IT device category surpassing endpoints.”

The threat actors have their own motivations. “Most of these devices are significantly less visible in the defenders’ security stacks, with limited to zero visibility,” comments Ferguson. “They can often be seen from an architecture perspective, but not from a security and incident event monitoring perspective.”

Advertisement. Scroll to continue reading.

Bad actors are increasingly focusing their attention on these devices because they offer an easier and stealthier entry point into the network. But simply being a network infrastructure device doesn’t mean it is a risky device: the remaining two factors still need to be present: firstly, an exploitable vulnerability, and secondly a business impact from potential compromise.

Ferguson cites the healthcare industry as an example of improving security by tackling the risky devices. This doesn’t mean that healthcare compromises have ceased, but they are lower this year than last year. “There has been a positive move within the medical sector because healthcare was getting hammered a couple of years ago and even last year,” he comments. “But we’ve seen they have hugely driven down their exposure of insecure things like RDP and telnet.”

In the number of such risky devices, the report notes, “The highest Telnet decrease was in healthcare which moved from 10% to 4%… RDP also decreased in every industry… the highest decrease was in healthcare, from 16% to 6%.”

Significantly, perhaps, healthcare now sits at #10 in the top ten verticals with the highest average device risk (7.25). Technology (8.3), education (8.14), and manufacturing (7.83) occupy the top three slots.

Geographically, China has the highest average device risk (7.32), with Canada fourth (6.51), USA fifth (6.44), and the UK thirteenth (6.0).

There is always a slight question over chicken and eggs with such reports. Is the risk a report of what is happening, or does the report focus the minds of attackers on specific new targets? It is true that the statistics for Forescout’s report are fundamentally historical, but that history is so recent (based on telemetry between January 2024 and April 2024) that it is highly pertinent right now.

If the purpose is to raise corporate awareness, Forescout’s analysis of risky devices is based on very fresh eggs.

Related: Cuttlefish Malware Targets Routers, Harvests Cloud Authentication Data

Related: Cisco Warns of Vulnerability in Discontinued Small Business Routers

Related: CVE and NVD – A Weak and Fractured Source of Vulnerability Truth

Related: Forescout Acquires Healthcare Cybersecurity Firm CyberMDX

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Jill Passalacqua has been appointed Chief Legal Officer at autonomous security solutions provider

Cisco has appointed Sean Duca as CISO and Practice Leader for the APJC region.

Megan Samford named Chief Security Officer of Schneider Electric's US National Security Agreements & US Federal Business.

More People On The Move

Expert Insights