Security monitoring

IoT gateways/brokers should be configured to look for suspicious behavior from the endpoints. As an example, MQTT brokers should capture messages from publishers and subscribers that may signal malicious behavior.

MQTT Specification Version 3.1.1 provides examples of behaviors to report:

  • Repeated connection attempts
  • Repeated authentication attempts
  • Abnormal termination of connections
  • Topic scanning
  • Sending undeliverable messages
  • Clients that connect, but do not send data
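As an added illustration (not from the book or the MQTT specification), the following Python sketch flags five of the behaviors listed above over a normalized broker event log; undeliverable messages are left out to keep it short. The event format, client names and thresholds are assumptions made for this example, and the sample log lines are constructed.

```python
from collections import defaultdict

# Constructed sample events, hypothetical format: "<epoch_s> <client_id> <event> <detail>"
SAMPLE_LOG = """\
1000 sensor-01 CONNECT ok
1005 sensor-01 PUBLISH plant/line1/temp
1010 cam-07 AUTH_FAIL bad_credentials
1011 cam-07 AUTH_FAIL bad_credentials
1012 cam-07 AUTH_FAIL bad_credentials
1020 probe-x CONNECT ok
1021 probe-x SUBSCRIBE plant/#
1022 probe-x SUBSCRIBE $SYS/#
1023 probe-x SUBSCRIBE admin/#
1024 probe-x SUBSCRIBE billing/#
1030 meter-03 CONNECT ok
1031 meter-03 DISCONNECT abnormal
1040 idle-09 CONNECT ok
1400 sensor-01 DISCONNECT clean
"""

# Thresholds are assumptions; tune them against a baseline of normal traffic.
WINDOW, MAX_CONNECTS, MAX_AUTH_FAILS, MAX_TOPIC_FILTERS, IDLE_SECS = 60, 5, 3, 3, 300

def _burst(times, limit):
    """True if `limit` or more timestamps fall within any WINDOW seconds."""
    times = sorted(times)
    return any(times[i + limit - 1] - times[i] <= WINDOW
               for i in range(len(times) - limit + 1))

def analyze(log_text):
    events = defaultdict(lambda: defaultdict(list))  # client -> event -> [(ts, detail)]
    for line in filter(str.strip, log_text.splitlines()):
        ts, client, event, detail = line.split(maxsplit=3)
        events[client][event].append((int(ts), detail))
    last_ts = max((t for ev in events.values() for seen in ev.values() for t, _ in seen), default=0)
    findings = defaultdict(set)
    for client, ev in events.items():
        if _burst([t for t, _ in ev["CONNECT"]], MAX_CONNECTS):
            findings[client].add("repeated_connection_attempts")
        if _burst([t for t, _ in ev["AUTH_FAIL"]], MAX_AUTH_FAILS):
            findings[client].add("repeated_authentication_attempts")
        if any(d == "abnormal" for _, d in ev["DISCONNECT"]):
            findings[client].add("abnormal_termination")
        if len({d for _, d in ev["SUBSCRIBE"]}) > MAX_TOPIC_FILTERS:
            findings[client].add("topic_scanning")
        end = ev["DISCONNECT"][-1][0] if ev["DISCONNECT"] else last_ts  # session end or log end
        if ev["CONNECT"] and not (ev["PUBLISH"] or ev["SUBSCRIBE"]) and end - ev["CONNECT"][0][0] >= IDLE_SECS:
            findings[client].add("connected_without_sending_data")
    return {c: sorted(f) for c, f in findings.items()}
```

In a real deployment the events would come from the broker's own log or plugin interface, mapped into this shape before analysis.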

Within the AWS IoT suite, one can take advantage of integrated log management features through CloudWatch. CloudWatch logging can be configured directly within AWS IoT to record processing events for messages flowing from devices to the AWS infrastructure.

Message logging can be set to errors, warnings, informational, or debug. Although the debug level provides the most comprehensive messages, it also takes up additional storage space.

Amazon CloudTrail should also be leveraged for an AWS-based IoT deployment. CloudTrail records account-level AWS API calls to enable security analysis, analytics, and compliance tracking. There are many third-party log management systems, such as Splunk, Alert Logic, and Sumo Logic, that integrate directly with CloudTrail.
