Rogue Devices and Services


A rogue device is an unauthorized device or service that is on your network but isn’t under the administrative control of the network staff.

  • often completely malicious
  • exist for the sole purpose of stealing sensitive data
  • most legitimate network hardware and services can be exploited through rogues
  • e.g., WAPs, DHCP servers, DNS servers, etc.
  • computers can be configured to run any service, or use packet crafting software to conduct spoof attacks
  • rogue system detection refers to identifying (and removing) unauthorized devices

Example

  • Network taps
    • physical device attached to cabling to record packets passing over that segment
    • once attached, taps cannot usually be detected from other devices inline with the network
      • need physical cable inspection
  • Wireless access points (WAP)
    • anyone with access to the network can create a WAP
      • even from laptop or smartphone
    • can use dedicated pen test rogue WAPs
  • Servers
    • server can be used as a malicious honeypot to harvest credentials and data
    • often requires some method of traffic diversion
      • through ARP poisoning or corrupted name resolution
  • Wired and wireless clients
    • end-user devices may introduce malware, perform network recon, or enable data exfil
  • Software
    • rogue services like DHCP or DNS
  • Virtual machines
    • make deploying rogue servers much simpler
  • Smart appliances
    • printers, webcams, VoIP handsets can contain exploitable vulnerabilities in their firmware
    • can be used as a vector for attack

Shadow IT

Shadow IT is computer hardware, software, or services used on a private network without authorization from the system owner.

  • can be unintentional, but still poses a threat
  • exacerbated by proliferation of cloud services and mobile devices
  • creates a new unmonitored attack surface for malicious adversaries to exploit

Rogue Device Detection

  • Visual inspection of ports/switches
    • look for out-of-place devices or odd cabling
    • look inside cabinets and under desks for tape-mounted Raspberry Pis
  • Network mapping/host discovery
    • network scans can identify hosts and use banner grabbing and fingerprinting to collect valuable information
    • DHCP logs are useful
  • Wireless monitoring
    • look for unknown or unidentifiable SSIDs within range of the office
  • Packet sniffing and traffic flow
    • reveal the use of unauthorized protocols on the network and suspicious peer-to-peer communication
  • NAC and intrusion detection
    • can combine automated network scanning with defense and remediation
    • detect rogue devices and prevent them from joining the network

Protecting Against Rogue Devices

  • rogue devices depend upon network access
  • can use port-based access control or 802.1X network access control
  • these controls make identifying rogue devices easier

Scan/Sweep Events

  • scan refers to a port scan directed at a single host to enumerate open ports, software, and firmware
  • sweep refers to probing a range of IP addresses to discover hosts
  • authorized network scans should be performed from pre-authorized devices
  • scans from unauthorized devices should be immediately investigated
  • IDS can detect most types of scanning activity
    • but there are some ways to evade detection
      • e.g., sparse scanning
  • scan sweeps on Internet-facing systems are a common occurrence
    • less likely to be investigated
  • other IoCs can be compared with historical data to determine whether an intrusion correlates with earlier scanning activity, which can reveal information about the attacker
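The scan versus sweep distinction above, as an added Python example that is not part of the original notes: it buckets constructed connection records per source and time window, labels a source that touches many ports on one host as a scan and one that touches many hosts as a sweep, tags sources on an assumed pre-authorized scanner allow-list as authorized rather than for investigation, and shows why a sparse scan spread over time slips under a fixed-window threshold. The record format, thresholds and addresses are assumptions.

```python
"""Toy scan/sweep detector over constructed connection logs (added example)."""
from collections import defaultdict

# Hypothetical allow-list of pre-authorized scanner addresses.
AUTHORIZED_SCANNERS = {"10.0.0.5"}

def parse(lines):
    """Assumed record format: '<epoch>,<src_ip>,<dst_ip>,<dst_port>'."""
    recs = []
    for line in lines:
        ts, src, dst, port = line.strip().split(",")
        recs.append((int(ts), src, dst, int(port)))
    return recs

def classify(records, window=60, port_threshold=20, host_threshold=10):
    """Map source IP -> set of labels such as 'scan:investigate'.
    scan  : one source touches many ports on a single host within one window
    sweep : one source touches many hosts within one window
    Sources on the allow-list are tagged 'authorized' instead of 'investigate'."""
    buckets = defaultdict(list)            # (src, window index) -> [(dst, port)]
    for ts, src, dst, port in records:
        buckets[(src, ts // window)].append((dst, port))
    findings = defaultdict(set)
    for (src, _), hits in buckets.items():
        ports_per_host = defaultdict(set)
        for dst, port in hits:
            ports_per_host[dst].add(port)
        labels = []
        if any(len(p) >= port_threshold for p in ports_per_host.values()):
            labels.append("scan")
        if len(ports_per_host) >= host_threshold:
            labels.append("sweep")
        tag = "authorized" if src in AUTHORIZED_SCANNERS else "investigate"
        findings[src].update(f"{label}:{tag}" for label in labels)
    return {src: labels for src, labels in findings.items() if labels}

def sample_lines():
    """Constructed records, not real logs; timestamps chosen to fall in one window."""
    lines = [f"{1020 + p},192.168.1.50,10.0.0.10,{p}" for p in range(1, 26)]   # port scan
    lines += [f"{2040 + h},192.168.1.60,10.0.0.{h},22" for h in range(1, 13)]  # host sweep
    lines += [f"{3000 + h},10.0.0.5,10.0.0.{h},22" for h in range(1, 13)]      # authorized sweep
    # sparse scan: same 25 ports, one probe every two minutes, never crosses the threshold
    lines += [f"{4000 + 120 * p},192.168.1.70,10.0.0.10,{p}" for p in range(1, 26)]
    return lines

if __name__ == "__main__":
    for src, labels in sorted(classify(parse(sample_lines())).items()):
        print(src, sorted(labels))
```

Lowering the window size or raising the thresholds trades false positives against the sparse-scan blind spot; correlating across longer windows is what catches the slow scanner.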