CompTIA CYSA+ CS0-002 – Analyzing Network IOCs Part 3

  1. Rogue Devices (OBJ 4.3)

Rogue devices. One of the things you have to be concerned about on your network are rogue devices. Now, anytime a device is connected to your network, these network devices are identified using the hardware interface, Mac address and their IP address. So if I connect my smartphone to the network, or I connect a laptop to the network or a smart TV, all these devices, if they have a network card, have a Mac address and will hopefully be assigned an IP address. When that happens, you can use that to identify these devices across your network. Now, if you want to prevent things from connecting to your network that aren’t authorized, one of the best mitigations you can use is to use digital certificates on those endpoints and servers, forcing them to authenticate and encrypt traffic using IPsec or Https.

This will make sure that only devices you authorize will get onto your network. Now, if you get an unauthorized device on your network, this is known as a rogue device. And that’s what we’re going to focus on inside of this lesson. Now, when we talk about rogue devices, these are any unauthorized device or service, such as a wireless access point, a DHCP server, or a DNS server that’s on a corporate or private network that allows unauthorized individuals to connect to that network. Now, most often people think of rogue devices as things like a wireless access point or a switch or a hub that’s being added, but they actually include much more than that.

For example, if I have this thumb drive and I stick it into a server, is that a rogue device? Well, yes, it is, because that thumb drive could be attached to the server to download sensitive data. It’s something that is not authorized and it’s being connected to my network through that workstation or through that server. And so this is an idea that you have to think about as well. When you start talking about rogue devices, one of the most important things to do with rogue devices is detect them. Because if you identify these things, you can then remove them. So rogue system detection is simply a process of identifying and removing machines on the network that are not supposed to be there.

So for the rest of this lesson, we are going to talk about rogue systems. We need to figure out first what is considered a rogue system. Well, there’s lots of them out there. We have network taps and wireless access points or WAPs. We have servers, we have wired and wireless clients. We have software that’s installed without our permission. We have virtual machines and we have smart appliances. All of these things can be rogue devices or rogue systems. Now, one of our jobs as a cybersecurity analyst is to identify everything that’s on our network and identify what shouldn’t be there. Based on that, we can then go through this rogue device system detection, find out what’s not supposed to be there and get it off our network. So let’s talk about all of these different categories of rogue devices.

First, we have network taps. Now, a network tap is a physical device that is attached to Cabling to record packets that are passing over that network segment. We talked about network taps earlier in this course because we use them as cybersecurity analysts. We want network taps that are in our control so we can collect information and detect things on our network by looking through all of our packet captures and network flows. But we don’t want a road network tap that is under the control of some adversary. And that’s what we’re talking about here. With network taps, the next area is wireless access points, or WAPs. Now, these are different devices that can be connected to your network and they extend your physical network into the wireless spectrum.

Now, there’s lots of problems when you start dealing with wireless access points, especially ones you don’t control. One of them is that there can be rogue access points on your network. Now, there’s two ways of looking at this. One is you have a rogue access point that’s connected to your network, which can allow an adversary to connect to their wireless access point and then convert their radio signal from the parking lot going into your access point into the physical network over your Ethernet network. Now, the other type of rogue access point we can have is where an attacker gets close to you and then sets up their own access point with its own connection to the Internet. Now, that point isn’t going to actually connect to your network, but it can be used as an evil twin and make it look like it’s part of your network.

So for example, if I set up a rogue access point in the middle of Starbucks and you try to connect to the Starbucks WiFi, you may be connecting to the Starbucks WiFi, or you may be connecting to mine. If you’re connecting to mine, I now act as a man in the middle and capture your traffic and put you at risk. As a cybersecurity analyst, we want to make sure this doesn’t happen. And so we’re going to scan our airwaves and find out what wireless networks are near us, identify those rogue devices and get them taken down. Now, often students ask me, how hard is it to create one of these rogue access points? Well, if you have something like a WiFi Pineapple shown here, you can easily create a rogue access point and then become a man in the middle for all those unsuspecting users.

The next type of rogue device we’re going to talk about is a server. Now, an adversary may try to set up a server as a honeypot to start harvesting network credentials or other data. By doing this, they can then be another server on your network and try to trick your users into giving them critical information. They could also use things like ARP poisoning or corrupting name resolution to be able to divert traffic into their server instead of yours. So you want to make sure you’re identifying these rogue servers and get them off your network. Another type of rogue device you might have is a wired or wireless client. For example, if somebody brings in their personal laptop, takes out the connection from their work laptop and plugs it into their personal laptop, they have now added a rogue device, their personal laptop, to your organizational network.

This can be a big problem because these are devices you don’t control. They have webcams on them which can see inside the room. They have microphones to record conversations. They might bring malware into your network. Lots of different things can happen when you don’t control the device. In an organization. If you’re using a bring your own device policy, this would not be considered a rogue device because you’re allowed to bring them in under that policy. But in most organizations, if you don’t have a bring your own device policy, bringing your own personal laptop is not going to be authorized, and it would be considered a rogue device. Now, another thing to think about when you talk about authorized client devices is that they could be used in an unauthorized way.

For example, I have a workstation in my office that the company gives me. I can log in there using my username and password. All of that is authorized, but I don’t have permission to try to SSH into a server or perform network scans or tether my smartphone to it. All of these are things that are unauthorized. And so if I do those things, I now have turned that authorized client into a rogue device because it’s not following the right procedures. The next type of thing we want to talk about is software. And software can actually be rogue as well. If I just go to the Internet and download a piece of software on my workstation and install it, that can go against company policy and it would be considered a rogue device at that point.

This can actually have things like malicious DHCP or DNS servers. It might be malware, it could be covert spying software. All of these things could be installed as part of this rogue software. So instead, you should always install software using the appropriate change management processes and make sure that software is clean and ready to go on the network. Another type of rogue device is virtual machines. If you’re using a very highly virtualized environment, people can start creating virtual machines that could be used to create rogue servers and services inside that virtualized environment.

Now, in the old days, if somebody wanted to bring a new server into your offices, you would probably see them carrying this big computer and hooking it up. But with virtual machines, it’s just software code. So if they could spin up a virtual machine and run software to run a server on it, that would be a way to put a rogue server in your network. So keep that in mind as well. The final area we want to talk about is smart appliances. Now, these are devices like printers and webcams and VoIP handsets and VTC systems, and washing machines and refrigerators and smart TVs and all sorts of other things. These days, everything seems to be Internet connected.

And when they’re Internet connected, that means there are potential vulnerability that adversary could exploit. A lot of these devices are running Linux based operating systems, but they don’t receive the patching and updating like your Linux servers would. And so they are something that could bring vulnerabilities into your systems. As we talk about things like ICS and SCADA, we’ll go back and revisit smart devices as well. But it is something to think about when you start talking about rogue devices. If you install a new TV in the conference room, does that TV have WiFi and did you plug it into the network? Because if so, that device could be something that could be used by an attacker against you.

So now that we’ve talked about all the different kinds of rogue devices, and I told you all the bad news out there, how can you figure out what rogue devices there are and how do you detect them? Well, we could perform rogue device detection in lots of different ways. One of them is by doing a visual inspection of ports and switches, especially if you’re dealing with wired networks. This is one of the best ways to find rogue devices. Now, when you’re conducting your physical inspection, you want to make sure that you’re careful to ensure the attacker didn’t install some additional piece of equipment or counterfeit equipment with fake asset tags.

For instance, if you have a rack of a bunch of Cisco gear and somebody brings in another device that looks like a Cisco device, and you had five there yesterday and now you have six, will you be aware of that? Will you see it as you walk in on a daily basis? Well, if you had five and six, you might. But if you had 50 and now you have 51, you might not. And this is something to keep in mind as you’re looking at things.As you go through. You should do inventories either monthly or quarterly to see all the devices that you expect are there and no additional devices. Another detection mechanism for rogue devices is to conduct network mapping and host discovery. You can use an enumeration scanner to help identify hosts via banner grabbing and fingerprinting of those devices across your network.

As you start running scans across your network and performing this enumeration, you’ll start figuring out exactly what’s on your network. You’ve got ten Linux servers and they’re this version. You’ve got five Windows 2019 servers, you’ve got three Windows 2016 servers, whatever those things are. This will help you do that. And if you know what your baseline is and you run another scan and now you have three new servers, you can then figure out why do you have those three new servers? Because if they didn’t go through the proper change control process, they would be rogue devices. If you’re worried about wireless devices, you can conduct wireless monitoring. This is also known as wireless sniffing and discovery and this can be used to find unknown or unidentifiable service set indicators or SSIDs showing up within the range of your office.

So again, if you have an office and the name was Deon Training as your WiFi, and right next door is a coffee shop and somebody sets up a rogue access point called Deon Training and you start seeing there is three different signals coming out from Deon Training, but you only have two in your office. Well, that would be a rogue device, and wireless monitoring can help you figure that out. Another good detection mechanism is to use packet sniffing and traffic flows. This can be used to identify any unauthorized protocols that are on your network or any unusual peer to peer communication flows. For example, if you’re not running any web servers on your network, but you start seeing port 80 is running and sending data out, often that could be an indication that somebody set up a malicious or rogue web server inside your network and so you want to look into that.

And finally we have NAC and intrusion detection. A lot of security suites and appliances can combine automated network scanning with defense and remediation suites to try to prevent rogue devices from accessing the network. If you’re using NAC, you might be using something like usernames and passwords to gain access to the network. Or even better, digital certificates. If somebody doesn’t have that digital certificate, that device can’t get on the network. If you’re dealing with intrusion detection, it can go and scan the network and say, I found this new thing, I don’t know what it is and therefore I’m going to flag it. And that way an analyst can look into it further and figure out if it’s a rogue device.

  1. Scans and Sweeps (OBJ 4.3)

Scans and sweeps. In the last lesson on rogue devices, we talked about the importance of scanning your network and enumerating your network to figure out what is exactly on there. Now, rogue devices often are going to begin their attacks by scanning and sweeping to find additional hosts and vulnerabilities. Just like you as a cybersecurity, analysts want to scan your network to figure out what’s out there. Also, these devices want to do the same thing. So if I just hooked up a rogue device, like a malicious client to your network, the first thing I want to start doing is scanning and sweeping around the network to see what hosts are there, what servers are there, what routers and switches are there.

As I get that information, I can start building up a presence and start figuring out exactly what’s there so I can then figure out how I want to attack it. Now, when we talk about this, there’s a couple of key terms we have to think about. First is port scan. What is a port scan? Well, a port scan is going to enumerate the status of TCP and UDP ports on a given target using software tools. The most common of these is Nmap, which we’re going to spend a lot of time on later in this course. Now, when we talk about enumeration of a single target, this is called fingerprinting. Fingerprinting is identifying the type and version of an operating system or a server application by analyzing its responses to network scans.

So, for instance, if I’m using  Nmap and I’m doing a port scan of your server and it reports back to me that you’re on port 80 and that’s open, it will then tell me also in addition knowing that it’s port 80, that you’re running Apache or IIS as your web server. Now, in addition to that, it will also figure out if you’re running Windows or Linux based on what the responses are that it’s getting through this fingerprinting process. Now, that’s what happens when we do a scan that’s one single target. But what if I want to start looking at a wider range? Well, that’s called a sweep.

Now, a sweep is a scan that’s directed at multiple IP addresses to discover whether a host responds to a connection request for a particular port. So, for example, if I want to sweep my entire network and see who has port 80 open, who’s running a web server, I can do that. That might be useful if I found that there is a vulnerability out there that only attacks port 80. Want to figure out who’s open on port 80. And once I do that, that might give me a list of five or ten servers. I can then go deeper into just those five or ten servers and ignore the other thousands of servers on my network. Now, when we’re dealing with a sweep or we’re dealing with multiple assets, this is also known as footprinting.

So with Footprinting, this is the phase of an attack or penetration test in which the attacker or tester gathers information about the target before attacking it. Now, in this case, when we talk about the target, we’re talking about the target organization. We are trying to figure out across the board what’s there. So when you hear fingerprinting, it’s one machine. When you hear Footprinting, that tends to be multiple machines. Now, one of the questions students often ask me is, who should be doing these scans? Well, only the people who are authorized. Authorized network scans should be performed from a restricted range of hosts as well.

So if you’re a cybersecurity analyst, you probably have a small network of administrative workstations, and these are the ones that you and your team are going to use to do all of your scanning from. Now, why do we want to do that? Well, because a lot of our systems have intrusion detection systems that are looking for things like port scans or sweeps. And if we know that it’s coming from a particular range, we can authorize that range and ignore those requests. So if I see a port scan coming from the host at 192, 168, 110, which is my workstation, that can be written as a rule to ignore it. But if it comes from any other IP address, we’re going to flag it. That’s the way these things work. So you want to keep that in mind and keep a restricted range of hosts when you do your scans.

Now, intrusion detection systems, like I just mentioned, can identify scanning by detecting the different numbers of sin packets, synac packets or fin packets. And if we don’t see a statistical balance there, that means we’re probably being scanned, as we’re going to talk about later with Nmap. When people do scans, often they will send out sin packets and never respond with the synac. So if I had 100 sin packets go out but only three Synac packets, that probably means I’m doing a lot of scanning here because I’m sending out a lot of sins to see what the responses are and never replying to them. That would be something that an IDs could flag for us.

Now, let me give you a quick warning here and a word of advice. I’ve worked for some companies that have freaked out when they started seeing port scanning against their resources. If you’re running web servers or any internet facing resources, just realize that scan sweeps of your organization’s footprint is going to be a common occurrence and it should not be something that sends you into a panic. Yes, if somebody is doing a scan, they may want to attack you at some point in the future. Yes, if people are doing a scan, they may not want to attack you at some point in the future. Both of those are true statements because attackers use this, but so do other organizations, too.

So if you have something that’s forward facing, you’re going to see a lot of scanning. It’s just something that happens all the time. My own personal network in my office, I see scans happening against us all the time, but it’s not necessarily an indication that there’s going to be an attack. Now after the fact, if you were the victim of an attack, you might go back and look at that historical data to see if an intrusion could be correlated to some skating activity. But the scan activity by itself is not a big enough indicator for us to get worked up about and try to start deploying resources against it, because it is just such a common occurrence.