
Welcome back from lunch, good to see everybody. All right, so I don't know how many of you have put a nice Raspberry Pi onto a network so you can have a back door. Did anyone see Mr. Robot? Remember that scene? Yeah.

So, really, what this is about is rogues. It's about: hey, what is on your network? How fast can you detect what is on your network, whether it's supposed to be there, and whether or not that thing is doing something it shouldn't be? That's where my talk is really going: hey, how are you doing on that? The red team, you've got red teamers in here, right? Working on pen tests, it's a great way to get on the network. If that's included in scope, you can socially engineer your way in, drop a device with your Pineapple. Darknet Diaries, if anyone's listening to that podcast, it's becoming one of my favorite podcasts; one of the recent episodes talked about a pentester who was hired to start from the inside and brought his own device.

But this is challenging. The CIS Controls: the first control has always been that you need an inventory of authorized devices. So know what's on your network; if you don't know what's on your network, it's almost impossible to defend it, to protect it. But that's hard. You've got a network all over the world, all over the nation, hundreds of thousands of devices. Your network's not changing daily, it's changing hourly, or minute by minute. Man, that's a challenge. Those of us who have a smaller network, it's a little easier; it's definitely not on the scale that some of you are faced with, devices all over and decentralized control of your network.

So you're trying to protect the castle, right? You've got this nice border with your security on the outside, and hopefully it's segmented; that's where we're going, we're trying to segment our network. But when you have a rogue device, you're letting these things pass your defenses right in your front door. They're coming right in, and you may have them controlled to a room or a section, but they're still there. So they have all these risks that are now right inside of your perimeter. Whatever it is, they're past your first line of defense, so now we've got to figure out what these devices are.

These devices break down into four categories, at least the way I view it. You have your authorized devices: these are devices you know about that you probably built, or that you or someone else has built according to your specs; they've maybe gone through change management. So you know what these devices are; these are authorized, committed devices; these are things you definitely should know about. Then you have your other devices that are known, but maybe they're out of date. They probably at some point were authorized, but they've fallen behind: maybe they're a couple of revs behind on their AV, maybe they're missing a couple of your agents (we all have agents), maybe their config's out of date or never got properly applied. So these are known but outdated devices. Then you have devices that are unauthorized but you still know what they are: it's Jill's laptop, or it's Bob's iPad, or maybe it's that vendor that showed up to do a demo and he's like, "Oh, I just need to download some stuff from my company," and so he plugs in. So you know what these devices are, but they're not permitted; you never gave them permission to get on your network. And then finally you have your unauthorized, I mean, sorry, your unknown devices: devices that you have no idea what they are. They just show up as an IP and maybe an OS or whatever, and you're like, what the heck is that?

So how do we find these devices? Let me just talk through several methods. I'm not really advocating one or the other, but these are different ways that you can use, or maybe have used, to find rogue devices. You can start with the simple things, like Angry IP Scanner or nmap; SolarWinds has some basic tools. Just scan the network, hit up the IPs, and get back some kind of results of what's alive and what's not alive, maybe a little more information. But it's a manual process, because at the end of the day you're running it manually, and then you're doing a diff of your current results against previous results and deciding what's new and what's not new. So it's fantastic, but it's simple; it's free, it's cheap; that's not bad.

Then on the other hand you have tools: ManageEngine; SolarWinds actually has a tool; and, I'm going to get the company name wrong, I want to say Red Steel, but I don't think that's right. Let's see if I wrote it down. IPAM tools, IP address management tools; McAfee ePO; I don't know if it's Red Seal, I'd have to double check that, I'm drawing a major blank on this, I apologize. But these tools claim to do, or say, "Hey, we do rogue detection," and they do it at various levels. Some of them just say, "Hey, you have a new IP, there's a new IP, I don't know what it is, I don't have an agent on it, must be rogue." Others will provide you a lot of information, like, "Hey, this machine showed up, it's this OS, it's on this switch port." So it's a range of things. Now these are great, because they do this for you, but they're expensive, at various levels of expense, and there are various levels of complexity that you are required to stand up. (And I'm sorry guys, I forgot to give you a warning when I was starting.) So there are various levels of complexity, both to stand up, to manage, and to continue on: you've got to patch it and everything else. But they may be what your organization needs to manage and find and detect rogues. Oh, and I want to say NAC, network access control tools, can fall into this category as well, because by their very nature they control unauthorized devices connected to your network.

And then finally you have custom tools. These are tools where you rolled your own: maybe you take your SIEM and use all the logs coming into your SIEM to filter out a unique IP list, and then you roll some kind of script that dumps that list every X amount of time, figures out some diffs and some other information, and you roll your own connection to the router or whatever. So you can roll your own; it's custom built for your environment, custom built from the tools that you have. These are nice because, as I already said, they're custom, so they fit your environment perfectly, but they're a challenge because you have to build it yourself, and then you have to maintain it, and you'd better hope that the developer left good notes, so that when he leaves, someone else can pick up the maintenance of that tool to adjust to changes in your environment.

But at the end of the day, when these tools run, you're sitting there waiting for the results, and you're trying to say, all right, what am I going to get back? What are these tools going to give me? What you don't want, and what a lot of tools do, is it just gives you an idea: hey, this IP is new, it's probably rogue; maybe it'll give you an operating system, maybe it'll give you some ports. But how many of you are going to be able to take this information with high fidelity and be able to take deliberate and decisive action on that?

OK, now, some of your environments may be able to. Have you ever decided, does your risk framework or your risk analysis say, "I don't care what it is, it's a new IP, we block it"? And that's great, because you have made that decision in your environment. But others of you, and this is where some of what drove this presentation for me, need more than that. We're not just blocking because it's an unknown IP; we need a little more information about that IP and what it represents.

So what does that mean? What if you actually had things like not only the IP, but the operating system, the switch port that thing was plugged into, whether it was already part of the domain, whether your vulnerability scanner scanned it and what the results of that vulnerability scan were, and what if you included in your results a link to the SIEM for that IP address, so that an analyst, when he receives that rogue alert, can click on it and get all the events that the SIEM has about what that IP did? Man, is that empowering. Is that giving your analysts the kind of information that they can make quick, high-fidelity decisions on, on what they should do with that alert? Holy cow, your analyst is like, "Awesome!" And you have provided that to them.

So now when that rogue shows up and that alert comes along, you can decide, based on the information that you have: hey, should I block that IP at the switch, so maybe he's not getting anywhere? Maybe I'm going to block him at the router, so he's only allowed on a subnet. Or maybe he's going to be put in his own VLAN; you can configure a NAC to automatically put this new device into a subnet or his own VLAN with limited access. Maybe, to continue here, you're going to allow that device to have access to the general network but block it from the servers, because that's where your critical data is, so you're going to block the servers. Or maybe you're going to just block it to the internet, or maybe just give him only a pass in there: maybe he's allowed on the network but he's not allowed to access anything but the internet. So having all that information will actually let you make those kinds of decisions very quickly. So you get that alert, your SOC does its analysis, makes that decision, maybe you work with the ops team.

But what about the help desk? What are some reasons you might want to alert a help desk that you're taking action on a rogue? [Audience response] Right, they're going to hear about it, whether it's an actual rogue, or it's someone trying to social engineer their way onto the network, or it's a legitimate user who's pissed that they can't get to Facebook. They're going to call the help desk. You've got to bring your help desk into the loop on what's going on with those rogues, whether it's a call, or some kind of informal discussion, or some kind of ticket, so that the help desk can easily say, "Oh yeah, we are blocking the internet. What's your...? Oh, OK, yeah, this is what's going on." So make sure that you have that kind of communication among these groups. I'm a big proponent of security and ops having a great communication method. I'm not saying the relationship is always great; we know that doesn't happen. But having good communication is important even if that relationship is tense, and this kind of thing really helps.

So what are some challenges?
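The following is an added example, not from Craig Bowser's talk or from his GitHub tool: a small Python script in the spirit of the "roll your own from your SIEM" approach described above. It reduces constructed DHCP-style log lines to a unique device list, sorts each device into the four categories from the talk (authorized, known but outdated, known but unauthorized, unknown) against a constructed inventory, and emits an enriched alert carrying a link to a hypothetical SIEM search URL. It also ranks the alerts, bumping anything that appeared on a constructed server subnet, which goes a little beyond what the talk spells out at this point. The log lines, the inventory, the subnet, the config baseline and the SIEM URL are all assumptions made for the example.

```python
"""Rogue-device triage over SIEM log lines.

Added example for this talk; not the speaker's tool and not any project's code.
Everything here is constructed: the DHCP-style log lines, the inventory, the
server subnet and the hypothetical SIEM search URL.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical SIEM search endpoint; each alert carries a link to it so the
# analyst can pivot straight to everything the SIEM has for that IP.
SIEM_SEARCH_URL = "https://siem.example.internal/search?q=src_ip%3D{ip}"
SERVER_SUBNET = ipaddress.ip_network("10.0.50.0/24")  # constructed: critical servers
CURRENT_CONFIG_VERSION = 7  # constructed baseline; older configs count as outdated

# Constructed log lines in a DHCP-lease style, as a SIEM export might look.
LOG_LINES = [
    "2024-05-01T12:00:01Z dhcp lease ip=10.0.10.15 mac=aa:bb:cc:00:00:01",
    "2024-05-01T12:00:05Z dhcp lease ip=10.0.10.16 mac=aa:bb:cc:00:00:02",
    "2024-05-01T12:01:10Z dhcp lease ip=10.0.10.17 mac=aa:bb:cc:00:00:03",
    "2024-05-01T12:02:44Z dhcp lease ip=10.0.50.9 mac=de:ad:be:ef:00:01",
    "2024-05-01T12:03:00Z dhcp lease ip=10.0.10.15 mac=aa:bb:cc:00:00:01",
    "garbage line the parser must skip",
]

# Constructed inventory keyed by MAC: "status" is what change management says,
# "agent" and "config_version" are what the endpoint tooling last reported.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"name": "ws-finance-01", "status": "authorized", "agent": True, "config_version": 7},
    "aa:bb:cc:00:00:02": {"name": "ws-hr-04", "status": "authorized", "agent": False, "config_version": 5},
    "aa:bb:cc:00:00:03": {"name": "jill-laptop", "status": "unauthorized"},
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+dhcp\s+lease\s+ip=(?P<ip>[\d.]+)\s+mac=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$"
)

@dataclass
class Observation:
    ip: str
    mac: str
    first_seen: str
    last_seen: str

@dataclass
class Alert:
    ip: str
    mac: str
    category: str
    priority: int  # 1 = act on this first
    name: str
    siem_link: str
    reasons: List[str] = field(default_factory=list)

def parse_observations(lines: List[str]) -> Dict[str, Observation]:
    """Reduce raw log lines to one record per MAC: the unique-device list."""
    seen: Dict[str, Observation] = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it instead of aborting the run
        mac = m["mac"].lower()
        if mac in seen:
            seen[mac].last_seen, seen[mac].ip = m["ts"], m["ip"]  # latest lease wins
        else:
            seen[mac] = Observation(m["ip"], mac, m["ts"], m["ts"])
    return seen

def classify(mac: str, inventory: dict) -> Tuple[str, List[str]]:
    """Map a MAC to one of the four categories from the talk, with reasons."""
    rec = inventory.get(mac)
    if rec is None:
        return "unknown", ["MAC not present in inventory"]
    if rec["status"] == "unauthorized":
        return "known-unauthorized", ["known device, not permitted on the network"]
    reasons = []
    if not rec.get("agent", False):
        reasons.append("missing endpoint agent")
    if rec.get("config_version", 0) < CURRENT_CONFIG_VERSION:
        reasons.append(f"config version {rec.get('config_version', 0)} < {CURRENT_CONFIG_VERSION}")
    return ("known-outdated", reasons) if reasons else ("authorized", [])

def priority_for(category: str, ip: str) -> int:
    """Rank by category, then bump anything that landed on the server subnet."""
    base = {"unknown": 2, "known-unauthorized": 3, "known-outdated": 4}[category]
    return base - 1 if ipaddress.ip_address(ip) in SERVER_SUBNET else base

def triage(lines: List[str], inventory: dict) -> List[Alert]:
    """Enriched, ranked alerts for every observed device that is not authorized."""
    alerts = []
    for mac, obs in parse_observations(lines).items():
        category, reasons = classify(mac, inventory)
        if category == "authorized":
            continue
        alerts.append(Alert(obs.ip, mac, category, priority_for(category, obs.ip),
                            inventory.get(mac, {}).get("name", "<unknown>"),
                            SIEM_SEARCH_URL.format(ip=obs.ip), reasons))
    return sorted(alerts, key=lambda a: (a.priority, a.ip))

if __name__ == "__main__":
    for a in triage(LOG_LINES, INVENTORY):
        print(f"P{a.priority} {a.category:<18} {a.ip:<12} {a.mac} {a.name} {a.siem_link}")
        for r in a.reasons:
            print(f"      - {r}")
```

Run as a script, it prints the ranked alerts with their reasons and SIEM links. In a real deployment the log lines would come from the SIEM export, the inventory from change management or the CMDB, and the run would be scheduled every X minutes with the previous run's device list diffed against the current one so only newly seen devices raise an alert.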
Well, this is great if you have a small number of rogues. But if you have a large number... we all know alert fatigue is real; there are lots of discussions about it. So if you have a large number of rogues, this definitely becomes a challenge, no matter how good the information is that you are providing with the alert; no matter what that information is, it is challenging to handle a large number of rogues. The other thing is, if some of those rogues are actually legit users and legit devices, can you provide a way for those devices and users to self-remediate? I'm going to go back to NACs: a couple of them often have ways to say, "Hey, we're going to put you in this VLAN, but as soon as you patch, as soon as you reconfigure, then we'll let you back out and play with everybody."

So what are some thoughts on this? What's my way ahead? Well, I am working with a friend of mine who's written a nice rogue detection tool that will provide a lot of this other information, and that's nice. I'm not saying that this tool is the end-all be-all, but the whole point of this talk is that when you're doing rogue analysis, you want to grab as much of this other information as you can, so that you can make better decisions, and that's what we're working on this tool to do. When it's ready, we'll put out some advertising. It's already out on GitHub, but it's one of those in-process projects, so I didn't want to put it out there and have people say this doesn't work. Well, yeah, I know, we're still developing.

I also want to add to this talk about detecting wireless rogues: rogue APs as well as rogue devices connected to your network. Finally, a little bit of research about detecting Bluetooth rogues: how do we know what's going on with those kinds of networks, some of these other wireless networks that we have that give us access to devices?

So in conclusion, I want to just say: hey, enhance your logs, speed up your analysis. That really increases your ability to react and really increases your ability to protect your network. With that, my name is Craig Bowser; I go by reswob10 on the interwebs. I want to invite you, if you're at all available: I'm teaching SANS 525 as a mentor session, and it's going to be from July 16th to September 3rd, Tuesday nights. This class is all about enhancing yourself with data analytics and security analytics with SIEM. It's about exactly what I'm talking about: enhancing your logs so that your analysts are able to make faster, better decisions. You have a coffee break set to the time where you do a search and go get a coffee? We'll talk about how to make that better, how to make it work for you, so that you can have that kind of analysis and that kind of fast decision making with high-fidelity alerts. I have a blog, on the bottom. I work for Clear Focus Technologies, and I am a part of NoVA Hackers, if you want to talk about that as well; a great group that has totally helped me grow in security.

So, any questions?

[Audience question, partially inaudible: "Assume worst case scenario, you've got a network, you..."]

So the question is: we know our network, we have a hundred thousand devices, but we have a lot that we've discovered are rogue, and there's just a lot of work to discover what they are. How do we prioritize what gets kicked off first? Is that a good summary? Right. So the first thing to do is figure out what those rogues are doing. This is where having that information really helps. When you're looking at the information about what those rogues are, you can say, "Oh, that's Susie's iPad, and that's the vendor box," and you can say, OK, those are kind of low priority; they'll probably go away, but I can relegate those to doing later. The ones that are probably... using all the information you gather about those things, you can say, OK, this is probably something I really want to determine better: is it on my server network, for instance my server subnet? Is the traffic that I've noticed in my SIEM, based on the IP address or the MAC address, something that looks suspicious, or is it only going to Facebook, that type of thing? So using that other information you gathered, it gives you the ability to rack and stack how quickly I need to react to each one. That is one of the biggest reasons, I think, that having that extra information gives you that ability. If you have just a bunch of IP addresses, then your only real choice is to just block everything and figure it out one by one. Does that answer your question? Anything else? Yes.

[Audience question, inaudible]

Right, so the question was about whether I'm suggesting that these devices are sandboxed so that they're only allowed to do certain things. So the method I'm describing is mostly about getting more information about each device so that you can make a decision about how, or whether or not, to sandbox. So you can sandbox; that's definitely a decision that as an organization you need to make based on your risk analysis of how you want to handle rogues. For instance, one of the organizations I was part of just blocked them at the switch. Done. I don't care what you are; I don't care if you're the CEO's laptop that he brought from home; you're blocked. That was a risk decision that the organization made. Another one said, "Hey, we don't know what it is, we're just going to block it at the firewall." It has free rein of our entire intranet, but we're just going to block them at the firewall, because we figure it's probably an unauthorized device that we want to permit but that just hasn't gone through the proper process. So organizationally, make that decision. Does that answer your question? All right, great. Anyone else behind the lights that I can't see? Great. That's all the questions. Thanks for attending; I appreciate you coming back right after lunch, I know that was challenging. Anything else? Thanks a lot, appreciate your time.