
Is Mr. Robot in Your Network?

In Season 2 Episode 6 of Mr. Robot, Darlene and Angela continue their infiltration of the FBI and E-Corp while Elliot is otherwise detained. Because Angela must plant the femtocell inside E-Corp, members of F-Society help her learn the commands she will need. They also offer an alternative called a “Rubber Ducky,” a USB device that registers itself as a Human Interface Device (HID), that is, as a keyboard. Because systems trust HIDs, such a device can bypass policies that block USB storage devices. In the end, however, the plan goes ahead with the femtocell.

Angela makes her way to the 23rd floor, where the FBI team is working, and sets up the femtocell in the restroom. As she exits, a young FBI agent notices her unfamiliar face. Instead of checking her ID or other credentials, he takes the opportunity to ask her out. Knowing she has nearly been caught, Angela plays along and agrees to a lunch date. She then makes her way to a cube where a small switch is located and puts the femtocell on the network. Darlene sees the femtocell collecting data, but then the data stops. As Angela re-enables the wireless network interfaces on the femtocell, Agent DiPierro interrupts her.

USB device tracking

Angela did not use the Rubber Ducky, but the threat of such a device is very real. Tenable SecurityCenter Continuous View™ (SecurityCenter CV™) supports two methods of detecting USB device installation.

The first method uses active scanning of a Windows host and provides a full history of USB devices. There are three plugins that provide a record of USB devices attached to a system:

  • USB Drives Enumeration (24274)
  • Microsoft Windows USB Device Usage Report (35730)
  • Microsoft Windows Portable Devices (65791)

The plugins analyze the registry and native commands to report on USB devices such as storage devices, multimedia devices and human interface devices.
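The following is an added example and not Tenable plugin code: it reads the USB storage device history that Windows keeps under the USBSTOR registry key, the kind of artefact an active scan of a Windows host can inspect, and flags devices whose serial number is not on an approved list. The registry path is the standard Windows location; the approved serials are constructed placeholders.

```powershell
# Added example (not Tenable plugin code): enumerate USB storage devices that
# have ever been attached to this Windows host and mark unapproved ones.
# Run in an elevated PowerShell session so every subkey is readable.
function Get-UsbStorageHistory {
    [CmdletBinding()]
    param(
        # One subkey per device model ever attached; instances below it are keyed by serial
        [string]$UsbStorPath = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR',

        # Serial numbers of devices the organisation has issued (constructed placeholders)
        [string[]]$ApprovedSerials = @('4C530001234567890123', 'AA00000000012345')
    )

    if (-not (Test-Path -Path $UsbStorPath)) {
        Write-Warning "USBSTOR key not found or not readable; no storage device history available."
        return
    }

    foreach ($model in Get-ChildItem -Path $UsbStorPath) {
        foreach ($instance in Get-ChildItem -Path $model.PSPath) {
            $instanceId = $instance.PSChildName           # e.g. '4C530001234567890123&0'
            $props      = Get-ItemProperty -Path $instance.PSPath

            # Windows generates the instance id itself when a device reports no serial
            # number; such ids have '&' as their second character (e.g. '7&2a1b3c4d&0').
            $hasSerial = ($instanceId.Length -gt 1) -and ($instanceId.Substring(1, 1) -ne '&')

            # The serial proper is the part before the '&<LUN>' suffix
            $serial = ($instanceId -split '&')[0]

            [PSCustomObject]@{
                Model        = $model.PSChildName          # e.g. Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00
                Serial       = $serial
                FriendlyName = $props.FriendlyName         # may be empty for some device classes
                HasSerial    = $hasSerial
                Approved     = $hasSerial -and ($ApprovedSerials -contains $serial)
            }
        }
    }
}

# Daily review: list every storage device this host has seen, unapproved ones first.
Get-UsbStorageHistory |
    Sort-Object Approved, Model |
    Format-Table Model, Serial, FriendlyName, HasSerial, Approved -AutoSize
```

Devices with no serial number cannot be matched to an inventory, so the report treats them as unapproved as well.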

SecurityCenter CV also includes USB analysis with the Log Correlation Engine™ (LCE®). For Windows hosts running the LCE Agent, the installation or removal of a USB device is detected within 15 minutes. Each time a USB device is connected to a system, the LCE agent sends a log notification to LCE.

USB Events

Detecting new devices on the network

There are many solutions in the marketplace to detect when a new device is on the network, called Network Access Control (NAC) systems. Many of these NAC systems run some type of RADIUS server and interact with network and wireless systems. The RADIUS server then performs authentication against Active Directory or another type of user repository. While these systems are great for detecting obvious attempts to gain access, what about attempts that are not so obvious? Are stealthier attempts tracked in the same manner?

SecurityCenter CV uses several methods of detecting systems on the network and can alert both the help desk and security operations when such an event occurs. The LCE gives SecurityCenter users the ability to track when a new account is detected on a computer, when a device first connects to a network, and when a user runs a command for the first time. These three events are only a small sampling of the Never Before Seen (NBS) events that can be used when creating alerts within SecurityCenter. When SecurityCenter and LCE are fully implemented to monitor DHCP servers and network devices, further events, such as switch port state changes, new MAC address tracking and DHCP lease tracking, can also be used to track network access.
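As an added example of the "never before seen" idea applied to DHCP lease tracking (not LCE code), the function below reads Windows DHCP server audit-log lines, keeps only new-lease events (event ID 10), and reports any lease granted to a MAC address absent from a baseline of known devices. The log lines and the baseline are constructed for the example; the real audit log carries more columns than the seven parsed here.

```powershell
# Added example (not Tenable LCE code): flag DHCP leases handed to MAC addresses
# that have never been seen before. $KnownMacs is the baseline and is updated in
# place, so each new MAC is reported once.
function Find-NeverBeforeSeenMac {
    param(
        [string[]]$LogLines,
        [System.Collections.Generic.HashSet[string]]$KnownMacs
    )

    # Leading columns of the Windows DHCP server audit log (constructed input uses only these)
    $header = 'ID', 'Date', 'Time', 'Description', 'IPAddress', 'HostName', 'MACAddress'
    $events = $LogLines | ConvertFrom-Csv -Header $header

    foreach ($e in $events) {
        if ($e.ID -ne '10') { continue }          # 10 = new lease; 11 = renew, 12 = release

        # Normalise separators and case so the same adapter is never counted twice
        $mac = ($e.MACAddress -replace '[-:]', '').ToUpperInvariant()

        if ($KnownMacs.Add($mac)) {               # Add returns $true only for a new member
            [PSCustomObject]@{
                When     = "$($e.Date) $($e.Time)"
                IP       = $e.IPAddress
                HostName = $e.HostName
                MAC      = $mac
                Alert    = 'Never-before-seen MAC obtained a DHCP lease'
            }
        }
    }
}

# Constructed baseline: MACs of assets already in the inventory.
$known = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@('5C2600AA1101', '5C2600AA1077'))

# Constructed audit-log lines: two inventoried workstations and two unknown devices.
$sampleLog = @(
    '10,08/10/16,09:14:02,Assign,10.20.30.41,WS-FIN-0127.corp.example,5C2600AA1101'
    '11,08/10/16,09:15:40,Renew,10.20.30.17,WS-FIN-0093.corp.example,5C2600AA1077'
    '10,08/10/16,09:31:55,Assign,10.20.30.88,,001A2B3C4D5E'
    '10,08/10/16,09:32:10,Assign,10.20.30.89,,02-9F-77-11-22-33'
)

# Expected: two alerts, for 001A2B3C4D5E and 029F77112233
Find-NeverBeforeSeenMac -LogLines $sampleLog -KnownMacs $known | Format-Table -AutoSize
```

In production the baseline would be persisted between runs, and an alert would go to the help desk and security operations for a check of whether the device is authorized.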

Host Discovery Dashboard

The Daily Host Alerts and Host Discovery dashboards provide valuable information about new host activity from many sources. The filters in these dashboards can be converted into alerts to assist the security operations team in identifying new devices on the network. By monitoring the switch and DHCP server used by the femtocell, SecurityCenter could send email alerts when these new devices appear, and security ops could begin to investigate whether the system is authorized.

Additionally, SecurityCenter alerts can launch scans of the systems and provide more information about them. In this episode, as Angela boots her computer off the thumb drive, SecurityCenter would have used the Passive Vulnerability Scanner™ (PVS™) to detect a new OS that had not been scanned before. SecurityCenter would have launched a scan if there were no Linux systems authorized in the subnet, and then a further alert would be emailed to the security ops team.

When a security operations team fully embraces SecurityCenter CV, there are many layers of detections available to identify unauthorized systems on the network. Whether the attack vector is unauthorized computers, network probes, or USB devices, Tenable SecurityCenter CV combats the attacks to protect the security of your organization.

But what about Angela? Is she caught red-handed, or has she eluded capture by the FBI yet again?
