Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Is Mr. Robot in Your Network?

In Season 2 Episode 6 of Mr. Robot, Darlene and Angela continue with infiltration of the FBI and E-Corp, while Elliot is otherwise detained. Because Angela must plant the femtocell in E-Corp, members of F-Society help her learn the commands that are needed. They also offer an alternative called a “Rubber Ducky,” a USB device that registers itself as a Human Interface Device (HID) or keyboard. Since all systems trust HIDs, they are able to bypass policies that don’t allow USB storage devices. However, the infiltration plan is executed as planned with the femtocell device.

Angela makes her way to the 23rd floor, where the FBI team is working, and sets up the femtocell in the restroom. As she exits the restroom, a young FBI agent notices her unfamiliar face. Instead of checking her ID or other credentials, he takes the opportunity to ask for a date. Knowing she is almost caught, Angela plays his game and sets up a lunch date. Angela then makes her way to a cube where a small switch is located and puts the femtocell on the network. Darlene sees the femtocell collecting data, but then the data stops. As Angela re-enables the wireless network interfaces on the femtocell, Agent DiPierro interrupts her.

USB device tracking

Angela did not use the Rubber Ducky, but the threat of such a device is very real. Tenable SecurityCenter Continuous View™ (SecurityCenter CV™) supports two methods of detecting USB device installation.

The first method uses active scanning of a Windows host and provides a full history of USB devices. There are three plugins that provide a record of USB devices attached to a system:

  • USB Drives Enumeration (24274)
  • Microsoft Windows USB Device Usage Report (35730)
  • Microsoft Windows Portable Devices (65791)

The plugins analyze the registry and native commands to report on USB devices such as storage devices, multimedia devices and human interface devices.

SecurityCenter CV also includes USB analysis with the Log Correlation Engine™ (LCE®). For Windows hosts running the LCE Agent, the installation and removal of a USB device is detected within 15 minutes of the aforementioned action. Each time a USB device is connected to a system, the LCE agent sends a log notification to LCE.

USB Events

Detecting new devices on the network

There are many solutions in the marketplace to detect when a new device is on the network, called Network Access Control (NAC) systems. Many of these NAC systems run some type of a RADIUS server and interact with network systems and wireless systems. The RADIUS server then performs authentication against Active Directory or other type of user repository. While these systems are great for detecting obvious attempts to gain access, what about attempts that are not so obvious; do more stealthy attempts get tracked in the same manner?

SecurityCenter CV uses several methods of detecting systems on the network and can alert both help desk and security operations when such an event occurs. The LCE provides SecurityCenter users the ability to track when a new account is detected on a computer, when a device first connects to a network, and when a user runs a command for the first time. These three events are only a small sampling of the Never Before Seen (NBS) events that can be used when creating alerts within SecurityCenter. When SecurityCenter and LCE are fully implemented to monitor DHCP servers and network devices, there are other events such as switch port state changing, new MAC address tracking, and DHCP lease tracking, that can also track network access events.

Host Discovery Dashboard

The Daily Host Alerts and Host Discovery dashboards provide valuable information about new host activity from many sources. The filters in these dashboards can be converted into alerts to assist the security operations team in identifying new devices on the network. By monitoring the switch and DHCP server used by the femtocell, SecurityCenter could send email alerts when these new devices are present and security ops could begin to investigate if the system is authorized or not.

Additionally, SecurityCenter alerts can launch scans of the systems and provide more information about them. In this episode, as Angela boots her computer off the thumb drive, SecurityCenter would have used the Passive Vulnerability Scanner™ (PVS™) to detect a new OS that had not been scanned before. SecurityCenter would have launched a scan if there were no Linux systems authorized in the subnet, and then a further alert would be emailed to the security ops team.

When a security operations team fully embraces SecurityCenter CV, there are many layers of detections available to identify unauthorized systems on the network. Whether the attack vector is unauthorized computers, network probes, or USB devices, Tenable SecurityCenter CV combats the attacks to protect the security of your organization.

But what about Angela? Is she caught red-handed, or has she eluded capture by the FBI yet again?

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training