Invisible Network Devices

Network Device Detection

Network devices are physical devices that facilitate communication and data transfer within a computer network. These devices play specific roles in managing and directing data traffic, ensuring the efficient and secure exchange of information. One often overlooked category is the unmanaged, unauthorized, hidden, or invisible network device: a device that is connected to the network but not visible to it, and that can threaten an organization’s cybersecurity.

Invisible or hidden network device detection is a security process aimed at identifying malicious or unauthorized devices connected to a network. In an era where cybersecurity is paramount, the importance of robust software platforms for the detection and mitigation of unmanaged or invisible network devices has come to the forefront. Securing network devices is crucial to ensuring the confidentiality, integrity, and availability of data and services within a network.

Invisible Network Devices Case Study

A Tier 1 bank audit revealed some irregularities. It became evident that invisible network devices (rogue devices) had continuous access to the internal and secured parts of the network. After investigating the bank’s computing assets, including the servers, desktop workstations, and management’s laptops, the team found no evidence of malware with remote access capabilities.

Subsequently, investigations focused on deep monitoring of the inbound and outbound communications of the network, in the hope that there would be an indication of what was occurring. Again, the investigators found no evidence of full remote access. The bank sought assistance from the cybersecurity investigations practice of a leading global consulting firm. The team discovered that the perpetrators had cloned an authentic laptop belonging to the bank (a spoofed laptop). It was connecting to the network infrastructure via an out-of-band channel, in parallel to the existing and legitimate laptop.

The network access profile and envelope, as well as the certificate, were authentic and valid, meaning that none of the existing security and monitoring tools recognized it as an invisible network device. The attackers were using a “ghost” malicious device that was acting in the shadow of the legitimate one. Upon further investigation, the team discovered an unidentified small hardware device installed in one of the distribution cabinets. It was providing the perpetrator with remote access capabilities, with the existing security measures completely oblivious. No one knew what this device was, what it was doing, who brought it in, or when.

Attack Study

With the growing sophistication of cyber threats, the concept of invisible network devices detection has become a crucial focus in ensuring network security.

The attackers used a legitimate off-the-shelf network router sold by a third party. Besides its other modes of operation, the device supports a virtual cable mode whereby two devices can be paired and installed at different locations while operating as if they were interconnected by a standard passive LAN cable. The two devices reroute and tunnel the communication via a simple switchboard application. The device enables the interception of traffic and the injection of data packets, streaming them back into the network, as well as more complex man-in-the-middle (MiTM) attacks.
These devices do not have an IP or MAC address, meaning that Intrusion Detection Systems (IDS), Network Access Control (NAC) and network monitoring tools are unable to detect them. The entire manipulation occurs on the Physical Layer (Layer 1) and the Data-Link Layer (Layer 2). Therefore, all higher-level communications are deemed authentic and secure.

How Network Devices Bypass Authentication Methods

In this specific incident, the perpetrators utilized a BeagleBone board running USBProxy. When attached between the scanning device and the computer system that stores the records of genuine handprints, it allowed the attacker to bypass the authentication.
The BeagleBone does not require any extra hardware, thanks to its superior set of input/output features, which makes it easy to interface with external electronics.

Sepio’s Network Devices Detection and Mitigation

Sepio is the leader in the rogue device mitigation (RDM) market. It is disrupting the cybersecurity industry by detecting unauthorized or invisible network devices and preventing hardware-based attacks operating over network and USB interfaces.

Sepio’s Asset DNA technology, rooted in the physical layer, relies on the existence of devices rather than their behavior, enabling the discovery and identification of all managed, unmanaged, hidden or invisible network devices. Through innovative methods and machine learning algorithms, Sepio gets to the true source of asset risk, free from misleading profile perceptions and behavioral assumptions.

The Sepio platform strategically prioritizes assets based on their risk levels and implements precise hardware access controls. It automatically blocks devices that violate preset rules or are recognized as known attack tools.

Having a comprehensive view of all network devices is crucial for effective hardware defense. However, the value lies not just in seeing, but in utilizing this information.

Sepio provides instant insights into network devices that require attention. Leveraging Asset DNA technology and policy rules, the system alerts you to high, medium, and low risks, expediting resolution times, pinpointing regulatory gaps, and preventing hardware-based attacks. This real-time, actionable visibility empowers your security team to gain a deeper understanding of your device attack surface and proactively manage hardware defense.

See every known and unknown device. Prioritize and mitigate risks.
Talk to an expert, who will help you understand how to use Sepio’s patented technology to gain control of your asset risks.

Invisible Network Devices (pdf)
May 12th, 2020