Retailers have long relied on merchandising techniques to entice you into purchasing their products. Someone figured out way back that if you put small-ticket, impulse items at the check-out, you could increase overall sales. How many times have you just ‘thrown in’ a pack of gum or a candy bar when checking out at the grocery store? Chances are, these items were not on your list when you left the house, but they were just so easily obtainable and cheap compared with the rest of your items in your basket. Your rationale could just simply be that your purchase is ‘no big deal’. In fact, this behavior can lead to more than you would expect — for the retailer.
Malicious actors know too that certain behaviors can be exploited for their gain. Just like retailers, the key is to get you to take actions without thinking about it too much.
In this next installment of our Armis ASQ series, we’ll explore how advertising network connections (intentional or not) can lead to trouble, and show you a couple of ways Armis is there to help you identify them.
If you missed earlier parts of this series, you can find them here and here.
Propping the Door is Still an Open Door
In my college days, I saw fellow dorm room inhabitants prop open side doors to keep from having to walk too far to enter a common area. You have probably also seen other examples like a janitor propping open a backdoor to take out the garbage so they don’t need another employee to open it again for them to get back in, or fire doors propped open in today’s health-safety conscious environment to avoid contact with their potentially-infected surfaces.
With this simple act of propping a door open, however, the protections for which the door was intended to safeguard in the first place are disabled. Might a similar action be happening on your network today?
In network security, propping open the door can be compared to the practice of network bridging. This includes when cross-network access is attainable through a secondary connection, for example, a trusted device on your corporate network opening a hotspot. We need to understand when devices on our trusted networks subsequently prop this door open. More than likely, these connections are not properly secured, and can allow unfettered access.
Since a solution like Armis is aware of all the connected devices within your environment, and can understand when, for example, SSIDs are being beaconed, it can alert you to a condition that could allow this bridged access. Below is an example of what such a query might look like:
In the above query, you’ll notice that we are looking for devices beaconing on the Guest network. You may be less concerned about a bridge on your Guest network, but remember, if you truly didn’t care about this landscape, you wouldn’t have protected it by putting an authentication requirement on it. When a device opens another path (as exemplified below), this protection may be bypassed, and that is worth investigating.
Connect Without Warning
The action of a WiFi hotspot popping up on your network is dangerous, but most likely created unintentionally by otherwise well-intentioned users. Let’s look at some possible ways that nefarious actors are intentionally advertising malicious wireless connections, and of course, how Armis can help identify them.
Actors leveraging automatic WiFi reconnections are not new, and while they rely on being within proximity of a target, they are still real-world attacks. Deauthentication (deauth) attacks are built on the premise that devices reconnect to known networks automatically. Specialized WiFi hardware has made these types of attacks, and spoofing an Access Point (AP), effortless.
Attackers who know the SSID that a target device connects to can easily advertise that SSID, send deauth packets to knock that device off its current connection, and then watch to see if the target connects back to the malicious AP. If unsuccessful, they just rinse and repeat until it does.
Lucky for us, there are actions we can take to look for and easily identify these rogue points of access, especially with the Armis Standard Query (ASQ) tool. By understanding your networks, SSIDs, and when beacons occur, you can use the Armis agentless security platform to be aware of when rogue APs appear. Below is an example of ASQ that is looking for:
- An SSID beacon starting
- A device that is not being managed by your WLC(s)
- A device that is not identified as an Access Point
- An SSID that contains ‘Armis’
- Time frame of 7 days
Lo and behold, in our example, we have APs that are not managed by a WLC, and that are beaconing SSIDs that look like official IDs. Investigation of those APs should begin immediately.
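The two queries described in this post (a trusted device that is also beaconing, which can bridge a network, and a non-WLC-managed, non-AP device beaconing a look-alike SSID within the last 7 days) both reduce to filters over a device inventory. The following is an added example that is not Armis code and does not use ASQ syntax: it expresses the same two rule sets in plain Python over a small, constructed set of beacon observations. The record fields (`managed_by_wlc`, `device_type`, `networks`, `beaconed_ssid`, `first_seen`) and the sample devices are assumptions made for this illustration, not the Armis data model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BeaconEvent:
    """One observation of a device advertising an SSID.

    Field names are assumptions for this example, not Armis's schema.
    """
    device_id: str
    device_type: str        # e.g. "Access Point", "Laptop", "Phone", "Unknown"
    managed_by_wlc: bool    # True when a wireless LAN controller owns the device
    networks: list[str]     # networks the device is already connected to
    beaconed_ssid: str      # SSID the device is advertising
    first_seen: datetime    # when the beacon was first observed


# Constructed clock and inventory; the values below are made up for the example.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

EVENTS = [
    # Corporate laptop on the trusted LAN that has switched on a hotspot.
    BeaconEvent("lap-01", "Laptop", False, ["Corporate"],
                "Johns-iPhone-Hotspot", NOW - timedelta(hours=2)),
    # Managed AP beaconing the guest SSID: expected, not a finding.
    BeaconEvent("ap-07", "Access Point", True, ["Corporate", "Guest"],
                "Armis-Guest", NOW - timedelta(days=30)),
    # Unknown, unmanaged device advertising a look-alike SSID two days ago.
    BeaconEvent("unk-42", "Unknown", False, [],
                "Armis-Corp", NOW - timedelta(days=2)),
    # Same pattern, but first seen 20 days ago (outside a 7-day window).
    BeaconEvent("unk-43", "Unknown", False, [],
                "Armis Secure", NOW - timedelta(days=20)),
    # Phone on the Guest network beaconing its own hotspot: a bridge off Guest.
    BeaconEvent("ph-09", "Phone", False, ["Guest"],
                "AndroidAP", NOW - timedelta(hours=1)),
]


def find_bridges(events, trusted_networks=("Corporate", "Guest")):
    """Devices on a trusted network that are also beaconing an SSID.

    A managed access point beaconing is normal. Any other device that is
    connected to a trusted network and advertising an SSID may be
    'propping the door open' by bridging that network to a second path.
    """
    return [
        e for e in events
        if e.device_type != "Access Point"
        and any(n in trusted_networks for n in e.networks)
        and e.beaconed_ssid
    ]


def find_rogue_aps(events, ssid_fragment="Armis",
                   window=timedelta(days=7), now=NOW):
    """Mirror the post's rogue-AP criteria as a filter.

    - beacon observed within the window (7 days by default)
    - device not managed by a WLC
    - device not identified as an Access Point
    - SSID contains the fragment (matched case-insensitively here, a choice
      made for this example)
    """
    cutoff = now - window
    return [
        e for e in events
        if not e.managed_by_wlc
        and e.device_type != "Access Point"
        and ssid_fragment.lower() in e.beaconed_ssid.lower()
        and e.first_seen >= cutoff
    ]


if __name__ == "__main__":
    for e in find_bridges(EVENTS):
        print(f"possible bridge: {e.device_id} on {e.networks} beacons {e.beaconed_ssid!r}")
    for e in find_rogue_aps(EVENTS):
        print(f"possible rogue AP: {e.device_id} beacons {e.beaconed_ssid!r} "
              f"first seen {e.first_seen:%Y-%m-%d}")
```

Run against the constructed inventory, the bridge rule flags the corporate laptop and the phone on Guest (both non-AP devices on a trusted network that are beaconing), while the rogue-AP rule flags only `unk-42`; `unk-43` matches every criterion except the time window, which is why the window is a parameter rather than a constant, so an analyst can widen it when reviewing older observations.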
Conclusion
We’ve seen a couple of examples here of some of the WiFi hijinks that you may encounter on your networks, and how, by using the ASQ tool, you can detect them when and where they occur. Traditionally, getting these details would be difficult and decentralized, as typical WLC management interfaces are not optimized for the function of alerting, or are spread across multiple geographies. Armis brings these to the forefront using its seamless alerting, either in the application interface itself or as a feed to a SIEM integration. Additionally, due to its unique vantage point over the entire network and its sites and boundaries, locating and troubleshooting the device in question is effortless. Of course, these are just a couple of examples of how using the Armis agentless device security platform can make your life easier – there are certainly many, many more.
We hope you will find your own quick and easy ways to investigate the comings and goings of connected devices communicating on your networks using the Armis ASQ tool.
For a full demonstration of the Armis agentless device security platform, please visit www.armis.com/demo.