Smart Devices During A Breach: Threat, Exposure and A Source Of Forensic Data During Incident Response

Brief

Smart devices add exposure and threat during a breach and are a source of intelligence and forensic data during incident response.

Issue
A common challenge in any incident response is figuring out how access was gained, which vulnerability or exploits were used, and how to prevent a recurrence. Many breaches are not single events, but the end of a long series of probes, penetrations, and exfiltrations. The reality is that we are often dealing not with “a breach,” but a series of incidents that can have been going on longer than many realize.

The explosion of smart devices creates many more opportunities not only to reveal the information but for attack vectors. A “phishing” email might be read on an employee’s cell phone and not directly breach a corporate system. But, it might install malware on that phone so the next time it is in WiFi or Bluetooth proximity of a business network the malware starts searching for new opportunities. This shifts what would have been an external penetration to an internal one.

Impact
The specific impact to InGuardians customers is relatively low.

The real challenge is in mapping the many additional connections to your networks, and identifying where such connections are logged – if at all. You cannot effectively investigate the cause or source of a breach if you do not have a clear record of the network.

Recommendations
InGuardians recommends regular review of network architecture as it develops, not merely as planned. Systems and connections often grow organically and in creeping increments, and too often expedient solutions are imperfectly documented. It is important to know what the network looks like today, to know where device access logs are stored, and whether they have ever been reviewed.  InGuardians highly recommends robust egress filtering and monitoring.

InGuardians also recommends reviewing the policy for the devices managed by your organization.  Secretary of Defense Mattis is reconsidering DoD’s policies for every personal electronic device that “transmits a two-way signal”.  That’s much more than just cell phones, but you should at least know WHAT you allow.

Additional Resources

http://www.nextgov.com/policy/2018/01/pentagon-reviewing-electronic-device-policy/145625/