GUEST ESSAY: Leveraging real-time visibility to quell persistent ‘take-a-USB-stick-home’ attacks

By Ben Smith

Each of us has probably sat through some level of cybersecurity awareness training during our professional lives.

Related: Dangers of spoofed QR codes

Stop and think before you click on a link within an email from an unexpected source. Don’t re-use a password across multiple sites. Beware over-sharing personal information online, especially on social media platforms. All good advice!

When we sit back and think about the target audience for this training, much of this advice is designed to reach the busy or distracted employee who postpones laptop software updates or who copies sensitive or who copies proprietary information to a USB stick and takes it home.

Irresistible lure

This classic take-a-USB-stick-home scenario has been around for a couple of decades. The careless employee places the information on that stick at considerable risk of theft or even outright loss. But have you thought about the potential impact of an adversary introducing a USB stick to a curious employee?

Consider an employee who leaves the office or the house in the middle of the day to grab lunch somewhere nearby. They place their order, get their food, and because it’s a nice day, they grab a table outside.

But today’s lunch run has a new ingredient: a lonely, presumably lost USB stick sitting on the ground. Even better, there is an especially delicious label on the stick: “Upcoming RIF” or “Executive Strategy PPT” or “Post-Acquisition Plans?”

Dedicated adversaries


Sound far-fetched? Think about this from the perspective of the bad guys. Most companies have multiple IT/security layers of defense in place designed to keep bad actors out, and to prevent good actors inside the company from making mistakes. If a bad actor can’t get in through the front door, maybe there is some other way to initiate an attack.

Wouldn’t a dedicated adversary consider a location known to be visited by employees of the company they are targeting, like a nearby restaurant where many employees eat daily? Or how about a USB stick left at some other plausible location like a hotel or your local print shop?

The employee picks up the stick, carries it back into the office, and plugs it in. The malware installs itself to the now-infected laptop, and the attack is underway.

In most cases, determining how the malware gets onto one of your machines takes a back seat to remediating, or cleaning up, that infected machine. You need to put out that fire as quickly as you can, before that fire spreads across the network to other machines and servers.

Staged attacks

If there is any good news in this scenario, it’s this: most malware is designed to communicate back to the adversary at some stage of the cyberattack. Perhaps it needs to contact the mother ship which may have additional instructions or code for that malware to deliver.

That initial broadcast or beaconing message is often a simple one, announcing the equivalent of “I’ve been installed successfully, what’s the next step?” Or perhaps the malware has already completed its mission and is ready to send out or exfiltrate the information it has collected.

Ongoing forensics

It’s at this critical stage that comprehensive, real-time visibility across your environment is so important. Many organizations keep logs sourced from devices and applications scattered throughout their IT environment; depending on your industry, this may be a regulatory requirement. But logs are not nearly enough.

Mature organizations are also collecting and storing their network traffic for potential forensic use in support of a future investigation. It’s very powerful to be able to produce an authoritative answer to the question, “What network traffic was moving through this part of my infrastructure ten days ago?” Being able to “replay” that activity is often the only way to piece together what was actually happening as the attack rolled forward.

Factor this scenario into your awareness training, and more importantly, ensure that the visibility you have into your environment is not just a collection of logs. Network-level visibility is the highest-fidelity source available to you and your security team today. Only by seeing what’s on your network, both right now and from the recent past, can you detect and respond to real-time incidents in the fastest and most comprehensive way.

About the essayist: Ben Smith is Field Chief Technology Officer with NetWitness, a threat detection and response firm. His prior employers include RSA Security, UUNET, and the US Government, along with several technology startups.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone