At their core, delivery services do one thing -- they deliver goods.
While you may have choices as to who you want to hire to perform this service, and while the methods to achieve the end result may differ, their service boils down to getting a package from one point to another. And when things go awry and your package doesn’t arrive as planned, it’s helpful to be able to search for answers as to where your package is and when you can expect it to be delivered.
Let’s see how Armis can provide insight into your delivery services...
Of course, we are metaphorically speaking here. In part 2 of our series we’ll be talking about the services available in our electronic world, and how we can leverage the Armis Standard Query (ASQ) tool to search for information about device behaviors and anomalous service usage we wouldn’t expect.
If you missed part 1 on finding devices by model and their users, you can find it here.
Poor Device Behavior
Almost all networks have some devices where certain usage should be strictly limited to only specific, approved actions; and having the right tools that allow you to quickly and easily understand the behavior of offending devices is a security professional’s dream. Behavioral analysis, particularly for unmanaged or IoT devices, is difficult if not impossible with traditional tool sets because accurate information about them - if it even exists at all - likely exists in many different systems that don’t work well or “talk” with one another. They can include, but are not limited to things like engineering workstations managing industrial control systems or point-of-care workstations used to manage patient data in hospitals. Restricted service usage or behavior could include things such as using web services like Instagram or TikTok on an engineering workstation from where business-critical manufacturing ICS elements are controlled. As a reminder, an Internet accessible engineering workstation was an attack vector used for the Triton malware that was used to shut down an oil refinery in 2017.
Often, these policy violations are thought to already be closed down by current security controls; yet, loopholes such as misconfigurations can be present that allow these actions to occur. At other times, users may intentionally subvert those same controls. This makes monitoring for these out-of-policy or anomalous behaviors necessary.
As the saying goes, ‘knowing is half the battle’ and knowing when this type of activity is occurring will allow security teams to quickly identify and rectify the situation. ASQ helps those security teams uncover these behaviors and allow for not only the identification of the activity, but also to help cross-reference those users who violated those policies.
In the below example, I walk through how someone could do this through the Facebook app being open on MRI machines. This sample query could be used in combination with other services that are prohibited, or conversely against a list of whitelisted services. Let’s first look at a query for finding the prohibited service on an unmanaged device.
If results are then found, you can drill down into the services, and filter further using time frames. This may allow you to identify a window of time in which potential users may have been using a shared machine. This could then allow for the education of the user as to why this behavior is prohibited. In the below view, you can see the spikes and dips at certain times, which may allow for targeted user correlation.
What about those services that are expected to be used within your environment? How might one be able to look at this traffic and understand if it is malicious?
Monitoring the traffic patterns of connection protocol’s like SSH is invaluable for uncovering unexpected connections, suspicious activity, or potential misconfigurations. Instances where these services are improperly left available can open doorways for malicious activity. This can be especially true if these services are available remotely and are secured by weak passwords or no password protection.
If you are looking, the clues may present themselves readily. For example, high spikes in traffic volume can indicate malicious activity. Service usage at hours that are unexpected may be another. Lastly, the mere presence of service usage on a restricted device could raise an immediate flag.
Leveraging ASQ, you can view activity volume inbound and outbound, view latency or packet loss, packet counts, retransmits, and/or jitter for a specific time frame, including when the service was first seen and last seen.
Let’s start with a simple query that shows the traffic for the last seven days on ports 22 and 2222, which are used for SSH communications. ASQ allows you to add a time frame of your choice, and you could save this query as a report to be automatically delivered to your inbox on a schedule for your review. Below you see the query we will use:
Once you have the results, let’s investigate some reasons SSH hosts may be highlighted for further investigation. In the below view, we will filter based on total traffic volume, and immediately are presented with an internal host that has large amounts of inbound and outbound traffic. If SSH traffic is NOT expected for this host, this would immediately raise a flag. If SSH WAS expected on this host; however not this much traffic then you would want to investigate further. Lastly, if the devices to which this host is communicating with were external devices, and that was not expected behavior, you should investigate why. Any of these scenarios could point to the aforementioned clues quickly and easily with just a single query
As you’ve seen, finding useful information does not mean you have to have complicated queries using the ASQ tool. Its uses are limited only by the ways you can think of to slice and dice the bounty of data that the Armis agentless device security platform provides. And with all this device and behavioral data at your fingertips, you no longer have to search through multiple tools and data sources. With the ASQ tool you can investigate and respond quickly. In our next installment of the series, we’ll look at two more interesting ways you can use this data and harness the power of the ASQ.
Until then, we hope you’ll find your own quick and easy ways to investigate the comings and goings of devices communicating on your networks using Armis ASQ.
For a full demonstration of the Armis agentless device security platform, please visit www.armis.com/demo.