
Static Devices and Detecting Deviations

There are many IP devices connected to networks that aren't workstations or servers. Printers, phones, cameras, sensors, industrial devices and the like are likely to be found on most networks.

These devices are often difficult to secure: it is hard to install agents or trusted certificates on them, and they may not receive timely updates for software vulnerabilities.

Observable's Endpoint Modeling is well suited to monitoring these "Internet of Things" devices. Because their behavior is usually very predictable, subtle changes in behavior (which might indicate compromise) can be identified without producing a flood of nuisance alerts.

Changes in connectivity

Observable treats devices that do the same thing over and over again as a special category, "Static Devices." When one of them breaks its pattern and does something concerning, the service generates an alert.

In this example, a normally static network device showed two changes in behavior: it sent out more data than usual (more than twice its baseline), and it made a connection it does not normally make:

In the “Static Connection Set Deviation” observation we can see that it normally connects to 10.20.6.4 only, but on 2016-11-16 it connected to 10.20.4.250 also.

The Device page (available via the Source dropdown) shows how the behavior has shifted:


Notice that the pink line (Connections) was flat for most of the period, but it jumped up on 2016-11-16.

Changes in behavior

Other alerts fire for devices that start sending or receiving traffic with an unusual protocol. For example, this alert is for a device that typically only uses ports 137 and 138 (NetBIOS name service and datagram service, typical Windows intranet traffic). However, on 2016-11-13 it started using port 445 (SMB, or Windows File Sharing) and port 3389 (RDP, or Windows Remote Desktop):


The Traffic page (available via the link) shows the details of the new sessions:


Notice that our device is now being remote-controlled over Remote Desktop and that 470 MB has been retrieved from it by the "Connected IP." If we don't know why our device is servicing these connections, we will probably want to take it off the network and examine its logs to determine whether sensitive data was exfiltrated.
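The two checks described above, a baseline of peers and ports that a static device normally talks to, plus a daily byte-volume comparison, can be expressed in a few dozen lines. The block below is an added example written for this post; it is not Observable's Endpoint Modeling code and does not reproduce its scoring. The flow records, the device address 10.20.6.50, the workstation 10.20.6.77 and the thresholds (at most 3 peers and 4 ports to count as "static", a 2x volume factor) are all constructed assumptions.

```python
"""Baseline-and-deviation check for a static device.

Added example, not Observable's code. Flow records are constructed inline
so the script runs offline; in practice they would come from NetFlow/IPFIX
or a flow sensor. Only traffic *sent by* the device (src == device) is
modelled, which is enough to reproduce the two alerts discussed in the post.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    day: str        # YYYY-MM-DD
    src: str        # source address
    dst: str        # destination address ("Connected IP")
    dport: int      # destination port
    bytes_out: int  # bytes sent by src in this flow


# --- constructed sample data (hypothetical addresses, not from the post) ---
DEVICE = "10.20.6.50"        # a normally static device
WORKSTATION = "10.20.6.77"   # a chatty host, for contrast
BASELINE_DAYS = ["2016-11-%02d" % d for d in range(10, 16)]  # 10th..15th

FLOWS = []
# Baseline: the device only ever talks to 10.20.6.4 on 137/138, ~1 MB/day.
for day, vol in zip(BASELINE_DAYS,
                    [900_000, 1_000_000, 1_100_000, 950_000, 1_050_000, 1_000_000]):
    FLOWS.append(Flow(day, DEVICE, "10.20.6.4", 137, vol * 2 // 5))
    FLOWS.append(Flow(day, DEVICE, "10.20.6.4", 138, vol - vol * 2 // 5))
# Deviation day: a new peer appears, on SMB and RDP, and volume jumps.
FLOWS += [
    Flow("2016-11-16", DEVICE, "10.20.6.4", 137, 400_000),
    Flow("2016-11-16", DEVICE, "10.20.4.250", 445, 1_500_000),
    Flow("2016-11-16", DEVICE, "10.20.4.250", 3389, 900_000),
]
# A workstation talking to many peers should not be treated as static.
FLOWS += [Flow("2016-11-12", WORKSTATION, dst, 443, 50_000)
          for dst in ("203.0.113.10", "203.0.113.20", "198.51.100.5", "10.20.6.4")]


def build_baseline(flows, device, baseline_days):
    """Return (peer set, port set, median daily bytes sent) over the window."""
    peers, ports = set(), set()
    daily = defaultdict(int)
    for f in flows:
        if f.src != device or f.day not in baseline_days:
            continue
        peers.add(f.dst)
        ports.add(f.dport)
        daily[f.day] += f.bytes_out
    vols = sorted(daily.values())
    median = vols[len(vols) // 2] if vols else 0  # upper median, 0 if no data
    return peers, ports, median


def is_static(flows, device, baseline_days, max_peers=3, max_ports=4):
    """A device is 'static' if its baseline peer and port sets are tiny."""
    peers, ports, _ = build_baseline(flows, device, baseline_days)
    return bool(peers) and len(peers) <= max_peers and len(ports) <= max_ports


def detect_deviations(flows, device, baseline_days, day, volume_factor=2.0):
    """Compare one day's traffic from `device` against its baseline.

    Returns a dict with the new peers, new ports, the ratio of the day's
    bytes to the baseline median, and whether that ratio exceeds the factor.
    Raises ValueError if the device has no baseline at all.
    """
    peers, ports, median = build_baseline(flows, device, baseline_days)
    if not peers:
        raise ValueError("no baseline traffic for %s" % device)
    todays = [f for f in flows if f.src == device and f.day == day]
    total = sum(f.bytes_out for f in todays)
    ratio = total / median
    return {
        "new_peers": sorted({f.dst for f in todays} - peers),
        "new_ports": sorted({f.dport for f in todays} - ports),
        "bytes_ratio": ratio,
        "volume_exceeded": ratio > volume_factor,
    }


if __name__ == "__main__":
    for dev in (DEVICE, WORKSTATION):
        print(dev, "static" if is_static(FLOWS, dev, BASELINE_DAYS) else "not static")
    print(detect_deviations(FLOWS, DEVICE, BASELINE_DAYS, "2016-11-16"))
```

Run as-is and the device is classified static, the workstation is not, and 2016-11-16 reports 10.20.4.250 as a new peer, 445 and 3389 as new ports, and a byte ratio of 2.8 against the baseline median. The same check on 2016-11-15 returns empty lists and no volume excess, which is the "no nuisance alerts" property the post relies on: a device that only ever does one thing gives a detector almost nothing to false-positive on.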

Protecting static devices

Alerts from Observable about static devices changing their pattern of operation should prompt you to review how they’re secured.

For a device that goes from serving one set of connections to a new set, examine your firewall configuration: restricting the static device to the peers it legitimately needs limits what an attacker can do with it, both before and after a compromise. For example, if your IP camera starts sending its data feed to a new location, it might be participating in a DDoS attack; you should isolate it from the outside world.

For a device that starts interacting on a protocol it has not used before, you may want to reconfigure it to reduce its attack surface. For example, if your network printer allows files to be uploaded via FTP but you never use this feature, you should turn it off: the server daemon may have as-yet-unknown vulnerabilities, and a service nobody uses is one that nobody is watching.
