National Cyber Warfare Foundation (NCWF) Forums

Isolating potentially rogue devices

1 user ratings
2021-06-05 17:35:17
Blue Team (CND)

 - archive -- 
Placing things into a glass jar... well cyber glass jar.

One of the cool things our Cyber Warfare Range technologies allows us to do is to place things into a glass jar. In other words, isolate it, but see everything it does/tries to do.

One of our volunteers told us about a device running on their network. It was a surveillance DVR that was calling home a lot and has some other suspicious behaviors.

So we placed it into a glass jar.

What we found is how the device behaves when it does not necessarily know it has been isolated. The results were interesting. Within a few minutes the device started behaving differently. It looked like it was trying to figure out if it had been isolated. however, our technologies were able to keep it contained. We sent the data over to our CWR ISAO, now the CWR ISAO clients will be able to easily identify these devices and their activity.

We picked up some new heuristics, malicious domain names, bad ip addresses, and a great opportunity for our team to learn more about uncovering covert monitoring/surveillance devices.

We suspect this is a much more common problem than people realize.

The volunteer identified the potentially rogue activity via our "sniffer". It flagged the activity. The flag was thrown based on the networking hardware using an invalid MAC address. We then placed the device inside one of home based Cyber Warfare Ranges. This gave us control over the DNS and DHCP for the device. next we tailed the logs looking for the device's communications.

We saw the device was up to no good. So we then cracked into the ssh shell that was enabled on the device. It is using a proprietary Linux.

The rest of what we did will likely be classified by now, so we will end the story there. However, much more happened in our investigation.

new comment
Nobody has commented yet. Will you be the first?
Blue Team (CND)

© Copyright 2012 through 2023 - National Cyber War Foundation - All rights reserved worldwide.