Hardware Additions

From enterprise
Jump to: navigation, search
Hardware Additions
Technique
ID T1200
Tactic Initial Access
Platform Linux, Windows, macOS
Data Sources Asset Management, Data loss prevention

Computer accessories, computers or networking hardware may be introduced into a system as a vector to gain execution. While public references of usage by APT groups are scarce, many penetration testers leverage hardware additions for initial access. Commercial and open source products are leveraged with capabilities such as passive network tapping1, man-in-the middle encryption breaking2, keystroke injection3, kernel memory reading via DMA4, adding new wireless access to an existing network5, and others.

Mitigation

Establish network access control policies, such as using device certificates and the 802.1x standard.6 Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems.

Block unknown devices and accessories by endpoint security configuration and monitoring agent.

Detection

Asset management systems may help with the detection of computer systems or network devices that should not exist on a network.

Endpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports.