Axonius
How to Find Rogue Devices On Privileged Networks

While the definition of a “rogue device” varies widely, a consensus definition would include at least three elements:

  • A device that is on a privileged network
  • A device that is not expected to be on the network
  • A device that is or has the potential to be used for malicious intent

Although some vendors define rogue devices as “just plain malicious in nature,” this strict definition omits devices like the “rogue Raspberry Pi that allowed criminals to access NASA JPL systems.” So for the purposes of this article, we’re talking about devices on privileged networks that are not supposed to be there and may be used for malicious intent. 

Challenges Identifying Rogue Devices On Privileged Networks

The biggest challenge in identifying rogue devices on privileged networks is the lack of information about the device and its context. This makes it difficult to identify which devices are not supposed to be on the privileged network.

Security Implications of Finding Rogue Devices On Privileged Networks

The NASA JPL breach is a great example of a rogue device on a privileged network that was exploited to exfiltrate data:


“A Raspberry Pi that was not authorized to be linked to the JPL network was targeted by hackers. The attackers were able to steal 500 megabytes of data from one of its major mission systems, and they also used that chance to find a gateway that allowed them to go deeper into JPL’s network.”

— Mariella Moon, Engadget

Proactively identifying rogue devices on privileged networks, and taking the appropriate action, is the only way to ensure that only the right devices have access.

Data Sources Needed To Find Rogue Devices On Privileged Networks

  • Network/Infrastructure Data: connecting to the network infrastructure lets you see the devices that are known to the network
  • IAM Solutions: services like Active Directory or Azure AD that authenticate and authorize users and devices
  • Configuration Management Tools: SCCM and Jamf Pro
  • Virtualization Tools: show all VMs in the environment
  • Vulnerability Scanner Console: by connecting to the admin console of the vulnerability scanner, you can see all devices that are known and that are being scanned

Finding Rogue Devices On Privileged Networks 

When looking for rogue devices using Axonius, you can build simple queries ranging from the broadest possible scenario to the most detailed.

Let’s take a look at a query to find rogue devices on privileged networks. The query below looks for the following: devices on a Fortigate network, not in VMware, not in Active Directory, not in Hyper-V, not in Jamf Pro, and last seen in Axonius within the past four days.

(adapters_data.fortigate_adapter.id == ({"$exists":true,"$ne":""})) and not (adapters_data.esx_adapter.id == ({"$exists":true,"$ne":""})) and not (adapters_data.active_directory_adapter.id == ({"$exists":true,"$ne":""})) and not (adapters_data.hyper_v_adapter.id == ({"$exists":true,"$ne":""})) and not (adapters_data.jamf_adapter.id == ({"$exists":true,"$ne":""})) and specific_data.data.last_seen >= date("NOW - 4d")

This query can also be represented in the Axonius Query Wizard as:

Here are the results:

That query will return all rogue devices on any Fortigate network, and we can add filter criteria to show only devices that are not on the guest network using the following:

(adapters_data.fortigate_adapter.id == ({"$exists":true,"$ne":""})) and not (adapters_data.esx_adapter.id == ({"$exists":true,"$ne":""})) and not (adapters_data.active_directory_adapter.id == ({"$exists":true,"$ne":""})) and not (adapters_data.hyper_v_adapter.id == ({"$exists":true,"$ne":""})) and not (adapters_data.jamf_adapter.id == ({"$exists":true,"$ne":""})) and specific_data.data.last_seen >= date("NOW - 4d") and not adapters_data.fortigate_adapter.interface == regex("guest", "i")

This query can also be represented in the Axonius Query Wizard as:

Here are the results:
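The logic behind both queries is a set difference: take every device the network layer (the Fortigate adapter) has seen recently, subtract every device that at least one management source (ESX, Active Directory, Hyper-V, Jamf) already knows, and optionally drop devices on the guest segment. The following Python script is an added example, not Axonius code and not its query engine; it reproduces that correlation over a small constructed inventory whose field names (adapters_data.<adapter>.id, last_seen, the Fortigate interface name) are a simplified assumption modelled on the queries above. It also shows the edge case encoded by the "$ne": "" clause: an adapter record with an empty id does not count as the device being known.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Fixed "now" so the example is deterministic (constructed value).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample inventory. The field names mirror the query above but are
# a simplified assumption, not the real Axonius export format.
DEVICES = [
    {   # seen by the FortiGate and joined to Active Directory: expected
        "hostname": "corp-laptop-01",
        "last_seen": NOW - timedelta(hours=3),
        "adapters_data": {
            "fortigate_adapter": {"id": "fg-1001", "interface": "corp-lan"},
            "active_directory_adapter": {"id": "ad-7781"},
        },
    },
    {   # seen by the FortiGate and known to ESX: expected
        "hostname": "esx-vm-22",
        "last_seen": NOW - timedelta(days=1),
        "adapters_data": {
            "fortigate_adapter": {"id": "fg-1002", "interface": "server-vlan"},
            "esx_adapter": {"id": "vm-22"},
        },
    },
    {   # seen only by the FortiGate; the empty Jamf id does not make it "known"
        "hostname": "raspberry-pi-unknown",
        "last_seen": NOW - timedelta(days=1),
        "adapters_data": {
            "fortigate_adapter": {"id": "fg-1003", "interface": "corp-lan"},
            "jamf_adapter": {"id": ""},
        },
    },
    {   # unmanaged, but on the guest interface: dropped by the second query
        "hostname": "guest-phone-17",
        "last_seen": NOW - timedelta(hours=6),
        "adapters_data": {
            "fortigate_adapter": {"id": "fg-1004", "interface": "Guest-WiFi"},
        },
    },
    {   # unmanaged but last seen 10 days ago: outside the 4-day window
        "hostname": "stale-printer",
        "last_seen": NOW - timedelta(days=10),
        "adapters_data": {
            "fortigate_adapter": {"id": "fg-1005", "interface": "corp-lan"},
        },
    },
    {   # known to ESX only, never seen by the FortiGate: out of scope
        "hostname": "cloud-only-vm",
        "last_seen": NOW - timedelta(hours=1),
        "adapters_data": {"esx_adapter": {"id": "vm-90"}},
    },
]

# Management sources whose knowledge of a device marks it as expected; these
# are the "not (adapters_data.<x>.id exists)" clauses of the query.
TRUSTED_ADAPTERS = ("esx_adapter", "active_directory_adapter",
                    "hyper_v_adapter", "jamf_adapter")


def seen_by(device: dict, adapter: str) -> bool:
    """Equivalent of adapters_data.<adapter>.id == {"$exists": true, "$ne": ""}."""
    return bool(device.get("adapters_data", {}).get(adapter, {}).get("id"))


def find_rogue_devices(devices, network_adapter: str = "fortigate_adapter",
                       trusted_adapters=TRUSTED_ADAPTERS,
                       max_age: timedelta = timedelta(days=4),
                       exclude_interface_regex: Optional[str] = None,
                       now: datetime = NOW) -> List[str]:
    """Return hostnames the network has seen that no trusted source knows.

    A device is rogue when the network adapter has seen it, none of the trusted
    adapters have, it was seen within max_age, and (optionally) its interface
    name does not match exclude_interface_regex (case-insensitive).
    """
    cutoff = now - max_age
    rogue = []
    for device in devices:
        if not seen_by(device, network_adapter):
            continue  # not on the privileged network at all
        if any(seen_by(device, a) for a in trusted_adapters):
            continue  # a management source vouches for it
        if device["last_seen"] < cutoff:
            continue  # stale record, outside the "last seen" window
        if exclude_interface_regex:
            iface = device["adapters_data"][network_adapter].get("interface", "")
            if re.search(exclude_interface_regex, iface, re.IGNORECASE):
                continue  # guest segment, deliberately out of scope
        rogue.append(device["hostname"])
    return rogue


if __name__ == "__main__":
    print("Rogue on any FortiGate network:", find_rogue_devices(DEVICES))
    print("Excluding guest interfaces:",
          find_rogue_devices(DEVICES, exclude_interface_regex="guest"))
```

Run as-is, the first call returns the Raspberry Pi and the guest phone (the printer is excluded by the four-day window, the cloud VM was never seen by the firewall); the second call, which mirrors the "not interface == regex('guest', 'i')" clause, returns only the Raspberry Pi. In a real deployment the trusted adapter list is the part to review: any management source missing from it turns every device it manages into a false positive.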

Taking Action On Rogue Devices 

Any time a rogue device is identified, security teams need to be told automatically and then take action to remove the device from any privileged network. The Axonius Security Policy Enforcement Center allows customers to determine which automated action to execute.

The Axonius Security Policy Enforcement Center

Highlighted actions include:

  • Block Device in Firewall: block the rogue device at the firewall level
  • Notify: let someone know about the device via email, Slack, Syslog, or CSV
  • Create an Incident: create an incident using a ticketing system like ServiceNow, Jira, or Zendesk
  • Enrich Device Data: find out what is publicly known about the device using data from Shodan, Censys, or Portnox

Finding Rogue Devices On Privileged Networks

With that said, we’ve created a video that outlines Finding Rogue Devices on Privileged Networks here:

And as always, if you’d like to see a custom demo to better understand how Axonius can help your organization solve the asset management challenge, request a demo here.
