SRC's Spoofed Laptops Bypassing MACsec

A Sepio customer, who deployed a NAC solution, implemented a MAC based security policy. When challenging his cybersecurity posture during a periodic penetration testing session by his red team, he discovered that malicious actors conducting spoofing attacks could easily bypass their security measures. How do you close this visibility gap?

Let’s follow a Spoofing use case scenario.

A rogue agent, Mr. X, intends to infiltrate SecureCorp, a high-profile organization with stringent cybersecurity measures in place. He knows that gaining physical access to the network is often easier than remote penetration. Especially if he can engage in spoofing to make his computer to look like a legitimate organizational device.

Act 1: Infiltration

1. Using network sniffing tools (i.e., passive tap, unmanaged switch hub), he manages to capture a MAC address of a legitimate device connected to SecureCorp’s network.

2. Mr. X then clones this MAC address onto his unauthorized computer. Believing this would grant him undetected access to the organization’s resources.

Act 2: First Line of Defense

As Mr. X connects his computer to the SecureCorp network, the NAC (Network Access Control) system scans the device and approves it (so do other security solutions that rely on L2, and above, data and traffic). Mr. X can engage in spoofing the MAC address. Creating the same port mapping façade (so that Nmap or other port mapping would not trigger an alert). Traffic wise, it looks pretty much the same (Mr. X is very cautious in his network activity, being patient, and manipulating or injecting traffic in a covert way).

Act 3: Spoofing Unveiled with Sepio’s Intervention

1. Sepio’s solution evaluates the physical layer characteristics of the device, detecting potential spoofing attempts. Every hardware asset has a unique “Asset DNA” (Asset Risks). A superset set of vectors that identify the asset, delivering vendor name, product name, and additional information that goes beyond MAC addresses or IP configurations.

2. Sepio’s platform, immediately recognizes the discrepancy between the cloned MAC address and the asset’s physical characteristics.

3. An alert is generated, indicating the presence of a potentially unauthorized device engaged in spoofing. It provides detailed information about the asset’s connection point, its physical attributes, and a comparison with the legitimate device that shares the same MAC address – followed up with recommended actionable measures.

Act 4: Rapid Response to a Spoofing Incident

1. SecureCorp’s cybersecurity team receives the alert and quickly isolates the suspicious device engaged in spoofing from the network.

2. Surveillance cameras identify Mr. X in the act, and security personnel apprehend him.

3. The rogue device is confiscated and further analyzed for potential threats and intelligence gathering.

Outcome

Thanks to the multi-layered cybersecurity measures in place, especially Sepio’s unique capability to detect discrepancies at the physical layer, which NO OTHER SOLUTION CAN DETECT, SecureCorp manages to prevent a potentially devastating security breach.

This incident serves as a testament to the importance of not solely relying on superficial data (like MAC addresses) and highlights the need for deep, hardware-level analysis to ensure network security.