When A Duck Is Not A Duck But A Security Risk

Category : Business | Sub Category : News Posted on 2021-12-05 19:59:05


If it sounds like a duck, walks like a duck and quacks like a duck, it may still not be a duck…

Compromising a target through a hardware or software replacement attack used to be, in some scenes, a legitimate way to snoop on one's adversaries.

However, a trend is emerging of this method being used as an ATT&CK vector, so how do you protect against it?


  • Mark your equipment in a way that is unique to you (a sticker on the back or a specific mark at a specific location).

Check this each day; specific types of car, home or office break-ins can be replacement actions.


  • After switching your equipment on for the first time (in a working day), mistype your credentials once or twice.

Replaced equipment often uses a different authentication module which accepts anything for the purpose of interception.


  • Should your desktop look different than what you're used to, or strange programs appear, consider yourself compromised.

Deliberate profile corruption is used to keep you busy while data is being compromised or stolen in the background.


  • For IT departments: even though it is handy to buy in bulk for all employees, it is strongly recommended to have no more than 20 of the same model. Recent Windows 10/11 versions have many more abilities to stream drivers for distribution of a single (master) image.

When an attacker does not know exactly who has which model, a replacement attack becomes much harder to carry out and easier to detect.


  • For employees who travel or are considered high profile, make sure their equipment is not the company standard.

Defeat the attacker at their own game.


  • Enhance your detection for BitLocker or VeraCrypt events.

Make yourself aware of any replacement or (HDD) copy attempt (MSP, MSSP).
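
The daily mark check and the mistyped-credential test above can be recorded and compared against what was noted when the device was handed out. The following is an added example, not part of the original post: a small Python comparison of a daily check-in report against an enrolment baseline. The field names, the asset tag and all sample values are assumptions constructed for illustration.

```python
# Added example: hypothetical field names, constructed sample data.
from dataclasses import dataclass

# Identifiers recorded at enrolment (assumed; any stable hardware ID works).
ID_FIELDS = ("chassis_serial", "disk_serial", "tpm_ek_sha256", "owner_mark")

@dataclass(frozen=True)
class Finding:
    asset: str
    reason: str

def check_in(baseline: dict, report: dict) -> list[Finding]:
    """Compare one daily check-in report against the enrolment baseline."""
    asset = report.get("asset_tag", "<missing>")
    enrolled = baseline.get(asset)
    if enrolled is None:
        return [Finding(asset, "asset tag not enrolled")]
    findings = []
    for field in ID_FIELDS:
        seen = report.get(field)
        if seen is None:
            # A missing value counts as a mismatch, never as a pass.
            findings.append(Finding(asset, f"{field} not reported"))
        elif seen != enrolled[field]:
            findings.append(Finding(asset, f"{field} changed"))
    # The deliberate wrong-password test: the login must have been rejected.
    if report.get("wrong_password_rejected") is not True:
        findings.append(Finding(asset, "wrong password was not rejected"))
    return findings

# Constructed sample data.
BASELINE = {
    "LT-0042": {"chassis_serial": "CH-EXAMPLE-1", "disk_serial": "DK-EXAMPLE-1",
                "tpm_ek_sha256": "aa11-example", "owner_mark": "blue dot, left hinge"},
}
GENUINE = {"asset_tag": "LT-0042", **BASELINE["LT-0042"],
           "wrong_password_rejected": True}
SWAPPED = {"asset_tag": "LT-0042", "chassis_serial": "CH-EXAMPLE-1",
           "disk_serial": "DK-EXAMPLE-9", "owner_mark": "blue dot, left hinge",
           "wrong_password_rejected": False}

if __name__ == "__main__":
    for name, rep in (("genuine", GENUINE), ("swapped", SWAPPED)):
        for f in check_in(BASELINE, rep) or [Finding(rep["asset_tag"], "ok")]:
            print(name, f.asset, f.reason)
```

A report that omits an identifier is flagged just like one that changes it, so a device that reports less than the original did cannot pass by staying silent.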

As always, be vigilant and alert; it’s not about the normal attacks anymore, and it never really has been.