Written by Damien Lewke of Crowdstrike
Social engineering continues to be exploited by hackers and feared by security teams. Due to attackers’ subtlety and users’ natural curiosity, hackers succeed daily in baiting users to click on a link or answer a phishing email. Baiting is a highly successful technique that relies on an organization’s weakest security link: the end user. This type of attack is so effective that it is used in over half of all successful breach attempts today.
“Lost” and Found: The USB Drop Attack
A favorite variant of baiting is the USB drop attack, which involves tricking a user into physically picking up a malware-loaded USB device and plugging it into an endpoint. This attack is particularly devastating because removable media can breach any network, from a university to the International Space Station.
The malicious reprogramming and dropping of a USB device can be accomplished in three ways:
- Malicious Code: Attackers place malicious code on a USB device; the code is auto-executed when the device is plugged in, or runs when the user clicks on a disguised malicious file after the device is inserted. The code can install anything from a worm to a remote access trojan, immediately infecting the endpoint and giving the attacker a beachhead for downloading additional malware.
- Watering Holes: In addition to the social engineering methods used in the initial drop attack, opening a malicious HTML file on an infected USB can lead the victim to a watering hole site where they unknowingly enter personally identifiable information (PII).
- Human Interface Device Spoofing: In a more sophisticated attack, the device itself is designed to look like a USB drive, but it behaves like an entirely different device, such as a USB keyboard, which can then be used to inject keystrokes that give an attacker remote access to an endpoint.
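The three variants above differ in what the device presents to the host, which is exactly what a device-control layer can inspect before anything on the device runs. The following added example (not CrowdStrike or Falcon code) models that decision from a defender's side: it classifies a newly attached USB device from its interface descriptors and applies a small allow-list policy. Mass storage that is not approved is blocked, a "thumb drive" that also enumerates as a keyboard is blocked as the HID-spoofing pattern, and a second keyboard appearing on a host that already has one is allowed but raises an alert. The vendor/product IDs, serials and the policy field names are constructed for this illustration.

```python
"""Illustrative USB device-control policy evaluator (added example, not vendor code).

Classifies a USB device by the interface descriptors it exposes and returns an
(action, reason) pair. Field names and sample IDs are constructed for the example.
"""

from dataclasses import dataclass, field

# USB-IF interface class codes.
USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08

# HID boot-interface subclass/protocol values (USB HID spec, boot protocol).
HID_SUBCLASS_BOOT = 0x01
HID_PROTOCOL_KEYBOARD = 0x01
HID_PROTOCOL_MOUSE = 0x02


@dataclass(frozen=True)
class Interface:
    cls: int            # bInterfaceClass
    subclass: int = 0   # bInterfaceSubClass
    protocol: int = 0   # bInterfaceProtocol


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int      # idVendor
    product_id: int     # idProduct
    serial: str         # iSerialNumber string descriptor
    interfaces: tuple   # Interface descriptors the device enumerates with


@dataclass
class Policy:
    # Hypothetical allow-list of (vendor_id, product_id, serial) for approved drives.
    approved_storage: set = field(default_factory=set)
    # Action for removable storage that is not on the allow-list.
    unknown_storage_action: str = "block"
    # Raise an alert when a keyboard appears on a host that already has one.
    alert_on_additional_keyboard: bool = True


def is_keyboard(iface: Interface) -> bool:
    """True for a HID boot-protocol keyboard interface."""
    return (iface.cls == USB_CLASS_HID
            and iface.subclass == HID_SUBCLASS_BOOT
            and iface.protocol == HID_PROTOCOL_KEYBOARD)


def evaluate(device: UsbDevice, policy: Policy, keyboards_present: int = 1) -> tuple:
    """Decide what to do with a newly attached device.

    keyboards_present is the number of keyboards already attached to the host,
    which lets the policy notice an unexpected extra keyboard.
    """
    classes = {i.cls for i in device.interfaces}
    has_storage = USB_CLASS_MASS_STORAGE in classes
    has_keyboard = any(is_keyboard(i) for i in device.interfaces)

    # A single device that is both a drive and a keyboard is the HID-spoofing
    # shape described above: block it outright and flag it for investigation.
    if has_storage and has_keyboard:
        return ("block", "composite mass-storage + keyboard device (possible HID spoofing)")

    if has_storage:
        key = (device.vendor_id, device.product_id, device.serial)
        if key in policy.approved_storage:
            return ("allow", "approved removable storage")
        return (policy.unknown_storage_action, "removable storage not on allow-list")

    if has_keyboard:
        if policy.alert_on_additional_keyboard and keyboards_present >= 1:
            return ("alert", "additional keyboard attached while one is already present")
        return ("allow", "keyboard")

    return ("allow", "device exposes neither storage nor keyboard interfaces")


# Constructed sample devices and policy for a stand-alone run.
APPROVED_DRIVE = UsbDevice(0x1234, 0x5678, "SN-APPROVED-001",
                           (Interface(USB_CLASS_MASS_STORAGE),))
UNKNOWN_DRIVE = UsbDevice(0x1234, 0x9999, "SN-FOUND-IN-LOBBY",
                          (Interface(USB_CLASS_MASS_STORAGE),))
SPOOFED_DRIVE = UsbDevice(0x0ABC, 0x0DEF, "SN-COMPOSITE",
                          (Interface(USB_CLASS_MASS_STORAGE),
                           Interface(USB_CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD)))
EXTRA_KEYBOARD = UsbDevice(0x0ABC, 0x0100, "SN-KBD",
                           (Interface(USB_CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD),))
MOUSE = UsbDevice(0x0ABC, 0x0200, "SN-MOUSE",
                  (Interface(USB_CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_MOUSE),))

SAMPLE_POLICY = Policy(approved_storage={(0x1234, 0x5678, "SN-APPROVED-001")})


if __name__ == "__main__":
    for name, dev in [("approved", APPROVED_DRIVE), ("unknown", UNKNOWN_DRIVE),
                      ("spoofed", SPOOFED_DRIVE), ("keyboard", EXTRA_KEYBOARD),
                      ("mouse", MOUSE)]:
        print(f"{name:9s} -> {evaluate(dev, SAMPLE_POLICY)}")
```

The allow-list keys on the serial as well as vendor/product ID because vendor and product IDs are shared by every unit of a model; serial is what lets a policy approve one specific drive while treating an otherwise identical drive found in the lobby as unknown. Real descriptors can be forged by a purpose-built device, so this classification is a first gate, not proof of benign hardware.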
A recent study showed that a USB drop attack succeeds almost 50 percent of the time — and gets past even security-conscious users. The same study showed that 68 percent of those who knowingly picked up a dropped USB failed to scan the device for malware — they simply plugged it in and accessed the device’s content.
The Struggle Continues
Security teams are faced with a dilemma: how to safely enable USB devices while reducing the risks they pose. The traditional response has been either to ban all USB devices or to manage them with a device control solution that determines which devices can access an endpoint. Unfortunately, these solutions come up short. USB-related breaches have increased 8 percent year over year and now account for almost one-third of all breaches.
Security teams have mainly relied on two types of device control solutions:
- Standalone: Monolithic solutions offer strict control over USB devices, down to a single drive. However, because they are not integrated with other elements of security, they require additional time and effort to install and manage, and they lack the visibility and context required to verify that device control policies are adequate. To gain visibility into which devices are used in their environments, security teams must deploy additional security tools such as endpoint detection and response (EDR) solutions.
- Endpoint Suites: Endpoint security vendors have typically developed and marketed “integrated” device control solutions as part of their endpoint security suites, but their solutions are often not truly integrated. These suites generally require a separate management console and additional agents (and larger system footprint), and they offer limited device visibility. As a result, security teams have no context or understanding of the devices in their environment, and the solutions themselves consume valuable resources, especially during a USB device-related security incident.
Neither solution provides immediate visibility into which devices are in use and where, leaving security teams lacking the necessary knowledge to enforce and manage accurate USB device control policies. As a result, social engineers are thrilled because it leaves the door wide open for opportunistic baiting attacks.
CrowdStrike Shuts The Door on USB Drop Attacks
CrowdStrike®’s Falcon® Device Control™ can reduce the risk of baiting via USB drop attacks by providing unparalleled visibility and granular control over USB devices. This device control solution is superior to existing standalone and endpoint suite offerings because it provides full EDR capabilities seamlessly delivered via the lightweight Falcon agent. Security teams are immediately able to see which devices are in use and where, throughout their environment.
Falcon Device Control provides three crucial benefits beyond other options:
- Unprecedented Visibility: Core to the Falcon platform is the principle of visibility: being able to see everything in the environment in order to make informed security decisions. Falcon Device Control automatically discovers and reports all devices operating over USB ports, without needing an additional external tool. In seconds, teams can search real-time and historical data to identify patterns of attack, including the attack process, the affected hosts and users, and the infected device itself.
- Granular Control: Visibility prompts action, and Falcon enables security teams to define policies and enforce them both online and offline, down to the specific device. With the automatic visibility provided by the Falcon platform, Falcon Device Control gives teams the agility to update policies on the fly, based on what has been observed.
- Cloud-native architecture: Since Falcon Device Control is 100 percent cloud-delivered and managed, it’s up and running almost immediately and can create and deploy policies in minutes. Security teams no longer need to spend time pivoting between solutions since they now have all relevant USB device information in one place, enabling swift, effective action.
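The visibility benefit above amounts to joining device events with process events on the same host. The following added example (not Falcon code or its data model) shows that correlation over a handful of constructed telemetry lines: it finds processes launched from a freshly inserted removable volume within a short window and reconstructs the child processes they spawned, giving the host, user, device serial and the attack process tree in one result. The event format, field names and sample values are all constructed for this illustration.

```python
"""Added example: correlate USB-insertion events with process launches.

Flags a process whose image lives on a removable volume that was mounted on
the same host within `window_seconds` before the launch, then collects its
children. Event shape and all sample data are constructed for this example.
"""

import json
from datetime import datetime, timedelta

# Constructed sample telemetry: one host where a file on a new drive runs and
# spawns cmd.exe, and one host where an unrelated program starts later.
SAMPLE_EVENTS = r"""
{"ts":"2024-03-01T09:00:00Z","host":"WS-0412","user":"jdoe","type":"usb_connected","device":"VID_1234&PID_5678","serial":"SN-FOUND-IN-LOBBY","mount":"E:"}
{"ts":"2024-03-01T09:00:04Z","host":"WS-0412","user":"jdoe","type":"process_start","pid":4120,"ppid":812,"image":"E:\\Q3_Bonus.pdf.exe","parent_image":"C:\\Windows\\explorer.exe"}
{"ts":"2024-03-01T09:00:06Z","host":"WS-0412","user":"jdoe","type":"process_start","pid":4131,"ppid":4120,"image":"C:\\Windows\\System32\\cmd.exe","parent_image":"E:\\Q3_Bonus.pdf.exe"}
{"ts":"2024-03-01T09:30:00Z","host":"WS-0418","user":"asmith","type":"usb_connected","device":"VID_0ABC&PID_0DEF","serial":"SN-APPROVED-002","mount":"F:"}
{"ts":"2024-03-01T09:45:00Z","host":"WS-0418","user":"asmith","type":"process_start","pid":5002,"ppid":900,"image":"C:\\Program Files\\Acme\\acme.exe","parent_image":"C:\\Windows\\explorer.exe"}
"""


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def on_volume(image: str, mount: str) -> bool:
    """True if the image path is rooted on the given drive letter (case-insensitive)."""
    return image.upper().startswith(mount.upper() + "\\")


def child_processes(events: list, host: str, pid: int) -> list:
    """Direct children of `pid` on `host`, as (pid, image) pairs in time order."""
    return [(e["pid"], e["image"]) for e in events
            if e["type"] == "process_start" and e["host"] == host and e["ppid"] == pid]


def find_removable_executions(events: list, window_seconds: int = 60) -> list:
    """Return one alert per process launched from a removable volume soon after insertion."""
    alerts = []
    for ins in (e for e in events if e["type"] == "usb_connected"):
        deadline = ins["ts"] + timedelta(seconds=window_seconds)
        for proc in events:
            if proc["type"] != "process_start" or proc["host"] != ins["host"]:
                continue
            if not (ins["ts"] <= proc["ts"] <= deadline):
                continue
            if not on_volume(proc["image"], ins["mount"]):
                continue
            alerts.append({
                "host": proc["host"],
                "user": proc["user"],
                "device": ins["device"],
                "serial": ins["serial"],
                "seconds_after_insert": int((proc["ts"] - ins["ts"]).total_seconds()),
                "image": proc["image"],
                "pid": proc["pid"],
                "children": child_processes(events, proc["host"], proc["pid"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_removable_executions(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

The window keeps the rule tight to the "plug it in and open what's on it" behaviour: a process started from a removable drive hours after insertion is worth a different, lower-priority rule. The device serial is carried into the alert so that the same physical device can be traced across hosts if it is plugged in elsewhere.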
Armed with these capabilities, security teams can effectively address USB device risks, including the dreaded USB drop attack. If a user unknowingly plugs a malicious USB device into an endpoint, a security team can use Falcon Device Control to immediately see the event, act to stop it right away, and then prevent it in the future.