Wednesday, January 9, 2019

Detecting Rogue Devices without 802.1x

So here's the scenario: a bad guy/girl has come along and planted a Raspberry Pi type device on your employer's network. You don't use 802.1x/NAC/ISE/Port-Security. The Raspberry Pi has a 4G connection in the back, so any C2 traffic from the bad guy is not going to go anywhere near your external firewalls, but in the meantime he's going to explore your network. How do you detect him/her, and what kind of tools do you use?

At the moment I have a script that dumps the ARP table from the gateway routers and then nmaps any new devices. There are some select ports that we would always expect to see open on our hosts; everything else is considered bad. However, I'm looking for new ideas.
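As an added illustration of that approach (not the author's script), here is a Python sketch that parses a constructed Cisco-style `show ip arp` dump, flags MACs missing from an assumed inventory baseline, and compares constructed nmap grepable (`-oG`) output against an assumed expected-port allowlist. All hosts, MACs, the baseline and the allowlist are made up for the example.

```python
import re

# Constructed sample of Cisco IOS "show ip arp" output; the hosts are made up.
# b8:27:eb is a Raspberry Pi Foundation OUI, so the last entry is the suspect.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               -   0011.2233.4455  ARPA   Vlan10
Internet  10.10.1.20              5   0050.56aa.bb01  ARPA   Vlan10
Internet  10.10.1.77              1   b827.eb12.3456  ARPA   Vlan10
"""
# Constructed nmap -oG (grepable) output for the one unknown host above.
NMAP_GREPABLE = (
    "Host: 10.10.1.77 ()\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///, "
    "8080/open/tcp//http-proxy///\tIgnored State: closed (997)\n"
)
KNOWN_MACS = {"00:11:22:33:44:55", "00:50:56:aa:bb:01"}  # assumed inventory baseline
EXPECTED_PORTS = {135, 139, 445, 3389}                    # assumed allowlist for our hosts

ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)
NMAP_RE = re.compile(r"^Host:\s+(\S+).*?Ports:\s+(.*?)(?:\t|$)")

def normalize_mac(cisco_mac):
    """Turn Cisco dotted form b827.eb12.3456 into b8:27:eb:12:34:56."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_arp(text):
    """Map IP -> MAC for every ARP entry in the router dump."""
    return {m.group(1): normalize_mac(m.group(2))
            for line in text.splitlines() if (m := ARP_RE.match(line))}

def new_devices(hosts, known):
    """Entries whose MAC is not in the inventory are candidate rogue devices."""
    return {ip: mac for ip, mac in hosts.items() if mac not in known}

def parse_nmap_grepable(text):
    """Map IP -> set of open TCP ports from nmap -oG output."""
    result = {}
    for line in text.splitlines():
        m = NMAP_RE.match(line)
        if not m:
            continue
        result[m.group(1)] = {int(p.split("/")[0])
                              for p in m.group(2).split(", ") if "/open/" in p}
    return result

def triage(arp_text, known, nmap_text, expected):
    """Return (ip, mac, unexpected_ports) for each unknown device; any open
    port outside the allowlist is treated as suspicious, as the post describes."""
    scans = parse_nmap_grepable(nmap_text)
    return [(ip, mac, sorted(scans.get(ip, set()) - expected))
            for ip, mac in new_devices(parse_arp(arp_text), known).items()]

if __name__ == "__main__":
    for ip, mac, extra in triage(ARP_TABLE, KNOWN_MACS, NMAP_GREPABLE, EXPECTED_PORTS):
        print(f"unknown device {ip} ({mac}) unexpected open ports: {extra}")
```

In real use the two text inputs would come from the router's `show ip arp` output and from `nmap -oG -` run only against the addresses `new_devices` returns.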
