CTEM-INF-6 - Infected Employee Owned Device (Internal Network Connected)
Documentation has not been completed. This page is a placeholder for future documentation.
An Infected Employee-Owned Device (Internal Network Connected) is a compromised host that is not owned or managed by the organization but has been connected to the internal corporate network. Such a device presents a distinct challenge: it sits outside corporate IT's control (no endpoint agent, patch management, or configuration baseline) yet has reached internal resources, giving the attacker who controls it a pathway into the corporate environment. Evidence of this type of infection typically comes from indications that the host has accessed internal servers or intranet services that are not reachable from the internet, for example stolen browser credentials or session data that reference intranet hostnames.
Characteristics of an Infected Employee-Owned Device (Internal Network Connected)
- Non-Corporate Ownership: The device is personally owned by an employee, and it is not managed or controlled by the organization's IT department.
- Internal Network Connection: The device has been connected to the internal corporate network, which may involve accessing internal servers or intranet resources that are restricted from public access.
- Established Persistence: Attackers have established persistence on the device using methods such as malware, trojans, or other malicious software, enabling them to maintain control over the device.
Common Methods of Discovery
Infected employee-owned devices that have been connected to the internal network are typically discovered through:
- Network Traffic Analysis: Monitoring internal network traffic may reveal connections to internal-only servers from a host that is not in the corporate asset inventory (unknown MAC address, non-standard hostname, no management agent), or traffic that is unusual for a personal device, such as access to file servers or administrative interfaces.
- Internal System Logs: Authentication, web, and file-server logs may show unauthorized access attempts or successful connections from source addresses that do not map to a recognized corporate asset.
- Threat Intelligence: Threat intelligence sources may report that a device used by an employee has been compromised, for example stolen credentials or browser data containing intranet URLs, indicating that the device has been used to reach internal resources.
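The first two discovery methods above amount to one correlation: join what the network knows about a client (its DHCP lease, MAC address and self-reported hostname) with what internal servers logged, and flag any client that reached an internal-only service without being in the corporate asset inventory. The following Python script is an added example written for this page, not code from the CTEM project; the log formats, hostnames, MAC addresses and address ranges are constructed, and the inventory is a hypothetical set of known corporate MAC addresses. It also covers two edge cases the text implies: a client with no lease on record at all, and a client whose hostname imitates the corporate naming scheme but whose MAC address is unknown (the hostname is self-reported and must not be trusted on its own).

```python
import re
from ipaddress import ip_address, ip_network

# Constructed inventory and network facts (assumptions for this example).
CORPORATE_MACS = {"00:50:56:aa:bb:01", "00:50:56:aa:bb:02"}     # managed laptops
INTERNAL_ONLY_HOSTS = {"intranet.corp.example", "fileserver01.corp.example"}
INTERNAL_RANGES = [ip_network("10.0.0.0/8")]                     # addresses handed out on the LAN

# Constructed DHCP server lines: "<ts> DHCPACK on <ip> to <mac> (<client hostname>)"
DHCP_LOG = """\
2024-05-01T08:01:12Z DHCPACK on 10.20.4.15 to 00:50:56:aa:bb:01 (CORP-LT-0412)
2024-05-01T08:03:44Z DHCPACK on 10.20.4.77 to 3C:22:FB:11:22:33 (Johns-MacBook-Pro)
2024-05-01T08:05:09Z DHCPACK on 10.20.4.18 to 00:50:56:aa:bb:02 (CORP-LT-0519)
2024-05-01T08:06:30Z DHCPACK on 10.20.4.90 to 3c:22:fb:44:55:66 (CORP-LT-0999)
"""

# Constructed access log from internal web/file services: "<ts> <client ip> <server> <path> <status>"
ACCESS_LOG = """\
2024-05-01T08:10:01Z 10.20.4.15 intranet.corp.example /home 200
2024-05-01T08:12:30Z 10.20.4.77 intranet.corp.example /login 200
2024-05-01T08:12:41Z 10.20.4.77 fileserver01.corp.example /share/finance 200
2024-05-01T08:15:02Z 10.20.4.18 intranet.corp.example /home 200
2024-05-01T08:16:10Z 10.20.4.90 fileserver01.corp.example /share/hr 200
2024-05-01T08:18:55Z 10.20.9.200 fileserver01.corp.example /share/finance 401
2024-05-01T08:20:00Z 203.0.113.9 intranet.corp.example /home 403
"""

DHCP_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK on (?P<ip>\S+) to "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) \((?P<host>[^)]*)\)$"
)
ACCESS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<server>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_leases(dhcp_log):
    """Map client IP -> (mac, hostname). A later lease for the same IP overrides an earlier one."""
    leases = {}
    for line in dhcp_log.splitlines():
        m = DHCP_RE.match(line)
        if m:
            leases[m["ip"]] = (m["mac"].lower(), m["host"])
    return leases


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_RANGES)


def find_unmanaged_internal_access(dhcp_log, access_log):
    """Return {client ip: finding} for internal clients that reached internal-only
    services without being a known corporate asset. Membership is decided on the
    MAC address from the lease; the hostname is recorded for the analyst but is
    never used as proof of ownership, because the client chooses it."""
    leases = parse_leases(dhcp_log)
    findings = {}
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["server"] not in INTERNAL_ONLY_HOSTS:
            continue
        ip = m["ip"]
        if not is_internal(ip):
            continue                      # external source: a perimeter problem, not this finding
        mac, host = leases.get(ip, (None, None))
        if mac in CORPORATE_MACS:
            continue                      # managed device, expected traffic
        finding = findings.setdefault(ip, {
            "mac": mac,
            "hostname": host,
            "reason": "MAC not in asset inventory" if mac else "no DHCP lease on record",
            "servers": set(),
            "successful": False,
        })
        finding["servers"].add(m["server"])
        if m["status"].startswith("2"):
            finding["successful"] = True  # the server actually served the request
    return findings


if __name__ == "__main__":
    for ip, f in sorted(find_unmanaged_internal_access(DHCP_LOG, ACCESS_LOG).items()):
        print(ip, f["mac"], f["hostname"], f["reason"], sorted(f["servers"]), f["successful"])
```

Run as-is, the script flags three clients: the personal MacBook that reached both the intranet and the finance share, the client with a corporate-looking hostname but an unknown MAC, and an address with no lease at all that only produced a 401 (still worth a look, since a static address on the LAN is itself unexpected). The two managed laptops and the external address are not reported. In a real deployment the inventory lookup would come from the NAC or asset database, and a hit with `"successful": True` is the evidence this page describes: a non-corporate host that has reached a service not reachable from the internet.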
Risks and Impact
The compromise of an employee-owned device that has been connected to the internal network presents several significant risks to the organization:
- Internal Network Exposure: Attackers may use the compromised device as a foothold to explore and exploit internal network resources, potentially gaining access to sensitive corporate data.
- Credential Theft: When the device is used to access internal resources, the attacker can capture corporate credentials, session tokens, and cached Wi-Fi or VPN configurations from it, allowing lateral movement to other systems.
- Data Exfiltration: The attackers may use the compromised device to exfiltrate sensitive data from the internal network, leading to a potential data breach.
- Network Contamination: The compromised device could be used to spread malware to other hosts on the internal network, for example through shared drives, exposed services, or self-propagating malware, causing widespread infection.
Key Considerations for Threat Exposure Management
Managing infected employee-owned devices that have been connected to the internal network requires a comprehensive approach that includes monitoring, response, and policy enforcement:
- Network Access Controls: Enforce strict policies on which devices may join the internal network. Use network access control (NAC) with device authentication, such as 802.1X with device certificates, so that only trusted, compliant corporate devices reach internal segments, and place unmanaged devices on an isolated guest or BYOD network.
- Monitoring and Detection: Continuously correlate network traffic and internal system logs against the asset inventory to spot non-corporate devices reaching internal resources. Implement alerting so that suspicious behavior is detected and acted on promptly.
- User Education: Educate employees on the risks of connecting personal devices to the corporate network and provide clear guidelines for the approved alternatives, such as a guest network or sanctioned remote access.
- Incident Response: Develop and implement a clear incident response plan for when a compromised employee-owned device is detected on the internal network. This should include isolating the device from the network, revoking and rotating any credentials and sessions used from it, reviewing which internal resources it reached, and conducting a thorough investigation.
Infected employee-owned devices connected to the internal network represent a critical security threat, as they provide attackers with direct access to corporate resources. Effective threat exposure management should include strict network access controls, proactive monitoring, and employee education to minimize the risks associated with these devices.