EDR used as a canary for network scanning
David
Would it be possible to convert some (or possibly all) EDR agents into network canaries? I've heard stories of devices on the network being compromised (printers, cameras, etc.) that don't have EDR on them. Those devices are used as a beachhead to scan the network for vulnerable services.
If some or all agents were to listen on certain common ports and alert immediately if those ports get scanned, this would allow us to identify the IP and potentially the MAC of the device that is compromised and scanning the network.
The ability to customise the 'profile' of the canary would be useful, e.g. SMB server, RDP server, Telnet/SSH/FTP, etc. Or have the endpoint pick an identity at random each time the system boots.
We would need to allow whitelisting for certain IPs (SolarWinds, etc.) to allow network inventory systems to scan without triggering alerts.
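What the request above describes, written out as an added example (this is not any EDR vendor's code and not part of the original post): an agent-side canary that binds the ports of a chosen profile, records an alert with source IP and port for every connection from a peer outside an IP/CIDR allowlist, and hands a minimal banner to the connecting scanner. The profile names, the banners, the `Canary` class and its `start`/`record`/`probe` helpers are all assumptions made for this example; the banners are placeholders, not protocol emulation.

```python
"""Endpoint canary: listen on a profile's common service ports, alert on any
connection from a non-allowlisted peer, and serve a minimal banner so a scanner
fingerprints a plausible service. Added example; PROFILES, SERVICES and the
Canary API are assumptions, not any EDR product's implementation."""
import ipaddress
import random
import socket
import threading
from datetime import datetime, timezone

# Service port -> (name, banner). Banners are placeholders, not protocol emulation;
# SMB and RDP clients talk first, so simply accepting the TCP connection is enough.
SERVICES = {
    21: ("ftp", b"220 FTP server ready\r\n"),
    22: ("ssh", b"SSH-2.0-OpenSSH_8.9\r\n"),
    23: ("telnet", b"\r\nlogin: "),
    445: ("smb", b""),
    3389: ("rdp", b""),
}
# Canary profiles: which service ports an endpoint pretends to run.
PROFILES = {
    "ftp-server": [21], "ssh-server": [22], "telnet-server": [23],
    "smb-server": [445], "rdp-server": [3389], "file-server": [21, 445],
}


def pick_profile(seed=None):
    """Choose a profile at random, e.g. once per boot (seed only for reproducibility)."""
    return random.Random(seed).choice(sorted(PROFILES))


class Canary:
    def __init__(self, profile, allowlist=(), bind_addr="0.0.0.0"):
        self.ports = PROFILES[profile]
        self.allow = [ipaddress.ip_network(a, strict=False) for a in allowlist]
        self.bind_addr = bind_addr
        self.alerts = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._listeners = []

    def is_allowed(self, peer_ip):
        return any(ipaddress.ip_address(peer_ip) in net for net in self.allow)

    def record(self, peer_ip, service_port):
        """Turn a connection into an alert unless the peer is an approved scanner."""
        if self.is_allowed(peer_ip):
            return None
        alert = {"time": datetime.now(timezone.utc).isoformat(), "host": socket.gethostname(),
                 "src_ip": peer_ip, "dst_port": service_port, "service": SERVICES[service_port][0]}
        with self._lock:
            self.alerts.append(alert)
        return alert

    def _serve(self, listener, service_port):
        listener.settimeout(0.2)  # wake periodically so stop() is noticed
        while not self._stop.is_set():
            try:
                conn, (peer_ip, _) = listener.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            with conn:
                self.record(peer_ip, service_port)  # alert before any banner goes out
                try:
                    conn.sendall(SERVICES[service_port][1])
                except OSError:
                    pass

    def start(self, bind_ports=None):
        """Bind every profile port; bind_ports maps service port -> local port (e.g. {22: 0}
        for an unprivileged ephemeral-port test). Returns service port -> bound port."""
        bound = {}
        for port in self.ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((self.bind_addr, (bind_ports or {}).get(port, port)))
            s.listen(16)
            self._listeners.append(s)
            bound[port] = s.getsockname()[1]
            threading.Thread(target=self._serve, args=(s, port), daemon=True).start()
        return bound

    def stop(self):
        self._stop.set()
        for s in self._listeners:
            s.close()


def probe(host, port, timeout=2.0):
    """Connect the way a scanner would; returns the banner, or b'' if the canary just closed."""
    with socket.create_connection((host, port), timeout=timeout) as c:
        return c.recv(64)
```

To run it as a service, create `Canary(pick_profile(), allowlist=["10.10.0.0/24"])` (the subnet is a hypothetical scanner range) and call `start()`; binding the real ports below 1024 needs privileges, and on a Windows endpoint port 445 will already be held by the OS, so the agent would have to bind it only where the SMB server is disabled. The alert is recorded before the banner is written, so anything that completes the TCP handshake is logged even if it drops the connection immediately, which is exactly what a SYN/connect scan does. Note that `record` only sees the source IP; the MAC has to be resolved from the local ARP/neighbour cache at alert time.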
Bjørn Mathisen
That's a brilliant idea. And I'm not sure you'd even need to manually whitelist.
Instead, use a public MAC vendor database, and alert on anything that's not supposed to be network scanning. For instance, "Canon" devices have no reason to be probing ports.
EDR could itself do this type of mapping across agents and then alert on strange activity above a threshold, for instance.
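The cross-agent variant suggested in this reply, as an added example (not any product's logic and not part of the original thread): canary hits from many agents are grouped by source MAC, the MAC's 24-bit OUI prefix is looked up in a vendor table, vendors that should never probe (printers, cameras) are flagged on the first hit, and every other non-allowlisted source is flagged only once it has touched more than a threshold of distinct canary targets inside a time window. The `OUI_TABLE` here is a constructed sample with made-up prefixes, not real IEEE assignments, and `NEVER_SCAN_VENDORS` is a policy assumption; the sample event feed is constructed as well.

```python
"""Cross-agent correlation of canary hits: resolve each source MAC to a vendor
through an OUI table, flag vendor classes that should never probe (printers,
cameras), and flag any other source that touches more than `threshold` distinct
canary targets inside a time window. Added example; OUI_TABLE is a constructed
sample and NEVER_SCAN_VENDORS a policy assumption, not any product's logic."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample OUI table (24-bit prefix -> vendor); these are NOT real IEEE
# assignments. A real deployment loads the IEEE MA-L registry (oui.csv) instead.
OUI_TABLE = {
    "AA:00:01": "Canon Inc.",
    "AA:00:02": "Axis Communications AB",
    "AA:00:03": "Dell Inc.",
}
# Vendor classes with no legitimate reason to port-scan.
NEVER_SCAN_VENDORS = {"Canon Inc.", "Axis Communications AB"}


def vendor_of(mac):
    prefix = mac.upper().replace("-", ":")[:8]
    return OUI_TABLE.get(prefix, "unknown")


def correlate(events, allowlist=(), threshold=5, window=timedelta(minutes=5)):
    """events: dicts {time, agent, src_ip, src_mac, dst_port} reported by individual
    canary agents. Returns one finding per suspicious source MAC."""
    allow = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if any(ipaddress.ip_address(e["src_ip"]) in n for n in allow):
            continue  # approved inventory scanner
        by_src[e["src_mac"]].append(e)

    findings = []
    for mac, hits in by_src.items():
        vendor = vendor_of(mac)
        targets = {(h["agent"], h["dst_port"]) for h in hits}
        if vendor in NEVER_SCAN_VENDORS:
            findings.append({"src_mac": mac, "src_ip": hits[0]["src_ip"], "vendor": vendor,
                             "severity": "high", "targets": len(targets),
                             "reason": "vendor class never expected to probe"})
            continue
        # Sliding window: the most distinct (agent, port) targets any one window contains.
        worst = 0
        for i, first in enumerate(hits):
            in_win = {(h["agent"], h["dst_port"]) for h in hits[i:]
                      if h["time"] - first["time"] <= window}
            worst = max(worst, len(in_win))
        if worst > threshold:
            findings.append({"src_mac": mac, "src_ip": hits[0]["src_ip"], "vendor": vendor,
                             "severity": "medium", "targets": worst,
                             "reason": f"{worst} distinct canary targets within {window}"})
    return findings


# Constructed sample feed from several agents (not real telemetry).
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    # a printer touching a single SMB canary
    [{"time": T0 + timedelta(seconds=1), "agent": "ws-01", "src_ip": "192.168.10.7",
      "src_mac": "aa:00:01:12:34:56", "dst_port": 445}]
    # a Dell box sweeping SSH on eight hosts in eight seconds
    + [{"time": T0 + timedelta(seconds=i), "agent": f"ws-{i:02d}", "src_ip": "192.168.10.9",
        "src_mac": "aa:00:03:aa:bb:cc", "dst_port": 22} for i in range(8)]
    # the approved inventory scanner sweeping fifty hosts
    + [{"time": T0 + timedelta(seconds=i), "agent": f"ws-{i:02d}", "src_ip": "10.0.0.5",
        "src_mac": "aa:00:03:00:00:01", "dst_port": 22} for i in range(50)]
    # a workstation hitting two RDP canaries ten minutes apart (normal noise)
    + [{"time": T0, "agent": "ws-02", "src_ip": "192.168.10.20",
        "src_mac": "aa:00:03:dd:ee:ff", "dst_port": 3389},
       {"time": T0 + timedelta(minutes=10), "agent": "ws-03", "src_ip": "192.168.10.20",
        "src_mac": "aa:00:03:dd:ee:ff", "dst_port": 3389}]
)


def demo():
    return correlate(SAMPLE_EVENTS, allowlist=["10.0.0.5/32"], threshold=5)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Two caveats worth keeping in mind with the vendor approach: the OUI only identifies the NIC vendor, so a compromised printer with a generic NIC resolves to the NIC maker rather than "Canon", and randomised or locally administered MACs resolve to nothing at all, which is why the example still keeps an IP allowlist for the known scanner and falls back to the distinct-target threshold for every vendor it cannot classify.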