Network Airspace Control and Protection (NACP)

All you need to know to control and protect the emerging attack surface

The Network Airspace Attack Kill Chain

1. A4H Reconnaissance: search the internet for an Antenna for Hire (A4H).
   Example: a security camera.

2. A4H Control: remotely take control of the Antenna for Hire (A4H).
   Example: exploit CVE-20XX-XXXX in the security camera.

3. WR Reconnaissance: use the A4H to search for a Wireless Receptor (WR) at the corporate premises.
   Example: a boardroom TV broadcasting via Wi-Fi Direct.

4. Exploit: take over the Wireless Receptor.
   Example: connect to the boardroom TV via Wi-Fi Direct.

5. Unauthorized Network Access: penetrate the wired or wireless network through the Wireless Receptor (WR).
   Example: use the TV's authorization to access the wired network.

6. Lateral Movement (Segmentation Hopping): identify Wireless Receptors (WR) on other segments and hop to them wirelessly.
   Example: hop from the boardroom TV to an employee's laptop via the laptop's enabled hotspot.

7. C&C Communications & Exfiltration: connect to an unmonitored channel and create a tunnel to a C&C server.
   Example: connect to the cafeteria's open Wi-Fi and reach the C&C over HTTPS.


Why should you look at your corporate network airspace?

Most corporate devices today have dual connectivity: on one hand they are connected to the corporate network, and on the other they act as Wireless Receptors, open to connecting to any wireless channel.

The vicinity of the corporate premises also abounds with Antenna for Hire: broadcasting wireless devices.

While the corporate wireless security policy allows employees and corporate-controlled devices to communicate only on supervised channels, corporations find that they cannot effectively enforce that policy.

For example, a common policy violation occurs when an employee who is required to communicate over a restricted wireless network switches to a less restricted network, or even a guest or open network, when wireless reception is poor.

Attackers are also aware of this lack of control and enforcement, and leverage Antenna for Hire as a proxy to penetrate the corporate network through Wireless Receptors.

In fact, an AirEye survey showed that 44% of experienced IR professionals had investigated incidents related to wireless attacks or vulnerabilities.

40% of respondents said they did not have sufficient forensic data for such attacks, and another 40% were not sure whether data had been leaked.

Because these attacks leave little forensic or attack data behind, attackers use this attack surface over and over again.

Companies must enforce their wireless security policy and protect their corporate network airspace to eliminate the risk of:

Unauthorized access to the corporate network – non-corporate devices accessing corporate devices through their wireless capabilities.

Device hijacking – corporate devices being taken control of through wireless attacks.

Data leakage – corporate devices accessing unmonitored and unauthorized channels.

Segmentation hopping – bypassing network access controls through the network airspace.

Shadow Networks

One of the biggest concerns for security teams is shadow networks – networks generated by corporate-controlled devices.

No security solution today apart from NACP can identify, monitor and place controls over shadow networks.

Here are just a few examples of network entry points that are created by shadow networks and the risk they pose:

Entry point: An employee establishes a mobile hotspot on their computer.
Security risk: Creates an insecure path for data to leave the organization.

Entry point: An employee’s laptop, back on the corporate premises, still continuously probes for a common cafe’s network after having connected to one during remote work.
Security risk: Allows attackers to hijack the device and create a network bridge between an attacker-controlled device and the corporate network.

Entry point: A network generated by the corporate printer, caused by the printer’s enabled peer-to-peer (Wi-Fi Direct) capability.
Security risk: Allows an attacker to communicate with the printer over an insecure channel and use it as a bridge into the internal network.

Entry point: A portable X-ray device emitting its own open network for its sensor plates to transmit patient data.
Security risk: Provides an easy path for an attacker into the hospital’s network.

Entry point: Peer-to-peer communication between forklifts at a factory.
Security risk: Creates a path for lateral movement (e.g. for ransomware proliferation) through an insecure and unmonitored channel.

Entry point: A boardroom monitor to which corporate laptops connect.
Security risk: Allows the attacker to hijack a laptop which later connects to the corporate network.


Wireless attacks are remote and software-based

The corporate IT landscape includes an increasing number of Wireless Receptors – wireless-capable devices ranging from corporate laptops and printers to coffee machines. Each of these may create shadow networks, flying under the radar of the security team and posing a security risk to the corporate network.

Outside the corporate premises there is an endless number of Antenna for Hire – wireless devices broadcasting in the vicinity of the organization, ranging from security cameras to the router at a nearby cafe.

Attackers leverage the Antenna for Hire to gain unauthorized network access, hijack devices or leak data, using Wireless Receptors as a springboard into the corporate network.

In essence, the Antenna for Hire acts as a proxy for the attacker, who never needs to be physically in the vicinity of the corporate premises.

Trends in wireless attacks


Enterprise wireless security best practices:

1. Ensure that all network access controls and configurations are properly implemented, for assurance.

2. Unauthorized devices should be automatically identified and prevented from connecting to the corporate network.

3. Authorized devices should not connect to non-corporate networks.

4. Authorized devices should connect only to authorized corporate networks.

5. Unauthorized devices should not connect to authorized devices with dual connectivity (for example via peer-to-peer technologies such as Wi-Fi Direct).

6. Authorized devices should not establish ad-hoc networks such as hotspots, file transfer, etc.

7. Automatically prevent over-the-air attacks.

The Solution:

Network Airspace Control and Protection (NACP)

How is NACP defined?


Monitor the Corporate Network Airspace and classify controlled and uncontrolled assets

All wireless broadcasting technologies and channels need to be monitored for full visibility of corporate network airspace. Create an inventory of all Access Points (APs) and devices that are part of the corporate network airspace.

Discover and continuously monitor Antenna for Hire

Detect, identify, classify and continuously monitor Antenna for Hire, including their activities, behaviors and interactions that can affect the corporate network.

Discover and continuously monitor Wireless Receptors

Detect Wireless Receptors and monitor their activities, behaviors and interactions.

Automatically enforce wireless security policy

Detect policy violations, such as connections to unauthorized and unmonitored wireless networks, and automatically block these connections.

Automatically detect & prevent wireless attacks

Detect interactions between Antenna for Hire and Wireless Receptors.
Automatically block these connections to prevent unauthorized access to corporate network, device hijacking and data leakage.

Attack timeline reporting and forensics

Provide complete attack details, including identification of the Antenna for Hire, all Wireless Receptors communicating with it, the communication channels used, the type of attack, and the resolution.
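As an added example (it is not AirEye's product code and does not come from this page), the following Python script applies the enterprise wireless security best practices listed above to a constructed set of airspace observations and builds the kind of attack-detail record the definition above asks for: which non-corporate peer touched which corporate receptors, over which channels, and under which policy rules. All device names, MAC addresses, SSIDs and rule names are invented.

```python
"""Toy network-airspace policy checker (added example; not AirEye's product code).

Applies the wireless security best practices from the page to a constructed set
of sensor observations and builds an attack-detail record per non-corporate
peer. All devices, MACs, SSIDs and rule names are invented for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed policy: SSIDs corporate devices may use, and SSIDs the security
# team can at least monitor (the guest network is monitored but not authorized).
AUTHORIZED_SSIDS = {"corp-secure", "corp-iot"}
MONITORED_SSIDS = AUTHORIZED_SSIDS | {"corp-guest"}


@dataclass(frozen=True)
class Device:
    mac: str
    name: str
    corporate: bool  # True: corporate-controlled asset (a Wireless Receptor)


@dataclass(frozen=True)
class Link:
    """One observed association: `client` joined a network owned by `host`
    (an AP, a hotspot host or a Wi-Fi Direct group owner)."""
    client: str
    host: str
    ssid: str
    channel: int
    kind: str  # "infrastructure", "hotspot" or "p2p" (Wi-Fi Direct)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    device: str  # corporate asset involved
    peer: str    # the other side of the link
    ssid: str
    channel: int
    kind: str


def evaluate(devices: dict[str, Device], links: list[Link]) -> list[Finding]:
    """Return every policy violation present in the observed links."""
    def corp(mac: str) -> bool:
        dev = devices.get(mac)
        return dev is not None and dev.corporate

    findings: list[Finding] = []
    for ln in links:
        if ln.kind == "infrastructure":
            if corp(ln.client) and ln.ssid not in AUTHORIZED_SSIDS:
                # Practices 3/4: corporate device on a foreign or guest network;
                # an unmonitored SSID is an unseen data-leakage path.
                sev = "medium" if ln.ssid in MONITORED_SSIDS else "high"
                findings.append(Finding("corp-device-on-foreign-network", sev, ln.client,
                                        ln.host, ln.ssid, ln.channel, ln.kind))
            elif not corp(ln.client) and ln.ssid in AUTHORIZED_SSIDS:
                # Practice 2: unknown device associated to the corporate network.
                findings.append(Finding("unauthorized-device-on-corp-network", "high",
                                        ln.host, ln.client, ln.ssid, ln.channel, ln.kind))
        elif corp(ln.host):
            # Practice 6: a corporate asset is hosting a shadow (ad-hoc) network.
            findings.append(Finding("shadow-network-hosted", "medium", ln.host,
                                    ln.client, ln.ssid, ln.channel, ln.kind))
            if not corp(ln.client):
                # Practice 5: an Antenna for Hire is talking to a Wireless Receptor.
                findings.append(Finding("a4h-to-receptor-link", "critical", ln.host,
                                        ln.client, ln.ssid, ln.channel, ln.kind))
        elif corp(ln.client):
            # Practice 3: corporate device joined an ad-hoc network of a foreign peer.
            findings.append(Finding("corp-device-joined-foreign-peer", "high", ln.client,
                                    ln.host, ln.ssid, ln.channel, ln.kind))
    return findings


def a4h_report(devices: dict[str, Device], findings: list[Finding]) -> dict[str, dict]:
    """Attack-detail record keyed by non-corporate peer: the receptors it
    touched, the channels used and the rules triggered (the forensic data the
    page says incident responders usually lack)."""
    report = defaultdict(lambda: {"receptors": set(), "channels": set(), "rules": set()})
    for f in findings:
        peer = devices.get(f.peer)
        if peer is None or not peer.corporate:
            report[f.peer]["receptors"].add(f.device)
            report[f.peer]["channels"].add(f.channel)
            report[f.peer]["rules"].add(f.rule)
    return {mac: {k: sorted(v) for k, v in entry.items()} for mac, entry in report.items()}


# Constructed observations mirroring the scenarios in the text.
DEVICES = {d.mac: d for d in [
    Device("aa:00:00:00:00:01", "corp-ap-1", True),
    Device("aa:00:00:00:00:02", "laptop-alice", True),
    Device("aa:00:00:00:00:03", "boardroom-tv", True),
    Device("bb:00:00:00:00:01", "cafe-router", False),
    Device("bb:00:00:00:00:02", "street-camera", False),
]}
LINKS = [
    Link("aa:00:00:00:00:02", "aa:00:00:00:00:01", "corp-secure", 36, "infrastructure"),    # in policy
    Link("aa:00:00:00:00:02", "bb:00:00:00:00:01", "cafe-free-wifi", 6, "infrastructure"),  # leakage path
    Link("bb:00:00:00:00:02", "aa:00:00:00:00:03", "DIRECT-tv", 11, "p2p"),                 # camera -> TV
    Link("aa:00:00:00:00:02", "aa:00:00:00:00:03", "DIRECT-tv", 11, "p2p"),                 # laptop -> TV
    Link("bb:00:00:00:00:02", "aa:00:00:00:00:01", "corp-iot", 1, "infrastructure"),        # rogue on corp net
]

if __name__ == "__main__":
    found = evaluate(DEVICES, LINKS)
    for f in found:
        print(f"[{f.severity:8}] {f.rule:36} {f.device} <-> {f.peer} ssid={f.ssid} ch={f.channel}")
    print(a4h_report(DEVICES, found))
```

The checker treats every non-corporate host or client as a potential Antenna for Hire and every corporate asset as a Wireless Receptor, so the same observation can trigger both a shadow-network finding (the TV is hosting a Wi-Fi Direct group) and a critical A4H-to-receptor finding (a street camera joined it). A real deployment would feed the link list from wireless sensors and act on the findings by blocking the connection; the report structure is what an incident responder would want preserved afterwards.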

Who should care about their network airspace?


Each company needs to consider its network airspace security as part of its network security strategy.

The endless number of wireless broadcasting devices in the vicinity of the network means that each company today needs visibility into all of its corporate networks, including shadow networks, a solid wireless security policy that can be enforced, and the ability to prevent wireless attacks.

Such companies include financial companies, banks, telcos, manufacturers, healthcare providers, retailers, software companies and defense organizations.

Even the rare organizations with the strictest controls, which do not allow corporate wireless networks at all, are still exposed through shadow networks because wireless-capable devices are so pervasive. These organizations too need to ensure they are protected from wireless attacks and to enforce that no corporate-owned device connects to an unauthorized channel in their network airspace.