TSCM: Technical Surveillance Counter Measures

There are many ways for bad actors to exfiltrate information from an organization. For example, covert transmitters can create voice or data channels that are difficult to detect. These devices commonly use wireless protocols at unmonitored frequencies. For data exfiltration, cellular protocols are the most prevalent example of an “out-of-band” network that can move large amounts of data. Organizations are finding it harder and harder to monitor the entire radio frequency spectrum of protocols and bands for anomalous and/or high volume exfiltration signatures.

THE PROBLEM

Bob Baxley, Chief Engineer at Bastille Networks, discusses continuous "Technical Surveillance Counter-Measures".

Surveillance devices are becoming cheaper and easier to access. Countless inexpensive bugs, pwn plugs, and listening devices can be purchased over the counter and over the Internet. They are quick to install, carry their own computers, and have their own prepaid cellular backhaul chips. Their traffic never touches the wire, so it never passes through the monitoring systems that security teams normally run. Instead, the devices backhaul the data through unmonitored protocols.

Typically, when an organization needs to conduct a bug sweep, it hires an outside firm to do a one-time, point-in-time sweep that is rendered obsolete once the firm leaves. This is not only costly and time consuming, but also very disruptive. Unfortunately, most corporations only run bug sweeps once per quarter, or in close proximity to a "sensitive moment or event", leaving themselves susceptible to attack the rest of the time.

Surveillance vulnerabilities include:

  • Rogue Wireless Devices and Networks being used for Data Exfiltration
    • Typical exfiltration prevention techniques involve monitoring corporate networks and preventing the use of USB ports for storage. However, by utilizing cellular or other "hard to see" protocols, attackers can bypass these controls.
    • Nefarious devices such as pwn plugs and pineapples that are left in place specifically to steal data and backhaul that data out over cellular.
  • Unauthorized video systems planted in an organization

THE REQUIREMENTS FOR A TECHNICAL SURVEILLANCE COUNTER MEASURE SOLUTION

A TSCM security solution needs to:

  1. Provide visibility into the wireless networks, traffic, and devices operating in your environment,
  2. Inform you of the attack surface for each of these devices,
  3. Alert on active wireless attacks on those devices through your existing SIEM systems,
  4. Suggest best practices for minimizing the attack surface and mitigating an attack in action, and
  5. Operate 7 x 24 to catch out-of-hours transmission of data.

Specifically, a solution must:

  • Detect all devices operating in the wireless spectrum, including but not limited to Wi-Fi, cellular, Bluetooth, and the hundreds of other protocols in the Internet of Things (IoT)
  • Detect current and future protocols without requiring hardware upgrades
  • Detect known and unknown emitters via observing energy patterns
  • Provide awareness of any wireless threats including active attacks and rogue networks
  • Detect data exfiltration via wireless devices
  • Be always on
  • Detect unauthorized devices
  • Detect vulnerable devices being installed
  • Detect anomalous wireless activity originating from the campus
  • Alert on a wireless attack surface introduced by the installation of new equipment
  • Detect rogue cell towers which can send signals into your facility
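The following is an added illustration, not Bastille's product code, of how three of the requirements above (unauthorized devices, out-of-hours transmission, and high-volume cellular uplink as an exfiltration signature) can be expressed as screening rules over emitter observations. The authorized-device inventory, the business-hours window, the byte threshold, and every observation record are constructed for the example.

```python
"""Constructed example: screening RF emitter observations against TSCM
requirements. All identifiers, thresholds and byte counts are assumed values
for illustration, not data from any sensor or product."""
from __future__ import annotations
from datetime import datetime, time

# Hypothetical inventory of authorized emitters, keyed by (protocol, id).
AUTHORIZED = {
    ("wifi", "ap-01"), ("wifi", "ap-02"),
    ("bluetooth", "headset-17"),
}
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed local working window
CELL_UPLINK_ALERT_BYTES = 50 * 1024 * 1024   # assumed: 50 MiB per window


def in_business_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return start <= ts.time() < end


def screen(observations: list[dict]) -> list[tuple[str, str]]:
    """Return (emitter_id, reason) alerts; one entry per rule that fires."""
    alerts = []
    for obs in observations:
        key = (obs["protocol"], obs["id"])
        # Rule 1: any emitter not in the inventory is unauthorized.
        if key not in AUTHORIZED:
            alerts.append((obs["id"], "unauthorized emitter"))
        # Rule 2: uplink activity outside business hours (requirement 5).
        if not in_business_hours(obs["ts"]) and obs["uplink_bytes"] > 0:
            alerts.append((obs["id"], "out-of-hours transmission"))
        # Rule 3: cellular uplink volume large enough to move bulk data.
        if obs["protocol"] == "cellular" and obs["uplink_bytes"] >= CELL_UPLINK_ALERT_BYTES:
            alerts.append((obs["id"], "high-volume cellular uplink"))
    return alerts


# Constructed observations: one record per emitter per 15-minute window.
SAMPLE = [
    {"protocol": "wifi", "id": "ap-01", "ts": datetime(2024, 3, 4, 10, 0), "uplink_bytes": 12_000_000},
    {"protocol": "bluetooth", "id": "headset-17", "ts": datetime(2024, 3, 4, 10, 0), "uplink_bytes": 2_000},
    {"protocol": "cellular", "id": "cell-placeholder-1", "ts": datetime(2024, 3, 4, 2, 30), "uplink_bytes": 80_000_000},
    {"protocol": "wifi", "id": "ap-01", "ts": datetime(2024, 3, 4, 22, 0), "uplink_bytes": 0},
]

if __name__ == "__main__":
    for emitter, reason in screen(SAMPLE):
        print(f"ALERT {emitter}: {reason}")
```

On the sample data only the unknown cellular emitter fires, and it trips all three rules; the authorized access point seen at night with no uplink bytes produces nothing.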

What kinds of organizations need this solution?

  • Fortune 2000, financial services, technology, and other companies with sensitive data or high risk areas