Command and Control: Tapping IP Phones In Sensitive Locations
- Attacker Objective: Blackmail and Ransom
- Threat Type: Command and Control
A major consumer finance institution in the U.S. with more than 17,000 IP phones on its network used the Awake Security Platform to determine that four of its phones were being tapped.
The organization’s large security team struggled with visibility into the IP phones, since existing security controls were blind to these devices. IP phones also exist for the sole purpose of communicating with destinations outside the company, so large volumes of traffic exchanged with external sources are not unusual. What was unusual was that a small number of phones were periodically uploading data to a suspect destination.
To find this activity, Awake’s analytics did not simply compare the current behavior of these devices to what it had observed in the past. In this case, the devices were compromised long before Awake was deployed in the environment, so a more basic anomaly analysis would have treated the malicious activity as “normal” because it matched everything previously observed. Instead, Awake first identified all of the devices with similar fingerprints and then compared these devices to each other. This allowed it to spot four devices that deviated from the norm of their peer group.
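The peer-group comparison described above, as an added example in Python (not Awake's code): devices are grouped by fingerprint and each device's external upload volume is scored against its peers with a median/MAD statistic. The flow records, the rule that 10.0.0.0/8 is internal, and the threshold are assumptions of this example; a self-history score is included to show why baselining a device only against its own past misses an upload that predates monitoring.

```python
"""Peer-group vs. self-history baselining for IP-phone upload traffic.
Added example, not Awake's code. Records are constructed tuples of
(device_id, fingerprint, dst_ip, bytes_out); treating 10.0.0.0/8 as
internal and everything else as external is an assumption here."""
from collections import defaultdict
from statistics import median

def robust_scores(values):
    """Median/MAD z-scores for a {key: value} map (MAD floored at 1)."""
    med = median(values.values())
    mad = median(abs(v - med) for v in values.values()) or 1.0
    return {k: (v - med) / mad for k, v in values.items()}

def peer_outliers(records, threshold=5.0):
    """Group devices by fingerprint and flag those whose external upload
    volume deviates from peers of the same kind. A phone that has always
    uploaded to the suspect host still stands out against its peers."""
    groups = defaultdict(dict)                        # fp -> {device: bytes}
    for dev, fp, dst, nbytes in records:
        external = not dst.startswith("10.")          # assumption: 10/8 is internal
        groups[fp][dev] = groups[fp].get(dev, 0) + (nbytes if external else 0)
    flagged = {}
    for fp, per_device in groups.items():
        if len(per_device) < 3:                       # too few peers to compare
            continue
        hits = {d: s for d, s in robust_scores(per_device).items() if s > threshold}
        if hits:
            flagged[fp] = hits
    return flagged

def self_history_score(past_volumes, current):
    """Score today's volume against the same device's own past: an upload
    that predates monitoring scores near zero and would be missed."""
    med = median(past_volumes)
    mad = median(abs(v - med) for v in past_volumes) or 1.0
    return (current - med) / mad

# Constructed sample: eight phones of one model talking to their SIP provider;
# two of them also ship large blobs to a second external host.
RECORDS = [(f"phone-{i:02d}", "vendor-x/model-1", "203.0.113.5", b)
           for i, b in enumerate([100_000, 105_000, 110_000, 115_000,
                                  120_000, 125_000, 108_000, 112_000], 1)]
RECORDS += [("phone-03", "vendor-x/model-1", "198.51.100.77", 900_000),
            ("phone-07", "vendor-x/model-1", "198.51.100.77", 850_000),
            ("phone-03", "vendor-x/model-1", "10.1.2.3", 5_000_000)]  # internal, ignored

if __name__ == "__main__":
    print(peer_outliers(RECORDS))        # flags phone-03 and phone-07 only
    print(self_history_score([1_000_000, 1_020_000, 1_005_000], 1_010_000))  # 1.0
```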