Blackmail and Ransom
Command and Control
A major consumer finance institution in the U.S. with more than 17,000 IP phones on its network used the Awake Security Platform to determine that four of its phones were being tapped.
The organization’s large security team struggled with visibility into the IP phones, since existing security controls were blind to these devices. IP phones also exist for the sole purpose of communicating with destinations outside the company, so large volumes of traffic exchanged with external sources are not unusual. What was unusual was that a small number of phones were periodically uploading data to a suspect destination.
To find this activity, Awake’s analytics did not simply compare the current behavior of these devices to what it had observed in the past. In this case, the devices had been compromised long before Awake was deployed in the environment, so a more basic anomaly analysis would have considered the malicious activity “normal” compared to what had previously been observed. Instead, Awake first identified all of the devices with similar fingerprints and then compared those devices to each other, which allowed it to spot the four devices that deviated from the norm.
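As an added illustration of the peer-comparison idea described above (example code, not Awake’s own analytics), the following Python groups phones by a hypothetical fingerprint string and flags devices whose outbound upload volume sits far from their peers, beside a naive self-baseline check that misses a device compromised before monitoring began. The records, fingerprint labels and thresholds are all constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: one record per (device, day) with bytes uploaded to hosts
# outside the corporate range. Hypothetical values, not data from the case study.
RECORDS = [
    # device, fingerprint, day, bytes_out
    ("phone-01", "vendorX/fw-3.2", 1, 1100), ("phone-01", "vendorX/fw-3.2", 2, 1050),
    ("phone-02", "vendorX/fw-3.2", 1, 980),  ("phone-02", "vendorX/fw-3.2", 2, 1020),
    ("phone-03", "vendorX/fw-3.2", 1, 1200), ("phone-03", "vendorX/fw-3.2", 2, 1150),
    ("phone-04", "vendorX/fw-3.2", 1, 1000), ("phone-04", "vendorX/fw-3.2", 2, 990),
    ("phone-05", "vendorX/fw-3.2", 1, 1010), ("phone-05", "vendorX/fw-3.2", 2, 1030),
    # Long-compromised phone: its own history is flat, so a self-baseline never fires.
    ("phone-06", "vendorX/fw-3.2", 1, 48000), ("phone-06", "vendorX/fw-3.2", 2, 47500),
    # A different model uploads more by design; mixing models would hide phone-06.
    ("phone-07", "vendorY/fw-1.0", 1, 30000), ("phone-07", "vendorY/fw-1.0", 2, 31000),
    ("phone-08", "vendorY/fw-1.0", 1, 29500), ("phone-08", "vendorY/fw-1.0", 2, 30500),
]

def per_device_totals(records):
    """Sum bytes_out per device and remember each device's fingerprint."""
    totals, fp = defaultdict(int), {}
    for dev, fingerprint, _day, b in records:
        totals[dev] += b
        fp[dev] = fingerprint
    return totals, fp

def self_baseline_anomalies(records, ratio=3.0):
    """Naive check: flag a device only when a day's upload exceeds `ratio` times
    its own earlier average. A device compromised before day 1 never trips this."""
    history, flagged = defaultdict(list), set()
    for dev, _fp, _day, b in records:  # records are in day order
        if history[dev] and b > ratio * (sum(history[dev]) / len(history[dev])):
            flagged.add(dev)
        history[dev].append(b)
    return flagged

def peer_group_anomalies(records, k=5.0):
    """Group devices by fingerprint and flag those whose total upload volume is
    more than k median absolute deviations (MAD) from the group's median."""
    totals, fp = per_device_totals(records)
    groups = defaultdict(dict)
    for dev, total in totals.items():
        groups[fp[dev]][dev] = total
    flagged = set()
    for members in groups.values():
        vals = list(members.values())
        med = median(vals)
        mad = median(abs(v - med) for v in vals) or 1.0  # guard identical groups
        flagged |= {dev for dev, v in members.items() if abs(v - med) / mad > k}
    return flagged
```

Running both checks on the same records shows the self-baseline returning nothing while the peer-group comparison isolates phone-06, which is the distinction the case study draws.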