InfOE2mo ago
deep-jade

NetSec + OpSec + VLAN Management for OE

Overview
Over the past few weeks, a few members here have seen an uptick in companies employing strategies (whether in house or outsourced to a security vendor) to catch entities that may be involved with illegal "server farms", where a home may house multiple company laptops and foreign actors do work on these laptops. Unfortunately, the use cases that catch and trigger these alerts have an overlap with folks who are overemployed with multiple full-time jobs (often more than 4). Some quotes (redacted):
[1] apparently, the user [redact] was already under insider threat investigation, and then crowdstrike found their router MAC address tied to multiple companies
[2] crowdstrike, tanium, among a few can grab nmap scans and get that info
Got pinged by my IT Security team about my PIKVM despite changing the USB EDID
we were alerted to some insider threats that appear to be related to a server farm (initially). My team [redact] started sending out info on [foreign] remote workers and things to look out for for these users
Even if you accidentally plugged in a tinypilot/pikvm in the past (completely unmodified), audit logs can be kept for over 2 years in a SIEM, and can be acted upon retroactively
Although the risk of being caught by these strategies is very minimal, especially for the average overemployed person, there are a few steps you can take to "future proof" yourself anyway for the far enough future and increase your operational security.

Steps to strengthen your network and opsec

Pikvm + TinyPilot
The article https://discord.com/channels/1181304501999784027/1181356611399323669 is generally a good starting place to find links on how to conceal your tinypilot and pikvm, but overall:
- You must modify your EDID to NOT be the defaults (and I would err on the side of not using the alternatives pikvm or tinypilot give you -- you should actually copy and dump your own monitor's EDID and use that). Ex: https://hub.libre.computer/t/what-is-edid-and-how-to-dump-edid-of-a-monitor/334#:~:text=To%20get%20the%20EDID%20file,present%20a%20human%20readable%20breakdown.
- Make sure to turn off USB Mass Storage
- Make sure to change your USB ID and Vendor ID
BONUS: If possible, if you have a managed switch or managed AP, put your pikvm/tinypilot in a completely separate VLAN from the job laptop it's connected to. This by itself should be enough.

VLAN Management
Because of the increased scrutiny by vendors like crowdstrike, there is a risk for those with 3 or 4 plus jobs that you can be accidentally misclassified as a foreign threat actor -- and even if you're not, increased probing of your status and work environment may accidentally reveal you are overemployed. Please note this is NOT applicable (generally) if you have 2 or 3 laptops because of the possibility you have a spouse who works at another job, or roommates. 3 or 4 has been the bare minimum through some observation, but anything over 5 can be caught if the security vendor or in-house security team configures it as such.

If you do have only 2 laptops, it isn't a bad idea to utilize your main network and a "guest network", as many wifi providers, such as Eero, offer a guest network which works out to be a "second VLAN". Otherwise, consider products like unifi or aruba that allow you to create additional networks, VLANs, and network segmentation across the devices on your network. I recently set up a unifi and I have the following hardware:
- Cloud Gateway Max
--> Connected to USW Pro 16 PoE
-----> U7 Pro Wall
-----> U7 Pro Wall
-----> U7 Pro Wall
Ideally if everything is correct, doing an arp -a on your work laptop should show nothing in the ARP table, as it should be the only device on the “isolated network”. More info: https://discord.com/channels/1181304501999784027/1257343690653958286/1296320106867200010
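As an added example for the EDID step in the post above (this is not code from the post, PiKVM or TinyPilot), the script below decodes the identity fields of an EDID base block so you can confirm that the EDID your KVM presents to the work laptop carries your own monitor's manufacturer PNP ID, product code, serial and name, and that its checksum is still valid after you edited it. Offsets follow the VESA EDID 1.x base-block layout. The sample EDID it builds is constructed for the demo, with a made-up manufacturer ID XYZ and product code 0x1234; on a Linux box you would instead pass a dumped file such as the edid node under /sys/class/drm/ (the exact connector path is an assumption and varies per machine).

```python
#!/usr/bin/env python3
"""Decode the identity fields of an EDID base block.

Added example for this thread, not PiKVM/TinyPilot project code. Use it to
check that the EDID your KVM presents carries your own monitor's identity
rather than a stock one. Field offsets follow the VESA EDID 1.x base block.
"""
import sys

HEADER = bytes([0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00])


def decode_manufacturer(word: int) -> str:
    """Three PNP letters packed as 5-bit values (1 = 'A') in a big-endian word."""
    return "".join(chr(64 + ((word >> shift) & 0x1F)) for shift in (10, 5, 0))


def encode_manufacturer(pnp_id: str) -> int:
    """Inverse of decode_manufacturer; only used here to build the sample."""
    a, b, c = (ord(ch) - 64 for ch in pnp_id.upper())
    return (a << 10) | (b << 5) | c


def decode_edid(edid: bytes) -> dict:
    """Return identity fields from the 128-byte base block (extensions ignored)."""
    base = edid[:128]
    if len(base) != 128 or base[:8] != HEADER:
        raise ValueError("not an EDID base block")
    info = {
        "manufacturer": decode_manufacturer(int.from_bytes(base[8:10], "big")),
        "product_code": int.from_bytes(base[10:12], "little"),
        "serial": int.from_bytes(base[12:16], "little"),
        "year": 1990 + base[17],
        "name": None,
        # A valid block sums to zero modulo 256; an edited block that does not
        # is exactly the kind of thing a host driver or inventory tool notices.
        "checksum_ok": sum(base) % 256 == 0,
    }
    # Four 18-byte descriptors start at offset 54. A display descriptor has a
    # zero pixel clock in bytes 0-1 and its type in byte 3 (0xFC = monitor name,
    # text in bytes 5-17, terminated by 0x0A and padded with spaces).
    for off in range(54, 126, 18):
        d = base[off:off + 18]
        if d[0:2] == b"\x00\x00" and d[3] == 0xFC:
            info["name"] = d[5:18].split(b"\x0a")[0].decode("ascii", "replace").strip()
    return info


def build_sample_edid(pnp_id="XYZ", product_code=0x1234, serial=42, name="TEST MONITOR") -> bytes:
    """Constructed sample EDID (not dumped from real hardware) for offline testing."""
    b = bytearray(128)
    b[0:8] = HEADER
    b[8:10] = encode_manufacturer(pnp_id).to_bytes(2, "big")
    b[10:12] = product_code.to_bytes(2, "little")
    b[12:16] = serial.to_bytes(4, "little")
    b[16], b[17] = 1, 2020 - 1990           # week 1, year 2020
    b[18], b[19] = 1, 4                     # EDID 1.4
    b[126] = 0                              # no extension blocks
    text = name.encode("ascii")[:13]
    if len(text) < 13:
        text += b"\x0a"
    b[54:72] = b"\x00\x00\x00\xfc\x00" + text.ljust(13, b" ")
    b[127] = (-sum(b[:127])) % 256          # checksum byte makes the block sum to 0
    return bytes(b)


def main(argv):
    edid = open(argv[1], "rb").read() if len(argv) > 1 else build_sample_edid()
    for k, v in decode_edid(edid).items():
        print(f"{k:13} {v:#06x}" if k == "product_code" else f"{k:13} {v}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no argument to see the constructed sample decoded; run it against your dumped EDID and compare the manufacturer, product code and name with what the laptop's display settings report, as one of the replies later in this thread does by eye.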
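Added example (not from the post) for the isolation check at the end of the post: it parses the text of arp -a and reports every resolved neighbor that is neither the gateway nor multicast/broadcast noise. The gateway entry is expected even on a properly isolated VLAN, because the laptop has to resolve it to reach anything, so a clean result is "no offenders" rather than an empty table. The sample rows embedded below are constructed, and the macOS/Linux "(ip) at mac" and Windows "ip mac type" row shapes are the only formats it understands.

```python
#!/usr/bin/env python3
"""Report neighbors in a work laptop's ARP table other than the gateway.

Added example for this thread, not code from the post. Feed it the text of
`arp -a` (macOS/BSD/Linux "(ip) at mac" rows or Windows "ip  mac  type"
rows); anything resolved that is not the gateway and not multicast or
broadcast noise is an offender, i.e. a device the laptop can see.
"""
import ipaddress
import re
import subprocess
import sys

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
# Five separator groups; macOS prints single-digit octets like 1:0:5e:0:0:fb.
MAC_RE = re.compile(r"\b(?:[0-9a-fA-F]{1,2}[:-]){5}[0-9a-fA-F]{1,2}\b")

# Constructed sample output (not captured from a real network) used for the demo.
SAMPLE = """\
? (192.168.10.1) at aa:bb:cc:dd:ee:01 on en0 ifscope [ethernet]
? (192.168.10.23) at aa:bb:cc:dd:ee:23 on en0 ifscope [ethernet]
? (192.168.10.77) at (incomplete) on en0 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]
? (239.255.255.250) at 1:0:5e:7f:ff:fa on en0 ifscope permanent [ethernet]
"""


def parse_arp(text):
    """Yield (ip, mac) for resolved rows. Rows without a MAC (incomplete
    entries, Windows 'Interface:' headers, column titles) are skipped."""
    for line in text.splitlines():
        ip_m = IP_RE.search(line)
        mac_m = MAC_RE.search(line)
        if ip_m and mac_m:
            yield ip_m.group(1), mac_m.group(0).lower().replace("-", ":")


def is_noise(ip, mac):
    """Multicast and broadcast entries exist on any network and reveal nothing."""
    addr = ipaddress.ip_address(ip)
    return addr.is_multicast or ip == "255.255.255.255" or mac == "ff:ff:ff:ff:ff:ff"


def offenders(text, gateway):
    """Sorted (ip, mac) pairs that should not be visible on an isolated VLAN."""
    seen = {}
    for ip, mac in parse_arp(text):
        if ip != gateway and not is_noise(ip, mac):
            seen[ip] = mac
    return sorted(seen.items(), key=lambda kv: ipaddress.ip_address(kv[0]))


def main(argv):
    if len(argv) > 1:
        gateway = argv[1]
        text = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    else:
        gateway, text = "192.168.10.1", SAMPLE
    found = offenders(text, gateway)
    if not found:
        print(f"isolated: only gateway {gateway} visible")
        return 0
    for ip, mac in found:
        print(f"neighbor visible: {ip} {mac}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage on the work laptop: python3 arp_check.py 192.168.10.1 (your gateway's address). A non-zero exit means something besides the gateway answered ARP, which is the same signal a passive-discovery agent on that laptop would record.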
231 Replies
deep-jade
deep-jadeOP2mo ago
- I currently have 4 VLANs managed by the cloud gateway max, one for each job, and a dedicated VLAN for my pikvms connected via the PoE switch.
- I tagged each port on my switch to their respective devices, and set up VLANs for each port range as appropriate. From the perspective of my company laptop, any nmap scan will not show either the pikvm or other laptops.
deep-jade
deep-jadeOP2mo ago
What my top topology looks like
[image attachment]
deep-jade
deep-jadeOP2mo ago
PoE to pro wall
[image attachment]
deep-jade
deep-jadeOP2mo ago
Of course, depending on your use case, this could either be "overkill" or "i should definitely do this" It doesn't hurt to do this because this is overally better network security for your own house anyways regardless of OE. And by having it, you do also conveniently future proof yourself from these invasive scans and aggregation from your companies.
xenial-black
xenial-black2mo ago
i just did sudo nmap -sS on the local network /24 from my personal laptop but it only says 2 hosts up despite some of my Js' laptops being on plus all the pikvms being on. Using a managed PoE switch for all network connections through Ethernet but I don't remember ever setting up a VLAN
eager-peach
eager-peach2mo ago
You can configure your firewalls to ignore all requests and just drop packets so nothing gets reported back. If you wanna git gud try nmap with tcpdump or wireshark. You can hide the machine but you can’t hide the data. Watch the packets through the gateway
ratty-blush
ratty-blush2mo ago
@totaldev are you going to do a unifi write up for travel routers and honeypots etc
deep-jade
deep-jadeOP2mo ago
its on the books haha but im not too familiar with it
ratty-blush
ratty-blush2mo ago
happy to collab, tl;dr: enable on unifi side, dl the file, load to travel router
deep-jade
deep-jade2mo ago
Thanks for putting this all together!
xenial-black
xenial-black2mo ago
use case for honeypots? creating fake routers to poison the data that Sec at Js is scanning off of home network? 👀
deep-jade
deep-jadeOP2mo ago
you can figure out which job is actually doing this shit if they ever come at you lol
typical-coral
typical-coral2mo ago
It's interesting how many people use unifi here. I set up a VLAN in 3 minutes for this after I heard about it. Now I have a reason to buy more of their gear lol
deep-jade
deep-jade2mo ago
Sounds like one of us needs to get a referral link business set up!
ratty-blush
ratty-blush2mo ago
That and seeing if scans happen from inside
xenial-black
xenial-black2mo ago
Inside?? Inside the router? Corporate laptops can scan from inside the router wat??
ratty-blush
ratty-blush2mo ago
inside the network
typical-coral
typical-coral2mo ago
They are behind the router typically. So yes.
foreign-sapphire
foreign-sapphire2mo ago
So you’re saying scans on the network from your J laptop, that they’re doing unknowingly to the user? That’s invasive af lol
adverse-sapphire
adverse-sapphire2mo ago
yes, LAN v. WAN. make a VLAN and isolate the J laptop. I isolate my china spyware smart devices & smart home devices into their own VLANs. u could honestly buy a router per J and isolate that way, ethernet only
typical-coral
typical-coral2mo ago
I like your style. Typically more scalable to have a managed switch tho.
adverse-sapphire
adverse-sapphire2mo ago
meh nbd. I think for the IT-illiterate, having sub-routers would idiot-proof the vlan setup
typical-coral
typical-coral2mo ago
or networking illiterate, not all IT people know/understand networking and routing
xenial-black
xenial-black2mo ago
Is networking and routing that hard to understand
deep-jade
deep-jadeOP2mo ago
ah there's an interview question that's related to this: when you go to www.google.com, what do you think happens 🙂 people can go crazy on the answer but including networking and routing is next level too haha
foreign-sapphire
foreign-sapphire2mo ago
Yea that’s a common cyber question. DNS is the answer, basically. But you can go super in depth 😉
deep-jade
deep-jadeOP2mo ago
cyber... infra.... network ops... heck i was asked this for enterprise engineering at meta lol
foreign-sapphire
foreign-sapphire2mo ago
my b, a common IT question. what did you say?
deep-jade
deep-jadeOP2mo ago
it was a looong answer.. lol but it dove deep into packets too
foreign-sapphire
foreign-sapphire2mo ago
did you get the job?
deep-jade
deep-jadeOP2mo ago
i got the offer yes but i didnt' want to be an enterprise engineer lol
foreign-sapphire
foreign-sapphire2mo ago
I aspire to be like you sir having the luxury to deny offers from meta :mericCat:
deep-jade
deep-jadeOP2mo ago
when you put it like that, it sounds positive but at least in this space, (bay area, big tech, trying to break into high(er) TC roles), enterprise engineering is a tier below SWE and i had an offer that was way better and was better for my TC growth
foreign-sapphire
foreign-sapphire2mo ago
well then hell yea all about perspective :prayge:
foreign-sapphire
foreign-sapphire2mo ago
I want to get a PoE switch for my AT&T router, any recommendations? this is so I can set up my doorbell camera lol, but would it help with separating J1/J2 etc laptops on different networks?
eager-peach
eager-peach2mo ago
depends on what your router can do. can it run two dhcp servers? and two gateways? probably not
foreign-sapphire
foreign-sapphire2mo ago
switch doesnt get assigned a new IP? and MAC?
deep-jade
deep-jadeOP2mo ago
MAC tied to hardware. Switch routes clients to IPs. Routers still have to reserve
foreign-sapphire
foreign-sapphire2mo ago
Ok I got a POE switch cheap one on amazon lol
ratty-blush
ratty-blush2mo ago
does it do vlan
xenial-black
xenial-black2mo ago
If it's cheap, I suspect it's an unmanaged switch
foreign-sapphire
foreign-sapphire2mo ago
I don't think so
foreign-sapphire
foreign-sapphire2mo ago
TP-Link TL-SG1005P, 5 Port Gigabit PoE Switch, 4 PoE+ Ports @65W, D...
TL-SG1005P is a 5 10/100/1000Mbps ports unmanaged switch that requires no configuration and provides 4 PoE (Power over Ethernet) ports. It can automatically detect and supply power with all IEEE 802.3af compliant Powered Devices (PDs). In this situation, the electrical power is transmitted along ...
ratty-blush
ratty-blush2mo ago
Unmanaged so no. No vlan for you there
foreign-sapphire
foreign-sapphire2mo ago
interesting, what about this one? https://shorturl.at/mgyZ6
TP-Link TL-SG105PE | 4 PoE+ Port @65W | Easy Smart | Plug & Play | ...
5-Port Gigabit Easy Smart Switch with 4-Port PoE+
foreign-sapphire
foreign-sapphire2mo ago
if so I'll get this one instead
ratty-blush
ratty-blush2mo ago
Does it say managed? Heck do you have a guest network?
foreign-sapphire
foreign-sapphire2mo ago
ya I think so lol but vlans sound cool. it says this:
Easy Smart Management: Simple setup and monitor your network with easy-to-use web-based management interface and smart configuration utility
Network Segmentation: Abundant VLAN features improve network security via traffic segmentation
ratty-blush
ratty-blush2mo ago
Seems better
foreign-sapphire
foreign-sapphire2mo ago
Ok purchased but now it comes Tuesday instead of tomorrow grr Amazon
typical-coral
typical-coral2mo ago
Get unifi switches and gateway more foolproof for you.
foreign-sapphire
foreign-sapphire2mo ago
how so? :pepeThink:
deep-jade
deep-jadeOP2mo ago
unifi is like consumer-advanced, gives you a lot of control way more than typical consumer grade networking tools like eero and netgear
foreign-sapphire
foreign-sapphire2mo ago
I can upgrade in the future I suppose. I plan to rent/airbnb my current place and start traveling soon, so I don't need the most advanced setup rn I feel like
ratty-blush
ratty-blush2mo ago
id get unifi if your jobs expect you to be a place
deep-jade
deep-jadeOP2mo ago
[image attachment]
like-gold
like-gold2mo ago
But the original post mitigates this right.
ratty-blush
ratty-blush2mo ago
Sean Wright
UPDATED: Segmenting Home Network Using A Work VLAN on UniFi
Update to my previous blog on how to create a segmented LAN on UniFi, using the new interface.
ratty-blush
ratty-blush2mo ago
not a new thing
deep-jade
deep-jade2mo ago
Do we have tier rankings of routers somewhere in this discord? Looking for the best router for range with decent out-of-the-box security and minimal configuring.
adverse-sapphire
adverse-sapphire2mo ago
u could literally run a gaming pc as your router man
@Corpse u should know this already wtf, whats ur TC
u use a dedicated wireless access point for range
u use a dedicated router for routing
try like @totaldev ubiquiti unifi? setup iirc
prosumer router brands & disable the radio
buy another router per-j if you dont want to configure anything, 1G routers on amazon for like 15$usd prob lol
adverse-sapphire
adverse-sapphire2mo ago
[image attachment]
adverse-sapphire
adverse-sapphire2mo ago
disabling the radio can be as easy as wrapping it in tinfoil if you REALLY don't want to touch it other than power, gateway, & output eth ports
deep-jade
deep-jadeOP2mo ago
I think corpse asked a legit question, not sure what's the purpose of the question anyways. In a helpful environment, there shouldn't ever be an answer of "you should know this already because of XYZ". Because -- if you think about it, what sort of answer would you expect? 🙂 "Oh sorry?" "Oh yes you're right I should have" All of those directions don't really help at deriving a helpful solution in the first place, so the statement of "you should know this already.." is meaningless.
adverse-sapphire
adverse-sapphire2mo ago
its ok, TC is not an indicator of much, thx nepotism
deep-jade
deep-jadeOP2mo ago
got it.. dont really understand the chain of thought in this conversation but hope you got what you need lol
deep-jade
deep-jade2mo ago
Wondering if a list was already made. I tend to use router and AP to mean the same thing. TC was $500k-ish a year ago, but semi retired now on maintenance J so want to optimize for least maintenance and hassle since I may need non techie people to operate and will have to give directions over the phone.
ratty-blush
ratty-blush2mo ago
I'd rec the unifi stack especially since you can remote admin
eager-peach
eager-peach2mo ago
From your phone. 🫦
ratty-blush
ratty-blush2mo ago
yes
eager-peach
eager-peach2mo ago
If anyone has any UniFi questions HMU. I don’t use their switches (except the aggregation sfp+ switch) bc they’re expensive, but I have the NVR Pro, dream machine pro, a bunch of APs and a bunch of cameras. My switches are a mix of netgear and tp link managed switches
ratty-blush
ratty-blush2mo ago
full unifi here
eager-peach
eager-peach2mo ago
If you hack me you’ll just find furry porn and pics of td
deep-jade
deep-jadeOP2mo ago
What do you think of Cisco hardware 🤪
ratty-blush
ratty-blush2mo ago
i think you are old go away boomer
eager-peach
eager-peach2mo ago
I used a 1200W 80 port PoE switch once. Would do again. Are u using unifi switches too?
ratty-blush
ratty-blush2mo ago
yep
eager-peach
eager-peach2mo ago
u like it? I imagine it propagates the vlan tags across all switches once you set it up in your router, which seems kinda nice
ratty-blush
ratty-blush2mo ago
even nicer is the gui for vlaning, create from browser and add devices by selecting
eager-peach
eager-peach2mo ago
Oh interesting so it follows the device and not the port
ratty-blush
ratty-blush2mo ago
yep
deep-jade
deep-jadeOP2mo ago
found another person
Hi everyone, I’m new here and need some advice regarding an issue with my new job. All of my work MacBooks have CrowdStrike Falcon installed, and the IT/cybersecurity team at this job recently contacted me about suspicious activity. They flagged the use of mouse jigglers (in multiple devices) and noted that several devices were detected within my household network. I explained that those devices belong to my partner.
However, this morning, my MacBook access was blocked by IT, and my manager informed me that they’re conducting an investigation and temporarily revoked my access.
I’m now worried: Since all my jobs use CrowdStrike Falcon, is it possible that Falcon could detect my activity across all the jobs I have? Could it alert IT teams at my other jobs about these devices, revealing that I’m working multiple roles?
Any insights or advice would be greatly appreciated!
https://discord.com/channels/827970590820139019/827970590820139024/1296205242882592848
adverse-sapphire
adverse-sapphire2mo ago
RIP fuck crowdstrike
TL123
TL1232mo ago
I posted it in the other channel. I’m going to do the VLAN management, what else should I do? Will they just fire me after their investigation? 😓
deep-jade
deep-jadeOP2mo ago
@GlobalBuilder
deep-jade
deep-jadeOP2mo ago
Example network segmentation setup
[image attachment]
deep-jade
deep-jadeOP2mo ago
Let us know how they investigate... it's not that likely they'll fire you as long as you provide a legit excuse if they ask.
realistic-cyan
realistic-cyan2mo ago
What is AP?
deep-jade
deep-jadeOP2mo ago
access point
Pgysq
Pgysq2mo ago
What unifi products do I have to buy? Look at the post here https://blog.sean-wright.com/segmenting-home-network-using-a-work-vlan-on-unifi/ Seems like there are a few of them
Sean Wright
UPDATED: Segmenting Home Network Using A Work VLAN on UniFi
Update to my previous blog on how to create a segmented LAN on UniFi, using the new interface.
Pgysq
Pgysq2mo ago
Which one is necessary? :monkaS: not very familiar with all these spec
deep-jade
deep-jadeOP2mo ago
1. https://store.ui.com/us/en?s=us&l=en&category=all-unifi-cloud-gateways Get a cloud gateway
2. depending on your home, this is enough
3. if your home is huge or you need to wire from your internet cloud gateway to your room, maybe you'll need a switch or a wifi AP
Pgysq
Pgysq2mo ago
Cloud gateway ultra or max?
deep-jade
deep-jadeOP2mo ago
if it's too advanced for you why can't you just get multiple routers..?
[image attachment]
deep-jade
deep-jadeOP2mo ago
either is fine.. depends on your use case. both can do it
Pgysq
Pgysq2mo ago
Yes I will resort to this if I cannot figure it out. Lived in a small space so my work set up is tight now
adverse-sapphire
adverse-sapphire2mo ago
eww wifi so fucking based i called it bro
deep-jade
deep-jadeOP2mo ago
lol yeah it's simpler
adverse-sapphire
adverse-sapphire2mo ago
god bless NAT yea
modem || gateway output -> hub -> routers 😁
or modem || gateway output -> router -> unmanaged switch -> routers 😁
aninterestedparty
so multiple routers can mitigate this issue? I'm one of the illiterate ones when it comes to networking so I'll probably just resort to this from the get go, don't wanna risk ending up with a badly implemented advanced setup.
deep-jade
deep-jadeOP2mo ago
yes, multiple routers can mitigate
aninterestedparty
great, I'll give that a shot tomorrow.
realistic-cyan
realistic-cyan2mo ago
where is the cloud gateway in this diagram? would it be the managed switch?
deep-jade
deep-jadeOP2mo ago
this is the "simple" setup for this you can just use any router per job
realistic-cyan
realistic-cyan2mo ago
so where would the cloud gateway come into play a different setup? the cloud gateway creates the VLANs right? so that's lke the managed switch in that diagram?
deep-jade
deep-jadeOP2mo ago
this is just my setup, yes for vlan setup but we just learned from #👋|main that won't solve the crowdstrike issue
realistic-cyan
realistic-cyan2mo ago
I see, I think from the discussion, I can just get a few managed Ethernet switches with VLAN and just create separate VLAN for each J connected to it right? And keep the pikvms on their own VLAN
deep-jade
deep-jadeOP2mo ago
that can work for now. if you don't care that crowdstrike may be mapping your laptop to each router's MAC address, vlans won't help with that
xenial-black
xenial-black2mo ago
but a router that supports MAC address spoofing or changing at the device level in conjunction with vlans per J at switch level would mitigate this mapping?
deep-jade
deep-jadeOP2mo ago
try it. and figure it out for us. 😦
xenial-black
xenial-black2mo ago
i'm just going off of wut ipod posted to confirm. Don't want to end up going in the wrong direction 😭 i just need to see a yes from someone if it works lol, to know if i'm thinking in the correct direction ;-;
deep-jade
deep-jadeOP2mo ago
nobody does, but you can't really expect everyone to just have an answer for you. all of this is speculation. you either wait for someone to implement it, and you can copy it, or you do it yourself and report for us. we literally just had this discussion today, you can't expect someone to have confirmed this right this minute
xenial-black
xenial-black2mo ago
oh ic. that makes sense
deep-jade
deep-jadeOP2mo ago
either (1) you wait until someone else figured it out and relayed it or (2) you do it yourself and report back to us. i've already reported all i can with the devices i have on hand, same with the folks who reported theirs
realistic-cyan
realistic-cyan2mo ago
If I have 2 managed switches connected to an unmanaged switch, there shouldn't be any issues with that right?
deep-jade
deep-jadeOP2mo ago
in theory, probably not, but report back to us if you run into problems or not. plus, thinking about it a bit more, any UBA correlation rule can find it suspicious that you're logging in from multiple different MAC addresses at a regular cadence, especially if the MAC addresses have the same/similar subnet map, i.e. 192.168.0.0, unless you want to change that too, but that'll involve literally rebooting your router every day lol (or equivalent). so whether we believe that will work or not is speculation, as it's still highly dependent on the company that's implementing these security measures
realistic-cyan
realistic-cyan2mo ago
Im thinking something like this lol
[image attachment]
realistic-cyan
realistic-cyan2mo ago
sorry i mean like this lol. my google nest wifi pro only has 1 ethernet so i have an unmanaged switch to connect other things from it
[image attachment]
deep-jade
deep-jadeOP2mo ago
in this case if j1, j2, j3, j4, j5, j6 all use crowdstrike, crowdstrike will map them all to your GL-ax1800 router's MAC address independently
[image attachment]
deep-jade
deep-jadeOP2mo ago
and they will store that data centrally and notify J5, for example: "Hey, just so you know, this user had 5 other company laptops connected to the same router, please follow up / investigate"
realistic-cyan
realistic-cyan2mo ago
hmm i see... thats why its prob best to just have a router for each J then
deep-jade
deep-jadeOP2mo ago
if you are extremely paranoid about that risk, yes. but with 6 Js, you should definitely consider that. find the smallest router you can and just go with it lol
realistic-cyan
realistic-cyan2mo ago
how small of a router? lol like the GL Slate AX?
deep-jade
deep-jadeOP2mo ago
idk, my unifi express is pretty nice and small. 6 of them will be OK. routers can be big.. if it's just per j, get the smallest lol
realistic-cyan
realistic-cyan2mo ago
if my work laptop has crowdstrike installed, i should be able to find that in the applications or from launchpad right? i couldn't find crowdstrike in any of my laptops lol
The Great Sage™
ok this arp -a on my personal laptop gives me massive output for my smart speakers, phones, etc. but my work laptop has fewer entries and something new though - prob because of work VPN? anyways it seems that only buying a better router can fix this. I have this modem+router thing, not sure if that works to connect another router
ratty-blush
ratty-blush2mo ago
falcon sensor doesnt always show. i have crowdstrike access, found the docs: they are looking for assets with ip and mac that they can find. vlan the devices so they are alone and no other macs exist, should cover you. it also isnt the norm, requires 2 extra licenses
deep-jade
deep-jadeOP2mo ago
That's what I figured
ratty-blush
ratty-blush2mo ago
i have cs td, i have their docs. requires 2 licenses. active scans come from windows hosts only
deep-jade
deep-jadeOP2mo ago
Mac's not involved at all?
ratty-blush
ratty-blush2mo ago
passive can be anything tho depends on the policy
deep-jade
deep-jadeOP2mo ago
@TL123 do you use a Windows or a mac when you got caught
ratty-blush
ratty-blush2mo ago
With passive discovery, assets that are on the same network are known as neighbors, and neighbors can see one another’s IP and MAC addresses. When a managed asset sees a neighbor’s IP or MAC address, and that address isn't already listed for another managed asset, then that neighbor is listed as an unsupported or unmanaged asset.
deep-jade
deep-jadeOP2mo ago
"is listed": I'd be keen to know if this is listed internally (company) or externally (crowdstrike). The whole thing goes together if the latter
ratty-blush
ratty-blush2mo ago
probably company, unless you get someone to look under the covers such as with the NK. companies don't really want to share data otherwise
Cronus
Cronus2mo ago
My arp -a doesn't show either laptop, and when I arp -a on my work computers, they don't show my other laptop or personal. they all share the gateway, but that's it
adverse-sapphire
adverse-sapphire2mo ago
LGTM. you can cut out the GL-AX router if u setup ur managed switches right, VLAN per port. u got this
realistic-cyan
realistic-cyan2mo ago
@totaldev I got a question in https://www.answeroverflow.com/m/1181356611399323669 on this step: 3. Adjust HDMI EDID: Alter the EDID for HDMI. Details can be found in the official documentation under "kvmd-edidconfig". what am i supposed to alter the EDID to? just any monitor name?
How do I conceal my pikvm/tinypilot from my employers? - InfOE
Hi, I am using a pikvm/tinypilot to either outsource or handle hybrid OE. What are some of the steps I can take to conceal my tracks?
deep-jade
deep-jadeOP2mo ago
Ideally duplicate your monitors. Otherwise choose one that isn't a default alternative
realistic-cyan
realistic-cyan2mo ago
awesome thanks! for step 4 with iConfig, i wasn't able to find iConfig anywhere in the lsusb -v output
deep-jade
deep-jadeOP2mo ago
shouldn't be a problem then
realistic-cyan
realistic-cyan2mo ago
and since i've already modified the USB identification in step 2, it now shows the keyboard
[image attachment]
realistic-cyan
realistic-cyan2mo ago
instead of what it was previously
[image attachment]
deep-jade
deep-jadeOP2mo ago
nice!
realistic-cyan
realistic-cyan2mo ago
and lastly for part 5 in changing the mac address... where and what exactly are we changing in this file?
[image attachment]
deep-jade
deep-jadeOP2mo ago
[image attachment]
deep-jade
deep-jadeOP2mo ago
you can probably set it from the command line. i'd have to double check what to do, i may be off on raspbi vs pikvm. for now it's not that big a deal
realistic-cyan
realistic-cyan2mo ago
appreciate all your help @totaldev
elloH
elloH2mo ago
did u run sudo lsusb -v | grep iConfig from the machine connected to your PiKVM? It should say something like iConfiguration 4 Config 1: "YOUR_DEVICE"
realistic-cyan
realistic-cyan2mo ago
Yeah nothing
elloH
elloH2mo ago
did u set a config in ur override.yaml
deep-jade
deep-jadeOP2mo ago
Sometimes for some devices it doesn't show I had that on 1 out of 4 pikvm
elloH
elloH2mo ago
oh really? I wasn't aware
realistic-cyan
realistic-cyan2mo ago
Yes I did set a config override already in step 2 and 3
elloH
elloH2mo ago
I think you're good if you run kvmd-otgconf -m | grep PiKVM in the PiKVM terminal and it shows:
# config: PiKVM device
# manufacturer: PiKVM
realistic-cyan
realistic-cyan2mo ago
and when I go into displays, i see my "monitor" 🙂
[image attachment]
typical-coral
typical-coral2mo ago
Is it possible to put a unifi cloud express router behind a UDMPSE?
deep-jade
deep-jadeOP2mo ago
I don't have a dream machine so I'm not sure. I have an express and have put it behind a Netgear, and an eero, and a cloud gateway max And have created different networks just fine
typical-coral
typical-coral2mo ago
Are you double natting?
deep-jade
deep-jadeOP2mo ago
No. Default configs after plugging in. Kept it simple
ratty-blush
ratty-blush2mo ago
is there a reminder bot? i did all my vlans per j and per port and for wifi as well. need to do a unifi write up, also need to get on that amazon affiliate link
deep-jade
deep-jadeOP2mo ago
i.. can't remember. i dont remember when i added @NotSoBot
ratty-blush
ratty-blush2mo ago
remove it! its hR
TL123
TL1232mo ago
Mac
deep-jade
deep-jadeOP2mo ago
gotcha thanks
deep-jade
deep-jadeOP2mo ago
+1 to the list
[image attachment]
The Great Sage™
So if my router has this “guest mode” that doesn’t allow devices to see peers and stuff, and arp doesn't show the other laptop (but has 4 lines of result); would it be good enough?
deep-jade
deep-jadeOP2mo ago
for the 95% yes
The Great Sage™
Eh, I connect my iphone to that network and it shows it in my J laptop’s arp. Sad
eastern-cyan
eastern-cyan2mo ago
What is the standard for opsec now? One router per job? Will routers acting as repeaters be sufficient to avoid nmap scans?
The Great Sage™
this thing
[image attachment]
deep-jade
deep-jadeOP2mo ago
1. if you care about your companies subscribing to crowdstrike overwatch threat hunting, one router per job
2. if you care about companies peering into your network via arp -a, then one VLAN per job
Pgysq
Pgysq2mo ago
One router should be the safest right? Companies cannot peer into your network and crowdstrike cannot do threat hunting
deep-jade
deep-jadeOP2mo ago
one router per job, yes if you want to go the extra mile
eastern-cyan
eastern-cyan2mo ago
Is it required that the individual routers directly be connected to a modem or will repeater mode on a router that supports it be enough?
deep-jade
deep-jadeOP2mo ago
"required" is subjective because we only have a very very small handful of fails and even fewer people who are in companies that have overwatch licenses... whatever MAC address is the final termination in arp -a is what your laptop ultimately sees, for now. so whether it's "required or not" depends on the next fail story. if you think it's enough, stick with it. it's 95% likely nothing will happen
like-gold
like-gold2mo ago
I'm still iffy on this. Unless there's a hard data point for someone being caught specifically for having 5+ Js from the same router MAC or similar, I'm leaning towards they'd have to raise other suspicions/already be under investigation for other things (insider threat etc). Reminder that Overwatch's full name is "Crowdstrike Falcon Adversary OverWatch", they're hunting for bad guys. CS is already expensive asf, I highly doubt companies are choosing an option to investigate every employee's MAC across every other company unless they're given a reason to
deep-jade
deep-jadeOP2mo ago
@TL123 did your J specifically call out having multiple Js, and that info came from crowdstrike?
eastern-cyan
eastern-cyan2mo ago
From the story I've been reading so far, it seems like the reason they got investigated at all was for plugging in a foreign device at all in the first place and not just crowdstrike being in both machines. Getting caught like that was only because it flagged his system
like-gold
like-gold2mo ago
what kind of foreign device? if it's pikvm or something like that, that adds up
eastern-cyan
eastern-cyan2mo ago
It was a mechanical jiggler
foreign-sapphire
foreign-sapphire2mo ago
Don’t get caught with a misdemeanor while committing a felony
deep-jade
deep-jadeOP2mo ago
Yep. I've corroborated both on VC and here that for the most part, this is not a big deal for literally 95 or 99% of folks who OE. i'm also hoping that this whole thing will blow over in a few weeks anyways lol. all it (mostly) did is spawn new conversations on network security + good opsec for your home network for your Js, and it's really really unlikely you'll run into these issues
xenial-black
xenial-black2mo ago
How much are companies typically shelling out for CrowdStrike?
like-gold
like-gold5w ago
idk exact numbers, but my previous J would complain about their prices. Several million easily, I'd imagine, for bigger corporations especially.
xenial-black
xenial-black5w ago
Isn’t several million a drop in the bucket for companies lol 👀
ratty-blush
ratty-blush5w ago
@totaldev heard back from CS Thank you for reaching out to the CrowdStrike TAM team with your concern. CrowdStrike’s detection capabilities are based on malicious activities and behaviors on endpoints. The platform does not flag users based on their physical location or merely working in proximity to unmanaged devices, such as laptops of others in a shared space. Instead, detections focus on the actions and behaviour of the devices that are managed by CrowdStrike. If an unmanaged device (such as a neighbor’s laptop) is in the same network, CrowdStrike will not actively monitor or flag those devices unless they interact directly with the managed device in a suspicious manner (e.g., attempting unauthorised access). As long as users are operating securely, they should not experience any issues related to working in shared spaces. I hope this information is helpful. Please feel free to reach out if you have any further questions.
like-gold
like-gold5w ago
probably yea lol
ratty-blush
ratty-blush5w ago
If a neighbor was only ever seen by assets that are no longer used for passive discovery, then the neighbor usually stops appearing as an unmanaged or unsupported asset within a short time of the rule's being enabled. In some cases, the neighbor can take up to 7 days before it stops appearing. This might happen, for example, if the neighbor is offline at the time the rule is enabled.

I'm pushing back on it. They say "we do not do it", but their docs say:

The info gathered through active discovery is more extensive than the info gathered through passive discovery and includes details about device type, operating systems, and open ports. Data about assets is retained for different periods of time:
- Managed assets: 45 days after the asset was most recently seen
- Unmanaged and unsupported assets: 7 days after the asset was most recently seen through passive discovery; 45 days after the asset was most recently seen through active discovery, third-party ingestion, or Falcon EASM
- External assets: 45 days after the asset was most recently seen

Most data begins to appear as soon as the sensor on a managed asset connects to the CrowdStrike cloud. Unmanaged and unsupported assets appear in the console within a few minutes of being seen, up to 30 minutes. Assets that are seen through active discovery appear in the console within a few minutes of the end of the scan. An asset with the Falcon sensor newly installed moves from unmanaged assets to managed assets after its sensor first connects to the CrowdStrike cloud. If an asset has no activity or is not seen for 45 days, or 7 days for assets seen through passive discovery, it no longer appears in the console. If it becomes active or is seen again after that time, it appears in the console as a new asset. In some cases, an asset might have a Last seen date far beyond the retention window. This often happens when data is ingested from third parties that retain the asset beyond when it was last seen by CrowdStrike discovery methods. For more info, see Ingest third-party data.

Data about managed assets refreshes when a Falcon sensor connects to the CrowdStrike cloud and when the sensor detects any changes. Data about unmanaged and unsupported assets refreshes about twice an hour, or after an active network scan. Some data also refreshes at regular intervals as described throughout the documentation.

I'm trying for you fine folks.
TL123
TL1235w ago
Yes
adverse-sapphire
adverse-sapphire5w ago
woah 👀 tyvm 🙇
ratty-blush
ratty-blush4w ago
Passive discovery doesn't use ports or protocols. It scrapes the ARP cache of a local machine and compares it against the host management database in the cloud/console to find unmanaged neighbors. Pretty cool stuff.

The Falcon Sensor uses Discovery to compare the IP values in the ARP table to the values in Host Management for Local IP Address to determine if the host is Managed or Unmanaged. From there, Falcon assigns a confidence rating to the discovered asset based on the following Unmanaged Asset Confidence calculation logic:
- High Confidence (75), either should apply: at least 1 of the discoverers is a Server or Domain Controller; has at least 5 discoverers
- Medium Confidence (50), should apply: has 3 or 4 discoverers
- Low Confidence (25), should apply: has at most 2 discoverers
foreign-sapphire
foreign-sapphire4w ago
so how do we protect against this now lol with this knowledge
Alternity
Alternity4w ago
amazing recon work, thank you! also I will take the credit for guessing it was an ARP cache thing 😉 Well, if it's mostly looking at the ARP table, that will show your router's MAC address front and center. So having multiple jobs connected via even completely separate VLANs will still have the same MAC address for the router. So I don't think VLANs are enough, unfortunately 😢 There are two options off the top of my head:
1. RECOMMENDED: Get a router per job. This gives you a unique MAC address for the router per job. If you are not EXTREMELY confident with networking skills, do this. Do not try to be fancy. It is so easy to fuck up network configuration and leak data inadvertently. If you don't need WiFi you can get very cheap travel routers which will be completely fine for a wired connection.
2. EXPERT ONLY: If you are very skilled at networking you could try a router with 3+ discrete ethernet interfaces (these are NOT switchports!!!), giving one interface per job with traffic rules to route to WAN with something like OpenWrt. If you need more explanation than this to figure it out.. DO NOT DO THIS.
eager-peach
eager-peach4w ago
You don't need an x86 router. Most compute on a router is packet routing; J-related shit is low bandwidth.
Alternity
Alternity4w ago
I should rephrase: you need a router with multiple (3+) discrete ethernet interfaces. In 99% of cases that means a custom x86 router, but not always.
eager-peach
eager-peach4w ago
Nah, pretty sure most routers besides shitty ones have multiple ethernet ports, you just need a router that can do VLANs. Well, really you just need a switch.
Alternity
Alternity4w ago
wtf bro you are smarter than this
eager-peach
eager-peach4w ago
Ok
Alternity
Alternity4w ago
did you not read what I said about MAC addresses 😐
eager-peach
eager-peach4w ago
Ok buy multiples
Alternity
Alternity4w ago
you can have multiple jobs all on separate VLANs, but they still roll up to the same LAN port on your router. That is a single ethernet interface for ALL your VLANs. Thus all your VLANs will report the same MAC address.
eager-peach
eager-peach4w ago
The point stands, you don't need to spec out an x86 anything to do this.
Alternity
Alternity4w ago
which is literally what I just said to do, and then you disagreed, agreed, that's why I already edited it......
eager-peach
eager-peach4w ago
that’s cheating I love you
Alternity
Alternity4w ago
fair enough, it is an unusual thing to find someone who will admit their mistake and then go back and change what they wrote. I've always been a bit of a weird one 😛 And to be clear, the only reason I was annoyed is that this convo will probably confuse others, who may now think that VLAN is all you need when @brodonalds has shown pretty clearly that is not the case. The ARP cache will show the same router MAC for all VLANs.
eager-peach
eager-peach4w ago
You can change MAC addresses on higher-end gear too. But no one here is trying to be a networking hardware guru, or needs to minimize cost.
Alternity
Alternity4w ago
you can, but it will change the MAC address for all the devices. Again, this is assuming you are doing one router, managed switch, VLANs. This is why almost everyone should follow suggestion 1: get a separate router per J.
eager-peach
eager-peach4w ago
Nah, you can specify the port you want to change. Especially in of sense and UniFi stuff. Each port has its own address.
Alternity
Alternity4w ago
maybe I'm outdated. Can you run arp -a on all devices and report back what the router MAC is? I would super love it if I'm wrong. I am assuming, again, you are using a single router currently.
eager-peach
eager-peach4w ago
I don't know about Linksys and Asus etc. I am.
Alternity
Alternity4w ago
I'd be willing to bet a pizza that all your devices have the same MAC address for the router in their ARP cache.
eager-peach
eager-peach4w ago
Well, of course they do, they're attached to a switch.
Alternity
Alternity4w ago
hmm, I think we're probably talking past each other. I'm worried about CS and other tools correlating based on multiple jobs having those same MAC addresses showing up in the ARP table somewhere. If that's not a concern, then VLAN and a single router is fine? Just not sure what you're protecting against in that case.
eager-peach
eager-peach4w ago
you're allowed to have multiple devices on a router per CrowdStrike. You could even say you have an open WiFi network and your neighbor is using it and you didn't know. If you use VLANs or device isolation, then CrowdStrike wouldn't be able to tell you have more than 1 J laptop connected. From what I understand, if they find multiple devices talking to the same gateway MAC then they will check to see if they can communicate with each other via CS protocols, via this https://discord.com/channels/1181304501999784027/1292639955352424559/1299022052342239242. Once you're down to layer 2 you can't really get away from the addresses unless you have multiple devices, but then you could even argue they can see you coming from the same internet connection; you'll be talking to the same modem, so then they could, if they want, wonder why two devices are on the same internet connection. I think VLANs and device isolation are probably fine for most people, and don't work for North Korea.
Alternity
Alternity4w ago
thank you for the detailed response. I think this is where we differ, and where I'm probably making assumptions maybe I shouldn't. From a log correlation perspective, three plus job laptops with CrowdStrike on VLAN networks would still show up with the same upstream MAC address for the router, which is a form of UUID and would identify those three jobs as all being on the same local network. Now, if that's too vague for them to be actionable, I'm not sure. I'm not very familiar with this confidence score thing. I'm thinking more in terms of reporting from a SIEM. I'm not too worried about them correlating public IPs because there's a lot of fuzziness there with ISPs and CGNAT. But the only way for multiple devices to have the same upstream MAC address is if they are all physically connected in a local area network on layer 2.
xenial-black
xenial-black4w ago
Don't different devices sometimes have the exact same MAC address? Like there aren't enough unique combinations of MAC addresses for all devices.
ratty-blush
ratty-blush4w ago
likelihood is almost 0
eager-peach
eager-peach4w ago
Companies generally buy a block of MAC addresses to assign to their devices, so it's unlikely they'll repeat.
typical-coral
typical-coral4w ago
Yep, it's like IP addresses, they are unique by design.
realistic-cyan
realistic-cyan4w ago
What about the PiKVMs? Do they need to be on separate MAC addresses?
deep-jade
deep-jadeOP4w ago
No need. You control those.
like-gold
like-gold4w ago
It’s been 2 weeks, what’s the latest? Are you still on their radar?
Andry
Andry4w ago
I wish I could hire you to set up my network for me lol
ratty-blush
ratty-blush4w ago
check the guides
elloH
elloH4w ago
idk if follow-up here is necessary, but I just double-checked on my PiKVM: if the OTG cable isn't connected to your device, then sudo lsusb -v doesn't show anything, but if it is, then sudo lsusb -v should show it on the device connected to your PiKVM. If the OTG cable is connected and it still doesn't show, then that might be specific to the device.
realistic-cyan
realistic-cyan4w ago
I've already modified the settings to show that the USB connection from the PiKVM is a keyboard. It used to say PiKVM before the modifications. Now with the modifications it says a Logitech keyboard, so I think it's good.
Alternity
Alternity4w ago
sounds likely. If you want to be extra sure, log in to the work laptop and run lsusb -v from there to check.