Monitoring USB Usage with Windows Logs – Security Spotlight

The “Security Spotlight” blog series provides insight into emerging cyberthreats and shares tips for how you can leverage LogRhythm’s security tools, services, and out-of-the-box content to defend against attacks.

In this Security Spotlight, we’ll be talking about how you can monitor USB usage using simple Windows logs (MITRE ATT&CK® for ICS Technique T0847, Replication Through Removable Media).


What Threat Do USB Drives Pose?

USB drives are convenient, but they are also a vector for malware and an easy channel for data to leave the network if their use is not managed. Their portability and ubiquity make them a risk in any environment, and they are a particularly common initial-access vector in OT/ICS environments, where networks are often isolated from the internet and removable media is how files get in.

The infamous Rubber Ducky shows that the risk is not limited to file-based malware: it looks like an ordinary flash drive, but it enumerates as a USB keyboard and injects pre-scripted keystrokes the moment it is plugged in, so it never needs a user to open a file. Educating end users not to pick up random USB drives in parking lots, and not to blindly trust a drive borrowed from a friend, is all well and good. However, preventative measures, especially education, are never 100% effective, which is why you also need to detect when removable media is actually used.

Malware Risks within USB Drives

The most obvious risk is a USB drive’s ability to carry code across an air gap. A malicious actor (or an unwitting contractor) stores malware on a drive; when that drive is plugged into an OT/ICS workstation the malware can execute, spread to other hosts on the isolated network, disrupt operations and potentially leak data.

A more likely scenario is a USB drive being lost or stolen. People leave belongings such as laptops on trains all the time, and USB drives, being smaller and easier to overlook, are even more likely to be left behind. Given the sensitivity of the configuration files, project data and credentials that tend to end up on drives used in OT/ICS environments, such a loss can have grave consequences.

A prominent case illustrating the graveness of an OT/ICS breach linked to a USB device is the infamous Stuxnet worm. Believed to have been created by nation-states, Stuxnet was designed to target specific industrial control systems. Among its propagation methods it spread between machines via removable USB media, which is how it reached networks with no internet connection, and it caused considerable damage to Iran’s uranium enrichment program.

Similarly, in 2008, a USB drive containing malicious code was inserted into a U.S. military laptop at a base in the Middle East. The malware spread undetected across both classified and unclassified networks, creating a digital beachhead from which a foreign intelligence service could access and transfer sensitive U.S. data.

How Can LogRhythm Help You?

At LogRhythm, we frequently receive inquiries about monitoring and auditing the usage of removable media. In response, the Analytic Co-Pilot team has built a rule tailored explicitly for this purpose. On Windows 10 and Windows Server 2016 and later, enabling the “Audit PNP Activity” subcategory (Advanced Audit Policy Configuration > Detailed Tracking) makes the Security log record Event ID 6416, “A new external device was recognized by the system”, each time a Plug and Play device is connected.

Each 6416 event records who was logged on, the device class (for example DiskDrive), the device instance ID (USBSTOR\… for USB mass storage), a human-readable description, and the hub and port the device was attached to. Note that a single physical insertion usually produces several 6416 events, one per device node Windows enumerates (the USB device itself, the disk, and so on), so a rule should key on one of them rather than counting raw events. Enabling this audit setting gives you a complete record of how peripheral devices interact with your systems, which is useful both for system management and for security oversight.

Once the logs have been ingested and parsed into LogRhythm, the rule itself is a simple Log Observed style rule block that generates an alarm whenever a USB device is detected in these events.

Typically, LogRhythm recommends tuning rules of this kind so that alerts are scoped by the criticality of the system involved. Alerting every time a user plugs a USB device into an ordinary workstation is unlikely to match most businesses’ risk profiles; alerting on an insertion into an engineering workstation or HMI on the OT network almost certainly does.
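To make the procedure concrete, here is an added PowerShell example (it is not LogRhythm’s rule or any LogRhythm code) that enables the audit subcategory locally, parses a 6416 event into a flat record, keeps only the removable-storage node of each insertion, and applies the critical-host tuning described above. The host names, user, device serial and critical-host list are constructed for the example, and the sample event is a hand-built copy of the 6416 XML layout rather than a captured log.

```powershell
# Added example, not LogRhythm rule content. Host names, user, serial and the
# critical-host list are constructed; the sample event mirrors the 6416 XML layout.

# 1. Enable the subcategory on the local machine (Group Policy calls it
#    "Audit PNP Activity"; auditpol calls it "Plug and Play Events").
#    Needs an elevated prompt; in a domain, set it through GPO instead.
#    auditpol /set /subcategory:"Plug and Play Events" /success:enable /failure:enable

function ConvertFrom-PnpAuditEvent {
    # Flattens the EventData of a Security 6416 event into one object.
    param([Parameter(Mandatory)][xml]$EventXml)
    $d = @{}
    foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        Computer    = $EventXml.Event.System.Computer
        User        = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
        ClassName   = $d.ClassName
        DeviceId    = $d.DeviceId
        Description = $d.DeviceDescription
        Location    = $d.LocationInformation
    }
}

function Test-RemovableStorageEvent {
    # One insertion yields several 6416 events (USB device node, disk node, ...).
    # Keep the disk node with a USBSTOR instance ID so each stick is counted once.
    param([Parameter(Mandatory)]$Record)
    ($Record.ClassName -eq 'DiskDrive') -and ($Record.DeviceId -like 'USBSTOR\*')
}

# 2. Constructed sample of a 6416 event. Subject is SYSTEM here because device
#    installation runs in the system context; to attribute the insertion to a
#    person, correlate with the interactive logon session on the same host.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>6416</EventID>
    <TimeCreated SystemTime="2024-03-04T09:12:33.000000Z" />
    <Channel>Security</Channel>
    <Computer>HMI-01.plant.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="DeviceId">USBSTOR\Disk&amp;Ven_SanDisk&amp;Prod_Cruzer&amp;Rev_1.00\4C530000000000000001&amp;0</Data>
    <Data Name="DeviceDescription">SanDisk Cruzer USB Device</Data>
    <Data Name="ClassId">{4d36e967-e325-11ce-bfc1-08002be10318}</Data>
    <Data Name="ClassName">DiskDrive</Data>
    <Data Name="VendorIds">USBSTOR\DiskSanDisk_Cruzer</Data>
    <Data Name="CompatibleIds">USBSTOR\Disk</Data>
    <Data Name="LocationInformation">Port_#0002.Hub_#0001</Data>
  </EventData>
</Event>
'@

$record = ConvertFrom-PnpAuditEvent ([xml]$sample)

# 3. Tuning: only raise an alert for hosts on a critical-asset list (constructed).
$criticalHosts = @('HMI-01.plant.example', 'ENG-WS-03.plant.example')
if ((Test-RemovableStorageEvent $record) -and ($record.Computer -in $criticalHosts)) {
    Write-Warning ('Removable storage on critical host {0}: {1} [{2}] at {3} ({4})' -f
        $record.Computer, $record.Description, $record.DeviceId, $record.Time, $record.Location)
}

# 4. The same pipeline against the live local Security log, last 7 days (admin rights).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416; StartTime = (Get-Date).AddDays(-7) } `
    -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-PnpAuditEvent ([xml]$_.ToXml()) } |
    Where-Object { Test-RemovableStorageEvent $_ } |
    Format-Table Time, Computer, Description, DeviceId, Location -AutoSize
```

Two caveats on the filter. First, it deliberately keeps only USB mass storage; a keystroke-injection device such as the Rubber Ducky also produces 6416 events, but with a keyboard/HID class and no USBSTOR instance ID, so if you want to catch those you need a second rule that alerts on any new external keyboard. Second, 6416 tells you a device was connected, not what was read from or written to it; if you need file-level visibility on removable media, enable the Object Access subcategory “Audit Removable Storage” as well and correlate its events with the insertion.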

For more information on how to enable these rules within your LogRhythm deployment, check out our community page to read more, download, and then import the rule into your platform.

For other Security Spotlight episodes, you can access the full playlist here.