MDE Enterprise IoT
A few months ago an organization was hacked via a Raspberry Pi connected to the corporate network (hidden under a desk and connected to an ethernet port). The Raspberry Pi was accessed from the internet via a 4G modem and stayed unnoticed for several weeks until a cleaning lady discovered the device, because there was a yellow paper with the text ‘IT, do not touch’ she didn’t touch the device and told about the device weeks after that…
Lessons learned: You cannot protect what you don’t know, this time it was a Raspberry Pi, next time it could be another IoT device connected to the corporate network or internet.
For this blog I use the same setup, a Raspberry Pi connected (wired or WiFi) to my home/corporate network.
Microsoft Defender for Endpoint (MDE)
While computer- and mobile devices are managed (e.g. Endpoint manager), protected (e.g. Microsoft Defender for Endpoint) and updated (to reduce the number of vulnerabilities that can be exploited), IoT devices are often not managed, not protected and not updated!
Endpoint & network device discovery
Microsoft Defender for Endpoint can discover 1) supported O.S. devices (Windows, Mac, iOS and Android) connected to the corporate network (see my blog Endpoint discovery for more info).
2) (SNMP) network devices, authenticated via SNMP (see my blog Network device discovery for more info) and [NEW] unauthenticated network devices via the new Enterprise IoT discovery method (e.g. WiFi Access Point).
IoT device discovery
3) Enterprise IoT device discovery is the latest discovery method of MDE. IoT devices can be more easily compromised due to outdated software and default credentials for example.
The detected IoT devices are categorized (e.g. Printer, Communication, Audio and Video, Surveillance, etc.) in the IoT devices section (and network IoT devices in the Network devices section).
Exposure level is the level of vulnerabilities (e.g. outdated software, it will also provide extra information if there is a public exploit available like MetaSploit for example).
Hunting / custom detection rule
You can create a custom detection rule to get notified when a new IoT device is detected on the corporate network.
| where Timestamp > ago(7d)
| where DeviceCategory == “IoT”
| summarize arg_max(Timestamp, *) by DeviceId
| distinct (DeviceName), DeviceId, DeviceSubtype, Vendor, OSPlatform, OSVersion, ReportId ,Timestamp
If a new device is detected via the custom detection rule (above) or the device is part of a kill-chain, an Incident is raised in the portal.
IoT device overview
Hope this blog gives some quick insights in the latest MDE discovery feature. For more information see the official Microsoft blog.