SecurityWeek

Use Microsoft Error Reporting to Improve Network Visibility: Websense

Websense is providing free source code, queries and lookups designed to help organizations use Microsoft Error Reporting to identify USB devices connecting to their networks.

Also known as Dr. Watson reports, the Microsoft Error Reporting feature was indirectly the source of controversy a few weeks ago when it was made public that the NSA had intercepted these reports and used them to gather information about its targets. With this data in hand, the spy agency could get a better read on the hardware and software on a given network and use that information to tailor its cyber-operations.

According to Websense, enterprises can use Dr. Watson reports for their own use as well – in this case, to identify when a storage device such as a USB drive or mobile phone is plugged into their network.

“We were surprised to learn that a USB drive insertion is considered a hardware change, and that detailed information about the USB device and the computer that it was plugged into is being sent to Microsoft,” blogged Websense Director of Threat Research Alex Watson. “These logs are sent to Microsoft via HTTP URL-encoded messages. Organizations can use knowledge about their content and how to decode these messages to detect USB drives and devices that could be a risk to the organization. This knowledge can help organizations detect USB drives and devices such as those used in the KCB and [Edward] Snowden leaks, and automatically generate reports when they are plugged into a secure system.”

Dr. Watson Reports for Security

The error report is sent to Microsoft every time an application crashes, fails to update, or a hardware change happens to a PC running Windows. In Windows Vista and later, these reports are automated and part of an opt-out program Microsoft estimates nearly 80 percent of the PCs in the world participate in, Watson explained.

“These reports can be gathered in a variety of ways, either by examining outbound web proxy logs… creating an IPS rule in an open source intrusion prevention system such as Snort or Suricata, or by simply monitoring a SPAN port using a sniffer such as Wireshark,” Watson blogged. “In our last blog entry, we discussed an information leakage that can arise with these reports and suggested that organizations set up a group policy that sends reports to an on-premise server which then forces encryption before forwarding to Microsoft. In this case, the reports can be processed at the organization’s WER (Windows Error Reporting) collection server.”

The Dr. Watson reports have a specific report type for inserted USB devices. Organizations can start by filtering down to messages containing ‘PnPGenericDriverFound’. Using some lookup tables, the information that follows can be broken up into several fields, including date, USB device manufacturer, and the host computer’s BIOS version and UMI [unique machine identifier].

“It turns out the Vendor and Device ID lookups can be a little tricky – but map exactly to Windows and Linux driver databases,” Watson blogged. “To see an example for yourself, try typing “lsusb” from a Linux machine. After scraping some online driver databases, we put together a lookup script that you can use for vendors and device codes that you can download on GitHub. These will obviously need to be updated periodically to remain up to date. Feel free to add new device codes yourself, or check back to our site for updates.”


“Using Splunk or a similar SIEM tool, create lookups to map the vendor and product IDs that you see in the Watson logs above to the manuf_ids.csv and product_ids.csv files that have been attached,” he added. “Please note that our Product ID lookup contains the VID+PID (Vendor ID and Product ID) together – this is the one you’ll most likely want to use in your lookups.”

The next step is decoding the WER report structure. Websense has included some Splunk queries that can be used to detect USB device insertions and create reports. It is also possible to configure the SIEM tool to trigger a report every time a certain device is added to the network.

In an interview with SecurityWeek, Watson added that the crash reports can be fed into any SIEM tool or custom framework. Leveraging this information can allow businesses to better understand what devices, applications and application versions are deployed on their network without needing a dedicated endpoint agent.

Organizations can also use this to help prevent data leaks by filtering the reports based on computer names or IP addresses from computers with sensitive data. However, this is not meant to replace data loss prevention (DLP) products.
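As an added example (not Websense’s GitHub script or its Splunk queries), the Python below walks the steps described above over constructed proxy log lines: filter for ‘PnPGenericDriverFound’, decode the URL-encoded hardware ID, map the VID and VID+PID through lookup tables, and flag insertions on hosts holding sensitive data or involving unrecognised devices. The report URL layout, the two-column CSV shape, the host list and the device IDs are all assumptions made for the example.

```python
import csv
import io
import re
from urllib.parse import unquote

# Constructed lookup tables. The page's manuf_ids.csv keys on VID and its
# product_ids.csv keys on VID+PID; the column layout here is assumed.
MANUF_CSV = "vid,manufacturer\n0781,SanDisk Corp.\n0951,Kingston Technology\n"
PRODUCT_CSV = "vidpid,product\n07815567,Cruzer Blade\n09511666,DataTraveler 100 G3\n"

# Constructed proxy log lines: timestamp, client IP, requested URL. Line 1 is an
# ordinary application crash report; lines 2 and 3 are hardware-change reports.
# Path segments after the hardware ID are placeholders, not the real format.
PROXY_LOG = """\
2014-02-10T09:12:44Z 10.1.4.22 http://watson.microsoft.com/StageOne/notepad_exe/6_1_7600/1.htm
2014-02-10T09:14:02Z 10.1.4.22 http://watson.microsoft.com/StageOne/Generic/PnPGenericDriverFound/USB%5CVID_0781%26PID_5567%26REV_0100/6_1_7601/1.htm
2014-02-10T09:20:17Z 10.1.4.31 http://watson.microsoft.com/StageOne/Generic/PnPGenericDriverFound/USB%5CVID_1234%26PID_ABCD/6_1_7601/1.htm
"""

# Hosts known to hold sensitive data (assumed), per the filtering idea above.
SENSITIVE_HOSTS = {"10.1.4.31"}

# A PnP hardware ID carries the vendor and product IDs as VID_xxxx&PID_yyyy.
HWID_RE = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")

def load_lookup(csv_text):
    """Build {key: name} from a two-column CSV with a header row."""
    rows = list(csv.reader(io.StringIO(csv_text)))[1:]
    return {key.lower(): name for key, name in rows}

def parse_usb_reports(log_text, manuf, products):
    """Return one event per PnPGenericDriverFound report, with VID/PID decoded."""
    events = []
    for line in log_text.splitlines():
        ts, client, url = line.split(" ", 2)
        if "PnPGenericDriverFound" not in url:
            continue  # not a hardware-change report
        match = HWID_RE.search(unquote(url))  # undo %5C / %26 encoding first
        if not match:
            continue  # hardware-change report for something other than a USB device
        vid, pid = match.group(1).lower(), match.group(2).lower()
        events.append({"time": ts, "host": client, "vid": vid, "pid": pid,
                       "manufacturer": manuf.get(vid, "unknown"),
                       "product": products.get(vid + pid, "unknown")})
    return events

def usb_alerts(events):
    """Insertions worth a report: on a sensitive host, or an unrecognised device."""
    return [e for e in events
            if e["host"] in SENSITIVE_HOSTS or e["product"] == "unknown"]

def analyze(log_text=PROXY_LOG):
    """Run the whole pipeline; returns (all USB events, events that alert)."""
    events = parse_usb_reports(log_text, load_lookup(MANUF_CSV), load_lookup(PRODUCT_CSV))
    return events, usb_alerts(events)
```

Against the constructed log this yields two USB insertion events, of which only the unrecognised device on the sensitive host is raised as an alert.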

“DLP is an incredible technology that is really starting to gain traction in the security marketplace to enable businesses to protect their data,” Watson told SecurityWeek. “I view the example we provided as a way for businesses that have not deployed DLP to start to see the value that it can provide.”

Written By

Marketing professional with a background in journalism and a focus on IT security.