Gathering all this information into one place was a feat unto itself. We had to do it twice for two different data sets. Then we had to correlate the data sets together, and then look at suppression technology.<\/p>\n
\u2014Vincent Bersagol, senior software engineer, Microsoft<\/p>\n<\/blockquote>\n
An engineering team within Microsoft Digital Employee Experience (MDEE), the organization that powers, protects, and transforms our internal technology, took on the challenge of identifying and removing rogue devices.<\/p>\n
Finding rogue APs posed a substantial engineering challenge. Potentially thousands of devices from a wide range of manufacturers might be on the loose in the corporate network\u2014all using different wireless protocols.<\/p>\n
\u201cGathering all this information into one place was a feat unto itself,\u201d says Vincent Bersagol, a senior software engineer for Microsoft. \u201cAnd we had to do it twice for two different data sets. Then we had to correlate the data sets together, and then look at suppression technology.\u201d<\/p>\n
Microsoft\u2019s data tools, such as Microsoft Power BI, Microsoft Azure Data Lake, and Microsoft Azure Synapse, played a key role in collecting and correlating the data. \u201cThat was a great way to visualize all this data for folks to have a look at it,\u201d Bersagol says.<\/p>\n
Our expertise in machine learning also proved helpful for finding rogue APs. We used it to sort through the correlations between wired and wireless devices.<\/p>\n
\u201cWe used a clustering algorithm that allowed us to tease out all the media access control (MAC) addresses that were statistically related to each other in a way that humans couldn\u2019t see,\u201d Bersagol says.<\/p>\n
Many access points share identifiable design patterns that show up across several sets of network telemetry, including their MAC addresses. Finding those patterns began with a manual examination of the rogue APs we\u2019d already discovered. We recognized that needing a physical sample of every type of rogue AP in order to hand-craft an identification for each new pattern would not scale as the project grew.<\/p>\n
But collecting all the wired and wireless telemetry to hunt for new rogue AP designs wasn\u2019t enough. \u201cThat\u2019s too much data for humans to sift through,\u201d Bersagol says.<\/p>\n
Instead, we ran a script that matched the two telemetry sets across every machine encountered. When the script found wireless and wired records that correlated, the odds were very high that they came from the same device: a rogue AP. We gained further confidence that we\u2019d found a rogue AP when the correlated addresses were observed from within the same building.<\/p>\n
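To make that correlation step concrete, here is an added example in Python. It is not Microsoft\u2019s script, and everything in it is an assumption: the wired telemetry is modeled as switch MAC-table rows, the wireless telemetry as BSSIDs heard by the corporate APs\u2019 scanning radios, and the \u201cidentifiable design\u201d being matched is the common consumer-AP habit of deriving radio BSSIDs from the wired MAC (same vendor OUI, offset by a few units). The corporate APs also appear in the wired table, so their wired MACs are allow-listed to stop them from correlating with their own radios. All telemetry rows are constructed.<\/p>\n

```python
"""Correlate wired switch-port telemetry with wireless BSSID observations to
flag likely rogue access points.

Added example; not Microsoft's code.  Assumptions, none stated on the page:
  * wired telemetry = rows from switch MAC-address tables:
        (switch, port, building, client MAC)
  * wireless telemetry = BSSIDs heard by the corporate APs' scanning radios:
        (bssid, building of the observing AP, advertised SSID)
  * the "identifiable design" heuristic is that many consumer APs derive
    their radio BSSIDs from the wired MAC (same OUI, offset of a few units)
  * corporate APs are present in the wired table too, so their wired MACs
    must be allow-listed or they correlate with themselves
All telemetry below is constructed.
"""
from collections import defaultdict

# Constructed switch MAC-table rows: (switch, port, building, wired MAC).
WIRED = [
    ("sw-b33-01", "Gi1/0/12", "B33", "f0:9f:c2:10:aa:40"),  # consumer AP
    ("sw-b33-01", "Gi1/0/13", "B33", "3c:52:82:07:11:22"),  # laptop
    ("sw-b33-01", "Gi1/0/48", "B33", "a4:5e:60:aa:bb:c0"),  # corporate AP
    ("sw-b41-02", "Gi1/0/05", "B41", "f0:9f:c2:20:bb:00"),  # consumer AP
    ("sw-b16-03", "Gi1/0/07", "B16", "00:1b:21:33:44:55"),  # printer
]

# Constructed wireless scan rows: (BSSID, building of observing AP, SSID).
WIRELESS = [
    ("f0:9f:c2:10:aa:41", "B33", "NETGEAR42"),
    ("f0:9f:c2:10:aa:42", "B33", "NETGEAR42-5G"),
    ("a4:5e:60:aa:bb:c1", "B33", "MSFTCORP"),
    ("f0:9f:c2:20:bb:01", "B16", "homewifi"),
    ("00:1b:21:33:44:f0", "B16", "printer-direct"),
]

# Wired MACs of the corporate APs themselves (assumed to come from the WLAN controller).
KNOWN_AP_MACS = {"a4:5e:60:aa:bb:c0"}


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def oui(mac: str) -> str:
    """First three octets: the vendor block shared by an AP's interfaces."""
    return mac.lower()[:8]


def correlate(wired, wireless, known_ap_macs=frozenset(), max_offset=8):
    """Return one finding per wired MAC that has at least one BSSID within
    max_offset of it in the same OUI.  Confidence is 'high' when any
    matching BSSID was heard in the building the wired port lives in."""
    # Index BSSIDs by OUI so each wired MAC is only compared against radios
    # from the same vendor block.
    by_oui = defaultdict(list)
    for bssid, ap_building, ssid in wireless:
        by_oui[oui(bssid)].append((bssid.lower(), ap_building, ssid))

    findings = {}
    for switch, port, building, mac in wired:
        mac = mac.lower()
        if mac in known_ap_macs:
            continue  # corporate AP: its BSSIDs are expected to sit next to its wired MAC
        base = mac_to_int(mac)
        for bssid, ap_building, ssid in by_oui.get(oui(mac), ()):
            if not 1 <= abs(mac_to_int(bssid) - base) <= max_offset:
                continue
            f = findings.setdefault(mac, {
                "wired_mac": mac, "switch": switch, "port": port,
                "building": building, "bssids": [], "ssids": [],
                "same_building": False,
            })
            f["bssids"].append(bssid)
            f["ssids"].append(ssid)
            f["same_building"] |= (ap_building == building)

    for f in findings.values():
        f["confidence"] = "high" if f["same_building"] else "medium"
    return sorted(findings.values(), key=lambda f: f["wired_mac"])


if __name__ == "__main__":
    for f in correlate(WIRED, WIRELESS, KNOWN_AP_MACS):
        print(f["confidence"], f["wired_mac"], f["switch"], f["port"], f["ssids"])
```

On the constructed data the AP on sw-b33-01 Gi1/0/12 is found with both of its radios and rated high because they were heard in its own building, the AP on sw-b41-02 is found but rated medium because its radio was heard from a different building, and the printer is ignored because the only same-OUI BSSID is too far from its wired MAC. The offset heuristic is one device design only; a same-vendor laptop with a MAC adjacent to a BSSID can produce a false positive, which is why the building check and a human review of medium findings matter.<\/p>\n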
So far, so good.<\/p>\n
But some devices have designs that elude direct correlation using the existing telemetry. By using additional telemetry sources, we\u2019ve been able to unearth devices that are more difficult to detect.<\/p>\n
Still, even finding the simpler devices yields an impressive collection.<\/p>\n
In the early stages of the project in October 2019, a sweep of about 100 buildings on the Microsoft campus unearthed more than 1,000 rogue APs.<\/p>\n
COVID-19 plays a role (of course)<\/h2>\n The COVID-19 pandemic had several impacts on the team tasked with finding rogue access points. Many rogue devices disappeared from the network because their owners were working from home.<\/p>\n
The disruption also challenged some of the engineers working on the problem.<\/p>\n
Blaze Kotsenburg, a software engineer, began work on the project in June 2020\u2014his first month as a Microsoft employee. But onboarding, meeting new team members, and getting up to speed on the rogue AP project all took place over Microsoft Teams.<\/p>\n
\u201cI couldn\u2019t go to my mentor Vincent and ask him for a 15-minute whiteboard,\u201d Kotsenburg says. \u201cI\u2019d work on something for a few hours, then ping him and say, \u2018Hey, I need some help.\u2019\u201d<\/p>\n
In spite of these challenges, the entire team found new ways to collaborate and recreate the in-office dynamic. Diego Baccino, a principal software engineering manager, shares that the virtual work environment helped create a single team, rather than one team led by Fortman and one by Baccino.<\/p>\n
\u201cWorking with two teams in parallel worked even better because of the remote situation,\u201d Baccino says. \u201cIf I were to do this over again, I\u2019d put even more emphasis on communication between everyone involved.\u201d<\/p>\n
This strong collaborative stance has remained as employees have transitioned from fully remote to hybrid work.<\/p>\n
Pulling the plug<\/h2>\n It\u2019s possible to take a fine-grained approach to finding rogue access points and booting them off a network, such as moving the offending switch port into a quarantine virtual local area network (VLAN) or blocking the devices\u2019 MAC addresses.<\/p>\n
In this case, we opted for a more blanket approach: shutting down any switch port connected to a rogue AP. This technique proved simple and effective, and safer than the gentler approaches, which a rogue device can sometimes sidestep (a blocked MAC address, for example, can simply be changed).<\/p>\n
There is what Fortman calls \u201ccollateral damage\u201d: when a port is shut down, any other devices in that office that share the port lose network connectivity, and Microsoft loses visibility into anything connected behind it.<\/p>\n
\u201cShutting down a port is a basic capability of wired access,\u201d Fortman says. \u201cAs more Zero Trust networking capabilities become available on the infrastructure, we\u2019re leveraging them to proactively prevent some devices from connecting and to enact more precise rogue AP suppression through automated remediation.\u201d<\/p>\n
While our earlier work was about identifying, cataloging, and remediating accumulated rogue AP issues, we\u2019ve now developed a more real-time approach. We\u2019re using Azure Event Hubs and Azure Data Explorer to handle real-time telemetry, which helps improve the security response time.<\/p>\n
That set the stage for automated remediation. Now, when our systems detect a rogue AP, we can automatically suppress it through an automation platform that turns off the associated ports\u2014no human intervention required.<\/p>\n
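The remediation step, as an added example in Python rather than Microsoft\u2019s automation platform. Everything in it is assumed: detection events carry the rogue device\u2019s wired MAC and a confidence level, wired telemetry has the same switch MAC-table row shape as before, and the policy is to shut the port for a high-confidence detection while recording every other MAC on that port as collateral, to escalate to a person instead of auto-shutting when the port carries so many MACs that it is probably an uplink to another switch, and never to act twice on the same port. The threshold, event shape and data are constructed.<\/p>\n

```python
"""Turn a rogue AP detection into a suppression action with the blast radius
made explicit.

Added example; not Microsoft's automation platform.  Assumptions, none stated
on the page:
  * detection events carry {"wired_mac", "confidence"}
  * wired telemetry is the same (switch, port, building, MAC) row shape
  * policy: shut the port for a high-confidence detection, record every other
    MAC on that port as collateral, escalate instead of auto-shutting when the
    port carries so many MACs that it is probably an uplink to another switch,
    and never act twice on the same port
Event and telemetry data below are constructed.
"""
from collections import defaultdict

UPLINK_MAC_THRESHOLD = 20  # assumed: this many MACs on one port suggests a downstream switch

# Constructed MAC-table rows.  Port Gi1/0/05 has a desk phone daisy-chained in
# front of the rogue AP; Gi1/0/24 carries 25 MACs, so it is probably an uplink.
WIRED = [
    ("sw-b33-01", "Gi1/0/12", "B33", "f0:9f:c2:10:aa:40"),
    ("sw-b41-02", "Gi1/0/05", "B41", "f0:9f:c2:20:bb:00"),
    ("sw-b41-02", "Gi1/0/05", "B41", "00:0b:82:5d:0e:11"),
] + [("sw-b16-03", "Gi1/0/24", "B16", f"00:1b:21:33:44:{i:02x}") for i in range(25)]


def port_inventory(wired):
    """Map (switch, port) -> set of MACs currently learned on it."""
    inv = defaultdict(set)
    for switch, port, _building, mac in wired:
        inv[(switch, port)].add(mac.lower())
    return inv


def plan_suppression(event, inventory, ports_down):
    """Decide what to do about one detection.  Mutates ports_down so that a
    repeated event for the same port becomes a no-op."""
    mac = event["wired_mac"].lower()
    location = next((loc for loc, macs in inventory.items() if mac in macs), None)
    if location is None:
        return {"action": "skip", "reason": "wired MAC not learned on any port", "wired_mac": mac}
    switch, port = location
    if location in ports_down:
        return {"action": "skip", "reason": "port already shut", "switch": switch, "port": port}
    collateral = sorted(inventory[location] - {mac})
    if len(inventory[location]) >= UPLINK_MAC_THRESHOLD:
        return {"action": "escalate", "reason": "port looks like an uplink",
                "switch": switch, "port": port, "collateral": collateral}
    if event.get("confidence") != "high":
        return {"action": "escalate", "reason": "confidence below auto-remediation bar",
                "switch": switch, "port": port, "collateral": collateral}
    ports_down.add(location)
    return {"action": "shutdown", "switch": switch, "port": port,
            "wired_mac": mac, "collateral": collateral}


def process_stream(events, wired):
    """Process detection events in arrival order, as a consumer of a
    real-time telemetry stream would."""
    inventory = port_inventory(wired)
    ports_down = set()
    return [plan_suppression(e, inventory, ports_down) for e in events]


# Constructed detection events, in arrival order.
EVENTS = [
    {"wired_mac": "f0:9f:c2:10:aa:40", "confidence": "high"},
    {"wired_mac": "f0:9f:c2:20:bb:00", "confidence": "high"},
    {"wired_mac": "00:1b:21:33:44:05", "confidence": "high"},
    {"wired_mac": "f0:9f:c2:10:aa:40", "confidence": "high"},  # duplicate
    {"wired_mac": "de:ad:be:ef:00:01", "confidence": "high"},  # never seen wired
]

if __name__ == "__main__":
    for plan in process_stream(EVENTS, WIRED):
        print(plan)
```

The plan records are what the automation would hand to the switch-management layer; the block stops short of issuing a vendor-specific shutdown command. The collateral list is the point: on Gi1/0/05 the shutdown also takes down the desk phone, which is exactly the trade-off described above, and the uplink guard keeps a single detection from blacking out everything behind a downstream switch.<\/p>\n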
Extending the lessons of rogue AP suppression<\/h2>\n MDEE\u2019s work tracking down and remediating rogue APs has been so successful that they\u2019re preparing slices of that data to provide to Azure datacenter teams. They\u2019ll use the lessons learned to enact their own rogue AP detection to fulfill regulatory requirements across different geographies throughout the world.<\/p>\n
Finally, these capabilities are enabling new work across other teams as well. MDEE is actively looking for opportunities to apply the platform they\u2019ve created throughout Microsoft. That might eventually lead to a self-serve platform that other business groups within Microsoft can use for their own AP security needs.<\/p>\n
As new threats emerge and old ones find new ways to cause problems, security is a constant challenge. At Microsoft, preventing unwanted intruders is a top priority, and digital sleuthing has helped us close off one more avenue that bad actors might use.<\/p>\n
\nUnpack implementing a Zero Trust security model at Microsoft.<\/a><\/li>\nDiscover running on VPN: How Microsoft is keeping its remote workforce connected.<\/a><\/li>\nExplore how Microsoft ensures security with Windows Hello for Business.<\/a><\/li>\n<\/ul>\n
Finding and remediating rogue access points on the Microsoft corporate network - Inside Track Blog<\/title>\n