runZero Hour, Ep. 4: Network Lookalikes and Fingerprinting Challenges

Episode 4 of the runZero Hour webcast discussed lookalikes on the network, which can include: human-machine interfaces found in OT environments, simulators/probes, honeypots, rogue devices, and compatible devices that happen to look alike just because they speak the same protocol. Most of these serve legitimate purposes for testing and monitoring, so their presence isn’t necessarily malicious, but they present challenges for fingerprinting. How do you differentiate a lookalike from the real thing?

The hurdle is incredibly steep if you're just doing passive discovery. It can't always differentiate between request and response with some protocols, such as Factory Interface Network Service (FINS). You really need to initiate the conversation for accurate fingerprinting.

Beyond that, you must leverage other techniques to identify the device doppelgängers. For example, with GasPot for the Automatic Tank Gauge (ATG) protocol, you can leverage line endings–carriage return line feed (\r\n) versus line feed (\n)--as a “tell”. Another fun example would be IoT/OT devices and their Windows lookalikes. You can actually use the discrepancy between ICMP and TCP syn response times as a giveaway.

Lookalikes was just one segment in this episode of runZero Hour. Watch the recording for more insights.

Meet Our Speakers

HD Moore

Founder & CEO

Huxley Barbee

Contributor

Rob King

Director of Security Research

Tom Sellers

Principal Research Engineer

Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.


Related Resources

Webcasts
runZero Hour, Ep. 13: Anniversary episode reflecting on 2024 through the lens of IT-OT/IoT convergence
In this special anniversary episode we gathered an all-star panel of cybersecurity experts to look back on 2024 through the lens of IT-OT/IoT...
Webcasts
runZero Hour, Ep. 12: A deep-dive into OT devices, protocols, and vulnerabilities
In this month’s episode of runZero Hour, we take a deep dive into new research insights on OT devices, protocols, and vulnerabilities.
Webcasts
Dangerous Dark Matter: Confronting the Creepy Unknowns in Your Network
We explore the hidden threats and “network dark matter” lurking within your environment, viewed through the lens of zero-day vulnerabilities.
Webcasts
runZero Hour, Ep. 11: A CISA insider's perspective on managing the KEV catalog
Tod Beardsley, CISA cybersecurity expert offers an insider’s look into CISA’s mission and management of the Known Exploited Vulnerabilities (KEV)...

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved