Trust Policies and the Behavior Analytics Engine

Modified on Thu, Sep 26, 2019 at 12:17 PM

802 Secure's Behavior Analytics Engine (BAE) monitors, reports and responds to advanced threats and attacks against wireless systems within an AIRSHIELD monitored airspace. BAE uses a series of proprietary algorithms and processes that may be enhanced through intelligence provided by you, a third party system or identified during the feedback process.


Providing Intelligence: Trust Levels and Client Groups

While the BAE does learn on its own, it can be assisted by providing initial intelligence, a process known as active learning. This can be as simple as giving it a list of known ESSID and BSSID combinations, assigning labels to known devices, or linking the system to third-party knowledge systems.


Defining Trust Levels

One of the primary functions of the BAE is to identify behaviors that are "out of the normality" for everyday usage. To begin, the system must first learn what normal behavior is.


In the list of Access Points, all identified advertising systems are initially given the trust level assignment of Unknown. An Unknown trust level means the system does not yet have enough information to determine the access point's possible intent. By default the following Trust Levels are defined, and they may be configured at https://console.802secure.net/wifi/trust_groups.



Numeric assignments provide an order to the list. Names for trust levels 1 to 49 are user definable. The following attributes of a Trust Level may be modified:



Assigning Trust Levels

Searching for known internal/corporate ESSID Network Names and assigning each of their BSSIDs as Trusted gives the BAE a base of knowledge. This can be done quickly by viewing the network detail page for the ESSID, such as https://console.802secure.net/wifi/network/xfinitywifi, which lists all the BSSIDs for the xfinitywifi network. From this page you may review the BSSIDs, select all the correct ones and assign them as a group to a Trust Level.


Integrations with API-driven cloud platforms, such as Cisco Meraki, can be used to perform this activity with little overhead where available.


The same process should be performed for any Guest networks. Known Neighbor networks may also be added, but they are labeled only for your own reference and are not used by the BAE.


NOTE: The BSSID displayed is the advertised physical radio address from the Access Point and not the Ethernet or "internal" address. This may cause confusion when using vendor management systems that may not accurately represent this address.


Special Trust Levels

There are two (2) Trust Levels that have a special relationship to the BAE. An Access Point will be automatically assigned to one of these levels if an AIRSHIELD has observed it in a mostly regular operating state for 24-36 hours and it meets the criteria:

  • Suspected Neighbor: WPA2 or better encrypted access points
  • High Threat: WEP encrypted or Open access points

As a routine, you should review the APs assigned to these two levels and decide on their more appropriate Trust Level placement.



Clients and Client Group Assignments

Clients, also known as stations in IEEE 802.11 nomenclature, are the second part of the BAE equation.


Based on rules defined in the Trust Level, the first time a client is observed by the AIRSHIELD cloud platform it may be assigned to a Client Group:



Based upon this assignment, if the client is observed connecting to a disallowed Trust Level, an event will be generated, at least once per hour for each violation.




Trust Policy Activities

After labeling has been performed, the BAE will begin to understand the behaviors of 802.11 Stations and their usage. A primary function of the BAE is to identify when a suspicious or known-malicious behavior is undertaken, such as:

  • Client connected to an Approved BSSID connects to a Guest BSSID
  • Client connected to an Approved BSSID connects to a Rogue BSSID
  • An ESSID with a similarity to an Approved ESSID has been seen in the airspace
  • An ESSID with a similarity to a Rogue ESSID has been seen in the airspace

An activity identified by the BAE generates an Event which can be viewed on the Events page and/or consumed by a third-party SIEM.
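The two mechanisms described above, client-group rules that raise an event when a station joins a disallowed Trust Level (rate-limited per hour) and look-alike ESSID detection against Approved and Rogue labels, can be sketched as a small evaluator. The following is an added example written for this article and is not 802 Secure's code; the BAE's algorithms are proprietary and not described on this page. All BSSIDs, ESSIDs and group names are constructed, and the rule deriving a client group from the first AP joined, the one-event-per-hour suppression window and the 0.8 similarity threshold are assumptions chosen for the illustration.

```python
"""Toy trust-policy evaluator for 802.11 associations and ESSID look-alikes.

Added illustration only: this is NOT 802 Secure's proprietary BAE. Every
BSSID, ESSID, group name, rule and threshold below is constructed.
"""
from difflib import SequenceMatcher

# Constructed trust-level assignments, keyed by the AP's advertised radio
# BSSID (the article notes this is the radio address, not the Ethernet one).
BSSID_TRUST = {
    "aa:bb:cc:00:00:01": "Trusted",             # corporate AP
    "aa:bb:cc:00:00:02": "Guest",               # corporate guest AP
    "aa:bb:cc:00:00:03": "Suspected Neighbor",  # WPA2 AP seen regularly
    "de:ad:be:ef:00:01": "Rogue",               # AP labelled rogue
}

# Constructed client-group rules: trust levels each group may associate with.
CLIENT_GROUP_ALLOWED = {
    "Corporate": {"Trusted"},
    "Visitor": {"Guest"},
}

# Constructed label sets used for the ESSID similarity checks.
APPROVED_ESSIDS = {"CorpWiFi", "CorpGuest"}
ROGUE_ESSIDS = {"Free_Airport_WiFi"}


def assign_client_group(first_bssid):
    """Assumed rule: derive the group from the trust level of the first AP joined."""
    level = BSSID_TRUST.get(first_bssid, "Unknown")
    return {"Trusted": "Corporate", "Guest": "Visitor"}.get(level, "Unclassified")


class PolicyEngine:
    """Tracks client groups and raises one event per violation per window."""

    def __init__(self, window_seconds=3600):
        self.window = window_seconds
        self.client_group = {}   # client MAC -> group name
        self.last_event = {}     # (client, bssid) -> timestamp of last event
        self.events = []         # emitted events, oldest first

    def observe_association(self, ts, client, bssid):
        """Record that `client` associated to `bssid` at unix time `ts`.

        Returns the event dict if one was raised, else None.
        """
        # First sighting: place the client in a group (article: "may be assigned").
        group = self.client_group.setdefault(client, assign_client_group(bssid))
        level = BSSID_TRUST.get(bssid, "Unknown")
        allowed = CLIENT_GROUP_ALLOWED.get(group)
        if allowed is None or level in allowed:
            return None  # unclassified client, or an allowed trust level
        # Suppress repeats: one event per (client, bssid) violation per window.
        key = (client, bssid)
        last = self.last_event.get(key)
        if last is not None and ts - last < self.window:
            return None
        self.last_event[key] = ts
        event = {
            "ts": ts,
            "client": client,
            "group": group,
            "bssid": bssid,
            "trust_level": level,
            "message": f"{group} client {client} associated to {level} BSSID {bssid}",
        }
        self.events.append(event)
        return event


def essid_similarity(a, b):
    """Case-insensitive similarity ratio in [0, 1] between two network names."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def lookalike_essids(observed, threshold=0.8):
    """Flag an observed ESSID that resembles, but is not identical to, a labelled one.

    Returns a list of (observed, reference, category, score) tuples.
    """
    hits = []
    for category, references in (("Approved", APPROVED_ESSIDS), ("Rogue", ROGUE_ESSIDS)):
        for ref in references:
            if observed == ref:
                continue  # an exact match is the labelled network itself
            score = essid_similarity(observed, ref)
            if score >= threshold:
                hits.append((observed, ref, category, round(score, 2)))
    return hits


if __name__ == "__main__":
    engine = PolicyEngine()
    # Constructed association log: (timestamp, client MAC, BSSID)
    log = [
        (0,    "11:22:33:44:55:66", "aa:bb:cc:00:00:01"),  # corp client on Trusted AP
        (100,  "11:22:33:44:55:66", "aa:bb:cc:00:00:02"),  # then on Guest AP -> event
        (200,  "11:22:33:44:55:66", "aa:bb:cc:00:00:02"),  # repeat within the hour -> suppressed
        (3800, "11:22:33:44:55:66", "aa:bb:cc:00:00:02"),  # next hour -> event again
        (4000, "11:22:33:44:55:66", "de:ad:be:ef:00:01"),  # on Rogue AP -> event
    ]
    for ts, client, bssid in log:
        ev = engine.observe_association(ts, client, bssid)
        print(ts, "EVENT" if ev else "ok   ", ev["message"] if ev else "")
    print(lookalike_essids("CorpWlFi"))  # 'l' for 'i' look-alike of CorpWiFi
```

The association check corresponds to the first two activities in the list (an Approved client joining a Guest or Rogue BSSID); the ESSID check corresponds to the last two. In a real deployment the emitted events would be what lands on the Events page or in the SIEM feed.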



