CybrIQ for government · Threat model
Threat model

The classes of attack CybrIQ is built to surface — and the ones it isn't.

CybrIQ identifies devices. The threat model is shaped around the attack classes where device-identification is the meaningful sensor: rogue insertion, relabeled supply-chain compromise, OT compromise via unauthorized hardware, BYOD on production VLANs, USB-borne implants, and the post-Volt Typhoon awareness of nation-state pre-positioning on edge devices. Each is named below with the detection mechanism and the controls it supports.

Diagram: seven attack classes CybrIQ is built to identify, plus an explicit panel of threat classes CybrIQ is not built for.

  • T1: unauthorized device insertion (MITRE T1200 Hardware Additions).
  • T2: relabeled covered hardware under NDAA Section 889.
  • T3: device substitution detected via port-history delta.
  • T4: OT and ICS compromise detected via inventory-class delta.
  • T5: USB attacks including Rubber Ducky, BadUSB, O.MG cable, and mouse-jiggler implants (MITRE T1091 / T1056).
  • T6: BYOD on production VLAN, detected against VLAN authorization-list deviation.
  • T7: post-Volt-Typhoon edge-device pre-positioning, matched against the CISA AA24-038A pattern.

CybrIQ identifies these using switch-side, read-only signals from five signal classes against a 750-million-device reference library. Threat classes CybrIQ is explicitly not built for: software-layer attacks (EDR / XDR domain), identity-based attacks (IAM / PAM domain), network traffic anomalies (NDR / SIEM domain), and patch state (vulnerability scanners). The diagram closes with the line: CybrIQ is layer-1 device-identification, not a substitute for the rest of the stack.

Threats CybrIQ is built for

T1 — Unauthorized device insertion

Scenario. An attacker (an insider, contractor, or vendor with physical access) plugs an unauthorized device into a managed switch port. It could be a rogue access point, a single-board computer, a USB-to-Ethernet bridge, or a packet-injection tool.

Detection mechanism. A switch port goes from empty (or from a known device) to a new device whose Device DNA fingerprint matches a class not on the authorized-hardware list. The event fires within one polling cycle.

MITRE ATT&CK. T1200 (Hardware Additions). Supports compliance with: CM-8(3), DE.CM-7, NIST CSF Detect function.

T2 — Relabeled covered hardware (NDAA Section 889)

Scenario. Covered hardware from an entity named in NDAA Section 889 (Hikvision, Dahua, Hytera, Huawei, ZTE) is delivered to the agency under a different brand label by a downstream integrator. The asset register reflects the label; the hardware itself presents to the network as the original manufacturer.

Detection mechanism. The layer-1 fingerprint identifies the device by its switch-side signal set (link negotiation, OUI, LLDP TLV ordering, port stats) rather than by the chassis label. The reference library catalogs the five covered entities by signal-set similarity.

Supports compliance with: NDAA Section 889(a)(1)(B), SR-3, SR-11, FAR 52.204-25. See Section 889 page.

T3 — Device substitution (the swap attack)

Scenario. A legitimate device is removed from a switch port and replaced with a malicious lookalike that presents the same MAC (MAC spoofing) and the same broad characteristics. This defeats MAC-based NAC.

Detection mechanism. The Device DNA changes because the five-input signal set diverges from the prior device's fingerprint even when the MAC matches, and a substitution alert fires.

MITRE ATT&CK. T1200, T1556 (Modify Authentication Process — adjacent). Supports compliance with: SI-4, IA-3, CSF DE.CM.

T4 — OT and lab-segment compromise via unauthorized hardware

Scenario. An adversary places a sensor gateway, protocol converter, or rogue PLC on an OT or lab segment that endpoint-based tooling cannot reach. The device is used as a pivot for lateral movement or as a long-term beacon.

Detection mechanism. CybrIQ identifies OT devices from switch-side signals; a new device on an OT VLAN surfaces immediately even though no agent could be installed on it. This is the class that CDM HWAM cannot reach by design.

Supports compliance with: CM-8 family, NIST SP 800-82 Rev. 3 (OT) guidance.

T5 — USB-borne attacks (Rubber Ducky / BadUSB / O.MG)

Scenario. An attacker drops or hands over a USB device that presents as a keyboard (an HID spoofer) typing at machine speed, or a cable-form-factor implant with wireless C2.

Detection mechanism. Optional endpoint agent on Windows and Linux workstations identifies the USB device on insertion, matching against a curated catalog of HID-spoofers and red-team hardware. See USB & insertion attacks page.

MITRE ATT&CK. T1091 (Replication Through Removable Media), T1056 (Input Capture). Supports compliance with: MP-7, AC-19, NIST 800-171 3.8.7/3.8.8.

T6 — BYOD on production VLAN

Scenario. An unmanaged laptop, phone, or personal device appears on a production VLAN. It could be a contractor, an internal user violating policy, or an attacker hopping VLANs.

Detection mechanism. A device of a consumer class (laptop, phone) appears on a VLAN where consumer-class devices are not authorized, and the VLAN authorization-list deviation fires.

Supports compliance with: AC-19, CM-8(3), NIST CSF PR.AC.
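The detection rules described for T1 (new device of an unauthorized class on a port), T3 (same MAC, diverging signal set) and T6 (device class not authorized on the VLAN) all reduce to one comparison loop over per-port observations across polling cycles. The following is an added, constructed example written for this page, not CybrIQ's code: the fingerprint fields, class names, port names and VLAN policy are assumptions chosen for illustration, and the real Device DNA signal set is not modelled.

```python
"""Constructed example: per-port device-identification monitor (not CybrIQ code)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Fingerprint:
    """Hypothetical switch-side signal set for one observed device."""
    mac: str                          # MAC as learned by the switch (spoofable)
    link_neg: str                     # negotiated speed/duplex/autoneg, e.g. "1000/full/auto"
    lldp_tlv_order: Tuple[int, ...]   # order of LLDP TLV types the device advertised
    device_class: str                 # class resolved from a (constructed) reference library

    def signals(self) -> tuple:
        """Everything except the MAC: the part a MAC-spoofing lookalike cannot copy for free."""
        return (self.link_neg, self.lldp_tlv_order, self.device_class)


@dataclass(frozen=True)
class Port:
    switch: str
    name: str
    vlan: int


@dataclass(frozen=True)
class Alert:
    kind: str      # "T1", "T3" or "T6", matching the attack classes on this page
    port: Port
    detail: str


def oui(mac: str) -> str:
    """Vendor prefix (first three octets) of a MAC address."""
    return mac.upper()[:8]


class DeviceMonitor:
    def __init__(self, authorized_classes: Set[str], vlan_policy: Dict[int, Set[str]]):
        self.authorized_classes = set(authorized_classes)   # authorized-hardware list
        self.vlan_policy = vlan_policy                      # VLAN -> classes allowed there
        self.last_seen: Dict[Tuple[str, str], Fingerprint] = {}  # (switch, port) -> last fingerprint

    def observe(self, port: Port, fp: Fingerprint) -> List[Alert]:
        """Process one polling-cycle observation for a port and return the alerts it raises."""
        alerts: List[Alert] = []
        key = (port.switch, port.name)
        prev = self.last_seen.get(key)
        changed = prev is None or prev.mac != fp.mac or prev.signals() != fp.signals()

        if prev is not None and prev.mac == fp.mac and prev.signals() != fp.signals():
            # T3: the MAC still matches, but the rest of the signal set diverged.
            alerts.append(Alert("T3", port,
                                f"substitution behind {fp.mac}: {prev.device_class} -> {fp.device_class}"))
        elif (prev is None or prev.mac != fp.mac) and fp.device_class not in self.authorized_classes:
            # T1: port went from empty (or a known device) to a class not on the list.
            alerts.append(Alert("T1", port, f"unauthorized class {fp.device_class} (OUI {oui(fp.mac)})"))

        allowed = self.vlan_policy.get(port.vlan)
        if changed and allowed is not None and fp.device_class not in allowed:
            # T6: the class is not on this VLAN's authorization list (fires once per device change).
            alerts.append(Alert("T6", port, f"{fp.device_class} not authorized on VLAN {port.vlan}"))

        self.last_seen[key] = fp
        return alerts


def run_demo() -> List[Alert]:
    """Constructed polling sequence that exercises T1, T3 and T6 on three ports."""
    monitor = DeviceMonitor(
        authorized_classes={"managed-workstation", "ip-phone", "plc", "consumer-phone"},
        vlan_policy={10: {"managed-workstation", "ip-phone"},      # production VLAN
                     30: {"consumer-phone", "managed-workstation"}},  # guest VLAN; VLAN 20 has no class policy
    )
    p1 = Port("sw1", "Gi1/0/1", 10)
    p2 = Port("sw1", "Gi1/0/2", 10)
    p3 = Port("sw1", "Gi1/0/3", 20)   # OT segment
    laptop = Fingerprint("00:1A:2B:3C:4D:5E", "1000/full/auto", (1, 2, 3, 5, 7, 4), "managed-workstation")
    # Same MAC as the laptop, but different link negotiation, TLV order and resolved class.
    lookalike = Fingerprint("00:1A:2B:3C:4D:5E", "100/full/forced", (1, 2, 3, 0), "single-board-computer")
    phone = Fingerprint("A4:83:E7:11:22:33", "1000/full/auto", (1, 2, 3, 0), "consumer-phone")
    sbc = Fingerprint("B8:27:EB:AA:BB:CC", "100/full/auto", (1, 2, 3, 0), "single-board-computer")

    events: List[Alert] = []
    events += monitor.observe(p1, laptop)      # cycle 1: known device, no alert
    events += monitor.observe(p1, laptop)      # cycle 2: unchanged, no alert
    events += monitor.observe(p1, lookalike)   # cycle 3: T3 (swap) and T6 (class not allowed on VLAN 10)
    events += monitor.observe(p2, phone)       # cycle 3: T6 only (phone is authorized, just not on VLAN 10)
    events += monitor.observe(p3, sbc)         # cycle 3: T1 (class not on the authorized-hardware list)
    return events


if __name__ == "__main__":
    for a in run_demo():
        print(a.kind, a.port.switch, a.port.name, "vlan", a.port.vlan, "-", a.detail)
```

The second observation of the laptop raises nothing because both the MAC and the signal set are unchanged, which is the steady state a monitor spends almost all its time in; the substitution case raises T3 precisely because the MAC comparison alone would have passed.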

T7 — Edge-device pre-positioning (post-Volt Typhoon awareness)

Scenario. A nation-state actor (Volt Typhoon, Salt Typhoon, or similar) pre-positions on edge devices (routers, switches, surveillance gear, building-systems gateways) for long-term beaconing or supply-chain compromise. This is often invisible to managed-endpoint detection.

Detection mechanism. CybrIQ identifies every device on managed switches including edge-device classes. Authorization-list deviations on edge segments surface devices that should not be there. Anomalous device-class changes on edge gear (an "ATM" that suddenly presents like a Linux box) surface as substitution events.

Supports compliance with: SI-4, CM-8 family, CISA cybersecurity advisories AA24-038A and related.

Threats CybrIQ is not built for

CybrIQ's sensor surface is switch-side device identification. Attack classes that do not surface there require different tooling. They are named explicitly here so the boundaries of the threat model are clear:

  • Application-layer attacks. Use a WAF.
  • Endpoint malware on managed assets. Use EDR.
  • Phishing and credential theft. Use SEG and identity-focused tooling.
  • Encrypted-traffic exfiltration. Use NDR / network-traffic analysis.
  • Identity-based attacks acting through legitimate credentials and legitimate hardware. CybrIQ sees the hardware; the identity layer is the gap.
  • Cloud and SaaS misconfiguration. Use CSPM.
  • Insider threat using authorized devices for authorized actions. Out of scope for any device-discovery tool.

Walk the threat model against your environment

30 minutes: we walk the seven attack classes above against your environment, your existing sensor coverage, and the specific gaps a CybrIQ deployment would close.

Schedule threat-model walkthrough