CybrIQ for government · USB & insertion attacks
USB attacks · HID-spoofing · rogue mass storage

The attack rides a switch port that already has a legitimate workstation on it. The switch-side view cannot see it.

USB-borne attacks — Rubber Ducky, O.MG cable, Flipper Zero, BadUSB-class HID-spoofers, malicious mass storage — present to the switch as the host workstation, not as a new device. CybrIQ's primary deployment (switch-side, agentless) does not see this class on its own. The optional endpoint agent, available on Windows and Linux workstations, fills that gap.

A two-layer visibility approach for USB-based attacks.

Layer 1, the switch-side default deployment, sees:
  • USB-to-Ethernet bridges presenting as Layer-2 network devices on a switch port.
  • Wireless dongles or rogue APs that bring up a new MAC on an existing port.
  • Inline implants between legitimate equipment, such as Raspberry Pi-class and BeagleBone devices.
By physical limit, switch-side cannot see what is plugged into a host's USB port.

Layer 2, the optional opt-in workstation agent, sees:
  • USB device class enumeration on the host (vendor and product ID of every plugged device).
  • HID emulation patterns (keyboard injection vs. human typing cadence).
  • Storage class abuse.
  • Composite-device tricks.
  • Cable impersonation in the O.MG family.
The agent is typically rolled out to a named population such as CUI workstations, classified workstations, or contractor laptops.

Attack-class coverage matrix:
  • BadUSB HID emulation: workstation agent only.
  • Rubber Ducky or Bash Bunny: workstation agent only.
  • O.MG Cable family: workstation agent only.
  • Mouse jiggler: workstation agent only.
  • USB-to-Ethernet bridge or Raspberry Pi-class implant: both layers.
Switch-side catches what reaches the network; the agent catches what plugs into the host. The two are complementary surfaces, not substitutes for each other.

Why USB attacks need a different sensor

A USB device plugged into a workstation does not appear on the network the way a new networked device does. The workstation's MAC, IP, and switch-port identity stay the same; the USB device manifests as a peripheral inside the workstation's operating system. Switch-side detection cannot see what's plugged into the USB port of a host; that's not a limitation of CybrIQ specifically — it's a limitation of any switch-side approach.

The classes of USB attack federal and defense environments care about are well documented. HID-spoofing devices present as a keyboard and type at machine speed (Rubber Ducky, Flipper Zero in BadUSB mode). Cable-form-factor implants like the O.MG cable look identical to a normal USB cable and host a wireless command-and-control surface. Rogue mass storage writes documents off the workstation or carries malicious binaries onto it. Each of these has been documented in federal red-team reports and IG findings over the past five years.

What the endpoint agent does

CybrIQ ships an optional small agent for Windows and Linux workstations. The agent watches USB-device insertion events at the OS level and fires an event when:

  • A device is plugged in that does not match the workstation's allow-list of approved peripherals.
  • A device claims to be a keyboard but its USB descriptor matches known HID-spoofing implants (Rubber Ducky, Flipper Zero in BadUSB mode, O.MG cable family).
  • A device's vendor / product ID matches a curated catalog of red-team and offensive-security hardware.
  • A device presents as multiple classes (e.g., a "cable" that is also a keyboard and a mass-storage device).

The events feed the same main instance and the same SIEM/NAC integrations as the switch-side device discovery. Detection is on-insertion — the event fires within the operating system's USB event loop, surfaced to the agency's SOC in near-real-time.
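The four insertion-time checks listed above, plus the typing-cadence check from the layer description, modelled as an added example; this is not CybrIQ's agent code, and the vendor/product IDs, allow-list entries and cadence thresholds are constructed placeholders.

```python
"""Constructed model of the agent's insertion-time checks (not CybrIQ code)."""
from dataclasses import dataclass
from statistics import median, pstdev

# USB-IF base interface class codes: HID (keyboards/mice) and mass storage.
HID_CLASS, MASS_STORAGE_CLASS = 0x03, 0x08

# Placeholder catalog. A real deployment loads curated vendor/product IDs
# of known red-team hardware from a feed; these values are made up.
OFFENSIVE_HW_CATALOG = {
    (0x1234, 0x0001): "placeholder HID-injector",
    (0x1234, 0x0002): "placeholder implant cable",
}


@dataclass
class UsbDevice:
    vid: int
    pid: int
    interface_classes: set  # classes declared across all interfaces


def evaluate_insertion(dev, allow_list):
    """Return alert reasons for one insertion; an empty list means allowed."""
    reasons = []
    key = (dev.vid, dev.pid)
    if key not in allow_list:
        reasons.append("not on workstation allow-list")
    if key in OFFENSIVE_HW_CATALOG:
        reasons.append("matches offensive-hardware catalog: " + OFFENSIVE_HW_CATALOG[key])
        if HID_CLASS in dev.interface_classes:
            reasons.append("claims keyboard but matches known HID-spoofing implant")
    # A "cable" or keyboard that also enumerates storage is the composite pattern.
    if {HID_CLASS, MASS_STORAGE_CLASS} <= dev.interface_classes:
        reasons.append("composite HID + mass-storage device")
    return reasons


def looks_like_injection(keystroke_times_ms, max_median_gap_ms=25.0, max_jitter_ms=5.0):
    """Flag keystroke timing too fast and too regular for a human typist.
    Thresholds are constructed for illustration, not tuned production values."""
    if len(keystroke_times_ms) < 8:
        return False  # too few samples to judge cadence
    gaps = [b - a for a, b in zip(keystroke_times_ms, keystroke_times_ms[1:])]
    return median(gaps) <= max_median_gap_ms and pstdev(gaps) <= max_jitter_ms
```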

Controls CybrIQ supports compliance with

  • NIST SP 800-53 Rev. 5 — MP-7 (Media Use), AC-19 (Access Control for Mobile Devices), AC-20 (Use of External Systems), SI-3 (Malicious Code Protection).
  • NIST SP 800-171 Rev. 2 — 3.8.7, 3.8.8 (Media Use restrictions).
  • CMMC L2 — MP.L2-3.8.7, MP.L2-3.8.8.
  • NIST CSF 2.0 — PR.DS (Data Security) and DE.CM (Security Continuous Monitoring) functions.
  • HSPD-12 / FIPS 201 — Identification of unauthorized peripheral devices in PIV-card-controlled environments.

Why this is a separate feature, not the default

The endpoint agent is opt-in by environment. The switch-side device discovery (the rest of the CybrIQ deployment) requires no software on the agency's managed assets, by design. The USB-protection feature is the one place CybrIQ ships an agent, and only in environments where the agency decides the trade-off is worth it. Federal evaluators who are wary of agents often need that agentless-by-default posture stated up front before the agent conversation can begin.

Schedule a USB-protection briefing

30 minutes: we walk the threat model, the endpoint-agent posture, and the integration with your existing SOC tooling.
