Threat intel · upcoming program

A monthly briefing on Layer 1 attack patterns. Coming when we have enough install base to anonymize, not before.

There's a version of this page that ships fabricated "anonymized customer findings" and gets put through marketing review. We're not doing that. The page below describes the briefing program we plan to run, shows four illustrative examples so you can judge whether the format is useful to you, and lets you subscribe to be notified at launch. The first real briefing ships when the install base produces a real finding, on its own timeline.

Subscribe to be notified at launch: seceng@cybriq.io (monthly email; security engineers only; unsubscribe in every issue).

⚠ Illustrative, not yet from real data

The four briefings below describe plausible Layer 1 attack patterns drawn from the published security-research literature and from what we expect to observe at scale. They are not anonymized findings from real customers; we don't yet have a large-enough install base to publish those without identifying individual deployments. We are showing them here so you can see the shape and detail level of the briefings we intend to publish. Real briefings will replace these as the install base grows, and each future briefing will be clearly marked with its source date and methodology note.

Illustrative example A · Contractor-served sites

Surge in unmanaged-switch insertions on contractor-served sites

In the April–May window, CybrIQ deployments at sites with active third-party contractor work reported port-topology-changed events at 8.2x their baseline rate. Most resolved as benign (contractors connecting personal devices for legitimate work); about 3% were investigated as security incidents.

Insertions clustered between 09:00–11:00 local time on Mon/Tue, coinciding with contractor-team arrival windows. Devices behind the inserted switch were almost always personal laptops or hotspots.

If you have CybrIQ and a contractor-access process: cross-reference port-topology-changed events against the contractor sign-in log for the same site and time window. Auto-suppress events that match a signed-in crew; investigate the unmatched ones. In these sites this reduces alert volume by roughly 85%.
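The cross-reference described above, as an added example that is not CybrIQ code. The event and sign-in record layouts, the 30-minute arrival grace window and the sample data are all constructed assumptions; map the field names onto your own exports.

```python
"""Correlate port-topology-changed events against a contractor sign-in log.

Added example, not CybrIQ code. Record layouts, the grace window and the
sample data below are assumptions; adapt them to your own exports.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class TopologyEvent:            # hypothetical export of a port-topology-changed event
    site: str
    port: str
    ts: datetime                # local time at the site


@dataclass(frozen=True)
class SignIn:                   # hypothetical contractor sign-in record
    site: str
    crew: str
    arrived: datetime
    departed: datetime


# A crew that badged in shortly before the port changed still counts as a match.
# 30 minutes is an assumed value; tune it to how your sign-in desk actually works.
GRACE = timedelta(minutes=30)


def matches(ev: TopologyEvent, s: SignIn) -> bool:
    """Same site, and the event falls inside the crew's presence window."""
    return ev.site == s.site and s.arrived - GRACE <= ev.ts <= s.departed


def triage(events, signins):
    """Split events into (suppressed, investigate).

    suppressed: list of (event, crew) pairs, so the suppression stays auditable.
    investigate: events with no signed-in crew at that site at that time.
    """
    suppressed, investigate = [], []
    for ev in events:
        hits = [s for s in signins if matches(ev, s)]
        if hits:
            suppressed.append((ev, hits[0].crew))
        else:
            investigate.append(ev)
    return suppressed, investigate


T = datetime.fromisoformat

# Constructed sample: one crew on site-12 for the day; two port changes during
# its window, one at night with nobody signed in, one at a site with no crew.
SIGNINS = [
    SignIn("site-12", "hvac-crew", T("2024-04-08T08:50"), T("2024-04-08T16:00")),
]
EVENTS = [
    TopologyEvent("site-12", "Gi1/0/14", T("2024-04-08T09:20")),
    TopologyEvent("site-12", "Gi1/0/15", T("2024-04-08T09:25")),
    TopologyEvent("site-12", "Gi1/0/3",  T("2024-04-08T23:10")),
    TopologyEvent("site-07", "Gi2/0/1",  T("2024-04-08T10:00")),
]

if __name__ == "__main__":
    sup, inv = triage(EVENTS, SIGNINS)
    for ev, crew in sup:
        print(f"suppress    {ev.site} {ev.port} {ev.ts:%H:%M} (matched {crew})")
    for ev in inv:
        print(f"INVESTIGATE {ev.site} {ev.port} {ev.ts:%Y-%m-%d %H:%M}")
```

The suppressed list keeps the crew name on purpose: auto-suppression also hides a malicious insertion by a signed-in contractor, so keep the suppressed events in the log and sample them, rather than discarding them.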

Illustrative example B · Supply-chain provenance

NDAA-prohibited camera batch identified post-procurement

A federal-contractor deployment surfaced 11 NDAA-prohibited cameras within 72h of activation. Investigation revealed the cameras had been relabeled by an intermediate reseller; the OEM packaging claimed a different (US-allowed) manufacturer. The provenance failure was upstream of the customer's own procurement process.

Procurement records said vendor A; the switch-derived signal set resolved to vendor B in the reference database (on the banned list). The cameras' MAC addresses had been reprogrammed so that the OUI matched vendor A. CybrIQ's Layer 1 fingerprint caught what every layer from L2 upward had been lied to about.

The customer terminated its contract with the intermediate reseller; CybrIQ added the specific signal-set pattern to the reference database for higher-confidence matching in future deployments. A lessons-learned section was added to our SOAR templates.
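A three-way provenance reconciliation of the kind this example relies on, as an added example that is not CybrIQ code. It compares what procurement claims, what the MAC OUI claims, and what the Layer 1 signal set resolved to. The OUI table, the banned-vendor list (standing in for the NDAA covered-vendor list) and the sample devices are constructed; the Layer 1 vendor is taken as an input because the page does not describe the fingerprinting mechanism itself.

```python
"""Reconcile procurement record, MAC OUI and Layer 1 vendor resolution.

Added example, not CybrIQ code. OUI_TABLE, BANNED and the sample devices are
constructed; the l1_vendor field is an assumed input from a Layer 1 lookup.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed OUI table (first three octets -> vendor). Use the IEEE MA-L
# registry in practice; these prefixes and names are illustrative only.
OUI_TABLE = {
    "00:11:22": "vendor-a",
    "aa:bb:cc": "vendor-b",
}
# Constructed stand-in for the NDAA covered-vendor list.
BANNED = {"vendor-b"}


@dataclass
class Device:
    mac: str
    procurement_vendor: str        # what the PO and packaging claim
    l1_vendor: Optional[str]       # what the Layer 1 signal set resolved to (assumed input)


def parse_mac(mac: str) -> dict:
    """Return OUI plus the two address-type bits of the first octet."""
    octets = mac.lower().replace("-", ":").split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"bad MAC {mac!r}")
    first = int(octets[0], 16)
    return {
        "oui": ":".join(octets[:3]),
        "locally_administered": bool(first & 0x02),   # U/L bit: set by software, not burned in
        "multicast": bool(first & 0x01),              # I/G bit: never valid for a unicast NIC
    }


def reconcile(dev: Device) -> List[str]:
    """Return findings; an empty list means all three sources agree and none is banned."""
    findings = []
    m = parse_mac(dev.mac)
    oui_vendor = OUI_TABLE.get(m["oui"])

    if m["locally_administered"]:
        findings.append("MAC is locally administered; OUI cannot support the vendor claim")
    if m["multicast"]:
        findings.append("MAC has the I/G bit set; not a valid unicast burned-in address")

    if oui_vendor is None:
        findings.append(f"OUI {m['oui']} not in reference table")
    elif oui_vendor != dev.procurement_vendor:
        findings.append(f"OUI resolves to {oui_vendor}, procurement says {dev.procurement_vendor}")

    if dev.l1_vendor and dev.l1_vendor != dev.procurement_vendor:
        findings.append(f"Layer 1 fingerprint resolves to {dev.l1_vendor}, "
                        f"procurement says {dev.procurement_vendor}")

    # Any of the three identities landing on the banned list is a finding in itself.
    for v in sorted(filter(None, {oui_vendor, dev.l1_vendor, dev.procurement_vendor})):
        if v in BANNED:
            findings.append(f"{v} is on the banned list")
    return findings


# Constructed samples: a relabeled camera whose MAC was reprogrammed to a
# vendor-a OUI, an honest vendor-a camera, and a device with a software-set MAC.
RELABELED = Device("00:11:22:4f:a1:02", "vendor-a", "vendor-b")
HONEST = Device("00:11:22:4f:a1:03", "vendor-a", "vendor-a")
SOFT_MAC = Device("02:11:22:00:00:01", "vendor-a", "vendor-a")

if __name__ == "__main__":
    for name, dev in (("relabeled", RELABELED), ("honest", HONEST), ("soft-mac", SOFT_MAC)):
        print(name, reconcile(dev) or "OK")
```

Note what the relabeled case shows: a reprogrammed MAC with a clean vendor-A OUI passes the OUI check and the U/L-bit check completely. Only the Layer 1 comparison disagrees with procurement, which is the point the briefing makes; the OUI and U/L checks are cheap extra signals, not the control.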

Illustrative example C · Codec abuse

Silent-codec patterns correlating with after-hours BYOD use

Across multiple healthcare and corporate deployments, conference-room codecs marked device-silent-extended during business hours showed after-hours traffic patterns, reported by the switch, consistent with BYOD beaconing. The codec was being used as a Wi-Fi-to-Ethernet bridge for the personal devices of off-hours cleaning crews.

Daytime: codec is silent (no scheduled meetings). Off-hours: the switch reports persistent low-volume egress traffic from the codec port. Same Device DNA; the change is in the activity pattern, not the identity.

If you have HIPAA, PCI, or CUI scope on codec-network VLANs: a device-silent-extended event followed within 24h by a sudden burst of activity outside business hours on the same port should escalate. Cleaning crews shouldn't have network access through your AV infrastructure.
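The escalation rule above as a stateful sequence detector, added here as an example and not CybrIQ code. The event names device-silent-extended and port-activity follow the briefing text; the record layout, the 07:00–19:00 weekday business-hours window and the sample events are assumptions.

```python
"""Escalate device-silent-extended followed within 24h by out-of-hours activity.

Added example, not CybrIQ code. Business hours, the event tuple layout and the
sample events are assumptions; adjust to your site's local schedule.
"""
from datetime import datetime, timedelta

BUSINESS_START, BUSINESS_END = 7, 19      # assumed local business hours, Mon-Fri
WINDOW = timedelta(hours=24)              # from the briefing: silent -> activity within 24h


def out_of_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def detect(events):
    """events: iterable of (port, event_type, local datetime), in time order.

    Returns a list of (port, silent_ts, activity_ts) that should escalate.
    Activity during business hours does not clear the silent state, because a
    daytime meeting followed by a night-time burst is still the pattern of interest.
    """
    last_silent = {}                      # port -> timestamp of latest silent-extended
    escalations = []
    for port, kind, ts in events:
        if kind == "device-silent-extended":
            last_silent[port] = ts
        elif kind == "port-activity":
            silent_ts = last_silent.get(port)
            if silent_ts is not None and ts - silent_ts <= WINDOW and out_of_hours(ts):
                escalations.append((port, silent_ts, ts))
                del last_silent[port]     # one escalation per silent-extended period
    return escalations


T = datetime.fromisoformat

# Constructed sample (2024-05-14 is a Tuesday): conf-3a goes silent at 10:00 and
# shows egress at 22:40; conf-3b only has a daytime meeting; conf-4c's activity
# lands 36h later, outside the window.
EVENTS = [
    ("conf-3a/Gi1/0/7", "device-silent-extended", T("2024-05-14T10:00")),
    ("conf-3b/Gi1/0/8", "device-silent-extended", T("2024-05-14T10:05")),
    ("conf-4c/Gi1/0/2", "device-silent-extended", T("2024-05-14T10:10")),
    ("conf-3b/Gi1/0/8", "port-activity",          T("2024-05-14T14:00")),
    ("conf-3a/Gi1/0/7", "port-activity",          T("2024-05-14T22:40")),
    ("conf-4c/Gi1/0/2", "port-activity",          T("2024-05-15T23:00")),
]

if __name__ == "__main__":
    for port, silent_ts, act_ts in detect(EVENTS):
        print(f"ESCALATE {port}: silent since {silent_ts:%H:%M}, "
              f"out-of-hours activity at {act_ts:%Y-%m-%d %H:%M}")
```

Feed the detector timestamps already converted to the site's local time; a codec in a different time zone from the SIEM will otherwise be judged against the wrong business-hours window.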

Illustrative example D · Firmware persistence

Firmware-shift events as IOCs preceding broader incidents

Forensic correlation across three incident-response engagements found that device-firmware-shift events preceded broader compromise by 7–14 days in each case. Devices involved: HVAC controllers, building-access readers, and one VoIP gateway. All were marked benign at the time of the firmware shift because the change was below the substitution threshold.

The adversary made small, deliberately below-threshold firmware modifications to establish persistence on infrastructure devices. The firmware shift was the indicator of compromise; nothing fired at the time because similarity to the previous firmware image stayed in the 0.78–0.84 range, above the default substitution threshold.

For high-security floors and infrastructure devices, tighten the device-firmware-shift similarity threshold to 0.90 so that any shift scoring below 0.90 alerts. This will produce more alerts on legitimate firmware updates, but the trade-off may be worth it for executive, HR, finance, and any port carrying regulated data.

How the briefings will be produced (when they launch)

  • Source. Anonymized aggregate signals from CybrIQ deployments. We will publish only when the contributing install base is large enough that no individual deployment can be re-identified.
  • Editorial. Engineering team reviews each draft for technical accuracy. Marketing has no input on content selection.
  • Cadence. Monthly when we have something to publish. Issues skip a month if the install base hasn't surfaced anything new. We won't manufacture content to hit a cadence.
  • Methodology note. Every real briefing carries a transparent note on data source, sample size, and any limits of inference. The four examples above carry no such note because the underlying data is illustrative.
  • Distribution. Free. No login. No marketing capture beyond an email address for delivery.

Subscribe (security engineers only)

One email per month. Engineering-detail level. Unsubscribe in every issue. Email seceng@cybriq.io with the subject line "Subscribe" to start.
