mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 05:05:16 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,139 @@
|
||||
---
|
||||
name: implementing-usb-device-control-policy
|
||||
description: >
|
||||
Implements USB device control policies to restrict unauthorized removable media access on
|
||||
endpoints, preventing data exfiltration and malware introduction via USB devices. Use when
|
||||
deploying device control via Group Policy, Intune, or EDR platforms to enforce USB restrictions.
|
||||
Activates for requests involving USB control, removable media policy, device control, or
|
||||
data loss prevention via USB.
|
||||
domain: cybersecurity
|
||||
subdomain: endpoint-security
|
||||
tags: [endpoint, USB-control, device-control, data-loss-prevention, removable-media]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: MIT
|
||||
---
|
||||
# Implementing USB Device Control Policy
|
||||
|
||||
## When to Use
|
||||
|
||||
Use this skill when:
|
||||
- Restricting USB storage devices to prevent data exfiltration or malware introduction
|
||||
- Implementing device control policies via GPO, Intune, or EDR device control modules
|
||||
- Creating USB whitelists for authorized devices while blocking all others
|
||||
- Meeting compliance requirements for removable media control (PCI DSS, HIPAA)
|
||||
|
||||
**Do not use** for network-based DLP or cloud storage restrictions.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Active Directory GPO or Microsoft Intune for policy deployment
|
||||
- Device Instance IDs of authorized USB devices
|
||||
- EDR with device control module (CrowdStrike, Microsoft Defender for Endpoint)
|
||||
- Understanding of USB device classes (mass storage, HID, printer, etc.)
|
||||
|
||||
## Workflow
|
||||
|
||||
### Step 1: Inventory Current USB Usage
|
||||
|
||||
```powershell
|
||||
# Enumerate currently connected USB devices
|
||||
Get-PnpDevice -Class USB | Select-Object InstanceId, FriendlyName, Status
|
||||
|
||||
# Query USB storage history from registry
|
||||
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*" |
|
||||
Select-Object FriendlyName, ContainerID, HardwareID
|
||||
|
||||
# Collect USB usage across fleet (via EDR or scripts)
|
||||
# CrowdStrike: Investigate → USB Device Activity
|
||||
# MDE: DeviceEvents | where ActionType == "UsbDriveMounted"
|
||||
```
|
||||
|
||||
### Step 2: Configure GPO Device Control
|
||||
|
||||
```
|
||||
Computer Configuration → Administrative Templates → System → Removable Storage Access
|
||||
|
||||
- All Removable Storage classes: Deny all access → Enabled
|
||||
(Block read AND write for all removable storage)
|
||||
|
||||
OR for granular control:
|
||||
- CD and DVD: Deny read access → Enabled
|
||||
- Removable Disks: Deny write access → Enabled (read-only USB)
|
||||
- Tape Drives: Deny all access → Enabled
|
||||
- WPD Devices: Deny all access → Enabled
|
||||
|
||||
To allow specific approved USB devices:
|
||||
Computer Configuration → Administrative Templates → System → Device Installation
|
||||
→ Device Installation Restrictions
|
||||
|
||||
- Prevent installation of devices not described by other policy settings → Enabled
|
||||
- Allow installation of devices that match any of these device IDs → Enabled
|
||||
Add approved Device IDs: USB\VID_0781&PID_5583 (example: SanDisk Cruzer)
|
||||
```
|
||||
|
||||
### Step 3: Deploy via Microsoft Defender for Endpoint
|
||||
|
||||
```xml
|
||||
<!-- MDE Device Control policy (XML format) -->
|
||||
<PolicyGroups>
|
||||
<Group Id="{d9a81dc0-1234-5678-9abc-def012345678}"
|
||||
Type="Device" Name="Approved USB Devices">
|
||||
<MatchClause>
|
||||
<MatchType>VID_PID</MatchType>
|
||||
<MatchData>0781_5583</MatchData> <!-- SanDisk -->
|
||||
</MatchClause>
|
||||
</Group>
|
||||
</PolicyGroups>
|
||||
|
||||
<PolicyRules>
|
||||
<Rule Id="{rule-guid}" Name="Block unapproved USB storage">
|
||||
<IncludedIdList>
|
||||
<PrimaryId>RemovableMediaDevices</PrimaryId>
|
||||
</IncludedIdList>
|
||||
<ExcludedIdList>
|
||||
<GroupId>{d9a81dc0-1234-5678-9abc-def012345678}</GroupId>
|
||||
</ExcludedIdList>
|
||||
<Entry>
|
||||
<Type>Deny</Type>
|
||||
<AccessMask>63</AccessMask> <!-- All access -->
|
||||
<Options>4</Options> <!-- Show notification -->
|
||||
</Entry>
|
||||
</Rule>
|
||||
</PolicyRules>
|
||||
```
|
||||
|
||||
### Step 4: Audit and Monitor
|
||||
|
||||
```
|
||||
# Monitor USB events in SIEM:
|
||||
# Windows Event ID 6416 - New external device recognized
|
||||
# Windows Event ID 4663 - File access on removable media
|
||||
# MDE: DeviceEvents where ActionType contains "Usb"
|
||||
|
||||
# Generate USB activity reports monthly
|
||||
# Track: blocked attempts, approved device usage, exception requests
|
||||
```
|
||||
|
||||
## Key Concepts
|
||||
|
||||
| Term | Definition |
|
||||
|------|-----------|
|
||||
| **VID/PID** | Vendor ID and Product ID that uniquely identify USB device models |
|
||||
| **Device Instance ID** | Unique identifier for a specific physical USB device |
|
||||
| **Device Control** | EDR/endpoint feature restricting device access based on type, vendor, or serial number |
|
||||
| **USB Class** | USB device category (mass storage 08h, HID 03h, printer 07h) |
|
||||
|
||||
## Tools & Systems
|
||||
|
||||
- **Microsoft Defender Device Control**: MDE module for USB restriction policies
|
||||
- **CrowdStrike Falcon Device Control**: EDR-based USB policy enforcement
|
||||
- **Group Policy (Removable Storage Access)**: Built-in Windows USB restriction via GPO
|
||||
- **Endpoint Protector**: Third-party device control and DLP solution
|
||||
|
||||
## Common Pitfalls
|
||||
|
||||
- **Blocking all USB without exception**: Keyboards and mice are USB HID devices. Block only mass storage class, not all USB.
|
||||
- **Not communicating policy to users**: USB blocks without user notification generate helpdesk tickets. Display a notification explaining the policy.
|
||||
- **Ignoring USB-C and Thunderbolt**: Modern devices use USB-C for docking, charging, and storage. Policies must distinguish between USB storage and USB peripherals.
|
||||
- **No approved device process**: Users with legitimate USB needs (presentations, field data collection) require an exception process with approved, encrypted devices.
|
||||
@@ -0,0 +1,24 @@
|
||||
# USB Device Control Policy Template
|
||||
|
||||
## Policy Configuration
|
||||
| Setting | Value |
|
||||
|---------|-------|
|
||||
| Default Action | Block all removable storage |
|
||||
| Enforcement Mode | Audit / Enforce |
|
||||
| Notification | Display user message |
|
||||
|
||||
## Approved Devices
|
||||
| Device Name | VID:PID | Serial | Issued To | Expiry |
|
||||
|-------------|---------|--------|-----------|--------|
|
||||
| | | | | |
|
||||
|
||||
## Exception Register
|
||||
| User | Business Justification | Device | Approved By | Expiry |
|
||||
|------|----------------------|--------|-------------|--------|
|
||||
| | | | | |
|
||||
|
||||
## Sign-Off
|
||||
| Role | Name | Date |
|
||||
|------|------|------|
|
||||
| Security | | |
|
||||
| IT Ops | | |
|
||||
@@ -0,0 +1,12 @@
|
||||
# Standards & References
|
||||
|
||||
## Primary Standards
|
||||
- **NIST SP 800-53 MP-7**: Media Use - restricting removable media types and usage
|
||||
- **PCI DSS 4.0 Req 3.4.2**: Restrict removable electronic media for cardholder data
|
||||
- **CIS Control 10.4**: Configure device control to prevent removable media autorun
|
||||
- **ISO 27001 A.8.3.1**: Management of removable media
|
||||
|
||||
## Supporting References
|
||||
- **MDE Device Control**: https://learn.microsoft.com/en-us/defender-endpoint/device-control-overview
|
||||
- **CrowdStrike Device Control**: Falcon Console documentation
|
||||
- **GPO Removable Storage**: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-remotemanagement
|
||||
@@ -0,0 +1,17 @@
|
||||
# Workflows
|
||||
|
||||
## Workflow 1: USB Device Control Deployment
|
||||
```
|
||||
[Audit current USB usage across fleet] → [Identify legitimate USB needs]
|
||||
→ [Create approved device whitelist] → [Configure block policy with exceptions]
|
||||
→ [Deploy in audit mode for 2 weeks] → [Review blocked events]
|
||||
→ [Add missing legitimate devices] → [Switch to enforce mode]
|
||||
→ [Communicate policy to users] → [Monitor and maintain]
|
||||
```
|
||||
|
||||
## Workflow 2: USB Exception Request
|
||||
```
|
||||
[User requests USB access] → [Verify business justification]
|
||||
→ [Issue approved encrypted USB device] → [Add device ID to whitelist]
|
||||
→ [Deploy updated policy] → [Log exception with expiry date]
|
||||
```
|
||||
@@ -0,0 +1,88 @@
|
||||
#!/usr/bin/env python3
|
||||
"""USB Device Control Audit - Analyzes USB device activity from endpoint logs."""
|
||||
|
||||
import json
|
||||
import csv
|
||||
import sys
|
||||
import os
|
||||
from collections import Counter, defaultdict
|
||||
from datetime import datetime
|
||||
|
||||
|
||||
def parse_usb_events(csv_path: str) -> list:
|
||||
"""Parse USB device events from exported Windows event logs or EDR data."""
|
||||
events = []
|
||||
with open(csv_path, "r", encoding="utf-8-sig") as f:
|
||||
reader = csv.DictReader(f)
|
||||
for row in reader:
|
||||
events.append({
|
||||
"timestamp": row.get("Timestamp", row.get("Date and Time", "")),
|
||||
"host": row.get("Computer", row.get("DeviceName", "")),
|
||||
"user": row.get("User", row.get("AccountName", "")),
|
||||
"action": row.get("Action", row.get("ActionType", "")),
|
||||
"device_name": row.get("DeviceName", row.get("FriendlyName", "")),
|
||||
"device_id": row.get("DeviceId", row.get("HardwareId", "")),
|
||||
"vid_pid": row.get("VID_PID", ""),
|
||||
"serial": row.get("SerialNumber", ""),
|
||||
"blocked": row.get("Blocked", row.get("ActionType", "")).lower() in ("blocked", "deny", "prevented"),
|
||||
})
|
||||
return events
|
||||
|
||||
|
||||
def analyze_usb_activity(events: list) -> dict:
|
||||
"""Analyze USB events for policy violations and usage patterns."""
|
||||
analysis = {
|
||||
"total_events": len(events),
|
||||
"blocked_events": sum(1 for e in events if e["blocked"]),
|
||||
"unique_devices": len({e["device_id"] for e in events if e["device_id"]}),
|
||||
"devices_by_host": defaultdict(set),
|
||||
"top_users": Counter(),
|
||||
"blocked_devices": Counter(),
|
||||
"allowed_devices": Counter(),
|
||||
}
|
||||
|
||||
for event in events:
|
||||
if event["host"] and event["device_id"]:
|
||||
analysis["devices_by_host"][event["host"]].add(event["device_id"])
|
||||
if event["user"]:
|
||||
analysis["top_users"][event["user"]] += 1
|
||||
if event["blocked"]:
|
||||
analysis["blocked_devices"][event.get("device_name", event["device_id"])] += 1
|
||||
else:
|
||||
analysis["allowed_devices"][event.get("device_name", event["device_id"])] += 1
|
||||
|
||||
analysis["devices_by_host"] = {k: len(v) for k, v in analysis["devices_by_host"].items()}
|
||||
return analysis
|
||||
|
||||
|
||||
def generate_report(analysis: dict, output_path: str) -> None:
|
||||
"""Generate USB activity report."""
|
||||
report = {
|
||||
"report_generated": datetime.utcnow().isoformat() + "Z",
|
||||
"summary": {
|
||||
"total_events": analysis["total_events"],
|
||||
"blocked": analysis["blocked_events"],
|
||||
"unique_devices": analysis["unique_devices"],
|
||||
},
|
||||
"top_users": dict(analysis["top_users"].most_common(20)),
|
||||
"top_blocked_devices": dict(analysis["blocked_devices"].most_common(20)),
|
||||
"hosts_with_most_devices": dict(sorted(
|
||||
analysis["devices_by_host"].items(), key=lambda x: -x[1])[:20]),
|
||||
}
|
||||
with open(output_path, "w", encoding="utf-8") as f:
|
||||
json.dump(report, f, indent=2)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
if len(sys.argv) < 2:
|
||||
print("Usage: python process.py <usb_events.csv>")
|
||||
sys.exit(1)
|
||||
|
||||
csv_path = sys.argv[1]
|
||||
events = parse_usb_events(csv_path)
|
||||
analysis = analyze_usb_activity(events)
|
||||
|
||||
out = os.path.join(os.path.dirname(csv_path) or ".", "usb_audit_report.json")
|
||||
generate_report(analysis, out)
|
||||
print(f"Report: {out}")
|
||||
print(f"Total events: {analysis['total_events']}, Blocked: {analysis['blocked_events']}")
|
||||
Reference in New Issue
Block a user