Technical surveillance countermeasures (TSCM) help keep government facilities and sensitive areas safe from data exfiltration and espionage attempts. Today, increasingly hard-to-detect wireless threats call for a new, supplemental approach—continuous TSCM on a unified platform for wireless airspace defense.
What are continuous technical surveillance countermeasures (TSCM)?
Technical Surveillance Countermeasures (TSCM) have been used for decades to protect sensitive information from electronic surveillance devices like hidden cameras, audio bugs, or GPS trackers. Alongside physical inspections, thermal imaging, wire tracing, and other traditional countermeasures, wireless threat detection solutions play a key role by using radio frequency (RF) detection to find surveillance devices that would otherwise go unnoticed.
Today, wireless surveillance and data exfiltration tactics are too sophisticated to be caught in a single sweep. Continuous TSCM ensures secure government, corporate, and temporary spaces like hotels and event venues are kept that way, monitoring for wireless devices and networks 24/7 and alerting security teams the moment a potential threat is detected.
The problem with traditional TSCM
There are many ways for bad actors to exfiltrate information from an organization. For example, covert transmitters can create voice or data channels that are difficult to detect. These devices commonly use wireless protocols on unmonitored frequencies. For data exfiltration, cellular protocols are the most prevalent example of an “out-of-band” network that can move large amounts of data. Organizations are finding it harder and harder to monitor the entire radio frequency spectrum, across protocols and bands, for anomalous or high-volume exfiltration signatures.
Surveillance devices are becoming cheaper and easier to obtain. Countless inexpensive bugs, pwn plugs, and listening devices can be purchased over the counter and over the Internet. They can be installed quickly, run on their own onboard computers, and carry their own prepaid cellular chips for backhaul.
These devices do not send data over the wire, through the monitoring systems that security teams normally operate. Instead, they backhaul the data through unmonitored protocols.
Typically, when an organization needs to conduct a bug sweep, it hires an outside firm to perform a one-time, point-in-time sweep whose results are rendered obsolete once the firm leaves. This is not only costly and time-consuming, but also very disruptive. Unfortunately, most corporations only conduct bug sweeps once per quarter, or in close proximity to a ‘sensitive moment or event’, leaving themselves susceptible to attack in between.
What does a continuous TSCM solution do?
A continuous TSCM security solution should provide several key capabilities.
First, it must provide visibility into all of the wireless networks, traffic, and devices operating in your environment rather than only alerting you to threats. This helps your organization understand when an anomaly occurs, enforce device policies, and stay compliant with cybersecurity standards such as those published by NIST.
Second, these solutions should inform you of the attack surface for each of these devices and offer best practices for minimizing it. This provides a comprehensive view of threats that could occur, not just those that already have.
Third, a continuous TSCM solution should alert your teams instantly on active wireless attacks via your existing SIEM systems, providing guidance on how to best mitigate an attack in action.
Finally, for a TSCM solution to be effective in today’s threat landscape, it must operate continuously—24/7 to catch out-of-hours transmission of data.
MORE SPECIFICALLY, A CONTINUOUS TSCM SOLUTION SHOULD:
- Detect all devices operating in the wireless spectrum, including but not limited to Wi-Fi, cellular, Bluetooth, and the hundreds of other protocols used in the Internet of Things (IoT)
- Detect current and future protocols without requiring hardware upgrades
- Detect known and unknown emitters via observing energy patterns
- Provide awareness of any wireless threats including active attacks and rogue networks
- Detect data exfiltration via wireless devices
- Detect vulnerable devices being installed
- Detect anomalous wireless activity originating from the campus
- Alert on a wireless attack surface introduced by the installation of new equipment
- Detect rogue cell towers which can send signals into your facility