Detection & Monitoring

Raspberry Pi OUI Detection

The Mandiant PoC used a Raspberry Pi 4 as the evil twin platform. Monitor for Raspberry Pi OUI prefixes (the first three octets of the MAC address) appearing as endpoints on enterprise SSIDs. Be clear about what this check does and does not see: ISE only records the Pi if it associates to an enterprise SSID as a client (for example to bridge victims through to the real network); the evil twin's own radio MAC (BSSID) is visible to the wireless controller's rogue AP detection, not to ISE. A MAC address is also trivial to change, and a USB Wi-Fi adapter carries the adapter vendor's OUI rather than the Pi's, so an empty result is not evidence that no Pi is present.

OUI Prefix   Manufacturer (IEEE registration)
B8:27:EB     Raspberry Pi Foundation (Pi 1 through Pi 3, Pi Zero)
DC:A6:32     Raspberry Pi Trading Ltd (Pi 4)
E4:5F:01     Raspberry Pi Trading Ltd (Pi 4 family, including Compute Module 4)

Newer boards ship with 28:CD:C1 and D8:3A:DD (Pi 5), also registered to Raspberry Pi Trading Ltd; add those to the queries below and re-check the IEEE OUI registry when new board revisions appear.

# Query ISE for endpoints matching Raspberry Pi OUI prefixes
netapi ise endpoint list --filter "mac.startswith=B8:27:EB" --format table
netapi ise endpoint list --filter "mac.startswith=DC:A6:32" --format table
netapi ise endpoint list --filter "mac.startswith=E4:5F:01" --format table

# Combined check: loop over all prefixes so one run covers the whole list
for oui in B8:27:EB DC:A6:32 E4:5F:01; do
    netapi ise endpoint list --filter "mac.startswith=$oui" --format table
done

Any Raspberry Pi MAC appearing on CHLA_Staff or CHLA_Secure warrants immediate investigation: these are not authorized endpoint types for enterprise wireless. Record the NAS, AP name and first-seen time from ISE before contacting the site, and pair this query with the wireless controller's rogue AP report, which is where the evil twin's broadcast side shows up.

ISE Live Logs Daily Review

Checklist for daily ISE Live Logs review:

  • Failed Authentications — Review all failed auth events; investigate repeated failures from same MAC or username

  • Unknown MAC Addresses — New MACs not in endpoint database; check against authorized inventory

  • Policy Set Violations — Endpoints hitting unexpected policy sets (e.g., corporate device on guest SSID)

  • Posture Failures — Endpoints failing posture assessment; check for pattern (specific OS, location, time)

  • Authorization Changes — Endpoints receiving unexpected authorization profiles

  • Profiling Anomalies — Device profiled as one type but exhibiting different behavior

Weekly Reporting

Generate weekly security metrics from ISE:

Top Failed Authentications

# Top 10 failed authentications by username (last 7 days)
netapi ise logs failed --days 7 --group-by username --top 10 --format table

# Top 10 failed authentications by MAC address
netapi ise logs failed --days 7 --group-by mac --top 10 --format table

Posture Compliance Rate

Track week-over-week compliance trending:

  • Target: 95% overall compliance rate

  • Alert threshold: Any platform dropping below 90%

  • Escalation: Two consecutive weeks below target triggers investigation
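The target, alert and escalation rules above as a runnable weekly check. This is an added example, not part of the runbook or the netapi tool; the per-endpoint posture results, week labels and platform names are constructed for illustration, and a real run would read the ISE posture report export instead.

```python
"""Weekly posture compliance trending with this page's alert and escalation rules.

Added example, not from the original runbook. The per-endpoint posture results
are constructed; in practice they come from an ISE posture report export.
"""
from collections import defaultdict

TARGET = 0.95          # overall compliance target
PLATFORM_ALERT = 0.90  # any platform below this raises an alert
ESCALATE_AFTER = 2     # consecutive weeks below target triggers investigation


def weekly_rates(results):
    """results: {week: [(platform, compliant_bool), ...]}
    Returns {week: {"overall": rate, platform: rate, ...}}."""
    out = {}
    for week, rows in sorted(results.items()):
        counts = defaultdict(lambda: [0, 0])  # key -> [compliant, total]
        for platform, ok in rows:
            for key in ("overall", platform):
                counts[key][0] += ok
                counts[key][1] += 1
        out[week] = {k: c[0] / c[1] for k, c in counts.items()}
    return out


def evaluate(results):
    """Apply the platform alert threshold and the consecutive-week escalation rule."""
    rates = weekly_rates(results)
    alerts, streak = [], 0
    for week in sorted(rates):
        r = rates[week]
        for platform, rate in r.items():
            if platform != "overall" and rate < PLATFORM_ALERT:
                alerts.append((week, "alert", f"{platform} at {rate:.1%}"))
        streak = streak + 1 if r["overall"] < TARGET else 0
        if streak >= ESCALATE_AFTER:
            alerts.append((week, "escalate", f"overall below target {streak} weeks running"))
    return rates, alerts


def sample_results():
    """Constructed posture outcomes: (windows_ok, windows_total, macos_ok, macos_total)."""
    weeks = {}
    for week, (win_ok, win_total, mac_ok, mac_total) in {
        "2024-W09": (190, 200, 48, 50),  # overall 95.2%: on target
        "2024-W10": (180, 200, 44, 50),  # overall 89.6%, macOS 88%: platform alert
        "2024-W11": (186, 200, 47, 50),  # overall 93.2%: second week below target
    }.items():
        weeks[week] = ([("Windows", True)] * win_ok + [("Windows", False)] * (win_total - win_ok)
                       + [("macOS", True)] * mac_ok + [("macOS", False)] * (mac_total - mac_ok))
    return weeks


if __name__ == "__main__":
    rates, alerts = evaluate(sample_results())
    for week, r in rates.items():
        print(week, {k: f"{v:.1%}" for k, v in r.items()})
    for a in alerts:
        print(*a)
```

Note that the escalation counter resets as soon as a week lands back on target, so a single bad week followed by recovery produces a platform alert at most, never an escalation.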

Policy Set Usage

# Authentication summary by policy set
netapi ise logs summary --days 7 --group-by policy-set --format table

Review for unexpected patterns — endpoints hitting wrong policy sets may indicate misconfiguration or attempted bypass.

Anomalous MAC Detection Patterns

Watch for these indicators of compromise or policy bypass:

Pattern             Description                                                                   Action
MAC Spoofing        Known device MAC appearing from unexpected switch port or AP                  Investigate; possible MAC clone attack
OUI Mismatch        Device profiled as Windows but OUI belongs to embedded/IoT vendor             Re-profile; possible spoofed endpoint
Rapid MAC Cycling   Same switch port authenticating multiple MACs in short period                 Investigate; possible hub/bridge or attack tool
After-Hours Auth    Enterprise auth from endpoints during non-business hours in sensitive areas   Review; legitimate remote access or unauthorized physical access
Geographic Anomaly  Same username authenticating from distant APs within impossible travel time   Escalate; credential compromise indicator
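The Raspberry Pi OUI check and the MAC-based patterns in the table above (MAC spoofing, OUI mismatch, rapid MAC cycling, impossible travel) as detection logic run over ISE-style authentication records. This is an added example, not part of the runbook or the netapi tool. The records, the authorized inventory, the site names and the minimum travel-time table are constructed for illustration; in a real deployment the records come from ISE Live Logs or the RADIUS accounting syslog feed, and the inventory from the endpoint database.

```python
"""Run this page's MAC-based detection rules over ISE-style authentication records.

Added example, not part of the original runbook and not part of the netapi tool.
The records, the authorized inventory and the site travel-time table are all
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Raspberry Pi OUI prefixes (first three octets of the MAC address).
RASPBERRY_PI_OUIS = {"B8:27:EB", "DC:A6:32", "E4:5F:01"}
# Assumed: the embedded/IoT vendor set for the OUI-mismatch rule (here only the Pi ones).
EMBEDDED_OUIS = RASPBERRY_PI_OUIS
ENTERPRISE_SSIDS = {"CHLA_Staff", "CHLA_Secure"}

# Constructed authorized inventory: MAC -> NAS (switch port or AP) it is expected on.
INVENTORY = {"00:50:56:AA:01:01": "sw-3fl-01/Gi1/0/12"}
# Constructed minimum travel time between campus sites, in minutes.
MIN_TRAVEL_MIN = {frozenset({"main", "ambulatory"}): 20}


def oui(mac):
    """Upper-case OUI of a MAC written with ':' or '-' separators."""
    return mac.upper().replace("-", ":")[:8]


def detect(records, cycle_window=timedelta(minutes=5), cycle_threshold=3):
    """Return (rule, detail) findings for a sequence of auth records."""
    findings = []
    by_nas = defaultdict(list)   # NAS -> [(time, mac)]
    by_user = defaultdict(list)  # username -> [(time, site)]
    for r in sorted(records, key=lambda rec: rec["time"]):
        mac, prefix = r["mac"].upper(), oui(r["mac"])
        if prefix in RASPBERRY_PI_OUIS and r.get("ssid") in ENTERPRISE_SSIDS:
            findings.append(("raspberry_pi_oui", f"{mac} on {r['ssid']} via {r['nas']}"))
        if r["profile"] == "Windows" and prefix in EMBEDDED_OUIS:
            findings.append(("oui_mismatch", f"{mac} profiled Windows, OUI {prefix}"))
        expected = INVENTORY.get(mac)
        if expected and expected != r["nas"]:
            findings.append(("mac_spoofing", f"{mac} seen on {r['nas']}, expected {expected}"))
        by_nas[r["nas"]].append((r["time"], mac))
        if r.get("username"):
            by_user[r["username"]].append((r["time"], r["site"]))
    # Rapid MAC cycling: too many distinct MACs on one NAS inside the window.
    for nas, seen in by_nas.items():
        for i, (t0, _) in enumerate(seen):
            macs = {m for t, m in seen[i:] if t - t0 <= cycle_window}
            if len(macs) >= cycle_threshold:
                findings.append(("rapid_mac_cycling", f"{nas}: {len(macs)} MACs within {cycle_window}"))
                break
    # Impossible travel: consecutive auths for one user from sites too far apart.
    for user, seen in by_user.items():
        for (t0, s0), (t1, s1) in zip(seen, seen[1:]):
            needed = MIN_TRAVEL_MIN.get(frozenset({s0, s1}), 0)
            if s0 != s1 and t1 - t0 < timedelta(minutes=needed):
                minutes = int((t1 - t0).total_seconds() // 60)
                findings.append(("impossible_travel", f"{user}: {s0} -> {s1} in {minutes} min"))
    return findings


def sample_records():
    """Constructed records: one Pi on the staff SSID, one cloned MAC, one port
    cycling through MACs, and one user at two sites five minutes apart."""
    t = datetime(2024, 3, 4, 9, 0)

    def rec(minute, mac, nas, site, profile, username=None, ssid=None):
        return {"time": t + timedelta(minutes=minute), "mac": mac, "nas": nas,
                "site": site, "profile": profile, "username": username, "ssid": ssid}

    return [
        rec(0, "00:50:56:AA:01:01", "sw-3fl-01/Gi1/0/12", "main", "Windows", "jdoe"),
        rec(1, "dc:a6:32:1f:22:33", "ap-ed-04", "main", "Windows", None, "CHLA_Staff"),
        rec(2, "00:50:56:AA:01:01", "sw-1fl-07/Gi1/0/3", "main", "Windows", "jdoe"),
        rec(3, "00:11:22:33:44:55", "sw-1fl-07/Gi1/0/3", "main", "Printer"),
        rec(4, "00:11:22:33:44:66", "sw-1fl-07/Gi1/0/3", "main", "Printer"),
        rec(10, "3C:5A:B4:10:20:30", "ap-amb-01", "ambulatory", "Apple-Device", "asmith", "CHLA_Secure"),
        rec(15, "3C:5A:B4:10:20:30", "ap-ed-04", "main", "Apple-Device", "asmith", "CHLA_Secure"),
    ]


if __name__ == "__main__":
    for rule, detail in detect(sample_records()):
        print(f"{rule:20} {detail}")
```

The MAC spoofing rule depends entirely on the quality of the inventory mapping, and the cycling threshold should be set above the number of devices legitimately behind any authorized mini-switch or IP phone on a port; the after-hours pattern is omitted because it needs the site's business-hours and sensitive-area definitions, which this page does not carry.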

Certificate Lifecycle Monitoring

Certificate-based authentication (EAP-TLS) requires active lifecycle management:

Certificate Type        Validity   Renewal
Machine Certificate     2 years    Auto-enrollment via AD GPO; monitor 60 days before expiry
User Certificate        1 year     Auto-enrollment via AD GPO; monitor 30 days before expiry
ISE System Certificate  2 years    Manual renewal; calendar reminder 90 days before expiry
ISE Admin Certificate   5 years    Manual renewal; calendar reminder 180 days before expiry

Auto-renewal target: auto-enrolled certificates should have been replaced 30 days before expiration, so the certificate template's renewal period must be at least that long. Monitor for:

  • Endpoints whose newest certificate expires within 30 days and that have not received a renewed one (a machine that has not checked in, or auto-enrollment failing silently)

  • Certificate enrollment failures in the AD Certificate Services logs on the issuing CA, and CertificateServicesClient-AutoEnrollment events on the endpoint itself

  • ISE system certificate expiration: once the EAP certificate on an ISE node expires, every supplicant that validates the server certificate fails authentication, so this is the one item that must never slip
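The monitoring windows from the table and the three bullets above as one runnable check. This is an added example, not part of the runbook or the netapi tool; the certificate inventory is constructed and holds only the newest certificate per subject (so a certificate still listed inside the auto-renewal window means auto-enrollment has not replaced it), and the subject names and the cut-off date are assumptions. Real input would be gathered from the issuing CA's database (certutil -view), the ISE certificate store and an endpoint inventory scan.

```python
"""Flag EAP-TLS certificates that are inside their monitoring window, past the
auto-renewal point, or already expired, using the thresholds from the table above.

Added example, not from the original runbook. The inventory is constructed and
holds the newest certificate per subject.
"""
from datetime import date

# Days before expiry at which each type enters its monitoring window (from the table).
MONITOR_DAYS = {"machine": 60, "user": 30, "ise_system": 90, "ise_admin": 180}
AUTO_ENROLLED = {"machine", "user"}
AUTO_RENEW_TARGET_DAYS = 30  # auto-enrolled certs should have been replaced by this point


def check_certificates(inventory, today):
    """inventory: dicts with type, subject and not_after (date); newest cert per subject.
    Returns (severity, subject, message) tuples, most urgent first."""
    findings = []
    for cert in inventory:
        days_left = (cert["not_after"] - today).days
        window = MONITOR_DAYS[cert["type"]]
        if days_left < 0:
            # An expired ISE system (EAP) certificate is an authentication outage.
            sev = "critical" if cert["type"] == "ise_system" else "high"
            findings.append((sev, cert["subject"], f"expired {-days_left} days ago"))
        elif cert["type"] in AUTO_ENROLLED and days_left <= AUTO_RENEW_TARGET_DAYS:
            # Newest cert for this subject is past the renewal point: auto-enrollment did not run.
            findings.append(("high", cert["subject"], f"{days_left} days left, not renewed by auto-enrollment"))
        elif days_left <= window:
            sev = "high" if cert["type"] == "ise_system" else "medium"
            findings.append((sev, cert["subject"], f"{days_left} days left, inside {window}-day window"))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f[0]])


def sample_inventory():
    """Constructed inventory, to be evaluated as of 2024-06-01."""
    return [
        {"type": "machine", "subject": "PC-001", "not_after": date(2024, 7, 15)},   # 44 days: monitor
        {"type": "machine", "subject": "PC-002", "not_after": date(2024, 6, 20)},   # 19 days: not renewed
        {"type": "user", "subject": "jdoe", "not_after": date(2025, 1, 1)},          # fine
        {"type": "ise_system", "subject": "ise-psn-1 EAP", "not_after": date(2024, 8, 15)},  # 75 days: plan renewal
        {"type": "ise_system", "subject": "ise-psn-2 EAP", "not_after": date(2024, 5, 30)},  # expired: outage
        {"type": "ise_admin", "subject": "ise-admin", "not_after": date(2026, 1, 1)},         # fine
    ]


if __name__ == "__main__":
    for sev, subject, msg in check_certificates(sample_inventory(), date(2024, 6, 1)):
        print(f"{sev:8} {subject:15} {msg}")
```

Run it from the weekly report job with today's date; the ordering puts an expired ISE system certificate first because that is the finding that maps to an active outage rather than a pending one.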