Why the Basics Still Matter: Lessons from the SOC on USB Malware and Exposed Devices

In cybersecurity, it’s easy to become enamored with the latest zero-days, AI-driven threats, or multi-stage attacks. But from where I sit in the Security Operations Center (SOC), I can tell you that some of the most impactful incidents we respond to stem from much simpler causes – ones we’ve been warning about for years.

Despite all the advancements in detection and response, threats like USB-borne malware and improperly secured devices still present serious risks. These “basic” issues often open the door to much larger compromises. The ATO found a 27% increase in USB-based threats in 1H 2025, in comparison to 2H 2024.

The USB Drive Problem

One recent case involved a user who plugged a personal USB drive into a corporate-managed workstation. That single action was all it took to kick off a malware infection that could’ve had serious consequences. Fortunately, Ontinue’s ION platform flagged and contained the threat quickly. That said, it’s a sobering reminder of how small actions can carry significant risk.

This attack method isn’t new. USB-delivered malware has been around for decades. In fact, according to a 2024 Honeywell report, over half of USB-based threats (51%) had the potential to cause major disruption to industrial and enterprise environments. Even now, with endpoint protection tools and device control capabilities widely available, many organizations still allow removable media usage without strong restrictions.

Exposed Devices: A Modern Risk from Old Habits

In another incident, we identified a managed device that had been exposed to the public internet – not due to a vulnerability, but because a user created an SSH tunnel to their home router. This effectively opened a backdoor, allowing attackers to discover the endpoint, perform reconnaissance, and attempt brute-force access using stolen credentials from the dark web.

There wasn’t anything advanced or novel in the attack technique, just old methods repackaged for modern environments. That’s what makes them so dangerous. They’re easy to execute and often overlooked.

We caught this activity thanks to a combination of real-time telemetry, threat intel, and behavioral context enriched by Agentic AI. However, even the best technology can only go so far when human behavior creates unnecessary exposure.

Why Human Error Remains a Core Risk

These incidents reflect a broader truth in cybersecurity: human behavior still accounts for the majority of breaches. According to Verizon’s 2024 Data Breach Investigations Report, 74% of breaches involve the human element, whether through error, misuse, or social engineering.

In our day-to-day operations, we often see:

  • Employees with local admin access who install unapproved software or misconfigure critical settings.
  • Lack of USB controls, allowing external devices to introduce malware.
  • Shadow IT behaviors like personal tunneling or unmonitored remote access.
  • Devices with default or weak configurations exposed to the internet without proper patching or segmentation.

These are preventable issues, but prevention takes more than tools; it requires clear policies, continuous education, and cultural reinforcement of security hygiene.

How Agentic AI Helps, But Doesn’t Replace Security Basics

At Ontinue, we leverage Agentic AI, built into the ION MXDR service. This gives us deep, contextual insights before our analysts even begin investigating.

For instance, when a malware alert is triggered, Agentic AI will already have checked the user’s role, their behavioral history, file activity, and known threat associations. In the USB case, it automatically quarantined the malicious file and opened an investigation before the SOC touched it.

That speed and context are game-changing. However, even the best AI can’t prevent poor user decisions or compensate for lax policies. What works is the partnership of smart automation with strong fundamentals.

Reinforcing the Fundamentals

If there’s one takeaway I’d share with any CISO, IT leader, or security team, it’s this: before chasing the next innovation, make sure the basics are locked down. From my seat in the SOC, here’s what makes the biggest difference:

  • Block or tightly control USB devices on managed systems.
  • Remove unnecessary local admin privileges – users don’t need full control over their machines.
  • Continuously monitor for exposed assets and flag unusual remote access activity.
  • Train users regularly on safe computing habits and evolving attack vectors.
  • Treat configuration hygiene (patching, segmentation, access control) as seriously as detection and response.
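As an added illustration of the "control USB devices" and "flag unusual remote access" items, and not code from Ontinue or the ION platform: a small triage routine over constructed endpoint telemetry that flags the two exposures described in the incidents above, an ssh client started with remote port forwarding (the reverse tunnel) and a removable drive that is not corporate-issued. The event field names and the allowlist of approved drive serials are assumptions for the demo.

```python
import shlex

APPROVED_USB_SERIALS = {"CORP-ENC-0001", "CORP-ENC-0002"}  # constructed allowlist

def is_reverse_tunnel(cmdline: str) -> bool:
    """True if an ssh client command requests remote port forwarding (-R),
    the reverse tunnel that published the managed device to the internet."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return False
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return False
    for i, arg in enumerate(argv[1:], 1):
        # config-style form: -o RemoteForward=... or -oRemoteForward=...
        opt = argv[i + 1] if arg == "-o" and i + 1 < len(argv) else arg[2:]
        if arg.startswith("-o") and opt.lower().startswith("remoteforward"):
            return True
        # -R on its own or inside a clustered flag such as -fNR
        if arg.startswith("-") and arg[1:].isalpha() and "R" in arg[1:]:
            return True
    return False

def is_unapproved_usb(event: dict) -> bool:
    """True for a removable-storage connect whose serial is not allowlisted."""
    return (event.get("type") == "usb_connect"
            and event.get("class") == "mass_storage"
            and event.get("serial") not in APPROVED_USB_SERIALS)

def triage(events: list) -> list:
    """Return (host, user, reason) for each event that breaks a basic control."""
    findings = []
    for ev in events:
        if ev.get("type") == "process_create" and is_reverse_tunnel(ev.get("cmdline", "")):
            findings.append((ev["host"], ev["user"], "ssh reverse tunnel (-R) started"))
        elif is_unapproved_usb(ev):
            findings.append((ev["host"], ev["user"], "unapproved USB storage " + str(ev.get("serial"))))
    return findings

# Constructed telemetry for the demo, not from a real environment.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS-1042", "user": "jdoe",
     "cmdline": "ssh -fN -R 2222:localhost:22 jdoe@home-router.example"},
    {"type": "process_create", "host": "WS-1042", "user": "jdoe",
     "cmdline": "ssh -p 22 git@git.example.internal"},
    {"type": "usb_connect", "host": "WS-0377", "user": "asmith",
     "class": "mass_storage", "serial": "SNDK-PERSONAL-91"},
    {"type": "usb_connect", "host": "WS-0377", "user": "asmith",
     "class": "mass_storage", "serial": "CORP-ENC-0001"},
]
```

Ordinary ssh sessions, local forwarding (-L) and corporate drives on the allowlist pass through untouched; only the reverse tunnel and the personal drive surface as findings.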

We talk a lot about defending against advanced threats, and rightly so, but don’t forget, it’s often the small, overlooked vulnerabilities that create the biggest openings.

In cybersecurity, sophistication isn’t always the enemy. Sometimes, it’s simplicity.

Read more about this and other threats in Ontinue’s 1H Threat Intelligence Report.

Article By

Biren Patel
Senior Manager, America SOC

Biren Patel is Ontinue’s Senior Manager, leading the SOC team in America.