Corporate Espionage… Without the Hassle of Committing Felonies John Bambenek, Manager of Threat Systems Fidelis Cybersecurity THOTCON 0x7

Posted on 13-Jan-2017


TRANSCRIPT

Page 1: Corporate Espionage… Without the Hassle of Committing Felonies

John Bambenek, Manager of Threat Systems
Fidelis Cybersecurity

THOTCON 0x7

Page 2: Introduction

© Fidelis Cybersecurity

• Manager of Threat Systems with Fidelis Cybersecurity
• Part-Time Faculty at University of Illinois in CS
• Provider of open-source intelligence feeds
• Run several takedown-oriented groups

Page 3: Spoiler Alert

Page 4: Problem Statement

• We are on the losing end of an arms race.
• Too much malware
• Not enough analysts
• We’re “open”, they can operate privately
• “Global” law enforcement is hard
• …

Page 5: The Problem Illustrated (from Virustotal)

Page 6: How most people solve this

• 2 major pieces of many people’s solution:
  • Cloud
  • Automation

Page 7: What the Cloud is Good For

• Lots of compute, RAM and storage available in a dynamic and flexible manner.
• Saves the overhead of running your own datacenter.
• My DGA feeds running in AWS, for instance.

Page 8: Why the Cloud Sucks.

Page 9: What automation is good for

• The immensity of the malware problem alone makes manual effort laughably absurd.
• If you can reduce maliciousness to a finite number of defined patterns, you can ideally find “badness” without being in the AV signature rat-race (i.e. sandboxing).

Page 10: Why automation sucks

• Computers do EXACTLY what they are told.
• Automation can be manipulated.
• Temptation to over-automate (usually to achieve some arbitrary number) overcomes many development efforts.

Page 11: Gratuitous Venn Diagram

[Venn diagram with the labels “Automation”, “Cloud Services” and “Stupid shit your security vendor does”]

Page 12: Malware Sharing Services

• There are several services you can buy or otherwise participate in to get malware.
  • Virustotal’s API
  • Security vendor malware sharing (give some – get some)
• A very “good thing” but has one key drawback.

Page 13: Using and Abusing Automation

• There are some security solutions that sandbox “all the things”… do you know where those things end up?
• Example: Some security solutions submit everything to Virustotal just to scan files against every AV solution.
• This is stupid and you’re going to get us invaded. More soon.

Page 14: Virustotal example

Page 15: Virustotal

• There are several levels of API access that allow downloading of anything uploaded to VirusTotal.
• This is very useful for malware research.
• But the downside of uploading anything to VT is that ANYTHING can be uploaded.

Page 16: VT Hunting

• Virustotal also allows the use of Yara for getting real-time notifications of matching files as they are uploaded.
• Yara is a pattern-matching engine for finding specific content in files.
• You can also use retrohunt to scan a small amount of historical data to get files that match your yara rules.
• Anyone who pays VT has access to this functionality wherever they are in the world.

Page 17: Hunting Example

Page 18: Bad Example #1

• A security vendor on a private list complained that their proprietary yara rules were available for download on VT.
• Someone had a yara rule to look for yara rules… how meta.
• Another company has a yara rule searching for password dumps.
• Good news: VT will remove files for good reason on request.

Page 19: Bad example #2

Page 20: Bad example #2

• Based on a vanity search, I can see people referencing my feeds.
• This includes several proprietary rules that security companies sell to detect things based on my research.
• In essence, someone’s web proxy solution submits everything to VT to check for AV hits.

Page 21: Bad example #3

• What about other structured files?
• Doing a search for “----BEGIN RSA PRIVATE KEY----” yielded 10,000 hits (maximum before VT stops the search).
• Many were in binaries but there were several pure text key files.
• About 85% of those keys required NO PASSPHRASE.
• Why would you ever sandbox a text file?

Page 22: Bad Example #4

• What about documents with the phrase “proprietary and confidential”?
• Again, 10,000 hits including policy documents, risk management forms, some binaries, even some paperwork from a congressional office.

Page 23: Bad Example #5

• What about “Attorney-Client Privileged”?
• 850 documents, including documents from an automobile manufacturer’s vehicle safety research for litigation defense, an oil company discussing litigation strategy, a media company discussing their e-discovery strategy… the list goes on.

Page 24: Why does this work?

• A core tenet of data loss protection is to have consistent marking of documents.
• Consistent marking makes it easy to find policy violations.
• It also makes it easy to find those documents in the wild.

Page 25: Taking it to the next level

Page 26: Source ID

• Source ID is a unique identifier for APIs or web users who upload documents.
• If sensitive data was uploaded once, you likely have a leaky source ID that would be interesting to keep looking at.
• Source ID is not directly searchable via VT.

Page 27: ELK Stack to the Rescue

• The VT API returns reports for files as they are scanned and returns the metadata in JSON (including Source ID).
• Putting it into Elastic Search means you can now find every hash value submitted by a given Source.
• Interesting things come up…
  • Foreign governments
  • Security vendors
  • One organization had their entire AD tree uploaded to VT
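The pivot described on the Source ID and ELK slides, written up as an added example (not code from the talk) from the defender's side: starting from a hash you know is your own sensitive document, find which of your submitters (proxy, sandbox connector, analyst API key) sent it, then profile everything else that submitter uploaded. The report records are constructed, and the field names `sha256`, `source_id`, `positives` and `scan_date` are assumed stand-ins for whatever your indexed report JSON actually carries.

```python
from collections import Counter

# Constructed VT-style report records; the field names are assumptions, not a real schema.
REPORTS = [
    {"sha256": "a" * 64, "source_id": "proxy-eu-01", "positives": 0, "scan_date": "2016-05-02"},
    {"sha256": "b" * 64, "source_id": "proxy-eu-01", "positives": 0, "scan_date": "2016-05-02"},
    {"sha256": "c" * 64, "source_id": "proxy-eu-01", "positives": 41, "scan_date": "2016-05-03"},
    {"sha256": "d" * 64, "source_id": "analyst-api", "positives": 38, "scan_date": "2016-05-03"},
    {"sha256": "a" * 64, "source_id": "analyst-api", "positives": 0, "scan_date": "2016-05-04"},
]

def sources_for_hash_query(sha256):
    """Elasticsearch DSL for the same pivot: which source ids submitted this hash."""
    return {"size": 0,
            "query": {"term": {"sha256": sha256}},
            "aggs": {"sources": {"terms": {"field": "source_id"}}}}

def uploads_by_source_query(source_id):
    """Elasticsearch DSL: every report a given source id produced, oldest first."""
    return {"query": {"term": {"source_id": source_id}},
            "_source": ["sha256", "positives", "scan_date"],
            "sort": [{"scan_date": "asc"}]}

def sources_for_hash(reports, sha256):
    """Offline equivalent of sources_for_hash_query over an in-memory record list."""
    return sorted({r["source_id"] for r in reports if r["sha256"] == sha256})

def source_profile(reports, source_id):
    """How much of what this source uploads is not even flagged by any engine?
    A submitter whose uploads are mostly undetected is sandboxing 'all the things'."""
    mine = [r for r in reports if r["source_id"] == source_id]
    undetected = sum(1 for r in mine if r["positives"] == 0)
    return {"uploads": len(mine), "undetected": undetected,
            "undetected_ratio": (undetected / len(mine)) if mine else 0.0,
            "hashes": sorted({r["sha256"] for r in mine})}

def leaky_sources(reports, known_sensitive_hashes):
    """Expand from known-sensitive hashes to every submitter that sent any of them."""
    found = {}
    for h in known_sensitive_hashes:
        for sid in sources_for_hash(reports, h):
            found[sid] = source_profile(reports, sid)
    return found

if __name__ == "__main__":
    for sid, profile in leaky_sources(REPORTS, ["a" * 64]).items():
        print(sid, profile["uploads"], "uploads,", profile["undetected"], "undetected")
```

The two query builders are what you would post to the `_search` endpoint of the index holding the report JSON; the offline functions apply the same logic so you can check the pivot on a sample before trusting it on the full index.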

Page 28: Wrapping it Up

• If your vendor “data mines” you, do you know where that data ends up and how it is used?
• Using VT for sandboxing is “bad”.
• Important to right-size automation to things that are suspicious, but risk may require on-prem sandboxing.
• If you leak your sensitive information into a cloud service that makes the data available for download, you likely lose all ability to keep your competitors/adversaries from using it.
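A submission gate that applies the advice above and the marker findings from Bad examples #3 to #5, as an added example rather than anything from the talk or from Fidelis: before an automated pipeline hands a file to a third-party scanner, check for the markers the deck searched for, refuse text files outright, and keep non-executable binaries (documents) for the on-prem sandbox. The marker strings are the deck's own; the `Proc-Type: 4,ENCRYPTED` header test for a passphrase-protected PEM key and the sample files are assumptions constructed here.

```python
from dataclasses import dataclass
from typing import List

# Markers the talk searched VT for; matched case-insensitively, inside binaries too,
# because many of the leaked keys were embedded in executables rather than plain files.
SENSITIVE_MARKERS = [
    (b"----BEGIN RSA PRIVATE KEY----", "private key"),
    (b"proprietary and confidential", "proprietary/confidential marking"),
    (b"attorney-client privileged", "attorney-client privilege marking"),
]
# The only things worth detonating off-site: native executables, identified by magic bytes.
EXECUTABLE_MAGIC = {b"MZ": "PE", b"\x7fELF": "ELF",
                    b"\xcf\xfa\xed\xfe": "Mach-O", b"\xce\xfa\xed\xfe": "Mach-O"}

@dataclass
class Verdict:
    action: str   # "submit" (third party), "onprem" (local analysis only), "block"
    reason: str

def find_markers(data: bytes) -> List[str]:
    lowered = data.lower()
    hits = [label for marker, label in SENSITIVE_MARKERS if marker.lower() in lowered]
    # A traditional PEM key protected by a passphrase carries a "Proc-Type: 4,ENCRYPTED"
    # header; without it the key is usable as-is, the 85% case the talk describes.
    if "private key" in hits and b"Proc-Type: 4,ENCRYPTED" not in data:
        hits[hits.index("private key")] = "private key WITHOUT passphrase"
    return hits

def looks_like_text(data: bytes) -> bool:
    """Heuristic: no NUL bytes and valid UTF-8 means a text file, not a sandbox candidate."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def triage(data: bytes) -> Verdict:
    hits = find_markers(data)
    if hits:
        return Verdict("block", "sensitive content: " + ", ".join(hits))
    if looks_like_text(data):
        return Verdict("onprem", "text file: inspect locally, nothing to detonate off-site")
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return Verdict("submit", kind + " executable")
    return Verdict("onprem", "non-executable binary (document?): on-prem sandbox only")

if __name__ == "__main__":
    # Constructed samples: an unencrypted PEM key, a marked memo, a PE stub, a binary doc.
    for name, blob in [("key.pem", b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"),
                       ("memo.txt", b"Memo\nPROPRIETARY AND CONFIDENTIAL\nQ3 plan\n"),
                       ("tool.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
                       ("report.pdf", b"%PDF-1.7\n\x00binary\n")]:
        print(name, triage(blob))
```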

Page 29: Questions & Thank You!

John Bambenek / [email protected]