Corporate Espionage… Without the Hassle of Committing Felonies
TRANSCRIPT
John Bambenek, Manager of Threat Systems, Fidelis Cybersecurity
THOTCON 0x7
© Fidelis Cybersecurity
Introduction
• Manager of Threat Systems with Fidelis Cybersecurity
• Part-Time Faculty at University of Illinois in CS
• Provider of open-source intelligence feeds
• Run several takedown oriented groups
Spoiler Alert
Problem Statement
• We are on the losing end of an arms race.
• Too much malware
• Not enough analysts
• We’re “open”, they can operate privately
• “Global” law enforcement is hard
• …
The Problem Illustrated (from Virustotal)
How most people solve this
• 2 major pieces of many people’s solution:
• Cloud
• Automation
What the Cloud is Good For?
• Lots of compute, RAM and storage available in a dynamic and flexible manner.
• Saves the overhead of running your own datacenter.
• My DGA feeds running in AWS for instance.
Why the Cloud Sucks.
What automation is good for.
• The immensity of the malware problem alone makes manual effort laughably absurd.
• If you can reduce maliciousness to a finite number of defined patterns, you can ideally find “badness” without being in the AV signature rat-race (i.e. sandboxing).
Why automation sucks
• Computers do EXACTLY what they are told.
• Automation can be manipulated.
• Temptation to over-automate (usually to achieve some arbitrary number) overcomes many development efforts.
Gratuitous Venn Diagram
[Venn diagram: “Automation” and “Cloud Services”, with the overlap labelled “Stupid shit your security vendor does”]
Malware Sharing Services
• There are several services you can buy or otherwise participate in to get malware.
• Virustotal’s API
• Security vendor malware sharing (give some – get some)
• A very “good thing” but has one key drawback.
Using and Abusing Automation
• There are some security solutions that sandbox “all the things”… do you know where those things end up?
• Example: Some security solutions submit everything to Virustotal just to scan files against every AV solution.
• This is stupid and you’re going to get us invaded. More soon.
Virustotal example
Virustotal
• There are several levels of API access that allow downloading of anything uploaded to VirusTotal.
• This is very useful for malware research.
• But the downside of uploading anything to VT is that ANYTHING can be uploaded.
VT Hunting
• Virustotal also allows the use of Yara for getting real-time notifications of matching files as they are uploaded.
• Yara is a pattern-matching engine for finding specific content in files.
• You can also use retrohunt to scan a small amount of historical data to get files that match your yara rules.
• Anyone who pays VT has access to this functionality wherever they are in the world.
Hunting Example
Bad Example #1
• A security vendor on a private list complained that their proprietary yara rules were available for download on VT.
• Someone had a yara rule to look for yara rules… how meta.
• Another company has something searching for password dumps on yara.
• Good news, VT will remove files for good reason on request.
Bad example #2
• Based on a vanity search, I can see people referencing my feeds.
• This includes several proprietary rules that security companies sell to detect things based on my research.
• In essence, someone’s web proxy solution submits everything to VT to check for AV hits.
Bad example #3
• What about other structured files?
• Doing a search for “----BEGIN RSA PRIVATE KEY----” yielded 10,000 hits (maximum before VT stops the search).
• Many were in binaries but there were several pure text key files.
• About 85% of those keys required NO PASSPHRASE.
• Why would you ever sandbox a text file?
Bad Example #4
• What about documents with the phrase “proprietary and confidential”?
• Again, 10,000 hits including policy documents, risk management forms, some binaries, even some paperwork from a congressional office.
Bad Example #5
• What about “Attorney-Client Privileged”?
• 850 documents, including documents from an automobile manufacturer’s vehicle safety research for litigation defense, an oil company discussing litigation strategy, a media company discussing their e-discovery strategy… list goes on.
Why does this work?
• Core tenet of data loss protection is to have consistent marking of documents.
• Consistent marking makes it easy to find policy violations.
• It also makes it easy to find those documents in the wild.
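The same markings that make DLP work can gate the automation the talk criticises: a screen that runs before any file is forwarded to an external scanning service, refusing text files and anything carrying the markers from Bad Examples #3 through #5, and flagging PEM keys that have no passphrase. This is an added example, not Fidelis code or part of the talk; the regexes generalise the talk's exact search string to other PEM key types, and the file samples are constructed.

```python
# Pre-submission screen for "sandbox all the things" automation. Added example,
# not Fidelis code; markers and samples below are constructed for illustration.
import re
from dataclasses import dataclass, field

# Markers the talk found on VT at scale. A consistently marked document is
# easy for DLP to find, and just as easy for anyone else to find once leaked.
MARKERS = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "proprietary": re.compile(rb"proprietary\s+and\s+confidential", re.I),
    "privileged": re.compile(rb"attorney[- ]client\s+privileged", re.I),
}
# Traditional PEM marks encryption with Proc-Type; PKCS#8 uses a distinct header.
ENCRYPTED_PEM = re.compile(rb"BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED")

@dataclass
class Verdict:
    submit: bool
    reasons: list = field(default_factory=list)

def looks_like_text(data: bytes, sample: int = 4096) -> bool:
    """Heuristic: no NUL bytes and mostly printable/whitespace in the head."""
    head = data[:sample]
    if not head or b"\x00" in head:
        return False
    printable = sum(1 for b in head if 32 <= b < 127 or b in b"\t\r\n")
    return printable / len(head) > 0.95

def screen(data: bytes) -> Verdict:
    """Decide whether a file may leave the org for external scanning."""
    v = Verdict(submit=True)
    for name, pat in MARKERS.items():
        if pat.search(data):
            v.reasons.append(name)
    if "private_key" in v.reasons and not ENCRYPTED_PEM.search(data):
        v.reasons.append("unencrypted_private_key")  # the 85% case from the talk
    if looks_like_text(data):
        v.reasons.append("text_file")  # nothing for a sandbox to detonate
    v.submit = not v.reasons
    return v

# Constructed samples, not real files or keys.
SAMPLES = {
    "plain_key.pem": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----\n",
    "enc_key.pem": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nabc\n-----END RSA PRIVATE KEY-----\n",
    "policy.txt": b"Internal policy v3\nPROPRIETARY AND CONFIDENTIAL\n",
    "tool.exe": b"MZ\x90\x00\x03\x00" + bytes(range(256)) * 4,
}
if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, screen(blob))
```

Only the binary sample is cleared for submission; the three text samples are held back, and the unencrypted key is called out separately so it can be rotated.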
Taking it to the next level
Source ID
• Source ID is a unique identifier for APIs or web users who upload documents.
• If sensitive data was uploaded once, likely you have a leaky source ID that would be interesting to keep looking at.
• Source ID is not directly searchable via VT.
ELK Stack to the Rescue
• The VT API returns reports for files as they are scanned and returns the metadata in JSON (including Source ID).
• Putting it into Elastic Search means you can now find every hash value submitted by a given Source.
• Interesting things come up…
• Foreign governments
• Security vendors
• One organization had their entire AD tree uploaded to VT
Wrapping it Up
• If your vendor “data mines” you, do you know where that data ends up and how it is used?
• Using VT for sandboxing is “bad”.
• Important to right-size automation to things that are suspicious, but risk may require on-prem sandboxing.
• If you leak your sensitive information into a cloud service that makes the data available for download, you likely lose all your ability to protect your competitors/adversaries from using it.
Questions & Thank You!
John Bambenek / [email protected]