Corporate Espionage without the Hassle of Committing Felonies

Thotcon Presentation by John Bambenek on how some security solutions are leaking sensitive data to the internet making it easy to spy on individuals and companies without breaking any laws.

1. Corporate Espionage… Without the Hassle of Committing Felonies
   John Bambenek, Manager of Threat Systems, Fidelis Cybersecurity
   THOTCON 0x7

2. Introduction (© Fidelis Cybersecurity)
   • Manager of Threat Systems with Fidelis Cybersecurity
   • Part-Time Faculty at University of Illinois in CS
   • Provider of open-source intelligence feeds
   • Run several takedown-oriented groups

3. Spoiler Alert

4. Problem Statement
   • We are on the losing end of an arms race.
   • Too much malware
   • Not enough analysts
   • We’re “open”, they can operate privately
   • “Global” law enforcement is hard
   • …

5. The Problem Illustrated (from Virustotal)

6. How most people solve this
   • 2 major pieces of many people’s solution:
     • Cloud
     • Automation

7. What the Cloud is Good For?
   • Lots of compute, RAM and storage available in a dynamic and flexible manner.
   • Saves the overhead of running your own datacenter.
   • My DGA feeds running in AWS, for instance.

8. Why the Cloud Sucks.

9. What automation is good for.
   • The immensity of the malware problem alone makes manual effort laughably absurd.
   • If you can reduce maliciousness to a finite number of defined patterns, you can ideally find “badness” without being in the AV signature rat-race (i.e. sandboxing).

10. Why automation sucks
   • Computers do EXACTLY what they are told.
   • Automation can be manipulated.
   • Temptation to over-automate (usually to achieve some arbitrary number) overcomes many development efforts.

11. Gratuitous Venn Diagram
   Circles: Automation, Cloud, Services. Intersection: Stupid shit your security vendor does.

12. Malware Sharing Services
   • There are several services you can buy or otherwise participate in to get malware.
     • Virustotal’s API
     • Security vendor malware sharing (give some – get some)
   • A very “good thing” but has one key drawback.

13. Using and Abusing Automation
   • There are some security solutions that sandbox “all the things”… do you know where those things end up?
   • Example: Some security solutions submit everything to Virustotal just to scan files against every AV solution.
   • This is stupid and you’re going to get us invaded. More soon.

14. Virustotal example

15. Virustotal
   • There are several levels of API access that allow downloading of anything uploaded to VirusTotal.
   • This is very useful for malware research.
   • But the downside of uploading anything to VT is that ANYTHING can be uploaded.

16. VT Hunting
   • Virustotal also allows the use of Yara for getting real-time notifications of matching files as they are uploaded.
   • Yara is a pattern-matching engine for finding specific content in files.
   • You can also use retrohunt to scan a small amount of historical data to get files that match your yara rules.
   • Anyone who pays VT has access to this functionality wherever they are in the world.

17. Hunting Example

18. Bad Example #1
   • A security vendor on a private list complained that their proprietary yara rules were available for download on VT.
   • Someone had a yara rule to look for yara rules… how meta.
   • Another company has something searching for password dumps on yara.
   • Good news: VT will remove files for good reason on request.

19. Bad Example #2

20. Bad Example #2
   • Based on a vanity search, I can see people referencing my feeds.
   • This includes several proprietary rules that security companies sell to detect things based on my research.
   • In essence, someone’s web proxy solution submits everything to VT to check for AV hits.

21. Bad Example #3
   • What about other structured files?
   • Doing a search for “----BEGIN RSA PRIVATE KEY----” yielded 10,000 hits (maximum before VT stops the search).
   • Many were in binaries but there were several pure text key files.
   • About 85% of those keys required NO PASSPHRASE.
   • Why would you ever sandbox a text file?

22. Bad Example #4
   • What about documents with the phrase “proprietary and confidential”?
   • Again, 10,000 hits including policy documents, risk management forms, some binaries, even some paperwork from a congressional office.

23. Bad Example #5
   • What about “Attorney-Client Privileged”?
   • 850 documents, including documents from an automobile manufacturer’s vehicle safety research for litigation defense, an oil company discussing litigation strategy, a media company discussing their e-discovery strategy… the list goes on.

24. Why does this work?
   • A core tenet of data loss protection is to have consistent marking of documents.
   • Consistent marking makes it easy to find policy violations.
   • It also makes it easy to find those documents in the wild.

25. Taking it to the next level

26. Source ID
   • Source ID is a unique identifier for API or web users who upload documents.
   • If sensitive data was uploaded once, you likely have a leaky Source ID that would be interesting to keep looking at.
   • Source ID is not directly searchable via VT.

27. ELK Stack to the Rescue
   • The VT API returns reports for files as they are scanned and returns the metadata in JSON (including Source ID).
   • Putting it into Elasticsearch means you can now find every hash value submitted by a given Source.
   • Interesting things come up…
     • Foreign governments
     • Security vendors
     • One organization had their entire AD tree uploaded to VT

28. Wrapping it Up
   • If your vendor “data mines” you, do you know where that data ends up and how it is used?
   • Using VT for sandboxing is “bad”.
   • It is important to right-size automation to things that are suspicious, but risk may require on-prem sandboxing.
   • If you leak your sensitive information into a cloud service that makes the data available for download, you likely lose all your ability to protect it from being used by your competitors/adversaries.
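The "right-size automation" point above, as an added example (not code from the talk or from any vendor): a pre-submission gate that an automated "sandbox all the things" pipeline would run before forwarding a file to a cloud scanner. The marker strings are the ones the slides show leaking; the file-type heuristics, the choice to allow only PE/ELF, and the sample inputs are assumptions and constructed data.

```python
"""Pre-submission gate for a cloud-sandbox pipeline (added example, not from
the talk). Marker strings come from the slides; file-type heuristics, the
PE/ELF-only allow list and the sample inputs are assumptions/constructed."""
import re

# Consistent DLP marking makes these trivial to match for us, exactly as it
# does for anyone hunting on VT once the file has been uploaded.
SENSITIVE_MARKERS = (
    b"BEGIN RSA PRIVATE KEY",
    b"BEGIN PRIVATE KEY",          # assumption: PKCS#8 keys leak the same way
    b"proprietary and confidential",
    b"attorney-client privileged",
)
# Only formats a malware sandbox exists for (assumption: PE and ELF). Office
# and PDF documents are what leaked, so anything else is held for on-prem.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")

def looks_like_text(data: bytes) -> bool:
    """Heuristic: first 4 KiB is NUL-free and >95% printable ASCII."""
    sample = data[:4096]
    if not sample or b"\x00" in sample:
        return False
    printable = sum(1 for b in sample if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(sample) > 0.95

def find_markers(data: bytes) -> list:
    """Case-insensitive search for every marker present in the raw bytes."""
    return [m.decode() for m in SENSITIVE_MARKERS
            if re.search(re.escape(m), data, re.IGNORECASE)]

def gate(data: bytes) -> tuple:
    """Return (allow, reason). Sensitivity markers win over file type."""
    markers = find_markers(data)
    if markers:
        return False, "sensitive marker: " + ", ".join(markers)
    if looks_like_text(data):
        return False, "plain text, nothing to sandbox"
    if not data.startswith(EXECUTABLE_MAGIC):
        return False, "unrecognised format, hold for on-prem analysis"
    return True, "executable-like, no markers"

# Constructed sample inputs (not real files).
SAMPLES = {
    "key.pem": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n",
    "memo.txt": b"Internal planning notes, draft 3.\n",
    "policy.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16 + b"Proprietary and Confidential",
    "dropper.exe": b"MZ\x90\x00\x03\x00" + b"\x00" * 58 + b"PE\x00\x00",
}

def run_gate_on_samples() -> dict:
    """Decision per sample; only dropper.exe should reach the cloud scanner."""
    return {name: gate(data) for name, data in SAMPLES.items()}
```

Markers inside zipped Office formats (docx, xlsx) are not visible in the raw bytes, which is one more reason the gate holds unrecognised formats on-prem rather than forwarding them.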
29. Questions & Thank You!
   John Bambenek / john.bambenek@fidelissecurity.com
