
154 points mellosouls | 2 comments
isatsam ◴[] No.45184197[source]
I don't work in cybersecurity and, after looking at the site's homepage, couldn't exactly figure out from all the buzzwords what exactly this product is. The most concerning takeaway from this article for me is that the maintainers of Huntress (whatever it is) can keep a log of, as well as personally access, the users' browser history, history of launched executables, device's hostname, and presumably a lot of other information. How is this product not a total security nightmare?
1. xp84 ◴[] No.45185111[source]
I was also frustrated by this. I got about 25% of the way in and was annoyed that they still did such a poor job of communicating what their product is. An advertorial like this can often save the "And that's why Our Product is so great, it can protect you from attacks like these!" for the end, but here, where the article is about how merely installing their product gives Huntress the company full access to everything you do, it leaves me with more questions than answers.

As a corporate IT tool, I can see how Huntress ought to allow my IT department or my manager or my corporate counsel access to my browser history and everything I do, but I'm even still foggy on why Huntress grants themselves that level of access automatically.

Sure, a peek into what the bad guys do is neat, and the actual person here doesn't deserve privacy for his crimes, but I'd love a much clearer explanation of why they were able to do this to him and how, if I were an IT manager choosing to deploy this software, someone who works at Huntress wouldn't be able to just pull up one of my employees' browser history or do any other investigating of their computers.

2. viccis ◴[] No.45185248[source]
Their product is advertised as "Managed EDR". That usually means they employ a SOC that will review alerts and then triage and orchestrate responses accordingly. The use case here is when your IT manager chooses to deploy this and give them full visibility into your assets because your company wants to effectively outsource security response.

It's a relatively common model, with MDR and MSSP providers doing similar things. I don't see it as much with EDR providers though.