←back to thread

An attacker’s blunder gave us a look into their operations

(www.huntress.com)
154 points mellosouls | 4 comments | 09 Sep 25 15:42 UTC | HN request time: 0.604s | source
Show context
isatsam ◴[09 Sep 25 16:17 UTC] No.45184197[source]
I don't work in cybersecurity and, after looking at the site's homepage, couldn't exactly figure out from all the buzzwords what exactly is this product. The most concerning takeaway from this article for me is that the maintainers of Huntress (whatever it is) can keep a log of, as well as personally access, the users' browser history, history of launched executables, device's hostname, and presumably a lot of other information. How is this product not a total security nightmare?
replies(12): >>45184282 #>>45184376 #>>45184533 #>>45184902 #>>45185067 #>>45185111 #>>45185367 #>>45185677 #>>45185868 #>>45185950 #>>45186020 #>>45190165 #
d4mi3n ◴[09 Sep 25 16:28 UTC] No.45184376[source]
It's definitely not a product for an individual user. Controls like this are useful in certain arenas where you need total visibility of corporate devices. As with any highly privileged tool or service, compromise of it can be a big problem. That said, the goal with tools like this is to usually lock down and keep a close eye on company issued laptops and the like so you know when one gets stolen, hit by some malware, or somebody does things with it they aren't allowed to be doing (e.g. exfiltrating corp data, watching porn at work, running unauthorized executable, connecting to problematic networks, etc.).

As an example, if you're at a FedRAMP High certified service provider, the DoD wants to know that the devices your engineers are using to maintain the service they pay for aren't running a rootkit and that you can prove that said employee using that device isn't mishandling sensitive information.

replies(1): >>45185452 #
isatsam ◴[09 Sep 25 17:36 UTC] No.45185452[source]
This makes sense, but in this case, isn't the company behind Huntress having direct access to this data still a problem? For example, if the government purchased Outlook licenses, I'd assume DoD can read clerks' emails, but Microsoft employees can't. I imagine worst case compromising a lot of Huntress' users is just a question of compromising of its developers, like one of the people in the authors section of this article.
replies(4): >>45186517 #>>45186821 #>>45190699 #>>45194684 #
1. evanjrowley ◴[09 Sep 25 18:36 UTC] No.45186517[source]
Many businesses outsource their SOC to third parties like Huntress, Carbon Black, SentinelOne, all of whom offer very fancy Endpoint Detection and Respone (EDR) tools. Just about every EDR solution is a Cloud/SaaS offering provided either directly or indirectly through a third party Managed Service Provider (MSP). We call this Managed Detection and Respone (MDR). From technical and privacy standpoints, it probably sounds like a huge risk, but it's also worth acknowledging that EDR companies operate immense threat intelligence platforms through real-time monitoring of customers. From a C-suite perspective, it makes a lot of sense to offload the specializations of real-time protection and malware analysis to EDR solutions. There are risk managers who have quantified the risk tolerance for these types of products/arrangements. The company legal department, the CFO, and the board of directors are all satisfied with the EDR solutions placement on the Gartner quadrant and SOC Type 3 report saying the EDR provider follows best practices. Sometimes it's even a requirement for "cyber insurance" which a business may need depending on the industry. For better or for worse, EDR is how most institutions secure their IT infrastructure today.
replies(1): >>45190710 #
2. rcxdude ◴[09 Sep 25 23:07 UTC] No.45190710[source]
For worse, I would say. This kind of thing is about accountability shuffling and not at all about improving security.
replies(2): >>45191157 #>>45191219 #
3. cybergreg ◴[09 Sep 25 23:50 UTC] No.45191157[source]
Huh? Small and medium sized businesses have how much to spend on security? Let alone IT?
4. NegativeK ◴[09 Sep 25 23:56 UTC] No.45191219[source]
I'm concerned that you're not familiar with EDR and organizations who flat out can't build a full 24/7 SOC. Which is the vast majority of businesses.

EDR is a rootkit based on the idea that malware hashes are useless, and security needs to get complete insight into systems after a compromise. You can't root out an attacker with persistence without software that's as invasive as the malware can get.

And a managed SOC is shifting accountability to an extent because they are often _far_ cheaper than the staff it takes to have a 24/7 SOC. That's assuming you have the talent to build a SOC instead of paying for a failed SOC build. Also, don't forget that you need backup staff for sick leave and vacation. And you'll have to be constantly hiring due to SOC burnout.

If all of this sounds like expensive band-aids instead of dealing with the underlying infection, it is. It's complex solutions to deal with complex attackers going after incredibly complex systems. But I haven't really heard of security solutions that reduce complexity and solve the deep underlying problems.

Not even theoretical solutions.

Other than "unplug it all".