←back to thread

An attacker’s blunder gave us a look into their operations

(www.huntress.com)
154 points mellosouls | 1 comments | 09 Sep 25 15:42 UTC | HN request time: 0.001s | source
Show context
isatsam ◴[09 Sep 25 16:17 UTC] No.45184197[source]
I don't work in cybersecurity and, after looking at the site's homepage, couldn't exactly figure out from all the buzzwords what exactly is this product. The most concerning takeaway from this article for me is that the maintainers of Huntress (whatever it is) can keep a log of, as well as personally access, the users' browser history, history of launched executables, device's hostname, and presumably a lot of other information. How is this product not a total security nightmare?
replies(12): >>45184282 #>>45184376 #>>45184533 #>>45184902 #>>45185067 #>>45185111 #>>45185367 #>>45185677 #>>45185868 #>>45185950 #>>45186020 #>>45190165 #
cbisnett ◴[09 Sep 25 17:30 UTC] No.45185367[source]
Thanks for the feedback on not understanding what we sell from the homepage. We sell an Endpoint Detection and Response (EDR) product that we manage with our 24/7 SOC. To perform the investigations on potentially malicious activity, we can fetch files from the endpoint and review them. We log all of this activity and make it available to our customers. We are an extension of their security team, which means they trust us with this access. We’ve been doing this for more than 10 years and have built up a pretty good reputation, but I can see how that would freak some folks out. We also sell to businesses, so this is something that would be installed on a work computer.
replies(3): >>45185521 #>>45185882 #>>45187740 #
1. viccis ◴[09 Sep 25 19:47 UTC] No.45187740[source]
>We are an extension of their security team, which means they trust us with this access

So if <bad actor> in this writeup read your pitch and decided to install your agent to secure their attack machine, it sounds like they "trusted you with this access". You used that access to surveil them, decide that you didn't approve of their illegal activity, and publish it to the internet.

Why should any company "trust you with this access"? If one of your customers is doing what looks to one of your analysts to be cooking their books, do you surveil all of that activity and then make a blog post about them? "Hey everyone here, it's Huntress showing how <company> made the blunder of giving us access to their systems, so we did a little surprise finance audit of them!"