HackerOne: Hacked from the Inside

When it comes to hackers exploiting vulnerabilities in their software, organizations have two choices: 

They can fight the multi-headed hydra — or they can try to buy them off. 

And thus was born the bug bounty. 

Of course the situation is a bit more complicated than that, but ever since Peiter C. Zatko — better known as Mudge of the OG L0pht crew — traded in his hoodie for a suit and tie, every organization has sought to hire the hackers who are so talented at breaking into systems, in the hope that they can defend those systems better.

Since then, a number of companies have come up to harness the power of the hacker community, giving these folks a legal payday and helping their customers to stay ahead of those hackers who are less scrupulous. The best known of these firms are HackerOne and Bugcrowd. 

Their business model is basically that hackers find vulnerabilities in organizations’ software and then report them to these firms, who then pass them onto their clients who have hired them to run their bug bounty programs. They are essentially trusted vulnerability brokers, playing an important role in helping their clients improve their security. 

Because of this trusted status, it came as a bit of a surprise when stories started circulating last month that HackerOne had terminated one of their employees for malicious insider activity.

According to the reports, the employee was allegedly accessing vulnerabilities reported by other researchers, stealing them, and then submitting them to those clients independently for his own financial gain. 

It was only when one of these clients reported that they were being approached by someone sending aggressive messages to them that HackerOne stepped in and performed a rapid investigation that led them to the alleged perpetrator. For a solid write up of the whole story as we know it at this point, check out Ionut Ilascu’s story about it in Bleeping Computer.

While it appears that the insider only managed to carry out a handful of these stolen bug reports during his short period of employment, this incident has caused HackerOne a considerable amount of embarrassment and may yet have further implications for their business.

Who Are Insider Threats and Why Do They Pose Added Risks?

Every organization can find itself impacted by an insider threat: someone who is part of the organization and is trusted with some level of access to the resources inside it. 

It is exactly this implicit trust that makes the insider so risky for the organization. An insider knows exactly what is valuable, where to find it, and in many cases, will have at least partial access granted to them to reach that data. 

This last point is crucial because it hits on the balance between trust and security that every organization has to confront. Without access to resources, workers cannot perform their duties. But every bit of extra access means that a suitably motivated malicious employee can reach more resources, potentially causing more damage. 

In most cases, insider threats are caused by financial motivations. This can be stealing money, or records that can be sold. A well placed insider may also help external hackers to target their organization. 

Alternatively, the insider may want to cause damage to the organization if he or she is disgruntled and seeks revenge. A well placed leak of data, or simply destroying it, may seem appealing if they have an ax to grind.  

And these incidents can cause damage, especially when the organization hit with the insider incident trades in security and trust as core elements of their business.

Implications of an Insider Threat Inside a Security Company

For HackerOne, this story impacts them from a number of angles.

Starting off, HackerOne’s current and future customers are likely to have concerns. 

In many ways, this case, where the insider allegedly used the vulnerabilities to collect extra bounties, was a best-case scenario. An even worse one could have seen this person either use the vulnerabilities himself or sell them to other hackers. If I were a company using, or considering using, a bug bounty company's services, I would question their ability to keep my data secure. 

There is a second base that HackerOne has to appeal to beyond their customers — and that is the hacker/security researcher community. If the community does not feel that HackerOne is going to handle their submissions correctly, then they may decide that they are better off working with a competitor like Bugcrowd. 

It is still early days, so the question of litigation over data privacy and other concerns is still very much up in the air. 

In any event, HackerOne is likely to face additional scrutiny because trust and security are such key components of their work. If their customer and sourcing bases feel that HackerOne has foxes watching the hen house, then we may see longer-term negative implications. Hopefully not, though.

Given the potential for serious adverse effects from an insider threat, there are a number of steps that organizations can take to cut some of their risk.

3 Tips for Reducing the Risk of an Insider Threat

No attack, internal or external, is ever going to be 100% stoppable. But there are more than a few ways that we can work to mitigate some of the risk and damage that can result from an attack.

  1. Principle of Least Privilege

Returning to the idea that we have a balance between access and security, the Principle of Least Privilege holds that a person should have just enough access to do their job, and not an iota more. 

In practice, this means making sure that users have access only to the specific resources they need for their normal work. If additional resources are required, grant them only for that limited time, and only after verifying that they really are needed. When that out-of-the-ordinary task is complete, be sure to revoke the access. 

The idea here is that even if an individual decides to abuse their access rights, then the amount of damage that they can do will be limited in scope.  
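To make the three rules above concrete (a small standing set of resources, time-boxed grants for anything extra, and revocation when the task is done), here is an added example of an in-memory access policy. It is not HackerOne's or Teramind's code; the user, resource and approver names are constructed, and the model is a hypothetical one written for this article.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Hypothetical in-memory access model, constructed for this example: a user
# carries a small standing set of resources for routine work, and anything
# beyond it is a time-boxed grant that needs a separate approver and a
# recorded justification.


@dataclass
class TemporaryGrant:
    resource: str
    granted_at: datetime
    expires_at: datetime
    approved_by: str
    justification: str
    revoked: bool = False


@dataclass
class AccessPolicy:
    standing: Dict[str, Set[str]] = field(default_factory=dict)
    grants: Dict[str, List[TemporaryGrant]] = field(default_factory=dict)
    audit: List[Tuple] = field(default_factory=list)  # (event, user, resource, approver, when)

    def grant_temporary(self, user, resource, approver, justification, hours, now=None):
        """Grant `resource` to `user` for `hours`; self-approval and empty justifications are refused."""
        now = now or datetime.now(timezone.utc)
        if approver == user:
            raise PermissionError("a user cannot approve their own elevated access")
        if not justification.strip():
            raise ValueError("elevated access needs a recorded justification")
        grant = TemporaryGrant(resource, now, now + timedelta(hours=hours), approver, justification)
        self.grants.setdefault(user, []).append(grant)
        self.audit.append(("grant", user, resource, approver, now))
        return grant

    def revoke(self, user, resource, now=None):
        """Revoke every live grant of `resource` for `user`; returns how many were revoked."""
        now = now or datetime.now(timezone.utc)
        revoked = 0
        for grant in self.grants.get(user, []):
            if grant.resource == resource and not grant.revoked:
                grant.revoked = True
                revoked += 1
        self.audit.append(("revoke", user, resource, None, now))
        return revoked

    def can_access(self, user, resource, now=None):
        """Standing access always applies; temporary access only while unrevoked and unexpired."""
        now = now or datetime.now(timezone.utc)
        if resource in self.standing.get(user, set()):
            return True
        return any(g.resource == resource and not g.revoked and g.expires_at > now
                   for g in self.grants.get(user, []))

    def sweep_expired(self, now=None):
        """Drop expired or revoked grants and return them, so expiry is logged, not silently assumed."""
        now = now or datetime.now(timezone.utc)
        dropped = []
        for user, grants in self.grants.items():
            keep = []
            for g in grants:
                if g.expires_at > now and not g.revoked:
                    keep.append(g)
                else:
                    dropped.append((user, g))
                    self.audit.append(("expire", user, g.resource, None, now))
            self.grants[user] = keep
        return dropped


if __name__ == "__main__":
    # Constructed walk-through: a triager normally sees only the triage queue,
    # gets four hours on one program's report archive, then loses it again.
    t0 = datetime(2022, 7, 1, 9, 0, tzinfo=timezone.utc)
    policy = AccessPolicy(standing={"triager": {"triage-queue"}})
    policy.grant_temporary("triager", "program-x/reports", "team-lead",
                           "duplicate check for ticket 42", hours=4, now=t0)
    print(policy.can_access("triager", "program-x/reports", t0 + timedelta(hours=1)))
    print(policy.can_access("triager", "program-x/reports", t0 + timedelta(hours=5)))
    for entry in policy.audit:
        print(entry)
```

The audit list is the part that matters operationally: every grant, revocation and expiry is recorded with who approved it, which is what a later review of "who could reach this report, and why" has to answer.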

  2. Use Tools to Monitor for Changes in Behavior

Most of us access and interact with the same set of apps and resources day to day. Those patterns of normal behavior form a baseline that can be analyzed and tracked. 

By adopting tools that monitor user behavior and pick up on deviations from that baseline, we improve our chances of spotting activity that may indicate an insider acting in a way that could harm the organization. 

Detecting these suspicious behavioral trends can give the organization the early warning that they need to catch illicit data access or exfiltration in time to prevent serious damage.

  3. Monitor for Data Transfers

Even if an employee is only accessing data that they have access to, organizations still have to ensure that they are not performing unauthorized interactions with that information that could put it at risk. 

Important indicators to watch for are an employee sending files or other data out to their private email accounts, using services like WeTransfer, or even copying files onto flash drives. 

While there are plenty of legitimate purposes where a person may access their work via personal accounts like Gmail, it adds risks that many organizations may find unacceptable for their risk tolerance. 
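Tips 2 and 3 above describe two detections that belong together: a per-user baseline of how many reports someone normally reads, and the outbound channels (personal mail, WeTransfer-style services, flash drives) through which data leaves. Here is an added example that runs both over a constructed audit log and correlates them per user. It is not HackerOne's or Teramind's code: the event format, the corporate domain `example-corp.test`, the user names and the thresholds are all assumptions made for this example, and the log lines are constructed, not real bug-report data.

```python
import json
import statistics
from collections import defaultdict
from urllib.parse import urlparse

# Assumptions for this example: the organization's own mail domain, and the
# file-sharing hosts it wants to watch (WeTransfer is the one the article
# names; the second is an illustrative addition).
CORPORATE_DOMAINS = {"example-corp.test"}
FILE_SHARING_HOSTS = {"wetransfer.com", "mega.nz"}


def _views(user, day, count):
    """Constructed helper: `count` view_report events for `user` on June `day`."""
    return [json.dumps({"ts": f"2022-06-{day:02d}", "user": user,
                        "action": "view_report", "report": f"R-{day}{i:02d}"})
            for i in range(count)]


# Constructed sample audit log, one JSON object per line. Days 1-5 are routine
# triage for both users; on day 6 triager_a reads ten times the usual number of
# reports and then moves data out, while triager_b's day looks normal apart
# from one USB write. A corrupt line is included to exercise the parser.
SAMPLE_LOG = "\n".join(
    sum((_views("triager_a", d, n) for d, n in enumerate((3, 4, 3, 4, 3, 40), 1)), [])
    + sum((_views("triager_b", d, n) for d, n in enumerate((5, 5, 6, 5, 5, 6), 1)), [])
    + [
        json.dumps({"ts": "2022-06-06", "user": "triager_a", "action": "email_send",
                    "to": "someone@gmail.com", "attachment": "R-601.pdf"}),
        json.dumps({"ts": "2022-06-06", "user": "triager_a", "action": "http_upload",
                    "url": "https://wetransfer.com/upload", "bytes": 2400000}),
        json.dumps({"ts": "2022-06-06", "user": "triager_b", "action": "email_send",
                    "to": "lead@example-corp.test", "attachment": "weekly.xlsx"}),
        json.dumps({"ts": "2022-06-06", "user": "triager_b", "action": "usb_write",
                    "device": "/dev/sdb1", "file": "R-605.pdf"}),
        "not json at all",
    ]
)


def parse_log(text):
    """Parse one JSON event per line; blank or malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def daily_view_counts(events):
    """user -> {day -> number of reports viewed}."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.get("action") == "view_report":
            counts[e["user"]][e["ts"]] += 1
    return counts


def baseline_outliers(events, baseline_days=5, sigma=3.0):
    """Fit each user's mean and stdev of daily views over the first `baseline_days`,
    then flag later days above mean + sigma*stdev AND above twice the mean
    (the second guard stops a near-flat baseline from alerting on +1)."""
    flagged = []
    for user, per_day in daily_view_counts(events).items():
        days = sorted(per_day)
        base = [per_day[d] for d in days[:baseline_days]]
        if len(base) < 2:
            continue
        threshold = max(statistics.mean(base) + sigma * statistics.pstdev(base),
                        2 * statistics.mean(base))
        flagged.extend((user, d, per_day[d]) for d in days[baseline_days:]
                       if per_day[d] > threshold)
    return flagged


def transfer_indicators(events):
    """Flag the channels the article names: mail to non-corporate addresses,
    uploads to file-sharing services, and writes to removable media."""
    hits = []
    for e in events:
        user, action = e.get("user"), e.get("action")
        if action == "email_send":
            domain = e.get("to", "").rsplit("@", 1)[-1].lower()
            if domain not in CORPORATE_DOMAINS:
                hits.append((user, "email_to_external_domain", e.get("to")))
        elif action == "http_upload":
            host = (urlparse(e.get("url", "")).hostname or "").lower()
            if host in FILE_SHARING_HOSTS or any(host.endswith("." + h) for h in FILE_SHARING_HOSTS):
                hits.append((user, "upload_to_file_sharing_service", host))
        elif action == "usb_write":
            hits.append((user, "write_to_removable_media", e.get("file")))
    return hits


def correlate(text):
    """Per user: was read volume abnormal, and which transfer channels fired?
    Both together is the pattern worth an analyst's immediate attention."""
    events = parse_log(text)
    abnormal = {user for user, _, _ in baseline_outliers(events)}
    report = defaultdict(lambda: {"abnormal_volume": False, "transfers": []})
    for user in abnormal:
        report[user]["abnormal_volume"] = True
    for user, reason, _ in transfer_indicators(events):
        report[user]["transfers"].append(reason)
    return dict(report)


if __name__ == "__main__":
    for user, findings in correlate(SAMPLE_LOG).items():
        print(user, findings)
```

Neither signal is conclusive on its own: a single external e-mail is routine for many people, and a spike in reports read may be a busy day. The correlation step is what turns two noisy indicators into the one case (abnormal volume followed by outbound transfer) that an analyst should look at first.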

Where Does HackerOne Go From Here?

HackerOne serves an important role in the security community. While this insider incident has been a knock, my prediction is that they will learn from this experience and implement even stronger controls moving forward to keep this from happening again.

Looking at their next steps, we can expect them to perform audits more often, checking for signs that something may be amiss. 

Thankfully, we saw that once they had an indication that they had a malicious insider, they took swift and decisive action. 

At the same time, we can also expect the company to refocus on how they engage with their team to ensure that their people develop and maintain a commitment to their mission and team success. Building loyalty to the organization is a critical point in helping to reduce the chance that an insider may decide to take harmful actions.  

Hopefully, the team there will be able to restore customer and researcher community trust quickly via a high level of transparency over the steps that they are taking to improve their internal monitoring processes. 

With the right tools and practices, they should be able to regain confidence that they are a trustworthy security vendor and can get back to focusing on the work of helping their customers stay a step ahead of all those hackers who are still out there on the dark side.



Isaac Kohen