HackerOne: hacked from within

When it comes to hackers exploiting vulnerabilities in their software, organizations have two choices:

They can fight the many-headed hydra – or they can try to buy them off.

And so the bug bounty was born.

Of course, the situation is a little more complicated than that, but since Peiter C. Zatko – better known as Mudge of the OG L0pht team – swapped his hoodie for a suit and tie, every organization has sought to hire the hackers who are so good at breaking into systems, in the hope of better defending those systems.

Since then, a number of companies have harnessed the power of the hacker community, offering these people a legal salary and helping their customers stay one step ahead of less scrupulous hackers. The best known of these firms are HackerOne and Bugcrowd.

Their business model is basically that hackers find vulnerabilities in organizations’ software and then report them to those companies, who then pass them on to their clients who have hired them to run their bug bounty programs. They are essentially trusted vulnerability brokers, playing an important role in helping their customers improve their security.

Because of this trusted status, it came as a bit of a surprise when stories started circulating last month that HackerOne fired one of its employees for malicious insider activity.

According to reports, the employee accessed vulnerabilities reported by other researchers, stole them, and then independently submitted them to those customers for his own financial gain.

It wasn’t until one of these customers reported that they were being approached by someone sending them aggressive messages that HackerOne stepped in and conducted a quick investigation that led them to the alleged perpetrator. For a solid write-up of the whole story as we know it at this point, check out Ionut Ilascu’s story about it in Bleeping Computer.

Although it appears that the insider only managed to make a handful of these stolen bug reports during his short tenure, this incident caused HackerOne a great deal of embarrassment and may yet have other implications for its business.

Who are insider threats and why they pose additional risks

Every organization can find itself impacted by an insider threat: someone who is part of the organization and is trusted with some level of access to resources within it.

It is precisely this implicit trust that makes the insider so risky to the organization. An insider knows exactly what is of value, where to find it, and in many cases will already have been granted at least partial access to that data.

This last point is crucial because it affects the balance between trust and security that any organization will have to deal with. Without access to resources, workers cannot perform their duties. But each additional access means a properly motivated malicious employee can access more resources, potentially causing more damage.

In most cases, insider threats are caused by financial motivations. It can be theft of money or records that can be sold. A well-placed insider can also help external hackers target their organization.

Alternatively, the insider may want to cause damage to the organization if they are disgruntled and seek revenge. A well-placed data leak, or simply destroying the data, can look appealing to someone with an ax to grind.

And these incidents can cause damage, especially when the organization affected by the insider incident makes security and trust core to its business.

Implications of an insider threat inside a security company

For HackerOne, this story impacts them from several angles.

Initially, current and future HackerOne customers are likely to have concerns.

In many ways, this case, where the insider used the vulnerabilities to gain additional bounties, was the best-case scenario. A worse outcome would have seen that person exploiting the vulnerabilities themselves or selling them to other hackers. If I were a business using or considering using the services of a bug bounty company, I would question their ability to protect my data.

There is a second base that HackerOne needs to appeal to beyond its customers – and that is the hacker/security research community. If the community doesn’t think HackerOne is going to handle their submissions properly, then they may decide it’s better to work with a competitor like Bugcrowd.

It’s still early days, so questions about data privacy disputes and other concerns are still very much up in the air.

In any case, HackerOne is likely to come under more scrutiny, as trust and security are essential parts of their job. If their customer and researcher bases believe that HackerOne has foxes watching the henhouse, we could see longer-term negative implications. Let’s hope not.

Given the potential for serious adverse effects from an insider threat, organizations can take a number of steps to reduce some of their risks.

3 tips to reduce the risk of an insider threat

No attack, internal or external, can ever be 100% stopped. But there are several ways to work to mitigate some of the risk and damage that can result from an attack.

  1. Principle of least privilege

Going back to the idea that we have a balance between access and security, the principle of least privilege states that a person should have just enough access to do their job, and not one iota more.

In practice, this means ensuring that users only have access to the specific resources they need to perform their normal work. If additional resources are needed, grant them only for the limited time required, after verifying that they are really needed. When this unusual task is complete, be sure to revoke the access.

The idea here is that even if an individual decides to abuse their access rights, the amount of damage they can cause will be limited.

  2. Use tools to monitor behavior change

Most of us access and interact with the same set of general applications and resources. We create patterns of normal behavior that can form a baseline of user behavior that can be analyzed and tracked.

By adopting tools that allow us to monitor user behavior and detect those that are out of the ordinary, we increase our chances of detecting suspicious behavior that may indicate that an insider is acting in a way that may harm the organization.

Detecting these suspicious behavioral patterns can give the organization the early warning it needs to detect illicit data access or exfiltration in time to prevent serious harm.
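As an added example (not code from the original post or from HackerOne), the two checks below run over a constructed audit log of report accesses: an out-of-scope check that enforces the least-privilege assignment from tip 1, and a per-user volume baseline that flags a sudden jump in report accesses as described in tip 2. The log entries, user names, program names and assignment table are all made up for the illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed audit-log sample (not real HackerOne data): one entry per report
# access as (day, user, program, report_id). Days d1-d5 form the baseline
# window; d6 is the day judged against that baseline.
SAMPLE_LOG = [
    ("d1", "alice", "acme", "r101"), ("d1", "alice", "acme", "r102"),
    ("d2", "alice", "acme", "r103"), ("d3", "alice", "acme", "r104"),
    ("d4", "alice", "acme", "r105"), ("d5", "alice", "acme", "r106"),
    ("d1", "bob", "globex", "r201"), ("d2", "bob", "globex", "r202"),
    ("d3", "bob", "globex", "r203"), ("d4", "bob", "globex", "r204"),
    ("d5", "bob", "globex", "r205"),
    # d6: alice works as usual; bob pulls far more reports than normal,
    # including reports from a program he is not assigned to.
    ("d6", "alice", "acme", "r107"),
    ("d6", "bob", "globex", "r206"), ("d6", "bob", "globex", "r207"),
    ("d6", "bob", "acme", "r101"), ("d6", "bob", "acme", "r102"),
    ("d6", "bob", "acme", "r103"), ("d6", "bob", "acme", "r104"),
]
# Hypothetical assignment table: the programs each triager may work on.
ASSIGNED = {"alice": {"acme"}, "bob": {"globex"}}


def out_of_scope(log, assigned):
    """Least-privilege check: accesses to reports outside the user's assigned programs."""
    return [(day, user, program, rid) for day, user, program, rid in log
            if program not in assigned.get(user, set())]


def per_user_daily_counts(log):
    """Build {user: {day: number of report accesses}} from the log."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, _program, _rid in log:
        counts[user][day] += 1
    return counts


def volume_anomalies(log, baseline_days, target_day, factor=3.0):
    """Flag users whose accesses on target_day exceed factor x their baseline daily mean."""
    flagged = {}
    for user, by_day in per_user_daily_counts(log).items():
        baseline = mean(by_day.get(d, 0) for d in baseline_days)
        today = by_day.get(target_day, 0)
        if baseline and today > factor * baseline:
            flagged[user] = (today, baseline)
    return flagged


if __name__ == "__main__":
    print("out of scope:", out_of_scope(SAMPLE_LOG, ASSIGNED))
    print("volume anomalies:", volume_anomalies(SAMPLE_LOG, ["d1", "d2", "d3", "d4", "d5"], "d6"))
```

In a real deployment the baseline window would be weeks rather than days and the threshold tuned per role, but the shape of the check (scope violation plus deviation from the user's own history) is the same.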

  3. Monitor for data transfer

Even if an employee only accesses the data they are authorized to access, organizations must still ensure that they do not perform unauthorized interactions with this information that could put the organization at risk.

Important metrics to watch are whether the employee is sending files or other types of data to their private email accounts, using services like WeTransfer, or even downloading files to USB drives.

While there are many legitimate reasons for someone to access their work through personal accounts such as Gmail, it adds risks that many organizations may find unacceptable to their risk tolerance.

Where does HackerOne go from here?

HackerOne plays an important role in the security community. While this insider incident was a blow, I predict they will learn from this experience and implement even tighter controls to prevent it from happening again.

Looking at their next steps, we can expect them to do more audits more regularly, checking for signs that something is wrong.

Fortunately, we saw that once they got the indication they had the malicious insider, they took quick and decisive action.

At the same time, we can also expect the company to refocus on how it engages with its team to ensure that its employees develop and maintain a commitment to their mission and the success of their team. Building loyalty to the organization is a critical point in reducing the risk of an insider deciding to take harmful action.

Hopefully, the team will be able to quickly restore the trust of the client and research community through a high level of transparency on the steps they are taking to improve their internal monitoring processes.

With the right tools and practices, they should be able to regain confidence that they are a trustworthy security vendor and can focus on the job of helping their customers stay ahead of all those hackers who are still out there on the dark side.
