Posted by George Prichici / August 11, 2017
Earlier this week, cyber security firm DirectDefense made some fairly serious allegations about Carbon Black's Cb Response product, claiming that the product was "the world's largest pay-for-play data exfiltration botnet." However, the issue was not with Carbon Black's product, but rather with an optional, disabled-by-default feature that uploaded sensitive files to a free third-party service – VirusTotal.
Though the initial accusations directed at Carbon Black appear to be unfounded or exaggerated to say the least, this incident did bring to light the danger of exposing data to third-party cloud anti-malware services, especially if those services offer publicly available threat data repositories. I'd like to provide some clarity and context to this week's news. How did Carbon Black customer data get exposed, and why did it happen?
The answer starts with a discussion of endpoint security solutions, and of the popular multi-scanner VirusTotal.
Third-Party Sources in Endpoint Security Solutions
Endpoint security is a fast-growing market. Tools for incident response or endpoint detection and response (EDR) are widely deployed and used to optimize and automate the visibility of the organization, speeding up incident response.
Even though such solutions are usually used as a complement to local anti-malware software, some players have taken their solutions to the next level, using different detection mechanisms in order to offer a true replacement for local anti-malware. Some of them rely exclusively on machine-learning algorithms, but some still rely on third-party sources that provide data on file reputation – reputation usually built on top of the analysis provided by the anti-malware vendors.
One example of such a third-party source is VirusTotal, which allows its customers to analyze files and retrieve analysis results in order to decide if a file is malicious or not.
Once again, I would like to emphasize that this discussion is a generic overview – we are not talking about our partner, Carbon Black.
Why not VirusTotal?
Here's the problem: Analyzing files with VirusTotal means that you are making those files publicly available.
In theory, this is for the greater good, since those files can be retrieved by malware analysts in order to adjust the detection of their own products. This feature is available to be purchased not only by contributors of the cloud service, but by any commercial users.
Getting access to VirusTotal's data is simple. The issue is what you can find there. Exercise your YARA skills and the repository is an open vault – sensitive information is available to anyone who knows where to search (e.g. confidential Homeland Security and FBI documents).
We just saw an example of this in DirectDefense's accusations of data leakage by Carbon Black. Anyone who dug past the provocative headlines knows that the issue was not that Carbon Black had leaked customer data – rather, Carbon Black customers had enabled an optional feature in Cb Response to upload files to VirusTotal for scanning, thereby exposing potentially sensitive files to public view via VirusTotal.
Why You Cannot Rely on Hashes, Whitelists and Blacklists, or File Reputation
Relying on a predefined list of hashes is not a good approach. Application control is one thing, but data varies and repackaging the same malware will easily bypass a hash check. This is why it makes sense to do a deep analysis of all the data seen.
"Data" is a very generic term, but so is "data leakage." Sharing any file outside of your organization is always a huge risk and in many cases, a violation of regulations.
Benefits of Hybrid Model (Cloud EDR with On-Premises Analysis)
In general, a solution that leverages cloud data is faster, since it has access to all the data of the centralized cloud. This approach is definitely logical, since the customer is aware of the data shared with the vendor, while the vendor does not share data with third parties and should have strict commitments regarding data privacy.
But for data that wasn't seen previously by the vendor and analyzed by their cloud infrastructure, an on-premises solution should be deployed in order to provide the necessary threat intelligence.
I can't emphasize this enough: To a certain point, metadata shared with a cloud solution is acceptable, but uploading files, even to the vendor's own infrastructure, shouldn't occur without explicit customer consent.
This will prevent sensitive data from leaving an organization. More than that, relying on local analysis doesn't mean that you will be limited to a subset of the tools available. Organizations with high-end security policies also have offline and even air-gapped environments, which should be addressed by any serious cyber security vendor. In such cases, relying on a third-party cloud vendor to do the detection would be a showstopper.
Example of a Hybrid Solution: RSA NetWitness and OPSWAT Metadefender
We partner with over 50% of the EDR market share, and one of the most successful partnerships in this area is our partnership with RSA. The joint solution empowers our joint customers to get fast responses and even remediation to any anomalies detected.
RSA NetWitness Endpoint monitors endpoints and reports anything suspicious to our Metadefender on-premises solution for a quick analysis of the data. Metadefender assesses and detects known and unknown malware, but also improves the amount of focus of the analysts on the truly important incidents, while the commodity is handled automatically and removed from the incidents queue.
Also, Metadefender is able to connect running processes with known vulnerabilities, which provides analysts with enriched information about the running processes, in order to assess the risk and also provide information on how a normal or recognized process is behaving strangely (e.g. Excel process downloads a file via PowerShell).
Further reading: See Carbon Black's response to the DirectDefense accusations.