A security service provider's sensational claims this week that an endpoint detection and response (EDR) product from Carbon Black is leaking terabytes of sensitive customer data have focused attention on the need for organizations to pay close attention to how their security controls work.
DirectDefense Inc., which discovered the supposed leak, described it as the "largest pay-for-play data exfiltration botnet" and pinned the blame for it on a fundamental flaw in Carbon Black's EDR architecture.
But Carbon Black co-founder and CTO Michael Viscuso characterized DirectDefense's claims as a gross misrepresentation of what is actually going on. He says the data that DirectDefense claimed was leaked was actually data that customers had shared voluntarily, and a feature that allows that is off by default.
DirectDefense Inc. said its researchers had been able to harvest highly sensitive data belonging to several Fortune 1000 companies as the result of Carbon Black's Cb Response tool publicly sharing the data with cloud multi-scanner services such as Google's VirusTotal.
The data included keys that would have let attackers take control of an organization's cloud instances or that would have let someone upload rogue applications to an organization's mobile app store, DirectDefense said. Also available via Cb Response was customer data, internal usernames, passwords, and network data belonging to Carbon Black customers as well as details about their communications infrastructure.
Jim Broome, president of DirectDefense, says security researchers at his company stumbled upon the data while investigating a potential data breach at a customer site last year. When they used a cloud multi-scanner service to search for some malware samples, they found several completely unrelated files that upon closer inspection turned out to be from Carbon Black's customers.
Further investigation revealed that Cb Response had uploaded hundreds of thousands of files, representing terabytes of data on Carbon Black's customers, to the multi-scanner service, he says.
The issue, according to both Carbon Black and DirectDefense, has to do with the way Cb Response vets the security of new and previously unseen files. Like many EDR tools, Cb Response routinely monitors and inspects a wide range of binaries related to activity on endpoint devices.
Whenever the tool encounters an unknown or suspicious binary, it automatically sends the file for further analysis to cloud-based scanning services such as VirusTotal to determine if the file is good or bad and needs to be blocked. Such scanning is common to many EDR products.
The problem, Broome says, is that often, the files that get automatically sent for scanning to cloud multi-scanner services can contain very sensitive data of the sort DirectDefense harvested. For example, if Cb Response is deployed across an application development environment, it might upload executables to a cloud multi-scanner each time a new piece of code is compiled.
Such files can contain a lot of sensitive data that an organization might not even begin to realize is being uploaded to a multi-scanner service and then made available to any paid subscriber of these services.
For example, researchers from DirectDefense were able to recover identity and access management credentials for a large streaming media company's AWS instance that Cb Response had shared on a multi-scanner service. Similarly, they found hardcoded AWS and Azure keys belonging to a social media company and shared AWS keys that provided access to customer data belonging to a financial services company, Broome says.
"The key point is for Carbon Black customers to be aware of the use of their data," Broome says. Cloud multi-scanning services of the sort that Cb Response taps can be incredibly useful in identifying new and unknown threats, he admits.
But before organizations turn such tools on, they need to know what data is being collected and uploaded to cloud scanning services that are accessible to anyone with a subscription. "What seems to have gotten lost is the issue of educating the customer base," of where or when such scanning is useful, he says.
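One way to see what a build output would expose before allowing it to be shared with a multi-scanner, as an added example (not code from DirectDefense, Carbon Black or the original article): the script extracts ASCII and UTF-16LE strings from a binary and flags AWS access key IDs, PEM private keys and password assignments. The rule set, function names and sample bytes are constructed for illustration; the key shown is AWS's documented example value.

```python
import re

# Secrets of the kind the article says were found in uploaded binaries.
# The AWS access key ID format is public; the rule names are this example's own.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S{4,}"),
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")  # UTF-16LE, common in Windows executables


def printable_strings(blob: bytes):
    """Yield printable ASCII and UTF-16LE strings of six or more characters."""
    for m in ASCII_RUN.finditer(blob):
        yield m.group().decode("ascii")
    for m in WIDE_RUN.finditer(blob):
        yield m.group().decode("utf-16-le")


def find_secrets(blob: bytes):
    """Return sorted (rule, match) pairs for every secret-like string in blob."""
    hits = set()
    for s in printable_strings(blob):
        for name, rx in RULES.items():
            for m in rx.finditer(s):
                hits.add((name, m.group()))
    return sorted(hits)


def safe_to_share(blob: bytes) -> bool:
    """Sharing gate: refuse the upload if any rule fires."""
    return not find_secrets(blob)


# Constructed sample inputs, not real binaries.
CLEAN = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16 + b"usage: tool [options]\x00"
LEAKY = (b"MZ\x90\x00" + b"\x00" * 8
         + "Password=Summer2017!".encode("utf-16-le") + b"\x00\x00"
         + b"region=us-east-1\x00AKIAIOSFODNN7EXAMPLE\x00")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("leaky", LEAKY)):
        print(label, safe_to_share(blob), find_secrets(blob))
```

A clean result only means none of these three rules fired; it does not show the binary is free of sensitive content.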
Carbon Black's Viscuso says DirectDefense's blog completely misses the fact that data sharing with scanning services is a completely optional feature. Cb Response has a feature that lets organizations upload unknown binaries to the VirusTotals of the world, but it is turned off by default.
Carbon Black in fact has explicit warnings about the risks that organizations face when enabling Cb Response to share data with VirusTotal, and customers in fact have to opt in twice separately, he says. The warnings clearly spell out what happens when customers enable the sharing and clearly note that any binaries that are uploaded to VirusTotal will be made available to others.
In fact, Carbon Black specifically recommends that organizations should not enable the sharing of binaries related to sensitive applications, Viscuso says.
Unlike many other EDR vendors, Carbon Black goes to the extent of recommending that even hashes not be shared in such environments. "We are very explicit about the risks," Viscuso says. "In fact, we were actually nervous it was too much information," and would scare customers from enabling the sharing at all, he says.
In the few instances where a customer wanted data that was shared with VirusTotal to be removed, Carbon Black has been able to get the scanning service to do it, he claims.
Cloud multi-scanners can be extremely useful, he says, but it is up to the organizations themselves to decide how and when they want to use them. "We believe that security organizations are very intelligent and we shouldn't stand in their way and make risk decisions for them."