How Bug Bounty Platform HackerOne Handled Its Own 'Internal Threat' Actor (hackerone.com)
Bug bounty platform HackerOne has "a steadfast commitment to disclosing security incidents," according to a new blog post, "because we believe that sharing security information far and wide is essential to building a safer internet."
But now they've had an incident of their own: On June 22nd, 2022, a customer asked us to investigate a suspicious vulnerability disclosure made outside of the HackerOne platform. The submitter of this off-platform disclosure reportedly used intimidating language in communication with our customer. Additionally, the submitter's disclosure was similar to an existing disclosure previously submitted through HackerOne... Upon investigation by the HackerOne Security team, we discovered a then-employee had improperly accessed security reports for personal gain. The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties.
This is a clear violation of our values, our culture, our policies, and our employment contracts. In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data. We have since terminated the employee, and further bolstered our defenses to avoid similar situations in the future. Subject to our review with counsel, we will also decide whether criminal referral of this matter is appropriate.
The blog post includes a detailed timeline of HackerOne's investigation. (They remotely locked the laptop and later took possession of it for analysis, reviewed all data the employee accessed "during the entirety of their two and a half months of employment," and notified seven customers "known or suspected to be in contact with threat actor.")
"We are confident the insider access is now contained," the post concludes — outlining how they'll respond and the lessons learned. "We are happy that our previous investments in logging enabled an expedient investigation and response.... To ensure we can proactively detect and prevent future threats, we are adding additional employees dedicated to insider threats that will bolster detection, alerting, and response for business operations that require human access to disclosure data...."
"We are allocating additional engineering resources to invest further in internal models designed to identify anomalous access to disclosure data and trigger proactive investigative responses.... We are planning additional simulations designed to continuously evaluate and improve our ability to effectively resist insider threats."
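The post does not say how HackerOne's "internal models designed to identify anomalous access to disclosure data" work, and the following is not their code. It is an added example of the rule-based first pass a security team typically runs over a report-access audit log before any statistical model: flag access to a customer program the employee is not assigned to, access with no support ticket justifying it, and a burst of distinct reports read in a short window. The log schema, the assignment table, the three rules, their thresholds and the sample log lines are all constructed for this illustration.

```python
"""Toy insider-access detector over a vulnerability-report audit log.

Added example; the schema, rules and thresholds are assumptions, not a
description of any real platform's logging or detection.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample audit log (hypothetical JSON-lines schema).
# One line per read of a vulnerability report by an employee.
# "ticket" is the support ticket that justified the access, or null.
SAMPLE_LOG = """\
{"ts": "2022-06-20T09:00:00Z", "user": "alice",   "report_id": 1001, "program": "acme",   "ticket": "T-1"}
{"ts": "2022-06-20T09:05:00Z", "user": "alice",   "report_id": 1002, "program": "acme",   "ticket": "T-2"}
{"ts": "2022-06-20T09:10:00Z", "user": "mallory", "report_id": 1001, "program": "acme",   "ticket": "T-1"}
{"ts": "2022-06-21T22:00:00Z", "user": "mallory", "report_id": 2001, "program": "globex", "ticket": null}
{"ts": "2022-06-21T22:02:00Z", "user": "mallory", "report_id": 2002, "program": "globex", "ticket": null}
{"ts": "2022-06-21T22:04:00Z", "user": "mallory", "report_id": 2003, "program": "globex", "ticket": null}
{"ts": "2022-06-21T22:06:00Z", "user": "mallory", "report_id": 2004, "program": "globex", "ticket": null}
{"ts": "2022-06-21T22:08:00Z", "user": "mallory", "report_id": 2005, "program": "globex", "ticket": null}
"""

# Hypothetical assignment table: customer programs each employee is
# expected to touch as part of their job (e.g. triage queue membership).
ASSIGNMENTS = {"alice": {"acme"}, "mallory": {"acme"}}


def parse_log(text):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        # Accept the trailing "Z" that fromisoformat rejects on older Pythons.
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_anomalies(events, assignments, window=timedelta(minutes=15), max_reports=3):
    """Return a list of findings; each is a dict with user, rule and report_id.

    Rules (all assumptions for this example):
      outside_assignment  access to a program the user is not assigned to
      no_ticket           access with no justifying support ticket
      burst               more than max_reports distinct reports read
                          within one sliding window
    """
    findings = []
    recent_by_user = defaultdict(list)  # user -> [(ts, report_id)] inside window

    for e in events:
        user = e["user"]
        if e["program"] not in assignments.get(user, set()):
            findings.append({"user": user, "rule": "outside_assignment",
                             "report_id": e["report_id"]})
        if e.get("ticket") is None:
            findings.append({"user": user, "rule": "no_ticket",
                             "report_id": e["report_id"]})

        # Sliding window over distinct reports; fires on every access
        # while the count stays above the threshold.
        recent = [(ts, rid) for ts, rid in recent_by_user[user]
                  if e["ts"] - ts <= window]
        recent.append((e["ts"], e["report_id"]))
        recent_by_user[user] = recent
        distinct = {rid for _, rid in recent}
        if len(distinct) > max_reports:
            findings.append({"user": user, "rule": "burst",
                             "report_id": e["report_id"], "count": len(distinct)})
    return findings


def summarize(findings):
    """Collapse findings to {user: set of rules hit} for triage."""
    summary = defaultdict(set)
    for f in findings:
        summary[f["user"]].add(f["rule"])
    return dict(summary)


if __name__ == "__main__":
    hits = detect_anomalies(parse_log(SAMPLE_LOG), ASSIGNMENTS)
    for user, rules in summarize(hits).items():
        print(f"{user}: {sorted(rules)}")
```

In the constructed log, alice's reads are inside her assignment and each has a ticket, so she produces no findings; mallory's late-evening reads of another customer's reports with no ticket trip all three rules. The "no_ticket" rule is the one that maps most directly to the post's phrase "business operations that require human access to disclosure data": if every legitimate human read is tied to a ticket, a read without one is the anomaly, regardless of volume.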
Re: (Score:2)
2022-06-22 10:30 PDT Call with a customer requesting an investigation into reports of an intimidating and suspicious off-platform communication from an actor with the handle "rzlr"
The Razzler strikes again!
DAMN YOU, RAZZLER!!
I watch too many cartoons (Score:1)
Re: (Score:2)
2. Be surprised when people report fake bugs
3. ???
4. PROFIT!
Overall, a pretty good response... (Score:1)
Overall, I can't really find anything wrong with their response. Even "armchair quarterbacking", they found a suspect (in general, internal suspects are some of the hardest to find), found convincing evidence, locked the alleged culprit's laptop, took possession of it, and ended the incident.
I'd definitely consider them come pentest time.
Re: Overall, a pretty good response... (Score:3)
Right. It sounds like it was handled perfectly in all regards.
The focus here seems to be more on announcing the shame of having it happen to you when your job is to stop it. We shouldn't be ashamed of this if it's not a regular occurrence, so the transparency seems to further assert them handling it perfectly.
Re: (Score:2)
It _sounds_ like it, yes.
It's a bit difficult to verify without even more transparency. Did this now-discovered bad actor leave any back doors? Did they ever exist as anything but a "deep fake" with a LinkedIn profile? Cleaning up after such an incident is very painful for a responsible security company. And are the paperwork pushers in HR and middle management lying through their teeth about doing a responsible cleanup? That can be very difficult to evaluate.
Sadly, I've been involved in some cleanups with c
Re: (Score:3)
Yep, full marks for both dealing with the issue promptly and being open about what happened.
This is typical of a relatively small company where the top people are still close to the business. In large companies this kind of instant response is pretty much impossible. Everything has to go through multiple levels of management, then HR has to rubber-stamp every decision. Frequently the bad actor is allowed to resign because it's easier and quicker than going through months of disciplinary procedures.
"We have since terminated the employee" (Score:5, Funny)
"We have since terminated the employee" ...
Whoa! Seems a bit harsh to kill them before a trial and all. But hey, it's blackhat world. ;)
Re: (Score:2)
A crime? (Score:2)
'we will also decide whether criminal referral of this matter is appropriate'
If there isn't a law to punish this, there should be!
Re: (Score:2)
Whether there's a law is one thing; whether there's enough evidence for a prosecution is something completely different. The companies he threatened might choose not to testify, for example.