APT/Threat Hunting and Telemetry

As of late, clients from distinct verticals have reached out to our team expressing concerns regarding telemetry-enabled applications. Read the news and consider the timing! Since our multi-disciplinary background gives us a unique perspective, we decided to share some of our thoughts. Enjoy!

The advent of telemetry and cloud-enabled detections was a real game changer in the (endpoint) protection/anti-virus industry, enabling detailed feedback from customer devices and much greater insight into the landscape. Depending on one's pedigree, telemetry will have various unique definitions, most of which are incongruous. In this instance, telemetry is (meta-)data about 'events', like details about a file that was downloaded or a particular URL that was visited. A security product may send a file's hash to the cloud to check whether it is a good or bad file. Details like detection names, full file paths and user names may also be sent back to the cloud. Products may also upload entire files to the cloud. Online documentation exists that shows a subset of the types of collected (meta-)data. Finding said documentation is an exercise left up to the reader - OSINT powers activate!

This telemetry and cloud revolution ensured a major boost for protection and hunting capabilities. Suddenly cyber operations could be tracked in real time by entities other than government SIGINT/Signals teams. Over the last couple of years the amount and types of (meta-)data collected by all sorts of products have only increased. Browsers & mobile "apps" have gotten particularly good at this. Got to put all that processing power and bandwidth to use, right? But that is a discussion for another day. For now, let's stick to endpoint and AV solutions.

Consider the following capabilities and circumstances:

  • Endpoint protection products have access to everything on the system and communicate constantly. They are effectively 'trusted implants'.
  • Today's (and yesteryear's) detection 'signatures' have way more capability than is generally understood. Signatures go well beyond simple pattern matches. In most products they can be written in a low-level programming language for maximum flexibility. In other words: signatures can do absolutely anything the creator wants them to do.
  • Some products have unique detection rule-sets per location or customer.
  • Hunting state-sponsored implants/malware inherently involves going after classified material. After all, these programs are classified. (Hint - this work is inherently messy, therefore everyone largely focuses on e-crime.)
  • Most endpoint protection products heavily rely on so-called silent detections. These are smart Indicators of Compromise which can report back on anything without causing alerts visible to the user. They are used for back-end processing by automation and/or a human team. The system or human can then decide how to proceed.
  • There are plenty of products - not just endpoint protection - that make it impossible to turn off telemetry.
  • These capabilities are a huge intelligence trove for analysts, allowing for extremely effective hunting and targeting.
  • By extension, this means there's also ample opportunity for counter-intelligence operations.

What does this mean?

  • It's easier than ever before for products to behave in undesirable ways.
  • At the same time, these capabilities enable more opportunity to investigate if a product is misbehaving.
  • Products employing unique signatures present unique challenges, as businesses and researchers can't easily validate third-party observations. Everybody will have to do their own homework.
  • This ecosystem of products and services is a very enticing and valid intelligence target. Ponder the implications of this.
  • Between this and information operations, the tech sector is in for some changes.

Businesses are at serious risk when they don't know what information is being collected from their systems and what parties ultimately have access to this data. If your business works with sensitive information, a counterintelligence approach should be part of your defense-in-depth strategy.

Adversaries and misconfigurations aren't stopped by legal documents. An end-user license agreement (EULA) provides a legal framework; it doesn't technologically prevent abuse. Create a threat model based on actual capabilities and possible impact, including third-party suppliers/vendors like your anti-virus or favourite consultancy. As we've seen, security companies get breached too.

Don't trust, verify.
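One concrete way to verify: compare the destinations your endpoint agent actually talks to against the destinations the vendor documents, so undocumented third-party collectors stand out. This is an added example, not code from the original post; the log format, the process name epagent.exe, the hostnames and the allowlist are all constructed for illustration.

```python
"""Verify endpoint-agent telemetry egress against the vendor's documented destinations."""
import re
from collections import defaultdict

# Constructed proxy/firewall log lines: timestamp process destination-host bytes_out
SAMPLE_LOG = """\
2024-01-01T10:00:01Z epagent.exe telemetry.vendor.example 4120
2024-01-01T10:00:05Z epagent.exe updates.vendor.example 980
2024-01-01T10:01:12Z epagent.exe collector.unknown-third-party.example 61440
2024-01-01T10:02:00Z browser.exe www.example.org 2200
2024-01-01T10:03:30Z epagent.exe telemetry.vendor.example 3990
"""

# Hypothetical allowlist: the hosts the vendor's own documentation lists for the agent.
DOCUMENTED = {"telemetry.vendor.example", "updates.vendor.example"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\S+) (?P<host>\S+) (?P<bytes>\d+)$")


def parse(log):
    """Yield (timestamp, process, host, bytes_out) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["proc"], m["host"], int(m["bytes"])


def egress_by_host(log, agent_process):
    """Total bytes the agent process sent to each destination host."""
    totals = defaultdict(int)
    for _, proc, host, nbytes in parse(log):
        if proc == agent_process:
            totals[host] += nbytes
    return dict(totals)


def undocumented_destinations(log, agent_process, documented):
    """Destinations (with byte volume) the agent contacted that the vendor does not document."""
    return {h: b for h, b in egress_by_host(log, agent_process).items() if h not in documented}


if __name__ == "__main__":
    for host, volume in undocumented_destinations(SAMPLE_LOG, "epagent.exe", DOCUMENTED).items():
        print(f"undocumented agent egress: {host} ({volume} bytes)")
```

Run the same check against a long capture, not a single day: silent detections and file uploads are bursty, so a large upload to a host outside the allowlist is what you are looking for.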

If you have trust issues like we do, please contact us. We can help facilitate your success.

Written by: Daniel Nowak & Roel Schouwenberg