Imagine that you stumble across a large amount of data on the internet and realize that it includes a treasure trove of internal pricing and partner information from a direct competitor of yours. The data gives you all kinds of clues into their business, profitability and partner agreements. What would you do with it?
This post walks through a real-world scenario where exactly that happened, why it was surprisingly complex to handle, and what you can do to make sure the same thing doesn't happen to you.
Accidental Data Discovery
I'm not exactly sure who found the data or when. It might have been an industrious salesperson. It might have been an accidental Google search result or even something mentioned in a Reddit thread. I don't really think it was malicious or targeted. But by the time we got involved, it was clear that there was a public S3 bucket containing substantial amounts of data belonging to a customer's competitor.
To make it easier to tell the story, let's call:
- The company that was our customer: AcmeRiverCorp
- Their competitor: BurningCorp
So anyway, when we joined the discussion the AcmeRiverCorp team was already going through the BurningCorp data, and it almost resembled sharks that smelled blood in the water. They hadn't gotten that far though, and the number of people in the loop was very small. They clearly knew there was something wrong and reached out for our advice. We quickly advised the AcmeRiverCorp team to take a step back and pause these search-and-collect activities. We made sure people stopped spreading the word and tried to understand what had really happened.
Then we had to figure out what to do about it.
What Would You Do?
There are a lot of different ways this could have played out.
It is, of course, possible that AcmeRiverCorp could have copied a bunch of publicly available data and made full use of it to target BurningCorp. Trust me, I've been deep enough in business to have seen these kinds of lines crossed in the past. As a side note, I once played whistleblower and the VP that handled it tried to tell me:
"This isn't an economics class, this is business." (Anonymous VP)
To which I replied:
"I think you mean ethics class, not economics class..." (Konda)
The point is: many people at many companies would have taken all that they could, used it any way they wanted and never thought twice about it. Not only that, some people and companies actively look for this type of data and exploit it. Sometimes I wonder what it would look like to be a competitive data bounty hunter ...
Anyway, when we found ourselves here, we believed that there was a substantial risk (never mind the ethical side of it) that if anyone at BurningCorp got wind of the data being used, they would be able to go back and identify that it had been accessed by AcmeRiverCorp's employees. "Public" does not mean "anonymous": if S3 server access logging or CloudTrail data events were enabled on the bucket, every request was recorded with the requester's IP address, the object key and a timestamp, and corporate egress addresses are easy to attribute. Even though the data was publicly accessible, you never know how laws will be interpreted, and AcmeRiverCorp might even be held legally responsible for damages to BurningCorp based on a loss of business tied to the exposure of the data!
So we quickly convinced AcmeRiverCorp that they should not use this data to their advantage and that they should stop accessing it immediately. Turns out the golden rule applies and some people still honor it. It is a credit to AcmeRiverCorp that they listened and immediately stopped accessing the data. It was leadership with a true north who set the tone and managed this situation.
But then we thought about how we could let BurningCorp know that their data was flying in the wind, and that raised the next problem. If we tell them they have a problem, they may immediately suspect us of nefarious purposes. If they look at their logs, they can still see that some AcmeRiverCorp employees accessed the data. Reporting it wasn't going to be easy, and it was a risk we weren't sure we could take.
In the end, we played the independent security researcher card and reported the issue as though we were an independent bounty hunter so that BurningCorp could respond and take action, but wouldn't be immediately litigious against AcmeRiverCorp. That seemed to have worked out. But even that wasn't without risk.
Clearly, the best case scenario would have been to not expose the data at all in the first place.
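A public bucket like the one in this story is rarely the result of one setting; it is the combination of a bucket policy or ACL that grants access to everyone and Block Public Access not being turned on. The following Python is an added example (not code from the original post or from the companies in it) that evaluates those three settings together and reports the effective exposure. The input dicts use the shapes returned by boto3's get_bucket_policy, get_bucket_acl and get_public_access_block, so the same logic can be pointed at live buckets; the bucket name, policy, ACL and Block Public Access configurations below are constructed sample data.

```python
"""Flag S3 buckets whose policy or ACL leaves objects readable by anyone.

Added example, not from the original post. Effective public exposure depends on
three things evaluated together:
  - the bucket policy (an Allow statement with a wildcard Principal)
  - the bucket ACL (a grant to the AllUsers / AuthenticatedUsers groups)
  - Block Public Access, where IgnorePublicAcls neutralises public ACL grants
    and RestrictPublicBuckets neutralises public policy statements
The dict shapes mirror boto3's get_bucket_policy / get_bucket_acl /
get_public_access_block responses. All sample data here is constructed.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    # Principal may be the string "*" or a map such as {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_policy_statements(policy_json):
    """Split Allow statements with a wildcard principal into (unconditional, conditional).

    Conditional ones are reported separately: a Condition on aws:SourceIp or
    aws:PrincipalAccount narrows access, so they need a human to review the keys.
    """
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    unconditional, conditional = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        (conditional if stmt.get("Condition") else unconditional).append(stmt)
    return unconditional, conditional


def public_acl_grants(acl):
    """Return ACL grants that go to one of the two 'everyone' groups."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def assess_bucket(name, policy_json=None, acl=None, bucket_pab=None, account_pab=None):
    """Combine policy, ACL and Block Public Access into one exposure finding."""
    # Bucket-level and account-level Block Public Access are both enforced and the
    # stricter one wins, so OR the four flags together before using them.
    pab = {}
    for cfg in (bucket_pab or {}, account_pab or {}):
        for key, value in cfg.items():
            pab[key] = pab.get(key, False) or bool(value)
    unconditional, conditional = ([], []) if policy_json is None else public_policy_statements(policy_json)
    acl_grants = public_acl_grants(acl or {})
    policy_open = bool(unconditional) and not pab.get("RestrictPublicBuckets", False)
    acl_open = bool(acl_grants) and not pab.get("IgnorePublicAcls", False)
    findings = []
    if unconditional:
        findings.append("policy grants public access" if policy_open
                        else "policy is public but neutralised by RestrictPublicBuckets")
    if conditional:
        findings.append(f"{len(conditional)} wildcard-principal statement(s) gated by a Condition: review the keys")
    if acl_grants:
        findings.append("ACL grants public access" if acl_open
                        else "ACL is public but neutralised by IgnorePublicAcls")
    return {"bucket": name, "exposed": policy_open or acl_open, "findings": findings}


# Constructed sample input (hypothetical bucket name, policy, ACL and settings).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-partner-data/*"},
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-partner-data",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
})
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
OPEN_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
LOCKED_PAB = {k: True for k in OPEN_PAB}

if __name__ == "__main__":
    print(assess_bucket("example-partner-data", SAMPLE_POLICY, SAMPLE_ACL, OPEN_PAB))
    print(assess_bucket("example-partner-data", SAMPLE_POLICY, SAMPLE_ACL, OPEN_PAB, LOCKED_PAB))
```

Two caveats when running this against real accounts: object ACLs can make individual objects public even when the bucket ACL is clean, so a bucket-level pass is not a clean bill of health unless IgnorePublicAcls is on; and BlockPublicAcls / BlockPublicPolicy only reject new public settings, they do not neutralise ones already in place, which is why the code keys off IgnorePublicAcls and RestrictPublicBuckets.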
Attack Surface Analogies and Tools
Part of what we're talking about is knowing your attack surface. What data do you have exposed? How could someone target you? It is related to threat modeling but not the same thing. It is related to risk but is a more focused lens for it. A nice part about the concept of an attack surface is that it usually maps to concrete technical things in your environment: a bucket, a DNS record, an open port. When we talk with people about their attack surface, it is usually a pretty solid and direct conversation because either something is exposed or it isn't, and the most common outcome is that the technical team learns about mistakes that have been made and just fixes them.
A common analogy for talking about attack surfaces is a house. Does it have a good roof? Are the doors and windows closed and locked? Could someone easily get in? Who has keys? Is the garage code published online? Like most online companies, the house needs functional doors to serve its purpose, so the question is how we stay aware of those doors and make sure we know about all of them. Taking the analogy one step further, just by doing a review of the exterior we can often clean things up so that the house is, and looks, more secure from the outside.
Mapping online systems and capabilities to an almost physical situational awareness is useful, but it is a pretty exhaustive exercise to do in your head from theoretical information. Thankfully, there are a lot of useful open tools we can use to help us. Some of the ones we like are amass (subdomain and ASN enumeration), dnstwist (lookalike and typosquatted domains), nmap (port and service discovery), OpenVAS (vulnerability scanning of what nmap finds), fierce (DNS reconnaissance), dig (ad-hoc DNS queries) and similar. We typically take the output of these and talk through it with clients to explain and prioritize any action items.
Of course, from a tools perspective, there are also a number of commercial tools that can help you do external resource enumeration and provide scoring and even risk measures. These may be things to consider as you grow. With SPIO clients, we prefer to have a conversation and blend in a bunch of open tools that combine data about domains, email, network and other configuration that is all easily and freely accessible about your company already.
There really is something to being a good corporate citizen, and with data breaches we are sometimes presented with challenges we never thought we would see. Approaching each situation ethically and with a sense of the greater good (and maybe getting advice!) helps ensure that you won't cross the wrong lines. I know once the dust settled, everyone felt better about how we had handled this situation.
From a more concrete action perspective, checking your own attack surface proactively can really help to reduce the risk of an event like this happening to you. You can work with us to do that if that is helpful.
Ultimately, building a security program is more than any one piece of this and the attack surface is just a small part of it. But it is an important part that can make a significant and important improvement fairly easily. If you want help thinking about security more broadly, we recommend our securityprogram.io tool.