AI & Privacy

Trellix Source Code Breach Claimed by RansomHouse Hackers

An in-depth look at the alleged Trellix source code breach by RansomHouse and its implications for global enterprise cybersecurity and corporate data privacy standards.

Jordan Sterling

May 12, 2026

Overview

Recent reports linking RansomHouse to an attack in which the source code of a leading enterprise security firm was compromised have sent shockwaves through the cybersecurity community. The attack is said to have occurred within the last three weeks.

This incident shows that cyber adversaries are growing more sophisticated and are now targeting the very organizations that defend others in cyberspace. Unauthorized access to a company’s intellectual property is among the most dangerous emerging threats to companies that operate critical infrastructure. For additional background, see our explainer on AI basics and how it affects today’s cybersecurity defenses.

What It Does

RansomHouse is known for an extortion approach: it regularly exfiltrates high-value information and tells the victim exactly what was taken to increase the chance of payment. If this breach is confirmed, the hackers claim to hold enough internal source code that it could potentially be used to develop new zero-day exploits against security products. If source code gets out, you are essentially handing an attacker the keys to get around whatever defenses you have put in front of your network. The EFF has also documented similar privacy concerns around centralizing security data, and the inherent risks of maintaining massive codebases in an era of persistent state-sponsored and criminal cyber-espionage.

The Benefits

The forced transparency that follows a breach often means an organization must undergo a thorough audit, which can ultimately lead to a better security posture. Security researchers often use public disclosures to develop more comprehensive patches, which helps the software ecosystem become more robust against future attacks. You can find more advantages here, explaining how defensive transparency strengthens collective defense.

The Risks

  • The most obvious risk is that exposed source code can be exploited by adversaries to develop advanced malware that specifically targets the user base of the affected product, effectively making defense a vulnerability.
  • Enterprise customers face serious privacy harm, since stolen internal documentation could reveal how a security product processes the client’s data, potentially allowing an adversary to direct increasingly sophisticated attacks against the customer’s deployed infrastructure.

Finding Balance

These systemic vulnerabilities demand a shift toward systems built on least privilege, with encrypted development environments that limit the damage a thief can do. Relying on perimeter security alone is no longer enough. Companies need strong access control and source code repository monitoring so that unauthorized exfiltration is detected in real time. See our best practices guide on protecting sensitive corporate assets in a distributed development world.
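As an added illustration of the repository monitoring described above (example code written for this article, not from Trellix or any vendor), the script below scans constructed audit-log lines for two exfiltration signals: an account cloning an unusual number of distinct repositories inside a short window, and clones arriving from outside an assumed corporate network range. The log format, field names, trusted network and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample audit lines (not from any real system).
# Format (assumed): timestamp|actor|action|repository|source_ip
SAMPLE_LOG = """\
2026-05-01T09:00:12Z|alice|git.clone|payments-api|10.0.4.21
2026-05-01T09:20:40Z|alice|git.clone|payments-web|10.0.4.21
2026-05-01T10:15:03Z|bob|git.clone|build-tools|10.0.7.8
2026-05-01T02:10:00Z|svc-ci|git.clone|payments-api|198.51.100.7
2026-05-01T02:10:05Z|svc-ci|git.clone|payments-web|198.51.100.7
2026-05-01T02:10:09Z|svc-ci|git.clone|auth-service|198.51.100.7
2026-05-01T02:10:14Z|svc-ci|git.clone|build-tools|198.51.100.7
2026-05-01T02:10:20Z|svc-ci|git.clone|infra-config|198.51.100.7
2026-05-01T02:10:31Z|svc-ci|git.clone|detection-engine|198.51.100.7
"""

TRUSTED_NETS = [ip_network("10.0.0.0/8")]  # assumed corporate address range


def parse_line(line):
    ts, actor, action, repo, ip = line.split("|")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, action, repo, ip


def detect_bulk_clones(log_text, max_repos=5, window=timedelta(minutes=10)):
    """Return alerts for clones from untrusted networks and for actors that
    clone more than `max_repos` distinct repositories within `window`."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # actor -> (timestamp, repo) pairs inside the window
    alerts, flagged = [], set()
    for ts, actor, action, repo, ip in events:
        if action != "git.clone":
            continue
        if not any(ip_address(ip) in net for net in TRUSTED_NETS):
            alerts.append(("untrusted_source", actor, repo, ip))
        q = recent[actor]
        q.append((ts, repo))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) > max_repos and actor not in flagged:
            flagged.add(actor)  # one bulk alert per actor, not one per extra clone
            alerts.append(("bulk_clone", actor, len(distinct), ts.isoformat()))
    return alerts
```

In production the same logic would run over the repository platform's audit stream rather than an embedded string, and the alert would feed a SIEM or paging system.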

What You Can Do

Actionable tip: As an enterprise user, make sure your IT teams apply vendor patches as soon as they are released. Also keep offline, immutable backups of your important system configurations so that if a security tool is compromised, your core systems remain protected from downstream tampering or data exfiltration.

Final Thoughts

The RansomHouse claim around Trellix is a sobering example of the house of cards that is digital security. Technology companies are always coming up with new ideas to stay ahead of those who pose a threat, but the truth is that there is no system that can’t be affected. We need to do more than just react to breaches after the fact. We need to build resiliency into our systems from the beginning. We must assume that breaches will occur, even as we work to prevent them. Balancing the need for rapid software development with ironclad security protocols is the defining challenge of our generation.


Written by

Jordan Sterling

I've been writing about privacy-focused technology and open-source security tools for the past 6 years, with a particular obsession for encrypted messaging protocols and zero-knowledge architectures. My work bridges the gap between complex cryptographic concepts and everyday digital privacy for readers who want to take control of their data. Expect deep dives into VPNs, audited apps, and the occasional rant about surveillance capitalism.
