Monday, January 11, 2016

Former Yandex Employee Tries to Sell Source Code

There's news that a former Yandex (the leading Russian search engine) employee tried to sell source code for the search engine.  This is a really interesting case because there are presumably not many organizations that would be interested in the Yandex algorithms.  Other search engines already have their own algorithms and probably wouldn't learn much from analyzing those used by Yandex.  Some of the most valuable information a search engine has is its data.  The search algorithm itself would likely be secondary in value to a rival.
But those trying to manipulate search engine results would be very interested in the Yandex source code.  Armed with it, attackers could artificially increase their position in search rankings to attract more traffic.  This would be a gold mine for exploit kit operators, who can infect more victims with higher search rankings.

Know your adversary - or at least have an accurate threat model
Threat Intelligence has become a big focus for us at Rendition Infosec, and one of the first questions you need to ask when assessing risk is "who would benefit from compromising our networks?"  At first glance, it would appear that a rival would benefit from the search engine code, but careful analysis suggests that someone who wants to manipulate search rankings is just as likely to benefit as a competitor.  Understanding who your potential adversaries are goes a long way towards a good risk assessment methodology.

Infosec Hooks
As for infosec hooks, there are at least three beyond just Threat Intelligence.  The insider was clearly able to exfiltrate source code from the corporate environment.  While a lot of infosec pros today really hate DLP software, I tend to like it.  I like the fact that it can easily* detect certain patterns of information when they are transiting the network.  Most hatred for DLP systems comes from business lost due to false positive detections (which often manifest as blocks).  But these normally point to poorly tuned rule sets on the DLP systems themselves.  Even DLP implemented in logging-only mode can be useful in detecting insider data exfiltration.
* Where "easily" may be defined differently depending on whether you have implemented an SSL decryption solution.
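To make the DLP points above concrete, here is an added illustration (not Yandex's or Rendition's tooling) of a content rule engine run in logging-only versus blocking mode over constructed outbound transfers.  It contrasts a poorly tuned rule that fires on any source file name with a tuned rule that requires a proprietary marker plus code structure, and shows that a transfer the proxy could not decrypt is invisible to content matching.  All destinations, the EXAMPLECORP marker and the payloads are made up for the example.

```python
import re

# Constructed sample of outbound transfers (not real traffic).
# "decrypted" records whether a TLS-inspection proxy exposed the payload.
SAMPLE_TRANSFERS = [
    {"dst": "webmail.example.net", "decrypted": True,
     "body": "// (c) EXAMPLECORP CONFIDENTIAL\n#include \"ranker.h\"\nclass Ranker {"},
    {"dst": "ci.example.internal", "decrypted": True,
     "body": "build log: ranker.cc compiled, 0 warnings"},   # benign mention
    {"dst": "paste.example.org", "decrypted": False,
     "body": "<opaque TLS record bytes>"},                   # not decrypted
]

# Poorly tuned rule: any mention of a C/C++ file name trips it.
NAIVE_RULES = {"source-file-name": re.compile(r"\b\w+\.(cc|cpp|h)\b")}

# Tuned rule: the proprietary marker AND real code structure must both appear.
TUNED_RULES = {
    "marked-source": re.compile(
        r"EXAMPLECORP CONFIDENTIAL.*(#include|class \w+|struct \w+)", re.S),
}

def inspect(transfer, rules, mode="monitor"):
    """Classify one transfer; mode is 'monitor' (log only) or 'block'."""
    if not transfer["decrypted"]:
        # Without TLS decryption the content rules never see the payload.
        return {"dst": transfer["dst"], "action": "uninspected", "rule": None}
    for name, pattern in rules.items():
        if pattern.search(transfer["body"]):
            action = "block" if mode == "block" else "log"
            return {"dst": transfer["dst"], "action": action, "rule": name}
    return {"dst": transfer["dst"], "action": "allow", "rule": None}

def run(transfers, rules, mode="monitor"):
    return [inspect(t, rules, mode) for t in transfers]

def false_positives(results, benign_dsts):
    """Count rule hits on destinations known to be legitimate."""
    return sum(1 for r in results if r["rule"] and r["dst"] in benign_dsts)

if __name__ == "__main__":
    for result in run(SAMPLE_TRANSFERS, TUNED_RULES):
        print(result)
```

Running the same transfers through NAIVE_RULES shows the CI build log flagged as well, which is the kind of false positive that turns into a business-disrupting block once the system is switched out of monitor mode.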

The second infosec hook has to do with outsourcing.  The suspect in the case tried to sell the prized source code for the equivalent of $25k.  Most of our US-based threat models don't anticipate someone selling for so little; we tend to think in values of six figures and up (which tends to limit the pool of potential buyers).  But we must adapt our threat models to take into consideration the economies of the locations where we outsource.

Finally, even though the perpetrator was found guilty of trying to sell corporate secrets for profit, he was only sentenced to two years of probation.  Again, in the US we tend to think of criminal prosecution as an effective deterrent to corporate espionage.  But this is not the case in every country, some of which do not even have hacking laws.  When outsourcing any portion of our operations, we must ensure that we understand the strength of any deterrents to selling our corporate secrets and adjust threat models appropriately.  Two years of probation would hardly be an effective deterrent in the US for the attempted sale of corporate secrets for $25,000.  Again - different economies yield different threat models.
