Because of the volume, complexity, and varied nature of the incident response matters handled by Stroz Friedberg, Aon’s Cyber Solutions’ Digital Forensics and Incident Response team (“Cyber Solutions”), we are often able to detect trends, attack methodologies, and attacker groups ahead of the market. Recently, Cyber Solutions observed a resurgence in cyber extortion cases commonly known as “Bug Poaching.” In this attack, threat actors breach a company’s systems, operate within the company’s network, access or outright steal data, and demand payment for various reasons, including (i) disclosure of the vulnerability the attacker used to gain access, (ii) proof of compromise, including sample(s) of the company’s data, (iii) a promise of silence regarding the security breach or theft of the data, or (iv) return or destruction of the stolen data. Some opportunists execute a less technical variant of this attack: they obtain data previously stolen by an initial threat actor, then attempt to leverage possession of that data for monetary gain.
These bug poaching threat actors may appear helpful at first, even presenting themselves as white hats or self-described “security researchers.” They may request information about a company’s bug bounty program with a promise to provide stolen data and/or information on vulnerabilities previously unknown to the company. To be clear, however, these claimed ‘researchers’ are acting unethically at best and, more likely, unlawfully. Many proactive companies do offer bug bounty programs, where they may reward ethical hackers for finding system vulnerabilities with the goal of strengthening their networks. By contrast, in a bug poaching scheme, the threat actor’s goal is to strike fear in company executives in order to extort them for personal financial gain, almost always under the veil of anonymity, outside the rules of a bug bounty program, and after participating in criminal activity such as unauthorized access to a network, accessing or exfiltrating data, or outright extortion.
Recent bug poaching activity has included attempts to monetize data from old breaches, some publicly disclosed and others not. Cyber Solutions has also observed increasingly aggressive behavior in email dialogue with such threat actors, where their demeanor may begin as helpful, but quickly turns to threats and increased monetary demands, with continued network intrusion activity or threats of the same.
Avoid Infestation
To prepare for and mitigate bug poacher activity, we recommend assessing, testing, and hardening defenses before poaching scammers strike, including:
- Establish a bug bounty program with clear, published guidelines and policies.
- Notify employees of procedures in the event of receipt of communication from a claimed ‘security researcher.’
- Develop a relationship with a point of contact at local law enforcement.
- Have legal counsel and forensic provider relationships already in place.
- Implement strict firewall policies and intrusion detection/prevention systems.
- Verify that SIEM technology and other network monitoring tools are set up.
- Ensure system security patches are up to date.
- Run vulnerability assessments and penetration testing on internal and external applications and systems regularly.
- Conduct regular phishing awareness and training.
- Perform routine threat hunting exercises to identify and halt any active intrusion and malicious behavior.
- Implement trusted device, two-factor authentication, and complex password policies and procedures for internal and external system access.
- Practice IR preparedness, including tabletop exercises, IR readiness assessments, and IR plan implementation.
- Transfer risk via cyber insurance.
What to Do If You Become Infested
- Document all information on the attacker and what is reported to have been stolen from the system, including any emails you received and any other pertinent information.
- With guidance from legal counsel, contact your local law enforcement authorities and provide them with all the information you have regarding the attack and the attacker.
- Assume ongoing vulnerability and intrusion. Work with a digital forensics investigation team to uncover the attack and identify vulnerabilities, if any.
For more information, please reach out to:
John Ansbach
+1 214.377.4566
Bryan Hurd
+1 202.421.6386