[HN Gopher] What It Takes to Defend a Cybersecurity Company from...
___________________________________________________________________
What It Takes to Defend a Cybersecurity Company from Today's
Adversaries
Author : gnabgib
Score : 161 points
Date : 2025-04-30 02:53 UTC (20 hours ago)
(HTM) web link (www.sentinelone.com)
(TXT) w3m dump (www.sentinelone.com)
| CyberMacGyver wrote:
| It's RSA time so expect a lot of cybersecurity posts
| owyn wrote:
| I haven't heard of that one. What is RSA time?
| ash-ali wrote:
| RSA conference in the city
| mandevil wrote:
| 2025 RSA Conference USA in San Francisco. So lots of papers
| are going to be presented and talks given on new clever ways
| researchers have figured out to beat different layers of
| security, tracking APTs, etc.
|
| https://www.rsaconference.com/usa
| keyle wrote:
| That sounds like the oracle version of defcon.
| hiddencost wrote:
| That's kinda cruel. RSA is trying to do a good job, and
| takes their customers' safety quite seriously.
|
| (Kidding. A little.)
| imiric wrote:
| I hope you're entirely kidding with that statement.
|
| RSA was famously bribed by the NSA to make their
| compromised PRNG the default in their cryptography
| library, which shipped from 2004 to 2013. Any credibility
| they might've had vanished after that was publicized in
| the Snowden leaks.
| h4ck_th3_pl4n3t wrote:
| I laughed more at that one than I should have.
|
| Kudos, made my day
| saagarjha wrote:
| Ah, that's why all the people in business attire are swarming
| around
| hulitu wrote:
| > Recent adversaries have included: DPRK IT workers posing as job
| applicants ransomware operators probing for ways to access/abuse
| our platform Chinese state-sponsored actors targeting
| organizations aligned with our business and customer base
|
| Thank god there were no Russians or Iranians. /s
| bigfatkitten wrote:
| Iranians have been doing it too, on an individual,
| sanctions-evading level rather than as a state-sponsored mission.
|
| Many of the DPRK workers operate out of Russia (and China.)
| looperhacks wrote:
| Is there any way to recognize adversary IT workers? Not many
| companies have the capabilities of cybersecurity experts
| Animats wrote:
| Start with a fingerprint check before you even talk to them.[1]
| Then ask for a REAL ID at the interview, take fingerprints
| again, and match with the ones from the pre-screen fingerprint
| check. You need to be signed up with a driver's license
| verification service to validate the ID.[2]
|
| It takes that level of verification to become a security guard
| or a school bus driver. Anybody in computer security should be
| doing this.
|
| [1] https://www.sterlingcheck.com/services/fingerprinting/
|
| [2] https://www.aamva.org/technology/systems/verification-
| system...
| Gathering6678 wrote:
| Are you serious about this?
|
| I live in China, a supposedly autocratic country and one with
| universal ID, and even companies here don't take
| fingerprints. ID will be shown when you are officially
| onboard. I can't say for all, but for most companies (at
| least the ones without the need for a security clearance),
| requiring ID at interview will be seen as a red flag, and
| requiring fingerprint would probably be put on social media
| and name shamed, if not straight up reported to the
| authorities.
| mixmastamyk wrote:
| Not a typical job but one in a high security environment,
| seems somewhat understandable.
|
| Not that I'd do it. The paradox that security for a firm
| means zero privacy for me is too much to bear these days.
| Gathering6678 wrote:
| I have some experience working for financial institutions
| with access to highly confidential information, and
| haven't been required to produce my fingerprint for,
| like, ever.
|
| Again, I can't say for all, and I'm sure there are
| certain companies and positions which require such
| measures, but I could not imagine requiring fingerprints
| (or even ID during interview) to be acceptable in most
| cases.
| Spooky23 wrote:
| You probably worked in divisions where the auditors
| didn't issue a finding yet, or outside the regulatory
| scope.
|
| It's pretty common in finance, government and human
| services. Amazon is very aggressive with this -
| contractors in their facilities get regular background
| checks.
|
| Usually the employee goes to a third party run by a
| company like Idemia to collect the biometric. I can't
| imagine not collecting the ID information of prospective
| employees - that's just asking for fraud.
| hiatus wrote:
| You didn't have to do an in-person background check that
| included fingerprinting? When I worked at a bank this was
| required. It was run by a third party company not at the
| office.
| Cthulhu_ wrote:
| In a high security environment, you can get a report from
| law enforcement; in the Netherlands this is called a
| "declaration around behaviour" (??), which is basically a
| signed / authenticated document saying "this person was
| not involved in financial crimes" - you need to have it
| specified for a category of crimes, the previous is for
| example one I had to get to work at a bank as a
| contractor.
|
| I don't know what the equivalent in the US is, but
| https://www.fbi.gov/how-we-can-help-you/more-fbi-
| services-an... seems similar enough.
|
| I'd trust an FBI report more than taking their
| fingerprints and the like.
| Animats wrote:
| The way it worked for a real US high security job
| (TS/SCI) was that the clearance process was totally
| separate from the employer. The fingerprints and
| polygraph exams were done off premises. The famous SF-86
| form[1], all 130 pages, had to be filled out, but nobody
| at the employer ever saw it. The checking and processing
| were done by the FBI or a unit in DoD.
|
| (The current SF-86 only wants your residence addresses
| for the last 10 years. Used to be "List all residences
| from birth".)
|
| [1] https://www.opm.gov/forms/pdf_fill/sf86.pdf
| Animats wrote:
| If you're under attack by a foreign government, this isn't
| optional.
| recursivecaveat wrote:
| Biggest thing you can do is just ensure you conduct at least 1
| on-site interview, and make sure that interviewer is in a
| position to realize if the person they met is not the same one
| who shows up for other interviews and/or the work. Cost of a
| flight is nothing really compared to recruiting and hiring (and
| if you really are fully-remote and geographically distributed,
| you probably already have somebody in their metro area),
| on-sites used to be standard.
| khafra wrote:
| I mean, it's not the _biggest_ thing you can do; you could
| start selling to the government, become a cleared contractor,
| and then you could require a USG security clearance for job
| applicants.
|
| I would call the on-site interview and/or minimal background
| check "the most Pareto frontier thing you can do."
| Mountain_Skies wrote:
| How much of that would you get from just using E-Verify?
| That doesn't find criminal issues like a security clearance
| does but seems like it would at least reduce the pool of
| nefarious applicants by a significant margin.
| smolder wrote:
| The reality is a bunch of people trying to secure their
| insurance relationship. Useless money absorbers are running
| things.
| CyberMacGyver wrote:
| Yes there are lot of identifiers. They are improving a lot, so
| things are changing daily. There are certain steps to take pre
| hiring and post hiring. If you need help share your email and I
| can provide details.
| bigfatkitten wrote:
| Just make them show up in person at least once for onboarding.
| They're not going to fly out from China or Russia (where they
| tend to be based) to do this; especially not to the US.
|
| Verify their ID in person, issue their laptop etc in person,
| make sure someone who interviewed them is there to meet and
| greet them (and attest that it's the same person they talked
| to.)
|
| If you can at least do a final interview in person also, then
| that's even better.
| Cthulhu_ wrote:
| Definitely the 'regular' application procedures - check
| someone's ID, check their references, ideally meet them face to
| face, etc.
|
| This is more tricky with remote-only jobs or worse, "gigs"
| where you don't even meet people. But also, I would've expected
| open source to be "infiltrated" a lot more than it has, since
| that's very much anonymous internet culture... but also a
| culture of code reviews and the like.
| wlk wrote:
| Some high-level advice is listed here:
| https://ofac.treasury.gov/media/923131/download?inline
|
| I run an outsourcing agency; we work with US clients and have seen
| lots of fake applications (different degrees of sophistication),
| so far we have either rejected them right away, or we were able
| to filter them during (remote) interviews.
| lukan wrote:
| The latest advice about spotting at least North Koreans who
| apply under fake identities is asking them to comment on how
| fat Kim Jong Un is. Real North Koreans could not comment on
| that.
| paulryanrogers wrote:
| Is this technique used in the real world?
| razakel wrote:
| There are often red flags, such as a Polish name, graduate from a
| Polish university, but doesn't actually speak Polish.
|
| Local knowledge, too. If they claim to be from Krakow, get
| someone from there to chat to them. If you hear frantic typing,
| they're imposters.
| betaby wrote:
| > There are often red flags, such as a Polish name, graduate
| from a Polish university, but doesn't actually speak Polish.
|
| That's oddly specific. Any famous examples?
| af78 wrote:
| Famous, I don't know, but one example comes to mind:
|
| https://www.bellingcat.com/news/americas/2022/06/16/the-
| braz... The Brazilian Candidate: The Studious Cover
| Identity of an Alleged Russian Spy
|
| Maybe also Pablo Gonzalez Yague aka Pavel Alekseyevich
| Rubtsov.
| torton wrote:
| Might have been a retelling of
| https://newsletter.pragmaticengineer.com/p/ai-fakers, which
| is only about two months old.
|
| > "The candidate did not speak Serbian, despite graduating
| from the University of Kragujevac, in Serbia."
| leoqa wrote:
| The solution is just-in-time access controls, context-aware
| authorization for things like database access (i.e. given a
| justification with an approval workflow, the employee can
| access a user X for 2 hours). These are the guard rails against
| a rogue employee, by introducing friction.
|
| I rolled out this level of controls at a big company and got
| pushback from the sales team -- they needed access to generate
| leads, do demos on the spot, etc. Was a hard fight and I lost.
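As an added illustration of the just-in-time, approval-gated access the comment above describes (example code, not from the thread or from SentinelOne): a grant needs a written justification, a second person's approval, and expires after the two-hour window, with every decision logged. The class name JitAuthz, the 20-character justification minimum and the customer:42 resource id are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

GRANT_TTL = timedelta(hours=2)  # the "2 hours" window from the comment
MIN_JUSTIFICATION = 20          # constructed policy: reject one-word reasons


@dataclass
class Grant:
    requester: str
    resource: str      # e.g. "customer:42", a hypothetical record id
    justification: str
    approver: Optional[str] = None
    expires_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        # usable only after approval and strictly before expiry
        return self.approver is not None and now < self.expires_at


@dataclass
class JitAuthz:
    """Time-boxed, approval-gated access with an append-only audit trail."""
    grants: Dict[str, Grant] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def _log(self, now: datetime, msg: str) -> None:
        self.audit.append(f"{now.isoformat()} {msg}")

    def request(self, requester: str, resource: str,
                justification: str, now: datetime) -> str:
        """Open a pending grant; friction point 1 is the written reason."""
        if len(justification.strip()) < MIN_JUSTIFICATION:
            self._log(now, f"DENY request {requester}->{resource}: weak justification")
            raise ValueError("justification too short")
        key = f"{requester}:{resource}"
        self.grants[key] = Grant(requester, resource, justification)
        self._log(now, f"REQUEST {key}: {justification}")
        return key

    def approve(self, key: str, approver: str, now: datetime) -> datetime:
        """Friction point 2: a second person approves; no self-approval."""
        g = self.grants[key]
        if approver == g.requester:
            self._log(now, f"DENY approve {key}: self-approval by {approver}")
            raise PermissionError("requester cannot approve own request")
        g.approver = approver
        g.expires_at = now + GRANT_TTL
        self._log(now, f"APPROVE {key} by {approver} until {g.expires_at.isoformat()}")
        return g.expires_at

    def authorize(self, requester: str, resource: str, now: datetime) -> bool:
        """Checked on every access; default deny once the window closes."""
        g = self.grants.get(f"{requester}:{resource}")
        ok = g is not None and g.active(now)
        self._log(now, f"{'ALLOW' if ok else 'DENY'} access {requester}->{resource}")
        return ok


def demo() -> dict:
    """Walk one grant through its lifetime (constructed timestamps)."""
    t0 = datetime(2025, 4, 30, 9, 0, tzinfo=timezone.utc)
    authz = JitAuthz()
    key = authz.request("alice", "customer:42",
                        "Ticket #1234: customer reports failed login", t0)
    authz.approve(key, "bob", t0)
    return {
        "during": authz.authorize("alice", "customer:42", t0 + timedelta(hours=1)),
        "after": authz.authorize("alice", "customer:42", t0 + timedelta(hours=2)),
        "audit_entries": len(authz.audit),
    }
```

The audit list is what an investigation into a rogue employee would read back; in a real deployment it would go to an append-only store rather than a Python list.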
| ta1243 wrote:
| Young naive and full of memes, parachuted into place from a
| billionaire, completely unaccountable and completely unaware of
| how to do anything securely.
| dubbel wrote:
| Heh, given the title I initially thought SentinelOne was
| addressing the Chris Krebs situation, and the adversary would be
| the current administration. But it's about different nation state
| actors.
|
| (context: https://www.cnbc.com/2025/04/16/former-cisa-chief-
| krebs-leav... )
| croes wrote:
| Don't expect that much courage
| jillyboel wrote:
| In Article III, Section 3 of the United States Constitution,
| treason is specifically limited to levying war against the
| U.S., or _adhering to their enemies, giving them aid and
| comfort._
|
| Under U.S. Code Title 18, _the penalty is death_, or not less
| than five years' imprisonment (with a minimum fine of $10,000,
| if not sentenced to death). Any person convicted of treason
| against the United States also _forfeits the right to hold
| public office in the United States_.
| Retric wrote:
| The constitution sets a really high bar on Treason. "It was
| not enough, Chief Justice John Marshall's opinion emphasized,
| merely to conspire "to subvert by force the government of our
| country" by recruiting troops, procuring maps, and drawing up
| plans. Conspiring to levy war was distinct from actually
| levying war." https://constitutioncenter.org/the-
| constitution/articles/art...
|
| "No person shall be convicted of Treason unless on the
| Testimony of two Witnesses to the same overt Act, or on
| Confession in open Court."
|
| Cramer v United States being an interesting example. 'As the
| Court explained: "A citizen intellectually or emotionally may
| favor the enemy and harbor sympathies or convictions disloyal
| to this country's policy or interest, but, so long as he
| commits no act of aid and comfort to the enemy, there is no
| treason. On the other hand, a citizen may take actions which
| do aid and comfort the enemy--making a speech critical of the
| government or opposing its measures, profiteering, striking
| in defense plants or essential work, and the hundred other
| things which impair our cohesion and diminish our strength--
| but if there is no adherence to the enemy in this, if there
| is no intent to betray, there is no treason." In other words,
| the Constitution requires both concrete action and an intent
| to betray the nation before a citizen can be convicted of
| treason; expressing traitorous thoughts or intentions alone
| does not suffice.'
| wizardforhire wrote:
| Those are great words both of you. A lot of good was done
| with those words and the others that come before and after
| them. It's too bad they don't matter anymore... I wish they
| did.
| formerphotoj wrote:
| Agreed. We are now "back" to laws for thee but not for
| me.
| wizardforhire wrote:
| In the spirit of hn endless pedantry... we're sadly back
| to might makes right.
| Terr_ wrote:
| > they don't matter
|
| In a way that is--ultimately--very real and practical, the
| words continue to matter while people assert they matter.
|
| It's difficult, but we should avoid crossing from
| cynicism to defeatism.
| dspillett wrote:
| _> The constitution sets a really high bar..._
|
| Unfortunately the current DPRUS administration doesn't seem
| to care what the constitution says. They happily ran over
| the due process requirements set in the 5th amendment and
| openly ignored a court ordering something to be done to
| rectify that.
|
| For the time being at least, any protection "guaranteed" by
| the constitution can not be relied upon if it goes against
| the wishes of a certain few.
| godelski wrote:
| https://archive.is/aRNSn
| firtoz wrote:
| Wow, so if you don't fall in line with the demagoguery, you'll
| be thrown out, probably to be replaced with someone who does,
| or it'll be rinse and repeat until that happens.
| nopcode wrote:
| I haven't seen American cybersecurity companies share
| meaningful threat intel about any American threat campaigns.
| This is not new.
| mikewarot wrote:
| You just _can't_ secure something like Windows, Linux, MacOS,
| because it's faulty by design. Any business that claims to be
| able to do so is selling snake oil.
|
| Capability based operating systems _can_ be made secure. Data
| diodes are a proven strategy to allow remote monitoring without
| the possibility of ingress of control. Between those two tools,
| you have a _chance_ of usable and secure computing in the modern
| age, even against advanced threats.
|
| Yeah... I feel like Cassandra, but here we are. You've been
| warned, yet again.
| Cthulhu_ wrote:
| What OSes are you proposing though? You're positing a problem
| and warning people, but what are the alternative operating
| systems that implement these data diodes?
| mdhb wrote:
| Google's in development (contrary to what people on here will
| tell you) new operating system Fuchsia actually has what
| seems to be a genuinely defendable architecture.
|
| https://fuchsia.dev/fuchsia-src/concepts/principles/secure
| guappa wrote:
| I expect it to be ready long after GNU/Hurd will be the
| default system installed on new machines being sold.
| sublimefire wrote:
| hmm but this is not really about it, it is more about how
| companies can be protected. It talks e.g. about shadow IT
| workers trying to infiltrate into the company.
| concerndc1tizen wrote:
| I agree about data diodes, but how do you handle data egress?
| One solution is to have strict data checks on egress, but leaks
| are still possible. Data diodes also still suffer from the
| ability to inject malware that can execute DoS attacks.
|
| I agree about capability-based security, but strictly speaking,
| the capabilities of current OSes are just primitive, i.e.
| checking file permissions. What capability checks do you mean?
|
| My understanding is that the biggest threat is not capability
| checking, but capability escalation, i.e. bypassing checks, and
| hardware hacking, e.g. spectre/meltdown-type attacks that can
| read arbitrary memory.
| khaki54 wrote:
| There is a step up from diodes called [inspecting] data
| guards and an adjacent technology called content disarm and
| reconstruct (CDR) that doesn't rely on signatures or
| heuristics - it just assumes every document is malicious.
|
| Combining these 3 technologies with certain policies, e.g. a 2-man
| rule, the hw/sw itself developed on airgap, you can make
| it practically impossible to attack, even for nation state
| adversaries.
|
| Edit to point out that these all work in 2-way configurations
| as well.
| immibis wrote:
| This is one of those situations, like with cryptocurrencies or
| social media, where the old thing had certain problems for
| pretty fundamental reasons, and the new thing claims it won't
| have the same problems, but that's just because the new thing
| is new and hasn't gotten to the point of the problems being
| discovered yet.
|
| If an operating system can run any program you want, then it
| can run malware if you want. Windows, Linux and Mac OS are OSes
| that let you run any program you want. Android and iOS are OSes
| that restrict which programs you can run. Different techniques
| end up placing the boundary in different places but they still
| either limit you from running lots of nonmalware programs or
| they allow you to run lots of malware.
|
| Operating systems already completely sandbox processes. Then
| they poke a ton of holes in the airtight hatchway because holes
| are useful. Suddenly it's not airtight, but at least it's
| useful. Then someone makes a new OS with a holeless airtight
| hatchway. In time, it too will discover which holes it needs,
| and won't be airtight.
|
| Something similar happens with data diodes. A reply mentions
| punching holes in a data diode by allowing certain limited
| two-way communication. Fine, but then it's not a data diode. And
| someone will suggest putting a data diode on one side of your
| not-data-diode to make it airtight again. And you'll have the
| problems of a data diode again.
| kube-system wrote:
| > You just can't secure something like Windows, Linux, MacOS,
| because it's faulty by design.
|
| Every system is. Security isn't a goal that is ever 'achieved',
| it is a continual process of _mitigating_ risk.
| mlinksva wrote:
| I tend to agree though the conventional response I'd guess also
| has merit: "secure" isn't binary and various mitigations
| deployed on non-capability-based operating systems change the
| economics of attack/defense and are valuable.
|
| But the main reason I'm responding is to thank you for the TIL
| about data diodes
| https://en.wikipedia.org/wiki/Unidirectional_network which seem
| under-discussed and under-utilized. Only a handful of
| discussions on HN, most substantial (only 19 comments) from 10
| years ago https://news.ycombinator.com/item?id=10213836 if I
| understand correctly, only used in very high security
| environments, but plausibly could be used in many applications
| that don't really need to be connected for input but could just
| broadcast or vice versa (many IoT devices). Thank you, thought
| provoking!
| sublimefire wrote:
| It was an interesting read whilst having a cup of coffee. But
| rather shallow. A couple of mentions of some tools: goreshell,
| shadowpad, scatterbrain. It might be targeting C-suite folks more
| than analysts or other security folks. It is more about how you
| should be slightly afraid to do it on your own and better hire
| SentinelOne to help you.
| 0xEF wrote:
| Now that you mention it, the article does read like curated
| content. I suppose a piece does not have to be directly selling
| anything to be an advertisement. Fluff can do just as good a
| job by simply making readers feel good about a brand.
| nonrandomstring wrote:
| The essence of the article is a topic of concern, but is
| expressed rather lightly in TFA. End runs around security
| happen at the edges. From the bottom; by undermining hardware,
| or code libraries, supply chains. And we're now seeing
| "decapitation attacks" right at the top. Our "western" security
| models have a weakness, with their roots in Prussian military
| organisation and bureaucratic technical management, by default
| they _trust up_. The whole DOGE caper (what I would call a Dr
| Strangelove scenario - variation of insider-threat) exposes
| this as actually very vulnerable.
|
| Cybersecurity services that operate as MSPs (the acronym
| variation where S is for security) hit a fundamental problem. A
| managed security provider becomes a bigger and juicier target
| since all of its clients are implied spoils. If they in turn
| defer-to/buy-from bigger actors up the food chain, those become
| juicier targets too.
|
| This is a frequent chestnut when we interview cybersecurity
| company CEOs. Although it resurfaces the old "Who guards the
| guardians?", there is more to it. One has to actively avoid
| concentrating too much "power" (non-ironically a synonym of
| _vulnerability_ ... heavy lies the crown) in one place, but to
| distribute risk by distributing responsibility for building
| trust relations (TFA mentions this). I expect we'll see more
| and more of this sort of thinking as events unfold.
| PeterStuer wrote:
| I tuned in late to this show. Are they down to the DPRK because
| they already successfully rooted out the MOSSAD, CIA and NSA
| insiders in previous episodes?
| Cthulhu_ wrote:
| It's an American based company, they still assume those parties
| are on their side.
| a3w wrote:
| Or at least powerful enough to just march in with a court
| order, taking the company onto the side of them at a whim.
| praptak wrote:
| A good reason to reconsider using their services if you are
| outside US or even just potentially undesirable in the eyes
| of US administration.
| ElWalkingBeard wrote:
| About 7GB of RAM, in my experience
| motohagiography wrote:
| The key message to me was a reminder that setting up front
| companies to purchase security services and software for reverse
| engineering and competitive analysis is table stakes.
|
| I knew it was common, even standard in some playbooks, but I
| always underestimate the parallel black market services economy.
| mediumsmart wrote:
| I am glad they don't have to pay for training - rule 1,2 and 3 -
| keep your overheads low.
| gitroom wrote:
| Straight up, I always underestimate how much black market stuff
| runs alongside the official security game. you think closing
| those leaks really comes down to better tech or is it always just
| smarter people?
| ganoushoreilly wrote:
| The excess use of -- within this really screams "I Used ChatGPT
| to write/rewrite this".
___________________________________________________________________
(page generated 2025-04-30 23:01 UTC)