This is the third story now that William Alden has written about Palantir that appears to be based on internal documents.
His profile of the company a month ago opened with:
> A trove of internal documents and insider interviews has pulled back the curtain on one of Silicon Valley’s most secretive and highly valued companies, Palantir Technologies.
There isn't much public interest in large parts of the profile nor the follow-up stories, so it has a feeling of a disgruntled employee. A really difficult class of threat to defend against and stop, but each additional story and leak provides a few more bits of data that can narrow down the suspect pool.
I really hope the leaker and journalist in this case know what they're getting themselves into - because based on the pentest report the infosec team at Palantir appear capable of tracking the leak down.
I don't doubt that Palantir has their skeletons, but having read a bit of Mitnick's stuff, this just seems like business as usual.
Finding the leak is going to involve assigning different truths to different individuals (like what Hollywood does with film previews), which will itself lead to more cultural issues.
Who among those employees leaked?
You can only know by access if that information was sufficiently isolating or unique.
Like you said, it's completely counterproductive and, I believe, actually not news to publish the results of an old red-team test without any information about what has been mitigated since.
Hardly a good advert. I would have thought a pen testing firm would make client confidentiality an extremely high priority.
My guess is a Palantir employee who feels that, due to the volume and nature of the data they handle, it needs to be publicly known their security isn't up to scratch.
Meanwhile, if it came out that they leaked a pen test report, it would literally destroy their company. All their current clients would ditch them, they'd get sued into oblivion, and no one would trust the senior people there in the industry ever again. Would be a very dumb suicidal publicity stunt.
Not a chance. Maybe an employee of that company who doesn't like Palantir did it, but the company doing the pentests doing this on purpose is not on the table.
The upside does not begin to counter the downside (such as not having a company any more).
But you can bet they're digging very fanatically right now to figure out where the leak is.
I don't think they should be lauded for doing their jobs and discovering they failed at them. If your QA team discovers huge numbers of bugs, you don't laud yourself for doing QA.
If a leading accounting firm hires an outside auditor and discovers their own books are rotten, should they be lauded? I guess there's a silver lining in everything.
I guess I'd be willing to trust Palantir's advice on hiring penetration testers, but not on securing my systems.
It is not a reasonable expectation that software, even security software or software developed with security expertise, is secure.
Chances are, it was leaked by a disgruntled employee. But the fact is that the red team started on the internal network and used tactics that would work on darn near every org these days.
Palantir is no different. The only issue is that their pentest report was leaked.
Holding the rich to account. How very non politically correct and unjournalistic of them.
How about when they publicly outed him as gay, when he wasn't out to most of the general public?
Source, but don't visit it, in case you give those parasites a couple of dimes in the process:
Publishers -- online & off -- now fear that a single lawsuit has the potential to shut them down. Many on hn have applauded the cases' outcome. Yet it presents a future where big corporations and the world's ultra wealthy can fund endless suits against hostile news outlets until they fold. That is a chilling future in exchange for being free of the drivel of horse shit Gawker and Jezebel published daily.
Bezos and other business minded press owners recognize this. Even if they aren't free speech idealists, they don't appreciate dramatic adjustments to their company valuations due to previously unforeseen external threats.
One can weave a lot of threads between Thiel, Buzzfeed, Facebook, and even Trump. Maybe it has nothing to do with Peter Thiel and it was just a few disgruntled employees or two.
One thing is certain, when sources complain about Thiel or his companies now and in the future, journalists are going to be paying a little more attention than they did before.
For what it's worth, in regard to the original article, it doesn't strike me as particularly damning to Palantir. If a pentest fails, either you hired someone who wasn't that good, or your network is airgapped and your devices have zero external ports.
Now, that's not to say an advanced attacker still can't be defended against, but as a sysadmin who has seen the inside of companies from law firms to publicly traded big guys to the IT firms themselves... And that's that almost no management has put forward the personnel or the budgets or the culture needed to really secure things.
Hell, a family member of mine recently got a tour of SpaceX and was appalled at the security. If Musk and his money don't do it right or well, almost nobody is.
I've basically told people who run Windows systems for business they're already compromised most likely, and the best thing to do is to be doing HIDS and good log analysis so you catch it when it happens quickly... but you probably aren't going to stop any kind of semi-advanced attacker.
So to be frank, it completely makes sense to me that a company like Palantir would be massively vulnerable from the inside. The edge of the sword they live on cuts both ways. These days, it's about response time and forensic after-action.
"When Palantir’s information security employees finally discovered the intruders, they “provided a rapid network response in which they identified and mitigated” the “majority” of the red team’s actions within days, the report says. Compared with other large companies, this defensive response was unusually robust, the industry source said, based on a reading of the report."
Many nation states prefer not to be detected when conducting espionage. And if they are detected, they really prefer to not have the attack be attributed to their country. At the very least, they want some plausible deniability; ideally full-on anonymity or framing, if they can.
Sometimes they really don't care if the source of the attack is known. It depends on the political rationale behind it. But when they do care, they're definitely at more of a disadvantage than a hired red team. The red team has no real anxiety over whether they're caught or attributed, and can act more quickly and aggressively.
The US can say "shame on you" because they feel they have enough evidence to support a narrative, and China will say, "How can you engage in such irresponsible rhetoric?" The Chinese government will condemn rogue criminals and perform a cursory investigation and that will be the end of it. And then all countries and all companies in the world continue operating as usual.
No political consequences. All nations understand it.
Of course, those indicators can be intentionally or unintentionally misleading or ambiguous. But by finding a dozen or more consistent IOCs/TTPs without any inconsistent ones, combined with a motive, often you can start making some possible accusations. Those assumptions will often remain unproven, but keep in mind government APT groups are still run by humans, and humans can always be sloppy.
Also, in some cases one state may have so thoroughly compromised another that they could find explicit evidence that an attack was ordered.
I've certainly heard it said that if you're a big tech company, you are already infiltrated by state-sponsored hackers. But since I've never seen one of these red-team reports, this synopsis provides a lot of color on how people can get around inside the network, once they get in, that I wasn't aware of (obviously I don't work in opsec).
Too bad for Palantir that this got leaked, but perhaps it can be instructive for many of us.
In the past, companies mostly just accepted this risk and focused on protecting their network perimeter. Over time, this attitude has shifted and organisations now recognise the insider threat (e.g. a rogue employee/contractor or an external attacker who has already breached the perimeter).
Having read the article, I'm not sure whether to read it as: "The extent to which the red team was able to exploit the network is a sign that Palantir's network security is bad" or "Despite Palantir following best practices and having a lot of smart people on their security team, the red team was still able to do a lot, which bodes really badly for other companies that don't have the same internal resources"?
Perhaps best practices might include more and more varied trip wire software of this nature?
Disclaimer: I'm a civilian. My exposure to infosec begins and ends with being careful about email and USB drives.
Clueless would be refusing to have teams test your security.
"I can’t stress how important this change is – an administrator who connects using “normal” RDP exposes his or her credentials to the remote system with every connection. RDPRA, on the other hand, ensures that credentials aren’t exposed to the attacker on the remote computer being managed."
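The quote above is about RDP Restricted Admin mode (RDPRA). As an added example that is not from the thread or the quoted article, here is a small PowerShell check a defender can run on the server being administered to see whether Restricted Admin mode is allowed, and to enable it if not. It assumes local administrator rights and a Windows version that supports Restricted Admin mode; the registry location and value name are Microsoft's documented ones.

```powershell
# Added example, not from the original thread.
# Audits and optionally enables RDP Restricted Admin mode on the local host.
# Restricted Admin connections ("mstsc /restrictedAdmin") do not send the
# administrator's credentials to the remote machine, so a compromised host
# cannot harvest them from the session.

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valName = 'DisableRestrictedAdmin'   # DWORD: 0 = Restricted Admin allowed

function Get-RestrictedAdminState {
    # Returns 'Enabled', 'Disabled', or 'NotConfigured' (value absent).
    # Treat anything other than 'Enabled' as "not explicitly allowed".
    $prop = Get-ItemProperty -Path $lsaKey -Name $valName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NotConfigured' }
    if ($prop.$valName -eq 0) { return 'Enabled' }
    return 'Disabled'
}

function Enable-RestrictedAdmin {
    # Setting DisableRestrictedAdmin = 0 allows Restricted Admin connections.
    New-ItemProperty -Path $lsaKey -Name $valName -PropertyType DWord -Value 0 -Force | Out-Null
}

$state = Get-RestrictedAdminState
Write-Output "Restricted Admin mode on $env:COMPUTERNAME: $state"

if ($state -ne 'Enabled') {
    Enable-RestrictedAdmin
    Write-Output "Restricted Admin mode on $env:COMPUTERNAME: $(Get-RestrictedAdminState)"
}
```

Roll the setting out via Group Policy rather than per host in a real estate, and pair it with the client-side rule that administrators only ever connect with the `/restrictedAdmin` switch.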
It's weird that this story is considered newsworthy. I skimmed over the article and it looks about normal for the industry. As sad as it sounds, they aren't doing much worse than many other companies out there.
Palantir basically started the red team in a position where they had successfully spear phished someone, and that seems to be common practice. Is trying to protect against it just a waste of time, and should the resources be invested into proper segmentation to protect against the successful spear phish case? Or are people usually 80/20ing this and taking anti spear phish measures, but only to an extent that covers a lot of ground at relatively low cost/time?
The one saving grace here is that the red team had to be 'let in', in other words, they started from a position that is substantially different from being a complete outsider.
It also makes you wonder what else was leaked besides the report.
A bit disappointed they seem to have started on the internal network rather than coming in from the outside :)
Bizarre to watch a company move like that ... a bit unnerving in an Ender's Game sort of way. Information manipulation, and suddenly you wonder who's wagging the dog.
This isn't really news. A company that successfully fends off multiple independent pentests would be news. I've worked for a company that actually did quite well on one pentest, but the testers were pretty terrible.
Those are just two more aspects of controlling information.
I think you're right. I would imagine this will prompt some tough questions both within their existing customer franchise and in pitches for new business.
Here's how Palantir describe their company cybersecurity platform on their own website:
> With Palantir, your enterprise can finally detect advanced threats that lie hidden within your data. All of it. Structured network logs from proxy to IDS, VPN, anti-virus, DLP, DNS queries, malware tools, and application logs. Contextual data like email, print logs, facility access logs, internal chat logs, and human resources data. Open source and third party data. Our technology integrates it all into a single environment, and separates actionable signal from the noise so you can protect your network.
So the obvious question if you're the CEO or CISO of a company that does or is considering doing business with Palantir is, "You guys have unfettered access to your own network -- you can deploy your own cyber solutions without any restraints whatsoever. And yet you couldn't detect these intruders on your own system?"
Importantly, I'm not sure this would be a fair criticism -- it sounds like the white hat hackers they hired were very very good at covering their tracks -- but there's no doubt this leak is going to result in some tough conversations.
would have detected that intrusion?