Detecting Info Leaks with ClawBack

Clawback smallClawBack Is Purpose Built to Detect Info Leaks

ClawBack is MicroSolved’s cloud-based SaaS solution for performing info leak detection. We built the tool because we worked so many incidents and breaches related to three common types of info leaks:

  • Leaked Credentials – this is so common that it lies at the root of thousands of incidents over the last several years, attackers harvest stolen and leaked logins and passwords and use them anywhere they think they can gain access – this is so common, it is even categorized by OWASP as a specific form of attack: credential stuffing 
  • Leaked Configurations – attackers love to comb through leaked device and application configuration files for credentials, of course, but also for details about the network or app environment, sensitive data locations, cryptographic secrets and network management information they can use to gain control or access
  • Leaked Code – leaked source code is a huge boon for attackers; often leaking sensitive intellectual property that they can sell on the dark web to your competitors or parse for vulnerabilities in your environment or products

MicroSolved knows how damaging these info leaks can be to organizations, no matter the type. That’s exactly why we built ClawBack to provide ongoing monitoring for the info leak terms that matter most to you.

How to Get Started Detecting Info Leaks

Putting ClawBack to work for you is incredibly easy. Most customers are up and monitoring for info leaks within 5 minutes.

There is no hardware, software, appliance or agent to deploy. The browser-based interface is simple to use, yet flexible enough to meet the challenges of the modern web. 

First, get a feel for some terms that you would like to monitor that are unique to your organization. Good examples might be unique user names, application names, server names, internal code libraries, IP address ranges, SNMP community strings, the first few hex characters of certificates or encryption keys, etc. Anything that is unique to your organization or at the very least, uncommon. 

Next, register for a ClawBack account by clicking here.

Once your account is created, and you follow the steps to validate it, you can login to the ClawBack application. Here, you will be able to choose the level of subscription that you would like, picking from the three different service levels available. You will also be able to input your payment information and set up additional team members to use the application, if available at your subscription level. 

Next, click on Monitoring Terms and input the terms that you identified in the first step. ClawBack will immediately go and search for any info leaks related to your terms as you put them in. Additionally, ClawBack will continually monitor for the terms going forward and provide alerts for any info leaks that appear in the common locations around the web. 

How To View Any Info Leaks

Reviewing any info leaks found is easy, as well. Simply click on Alerts on the top menu. Here, your alerts will be displayed, in a sortable list. The list contains a summary of each identified leak, the term it matched and the location of the leak. You can click on the alert to view the identified page. Once reviewed, you can archive the alert, where it will remain in the system and is visible in your archive, or you can mark it as a false positive, and it will be removed from your dataset but ClawBack will remember the leak and won’t alert you again for that specific URL. 

If you have access to the export function, based on your subscription level, you can also so export alerts to a CSV file for uploading into SIEM/SOAR tools or ticketing systems. It’s that easy! 

You can find a more specific walkthrough for finding code leaks here, along with some screen shots of the product in action.

You can learn more about ClawBack and view some use case videos and demo videos at the ClawBack homepage.

Give ClawBack a try today and you can put your worries to rest that unknown info leaks might be out there doing damage to your organization. It’s so easy, so affordable and so powerful that it makes worries about info leaks obsolete.

Underground Cyber-Crime Economy Continues to Grow

I read two interesting articles today that reinforced how the underground economy associated with cyber-crime is still growing. The first, an article from Breech Security, talked about their analysis of web-hacking from 2007. Not surprisingly,  they found that the majority of web hacking incidents they worked last year were geared towards theft of confidential information.

This has been true for the majority of incident response cases MSI has worked for a number of years now. The majority are aimed at gaining access to the underlying database structures and other corporate data stores of the organization. Clearly, the target is usually client identity information, credit card info or the like.

Then, I also read on darknet this morning that Finjin is saying they have been observing a group that has released a small P2P application for trading/sale of compromised FTP accounts and other credentials. Often, MSI has observed trading and sale of such information on IRC and underground mailing lists/web sites. Prices for the information are pretty affordable, but attackers with a mass amount of the data can make very good incomes from the sale. Often, the information is sold to multiple buyers – making the attacker even more money from their efforts.

Underground economies have been around since the dawn of capitalism. They exist for almost every type of contraband and law enforcement is usually quite unsuccessful at stamping them out. Obviously, they have now become more common around cyber-crime and these events that have “bubbled to the surface” are only glimpses of the real markets.

It is critical that information security teams understand these motivations and the way attackers think, target victims and operate. Without this understanding, they are not likely to succeed in defending their organizations from the modern attacker. If your organization still spends a great deal of time worrying about web page defacements and malware infections or if your security team is primarily focused around being “net cops”, it is pretty likely that they will miss the real threat from today’s cyber-criminals and tomorrow’s versions of organized crime.