RISKY BIZ SOAP BOX: ROOT9B ON AGENTLESS THREAT HUNTING

PATRICK GRAY
MAY 4, 2018

“Hey everyone and welcome to the Risky Biz Soap Box, the podcast where vendors pay us to tell you all about their stuff. This is basically the podcast series where we nerd out on stuff people have built. It’s marketing for them, and on the listener side it’s really just designed to let you know what the participating company actually does in as simple a way as possible.

And this month’s soap box is oh-so-controversial… it’s brought to you by root9B.

Some of you would know the company through negative reporting by a friend of the show, Brian Krebs, who’s written about them twice – one piece said the company’s 2015 report into APT28 mistook the activity of an African phishing gang for Fancy Bear activity, and another, last year, said the company had ceased to exist.

So, when I got an email from root9B asking if they could do one of these soap box podcasts last year, I was, honestly, a bit reluctant. But, after spending a bunch of time on the phone with one of their people I decided hey, it’s the Soap Box, and stopping them from participating based on a couple of reports they dispute probably isn’t fair.

And here’s the thing — their 2015 report into APT28 was actually ok. They dropped a couple of malware hashes and some IP and domain IOCs that later panned out. At the time Krebs on Security quoted a bunch of people saying the root9B analysis was dead wrong… but as I say, it wasn’t.

I don’t think it helped that the marketing department obviously wrote the thing, but yeah, I did take a look at it and it turns out the German parliament was owned by recompiled versions of the same samples root9B had uncovered, using the same C2. So, I think we can say that one panned out. They *had* found a malicious APT28 DLL and they correctly identified the associated C2 infrastructure, so I feel that Krebs’ report probably wasn’t fair. No offence to Brian of course, I’m not perfect myself and we’re only as good as what our sources tell us.

And look, as for them being out of business, they’re clearly not. They were part of some weird reverse listing on the NASDAQ that went sideways, but the company remains. It’s now a private company, has around 100 staff, and has just released a new version of its product at the RSA conference in San Francisco.

So, it being the Soap Box podcast we’re going to talk to them about what it is they’re actually doing. And I guess the way you’d describe root9B is as a threat hunt product maker and managed threat hunt provider. And their approach is a bit different — they are agentless, they basically authenticate to a machine, inject various payloads into memory, and use that to pull back all sorts of telemetry from machines. They say this means it’s much less likely that attackers will see them… they offer this as a product, ORION, or they offer it as a service. They say their managed services customers come to them because they’re pretty unhappy with their MDR and MSSP providers and want better signaling…

I do think the approach here is interesting… I guess their stuff gives you what software like Google’s GRR gives you, but they’re pushing it out as memory-injectable code for stealth… anyway, you’ll hear all about it in a minute.

So, I was joined by John Harbaugh, COO of root9B, and Mike Morris, CTO. Both of these guys are ex-US Air Force cyber before jumping out to the private sector. And the company really started off doing training before developing their platform ORION. I asked Mike if that was an accurate summary of how the business started and here’s what he had to say.”

This was originally posted by Risky.Biz.