Cylance blamed for DirectDefense’s ‘botnet’ disclosure

Was Cylance behind DirectDefense’s ‘botnet’ disclosure? Fingers pointed, but proof elusive.


Twenty-four hours after Carbon Black responded to a report from DirectDefense that their Cb Response product was leaking customer information (it doesn't), one Carbon Black executive is pointing the finger at Cylance as the source of the disclosure.

Salted Hash covered the story yesterday.

To recap: DirectDefense published a blog post accusing Carbon Black of being "the world’s largest pay-for-play data exfiltration botnet."

The reason: their product, Cb Response, uploads files to VirusTotal if they're unknown. DirectDefense called this a serious breach of confidentiality, noting that Carbon Black's "prevalence in the marketspace and the design of their solution’s architecture seems to be providing a significant amount in data exfiltration."

The feature at the center of the DirectDefense post is disabled by default. Customers are warned of the risks when it's enabled, including the fact that VirusTotal makes files available to other partners.

"The ability to upload samples to VirusTotal is something customers were practically begging for a few years ago. It wouldn’t surprise me if Carbon Black only added this at customers’ requests," wrote Adrian Sanabria, Director of Research for Savage Security, in a blog addressing the claims made by DirectDefense.

Later in the afternoon, Carbon Black responded to the DirectDefense post, pointing out that the feature is disabled by default, that customers are warned before enabling it, and that DirectDefense had not contacted Carbon Black before publishing. In short, they disputed everything that was published.

The disclosure aspect of the DirectDefense post was a major discussion point with security experts online.

"The fact that DirectDefense notified affected organizations, but not Carbon Black is significant. This implies that DirectDefense realizes this wasn’t Carbon Black’s responsibility, but the responsibility of organizations that enabled the feature, accepting the risk," Sanabria's post noted.

But, as Sanabria pointed out, this wasn't really a disclosure issue, as there was nothing new discovered.

"Most who use publicly accessible sandboxes are well aware of the risks. DirectDefense says they notified organizations affected, which constitutes responsible disclosure in this case," he explained.

Outside of disclosure, other security experts characterized what DirectDefense did as an ill-conceived publicity campaign.

In a conversation with reporter Jeremy Kirk, DirectDefense CEO Jim Broome acknowledged that his blog post about Carbon Black was a stretch, explaining that his company had previously attempted to raise awareness around data leaks related to the sharing of potentially malicious files, but that it didn't get much attention.

"That didn't get a lot of play, so we decided to go with a more sensational title," Broome told Kirk.

DirectDefense later toned down some of their arguments after Carbon Black responded, posting a blog titled "Feature or Flaw, the Risk Still Exists: Our Response to Carbon Black" – but they didn't back down completely, describing the problem as an "architectural or integration issue."


As the Carbon Black / DirectDefense story started to unfold, conversations on Twitter and other locations turned to Cylance, a company that is in direct competition with Carbon Black.

In an email seen by Salted Hash, a PR agency working for Carbon Black summed up one executive's comments on the DirectDefense post by saying they were "put out on behalf of a competitor."

Later in the email, the executive named the competitor directly.

"In reality, this security firm is one of our competitor’s (Cylance's) top partners and is taking a shot directly at Carbon Black. If this disclosure was honestly in the interest of Carbon Black’s customers and the community in general they would have followed a responsible disclosure process and notified Carbon Black before notifying the world," the executive said.

"They clearly did not as this does not have the intentions of the industry in mind, instead it’s a poor attempt at a low blow against Carbon Black."

When asked for a statement concerning the executive's comments and the implication that Cylance was behind the DirectDefense post, a Carbon Black spokesperson said:

"While we were surprised to learn about an existing relationship between the authors of the post and one of our competitors, any questions about their collaboration on the research should be directed at the companies involved."

On August 7, DirectDefense proudly displayed their partner of the year award from Cylance. However, the partner award isn't the only connection between the two firms.

In 2015, Cylance announced that DirectDefense had certified their PROTECT platform for compliance with HIPAA/HITECH. In 2016, Cylance's former Chief Research Officer, Jon Miller, served on an advisory board for DirectDefense. Later that same year, DirectDefense promoted Cylance in a blog about the security challenges their customers would face in the coming year, followed by another promotion in December.

The multiple connections between the two companies have led some to question if the Carbon Black disclosure was some sort of hit piece on behalf of Cylance. However, as a partner, it stands to reason that the two companies would have several connections, and in some cases, would cross-promote each other. As it stands, there is no evidence proving Cylance had anything to do with DirectDefense's actions. In fact, both Cylance and DirectDefense deny any collusion.

In a statement to Salted Hash, Shaun Walsh, SVP of Marketing at Cylance, addressed the speculation over the DirectDefense post:

"The blog was the independent research, opinions and work of the DirectDefense team. They are a member of our reseller community, but Cylance did not participate in any manner with the blog they published."

Jim Broome, president of DirectDefense, said:

"We work with many vendor partners and Cylance is only one of them. We work with competitors of theirs as well. The only reason Carbon Black was called out in our findings was that all of the keys we found were traced back to their Cb Response product. I'm sure that if our analysts had found keys belonging to other vendors, Cylance included, we would have mentioned them, too. Our approach to security is one of brutal honesty, and part of that is keeping the vendors honest when we see something that is putting our customers at risk."

Bigger Picture:

It's a classic case of risk vs. reward. Nothing about Carbon Black's feature is new or unusual, and they're not the only vendor that uploads samples to VirusTotal.

"… it’s worth noting that not all data needs to be sent to a third-party provider for analysis. Much like this example of customers enabling the feature to send data to VirusTotal, care should be taken in determining what types of data to send. The same goes for other cloud-based analysis platforms, such as those that are built in to NGFWs," Sanabria explains in his blog post.

"Remember, once the data leaves your network, there’s no ‘getting it back’. Sharing information can definitely help us all become better at defense, but remember to think carefully about exactly what it is you’re sharing."
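Sanabria's advice can be turned into a gate that sits in front of the upload and decides, per file, what is allowed to leave the network. The Python below is an added example written for this article; it is not code from Carbon Black, DirectDefense, VirusTotal or Savage Security. It models the "unknown file" decision the Cb Response feature makes and applies the "what types of data to send" test to it: look the hash up first (a hash discloses nothing but the hash), submit only executables, and hold back anything that carries a credential. The known-hash set stands in for the analysis service, the sample files are constructed, and the secret patterns are illustrative rather than a complete scanner.

```python
"""Submission gate for unknown files headed to a third-party analysis service.

Illustrative example. The service is modelled as a set of already-known SHA-256
hashes; a real deployment would query the vendor's hash-lookup API instead.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Magic bytes of the executable formats this policy is willing to submit.
EXECUTABLE_MAGIC = (
    b"MZ",                # Windows PE (DOS stub)
    b"\x7fELF",           # ELF
    b"\xfe\xed\xfa\xce",  # Mach-O 32-bit
    b"\xfe\xed\xfa\xcf",  # Mach-O 64-bit
    b"\xcf\xfa\xed\xfe",  # Mach-O 64-bit, little-endian
)

# Content that makes a file a secret in its own right. Illustrative, not exhaustive.
SECRET_PATTERNS = {
    "private key": re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "AWS access key id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "credential assignment": re.compile(rb"(?i)\b(?:password|secret|token)\s*[=:]\s*\S{8,}"),
}


@dataclass
class Decision:
    sha256: str
    action: str                  # "lookup_only", "upload" or "hold"
    reasons: List[str] = field(default_factory=list)


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_executable(data: bytes) -> bool:
    return data.startswith(EXECUTABLE_MAGIC)


def find_secrets(data: bytes) -> List[str]:
    return [label for label, pat in SECRET_PATTERNS.items() if pat.search(data)]


def gate_submission(name: str, data: bytes, known_hashes: Iterable[str]) -> Decision:
    sha = file_hash(data)
    # Step 1: a hash lookup reveals nothing but the hash, so it is always safe.
    # Only files the service has never seen are considered for upload at all.
    if sha in set(known_hashes):
        return Decision(sha, "lookup_only", [f"{name}: hash already known; nothing to upload"])
    # Step 2: content policy. Documents, configs and keys are never auto-submitted,
    # and an executable that embeds a credential is held for a human decision.
    reasons = []
    if not is_executable(data):
        reasons.append(f"{name}: not a PE/ELF/Mach-O executable; non-executables are never auto-submitted")
    reasons += [f"{name}: contains {label}" for label in find_secrets(data)]
    if reasons:
        return Decision(sha, "hold", reasons)
    return Decision(sha, "upload", [f"{name}: unknown executable with no sensitive indicators"])


# Constructed sample inputs (not real files): a minimal PE stub, a PEM private key
# and a .env file using AWS's documented example access key id.
SAMPLE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
SAMPLE_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              b"MIIEpAIBAAKCAQEA...\n"
              b"-----END RSA PRIVATE KEY-----\n")
SAMPLE_ENV = (b"DB_HOST=db.internal\n"
              b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
              b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")

if __name__ == "__main__":
    known = {file_hash(SAMPLE_PE)}  # pretend the service has seen this binary before
    for name, data, seen in [("setup.exe", SAMPLE_PE, known),
                             ("setup.exe", SAMPLE_PE, set()),
                             ("id_rsa", SAMPLE_PEM, set()),
                             (".env", SAMPLE_ENV, set())]:
        d = gate_submission(name, data, seen)
        print(f"{d.action:12} {d.sha256[:12]}  {'; '.join(d.reasons)}")
```

The order matters: the hash check runs before any content inspection, so a file the service already knows never needs to be read for secrets at all, and the default for anything that fails policy is to hold rather than to upload with a warning. The patterns and the executable whitelist are the parts a real deployment would tune to its own data.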

The larger issue, Sanabria continues, is the lack of visibility and control over the data. In fact, he adds, this is such a massive problem that the security industry has all but abandoned it in order to address easier problems.

"Until we can solve the problem of visibility into where corporate data is going, these kinds of issues will continue to take us by surprise."

Copyright © 2017 IDG Communications, Inc.
