HBGary


HBGary’s Greg Hoglund: The Art Of RAT Hunting In the Enterprise

Threatpost spent much of the last year chasing after Greg Hoglund, the founder and CEO of HB Gary. First, it was to get his reaction to the bruising encounter his firm had with the hacking group Anonymous. Then it was an endless series of requests on the aftermath of that hack, including the departure of HBGary Federal CEO Aaron Barr, and the company’s decision to pull out of the RSA Conference in 2011. When Greg finally did speak out it wasn’t to us. So we were happy when Hoglund, whose firm was recently acquired by the company Mantech International Corp., agreed to speak at the Kaspersky Lab Security Analysts’ Summit in Cancun, Mexico in February. His talk there on “Lateral Movement and Other APT Interaction Patterns Within the Enterprise” reinforced Hoglund’s reputation as one of the top experts on malicious code. Threatpost editor Paul Roberts caught up with Hoglund after the speech. And, while Anonymous and HBGary Federal were not up for discussion on the record, Hoglund offered some great insights into the delicate art of tracking down remote access trojans (or RATs) after they have a foothold in your network, as well as the mistakes companies make in trying to prevent and respond to security incidents.


Editor’s note: Finding Aaron Barr at this year’s DEFCON hacker conference in Las Vegas was like a giant game of “Where’s Waldo.” Given the events of the past year, you can hardly blame him for keeping a low profile. First there was the attack on him and his then-employer, HBGary Federal, his decision to part ways with HBGary, his work to rehabilitate his image and turn his personal misfortunes into a ‘teaching moment’ for the industry, and then the legal wrangling in recent weeks that threw cold water on his plans to take part in a panel discussion about Anonymous at DEFCON. Barr was courted by numerous news outlets at the show, including the mainstream media. But he preferred, for the most part, to keep his counsel. So when Aaron offered to contribute his thoughts on this year’s DEFCON to Threatpost, we jumped at it. Here’s what he had to say.

Alleged Anonymous Leader Topiary Arraigned in London

The authorities have charged Jake Davis, a UK resident from the remote Shetland islands, with five criminal counts. The 18 year old is alleged to be “Topiary,” a prominent member of the inner circle of the hacking groups Anonymous and Lulz Security. Davis, whose arrest was announced on July 27 (http://threatpost.com/en_us/blogs/uk-police-arrest-man-they-say-anonymous-member-topiary-072711), is charged with violations of the UK’s Computer Misuse Act, Serious Crime Act and Criminal Law Act, including “Unauthorised access to a computer system,” “Conspiracy with others to carry out a Distributed Denial of Service Attack on the website of the Serious and Organised Crime Agency,” and other conspiracy charges. He appeared in City of Westminster Magistrates’ Court on Monday 1 August, according to the Metropolitan Police (http://content.met.police.uk/News/Man-charged-with-ecrime-offences/1260269346230/1257246745756). The teenager, who appeared in court wearing dark sunglasses and a blue denim shirt, was released on bail until August 30, but is required to wear a monitoring bracelet and abstain from using the Internet, according to a report in the UK’s Daily Telegraph (http://www.telegraph.co.uk/technology/news/8674987/LulzSec-hacking-Jake-Davis-had-cache-of-750000-passwords.html). Controversy has swirled around the arrest, with astonishment that a teenager in such a remote corner of the British Isles would be at the center of an international hacking collective, and members of Anonymous claiming that authorities arrested the wrong man.
However, the Metropolitan Police have issued numerous statements suggesting that they have strong evidence linking Davis to the hacker known as Topiary. If that is true, it would be a major score in the international law enforcement effort to bring down the group, which has carried out a string of high profile hacks in the last year, including attacks on HBGary, Sony, the CIA, the UK’s Serious and Organized Crime Agency and others. Leaked IRC chat logs purporting to be from a restricted channel used by the group’s leadership suggest that Topiary was a central player in the attacks on HBGary Federal and its then-CEO Aaron Barr. A user with the IRC handle Topiary is quoted in those logs directing elements of that attack, including the publication of stolen e-mails from the firm. He also served as a spokesman for the group, granting interviews to the press, though leaked chat logs suggest that he was interested in passing himself off as an “observer” of the group rather than a leading member. The arrest is the second of a top ranked Anonymous member in recent weeks. In June, authorities arrested 19 year-old Ryan Cleary of Essex, England. Cleary is alleged to have operated a botnet used to carry out denial of service attacks, including an attack on the website of the Serious and Organised Crime Agency.

This is the second in a two-part interview with Aaron Barr, the former CEO of HBGary Federal.

In the second half of his exclusive interview with Threatpost, former HBGary CEO Aaron Barr – speaking before the arrest of alleged Lulzsec member Ryan Cleary in the UK – talked about the likely law enforcement reaction to the Anonymous and Lulzsec hacks, the mainstream media’s portrayal of the hack of HBGary, as well as how he was picking up the pieces after the embarrassing hack of his employer.
