fckgw 3 days ago

> The standout red flag was that the unique machine name used by the individual was the same as one that we had tracked in several incidents prior to them installing the agent.

The machine was already known to the company as belonging to a threat actor from previous activity

glitchc 2 days ago | parent | next [-]

Yes, but only according to the company's own logs, which were not externally validated. To rephrase, the company thinks this was an active attacker based on logs its own tool generates. It does not discount the possibility that the tool generated erroneous logs or identified the wrong machine(s).

bornfreddy 3 days ago | parent | prev | next [-]

That's not very convincing. They still abused trust placed in them - by an active attacker, granted, but still... This seems like a legally risky move and it doesn't inspire trust in Huntress.

fckgw 3 days ago | parent [-]

Whose trust? Their job is to hunt down and research threat actors. The information gained from this is used to better protect their enterprise customers.

This gains more trust with their customers and breaking trust with ... threat actors?

viccis 3 days ago | parent [-]

> Whose trust? Their job is to hunt down and research threat actors

No, their job is to provide EDR protection for their customers.

cybergreg 3 days ago | parent [-]

Threat intelligence is a thing. In fact, there are entire companies that sell just that. In fact, there are entire government organizations that do just that.

viccis 2 days ago | parent [-]

Sure but that's not what their customer was engaging with them to do. It's not ethical to sell "EDR" services and then use that access to spy on your customers for intelligence purposes.

viccis 3 days ago | parent | prev [-]

That is what I said, yes.