Dropbox invests heavily in our security program. We have lots of teams dedicated to securing Dropbox, each working on exciting things. Some recent examples covered on our tech blog include:

Our Product Security team rolled out support for WebAuthn to boost user adoption of two-step verification and upleveled our industry-leading public bug bounty program

Because security is everyone’s responsibility, our Security Culture team helps our employees make consistently secure and informed decisions that protect Dropbox, our users, and our employees

Our Detection and Response Team (DART) implemented extensive instrumentation throughout our infrastructure to catch any indications of compromise.

And that’s just a few teams so far—you’ll hear from all of our teams in upcoming blog posts.

This post will focus on our Offensive Security team. These are the people that leverage real-world adversarial techniques to test and improve the effectiveness of our security program at Dropbox.

We recently conducted an attack simulation as a red team exercise with a third-party vendor. Penetration testing is great for identifying unknown vulnerabilities in your systems and showing how susceptible they are to being exploited; however, the tester’s goals are typically limited to just that. What about post-exploitation? An attacker who wants access to our user data, for example, still has their work cut out for them. They need to learn how to navigate through our environments, breach other internal security barriers, exfiltrate data out of our networks, and do so without raising alarm. Or at least, if they do raise alarm, be able to accomplish their goals before we’re able to kick them out.

We’ve invested a lot in our hardening, detection, alerting, and response capabilities at Dropbox. Even if an attacker breaks in and accesses various systems in our environments without triggering an alarm, we have extensive instrumentation to trace activity post-exploitation. So how do we know we’re doing a good job? That’s the kind of testing we were going for with our most recent attack simulation. Our testing goals included measuring the steady state of our detection and alerting program, as well as measuring our team’s response once a breach has been identified. Identifying new ways to break into Dropbox was in scope for this engagement, but even if none were found, we were going to simulate the effects of a breach by planting malware ourselves (discreetly, of course, so as not to tip off the detection and response team).

However, we didn’t have to simulate this breach. Our third-party partner, Syndis, found vulnerabilities in Apple software we use at Dropbox that didn’t just affect our macOS fleet; they affected all Safari users running the latest version at the time (a so-called zero-day vulnerability). When chained together, these vulnerabilities allowed an attacker to run arbitrary code on a victim’s computer by having the victim simply visit a maliciously crafted web page.

We notified Apple of these issues, and they were quick to acknowledge our report. Apple released fixes for the issues in about a month, which is much better than the industry norm of “within 90 days.” The issues were granted CVEs, and we’ve validated the fixes, as did Syndis. We provide details of the vulnerabilities and the validation of the fixes in the Appendix.

This engagement was a win for us, for Apple, and for internet users on various levels. Not only did we get to test our defensive posture, we also made the internet safer by identifying and reporting vulnerabilities in macOS. Syndis went above and beyond in finding this exploit chain during our engagement, and using it during our attack simulation exercise allowed us to test our readiness against attacks using zero-day vulnerabilities. This is an excellent example of the security community becoming stronger because of good actors doing the right thing.

Dropbox protects the data of more than 500 million registered users. We know that we are targeted by adversaries that could develop and use zero-day exploits against us, and we need to protect ourselves accordingly. The risk of getting hit with zero-day exploits is a reality of being connected to the internet, but detecting these is tricky. A powerful zero-day will always gain a foothold, so this was a test of our instrumentation for detecting and alerting on post-exploit activity. Our partner noted “Dropbox demonstrated admirable monitoring, detection, and incident response” after the engagement. Although our teams and systems performed well against this well-armed adversary, we won’t get complacent. Extensive independent validation will always be a core strategy of the Dropbox Security Team, and we’ll continue to adapt and learn from each new incident.