Offense to defense: one way we’ve made ExpressVPN more secure


At ExpressVPN it’s the combination of our innovative technology and the expertise of our people that keeps users safe. In a previous post about Daniel Gericke, we outlined why he has been a valuable contributor in enabling us to best protect privacy and security. Below is a snapshot of some of our team’s achievements under his leadership.

Building our internal offense capabilities

Operating an internal offensive security team, or “red team,” is a common cybersecurity practice. By simulating external attackers, such a team identifies potential security gaps and weaknesses—which we can then fix or mitigate before real attackers can exploit them. The most effective red team is one that can best simulate potential adversaries—and Daniel is uniquely positioned to explain how modern threat actors penetrate systems and services.

Under Daniel’s leadership, ExpressVPN has built one of the strongest red teams in not just the VPN industry, but in the broader cybersecurity space. Our team recently placed in the top 3% in a “capture the flag” competition, outpacing representatives from hundreds of leading companies in technology, finance, and other industries.

Building our internal defense capabilities

Daniel has also been key in building up our Security Operations Center (SOC), which monitors all of our internal IT systems plus backend systems and services for intrusions. The SOC watches for and responds to signs of ExpressVPN’s systems being attacked. Our SOC was the champion in a recent “Boss of the SOC” contest run by Splunk, which tested teams’ ability to handle the types of real-world security incidents that security analysts face regularly.

Using his in-depth knowledge of adversarial tactics, Daniel ensured that our monitoring included measures such as logging the commands executed by any admin on our non-VPN servers, which helps us catch potential breaches and other unauthorized command execution by external or internal threat actors. He also put in place a project to deploy canary tokens throughout our non-VPN server infrastructure, employee IT systems, and more. Canary tokens are one of the best and most successful early warning systems for a breach available, and ExpressVPN has deployed them at scale.

How Daniel Gericke improved ExpressVPN risk assessment and mitigation

Beyond our red team and SOC, Daniel’s expertise and ability to understand adversaries help our team properly assess and mitigate risks. The quality of many of our threat models has greatly improved under his leadership.

As a result of a previous Cure53 audit of one of our desktop applications, which identified a security issue around our desktop apps’ remote procedure call (RPC) service, Daniel dug deeper and identified a more significant issue around the improper validation of the host header. On the surface, the bug didn’t appear to be directly exploitable. However, Daniel’s experience allowed him to identify this as a class of bug commonly chained via techniques such as DNS rebinding, which could allow a remote attacker to gain access to the RPC service via a watering hole. This helped us prioritize and speed up the fix in Version 7.10.0 of our Windows app.
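To make the host-header point concrete, here is an added illustration that is not ExpressVPN's app code: a loopback-bound RPC service that only checks the port beside one that matches the Host header against a strict allowlist. The port number, the allowed hostnames and the sample headers are all assumed for the example.

```python
# Constructed illustration (not ExpressVPN's code): Host-header validation on a
# loopback-bound RPC service. With DNS rebinding, the attacker's domain is first
# resolved to their server and later to 127.0.0.1; the victim's browser then
# reaches the local service while still sending the attacker's domain as Host.
# A check that ignores the hostname lets that request through; a strict
# allowlist of the loopback names the service actually answers to does not.
from typing import Callable, Optional

RPC_PORT = 12345  # assumed port for the illustration
ALLOWED_HOSTS = frozenset({"127.0.0.1", "localhost", "[::1]"})


def split_host_port(host_header: str) -> tuple[str, Optional[str]]:
    """Split 'host[:port]', handling bracketed IPv6 literals such as '[::1]:12345'."""
    value = host_header.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return value, None
        host, rest = value[: end + 1], value[end + 1 :]
        return host, (rest[1:] if rest.startswith(":") else None)
    host, sep, port = value.rpartition(":")
    return (host, port) if sep else (value, None)


def weak_host_check(host_header: str) -> bool:
    """Only confirms the port: any hostname that resolves to 127.0.0.1 is accepted."""
    _host, port = split_host_port(host_header)
    return port == str(RPC_PORT)


def strict_host_check(host_header: str) -> bool:
    """Exact match on both a loopback name and the port; anything else is rejected."""
    host, port = split_host_port(host_header)
    return host.lower() in ALLOWED_HOSTS and port == str(RPC_PORT)


# Constructed Host headers with the decision a correct validator should make.
SAMPLE_HOSTS = [
    ("127.0.0.1:12345", True),
    ("LOCALHOST:12345", True),
    ("[::1]:12345", True),
    ("attacker.example:12345", False),  # rebinding: name now resolves to loopback
    ("127.0.0.1.attacker.example:12345", False),
    ("127.0.0.1:12346", False),  # wrong port
    ("127.0.0.1", False),  # port omitted
]


def misclassified(check: Callable[[str], bool]) -> list[str]:
    """Return the sample Host values for which `check` makes the wrong decision."""
    return [host for host, expected in SAMPLE_HOSTS if check(host) != expected]
```

Running `misclassified` over both checkers shows the weak check accepting the rebinding-style headers while the strict allowlist rejects them.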

In another example, ExpressVPN ran several internal hackathons for our client apps, and uncovered a common theme of bugs that were only exploitable because we used a SETUID bit on our engine binary. This meant that it was easier to find ways to escalate privileges or impact the system in unintended ways because our engine binary would always run as root, no matter which user launched it. Daniel pointed out the potential risks and issues with this approach, which led our dev teams to work to re-engineer our app away from using SETUID binaries and ultimately eliminated an entire class of bugs.

Securing our employee IT stack

Daniel has also played a valuable role in improving the security of internal IT systems and policies. He moved ExpressVPN off SonicWall firewalls before that company’s big breach in 2021 and ensured our office networks were properly segregated and isolated. Because of his previous knowledge of browser exploitation vectors, he also helped to implement the Silo cloud browser. Ensuring that browser sessions are rendered in the cloud, and not on our computers, better protects our employees from many browser exploitation vectors. This is especially important for members of our customer Support Team, who directly interact with many unknown outside parties.

Daniel has led ExpressVPN’s security efforts with professionalism and commitment, and we look forward to having him continue to deliver always-improving privacy and security protections to users.
