Monthly Archives: February 2016

Before A Cyber Attack Happens Use These 6 Questions For Damage Control – Charles Leaver

Written By Michael Bunyard And Presented By Ziften CEO Charles Leaver

The reality of modern life is that if cyber adversaries want to breach your network, then it is simply a matter of time before they succeed. The endpoint is the most common vector of attack, and people are the greatest point of vulnerability in any company. The endpoint device is where they interact with whatever an attacker wants: intellectual property, data, cyber ransom, and so on. There are new Next Generation Endpoint Security (NGES) systems, where Ziften is a leader, that provide the visibility and insight needed to help reduce or avoid the likelihood or duration of an attack. Methods of prevention include reducing the attack surface by eliminating known vulnerable applications, reducing version sprawl, killing malicious processes, and ensuring compliance with security policies.

But prevention can only go so far. No system is 100% effective, so it is essential to take a proactive, real time approach to your environment: watching endpoint behavior, detecting when breaches have taken place, and responding immediately with remediation. Ziften also provides these capabilities, commonly called Endpoint Detection and Response, and organizations should change their mindset from “How can we prevent attacks?” to “We are going to be breached, so what do we do then?”

To understand the true ramifications of an attack, organizations need to be able to look back and reconstruct the conditions surrounding a breach. Security investigators need answers to the following six questions, and they need them quickly, since Incident Response staff are outnumbered and working within limited time windows to reduce damage.

Where was the cyber attack behavior first seen?

This is where the ability to look back to the point in time of initial infection is critical. To do this successfully, companies need to be able to go as far back in history as required to identify patient zero. The unfortunate state of affairs, according to Gartner, is that when a breach happens the average dwell time before it is identified is a shocking 205 days. According to the 2015 Verizon Data Breach Investigations Report (DBIR), in 60% of cases attackers were able to compromise companies within minutes. That is why NGES systems that do not continuously monitor and record activity, but instead periodically poll or scan the endpoint, can miss the initial, critical compromise. DBIR also found that 95% of malware types appeared for less than a month, and four out of five did not last a week. You need the ability to continuously monitor endpoint activity, look back in time (however long ago the attack occurred), and reconstruct the initial infection.

How did it behave?

What happened step by step after the initial infection? Did malware execute for a second every five minutes? Was it able to acquire elevated privileges? A continuous picture of what happened behaviorally at the endpoint is critical to get an investigation started.

How and where did the cyber attack disperse after preliminary compromise?

Generally the attacker is not after the data available at the point of infection, but rather wants to use it as an initial beachhead from which to pivot through the network and find the valuable data. Endpoints include the servers that the endpoints connect to, so it is essential to see a complete picture of any lateral movement that happened after the intrusion, to understand which assets were compromised and possibly also infected.

How did the infected endpoint(s) behavior(s) change?

What was going on before and after the infection? What network connections were being attempted? How much network traffic was flowing? What processes were active before and after the attack? Immediate answers to these questions are essential to fast triage.

What user activity took place, and was there any possible insider participation?

What actions did the user take before and after the infection occurred? Was the user present at the machine? Was a USB drive inserted? Was the time interval outside their typical usage pattern? These and many more artifacts should be available to paint a complete picture.

What mitigation is needed to fix the cyber attack and avoid another one?

Reimaging the infected computer(s) is a lengthy and costly solution, but sometimes it is the only way to know for sure that all of the malicious artifacts have been eliminated (although state-sponsored attacks may embed into system or drive firmware and survive even reimaging). With a clear picture of all activity that happened, however, lesser measures such as removing malicious files from all affected systems may be adequate. Re-examining security policies will most likely be necessary, and NGES systems can help automate responses should similar circumstances occur in the future. Automatable responses include sandboxing, cutting off network access from infected machines, killing processes, and much more.

Do not wait until after a cyber attack takes place and you have to hire an army of specialists and spend your time and money piecing the facts together. Make sure you are prepared to answer these six key questions and have all the answers at your fingertips in minutes.
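As an added illustration (not part of the original post and not Ziften's code), here is how questions 1 and 3 above can be answered from continuous endpoint telemetry: find patient zero, list the hosts the binary spread to in order, identify the internal connections that preceded each new infection, and compute dwell time. The event records, hostnames, addresses and hash values are constructed placeholders.

```python
from datetime import datetime

# Constructed endpoint telemetry (not real data): one record per process start
# or outbound connection, as a continuous endpoint monitor would record it.
# HASH_MAL and HASH_CHROME are placeholder hashes, not real indicators.
EVENTS = [
    {"ts": "2015-03-01T09:12:00", "host": "ws-17", "type": "exec", "sha256": "HASH_MAL", "user": "jdoe"},
    {"ts": "2015-03-01T09:13:30", "host": "ws-17", "type": "netconn", "sha256": "HASH_MAL", "dst": "198.51.100.7"},
    {"ts": "2015-03-01T09:20:00", "host": "ws-17", "type": "netconn", "sha256": "HASH_MAL", "dst": "10.0.0.5"},
    {"ts": "2015-03-01T09:21:10", "host": "srv-05", "type": "exec", "sha256": "HASH_MAL", "user": "SYSTEM"},
    {"ts": "2015-03-02T11:00:00", "host": "ws-22", "type": "exec", "sha256": "HASH_CHROME", "user": "asmith"},
    {"ts": "2015-03-04T08:00:00", "host": "srv-05", "type": "netconn", "sha256": "HASH_MAL", "dst": "10.0.0.9"},
    {"ts": "2015-03-04T08:02:00", "host": "srv-09", "type": "exec", "sha256": "HASH_MAL", "user": "SYSTEM"},
]
# Constructed asset inventory mapping internal addresses back to hostnames.
IP_TO_HOST = {"10.0.0.3": "ws-17", "10.0.0.5": "srv-05", "10.0.0.9": "srv-09"}

def first_seen(events, sha256):
    """Host -> timestamp of the binary's first execution there, in spread order."""
    seen = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "exec" and e["sha256"] == sha256:
            seen.setdefault(e["host"], e["ts"])
    return seen

def patient_zero(events, sha256):
    """Question 1: earliest (host, ts) across the fleet, the initial point of infection."""
    seen = first_seen(events, sha256)
    return min(seen.items(), key=lambda p: p[1]) if seen else None

def pivots(events, sha256):
    """Question 3: (src, dst, ts) for each connection from an already infected host
    to an internal host on which the binary first executed after that connection."""
    seen = first_seen(events, sha256)
    hops = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "netconn" or e["sha256"] != sha256:
            continue
        src_ts, dst = seen.get(e["host"]), IP_TO_HOST.get(e["dst"])
        if src_ts and dst in seen and src_ts <= e["ts"] < seen[dst]:
            hops.append((e["host"], dst, e["ts"]))
    return hops

def dwell_days(events, sha256, detected_at):
    """Whole days between the first execution and the moment the team noticed."""
    pz = patient_zero(events, sha256)
    if pz is None:
        return None
    return (datetime.fromisoformat(detected_at) - datetime.fromisoformat(pz[1])).days
```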


In All Probability Compromised Endpoints Will Have Started The IRS Hack – Charles Leaver

Written By Michael Steward And Presented By Charles Leaver CEO Ziften

Internal Revenue Service Hackers Make Early Returns Because of Previous External Attacks

The Internal Revenue Service breach was the most unusual cyber attack of 2015. Classic attacks today involve phishing emails intended to gain initial access to target systems, where lateral movement is then performed until data exfiltration takes place. But the IRS hack was different: much of the data needed to carry it out had already been obtained. In this case, all the hackers needed to do was walk in the front door and submit the returns. How could this happen? Here is what we know:

The Internal Revenue Service site has a “Get Transcript” function that lets users retrieve previous tax return information. As long as the requester can supply the right details, the system will return past and current W2s, old tax returns, and so on. With anybody’s SSN, birth date and filing status, the attackers could start retrieving information from past filing years. The system also had a Knowledge Based Authentication (KBA) step, which asked questions based on the requesting user’s credit report.

KBA is not foolproof, though. The questions it asks can often be predicted from details already learned about the user. The system asks questions such as “Which of the following streets have you lived on?” or “Which of the listed automobiles have you owned?”

After the dust settled, it was estimated that the hackers attempted to gather 660,000 transcripts of past taxpayer information through Get Transcript, and succeeded in 334,000 of those attempts. The unsuccessful attempts appear to have gotten as far as the KBA questions, where the hackers could not provide the correct answers. It is estimated that the attackers got away with over $50 million. So, how did they do it?

Security researchers believe that the attackers used information from previous breaches, such as SSNs, DOBs, addresses and filing statuses, to try to obtain previous tax return details on their target victims. If they succeeded and answered the KBA questions correctly, they submitted a claim for the 2015 calendar year, often increasing the withholdings amount on the tax return form to get a larger refund. As mentioned earlier, not all attempts were successful, but over 50% of the attempts resulted in major losses for the Internal Revenue Service.

Detection and response solutions like Ziften are aimed at recognizing when endpoints have been compromised (for example through phishing attacks). We do this by providing real time visibility of Indicators of Compromise (IoCs). If the theories are correct and the attackers used information obtained from previous attacks outside the Internal Revenue Service, the compromised businesses could have benefited from the visibility Ziften provides and mitigated mass data exfiltration. Ultimately, the IRS appears to be the vehicle, rather than the initial victim, of these attacks.


Data Exfiltration And Shared Hacking Are Major Risks For Comcast Customers – Charles Leaver

Written By Michael Pawloski And Presented By Ziften CEO Charles Leaver

The Consumers Of Comcast Are Victims Of Data Exfiltration and Shared Hacks Via Other Companies

The private information of roughly 200,000 Comcast customers was compromised on November 5th 2015. Comcast was forced to make this announcement when it came to light that a list of 590,000 Comcast customer emails and passwords could be purchased on the dark web for a token $1,000. Comcast maintains that there was no security breach of its network but rather that the data came from past, shared hacks of other companies. Comcast further states that only 200,000 of these 590,000 customers still exist in its system.

Less than two months earlier, Comcast had already been slapped with a $22 million fine over its unintentional publishing of nearly 75,000 customers’ personal information. Somewhat ironically, these customers had specifically paid Comcast for “unlisted voice-over-IP,” a line item on the Comcast bill that stipulated that each customer’s details would be kept private.

Comcast instituted a mass reset of passwords for the 200,000 customers whose accounts may have been accessed before the list was offered for sale. While a simple password reset by Comcast will to some extent protect these accounts going forward, it does nothing to protect those customers who may have reused the same email and password combination on banking and credit card logins. If the customer accounts were accessed before the list was disclosed, it is entirely possible that other personal details, such as automated payment details and home address, were already obtained.

The bottom line is: assuming Comcast was not hacked directly, it was the victim of numerous other hacks that contained data related to its customers. Detection and Response systems like Ziften can prevent mass data exfiltration and typically reduce the damage done when these inevitable attacks happen.


Point Of Sale Vulnerabilities Exposed At Trump Hotels But Hack Could Have Been Stopped With Visibility – Charles Leaver

Written By Matthew Fullard Presented By Charles Leaver CEO Ziften

Trump Hotels Point of Sale Vulnerabilities Emphasize the Need for Quicker Detection of Anomalous Activity

Trump Hotels suffered a cyber attack between May 19th 2014 and June 2, 2015. The point of infection was malware, which infected their front desk computers, POS systems, and restaurants. However, in their own words they state that they “did not discover any proof that any client info was taken from our systems.” While it is reassuring that no evidence was found, if malware is present on point of sale systems it is most likely there to steal data from the payment cards that are swiped, or increasingly tapped, inserted, or waved. A lack of evidence does not indicate the absence of criminal activity, and to Trump Hotels’ credit, they have provided free credit monitoring services. If you examine a Point-of-Sale (or POS) system as an administrator, however, you will notice one thing in abundance: they hardly ever change, and software will be almost uniform across the deployment. This has both positives and negatives when thinking about securing such an environment. Software changes are slow to happen, require rigorous testing, and are hard to roll out.

However, because such an environment is so uniform, it is also much easier to identify Point of Sale vulnerabilities and to notice when something new has changed.

At Ziften we monitor all executing binaries and network connections that occur within an environment the moment they take place. If a single Point of Sale system started to make new network connections, or began running new software, regardless of its intent, it would be flagged for further evaluation and investigation. Ziften also gathers unrestricted historical data from your environment. If you want to know what happened six to twelve months ago, this is not a problem. Dwell times and antivirus detection rates can be measured using our integrated threat feeds, together with our binary collection and submission technology. Likewise, we will tell you which users launched which applications at what time across this historical record, so you can find your initial point of infection.

Point of Sale problems continue to plague the retail and hospitality industries, which is a pity given how straightforward such an environment is to monitor with detection and response.


If Continuous Endpoint Visibility Was In Place Then Marriott Could Have Avoided POS Attack – Charles Leaver

Written By Andy Wilson And Presented By Ziften CEO Charles Leaver

United States retail outlets still appear to be an attractive target for cyber criminals seeking credit card data, as Marriott franchisee White Lodging Services Corp confirmed a data breach in the Spring of 2015 affecting customers at 14 hotels across the country from September 2014 to January 2015. This incident follows a comparable breach White Lodging suffered in 2014. The attackers in both cases were reportedly able to compromise the Point-of-Sale systems of the Marriott Lounges and Restaurants at a number of locations run by White Lodging. The attackers were able to obtain the names printed on customers’ credit or debit cards, the card numbers, the security code and the card expiration dates. Point-of-Sale systems were also the target of recent breaches at Target, Neiman Marcus, Home Depot, and others.

Traditionally, Point-of-Sale (or POS) systems at many United States retail outlets were “locked down” Windows computers running a small set of applications tailored to their function: ringing up the sale and processing the transaction with the credit card merchant or bank. Modern POS terminals are essentially PCs that run email applications, web browsers and remote desktop tools in addition to their transaction software. To be fair, they are often deployed behind a firewall, but they are still ripe for exploitation. The best defenses can and will be breached if the target is valuable enough. For example, remote control tools used for management and updating of the POS systems are often hijacked by attackers for their own purposes.

The payment card or payment processing network is a completely different, air-gapped, and encrypted network. So how did hackers manage to steal the payment card data? They stole it while it was in memory on the Point of Sale terminal during the payment process. Even if retailers do not store credit card information, the data can be in an unencrypted state on the Point of Sale machine while the payment transaction is verified. Memory-scraping POS malware such as PoSeidon, FindPOS, FighterPOS, and PunKey is used by the data thieves to gather the credit card details in this unencrypted state. The data is then normally encrypted and retrieved by the attackers, or sent out to the Internet where the thieves collect it.

Ziften’s system provides continuous endpoint visibility that can detect and remediate these kinds of threats. Ziften’s MD5 hash analysis can detect new and suspicious processes or .dll files running in the POS environment. Ziften can also kill the process and collect the binary for further action or analysis. It is also possible to detect POS malware by alerting on Command and Control traffic. Ziften’s integrated Threat Intel and Custom Threat Feed options enable customers to alert when POS malware communicates with C&C nodes. Lastly, Ziften’s historical data allows customers to begin the forensic evaluation of how the malware got in, what it did after it was installed and executed, and which other machines are infected.
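The detection idea in this paragraph and in the Trump Hotels post above (a uniform POS estate where any new binary or new network connection on a single terminal stands out), written out as an added example that is not Ziften's code: build a fleet-wide baseline of executed binaries and remote destinations, then flag any terminal that deviates from it or runs a hash found in a threat feed. The fleet data, file paths, addresses and HASH_* values are constructed placeholders.

```python
from collections import Counter

# Constructed per-terminal telemetry (not real data): the binaries each POS
# terminal executed and the remote endpoints it connected to over one day.
# HASH_* values are placeholders standing in for real file hashes.
COMMON_BINS = {("HASH_POS", r"C:\POS\pos.exe"), ("HASH_PRN", r"C:\POS\receipt.dll")}
COMMON_DESTS = {"payments.example.net:443"}
FLEET = {f"pos-0{i}": {"binaries": set(COMMON_BINS), "dests": set(COMMON_DESTS)}
         for i in range(1, 6)}
# pos-04 is the odd one out: an unexpected binary that talks to an unknown address.
FLEET["pos-04"]["binaries"].add(("HASH_SCRAPER", r"C:\Windows\Temp\svchost.exe"))
FLEET["pos-04"]["dests"].add("203.0.113.45:8080")

# Constructed stand-in for an integrated threat feed of known-bad hashes.
KNOWN_BAD_HASHES = {"HASH_SCRAPER"}

def build_baseline(fleet, key, min_fraction=0.8):
    """Items seen on at least min_fraction of the terminals form the fleet norm.
    A uniform POS estate makes this threshold meaningful: almost every terminal
    should run the same binaries and talk to the same payment endpoints."""
    counts = Counter(item for host in fleet.values() for item in host[key])
    needed = min_fraction * len(fleet)
    return {item for item, n in counts.items() if n >= needed}

def flag_anomalies(fleet, bad_hashes, min_fraction=0.8):
    """Return (host, reason, detail) findings: anything a terminal runs or talks
    to that the rest of the fleet does not, plus any threat-feed hash match."""
    bin_base = build_baseline(fleet, "binaries", min_fraction)
    dst_base = build_baseline(fleet, "dests", min_fraction)
    findings = []
    for host, data in sorted(fleet.items()):
        for _sha, path in sorted(data["binaries"] - bin_base):
            findings.append((host, "new_binary", path))
        for sha, _path in sorted(data["binaries"]):
            if sha in bad_hashes:
                findings.append((host, "known_bad_hash", sha))
        for dst in sorted(data["dests"] - dst_base):
            findings.append((host, "new_destination", dst))
    return findings

if __name__ == "__main__":
    for finding in flag_anomalies(FLEET, KNOWN_BAD_HASHES):
        print(*finding)
```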

It is past time for retailers to step up their game and look for new solutions to protect their customers’ payment cards.