Monthly Archives: February 2016

Charles Leaver – Six Damage Control Questions To Ask Prior To A Breach

Written By Michael Bunyard And Presented By Ziften CEO Charles Leaver

The reality of modern life is that if attackers want to breach your network, it is only a matter of time before they succeed. The endpoint is the most common attack vector, and people are the weakest point in any organization: the endpoint is where users handle whatever an attacker wants, whether intellectual property, credentials, or data to hold for ransom. A new class of Next Generation Endpoint Security (NGES) products, of which Ziften is a leader, provides the visibility and insight needed to reduce the likelihood or the duration of an attack. Prevention includes shrinking the attack surface by removing known-vulnerable applications, cutting version sprawl, killing malicious processes, and enforcing compliance with security policies.

But prevention only goes so far. No solution is 100% effective, so it is essential to take a proactive, real-time view of your environment: watching endpoint behavior, detecting when a breach has occurred, and responding immediately with remediation. Ziften provides these capabilities too, commonly called Endpoint Detection and Response (EDR), and organizations should shift their mindset from “How do we prevent attacks?” to “We are going to be breached, so what do we do then?”

To understand the true breadth and depth of an attack, organizations must be able to look back and reconstruct the conditions surrounding a breach. Investigators need answers to the following six questions, and they need them fast, because incident responders are outnumbered and working against short windows to limit the damage.

Where was the attack behavior first seen?

This is where the ability to look back to the point of initial infection matters. To do this effectively, organizations need to be able to go as far back in time as necessary to identify patient zero. The unfortunate reality, according to Gartner, is that the average dwell time before a breach is detected is a staggering 205 days. According to the 2015 Verizon Data Breach Investigations Report (DBIR), in 60% of cases attackers were able to compromise an organization within minutes. That is why NGES products that do not continuously monitor and record activity, but instead poll or scan the endpoint periodically, can miss the critical initial compromise. The DBIR also found that 95% of malware types were seen for less than a month, and four out of five did not last a week. You need the ability to monitor endpoint activity continuously, look back in time however long ago the attack took place, and reconstruct the initial infection.

How did it behave?

What happened, step by step, after the initial infection? Did the malware execute for a second every five minutes? Did it obtain elevated privileges? A continuous record of what happened on the endpoint is essential to get an investigation started.

How and where did the attack spread after the initial compromise?

Usually the attacker is not after the data available at the point of infection; that machine is a beachhead from which to pivot through the network toward the valuable data. Endpoints include the servers those workstations connect to, so it is essential to see the full picture of any lateral movement after the intrusion, to understand which assets were accessed and which were also infected.

How did the behavior of the infected endpoint(s) change?

What was going on before and after the infection? What network connections were being made? How much network traffic was flowing? Which processes were active before and after the attack? Immediate answers to these questions are vital for fast triage.

What user activity occurred, and was there any possible insider involvement?

What did the user do before and after the infection? Was the user present at the device? Was a USB drive inserted? Was the activity outside the user’s normal usage pattern? These and many other artifacts must be available to paint a full picture.

What mitigation is needed to deal with the attack and prevent the next one?

Reimaging the infected computer(s) is time-consuming and expensive, but sometimes it is the only way to know for certain that all malicious artifacts are gone (though state-sponsored attackers may embed themselves in system or drive firmware and survive even a reimage). With a clear picture of everything that happened, simpler actions such as removing the malicious files from every affected system may be enough. Security policies will likely need to be revisited, and NGES products can help automate future responses should similar situations recur. Automatable actions include sandboxing, cutting off network access from infected machines, killing processes, and much more.
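As an added example (not Ziften’s code and not part of the original post), the following Python script shows how the first four of these questions are answered from continuously recorded endpoint telemetry: where the indicator was first executed (patient zero), which internal connections carried it from host to host, how each infected host’s network destinations changed, and what user artifacts surround the infection. The host inventory, event log, IP addresses and the IoC hash are all constructed for the example; a real EDR would supply the same shape of data from its recorded history.

```python
"""Reconstruct an intrusion from recorded endpoint events (added example).

Answers four of the six questions: patient zero, lateral movement between
internal hosts, before/after network behaviour, and user artifacts around
the infection. All data below is constructed for illustration.
"""
from datetime import datetime, timedelta

IOC_MD5 = "0badc0de0badc0de0badc0de0badc0de"  # hypothetical malicious binary hash

# Hypothetical host inventory: host name -> internal IP
HOSTS = {"ws-017": "10.0.0.21", "srv-file01": "10.0.0.5", "ws-042": "10.0.0.9"}

# Constructed event log: (ISO timestamp, host, kind, details)
EVENTS = [
    ("2016-01-03T08:00:00", "ws-042", "netconn", {"dst": "10.0.0.5", "dport": 445}),
    ("2016-01-04T09:02:00", "ws-017", "process", {"image": "outlook.exe", "md5": "1111"}),
    ("2016-01-04T09:03:10", "ws-017", "usb", {"serial": "4C530001"}),
    ("2016-01-04T09:05:00", "ws-017", "process", {"image": "invoice.scr", "md5": IOC_MD5}),
    ("2016-01-04T09:06:00", "ws-017", "netconn", {"dst": "203.0.113.7", "dport": 443}),
    ("2016-01-04T09:20:00", "ws-017", "netconn", {"dst": "10.0.0.5", "dport": 445}),
    ("2016-01-04T09:21:00", "srv-file01", "process", {"image": "svchost.exe", "md5": IOC_MD5}),
    ("2016-01-04T09:22:00", "srv-file01", "netconn", {"dst": "203.0.113.7", "dport": 443}),
    ("2016-01-05T14:00:00", "srv-file01", "netconn", {"dst": "10.0.0.9", "dport": 3389}),
    ("2016-01-05T14:01:30", "ws-042", "process", {"image": "svchost.exe", "md5": IOC_MD5}),
]


def _ts(s):
    return datetime.fromisoformat(s)


def first_sightings(events, ioc):
    """Earliest execution of the IoC on each host: {host: datetime}."""
    seen = {}
    for ts, host, kind, d in events:
        if kind == "process" and d.get("md5") == ioc:
            t = _ts(ts)
            if host not in seen or t < seen[host]:
                seen[host] = t
    return seen


def patient_zero(events, ioc):
    """Host and time where the IoC was first seen anywhere, or None."""
    seen = first_sightings(events, ioc)
    if not seen:
        return None
    host = min(seen, key=seen.get)
    return host, seen[host]


def lateral_movement(events, ioc, hosts, window=timedelta(minutes=10)):
    """Connections from an already-infected host to a host that became
    infected within `window` afterwards: [(src, dst, port, ts)]."""
    seen = first_sightings(events, ioc)
    by_ip = {ip: h for h, ip in hosts.items()}
    edges = []
    for ts, src, kind, d in sorted(events, key=lambda e: e[0]):
        if kind != "netconn" or src not in seen:
            continue
        dst = by_ip.get(d["dst"])  # None for external destinations
        t = _ts(ts)
        if dst in seen and seen[src] <= t <= seen[dst] <= t + window:
            edges.append((src, dst, d["dport"], ts))
    return edges


def netconn_delta(events, host, ioc):
    """Distinct destinations the host contacted before vs. after infection."""
    t0 = first_sightings(events, ioc)[host]
    before, after = set(), set()
    for ts, h, kind, d in events:
        if h == host and kind == "netconn":
            (before if _ts(ts) < t0 else after).add(d["dst"])
    return sorted(before), sorted(after)


def user_artifacts(events, host, ioc, window=timedelta(minutes=10)):
    """Non-process, non-network events (USB inserts, ...) around infection time."""
    t0 = first_sightings(events, ioc)[host]
    return [(ts, kind, d) for ts, h, kind, d in events
            if h == host and kind not in ("process", "netconn")
            and abs(_ts(ts) - t0) <= window]


if __name__ == "__main__":
    print("patient zero:", patient_zero(EVENTS, IOC_MD5))
    for edge in lateral_movement(EVENTS, IOC_MD5, HOSTS):
        print("lateral move:", edge)
    for host in HOSTS:
        print(host, "before/after:", netconn_delta(EVENTS, host, IOC_MD5))
    print("artifacts on patient zero:", user_artifacts(EVENTS, "ws-017", IOC_MD5))
```

Note how the ws-042 connection to the file server on 3 January is excluded from the lateral-movement edges: it predates that host’s own infection, which is exactly the distinction a polled or periodically scanned history cannot make if the record has gaps.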

Do not wait until after a breach, when you must hire an army of consultants and spend time and money piecing the facts together. Make sure you are prepared to answer these six critical questions and can have the answers in hand within minutes.


Charles Leaver – Did The IRS Hack Begin With Compromised Endpoints?

Written By Michael Steward And Presented By Charles Leaver CEO Ziften

Internal Revenue Service Hackers Make Early Returns Because of Previous External Attacks

The IRS breach was the most unusual cyber attack of 2015. Conventional attacks today begin with phishing emails to gain initial access to target systems, followed by lateral movement until data is exfiltrated. The IRS hack was different: much of the data needed to carry it out had already been obtained elsewhere. All the attackers had to do was walk in the front door and file the returns. How could this happen? Here is what we know:

The IRS website has a “Get Transcript” function that lets taxpayers retrieve prior tax return information. As long as the requester can supply the correct details, the system returns past and current W-2s, old tax returns, and so on. With anyone’s SSN, date of birth and filing status, the attackers could start retrieving that person’s prior-year filing information. The system also had a Knowledge Based Authentication (KBA) step, which asked questions drawn from the requested user’s credit history.

KBA is not foolproof, though. Its questions can often be guessed from other information already learned about the user. The system asks questions such as “Which of the following streets have you lived on?” or “Which of the following vehicles have you owned?”

After the dust settled, it was estimated that the attackers tried to retrieve 660,000 taxpayers’ transcripts through Get Transcript and succeeded in 334,000 of those attempts. The unsuccessful attempts appear to have reached the KBA questions, where the attackers could not supply the correct answers. The attackers are estimated to have made off with over $50 million. So how did they do it?

Security researchers theorize that the attackers used information from earlier breaches (SSNs, dates of birth, addresses and filing statuses) to pull prior tax return information on their target victims. If they got through and answered the KBA questions correctly, they filed a fraudulent return for the 2015 filing season, often inflating the withholding amount on the return to obtain a larger refund. As noted above, not every attempt succeeded, but more than half of them did, resulting in significant losses for the IRS.

Detection and response products like Ziften are aimed at identifying compromised endpoints (for example, from phishing attacks) by providing real-time visibility of Indicators of Compromise (IoCs). If the theories are correct and the attackers used information harvested in earlier breaches outside the IRS, the organizations compromised in those breaches could have benefited from the visibility Ziften provides and limited the mass data exfiltration. Ultimately, the IRS appears to be the vehicle of these attacks rather than their initial victim.


Charles Leaver – Risks Are There For Comcast Customers From Shared Hacks And Data Exfiltration

Written By Michael Pawloski And Presented By Ziften CEO Charles Leaver

The Customers Of Comcast Are Victims Of Data Exfiltration and Shared Hacks Via Other Businesses

The personal information of around 200,000 Comcast customers was compromised, Comcast announced on November 5th, 2015, after it emerged that a list of 590,000 Comcast customer email addresses and passwords could be bought on the dark web for a mere $1,000. Comcast maintains that its own network was not breached and that the data came from earlier breaches at other companies. Comcast further states that only 200,000 of those 590,000 accounts still exist in its systems.

Less than two months earlier, Comcast had already been hit with a $22 million penalty over its accidental publication of nearly 75,000 customers’ personal details. Somewhat ironically, those customers had specifically paid Comcast for “unlisted voice-over-IP,” a line item on the Comcast bill stipulating that the customer’s information would be kept private.

Comcast forced a password reset on the 200,000 affected accounts, but attackers may well have accessed those accounts before the list was put up for sale. A simple password reset by Comcast protects those accounts to some extent going forward, but it does nothing for customers who reused the same email and password combination on banking and credit card logins. If the accounts were accessed before the list surfaced, it is entirely possible that other personal details, such as automatic payment information and home address, were already taken.

The conclusion: assuming Comcast was not attacked directly, it was the victim of numerous other breaches that contained data about its customers. Detection and response products like Ziften can prevent mass data exfiltration and often reduce the damage done when these inevitable attacks occur.


Charles Leaver – Visibility Of Point Of Sale Vulnerabilities Would Maybe Have Prevented Trump Hotel Breach

Written By Matthew Fullard Presented By Charles Leaver CEO Ziften

Trump Hotels Point-of-Sale Vulnerabilities Emphasize Need for Quicker Detection of Anomalous Activity

Trump Hotels suffered a cyber attack between May 19, 2014 and June 2, 2015. The initial infection was malware, which compromised their front desk computers, POS systems and restaurant systems. Nevertheless, in their own words, they “did not discover any proof that any client info was stolen from our systems.” While it is comforting that no evidence was found, if malware is present on POS systems it is almost certainly there to steal data from the payment cards that are swiped, or increasingly tapped, inserted or waved. Absence of evidence is not evidence of absence, and to Trump Hotels’ credit, they have offered free credit monitoring. If you look at a point-of-sale (POS) estate as an administrator, one thing stands out: it rarely changes, and the software is nearly identical across the entire deployment. This has both upsides and downsides for securing such an environment. Software changes are slow to happen, require extensive testing, and are hard to roll out.

However, because such an environment is so uniform, it is also much easier to spot a POS problem when something new changes.

At Ziften we monitor every executing binary and network connection in an environment the moment it happens. If a single POS system began making new network connections or running new software, whatever its intent, it would be flagged for further review and investigation. Ziften also retains unlimited historical data from your environment: if you want to know what happened six to twelve months ago, that is not a problem. Dwell times and antivirus detection rates can be determined using our integrated threat feeds together with our binary collection and submission technology. We will also tell you which users executed which applications at what time throughout that historical record, so you can find your initial point of infection.

POS problems continue to plague the retail and hospitality industries, which is a shame given how straightforward such an environment is to monitor with detection and response.


Charles Leaver – Avoiding The POS Breach Would Have Been Possible If Marriott Employed Continuous Endpoint Visibility

Written By Andy Wilson And Presented By Ziften CEO Charles Leaver

US retail outlets still appear to be an attractive target for cyber criminals seeking payment card data: Marriott franchisee White Lodging Services Corp announced a data breach in spring 2015 affecting customers at 14 hotels across the country between September 2014 and January 2015. This incident follows a similar attack on White Lodging in 2014. In both cases the attackers were reportedly able to compromise the point-of-sale systems of the Marriott lounges and restaurants at numerous locations operated by White Lodging. They were able to obtain the names printed on customers’ credit or debit cards, the card numbers, the security codes and the expiration dates. POS systems were also the target of recent breaches at Target, Neiman Marcus, Home Depot, and others.

Historically, point-of-sale (POS) systems at US retail outlets were “locked down” Windows devices running a small set of applications geared to their function: ringing up the sale and processing the transaction with the card issuer or merchant bank. Modern POS terminals are essentially PCs that run email clients, web browsers and remote desktop tools alongside their transaction software. To be fair, they are usually deployed behind a firewall, but they are still ripe for exploitation. The best defenses can and will be breached if the target is valuable enough. For example, the remote control tools used to manage and update POS systems are frequently hijacked by attackers for their own purposes.

The card payment processing network is a separate, isolated and encrypted network. So how did the attackers steal the payment card data? They took it from memory on the POS terminal while the payment was being processed. Even if merchants do not store card data, it can sit unencrypted in the POS device’s memory while the transaction is being authorized. Memory-scraping POS malware such as PoSeidon, FindPOS, FighterPOS and Punkey is used by the thieves to harvest card data in that unencrypted state. The stolen data is then typically encrypted and retrieved by the attackers, or sent out to the Internet where the thieves collect it.
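To make concrete what a memory scraper is hunting for, here is an added example (not code from the original post, and not from any of the malware families named above): a Python scanner that searches a byte buffer for ISO 7813 Track 1 and Track 2 records and applies a Luhn check to discard look-alike digit strings. The buffer is a constructed stand-in for a POS process’s memory, and the card number is the standard test PAN 4111111111111111. The same search is what the scraper runs against the live process, and what an investigator can run against a memory dump to confirm whether card data is exposed in the clear.

```python
"""Scan a memory buffer for unencrypted magnetic-stripe track data (added example).

Scraper and investigator look for the same thing: ISO 7813 Track 1
(%B<PAN>^<NAME>^<YYMM>...?) and Track 2 (;<PAN>=<YYMM>...?) records sitting
in cleartext in process memory. MEMORY and the PAN below are constructed.
"""
import re

# Track 1: start sentinel %, format code B, PAN, ^, name, ^, YYMM expiry,
# discretionary data, end sentinel ?.  Track 2: ;, PAN, =, YYMM, ..., ?.
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})[^?]{0,40}\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})[^?]{0,30}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: weeds out counters, loyalty numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """PCI-style masking: keep only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_track_data(buf: bytes):
    """Return [{offset, track, pan, expiry}] for every Luhn-valid hit in buf."""
    hits = []
    for track, rx in ((1, TRACK1), (2, TRACK2)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue                    # right shape, but not a card number
            expiry = (m.group(3) if track == 1 else m.group(2)).decode()
            hits.append({"offset": m.start(), "track": track,
                         "pan": mask(pan), "expiry": expiry})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stand-in for a POS process's memory: a transaction buffer holding
# a Track 1 record, a Track 2 record, and a Luhn-invalid decoy that a naive
# digit-pattern search would wrongly report.
MEMORY = (
    b"\x00\x00POS v3.1 txn=00042\x00\x00"
    b"%B4111111111111111^DOE/JOHN^2512101000000000?"
    b"\x00\x00\x00"
    b";4111111111111111=2512101?"
    b"\x00LOYALTY\x00"
    b";1234567890123456=2512101?"
    b"\x00\x00"
)


if __name__ == "__main__":
    for hit in scan_track_data(MEMORY):
        print(hit)
```

The scanner only reports masked PANs, which matters when the tool is run by defenders: a forensic note that itself contains full card numbers is a new PCI exposure. Finding a hit in a dump taken between the swipe and the authorization response is expected; finding one minutes later, or in a process other than the payment application, is the anomaly worth investigating.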

Ziften’s solution provides continuous endpoint visibility that can detect and remediate these types of threats. Ziften’s MD5 hash analysis can spot new and suspicious processes or .dll files running in the POS environment. Ziften can also kill the process and collect the binary for further action or analysis. POS malware can also be detected by alerting on command-and-control traffic: Ziften’s integrated threat intelligence and custom threat feed options let customers alert when POS malware talks to C&C nodes. Finally, Ziften’s historical data lets customers kick-start the forensic investigation of how the malware got in, what it did after it was installed and executed, and which other devices were infected.
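As an added example (not Ziften’s product code), the following Python script shows the two detections described in the paragraph above and in the Trump Hotels post, applied to a small homogeneous POS fleet: a baseline of binary hashes and network destinations derived from the fleet’s own prevalence, with any terminal that deviates flagged, plus a lookup of destinations against a threat feed. The telemetry, hashes, addresses and feed entries are constructed; the feed entry is a documentation-range address, not a real C2 node.

```python
"""Fleet-baseline anomaly detection for a homogeneous POS estate (added example).

Because every terminal should run the same image and talk to the same few
services, "what does this terminal do that the others don't?" is a strong
signal. All telemetry, hashes and addresses below are constructed.
"""
from collections import defaultdict

FLEET = ("pos-01", "pos-02", "pos-03", "pos-04", "pos-05")

# Hypothetical MD5s of the fleet's known binaries and of one intruder.
H_POS = "a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0"
H_SVC = "b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1"
H_BAD = "ff00ff00ff00ff00ff00ff00ff00ff00"

# Constructed telemetry: binaries each terminal executed (host, image, md5)
PROCESSES = [(h, "pos.exe", H_POS) for h in FLEET]
PROCESSES += [(h, "svchost.exe", H_SVC) for h in FLEET]
PROCESSES += [("pos-03", "svchost.exe", H_BAD)]   # legitimate name, foreign hash

# Constructed telemetry: outbound connections (host, dst_ip, dst_port)
CONNECTIONS = [(h, "10.1.1.10", 443) for h in FLEET]  # payment gateway
CONNECTIONS += [("pos-03", "198.51.100.23", 443),     # hypothetical C2, in the feed
                ("pos-05", "192.0.2.50", 8080)]       # never seen before, not in feed

# Constructed threat feed of known C2 addresses
THREAT_FEED = {"198.51.100.23"}


def prevalence(records, key):
    """Fraction of fleet hosts on which each key(record) value was observed."""
    hosts = {r[0] for r in records}
    seen_on = defaultdict(set)
    for r in records:
        seen_on[key(r)].add(r[0])
    return {k: len(v) / len(hosts) for k, v in seen_on.items()}


def build_baseline(processes, connections, min_prevalence=0.8):
    """Hashes and (ip, port) pairs common to at least min_prevalence of the fleet."""
    hashes = prevalence(processes, lambda r: r[2])
    dests = prevalence(connections, lambda r: (r[1], r[2]))
    return ({h for h, p in hashes.items() if p >= min_prevalence},
            {d for d, p in dests.items() if p >= min_prevalence})


def find_anomalies(processes, connections, baseline, threat_feed):
    """Flag binaries outside the baseline, threat-feed hits and new destinations."""
    base_hashes, base_dests = baseline
    findings = []
    for host, image, md5 in processes:
        if md5 not in base_hashes:
            findings.append((host, "unknown-binary", f"{image} md5={md5}"))
    for host, ip, port in connections:
        if ip in threat_feed:
            findings.append((host, "c2-feed-hit", f"{ip}:{port}"))
        elif (ip, port) not in base_dests:
            findings.append((host, "new-destination", f"{ip}:{port}"))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(PROCESSES, CONNECTIONS)
    for host, kind, detail in find_anomalies(PROCESSES, CONNECTIONS, baseline, THREAT_FEED):
        print(f"{host}: {kind} {detail}")
```

Two caveats a practitioner would add. A prevalence-only baseline accepts anything pushed to the whole fleet at once, which is exactly what a hijacked remote-management tool lets an attacker do, so pin the baseline to the hashes of the golden image as well and treat a new hash appearing on many terminals simultaneously as an alarm rather than a new normal. And while the post names MD5, collisions for MD5 are cheap to produce, so key the allowlist on SHA-256 and keep MD5 only for matching older threat intelligence.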

It is past time for retailers to step up their game and look for new solutions to protect their customers’ payment cards.