Monthly Archives: June 2016

Charles Leaver – Ransomware Threats Are Increasing So Take Action To Protect Your Organization

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Ransomware tailored to enterprise attack campaigns has emerged in the wild. It is a natural evolution of consumer-grade ransomware, driven by the larger ransoms enterprises are able to pay, combined with the sheer size of the enterprise attack surface (internet-facing endpoints and unpatched software). To the attacker, your enterprise is an attractive target with a big fat wallet just begging to be turned over.

Your Company is an Enticing Target

Simple Google queries may already have identified unpatched internet-facing servers by their vulnerability scores across your domain, or your trusting users may already be opening spear-phishing emails crafted just for them and apparently sent by people they know.

The weaponized invoices go to your accounting department, the weaponized legal notices to your legal department, the weaponized résumés to your human resources department, and the weaponized trade publication articles to your public relations department. That should cover it, for a start. Add the watering-hole drive-bys planted on industry websites your employees frequent, the social media attacks aimed at your key executives and their families, the infected USB sticks scattered around your facilities, and the compromises of your suppliers, customers, and business partners.

Enterprise compromise isn’t an “if” but a “when”: the when is constant, the who is legion.

The Arrival Of Targeted Ransomware

Malware researchers are now reporting on enterprise-targeted ransomware, a natural evolution in the monetization of enterprise cyber intrusions. Christiaan Beek and Andrew Furtak describe it in this excerpt from an Intel Security Advanced Threat Research report, February 2016:

“During the past few weeks, we have received information about a new campaign of targeted ransomware attacks. Instead of the normal modus operandi (phishing attacks or drive-by downloads that lead to automatic execution of ransomware), the attackers gained persistent access to the victim’s network through vulnerability exploitation and spread their access to any connected systems that they could. On each system, several tools were used to find, encrypt, and delete the original files as well as any backups.”

Careful reading of this quote immediately reveals actions to take. Initial penetration was by “vulnerability exploitation,” as is typically the case. A sound vulnerability management program with tracked and enforced exposure tolerances (measured in days) is mandatory. Because the attackers “spread their access to any connected system,” robust network segmentation and access controls are also required. Think of them as the watertight compartments of a warship that keep it afloat when the hull is breached. Of particular note, the attackers “delete the original files as well as any backups,” so a compromised system must have no delete access to its backup files: systems should only be able to append to their backups.

Your Backups Are Current, Aren’t They?

Naturally, there must be current backups of any files that need to survive an enterprise intrusion. Paying the ransom is not a viable alternative, because any files produced by malware are inherently suspect and must be considered tainted. Corporate auditors or regulators may refuse to accept files excreted from some malware orifice as legally valid, the chain of custody having been thoroughly broken. Financial data may have been altered with fraudulent transactions, configuration data may have been tampered with, infections may have been planted for later re-entry, or the malware’s file manipulations may simply have had errors or omissions. There would be no way to place any confidence in this data, and accepting it as valid may further compromise all downstream data that depends on or derives from it. Treat ransomware-returned data as garbage. Either have a robust backup plan, regularly tested and verified, or prepare to absorb your losses.
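As an added illustration of the append-only rule and the “regularly tested and verified” requirement above (example code written for this post, not Ziften’s product or any real backup tool), the following Python sketch models a backup target whose client API can add versions but has no delete or overwrite operation. The ransomware “encryption” is a constructed XOR stand-in, and the paths, contents and timestamps are made up. The point is that the garbage version pushed after the incident lands beside the good ones instead of replacing them, that a responder can restore the newest version written before the incident, and that a routine hash check catches silent corruption of old versions.

```python
import hashlib
from datetime import datetime


class AppendOnlyBackupStore:
    """Versioned backup target that only ever grows.

    It exposes append, versions, restore and verify. There is deliberately no
    delete or overwrite operation: a compromised client holding the backup
    credential can push new (even garbage) versions but cannot remove good ones.
    """

    def __init__(self):
        self._history = {}  # path -> list of (timestamp, sha256 hex, content bytes)

    def append(self, path, data, ts):
        """Record a new version of `path`; identical content is not duplicated."""
        digest = hashlib.sha256(data).hexdigest()
        history = self._history.setdefault(path, [])
        if history and history[-1][1] == digest:
            return digest
        history.append((ts, digest, bytes(data)))
        return digest

    def versions(self, path):
        return [(ts, digest) for ts, digest, _ in self._history.get(path, [])]

    def restore(self, path, before=None):
        """Newest version of `path` written strictly before `before` (default: newest of all)."""
        candidates = [v for v in self._history.get(path, [])
                      if before is None or v[0] < before]
        if not candidates:
            raise KeyError(f"no version of {path} before {before}")
        ts, digest, blob = candidates[-1]
        if hashlib.sha256(blob).hexdigest() != digest:
            raise ValueError(f"{path} version {ts}: stored copy is corrupt")
        return blob

    def verify(self):
        """Re-hash every stored version; returns the (path, ts) pairs that no longer match."""
        return [(path, ts)
                for path, history in self._history.items()
                for ts, digest, blob in history
                if hashlib.sha256(blob).hexdigest() != digest]


def fake_encrypt(data, key=0x5A):
    """Stand-in for the ransomware's encryption step (constructed; XOR is not real crypto)."""
    return bytes(b ^ key for b in data)


def simulate_incident():
    """Two clean nightly backups, then ransomware hits and the nightly job pushes ciphertext."""
    path = "finance/ledger.csv"   # constructed path and contents
    store = AppendOnlyBackupStore()
    day1 = b"2016-06-01,ACME,12000.00\n"
    day2 = day1 + b"2016-06-02,Globex,4500.00\n"
    store.append(path, day1, datetime(2016, 6, 1, 22, 0))
    store.append(path, day2, datetime(2016, 6, 2, 22, 0))

    incident = datetime(2016, 6, 3, 2, 15)            # ransomware encrypts the live file
    live_file = fake_encrypt(day2)
    store.append(path, live_file, datetime(2016, 6, 3, 22, 0))  # nightly job backs up garbage

    # The attacker tries to wipe the backups: the client API simply has no such operation.
    attacker_can_delete = hasattr(store, "delete") or hasattr(store, "overwrite")

    # The responder restores the newest version written before the incident.
    restored = store.restore(path, before=incident)

    # Routine verification of the whole store; then simulate silent bit rot on an old version.
    clean_check = store.verify()
    ts0, digest0, _ = store._history[path][0]
    store._history[path][0] = (ts0, digest0, b"bit rot")
    rot_check = store.verify()

    return {
        "versions_kept": len(store.versions(path)),
        "attacker_can_delete": attacker_can_delete,
        "restored_is_good": restored == day2,
        "clean_check": clean_check,
        "rot_check": rot_check,
    }


if __name__ == "__main__":
    for key, value in simulate_incident().items():
        print(f"{key}: {value}")
```

In a real deployment the “no delete” property is enforced by the backup service’s credential (an append-only or write-once bucket policy, or a backup user that can only create new objects), not by the client library; the class above only models that contract so the consequences can be seen end to end.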

What Is Your Preparation for a Breach?

Even with sound backups, the confidentiality of affected data must be presumed breached, because it was read by the malware. Even with comprehensive network logs, it would be imprudent to assert that no data was exfiltrated. In a targeted attack the attackers generally take inventory of the data, examining at least samples to assess its potential value; otherwise they could be leaving money on the table. Ransom demands may simply be the final monetization phase of an enterprise breach, after all other value has been mined from the intrusion, since the ransom demand exposes the compromise.

Have a Thorough Remediation Strategy

One must assume that capable adversaries have arranged multiple, cunningly concealed avenues of re-entry at various staggered points in time (well after your crisis team has stood down and the expensive consultants have flown off to their next gig). Any stray evidence left behind was carefully staged to mislead investigators and deflect blame. Costly re-imaging of systems must be exceedingly thorough, touching every sector of the disk across its entire recording surface and recreating master boot records (MBRs) and volume boot records from scratch. Some ransomware is known to compromise MBRs.

Likewise, don’t assume system firmware has not been compromised. If you can update the firmware, so can attackers. It isn’t hard for hacking organizations to investigate firmware attack options when their enterprise targets standardize on hardware configurations, allowing a little lab effort to go a long way. The industrialization of cyber crime enables the development and sale of firmware hacks on the dark net to a wider criminal market.

Help Is Available With Good EDR Tools

After all of this bad news, there is a response. When it comes to targeted ransomware attacks, taking proactive steps is far less painful than reactive cleanup, and a good Endpoint Detection and Response (EDR) tool helps on both ends. EDR tools are good at identifying exposed vulnerabilities and the applications actually running. Some applications have such a notorious history of vulnerabilities that they are best eliminated from the environment (Adobe Flash, for instance). EDR tools are also good at tracking all significant endpoint events, so that investigators can identify a “patient zero” and trace the pivot activity of enterprise-spreading targeted ransomware. Attackers rely on endpoint opacity to hide their actions from security staff; EDR provides open visibility of the significant endpoint events that may signal an attack in progress. EDR is not limited to the old anti-virus convict-or-acquit model, which newly remixed attack code evades.

Good EDR tools are always alert, always reporting, always tracking, and available when you need them: now or retroactively. You wouldn’t turn a blind eye to enterprise network activity, so don’t turn a blind eye to enterprise endpoint activity.


Charles Leaver – New Verizon DBIR Report Continues With The Same Message

Written By Dr Al Hartmann And Presented By Charles Leaver, Ziften CEO

The Data Breach Investigations Report 2016 from Verizon Enterprise has been released, reviewing 64,199 security incidents resulting in 2,260 data breaches. Verizon defines an incident as compromising the integrity, confidentiality, or availability of an information asset, while a breach is a confirmed disclosure of data to an unauthorized party. Since preventing breaches is far less painful than enduring them, Verizon offers several sections of recommended controls for security-conscious enterprises. If you don’t care to read the full 80-page report, Ziften offers this Verizon DBIR analysis with a focus on Verizon’s EDR-enabled recommended controls:

Vulnerabilities Recommended Controls

A solid EDR tool performs vulnerability scanning and reporting of exposed vulnerabilities, including vulnerability exposure timelines that show how effective vulnerability management actually is. The exposure timelines matter because Verizon stresses a systematic approach emphasizing consistency and coverage, as opposed to haphazard, convenience-driven patching.

Phishing Recommended Controls

Although Verizon recommends user training to reduce susceptibility to phishing, its data still shows almost a third of phishing messages being opened, with users clicking the link or attachment more than one time in ten. Bad odds if you have at least ten users! Given the inevitable click compromise, Verizon recommends investing in detection of unusual network activity indicative of pivoting, C2 traffic, or data exfiltration. A sound EDR solution will not only track endpoint network activity but also filter it against network threat feeds that identify malicious network destinations. Ziften goes beyond this with our patent-pending ZFlow technology, which enriches network flow data with endpoint context and attribution, so that SOC staff have the decision context to resolve network alerts quickly.

Web App Attacks Recommended Controls

Verizon recommends multi-factor authentication and monitoring of login activity to prevent compromise of web application servers. A solid EDR solution will monitor login activity and apply anomaly checks to spot unusual login patterns indicative of compromised credentials.

Point-of-Sale Intrusions Recommended Controls

Verizon recommends (and FireEye/Mandiant has also strongly recommended) strong network segmentation for POS devices. Again, a solid EDR solution should be tracking network activity (to identify anomalous network contacts), and ZFlow in particular is valuable in providing decision context for suspect network activity. EDR solutions also address Verizon’s recommendation to monitor remote logins to POS devices. Alongside this Verizon recommends multi-factor authentication, but a strong EDR capability will augment that with login pattern anomaly monitoring (because even MFA can be defeated by man-in-the-middle attacks).

Insider and Privilege Misuse Recommended Controls

Verizon recommends that you “monitor the heck out of [employee] authorized daily activity.” Continuous endpoint monitoring by a solid EDR system naturally provides this capability. In Ziften’s case our product tracks user presence intervals and what the user is doing while present (such as foreground application usage). Anomaly checking can identify unusual deviations in activity pattern, whether a temporal anomaly (something has changed this user’s normal activity pattern) or a spatial anomaly (this user’s behavior pattern differs substantially from peer behavior patterns).
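To make the login-pattern checks from the web application and POS sections and the temporal/spatial anomaly distinction above concrete, here is a small Python detector run over constructed login log lines. It is an added example, not Ziften’s detection logic; the users, hosts, addresses and the log line format are hypothetical. The temporal check compares each login against that user’s own history of hosts and hours of day; the spatial check compares the user’s login volume for the day against the typical daily rate of a peer group. The sample data includes the POS case, where a finance user suddenly logs into a POS host in the middle of the night.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical log format: "<ISO timestamp> user=<u> host=<h> src=<ip> result=<success|failure>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"host=(?P<host>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

# Constructed training window: two ordinary working days.
BASELINE_LOG = """\
2016-06-13T08:55:02 user=alice host=fin-ws-01 src=10.1.4.20 result=success
2016-06-13T13:10:45 user=alice host=fin-ws-01 src=10.1.4.20 result=success
2016-06-13T08:39:10 user=bob host=fin-ws-02 src=10.1.4.21 result=failure
2016-06-13T08:40:01 user=bob host=fin-ws-02 src=10.1.4.21 result=success
2016-06-13T12:05:33 user=bob host=fin-ws-02 src=10.1.4.21 result=success
2016-06-13T16:50:12 user=bob host=fin-ws-02 src=10.1.4.21 result=success
2016-06-13T09:15:00 user=carol host=fin-ws-03 src=10.1.4.22 result=success
2016-06-13T15:00:48 user=carol host=fin-ws-03 src=10.1.4.22 result=success
2016-06-13T07:00:19 user=dave host=pos-store-12 src=10.9.12.5 result=success
2016-06-14T09:02:11 user=alice host=fin-ws-01 src=10.1.4.20 result=success
2016-06-14T14:30:27 user=alice host=fin-ws-01 src=10.1.4.20 result=success
2016-06-14T08:45:09 user=bob host=fin-ws-02 src=10.1.4.21 result=success
2016-06-14T12:00:41 user=bob host=fin-ws-02 src=10.1.4.21 result=success
2016-06-14T17:05:58 user=bob host=fin-ws-02 src=10.1.4.21 result=success
2016-06-14T09:20:03 user=carol host=fin-ws-03 src=10.1.4.22 result=success
2016-06-14T15:10:36 user=carol host=fin-ws-03 src=10.1.4.22 result=success
2016-06-14T07:05:44 user=dave host=pos-store-12 src=10.9.12.5 result=success
"""

# Constructed detection day: bob's account is used at 3 a.m. and reaches a POS host,
# carol's account logs in far more often than any finance peer usually does.
DETECTION_LOG = """\
2016-06-15T09:01:30 user=alice host=fin-ws-01 src=10.1.4.20 result=success
2016-06-15T03:14:07 user=bob host=fin-ws-02 src=10.1.4.21 result=success
2016-06-15T03:20:51 user=bob host=pos-store-12 src=10.1.4.21 result=success
2016-06-15T07:02:15 user=dave host=pos-store-12 src=10.9.12.5 result=success
2016-06-15T09:05:12 user=carol host=fin-ws-03 src=10.1.4.22 result=success
2016-06-15T09:30:40 user=carol host=fin-ws-03 src=10.1.4.22 result=success
2016-06-15T10:10:05 user=carol host=fin-ws-03 src=10.1.4.22 result=success
2016-06-15T10:40:22 user=carol host=fin-ws-03 src=10.1.4.22 result=success
2016-06-15T14:05:18 user=carol host=fin-ws-03 src=10.1.4.22 result=success
2016-06-15T14:35:50 user=carol host=fin-ws-03 src=10.1.4.22 result=success
2016-06-15T15:05:09 user=carol host=fin-ws-03 src=10.1.4.22 result=success
2016-06-15T15:40:33 user=carol host=fin-ws-03 src=10.1.4.22 result=success
2016-06-15T16:10:47 user=carol host=fin-ws-03 src=10.1.4.22 result=success
"""

PEER_GROUPS = {"finance": ["alice", "bob", "carol"], "pos-ops": ["dave"]}


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unparsable log line: {line!r}")
        e = m.groupdict()
        e["day"] = e["ts"][:10]
        e["hour"] = int(e["ts"][11:13])
        events.append(e)
    return events


def build_baseline(events):
    """Per user: hours of day seen, hosts seen, and successful logins per day."""
    base = defaultdict(lambda: {"hours": set(), "hosts": set(), "per_day": defaultdict(int)})
    for e in events:
        if e["result"] != "success":
            continue
        b = base[e["user"]]
        b["hours"].add(e["hour"])
        b["hosts"].add(e["host"])
        b["per_day"][e["day"]] += 1
    return base


def temporal_anomalies(baseline, events):
    """Deviations from the user's own history: a never-seen host, or a login far from usual hours."""
    alerts = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            alerts.append((e["user"], "no_baseline", e["ts"]))
            continue
        if e["host"] not in b["hosts"]:
            alerts.append((e["user"], "new_host", e["host"]))
        if all(abs(e["hour"] - h) > 1 for h in b["hours"]):
            alerts.append((e["user"], "off_hours", e["ts"]))
    return alerts


def spatial_anomalies(baseline, events, peer_groups, z=2.0):
    """Users whose login volume for the day stands out from their peer group's usual daily rate."""
    today = defaultdict(int)
    for e in events:
        today[e["user"]] += 1
    alerts = []
    for group, members in peer_groups.items():
        rates = [mean(baseline[u]["per_day"].values()) for u in members if u in baseline]
        if not rates:
            continue
        # Floor the spread at one login/day so a very uniform peer group does not alert on noise.
        threshold = mean(rates) + z * max(pstdev(rates), 1.0)
        for u in members:
            if today[u] > threshold:
                alerts.append((u, group, today[u], round(threshold, 2)))
    return alerts


def run_detection():
    baseline = build_baseline(parse_log(BASELINE_LOG))
    events = parse_log(DETECTION_LOG)
    return temporal_anomalies(baseline, events), spatial_anomalies(baseline, events, PEER_GROUPS)


if __name__ == "__main__":
    temporal, spatial = run_detection()
    for a in temporal:
        print("temporal:", a)
    for a in spatial:
        print("spatial:", a)
```

Two days of history is far too little for production use; the thresholds here (one hour of slack around known login hours, two standard deviations above the peer rate) are illustrative, and a real detector would also weight by source address and session length. The structure is what matters: the same event stream feeds both a per-user baseline and a per-group baseline, and each alert names the dimension it violated so an analyst can triage it.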

Verizon also recommends monitoring the use of USB storage devices, which solid EDR products do, because they can serve as a “sneakernet” exfiltration route.

Miscellaneous Errors Recommended Controls

Verizon’s recommendations in this area focus on keeping a record of previous errors to serve as a warning against repeating them. Solid EDR systems do not forget; they maintain an archival record of endpoint and user activity going back to their first deployment. These records are searchable at any time, possibly after some future incident has uncovered an intrusion and response teams need to go back and “find patient zero” to unravel the incident and determine where errors may have been made.

Physical Theft and Loss Recommended Controls

Verizon recommends (and many regulators demand) full disk encryption, especially for mobile devices. A strong EDR product will verify that endpoint configurations comply with enterprise encryption policy and will alert on violations. Verizon reports that data assets are physically lost one hundred times more often than they are stolen, but the impact on the affected enterprise is essentially the same.

Crimeware Recommended Controls

Again, Verizon stresses vulnerability management and consistent, comprehensive patching. As noted above, proper EDR tools identify and track vulnerability exposures. In Ziften’s case, this keys off the National Vulnerability Database (NVD), filtering it against process image records from our endpoint monitoring. This yields an accurate, up-to-date vulnerability assessment at any moment.
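The following Python example (added here; it is not Ziften’s implementation and does not use the real NVD feed format) shows the mechanics behind the exposure timelines discussed in the Vulnerabilities section above and the “exposure tolerances measured in days” from the targeted-ransomware post: a process-image inventory is joined against a CVE feed, exposure is counted from the later of the advisory’s publication and the image’s first sighting on the endpoint, and each row is compared with a per-severity tolerance. Product names, versions, CVE identifiers, dates and tolerance values are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ProcessImage:
    """One executable image observed running on an endpoint (from endpoint monitoring)."""
    host: str
    product: str
    version: str
    first_seen: date


@dataclass(frozen=True)
class Advisory:
    """One entry from a CVE feed such as NVD: versions below `fixed_in` are affected."""
    cve_id: str
    product: str
    fixed_in: str
    severity: str
    published: date


# Exposure tolerance in days per severity (hypothetical policy values).
TOLERANCE_DAYS = {"critical": 7, "high": 30, "medium": 90}
AS_OF = date(2016, 6, 15)

# Constructed sample inventory and feed; product names and CVE ids are placeholders.
IMAGES = [
    ProcessImage("fin-ws-01", "examplereader", "11.0.3", date(2016, 1, 10)),
    ProcessImage("fin-ws-01", "examplebrowser", "50.1", date(2016, 6, 1)),
    ProcessImage("hr-ws-07", "examplereader", "11.0.9", date(2016, 3, 2)),
    ProcessImage("web-01", "examplehttpd", "2.4.7", date(2015, 11, 20)),
]
FEED = [
    Advisory("CVE-EXAMPLE-0001", "examplereader", "11.0.5", "critical", date(2016, 2, 1)),
    Advisory("CVE-EXAMPLE-0002", "examplehttpd", "2.4.10", "high", date(2016, 5, 20)),
    Advisory("CVE-EXAMPLE-0003", "examplebrowser", "50.0", "high", date(2016, 5, 1)),
]


def parse_version(v):
    """Dotted numeric version -> tuple, so '11.0.10' sorts after '11.0.9'."""
    return tuple(int(part) for part in v.split("."))


def is_affected(image, advisory):
    return (image.product == advisory.product
            and parse_version(image.version) < parse_version(advisory.fixed_in))


def exposure_report(images, feed, as_of, tolerance_days):
    """Join running images against the feed. Exposure starts only once both the
    vulnerable image is present on the host and the advisory is public."""
    rows = []
    for img in images:
        for adv in feed:
            if not is_affected(img, adv):
                continue
            start = max(img.first_seen, adv.published)
            days = (as_of - start).days
            rows.append({
                "host": img.host,
                "product": img.product,
                "version": img.version,
                "cve": adv.cve_id,
                "severity": adv.severity,
                "exposed_since": start,
                "exposed_days": days,
                "over_tolerance": days > tolerance_days[adv.severity],
            })
    return sorted(rows, key=lambda r: r["exposed_days"], reverse=True)


def sla_summary(report):
    """Counts useful on a vulnerability-management dashboard."""
    return {
        "exposed": len(report),
        "over_tolerance": sum(1 for r in report if r["over_tolerance"]),
        "worst_days": max((r["exposed_days"] for r in report), default=0),
    }


def run_report():
    return exposure_report(IMAGES, FEED, AS_OF, TOLERANCE_DAYS)


if __name__ == "__main__":
    report = run_report()
    for r in report:
        flag = "OVER TOLERANCE" if r["over_tolerance"] else "within tolerance"
        print(f'{r["host"]:10} {r["product"]:15} {r["version"]:8} {r["cve"]} '
              f'{r["severity"]:9} exposed {r["exposed_days"]:3d}d  {flag}')
    print(sla_summary(report))
```

Note the two rows the sample produces: the reader on fin-ws-01 has been exposed since the advisory went public in February and is far past a seven-day critical tolerance, while the web server’s exposure only started with the May advisory and is still within its thirty-day window. Using first_seen rather than the advisory date alone is what lets the timeline reflect your own patch performance rather than the vendor’s disclosure calendar; a real implementation would also need vendor-specific version comparison and CPE matching rather than exact product-name equality.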

Verizon also recommends capturing malware analysis data in your own enterprise environment. EDR tools do track the arrival and execution of new binaries, and Ziften’s system can acquire samples of any binary present on enterprise endpoints and submit them for comprehensive static and dynamic analysis by our malware research partners.

Cyber-Espionage Recommended Controls

Here Verizon specifically calls out the use of endpoint threat detection and response (ETDR) tools, referring to the security tool segment that Gartner now terms endpoint detection and response (EDR). Verizon also recommends a number of endpoint configuration hardening steps whose compliance can be verified by EDR tools.

Verizon also recommends strong network protections. We have already discussed how Ziften ZFlow can significantly enhance standard network flow monitoring with endpoint context and attribution, providing a blend of network and endpoint security that is truly end-to-end.

Finally, Verizon recommends monitoring and logging, which is the first thing third-party incident responders ask for when they arrive on-scene to help in a breach crisis. This is the prime purpose of EDR tools, since the endpoint is the most frequent entry vector in a major data breach.

Denial-of-Service Attacks Recommended Controls

Verizon recommends managing port access to prevent enterprise assets from being used to participate in a DoS attack. EDR products can track port usage by application and employ anomaly checks to recognize unusual application port usage that may indicate compromise.

Enterprise services migrating to cloud providers also need protection from DoS attacks, which the cloud provider may supply. However, for network traffic monitoring in the cloud, where the enterprise may lack visibility into the cloud network, options like Ziften ZFlow provide a way to collect enriched network flow data directly from cloud virtual servers. Don’t let the cloud become your network blind spot, or attackers will exploit it to fly under your radar.