Category Archives: Cyber Attacks

Charles Leaver – Beware Of Adding Subtitle Packages To Popular Movie Apps

Written By Josh Harriman And Presented By Charles Leaver Ziften CEO


Do you like watching movies with popular apps like Kodi, SmartTV or VLC on your devices? How about wanting subtitles for those films and simply grabbing the latest pack from OpenSubtitles? No problem, sounds like a great evening at home. The problem is, according to research by Check Point, there could be a nasty surprise waiting for you.

For the bad guys to take control of your ‘world’, they need a vector, some way to gain entry to your system. There are some common ways this happens today, such as clever (and not so clever) social engineering tricks: you get an email that appears to come from a friend or co-worker but was spoofed, you open the attachment or visit some website, and if the stars line up, you are pwned. Usually the star alignment part is not that hard; it only takes some vulnerable software running on your machine that can be reached.

Since the technique depends on getting users to cooperate, the target audience can often be hard to find. But with this latest research, many of the major media players have a unique vulnerability when it comes to fetching and decoding subtitle packages. The four main media players named in the article are patched as of now, but as we have seen in the past (just look at the recent SMB v1 vulnerability), just because a fix is available does not mean that users are updating. The researchers have also declined to reveal the technical details of the vulnerability, to give other vendors time to patch. That is a good sign and, I believe, the right approach for researchers to take: notify the vendor so they can fix the issue, and also announce it publicly so ‘we the people’ are informed and know exactly what to watch out for.

It’s hard to keep up with the many ways you can get infected, but at least we have researchers who tirelessly try to ‘break’ things to find those vulnerabilities. By following proper disclosure practices, they help everyone enjoy a safer experience with their devices, and in this case, a great night in watching movies.

Charles Leaver – Ziften Customers Secure From Troublesome Petya Variant Flaw

Written By Josh Harriman And Presented By Charles Leaver Ziften CEO


Another outbreak, another problem for those who were not prepared. While this latest attack is similar to the earlier WannaCry threat, there are some differences in this newest malware, which is a variant or new strain much like Petya. Called NotPetya by some, this strain causes a lot of problems for anyone who encounters it. It may encrypt your data, or make the system entirely unusable. And now the email address that you would need to contact to ‘perhaps’ decrypt your files has been taken down, so you are out of luck getting your files back.

A lot of information on the behavior of this threat is publicly available, but I wanted to point out that Ziften customers are protected both from the EternalBlue exploit, which is one mechanism used for its propagation, and, better still, by a check based on a possible flaw (or its own kind of debug check) that keeps the threat from ever running on your system. It could still spread through the environment, but our protection would already be rolled out to all existing systems to stop the damage.

Our Ziften extension platform lets our customers put defenses in place against specific vulnerabilities and malicious actions for this threat and others like Petya. Beyond the specific actions taken against this particular variant, we have taken a holistic approach to stopping strains of malware that perform various ‘checks’ against the system before running.

We can also use our Search capability to look for remnants of the other propagation techniques used by this threat. Reports show WMIC and PsExec being used. We can search for those programs, their command lines and their usage. Although they are legitimate processes, their use is usually uncommon and can be alerted on.

With WannaCry, and now NotPetya, we expect to see a continued rise in these types of attacks. The release of the recent NSA exploits has given eager cyber criminals the tools they need to push out their malware. And though ransomware can be a high-profit vehicle, more damaging threats could be launched. It has always been ‘how’ to get the threat to spread (worm-like, or via social engineering) that is most challenging for them.

Charles Leaver – Design Insecurities Need Fixing After UK Parliament Email Breach

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver


In the online world the sheep get shorn, chumps get chomped, dupes get duped, and pawns get pwned. We have seen another fine example of this in the recent attack on the United Kingdom Parliament email system.

Instead of admitting to an email system that was not secure by design, the official statement read:

Parliament has robust procedures in place to protect all of our accounts and systems.

Tell us another one. The one protective procedure we did see in action was deflecting the blame: the Russians did it, that always works, while blaming the victims for their policy violations. While details of the attack are limited, combing multiple sources does help to piece together at least the gross scenario. If these descriptions are reasonably close, the UK Parliament email system failings are egregious.

What failed in this case?

Rely on single factor authentication

“Password security” is an oxymoron: anything protected by a password alone is insecure, full stop, irrespective of the password strength. Please, no 2FA here, it might hinder attacks.

Do not impose any limit on unsuccessful login attempts

Aided by single factor authentication, this allows simple brute force attacks, no skill required. But when breached, blame elite foreign hackers; no one can verify.

Do not implement brute force attack detection

Allow attackers to carry out (otherwise trivially detectable) brute force attacks for extended periods (twelve hours against the United Kingdom Parliament system), to maximize the scope of account compromise.

Do not enforce policy, treat it as merely advisory

Combined with single factor authentication, no limit on failed logins, and no brute force detection, do not enforce any password strength validation. Supply attackers with extremely low hanging fruit.

Rely on unsigned, unencrypted email for sensitive communications

If attackers do succeed in compromising email accounts or sniffing your network traffic, give them plenty of opportunity to score high value message content entirely in the clear. This also conditions constituents to trust easily spoofable email from Parliament, creating an ideal constituent phishing environment.
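The two failings that allowed a twelve-hour brute force run, no limit on failed logins and no detection of the attempt rate, are cheap to fix in the authentication path itself. The code below is an added example, not anything from the post or from Parliament's systems: it replays a constructed authentication log through a per-account lockout and a per-source sliding-window failure counter, with threshold values that are assumptions chosen for the sample.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy knobs (constructed values, not from the post): lock an account after
# LOCKOUT_FAILS consecutive failures, and alert on a source address that racks up
# SPRAY_FAILS failures against any accounts inside a SPRAY_WINDOW sliding window.
LOCKOUT_FAILS = 5
LOCKOUT_FOR = timedelta(minutes=15)
SPRAY_FAILS = 8
SPRAY_WINDOW = timedelta(minutes=10)

# Constructed authentication log: "<ISO time> <OK|FAIL> user=<account> src=<ip>".
# One source hammers two accounts; a legitimate user then collides with the lockout.
SAMPLE_LOG = """
2017-06-23T22:00:01 FAIL user=jsmith src=203.0.113.7
2017-06-23T22:00:03 FAIL user=jsmith src=203.0.113.7
2017-06-23T22:00:05 FAIL user=jsmith src=203.0.113.7
2017-06-23T22:00:07 FAIL user=jsmith src=203.0.113.7
2017-06-23T22:00:09 FAIL user=jsmith src=203.0.113.7
2017-06-23T22:00:11 FAIL user=jsmith src=203.0.113.7
2017-06-23T22:00:13 FAIL user=asmith src=203.0.113.7
2017-06-23T22:00:15 FAIL user=asmith src=203.0.113.7
2017-06-23T22:00:17 FAIL user=asmith src=203.0.113.7
2017-06-23T22:05:00 OK user=bjones src=198.51.100.20
2017-06-23T22:10:00 OK user=jsmith src=198.51.100.20
2017-06-23T22:20:00 OK user=jsmith src=198.51.100.20
"""

def parse_line(line):
    ts, result, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "ok": result == "OK",
            "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}

class LoginGuard:
    """Per-account consecutive failures (lockout) plus per-source failure rate (detection)."""

    def __init__(self):
        self.consecutive = defaultdict(int)   # account -> consecutive failed attempts
        self.locked_until = {}                # account -> datetime the lockout expires
        self.src_fails = defaultdict(deque)   # source ip -> timestamps of recent failures
        self.alerts = []                      # (time, kind, account, source)

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def _note_source_failure(self, now, src):
        window = self.src_fails[src]
        window.append(now)
        while window and now - window[0] > SPRAY_WINDOW:
            window.popleft()               # drop failures that aged out of the window
        if len(window) == SPRAY_FAILS:     # fire once, when the threshold is first crossed
            self.alerts.append((now, "BRUTE_FORCE_SOURCE", "*", src))

    def observe(self, ev):
        """Feed one auth event; return True if the attempt was allowed to proceed."""
        now, user, src = ev["ts"], ev["user"], ev["src"]
        if self.is_locked(user, now):
            # Rejected before the password is even checked; still counts against the source.
            self._note_source_failure(now, src)
            self.alerts.append((now, "REJECTED_LOCKED", user, src))
            return False
        if ev["ok"]:
            self.consecutive[user] = 0
            return True
        self.consecutive[user] += 1
        self._note_source_failure(now, src)
        if self.consecutive[user] >= LOCKOUT_FAILS:
            self.locked_until[user] = now + LOCKOUT_FOR
            self.consecutive[user] = 0
            self.alerts.append((now, "ACCOUNT_LOCKED", user, src))
        return True

def replay(log_text):
    """Run the guard over a log; returns the guard and the per-attempt allow/deny decisions."""
    guard = LoginGuard()
    decisions = [guard.observe(parse_line(l)) for l in log_text.splitlines() if l.strip()]
    return guard, decisions

if __name__ == "__main__":
    guard, decisions = replay(SAMPLE_LOG)
    for ts, kind, user, src in guard.alerts:
        print(ts.isoformat(), kind, user, src)
```

The second REJECTED_LOCKED alert is the real jsmith being turned away at 22:10 by a lockout the attacker caused, which is why lockouts are paired with source-based rate detection rather than relied on alone.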

Lessons learned

In addition to adding “Common Sense for Dummies” to their summer reading lists, the United Kingdom Parliament email system administrators might want to take further action. Strengthening weak authentication practices, enforcing policies, improving network and endpoint visibility with continuous monitoring and anomaly detection, and completely rethinking secure messaging are the suggested steps. Penetration testing would have uncovered these foundational weaknesses while staying out of the news headlines.

Even a few smart high-schoolers with a free weekend could have replicated this breach. And finally, stop blaming Russia for your own security failings. Assume that any weaknesses in your security architecture and policy framework will be found and exploited by some cyber criminal somewhere on the global internet. All the more reason to find and fix those weaknesses before the attackers do, so turn those pen testers loose. And then, if your defenders don’t have visibility into the attacks in progress, upgrade your monitoring and analytics.

Charles Leaver – Security And IT Teams Work Together Using SysSecOps

Written By Charles Leaver Ziften CEO


Scott Raynovich nailed it. Having worked with hundreds of organizations, he understood that one of the biggest challenges is that security and operations are two different departments, with significantly different goals, different tools, and different management structures.

Scott and his analyst firm, Futuriom, recently completed a study, “Endpoint Security and SysSecOps: The Growing Pattern to Build a More Secure Business”, in which one of the key findings was that conflicting IT and security goals hinder professionals, on both teams, from achieving their objectives.

That’s exactly what we believe at Ziften, and the term Scott coined to describe the convergence of IT and security in this domain, SysSecOps, captures perfectly what we have been talking about. Security teams and IT teams must get on the same page. That means sharing the same goals, and in some cases, sharing the same tools.

Think about the tools that IT people use. They are built to make sure the infrastructure and end devices are working properly and, when something goes wrong, to help fix it. On the endpoint side, those tools help ensure that the devices allowed onto the network are configured correctly, have software that is licensed and properly patched/updated, and haven’t logged any faults.

Think about the tools that security people use. They work to enforce security policies on devices, infrastructure, and security appliances (like firewalls). This may involve actively tracking incidents, scanning for abnormal behavior, examining files to ensure they don’t contain malware, adopting the latest threat intelligence, matching against newly discovered zero-days, and performing analysis on log files.

Spotting fires, fighting fires

Those are two different worlds. The security teams are fire spotters: they can see that something bad is happening, can work quickly to isolate the problem, and determine whether damage occurred (like data exfiltration). The IT teams are the firefighters on the ground: they leap into action when an incident occurs to make sure the systems are made safe and brought back into operation.

Sounds good, right? Unfortunately, all too often, they don’t talk to each other; it’s like having the fire spotters and firefighters using different radios, different jargon, and different city maps. Worse, the teams can’t share the same data directly.

Our approach to SysSecOps is to give both the IT and security teams the same resources, and that means the same reports, presented in the ways appropriate to each set of professionals. It’s not dumbing down, it’s working smarter.

It’s ridiculous to operate any other way. Take WannaCry, for example. On one hand, Microsoft provided a patch back in March 2017 that addressed the underlying SMB flaw. IT operations teams didn’t install the patch, because they didn’t think it was a big deal and didn’t talk to security. Security teams didn’t know whether the patch was installed, because they don’t talk to operations. SysSecOps would have had everybody on the same page, and could potentially have avoided this problem.

Missing data means waste and risk

The dysfunctional gap between IT operations and security exposes companies to risk. Avoidable risk. Unnecessary risk. It’s just unacceptable!

If your organization’s IT and security teams aren’t on the same page, you are incurring risks and costs that you shouldn’t have to. It’s waste. Organizational waste. It’s wasteful because you have so many tools supplying partial data with gaps in it, and each of your teams sees only part of the picture.

As Scott concluded in his report, “Collaborated SysSecOps visibility has already proven its worth in assisting companies evaluate, analyze, and prevent significant dangers to the IT systems and endpoints. If these objectives are pursued, the security and management risks to an IT system can be considerably diminished.”

If your teams are working together in a SysSecOps way, if they can see the same data at the same time, you not only have better security and more effective operations, but also lower risk and lower costs. Our Zenith software can help you achieve that, not only working with your existing IT and security tools, but also filling in the gaps to make sure everyone has the right data at the right time.

Charles Leaver – Are You Paranoid About Enterprise Security? This Will Make You.

Written By Charles Leaver Ziften CEO


Whatever you do, don’t underestimate cyber criminals. Even the most paranoid “normal” person would not worry about a data breach starting with stolen credentials belonging to its heating, ventilation and air conditioning (HVAC) contractor. Yet that’s what happened at Target in November 2013. Hackers got into Target’s network using credentials issued to the contractor, presumably so it could monitor the heating, ventilation and air conditioning system. (For a good analysis, see Krebs on Security.) And then the hackers were able to use the breach to inject malware into point-of-sale (POS) systems, and then exfiltrate payment card data.

A number of ridiculous mistakes were made here. Why was the HVAC contractor given access to the corporate network? Why wasn’t the HVAC system on a separate, completely isolated network? Why wasn’t the POS system on a different network? And so on.

The point here is that in a really complex network, there are countless potential vulnerabilities that could be exploited through carelessness, unpatched software, default passwords, social engineering, spear phishing, or insider actions. You get the idea.

Whose job is it to find and fix those vulnerabilities? The security team. The CISO’s office. Security professionals aren’t “normal” people. They are hired to be paranoid. Make no mistake, no matter the specific technical vulnerability that was exploited, this was a CISO failure to anticipate the worst and prepare accordingly.

I can’t speak to the Target HVAC breach specifically, but there is one overwhelming reason breaches like this occur: a lack of budgetary priority for cyber security. I’m not sure how often companies fail to fund security simply because they’re cheap and would rather do a share buy-back. Or maybe the CISO is too timid to ask for what’s needed, or has been told that she gets a 5% increase, irrespective of the need. Maybe the CEO is worried that disclosures of big allocations for security will alarm investors. Maybe the CEO is simply naïve enough to think that the enterprise will not be targeted by hackers. The problem: every organization is targeted by cyber criminals.

There are substantial contests over budgets. The IT department wants to fund upgrades and improvements, and attack the backlog of demand for new and enhanced applications. On the other side, you have operational leaders who see IT projects as directly helping the bottom line. They are optimists, and get lots of CEO attention.

By contrast, the security department too often has to fight for crumbs. They are seen as a cost center. Security lowers organizational risk in a way that matters to the CFO, the CRO (chief risk officer, if there is one), the general counsel, and other pessimists who care about compliance and reputation. These green-eyeshade people think about the worst case scenarios. That does not make friends, and budget dollars are allocated grudgingly at too many companies (until the company gets burned).

Call it naivety, call it institutional hostility, but it’s a real problem. You can’t have IT given great tools to move the business forward, while security is starved and making do with second best.

Worse, you don’t want to end up in situations where the rightfully paranoid security teams are working with tools that don’t mesh well with their IT counterparts’ tools.

If IT and security tools don’t mesh well, IT may not be able to act quickly in response to risky situations that the security teams are monitoring or are worried about: things like reports from threat intelligence, discoveries of unpatched vulnerabilities, nasty zero-day exploits, or user behavior that suggests dangerous or suspicious activity.

One tip: find tools for both departments that are designed with both IT and security in mind, right from the start, rather than IT tools that are patched to provide some minimal security capability. One budget item (take it out of IT, they have more money), but two workflows, one designed for the IT professional, one for the CISO team. Everybody wins, and next time someone wants to give the HVAC contractor access to the network, perhaps security will notice what IT is doing, and head that catastrophe off at the pass.

Charles Leaver – The WannaCry Ransomware Threat Is Real And Here Is How Ziften Can Help

Written By Michael Vaughn And Presented By Charles Leaver Ziften CEO


Answers To Your Questions About WannaCry Ransomware

The WannaCry ransomware attack has infected more than 300,000 computers in 150 countries so far by exploiting vulnerabilities in Microsoft’s Windows operating system.
In this short video, Chief Data Scientist Dr. Al Hartmann and I discuss the nature of the attack, as well as how Ziften can help organizations protect themselves from the vulnerability known as “EternalBlue”.

As mentioned in the video, the problem with this Server Message Block (SMB) file-sharing service is that it’s on so many Windows operating systems and found in most environments. However, we make it simple to identify which systems in your environment have or have not been patched yet. Importantly, Ziften Zenith can also remotely disable the SMB file sharing service entirely, giving organizations valuable time to make sure that those computers are properly patched.

If you’re curious about Ziften Zenith, our 20 minute demonstration includes a consultation with our experts about how we can help your company prevent the worst digital disaster to hit the internet in years.

Charles Leaver – Ziften Is Better At Total End To End Protection Than Anybody Else

Written By Ziften CEO Charles Leaver


Do you want to manage and secure your endpoints, your network, the cloud and your data center? If so, Ziften can provide the ideal solution for you. We collect data, and let you correlate and use that data to make decisions, and keep control over your business.

The information that we gather from everyone on the network can make a real-world difference. Consider the inference that the U.S. elections in 2016 were influenced by cyber criminals in another country. If that’s the case, hackers can do almost anything, and the notion that we’ll accept that as the status quo is just ridiculous.

At Ziften, we believe the best way to fight those threats is with greater visibility than you have ever had. That visibility spans the entire enterprise, and connects all the major players together. On the back end, that’s physical and virtual servers in the cloud and in the data center. That’s containers and infrastructure and applications. On the other side, it’s laptops and PCs, regardless of where and how they are connected.

End to end: that’s the thinking behind everything we do at Ziften. From endpoint to cloud, all the way from a web browser to a DNS server. We connect all of that together, with all the other components, to give your company a complete solution.

We also capture and store real-time data for up to 12 months to let you understand what’s happening on the network today, and provide historical trend analysis and alerts if something changes.

That lets you spot IT faults and security concerns immediately, and ferret out the root causes by looking back in time to see where a fault or breach may have first occurred. Active forensics are an absolute must in this business: after all, where a fault or breach triggered an alarm may not be the place where the problem began, or where a hacker is operating.

Ziften gives your IT and security teams the visibility to understand your current security posture, and recognize where improvements are needed. Non-compliant endpoints? Found. Rogue devices? Found. Off-network penetration? Detected. Obsolete firmware? Unpatched applications? All found. We’ll not only help you find the issue, we’ll help you fix it, and make sure it stays fixed.

End-to-end security and IT management. Real-time and historical active forensics. Onsite, offline, in the cloud. Incident detection, containment and response. We’ve got it all covered. That’s what makes Ziften so much better.

Charles Leaver – Why Using Edit Distance Is Essential Part Two

Written By Jesse Sampson And Presented By Charles Leaver CEO Ziften


In the first post about edit distance, we looked at hunting for malicious executables with edit distance (i.e., how many character edits it takes to make two text strings match). Now let’s look at how we can use edit distance to hunt for malicious domains, and how we can build edit distance features that can be combined with other domain name features to identify suspect activity.

Background

What are bad actors doing with malicious domains? It may be simply using a similar spelling of a common domain name to trick careless users into viewing ads or picking up adware. Legitimate sites are gradually catching on to this technique, sometimes called typo squatting.

Other malicious domains are the product of domain generation algorithms, which may be used to do all sorts of shady things, like evading countermeasures that block known compromised sites, or overwhelming domain name servers in a distributed denial of service attack. Older versions use randomly generated strings, while more sophisticated ones add tricks like injecting common words, further confusing defenders.

Edit distance can help with both use cases: let’s see how. First, we’ll exclude common domains, since these are usually safe. Also, a list of common domains provides a baseline for spotting anomalies. One good source is Quantcast. For this discussion, we will stick to domains and avoid subdomains (e.g., not

After data cleaning, we compare each candidate domain name (input data observed in the wild by Ziften) to its potential neighbors in the same top level domain (the last part of a domain name, such as .org, which now can be almost anything). The basic task is to find the nearest neighbor in terms of edit distance. By finding domains that are one step away from their nearest neighbor, we can easily spot typo-ed domain names. By finding domain names far from their neighbor (the normalized edit distance we introduced in the first post is useful here), we can also find anomalous domains in the edit distance space.

What were the results?

Let’s look at how these results appear in real life. Use caution when browsing to these domain names, since they may contain malicious content!

Here are a few possible typos. Typo-squatters target well known domains because there are more chances somebody will visit. Several of these are flagged as suspect by our threat feed partners, but there are some false positives too, with cute names like “wikipedal”.

Here are some odd looking domain names that are far from their neighbors.

So now we have produced two useful edit distance metrics for hunting. Not only that, we have three features to potentially add to a machine learning model: rank of the nearest neighbor, distance from the neighbor, and edit distance 1 from the neighbor, indicating a risk of typo tricks. Other features that could work well with these include other lexical features like word and n-gram distributions, entropy, and string length, and network features like the total count of failed DNS requests.

Simplified Code that you can Play Around with

Here is a simplified version of the code to play with! Written for HP Vertica, but this SQL will probably run on most sophisticated databases. Note that the Vertica editDistance function may differ in other implementations (e.g. levenshtein in Postgres or UTL_MATCH.EDIT_DISTANCE in Oracle).
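The same hunt, written here in Python as an added example rather than the post's Vertica SQL: it implements Levenshtein edit distance, compares each candidate to the baseline domains in its own top level domain, and emits the three features described above (nearest neighbor rank, distance, and the distance-1 typo flag). The popularity list and the candidates are constructed for the example, and the normalization (distance divided by the longer label's length) and the 0.5 anomaly threshold are assumptions standing in for the first post's definition.

```python
from collections import defaultdict

def edit_distance(a, b):
    """Levenshtein distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (free if equal)
        prev = cur
    return prev[-1]

def split_domain(domain):
    """'goggle.com' -> ('goggle', 'com'): neighbors are only sought inside the same TLD."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld

def hunt(popular, candidates, anomaly_threshold=0.5):
    """popular: baseline domains in rank order (index 0 is rank 1). Returns one feature row
    per candidate that is not itself in the baseline and has a baseline neighbor in its TLD."""
    by_tld = defaultdict(list)
    for rank, dom in enumerate(popular, 1):
        label, tld = split_domain(dom)
        by_tld[tld].append((label, rank, dom))
    baseline = set(popular)
    rows = []
    for cand in candidates:
        if cand in baseline:              # common domains are the baseline, not suspects
            continue
        label, tld = split_domain(cand)
        neighbors = by_tld.get(tld)
        if not neighbors:
            continue                      # nothing to compare against in this TLD
        # min() over (distance, rank, domain) breaks distance ties toward the more popular name
        dist, rank, nn = min((edit_distance(label, l), r, d) for l, r, d in neighbors)
        norm = dist / max(len(label), len(split_domain(nn)[0]))
        rows.append({"domain": cand, "neighbor": nn, "neighbor_rank": rank,
                     "distance": dist, "normalized": round(norm, 3),
                     "typo_risk": dist == 1,               # one edit from a popular name
                     "anomalous": norm >= anomaly_threshold})  # far from everything popular
    return rows

# Constructed baseline and candidates (not real Quantcast or Ziften data).
POPULAR = ["google.com", "youtube.com", "facebook.com", "wikipedia.org",
           "amazon.com", "reddit.com", "craigslist.org"]
CANDIDATES = ["wikipeda.org", "goggle.com", "amazon.com", "xq7vhjpw.com",
              "faceb00k.com", "example.net"]

if __name__ == "__main__":
    for row in hunt(POPULAR, CANDIDATES):
        print(row)
```

Note that faceb00k.com comes out at distance 2, so the distance-1 typo flag alone misses double substitutions; that is one reason the post combines these features with lexical ones rather than using either metric by itself.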

Charles Leaver – Be Prepared For These Consequences When Machine Learning Takes A Hold

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


If you study history you will see many examples of severe unintended consequences when new technology has been introduced. It often surprises people that new technologies can be put to malicious purposes in addition to the positive ones for which they are brought to market, but it happens on a very regular basis.

For example, train robbers using dynamite (“You think you used enough dynamite there, Butch?”) or spammers using email. More recently, using SSL to hide malware from security controls has become more common simply because the legitimate use of SSL has made this technique more practical.

Since new technology is often appropriated by bad actors, we have no reason to believe this won’t be true of the new generation of machine learning tools that have reached the market.

To what extent will these tools be misused? There are probably a few ways that attackers could use machine learning to their advantage. At a minimum, malware authors will test their new malware against the new class of advanced threat protection solutions in an effort to modify their code so that it is less likely to be flagged as malicious. The effectiveness of defensive security controls always has a half-life due to adversarial learning. An understanding of machine learning defenses will help attackers become more proactive in reducing the effectiveness of machine learning based defenses. An example would be an attacker flooding a network with fake traffic in the hope of “poisoning” the machine learning model being built from that traffic. The goal of the attacker would be to trick the defender’s machine learning tool into misclassifying traffic, or to produce such a high rate of false positives that the defenders would dial back the sensitivity of the alerts.

Machine learning will likely also be used as an attack tool by attackers. For example, some researchers predict that attackers will use machine learning techniques to refine their social engineering attacks (e.g., spear phishing). The automation of the effort required to tailor a social engineering attack is especially troubling given the effectiveness of spear phishing. The ability to automate mass customization of these attacks is a powerful economic incentive for attackers to adopt the techniques.

Expect the kinds of breaches that deliver ransomware payloads to increase sharply in 2017.

The need to automate tasks is a major driver of investment decisions for both attackers and defenders. Machine learning promises to automate detection and response and increase the operational tempo. While the technology will increasingly become a standard component of defense in depth strategies, it is not a magic bullet. It should be understood that attackers are actively working on evasion methods around machine learning based detection products while also using machine learning for their own attack purposes. This arms race will require defenders to increasingly achieve incident response at machine speed, further exacerbating the need for automated incident response capabilities.

Charles Leaver – Monitor These Commands For Potential Threats

Written By Josh Harriman And Presented By Charles Leaver Ziften CEO


Repeating a concept when it comes to computer security is never a bad thing. As sophisticated as some cyber attacks can be, you really need to watch for and understand the use of common, readily available tools in your environment. These tools are generally used by your IT staff, would probably be whitelisted for use, and can be missed by security teams sifting through all the legitimate applications that ‘might’ be executed on an endpoint.

Once somebody has breached your network, which can be done in a variety of ways and is another post for another day, signs of these tools/programs running in your environment need to be checked to ensure appropriate use.

A few commands/tools and their functions:

Netstat – Details on the current connections on the system. This can be used to identify other systems within the network.

PowerShell – Built-in Windows command line tool that can perform a range of actions, for example gathering important information about the system, killing processes, adding or removing files, and so on.

WMI – Another powerful built-in Windows feature. Can move files around and gather important system information.

Route Print – Command to view the local routing table.

Net – Includes domains/groups/users/accounts.

RDP (Remote Desktop Protocol) – Program to access systems remotely.

AT – Scheduled tasks.

Looking for activity from these tools can be time consuming and often overwhelming, but it is essential to keep track of who might be moving around in your network. And not just what is happening in real time, but in the past as well, to see the path somebody may have taken through the network. It’s often not ‘patient zero’ that is the target; once they get a foothold, they may use these tools and commands to start their reconnaissance and finally migrate to a high value asset. It’s that lateral movement that you want to detect.

You need to have the ability to collect the information discussed above and the means to sift through it to find, alert on, and investigate this data. You can use Windows Events to track many changes on a device and then filter that down.
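One way to do that sifting, as an added example that is not Ziften's code and serves both this post's tool list and the earlier NotPetya post's point about WMIC and PsExec: the script below runs constructed process-creation events (a simplified Windows event shape, one per line) through a watch list of the tools above, separates IT's expected use from the same command run by someone else, flags command lines aimed at another host, and escalates any host showing reconnaissance followed by lateral movement. The IT account and management host allowlist, and the event field layout, are assumptions made for the example.

```python
import re
from collections import defaultdict

# Tools the post lists as worth watching, plus WMIC and PsExec from the NotPetya post.
# Values are the activity class a defender would assign to their use.
WATCHED = {
    "netstat.exe": "recon", "route.exe": "recon", "net.exe": "recon", "net1.exe": "recon",
    "powershell.exe": "execution", "wmic.exe": "execution", "at.exe": "persistence",
    "mstsc.exe": "remote-access", "psexec.exe": "remote-exec",
}
# Constructed allowlist (assumption): the account and host IT normally runs these tools from.
IT_ACCOUNTS = {"corp\\it-deploy"}
IT_HOSTS = {"mgmt01"}
# Argument shapes that point one of these tools at ANOTHER machine.
REMOTE_ARGS = re.compile(r"(/node:\S+|/v:\S+|\\\\[a-z0-9.$-]+)", re.IGNORECASE)

# Constructed process-creation events, one per line:
# timestamp|host|user|parent image|image|process status|command line
SAMPLE_EVENTS = r"""
2017-07-03T09:12:00|mgmt01|CORP\it-deploy|cmd.exe|wmic.exe|Terminated|wmic /node:ws0142 os get lastbootuptime
2017-07-03T14:03:11|ws0142|CORP\jsmith|explorer.exe|outlook.exe|Terminated|outlook.exe
2017-07-03T14:05:40|ws0142|CORP\jsmith|cmd.exe|netstat.exe|Terminated|netstat -an
2017-07-03T14:06:02|ws0142|CORP\jsmith|cmd.exe|net.exe|Terminated|net view /domain
2017-07-03T14:09:30|ws0142|CORP\jsmith|cmd.exe|wmic.exe|Terminated|wmic /node:fs01 os get lastbootuptime
2017-07-03T14:11:05|ws0142|CORP\jsmith|cmd.exe|mstsc.exe|Running|mstsc /v:fs01
"""

def parse_event(line):
    ts, host, user, parent, image, status, cmd = line.split("|", 6)
    return {"ts": ts, "host": host.lower(), "user": user.lower(), "parent": parent.lower(),
            "image": image.lower(), "status": status.lower(), "cmd": cmd}

def classify(ev):
    """Return a finding for a watched tool used outside its expected context, else None."""
    if ev["image"] not in WATCHED:
        return None
    category, reasons = WATCHED[ev["image"]], []
    it_context = ev["user"] in IT_ACCOUNTS and ev["host"] in IT_HOSTS
    if not it_context:
        reasons.append("run outside the IT admin account/host allowlist")
    if REMOTE_ARGS.search(ev["cmd"]):
        category = "lateral-movement"
        reasons.append("command line targets another host")
    if ev["status"] == "running":
        reasons.append("process still running: possible live operator on the box")
    if not reasons:
        return None          # IT using its normal tools locally from its normal place
    return {"ts": ev["ts"], "host": ev["host"], "user": ev["user"], "image": ev["image"],
            "cmd": ev["cmd"], "category": category, "reasons": reasons,
            "severity": "low" if it_context else "high"}

def hunt(lines):
    """Classify every event, then escalate hosts showing recon followed by lateral movement."""
    findings = [f for f in (classify(parse_event(l)) for l in lines if l.strip()) if f]
    seen = defaultdict(list)
    for f in findings:
        seen[f["host"]].append(f["category"])
    escalated = {h for h, cats in seen.items()
                 if "recon" in cats and "lateral-movement" in cats}
    return findings, escalated

if __name__ == "__main__":
    findings, escalated = hunt(SAMPLE_EVENTS.splitlines())
    for f in findings:
        print(f["severity"].upper(), f["ts"], f["host"], f["user"], f["image"],
              "|", "; ".join(f["reasons"]))
    print("hosts to escalate:", sorted(escalated))
```

The first and fifth events are nearly the same WMIC command line; only the account, host and surrounding activity separate IT's push from the workstation user's, which is the distinction the console screenshots discussed next are meant to show.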

Looking at some screenshots below from our Ziften console, you can see a quick difference between what our IT team used to push out changes in the environment, versus someone running a very similar command themselves. This may be much like what you find when somebody did that remotely, say via an RDP session.

An interesting side note in these screenshots is that in all of the cases, the Process Status is ‘Terminated’. You would not see this detail during a live investigation or if you were not continuously collecting the data. But because we are collecting all the information continuously, you have this historical data to look at. If you were to see the Status as ‘Running’, this could indicate that somebody is live on that system right now.

This only scratches the surface of what you should be collecting and how to evaluate what is right for your network, which of course will be different from that of others. But it’s a start. Malicious actors intent on doing you harm will normally look for the path of least resistance. Why try to create new and interesting tools, when much of what they need is already there and ready to go.