Monthly Archives: February 2016

Charles Leaver – Ask These 6 Questions For Damage Control Before A Cyber Attack


Written By Michael Bunyard And Presented By Ziften CEO Charles Leaver

The reality of modern life is that if attackers want to breach your network, it is only a matter of time before they succeed. The endpoint is the most common attack vector, and people are the weakest point in any organization. The endpoint device is where users interact with whatever an attacker is after: intellectual property, data, ransom payments, and so on. A new class of Next Generation Endpoint Security (NGES) systems, where Ziften is a leader, provides the visibility and insight needed to help reduce or prevent the opportunity for, or the duration of, an attack. Prevention methods include reducing the attack surface by removing known-vulnerable applications, curtailing version proliferation, killing malicious processes, and enforcing compliance with security policies.

But prevention only goes so far. No solution is 100% effective, so it is important to take a proactive, real-time approach to your environment: watching endpoint behavior, identifying when breaches have occurred, and responding immediately with remediation. Ziften also provides these capabilities, commonly known as Endpoint Detection and Response, and organizations should change their mindset from “How can we prevent attacks?” to “We will be breached, so what do we do then?”

To understand the true breadth and depth of an attack, organizations must be able to rewind the clock and reconstruct the conditions surrounding a breach. Security investigators need answers to the following six questions, and they need them quickly, since incident responders are outnumbered and working within limited time windows to reduce damage.

Where was the attack behavior first seen?

This is where the ability to look back to the point in time of initial infection is critical. To do this effectively, organizations must be able to go as far back in history as necessary to identify patient zero. The unfortunate state of affairs, according to Gartner, is that once a breach occurs, the average dwell time before it is discovered is a staggering 205 days. According to the 2015 Verizon Data Breach Investigations Report (DBIR), in 60% of cases attackers were able to penetrate organizations within minutes. That is why NGES systems that do not continuously monitor and record activity, but instead periodically poll or scan the endpoint, can miss the critical initial penetration. Likewise, the DBIR found that 95% of malware types were seen for less than four weeks, and four out of five did not last seven days. You need the ability to continuously monitor endpoint activity, look back in time (however long ago the attack occurred), and reconstruct the initial infection.

How did it behave?

What happened, step by step, after the initial infection? Did the malware execute for a second every five minutes? Was it able to obtain escalated privileges? A continuous picture of what happened behaviorally at the endpoint is critical to getting an investigation started.

How and where did the attack spread after the initial compromise?

Usually the attacker is not after the data available at the point of infection, but rather wants to use it as an initial beachhead from which to pivot through the network to reach the valuable data. Endpoints include the servers that the endpoints connect to, so it is essential to see a complete picture of any lateral movement that occurred after the intrusion, to know exactly which assets were compromised and possibly also infected.

How did the behavior of the infected endpoint(s) change?

What was going on before and after the infection? What network connections were being attempted? How much network traffic was flowing? What processes were active before and after the attack? Immediate answers to these questions are critical to fast triage.

What user activity took place, and was there any potential insider involvement?

What actions did the user take before and after the infection occurred? Was the user present at the device? Was a USB drive inserted? Was the time period outside their normal usage pattern? These and many more artifacts must be available to paint a complete picture.

What mitigation is needed to deal with the attack and prevent another one?

Reimaging the infected machine(s) is a lengthy and costly solution, but many times it is the only way to know for sure that all harmful artifacts have been removed (although state-sponsored attackers may embed themselves in system or drive firmware to survive even reimaging). But with a clear picture of all activity that took place, simpler actions, such as removing malicious files from all affected systems, may suffice. Re-examining security policies will most likely be necessary, and NGES solutions can help automate future responses should similar scenarios arise. Automatable actions include sandboxing, cutting off network access from infected devices, killing processes, and much more.
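The six questions above are, in practice, queries over a continuous endpoint event record. The script below is an added example (not Ziften's code or product) that answers each question over a small constructed telemetry log: it finds patient zero, lists what the host did next, orders the hosts the indicator spread to, diffs network destinations before and after infection, checks for user-driven artifacts such as a USB insertion, and derives a remediation plan. Every hostname, user, hash and IP address in it is constructed sample data.

```python
"""Reconstruct an incident timeline from continuous endpoint telemetry.

Added example, not Ziften's code. It walks the six questions above over a
constructed event log. Every hostname, user, hash and IP address below is
constructed sample data, not a real indicator.
"""
from datetime import datetime, timedelta

# Constructed telemetry: (timestamp, host, user, event_type, detail).
# Event types: process (hash + image), netconn (dest:port), usb, privesc.
EVENTS = [
    ("2015-11-02T08:01:00", "pos-01",  "clerk1", "process", "hash:aaa111 pos.exe"),
    ("2015-11-02T08:03:10", "pos-01",  "clerk1", "netconn", "10.0.0.5:443"),
    ("2015-11-02T09:15:00", "wkst-07", "jdoe",   "usb",     "vendor=0x0951"),
    ("2015-11-02T09:16:30", "wkst-07", "jdoe",   "process", "hash:bad999 svchost32.exe"),
    ("2015-11-02T09:17:00", "wkst-07", "jdoe",   "netconn", "203.0.113.9:8080"),
    ("2015-11-02T09:40:00", "wkst-07", "jdoe",   "privesc", "token=SYSTEM"),
    ("2015-11-02T11:20:00", "srv-02",  "jdoe",   "process", "hash:bad999 svchost32.exe"),
    ("2015-11-02T11:21:00", "srv-02",  "jdoe",   "netconn", "203.0.113.9:8080"),
    ("2015-11-03T02:05:00", "pos-01",  "SYSTEM", "process", "hash:bad999 svchost32.exe"),
    ("2015-11-03T02:06:00", "pos-01",  "SYSTEM", "netconn", "203.0.113.9:8080"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def by_time(events):
    return sorted(events, key=lambda e: parse_ts(e[0]))


def first_sighting(events, indicator):
    """Q1: the earliest event carrying the indicator identifies patient zero."""
    hits = [e for e in by_time(events) if indicator in e[4]]
    if not hits:
        return None
    ts, host, user, _, _ = hits[0]
    return ts, host, user


def post_infection_activity(events, host, infection_ts):
    """Q2: everything the host did from the moment of infection onward, in order."""
    t0 = parse_ts(infection_ts)
    return [e for e in by_time(events) if e[1] == host and parse_ts(e[0]) >= t0]


def spread(events, indicator):
    """Q3: hosts in the order the indicator first appeared on each (lateral movement)."""
    first = {}
    for ts, host, _, _, detail in by_time(events):
        if indicator in detail and host not in first:
            first[host] = ts
    return list(first.items())


def network_change(events, host, infection_ts):
    """Q4: outbound destinations before vs. after infection; 'new' is the delta."""
    t0 = parse_ts(infection_ts)
    before, after = set(), set()
    for ts, h, _, kind, detail in events:
        if h == host and kind == "netconn":
            (after if parse_ts(ts) >= t0 else before).add(detail)
    return {"before": before, "after": after, "new": after - before}


def user_artifacts(events, host, infection_ts, window_minutes=30):
    """Q5: was a human present, and which user-driven artifacts surround the infection?"""
    t0 = parse_ts(infection_ts)
    win = timedelta(minutes=window_minutes)
    nearby = [e for e in events if e[1] == host and abs(parse_ts(e[0]) - t0) <= win]
    return {
        "user_present": any(e[2] != "SYSTEM" for e in nearby),
        "artifacts": [e for e in nearby if e[3] in ("usb", "privesc")],
    }


def remediation_plan(events, indicator):
    """Q6: which hosts to clean or reimage and which destinations to block."""
    infected = spread(events, indicator)
    block = set()
    for host, ts in infected:
        block |= network_change(events, host, ts)["new"]
    return {"reimage": [h for h, _ in infected], "block": block}


if __name__ == "__main__":
    ind = "bad999"
    print("patient zero:", first_sighting(EVENTS, ind))
    print("spread:", spread(EVENTS, ind))
    print("plan:", remediation_plan(EVENTS, ind))
```

The point of the design is that every answer depends on the record being continuous: a periodic scan would have no 09:15 USB event and no 09:16:30 first execution to anchor the timeline on, which is exactly the gap the paragraph above describes.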

Don’t wait until after an attack occurs and you have to call in an army of experts and spend your time and money piecing the facts together. Make sure you are prepared to answer these six crucial questions and have all the answers within your grasp in minutes.


Charles Leaver – It Is Believed That The IRS Hack Began With Compromised Endpoints


Written By Michael Steward And Presented By Charles Leaver CEO Ziften

Internal Revenue Service Hackers Make Early Returns Due to Previous External Attacks

The Internal Revenue Service breach was the most unusual cyber attack of 2015. Classic attacks today involve phishing emails intended to gain initial access to target systems, after which lateral movement is carried out until data exfiltration takes place. But the IRS hack was different: much of the data needed to carry it out had been obtained previously. In this case, all the attackers had to do was walk in the front door and file the returns. How could this happen? Here is what we know:

The IRS website has a “Get Transcript” function for users to retrieve prior tax return details. As long as the requester can provide the correct details, the system returns past and current W-2s, old tax returns, and so on. With anyone’s SSN, date of birth, and filing status, the attackers could begin retrieving prior filing years’ information. The system also had a Knowledge Based Authentication (KBA) step, which asked questions based on the requesting user’s credit history.

KBA is not foolproof, however. The questions it asks can often be predicted from other information already learned about the user. The system asks questions such as “Which of the following streets have you lived on?” or “Which of the following vehicles have you owned?”

After the dust settled, it is estimated that the attackers tried to collect 660,000 transcripts of prior taxpayer information via Get Transcript, and succeeded in 334,000 of those attempts. The unsuccessful attempts appear to have gotten as far as the KBA questions, where the attackers could not provide the correct answers. It is estimated that the attackers got away with over $50 million. So, how did they do it?

Security analysts believe that the attackers used information from previous breaches, such as SSNs, DOBs, addresses, and filing statuses, to attempt to obtain prior tax return details on their target victims. If they succeeded and answered the KBA questions correctly, they submitted a claim for the 2015 calendar year, often inflating the withholding amount on the tax return form to obtain a larger refund. As discussed previously, not all attempts were successful, but over 50% of the attempts resulted in significant losses for the IRS.

Detection and response systems like Ziften focus on identifying compromised endpoints (for example, those compromised through phishing attacks). We do this by providing real-time visibility into Indicators of Compromise (IoCs). If the theories are correct and the attackers used details gleaned from previous attacks outside the IRS, the compromised businesses could have benefited from the visibility Ziften provides and mitigated mass data exfiltration. Ultimately, the IRS appears to be the vehicle, rather than the initial victim, of these attacks.


Charles Leaver – Comcast Customers Are At Risk From Shared Hacks And Data Exfiltration


Written By Michael Pawloski And Presented By Ziften CEO Charles Leaver

The Consumers Of Comcast Are Victims Of Data Exfiltration and Shared Hacks Via Other Companies

The private details of roughly 200,000 Comcast customers were compromised on November 5th, 2015. Comcast was forced to make this announcement when it came to light that a list of 590,000 Comcast customer emails and passwords could be bought on the dark web for a token $1,000. Comcast maintains that there was no attack on its own network; rather, the data came from past, shared hacks of other businesses. Comcast further claims that only 200,000 of these 590,000 customers still exist in its system.

Less than two months earlier, Comcast had already been slapped with a $22 million fine over its accidental publication of almost 75,000 customers’ personal information. Somewhat ironically, these customers had specifically paid Comcast for “unlisted voice-over-IP,” a line item on the Comcast bill specifying that each customer’s information would be kept private.

Comcast instituted a mass reset of the 200,000 customer passwords, since whoever held the list might have accessed these accounts before it was put up for sale. While a simple password reset by Comcast will to some extent secure these accounts going forward, it does nothing to protect those customers who may have reused the same email and password combination on banking and credit card logins. If the customer accounts were accessed before the list was disclosed, it is entirely possible that other personal information, such as automatic payment details and home address, had already been obtained.

The bottom line: assuming Comcast was not attacked directly, it was the victim of numerous other hacks that contained data connected to its customers. Detection and response solutions like Ziften can prevent mass data exfiltration and often reduce the damage done when these inevitable attacks occur.


Charles Leaver – Trump Hotels Were Breached Because Of Point Of Sale Vulnerabilities That Were Not Visible


Written By Matthew Fullard And Presented By Charles Leaver CEO Ziften

Trump Hotels Point-of-Sale Vulnerabilities Emphasize Need for Faster Detection of Anomalous Activity

Trump Hotels suffered a data breach between May 19th, 2014 and June 2nd, 2015. The point of infection was malware, which infected their front desk computers, POS systems, and restaurants. However, in their own words they state that they “did not discover any evidence that any consumer information was taken from our systems.” While it is reassuring that no evidence was found, if malware exists on POS systems it is most likely there to steal data related to the credit cards that are swiped, or increasingly tapped, inserted, or waved. Absence of evidence does not mean absence of a crime, and to Trump Hotels’ credit, they have provided free credit monitoring services.

If you examine a Point-of-Sale (POS) system as an administrator, you will notice one thing in abundance: they rarely change, and the software will be nearly uniform across the deployment. This has both positives and negatives when it comes to securing such an environment. Software changes are slow to happen, require extensive testing, and are hard to roll out.

However, because such an environment is so homogeneous, it is also much easier to identify Point of Sale vulnerabilities when something new has changed.

At Ziften we monitor all executing binaries and network connections that occur within an environment the moment they happen. If a single Point of Sale system started making new network connections, or started running new software, regardless of its intent, it would be flagged for further review and investigation. Ziften also collects unlimited historical data from your environment. If you want to know exactly what happened six to twelve months ago, that is not a problem. Dwell times and AV detection rates can now be determined using our integrated threat feeds, along with our binary collection and submission technology. Likewise, we will tell you which users launched which applications at what time across this historical record, so you can find your initial point of infection.

POS problems continue to plague the retail and hospitality industries, which is a shame given how relatively straightforward such an environment is to monitor with detection and response.


Charles Leaver – Marriott Could Have Prevented Their Point Of Sale Breach With Continuous Endpoint Visibility


Written By Andy Wilson And Presented By Ziften CEO Charles Leaver

US retail outlets still appear to be an appealing target for cyber criminals seeking credit card data: Marriott franchisee White Lodging Services Corp announced a data breach in the spring of 2015, affecting customers at 14 hotels across the country from September 2014 to January 2015. This event follows a similar attack White Lodging suffered in 2014. The attackers in both cases were reportedly able to compromise the Point-of-Sale systems of the Marriott lounges and restaurants at a number of locations run by White Lodging. The criminals were able to obtain the names printed on customers’ credit or debit cards, the card numbers, the security codes, and the card expiration dates. POS systems were also the focus of recent breaches at Target, Neiman Marcus, Home Depot, and more.

Traditionally, Point-of-Sale (POS) systems at many US retail outlets were “locked down” Windows devices running a small set of applications tailored to their function: ringing up the sale and processing the transaction with the credit card bank or merchant. Modern POS terminals are essentially PCs that run email clients, web browsers, and remote desktop tools in addition to their transaction software. To be fair, they are usually deployed behind a firewall, but they are still ripe for exploitation. The best defenses can and will be breached if the target is valuable enough. For example, the remote control tools used for management and updating of POS systems are frequently hijacked by attackers for their own purposes.

The credit card or payment processing network is an entirely separate, air-gapped, encrypted network. So how did the attackers manage to steal the payment card data? They stole it while it was in memory on the POS terminal during the payment process. Even if retailers do not store credit card information, the data can sit unencrypted on the POS machine while the transaction is being authorized. Memory-scraping POS malware such as PoSeidon, FindPOS, FighterPOS, and PunKey is used by data thieves to harvest the card data in its unencrypted state. The harvested data is then typically encrypted and retrieved by the attackers, or sent out to the Internet where the thieves collect it.

Ziften’s solution provides continuous endpoint visibility that can detect and remediate these kinds of threats. Ziften’s MD5 hash analysis can spot new and suspicious processes or .dll files running in the POS environment. Ziften can also kill the process and collect the binary for further action or analysis. It is also possible to spot POS malware by alerting on Command and Control traffic: Ziften’s integrated Threat Intel and Custom Threat Feed options allow customers to be notified when POS malware communicates with C&C nodes. Finally, Ziften’s historical data enables customers to kick-start the forensic evaluation of how the malware got in, what it did after it was installed and executed, and which other machines are infected.
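Both the Trump Hotels post above (a homogeneous POS fleet makes anything new stand out) and the paragraph here (hash analysis of running processes plus alerting on C&C destinations from a threat feed) come down to the same two checks. The script below is an added example, not Ziften's product code: it takes a constructed snapshot of five identical POS terminals, computes how many terminals each binary hash and each outbound destination appears on, flags anything seen on only a small fraction of the fleet, and separately matches destinations against a constructed indicator list. The hash values, hostnames and IP addresses are all constructed sample data.

```python
"""Prevalence-based anomaly detection for a homogeneous POS fleet.

Added example, not Ziften's code. On a fleet of near-identical terminals,
a binary hash or outbound destination present on only a few terminals is
suspicious by itself; a destination matching a threat-intel list is a
higher-confidence hit. All values below are constructed sample data.
"""
from collections import defaultdict

# Constructed snapshot: one record per observed (host, binary hash, image,
# outbound destination). A destination of None means no outbound connection.
FLEET = [
    ("pos-01", "hash:1111", "pos.exe",       "10.10.0.5:443"),
    ("pos-01", "hash:2222", "updater.exe",   "10.10.0.6:8443"),
    ("pos-02", "hash:1111", "pos.exe",       "10.10.0.5:443"),
    ("pos-02", "hash:2222", "updater.exe",   "10.10.0.6:8443"),
    ("pos-03", "hash:1111", "pos.exe",       "10.10.0.5:443"),
    ("pos-03", "hash:2222", "updater.exe",   "10.10.0.6:8443"),
    ("pos-03", "hash:dead", "svchost32.exe", "198.51.100.7:443"),  # the odd one out
    ("pos-04", "hash:1111", "pos.exe",       "10.10.0.5:443"),
    ("pos-04", "hash:2222", "updater.exe",   "10.10.0.6:8443"),
    ("pos-05", "hash:1111", "pos.exe",       "10.10.0.5:443"),
    ("pos-05", "hash:2222", "updater.exe",   "10.10.0.6:8443"),
]
C2_INTEL = {"198.51.100.7"}  # constructed indicator feed (destination IPs)

HOST, HASH, IMAGE, DEST = 0, 1, 2, 3


def fleet_hosts(records):
    return {r[HOST] for r in records}


def prevalence(records, field):
    """Map each value of `field` (HASH or DEST) to the set of hosts it was seen on."""
    seen = defaultdict(set)
    for rec in records:
        if rec[field] is not None:
            seen[rec[field]].add(rec[HOST])
    return seen


def rare_values(records, field, max_ratio):
    """Values present on at most `max_ratio` of the fleet, sorted by value."""
    n = len(fleet_hosts(records))
    rare = [(v, hosts) for v, hosts in prevalence(records, field).items()
            if len(hosts) / n <= max_ratio]
    return sorted(rare, key=lambda item: item[0])


def rare_binaries(records, max_ratio=0.2):
    """Hashes that break the fleet's uniformity, with the image name they ran as."""
    names = {r[HASH]: r[IMAGE] for r in records}
    return [(h, names[h], hosts) for h, hosts in rare_values(records, HASH, max_ratio)]


def rare_destinations(records, max_ratio=0.2):
    return rare_values(records, DEST, max_ratio)


def c2_matches(records, intel):
    """Records whose destination IP is on the indicator list."""
    out = []
    for host, _, image, dest in records:
        if dest and dest.rsplit(":", 1)[0] in intel:
            out.append((host, image, dest))
    return out


def triage(records, intel, max_ratio=0.2):
    """Combine the three checks into findings with a suggested response."""
    findings = []
    for h, image, hosts in rare_binaries(records, max_ratio):
        findings.append({"type": "rare_binary", "hash": h, "image": image,
                         "hosts": sorted(hosts), "action": "kill process, collect binary, review"})
    for dest, hosts in rare_destinations(records, max_ratio):
        findings.append({"type": "rare_destination", "dest": dest,
                         "hosts": sorted(hosts), "action": "review"})
    for host, image, dest in c2_matches(records, intel):
        findings.append({"type": "c2_match", "host": host, "image": image,
                         "dest": dest, "action": "isolate host, alert"})
    return findings


if __name__ == "__main__":
    for finding in triage(FLEET, C2_INTEL):
        print(finding)
```

The threshold is a ratio rather than a count so the same rule works for a fleet of five or five thousand terminals; on a genuinely homogeneous fleet a ratio of 0.2 is generous, and a real deployment would also whitelist known rollout windows so a staged software update is not flagged on every terminal it reaches first.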

It is past time for retailers to step up their game and look for new solutions to protect their customers’ payment cards.