Archive for February, 2016

Chuck Leaver – 6 Damage Control Questions You Should Ask Before A Breach

Written By Michael Bunyard And Presented By Ziften CEO Chuck Leaver


The hard truth of modern life is that if attackers want to breach your network, it is only a matter of time before they do. The endpoint is the most common attack vector, and people are the weakest point in any organization. The endpoint is where people handle whatever an attacker is after: intellectual property, customer data, or a system to hold for ransom. A new class of Next Generation Endpoint Security (NGES) products, a category in which Ziften is a leader, provides the visibility and insight needed to reduce the opportunity for, or the duration of, an attack. Prevention measures include shrinking the attack surface by removing known-vulnerable applications, reducing version sprawl, killing malicious processes, and enforcing compliance with security policies.

But prevention only goes so far. No control is 100% effective, so you also need a proactive, real-time approach: watching endpoint behavior, detecting when a breach has occurred, and responding immediately with remediation. Ziften supplies these capabilities too, generally known as Endpoint Detection and Response (EDR), and organizations should shift their mindset from “How do we prevent attacks?” to “We will be breached, so what do we do then?”

To understand the true impact of an attack, organizations need to be able to look back and reconstruct the conditions surrounding the breach. Security analysts need answers to the following six questions, and they need them fast, because incident responders are outnumbered and working in limited time windows to contain the damage.

Where was the attack activity first seen?

This is where the ability to look back to the moment of initial infection is critical. To do it well, organizations must be able to go as far back in history as necessary to identify patient zero. The unfortunate state of affairs, according to Gartner, is that the average dwell time before a breach is discovered is a shocking 205 days. According to the 2015 Verizon Data Breach Investigations Report (DBIR), in 60% of cases attackers were able to compromise an organization within minutes. That is why NGES products that do not continuously monitor and record activity, but instead poll or scan the endpoint periodically, can miss the initial compromise entirely. The DBIR also found that 95% of malware types showed up for less than a month, and four out of five did not last a week. You need to monitor endpoint activity continuously and be able to look back in time, however long ago the attack happened, to reconstruct the initial infection.

How did it behave?

What happened, step by step, after the initial infection? Did the malware run for a second every five minutes? Did it obtain elevated privileges? A continuous record of what happened on the endpoint, behaviorally, is essential to get an investigation started.

How and where did the attack spread after initial compromise?

Often the attacker is not after the data available at the point of infection, but wants to use it as a beachhead to pivot through the network toward the valuable data. “Endpoints” include the servers the client endpoints connect to, so you need a complete picture of any lateral movement that occurred after the intrusion in order to understand which assets were compromised and possibly also infected.

How did the infected endpoint’s behavior change?

What was going on before and after the infection? Which network connections were being made? How much network traffic was flowing? Which processes were active before and after the attack? Immediate answers to these questions are essential for rapid triage.

What user activity occurred, and was there any potential insider involvement?

What actions did the user take before and after the infection? Was the user present at the machine? Was a USB drive used? Was the activity outside their normal usage pattern? These and many more artifacts should be available to paint a full picture.

What mitigation is required to deal with the attack and prevent the next one?

Reimaging the infected machine(s) is time-consuming and costly, but often it is the only way to know for sure that every malicious artifact has been removed (though state-sponsored attackers may implant themselves in system or drive firmware and survive even a reimage). With a clear picture of everything that happened, however, lesser actions such as removing the malicious files from every affected system may be sufficient. Re-examining security policies will probably be in order, and NGES systems can automate responses in the future should a similar situation arise. Automatable actions include sandboxing, cutting off network access for infected devices, killing processes, and much more.
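To make the six questions concrete, here is an added example (not Ziften’s code, and not part of the original post) that answers each of them from a continuous endpoint record. The event format, the host and user names, the IoC hash and the RFC 5737 test address standing in for a command-and-control server are all constructed for illustration; a real product would feed in its own telemetry.

```python
"""Reconstruct the answers to the six questions from endpoint telemetry.

Added example, not Ziften's code. The event format, the host names and
the IoC hash are assumptions made for illustration only.
"""
from datetime import datetime, timedelta

BAD_HASH = "d41d8cd98f00b204e9800998ecf8427e"  # assumed IoC: MD5 of the dropped binary

def at(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed telemetry: (timestamp, host, user, kind, detail).
# kind: "proc" = process start, "net" = outbound connection,
#       "usb" = removable drive mounted, "logon" = interactive logon.
# 203.0.113.10 is an RFC 5737 test address standing in for a C&C server.
EVENTS = [
    (at("2016-02-01 08:55"), "ws-17", "jdoe", "logon", {}),
    (at("2016-02-01 09:00"), "ws-17", "jdoe", "proc", {"name": "outlook.exe", "md5": "aa11"}),
    (at("2016-02-01 09:01"), "ws-17", "jdoe", "net", {"dst": "mail.corp.example"}),
    (at("2016-02-01 09:30"), "ws-17", "jdoe", "usb", {"serial": "0F3A"}),
    (at("2016-02-01 09:31"), "ws-17", "jdoe", "proc", {"name": "invoice.pdf.exe", "md5": BAD_HASH}),
    (at("2016-02-01 09:32"), "ws-17", "jdoe", "net", {"dst": "203.0.113.10"}),
    (at("2016-02-01 09:40"), "ws-17", "jdoe", "proc", {"name": "cmd.exe", "md5": "bb22"}),
    (at("2016-02-01 09:41"), "ws-17", "jdoe", "net", {"dst": "fs-01"}),
    (at("2016-02-01 09:45"), "fs-01", "svc_backup", "proc", {"name": "svchost.exe", "md5": BAD_HASH}),
    (at("2016-02-01 09:46"), "fs-01", "svc_backup", "net", {"dst": "203.0.113.10"}),
    (at("2016-02-01 10:00"), "ws-22", "asmith", "proc", {"name": "outlook.exe", "md5": "aa11"}),
]

def by_time(events):
    return sorted(events, key=lambda e: e[0])

def sightings(events, md5):
    """(host, first execution time) for every host that ran the IoC, in order."""
    first = {}
    for ts, host, _, kind, d in by_time(events):
        if kind == "proc" and d.get("md5") == md5 and host not in first:
            first[host] = ts
    return sorted(first.items(), key=lambda kv: kv[1])

def patient_zero(events, md5):
    """Q1: where and when was the attack first seen?"""
    s = sightings(events, md5)
    return s[0] if s else None

def behaviour_after(events, host, t0):
    """Q2: what did it do? Everything that ran or connected out after t0."""
    return [(ts, kind, d) for ts, h, _, kind, d in by_time(events)
            if h == host and ts >= t0 and kind in ("proc", "net")]

def lateral_movement(events, md5):
    """Q3: where did it spread? Each later sighting, paired with the
    connections from already-infected hosts that preceded it."""
    infected, moves = {}, []
    for host, t_first in sightings(events, md5):
        src = sorted((ts, h) for ts, h, _, kind, d in events
                     if kind == "net" and d.get("dst") == host
                     and h in infected and ts < t_first)
        moves.append((host, t_first, src))
        infected[host] = t_first
    return moves

def behaviour_change(events, host, t0, window=timedelta(hours=1)):
    """Q4: processes and destinations seen in the window after infection
    that never appeared in the same-sized window before it."""
    before, after = set(), set()
    for ts, h, _, kind, d in events:
        if h != host or kind not in ("proc", "net"):
            continue
        key = (kind, d.get("name") or d.get("dst"))
        if t0 - window <= ts < t0:
            before.add(key)
        elif t0 <= ts < t0 + window:
            after.add(key)
    return sorted(after - before)

def user_activity(events, host, t0, window=timedelta(hours=1)):
    """Q5: who was at the keyboard, and what did they plug in?"""
    return [(ts, user, kind, d) for ts, h, user, kind, d in by_time(events)
            if h == host and kind in ("logon", "usb") and abs(ts - t0) <= window]

def hosts_to_remediate(events, md5):
    """Q6: the clean-or-reimage list is every host where the IoC executed."""
    return sorted(h for h, _ in sightings(events, md5))

if __name__ == "__main__":
    host, t0 = patient_zero(EVENTS, BAD_HASH)
    print("patient zero:", host, t0)
    for step in behaviour_after(EVENTS, host, t0):
        print("  after:", *step)
    print("spread:", lateral_movement(EVENTS, BAD_HASH))
    print("new behaviour:", behaviour_change(EVENTS, host, t0))
    print("user activity:", user_activity(EVENTS, host, t0))
    print("remediate:", hosts_to_remediate(EVENTS, BAD_HASH))
```

Every function here depends on the same thing the post argues for: a record that reaches back before the infection. With only a periodic scan, the USB mount at 09:30 and the connection from ws-17 to fs-01 at 09:41 would both be missing, and fs-01 would look like an unrelated second infection rather than the result of lateral movement.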

Don’t wait until after a breach, when you have to hire an army of consultants and spend time and money piecing the facts together. Make sure you are prepared to answer these six crucial questions and can have all the answers within minutes.

Chuck Leaver – Compromised Endpoints Were The Likely Starting Point For IRS Hack

Written By Michael Steward And Presented By Chuck Leaver CEO Ziften

Internal Revenue Service Attackers Make Early Returns Because of Previous External Attacks

The IRS breach was the most unusual cyber attack of 2015. A classic attack today starts with a phishing email to gain initial access to target systems, followed by lateral movement until data is exfiltrated. The IRS hack was different: much of the data needed to carry it out had been acquired beforehand. In this case, all the attackers had to do was walk in the front door and file the returns. How could this happen? Here is what we know:

The IRS website has a “Get Transcript” feature that lets users retrieve prior tax return information. As long as the requester can supply the right details, the system returns past and current W-2s, old tax returns, and so on. With anyone’s SSN, date of birth and filing status, the attackers could start retrieving prior filing years’ details. The system also used Knowledge Based Authentication (KBA), which asks questions based on the requesting user’s credit history.

KBA is not foolproof, though. The questions it asks can often be predicted from other information already known about the user. The system asks questions such as “Which of the following streets have you lived on?” or “Which of the following cars have you owned?”

After the dust settled, it was estimated that the attackers attempted to pull 660,000 transcripts of prior taxpayer information via Get Transcript, and succeeded in 334,000 of those attempts. The unsuccessful attempts appear to have reached the KBA questions, where the attackers failed to supply the correct answers. The attackers are estimated to have gotten away with over $50 million. So, how did they do it?

Security researchers theorize that the attackers used details from previous breaches, such as SSNs, DOBs, addresses and filing statuses, to retrieve prior tax return information on their target victims. If they succeeded in answering the KBA questions correctly, they filed a fraudulent return for the 2015 season, often inflating the withholding amount on the form to obtain a larger refund. As noted above, not every attempt succeeded, but over 50% of the attempts resulted in major losses for the IRS.

Detection and response systems like Ziften are aimed at identifying compromised endpoints (for example, via phishing attacks). We do this by providing real-time visibility into Indicators of Compromise (IoCs). If the theories are correct and the attackers used details gleaned from earlier breaches outside the IRS, the organizations compromised in those breaches could have benefited from the visibility Ziften provides and mitigated the mass data exfiltration. Ultimately, the IRS appears to be the vehicle, rather than the initial victim, of these attacks.

Chuck Leaver – Data Exfiltration And Shared Hacks Putting Comcast Customers At Risk

Written By Michael Pawloski And Presented By Ziften CEO Chuck Leaver

The Customers Of Comcast Are Victims Of Data Exfiltration and Shared Hacks Via Other Businesses

The private details of around 200,000 Comcast customers were compromised on November 5th, 2015. Comcast was forced to make the announcement when it came to light that a list of 590,000 Comcast customer email addresses and passwords was for sale on the dark web for a mere $1,000. Comcast maintains that there was no breach of its own network, and that the list was assembled from past hacks of other businesses. Comcast further claims that only 200,000 of the 590,000 accounts still exist in its systems.

Less than two months earlier, Comcast had already been hit with a $22 million fine over its accidental publishing of almost 75,000 customers’ personal details. Ironically, these customers had specifically paid Comcast for “unlisted voice-over-IP,” a line item on the Comcast bill stipulating that each customer’s information would be kept confidential.

Comcast ordered a mass reset of the 200,000 active customers’ passwords, since the accounts may have been accessed before the list was put up for sale. While a simple password reset by Comcast will protect these accounts going forward, it does nothing to protect customers who reused the same email and password combination on banking and credit card logins. If the accounts were accessed before the disclosure, it is entirely possible that other personal details, such as automatic payment information and home address, had already been obtained.
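The first job when a list like this surfaces is to work out which of the 590,000 pairs still matter to you: which emails belong to live accounts, and for which of those the leaked password is the one currently in use. The following is an added example of that triage (not Comcast’s or Ziften’s code, and not from the original post). The leaked dump, the account store, the email addresses and the PBKDF2 work factor are all constructed for illustration; the only requirement it places on a real system is that passwords are stored salted and stretched, so the dump can be checked without ever storing it in the clear.

```python
"""Reconcile a leaked "email:password" list against the account store to
decide which accounts need a forced reset.

Added example, not Comcast's or Ziften's code. The leaked list, the
account store and the hashing parameters are constructed for illustration.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumption; tune for your hardware)

def hash_password(password, salt=None):
    """Store passwords salted and stretched, never in a reversible form."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare

def build_accounts():
    """Constructed account store: email -> (salt, digest, active flag)."""
    store = {}
    for email, pw, active in [
        ("alice@example.net", "Summer2015!", True),   # reused elsewhere, still current
        ("bob@example.net", "correct horse", True),   # leaked password is stale
        ("carol@example.net", "hunter2", False),      # account closed
    ]:
        salt, digest = hash_password(pw)
        store[email] = (salt, digest, active)
    return store

# Constructed dump in the form a dark-web listing would use: "email:password"
LEAKED_DUMP = """alice@example.net:Summer2015!
bob@example.net:OldPassword1
carol@example.net:hunter2
nobody@example.net:whatever
"""

def triage_dump(dump, store):
    """Classify each leaked pair. Only a 'match' on a live account is
    immediately exploitable, but a 'stale' live account still confirms a
    real customer whose other services may share that old password."""
    result = {"match": [], "stale": [], "inactive": [], "unknown": []}
    for line in dump.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()
        rec = store.get(email)
        if rec is None:
            result["unknown"].append(email)
            continue
        salt, digest, active = rec
        if not active:
            result["inactive"].append(email)
        elif verify_password(password, salt, digest):
            result["match"].append(email)
        else:
            result["stale"].append(email)
    return result

def reset_list(triage):
    """Accounts to force-reset: every live account named in the dump,
    with current matches first so they are handled before stale ones."""
    return triage["match"] + triage["stale"]

if __name__ == "__main__":
    t = triage_dump(LEAKED_DUMP, build_accounts())
    print(t)
    print("force reset:", reset_list(t))
```

The split between “match” and “stale” is what lets you prioritise: a match means the attacker can log in right now, so those accounts are reset first and their recent activity (payment details, address changes) reviewed, while stale entries are reset on the next login. Nothing here helps the customer who reused the matching password at a bank, which is the residual risk the post describes.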

The bottom line: assuming Comcast was not hacked directly, it was the victim of various other hacks that contained data tied to its customers. Detection and response solutions like Ziften can prevent mass data exfiltration and generally reduce the damage done when these inevitable attacks occur.

Chuck Leaver – Point Of Sale Vulnerabilities Caused Trump Hotel Breach

Written By Matthew Fullard Presented By Chuck Leaver CEO Ziften

Trump Hotels Point-of-Sale Vulnerabilities Emphasize Need for Faster Detection of Anomalous Activity

Trump Hotels suffered a data breach between May 19, 2014 and June 2, 2015. The point of infection was malware, which infected front desk computers, point-of-sale systems, and restaurant systems. In their own words, however, they “did not find any evidence that any customer information was taken from our systems.” While it is comforting to hear that no evidence was found, if malware is present on point-of-sale systems it is most likely there to steal details of the cards that are swiped, or increasingly tapped, inserted, or waved. Absence of evidence is not evidence of absence, and to Trump Hotels’ credit they have offered complimentary credit monitoring.

If you look at a Point of Sale (POS) system as an administrator, you will notice one thing above all: they rarely change, and the software is almost homogeneous across the deployed estate. This presents both positives and negatives when securing such an environment. Software changes are slow to happen, require extensive testing, and are hard to roll out.

However, because the environment is so homogeneous, it is also far easier to spot point-of-sale anomalies when something new has changed.

At Ziften we monitor every executing binary and every network connection within an environment the moment it happens. If a single POS system began making new network connections, or started running new software, whatever its intent, it would be flagged for further review and investigation. Ziften also collects unlimited historical data from your environment. If you need to know what happened 6 to 12 months ago, that is not a problem. Dwell time and AV detection rates can now be measured using our integrated threat feeds together with our binary collection and submission technology. We will also tell you which users executed which applications at what time across this historical record, so you can find your initial point of infection.

POS problems continue to plague the retail and hospitality industries, which is a shame given how relatively simple the environment is to monitor with detection and response.



Chuck Leaver – With Continuous Endpoint Visibility Marriott Point Of Sale Breach Could Have Been Avoided

Written By Andy Wilson And Presented By Ziften CEO Charles Leaver

US retail outlets still appear to be an attractive target for hackers seeking payment card data: Marriott franchisee White Lodging Services Corp announced a data breach in spring 2015 affecting customers at 14 hotels across the country from September 2014 to January 2015. This breach follows a similar one White Lodging suffered in 2014. In both cases the hackers reportedly compromised the point-of-sale systems of the Marriott lounges and restaurants at several hotels run by White Lodging. They were able to obtain the names printed on customers’ credit or debit cards, the card numbers, the security codes and the expiration dates. POS systems were also the target of recent breaches at Target, Neiman Marcus, Home Depot, and others.

Traditionally, point-of-sale (POS) systems at most US retail outlets were “locked down” Windows devices running a small set of applications geared to their function: ringing up the sale and processing the transaction with the card merchant or bank. Modern POS terminals are essentially PCs that run email clients, web browsers and remote desktop tools alongside their transaction software. To be fair, they are almost always deployed behind a firewall, but they remain ripe for exploitation. The best defenses can and will be breached if the target is valuable enough. For example, the remote control tools used to manage and update POS systems are often hijacked by attackers for their own ends.

The card payment processing network is a separate, segmented and encrypted network. So how did the hackers steal the card data? They took it while it sat in memory on the POS terminal during the payment process. Even if merchants do not store card data, it can exist unencrypted on the POS machine while the transaction is authorized. Memory-scraping POS malware such as PoSeidon, FindPOS, FighterPOS, and PunKey is used by the data thieves to harvest payment card data in that unencrypted state. The harvested data is then typically encrypted and either retrieved by the attackers directly or sent out to an Internet host where the thieves collect it.

Ziften’s solution provides continuous endpoint visibility that can detect and remediate these kinds of threats. Ziften’s MD5 hash analysis can identify new and suspicious processes or .dll files running in the POS environment. Ziften can also kill the process and collect the binary for further action or analysis. POS malware can also be discovered by alerting on Command and Control traffic: Ziften’s integrated Threat Intel and Custom Threat Feed options let customers alert when POS malware talks to C&C nodes. Finally, Ziften’s historical data lets customers kick-start the forensic assessment of how the malware got in, what it did after it was installed and executed, and which other devices are infected.
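The detection logic behind both POS posts above (the Trump Hotels point that a homogeneous fleet makes new binaries and new connections stand out, and the Marriott point about hash analysis and C&C feed matching) can be shown in a few dozen lines. The following is an added example, not Ziften’s code and not part of either original post. The hash labels, terminal names, destination names, the gold-image baseline and the threat-feed entries are all constructed; the addresses come from the RFC 5737 test ranges, and the C&C label is an assumption, not a real indicator.

```python
"""Flag outliers in a homogeneous POS fleet: binaries and destinations seen
on only one terminal, per-host drift from the gold image, and matches
against a C&C indicator list.

Added example, not Ziften's code. Hashes, host names, destinations and the
threat-feed entries are all constructed for illustration.
"""
from collections import defaultdict

# Constructed C&C feed (indicator -> label). A real feed would be loaded
# from a threat-intel source; 198.51.100.23 is an RFC 5737 test address.
C2_FEED = {"198.51.100.23": "PoSeidon C&C (assumed)",
           "exfil.example": "exfil host (assumed)"}

# The known-good build every lane terminal should match.
GOLD = {"bin": {"md5-pos-app", "md5-explorer", "md5-svchost"},
        "dst": {"auth.processor.example", "mgmt.corp.example"}}

# Constructed daily telemetry: (host, kind, value); kind is "bin" (MD5 of
# an executed image) or "dst" (outbound destination). Ten identical lane
# terminals plus one that has started doing something new.
TELEMETRY = []
for n in range(1, 11):
    host = f"pos-{n:02d}"
    TELEMETRY += [(host, "bin", v) for v in GOLD["bin"]]
    TELEMETRY += [(host, "dst", v) for v in GOLD["dst"]]
TELEMETRY += [("pos-07", "bin", "md5-winsrv-scraper"),
              ("pos-07", "dst", "198.51.100.23")]

def prevalence(telemetry):
    """Distinct hosts on which each (kind, value) was observed."""
    seen = defaultdict(set)
    for host, kind, value in telemetry:
        seen[(kind, value)].add(host)
    return dict(seen)

def fleet_outliers(telemetry, max_hosts=1):
    """In a fleet that should be identical, anything present on max_hosts
    or fewer terminals is worth a look regardless of what it is. No
    baseline is needed: the fleet is its own baseline."""
    fleet = {h for h, _, _ in telemetry}
    return sorted((kind, value, sorted(hosts))
                  for (kind, value), hosts in prevalence(telemetry).items()
                  if len(hosts) <= max_hosts < len(fleet))

def new_since_baseline(telemetry, baseline):
    """Per-host drift from the gold image, for when a baseline does exist."""
    drift = defaultdict(list)
    for host, kind, value in telemetry:
        if value not in baseline[kind]:
            drift[host].append((kind, value))
    return {h: sorted(v) for h, v in drift.items()}

def c2_hits(telemetry, feed):
    """Outbound destinations that match a threat-feed indicator."""
    return sorted((host, value, feed[value]) for host, kind, value in telemetry
                  if kind == "dst" and value in feed)

if __name__ == "__main__":
    print("outliers:", fleet_outliers(TELEMETRY))
    print("drift:", new_since_baseline(TELEMETRY, GOLD))
    print("C&C:", c2_hits(TELEMETRY, C2_FEED))
```

The prevalence check and the baseline diff catch the same terminal here, but they fail differently: a vendor update pushed to every lane shows up as drift on all ten hosts (noisy but harmless), while the prevalence check stays quiet because the fleet moved together; conversely, a scraper installed on a single terminal is an outlier even if nobody has maintained a gold image. Running both, plus the feed match on the destination, is what turns “something new happened on one POS” into an alert with enough context to start the forensic timeline.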

It’s past time for retailers to step up their game and look for new solutions to protect their customers’ payment cards.