Adobe Flash Continues As An Enterprise Security Nemesis

Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO

Still Supporting Adobe Flash and Apple QuickTime for Windows? Didn’t Get the Memo?

On the heels of Independence Day, it is a good time for a metaphor: Flash is a bit like lighting fireworks. There may be less risky ways to do it, but the only sure way is to avoid it altogether. And with Flash, you needn’t fight any pyromaniac urge to abstain; just manage your endpoint configurations.


Why would you wish to do this? Well, Googling “Flash vulnerability” returns thirteen million hits! Flash is old and spent and ripe for retirement, as Adobe put it themselves:

Today [November 30, 2015], open standards like HTML5 have matured and provide many of the capabilities that Flash ushered in. … Looking ahead, we encourage content creators to build with new web standards…

Run a vulnerability scanner across your endpoint population. See any Flash mention? Yes, in the average enterprise, zillions. Your attackers know that too, and they are counting on it. Thank you for your contribution! Just continue to ignore those pesky security bloggers, like Brian Krebs:

I would recommend that if you use Flash, you should strongly consider removing it, or at least hobbling it until and unless you need it.

Ignoring Brian Krebs’ advice raises the chances your enterprise’s data breach will be the feature story in one of his future blogs.



Flash Exploits: the Preferred Exploit Kit Ingredient

The endless list of Flash vulnerabilities continues to lengthen with each new patch cycle. Nation state attackers and the better resourced syndicates can call upon Flash zero days. They aren’t hard to mine – launch your fuzz tester against the creaking Flash codebase and watch them roll out. If an offensive cyber team can’t call upon zero days, not to worry, there are plenty of freshly issued Flash Common Vulnerabilities and Exposures (CVE) to draw upon, before enterprise patch cycles catch up. For exploit kit authors, Flash is the gift that keeps on giving.

A recent FireEye blog exemplifies this typical Flash vulnerability progression—from virgin zero-day to freshly hatched CVE and prime enterprise exploit:

On May 8, 2016, FireEye detected an attack exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the issue to the Adobe Product Security Incident Response Team (PSIRT). Adobe released a patch for the vulnerability in APSB16-15 just four days later (Posted to FireEye Threat Research Blog on May 13, 2016).

As a quick test, check your vulnerability report for that entry, CVE-2016-4117. It was employed in targeted attacks as a zero-day even before it became a known vulnerability. Now that it is known, popular exploit kits will pick it up. Be prepared.

Start a Flash and QuickTime Eradication Project

While we haven’t talked about QuickTime yet, Apple removed support for QuickTime on Windows in April 2016. This summarily set off a panic in corporations with large numbers of Apple macOS and Windows clients. Do you remove all support for QuickTime? Including on macOS? Or just on Windows? How do you find the unsupported versions when there are many floating around?


By doing nothing, you can flirt with disaster, with Flash vulnerability exposures rife across your client endpoint population. Otherwise, you can start a Flash and QuickTime eradication project to move towards a Flash-free enterprise. Or, wait, maybe you educate your users not to glibly open email attachments or click on links. User education, that always works, right? Hmmm.

One problem is that some of your users have a job function to open attachments, such as PDF invoices to accounts payable departments, or applicant Microsoft Word resumes to recruiting departments, or legal notices sent to legal departments.

Let’s take a closer look at the Flash exploit described by FireEye in the blog cited above:
Attackers had embedded the Flash exploit inside a Microsoft Office document, which they then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the document and payload. With this configuration, the attackers could disseminate their exploit via URL or email attachment. Although this vulnerability resides within Adobe Flash Player, threat actors designed this particular attack for a target running Windows and Microsoft Office.


Even if the Flash-averse enterprise had thoroughly purged Flash enablement from all their various browsers, this exploit would still have succeeded. To fully eradicate Flash requires purging it from all browsers and disabling its execution in embedded Flash objects within Office or PDF documents. Certainly that is a step that should be taken at least for those departments with a job function to open attachments from unsolicited emails. And extending outwards from there is a worthy configuration hardening goal for the security-conscious enterprise.

Not to mention, we’re all waiting for the first post about a QuickTime vulnerability that brings down a major enterprise.


Ransomware Is Targeting Your Enterprise

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Ransomware that is tailored to enterprise attack campaigns has emerged in the wild. This is an obvious evolution of consumer-grade ransomware, driven by the larger bounties which enterprises are able to pay out coupled to the sheer scale of the attack surface area (internet-facing endpoints and unpatched software). To the attacker, your enterprise is a tempting target with a big fat wallet just begging to be knocked over.

Your Enterprise Presents a Tempting Target

Simple Google queries may already have identified unpatched internet-facing servers by the scores across your domain, or your credulous users may already be opening “spear phishing” emails crafted just for them and apparently sent by people they know.

The weaponized invoices go to your accounting department, the weaponized resumes to your human resources department, the weaponized legal notices to your legal department, and the weaponized trade publication articles to your public relations firm. That should cover it, for starters. Add the watering hole drive-bys planted on industry websites frequented by your employees, the social media attacks targeted to your key executives and their family members, the infected USB sticks strewn around your facilities, and the compromises of your suppliers, customers, and business partners.

Enterprise compromise isn’t an if but a when — the when is continual, the who is legion.

Targeted Ransomware Has Arrived

Malware researchers are now reporting on enterprise-targeted ransomware, a natural evolution in the monetization of enterprise cyber intrusions. Christiaan Beek and Andrew Furtak explain this in an excerpt from Intel Security Advanced Threat Research, February 2016:

“During the past few weeks, we have received information about a new campaign of targeted ransomware attacks. Instead of the normal modus operandi (phishing attacks or drive-by downloads that lead to automatic execution of ransomware), the attackers gained persistent access to the victim’s network through vulnerability exploitation and spread their access to any connected systems that they could. On each system, several tools were used to find, encrypt, and delete the original files as well as any backups.”

Careful reading of this citation immediately reveals steps to be taken. Initial penetration was by “vulnerability exploitation,” as is often the case. A sound vulnerability management program with tracked and enforced exposure tolerances (measured in days) is mandatory. Since the attackers “spread their access to any connected systems,” it is also requisite to have robust network segmentation and access controls. Think of it as a watertight compartment on a warship to avoid sinking when the hull is breached. Of special note, the attackers “delete the original files as well as any backups,” so there must be no delete access from a compromised system to its backup files — systems must only be able to append to their backups.

You Do Have Current Backups, Right?

Of course, there must be current backups of any files that must survive an enterprise intrusion. Paying the ransom is not an effective option since any files created by malware are inherently suspect and must be considered tainted. Enterprise auditors or regulators cannot accept files excreted from some malware orifice as legally valid, the chain of custody having been completely broken. Financial data may have been altered with fraudulent transactions, configuration data may have been tampered with, viruses may have been planted for later re-entry, or the malware file manipulations may simply have had errors or omissions. There would be no way to place any confidence in such data, and accepting it as valid could further compromise all future downstream data dependent upon or derived from it. Treat ransomware data as garbage. Either have a robust backup plan — regularly tested and validated — or prepare to suffer your losses.

Do You Have a Breach Plan?

Even with sound backups, the confidentiality of affected data must be assumed to be breached, because it was read by malware. Even with detailed network logs, it would be impracticable to prove that no data had been exfiltrated. In a targeted attack the attackers typically take data inventory, reviewing at least samples of the data to assess its potential value — they could be leaving money on the table otherwise. Data ransom demands may simply be the final monetization stage in an enterprise breach after mining all other value from the intrusion, since the ransom demand exposes the compromise.

Your Remediation Plan Must Be Thorough

One should assume that competent attackers have arranged multiple, cunningly-concealed avenues of re-entry at various staggered time points (well after your crisis team has stood down and pricey consultants flown off to their next gig). Any stray evidence left behind was carefully staged to mislead investigators and deflect blame. Expensive re-imaging of systems must be exceedingly thorough, touching every sector of the disk across its entire recording surface and re-creating master boot records (MBRs) and volume boot records from scratch. Some ransomware is known to compromise MBRs.

Also, don’t assume system firmware has not been compromised. If you can update the firmware, so can hackers. It isn’t hard for hacking organizations to explore firmware hacking options when their enterprise targets standardize system hardware configurations, allowing a little lab effort to go a long way. The industrialization of cybercrime allows for the development and sale of firmware hacks on the dark net to a broader criminal market.

Good EDR Tools Can Help

After all of this bad news, there is an answer. When it comes to targeted ransomware attacks, taking proactive steps instead of reactive cleanup is far less painful. A good Endpoint Detection and Response (EDR) tool can assist on both ends. EDR tools are good for identifying exposed vulnerabilities and active applications. Some applications have such a notorious history of exposing vulnerabilities that they are best removed from the environment (Adobe Flash, for instance). EDR tools are also good at tracking all significant endpoint events, so that investigators can identify a “patient zero” and track the pivot activity of targeted enterprise-spreading ransomware. Attackers rely on endpoint opacity to help conceal their actions from security staff, but EDR is there to enable open visibility of notable endpoint events that could signal an attack in progress. EDR isn’t limited to the old antivirus convict-or-acquit model, which allows freshly remixed attack code to evade AV detection.
Good EDR tools are always vigilant, always reporting, always tracking, available when you need it: now or retroactively. You wouldn’t turn a blind eye to enterprise network activity, so don’t turn a blind eye to enterprise endpoint activity.

2016 Verizon DBIR Analysis Shows More Of The Same

Written By Dr Al Hartmann And Presented By Chuck Leaver, Ziften CEO

Verizon Enterprise has released its annual Data Breach Investigations Report reviewing 64,199 security incidents resulting in 2,260 security breaches. Verizon defines an incident as compromising the integrity, confidentiality, or availability of an information asset, while a breach is a confirmed disclosure of data to an unauthorized party. Since preventing breaches is far less painful than enduring them, Verizon offers several sections of recommended controls to be employed by security-conscious enterprises. If you don’t care to read the full 80-page report, Ziften offers this Verizon DBIR analysis with a focus on Verizon’s EDR-enabled recommended controls:

Vulnerabilities Recommended Controls

A solid EDR tool performs vulnerability scanning and reporting of exposed vulnerabilities, including vulnerability exposure timelines illustrating vulnerability management effectiveness. The exposure timelines are important since Verizon stresses a methodical approach that emphasizes consistency and coverage, versus haphazard expedient patching.
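The exposure timeline this section and the ransomware article's "exposure tolerances (measured in days)" both refer to can be computed directly from scanner findings. The following is an added example written for this page, not Ziften's code or anything from the DBIR: it takes the date a vulnerability was first reported on a host and the date the fix was observed, turns each pair into exposure days, and flags findings that exceeded the tolerance. All findings are constructed sample data; the tolerance of 14 days is an assumed policy value, and the CVE ids other than CVE-2016-4117 (from the FireEye write-up above) are placeholders.

```python
"""Vulnerability exposure timelines against a days-based tolerance.

Added example, not Ziften's code: scanner findings (first seen on a host,
fix observed on that host) become exposure days, which are checked
against an enforced tolerance. Records are constructed sample data.
"""
from datetime import date
from typing import Dict, List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    host: str
    cve: str
    first_seen: date            # scanner first reported it on this host
    remediated: Optional[date]  # fix observed on this host; None = still open


# Constructed sample findings (not real scan output); placeholder CVE ids.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("ws-001", "CVE-2016-4117", date(2016, 5, 13), date(2016, 5, 20)),
    Finding("ws-002", "CVE-2016-4117", date(2016, 5, 13), None),
    Finding("ws-003", "CVE-PLACEHOLDER-0001", date(2016, 4, 1), date(2016, 5, 30)),
    Finding("srv-01", "CVE-PLACEHOLDER-0002", date(2016, 5, 1), date(2016, 5, 4)),
]
REPORT_DATE = date(2016, 6, 1)  # "as of" date used for findings still open
TOLERANCE_DAYS = 14             # assumed enterprise exposure tolerance


def exposure_days(f: Finding, as_of: date) -> int:
    """Days the host stayed exposed; open findings keep counting up to as_of."""
    end = f.remediated if f.remediated is not None else as_of
    return (end - f.first_seen).days


def exposure_report(findings: List[Finding], tolerance_days: int,
                    as_of: date) -> Dict[str, object]:
    """Per-finding exposure days, tolerance breaches, and the share of
    findings closed within tolerance (the coverage figure worth tracking)."""
    rows: List[Tuple[str, str, int, bool]] = []
    breaches: List[Tuple[str, str, int]] = []
    for f in findings:
        days = exposure_days(f, as_of)
        still_open = f.remediated is None
        rows.append((f.host, f.cve, days, still_open))
        if days > tolerance_days:
            breaches.append((f.host, f.cve, days))
    within = sum(1 for _, _, d, _ in rows if d <= tolerance_days)
    return {
        "rows": rows,
        "breaches": breaches,
        "within_tolerance_ratio": within / len(rows) if rows else 1.0,
        "open_findings": sum(1 for r in rows if r[3]),
    }


if __name__ == "__main__":
    report = exposure_report(SAMPLE_FINDINGS, TOLERANCE_DAYS, REPORT_DATE)
    for host, cve, days in report["breaches"]:
        print(f"{host} {cve}: exposed {days} days (tolerance {TOLERANCE_DAYS})")
    print(f"closed within tolerance: {report['within_tolerance_ratio']:.0%}")
```

Open findings are counted up to the report date rather than ignored, so a host that was never patched shows up as the worst breach instead of vanishing from the timeline; that is the consistency-and-coverage view Verizon argues for over ad hoc patching.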

Phishing Recommended Controls

Although Verizon recommends user training to avoid phishing susceptibility, still their data shows nearly a third of phishes being opened, with users clicking on the link or attachment more than one time in ten. Not good odds if you have at least ten users! Given the inevitable click compromise, Verizon recommends placing effort into detection of abnormal networking activity indicative of pivoting, C2 traffic, or data exfiltration. A sound EDR solution will not only track endpoint networking activity, but also filter it against network threat feeds identifying malicious network targets. Ziften goes beyond this with our patent-pending ZFlow technology to augment network flow data with endpoint context and attribution, so that SOC staff have vital decision context to rapidly resolve network alerts.

Web App Attacks Recommended Controls

Verizon recommends multi-factor authentication and monitoring of login activity to prevent compromise of web application servers. A solid EDR solution will monitor login activity and will apply anomaly checking to detect unusual login patterns indicative of compromised credentials.

Point-of-Sale Intrusions Recommended Controls

Verizon recommends (and this has also been strongly recommended by FireEye/Mandiant) strong network segmentation of POS devices. Again, a solid EDR solution should be tracking network activity (to identify anomalous network contacts). ZFlow in particular is of great value in providing critical decision context for suspicious network activity. EDR solutions will also address Verizon’s recommendation for remote login tracking to POS devices. Along with this Verizon recommends multi-factor authentication, but a strong EDR capability will augment that with additional login pattern anomaly checking (since even MFA can be defeated with MITM attacks).

Insider and Privilege Misuse Recommended Controls

Verizon recommends “monitor the heck out of [employee] authorized daily activity.” Continuous endpoint monitoring by a solid EDR product naturally provides this capability. In Ziften’s case our product tracks user presence time periods and user focus activities while present (such as foreground application usage). Anomaly checking can identify unusual deviations in activity pattern, whether a temporal anomaly (i.e. something has altered this user’s normal activity pattern) or a spatial anomaly (i.e. this user’s behavior pattern differs significantly from peer behavior patterns).
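The login-pattern anomaly checks mentioned in the web app and POS sections, and the temporal versus spatial distinction drawn here, can be made concrete with a small baseline-and-compare routine. The following is an added example written for this page, not Ziften's product code: a temporal anomaly is a user active at an hour far outside that user's own baseline hours; a spatial anomaly is a user whose hour-of-day distribution (in 4-hour buckets) differs from the pooled distribution of all other users by more than a total-variation threshold. The log lines, their format, the bucket size and the thresholds are all constructed assumptions.

```python
"""Temporal and spatial user-activity anomaly checks.

Added example, not Ziften's code. Constructed login logs are used to build
a per-user baseline, then a later window is checked against it.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed baseline log: "<ISO timestamp> <user> <action>".
BASELINE_LOG = """\
2016-05-02T08:55:00 alice login
2016-05-02T17:40:00 alice logout
2016-05-03T09:05:00 alice login
2016-05-03T18:10:00 alice logout
2016-05-02T08:30:00 bob login
2016-05-02T17:00:00 bob logout
2016-05-03T08:45:00 bob login
2016-05-03T17:30:00 bob logout
2016-05-02T22:10:00 carol login
2016-05-03T02:15:00 carol logout
2016-05-03T23:05:00 carol login
2016-05-04T03:00:00 carol logout
"""
# Constructed events from a later window, checked against the baseline.
NEW_LOG = """\
2016-05-05T03:20:00 alice login
2016-05-05T09:30:00 bob login
2016-05-05T23:30:00 carol login
"""

Event = Tuple[str, str, int]  # (timestamp, user, hour of day)


def parse_log(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _action = line.split()
        events.append((ts, user, int(ts[11:13])))
    return events


def hours_by_user(events: List[Event]) -> Dict[str, Set[int]]:
    """Baseline: the set of hours at which each user has been seen active."""
    hours: Dict[str, Set[int]] = defaultdict(set)
    for _, user, hour in events:
        hours[user].add(hour)
    return hours


def circular_gap(h1: int, h2: int) -> int:
    """Distance between two hours on a 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(h1 - h2) % 24
    return min(d, 24 - d)


def temporal_anomalies(baseline_hours: Dict[str, Set[int]], events: List[Event],
                       tolerance_hours: int = 1) -> List[Tuple[str, str]]:
    """Events more than tolerance_hours away from every baseline hour of that user."""
    flagged = []
    for ts, user, hour in events:
        known = baseline_hours.get(user, set())
        if not known or min(circular_gap(hour, k) for k in known) > tolerance_hours:
            flagged.append((user, ts))
    return flagged


def bucket_distribution(events: List[Event], bucket_hours: int = 4) -> Dict[str, Counter]:
    """Per-user histogram of activity over coarse time-of-day buckets."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for _, user, hour in events:
        counts[user][hour // bucket_hours] += 1
    return counts


def total_variation(p: Counter, q: Counter) -> float:
    """Total variation distance between two histograms (0 = identical, 1 = disjoint)."""
    total_p, total_q = sum(p.values()), sum(q.values())
    return 0.5 * sum(abs(p[k] / total_p - q[k] / total_q) for k in set(p) | set(q))


def spatial_anomalies(events: List[Event], threshold: float = 0.6) -> List[str]:
    """Users whose activity distribution is far from the pooled peer distribution."""
    dists = bucket_distribution(events)
    flagged = []
    for user, own in dists.items():
        peers: Counter = Counter()
        for other, counts in dists.items():
            if other != user:
                peers.update(counts)
        if peers and total_variation(own, peers) > threshold:
            flagged.append(user)
    return sorted(flagged)


def run_checks() -> Dict[str, list]:
    baseline = parse_log(BASELINE_LOG)
    return {"temporal": temporal_anomalies(hours_by_user(baseline), parse_log(NEW_LOG)),
            "spatial": spatial_anomalies(baseline)}


if __name__ == "__main__":
    print(run_checks())
```

In the constructed data alice's 03:20 login is the temporal anomaly (her baseline is office hours), while carol is the spatial anomaly: her night-shift pattern is legitimate for her but unlike her peers, which is exactly the case a reviewer needs context for rather than an automatic block.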

Verizon also recommends tracking usage of USB storage devices, which solid EDR products provide, since they can serve as a “sneaker exfiltration” route.

Miscellaneous Errors Recommended Controls

Verizon recommendations in this section focus on maintaining a record of past errors to serve as a warning of mistakes to avoid in the future. Solid EDR products do not forget; they maintain an archival record of endpoint and user activity going back to their first deployment. These records are searchable at any time, perhaps after some future incident has uncovered an intrusion and response teams need to go back and “find patient zero” to unravel the incident and identify where mistakes may have been made.

Physical Theft and Loss Recommended Controls

Verizon recommends (and many regulators demand) full disk encryption, especially for mobile devices. A proper EDR product will verify that endpoint configurations are compliant with enterprise encryption policy, and will alert on violations. Verizon reports that data assets are physically lost one-hundred times more frequently than they are physically stolen, but the impact is essentially the same to the affected enterprise.

Crimeware Recommended Controls

Again, Verizon stresses vulnerability management and consistent thorough patching. As noted above, proper EDR tools identify and track vulnerability exposures. In Ziften’s case, this keys off the National Vulnerability Database (NVD), filtering it against process image records from our endpoint monitoring. This yields an accurate, up-to-date vulnerability assessment at any point in time.
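The matching step described here (NVD entries filtered against process image records) is the same check the Flash article above asks for when it says to look in your vulnerability report for CVE-2016-4117. The following is an added example written for this page, not Ziften's code or an NVD client: image records (host, OS, product, version) are compared against advisory entries that name a product and the first fixed version, with an extra end-of-life rule for QuickTime on Windows. The records are constructed; CVE-2016-4117 and APSB16-15 come from the article, but the fixed Flash version 21.0.0.242 is an assumption not stated on this page, and the other advisory id is a placeholder.

```python
"""Match process image records against an NVD-style advisory list.

Added example, not Ziften's code. Versions are compared as integer tuples;
a record is affected when its product matches and its version is below the
advisory's first fixed version. Unsupported product/OS pairs are reported
too, since no patch will ever arrive for them.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class ImageRecord(NamedTuple):
    host: str
    os: str
    product: str
    version: str


class Advisory(NamedTuple):
    cve: str
    product: str
    fixed_in: Optional[str]  # first non-vulnerable version; None = every version


ADVISORIES: List[Advisory] = [
    # Fixed version is an assumption for this example (APSB16-15), not from the article.
    Advisory("CVE-2016-4117", "Adobe Flash Player", "21.0.0.242"),
    Advisory("CVE-PLACEHOLDER-0001", "ExampleApp", "1.3.0"),
]

# Product/OS pairs the vendor no longer supports (article: QuickTime for Windows, April 2016).
END_OF_LIFE: Dict[Tuple[str, str], str] = {
    ("apple quicktime", "windows"): "vendor support withdrawn (April 2016)",
}

# Constructed process image records (not real endpoint telemetry).
RECORDS: List[ImageRecord] = [
    ImageRecord("ws-001", "windows", "Adobe Flash Player", "21.0.0.182"),
    ImageRecord("ws-002", "windows", "Adobe Flash Player", "21.0.0.242"),
    ImageRecord("ws-003", "windows", "Apple QuickTime", "7.7.9"),
    ImageRecord("mac-01", "macos", "Apple QuickTime", "10.4"),
    ImageRecord("ws-004", "windows", "ExampleApp", "1.2.3"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'21.0.0.182' -> (21, 0, 0, 182); tuples compare component-wise."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_affected(record: ImageRecord, advisory: Advisory) -> bool:
    if record.product.lower() != advisory.product.lower():
        return False
    if advisory.fixed_in is None:
        return True
    return parse_version(record.version) < parse_version(advisory.fixed_in)


def assess(records: List[ImageRecord], advisories: List[Advisory],
           eol: Dict[Tuple[str, str], str] = END_OF_LIFE) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, reason) for every exposure found."""
    findings = []
    for r in records:
        for a in advisories:
            if is_affected(r, a):
                findings.append((r.host, r.product, r.version, a.cve))
        reason = eol.get((r.product.lower(), r.os.lower()))
        if reason:
            findings.append((r.host, r.product, r.version, "EOL: " + reason))
    return findings


def hosts_with(findings, reason: str) -> List[str]:
    return sorted({f[0] for f in findings if f[3] == reason})


if __name__ == "__main__":
    for host, product, version, reason in assess(RECORDS, ADVISORIES):
        print(f"{host}: {product} {version} -> {reason}")
```

Re-running `assess` on each fresh set of image records is what keeps the assessment current: a host patched this morning drops out of the CVE-2016-4117 list as soon as its image record shows the fixed version, and a QuickTime install on Windows stays flagged no matter what version it reports.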

Verizon also recommends capturing malware analysis data in your own enterprise environment. EDR tools do track arrival and execution of new binaries, and Ziften’s product can obtain samples of any binary present on enterprise endpoints and submit them for detailed static and dynamic analysis by our malware research partners.

Cyber-Espionage Recommended Controls

Here Verizon specifically calls out usage of endpoint threat detection and response (ETDR) tools, referring to the security tool segment that Gartner now terms endpoint detection and response (EDR). Verizon also recommends a number of endpoint configuration hardening steps that can be compliance-verified by EDR tools.

Verizon also recommends strong network protections. We have already discussed how Ziften ZFlow can greatly enhance traditional network flow monitoring with endpoint context and attribution, providing a fusion of network and endpoint security that is truly end-to-end.

Finally, Verizon recommends monitoring and logging, which is the first thing third party incident responders request when they arrive on-scene to assist in a breach crisis. This is the prime purpose of EDR tools, since the endpoint is the most frequent entry vector in a major data breach.

Denial-of-Service Attacks Recommended Controls

Verizon recommends managing port access to prevent enterprise assets from being used to participate in a DoS attack. EDR products can track port usage by applications and employ anomaly checks to identify unusual application port usage that could indicate compromise.
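The port-usage anomaly check described here can be built as a baseline of which remote ports each application normally uses, plus how many distinct destinations a host/application pair normally contacts in a day. The following is an added example written for this page, not Ziften's ZFlow or any product code: it learns both from a baseline window of flow records and then flags, in a later window, an application reaching a port never seen in the baseline and a host/application pair whose destination fan-out jumps well past its baseline maximum (the pattern a host drafted into a DoS attack would show). The record format, the addresses (documentation ranges) and the fan-out factor are constructed assumptions.

```python
"""Application port-usage baselining over constructed endpoint flow records.

Added example, not Ziften's code. Record format: "<day> <host> <app> <dst> <port>".
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed baseline window (documentation address ranges, not real traffic).
BASELINE = """\
2016-05-02 ws-001 chrome.exe 192.0.2.10 443
2016-05-02 ws-001 chrome.exe 192.0.2.11 80
2016-05-02 ws-002 chrome.exe 192.0.2.12 443
2016-05-03 ws-002 chrome.exe 192.0.2.13 443
2016-05-02 ws-001 updater.exe 198.51.100.10 443
2016-05-03 ws-002 updater.exe 198.51.100.10 443
"""
# Constructed later window: one odd port, one host spraying many destinations.
NEW_WINDOW = "\n".join(
    ["2016-05-10 ws-003 updater.exe 203.0.113.7 4444",
     "2016-05-10 ws-001 chrome.exe 203.0.113.8 443"]
    + [f"2016-05-10 ws-004 chrome.exe 203.0.113.{i} 80" for i in range(20, 28)]
) + "\n"

Flow = Tuple[str, str, str, str, int]  # (day, host, app, dst, port)


def parse_flows(text: str) -> List[Flow]:
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, app, dst, port = line.split()
        flows.append((day, host, app, dst, int(port)))
    return flows


class Baseline:
    """Per-application remote ports and the largest daily destination fan-out seen."""

    def __init__(self, flows: List[Flow]) -> None:
        self.ports: Dict[str, Set[int]] = defaultdict(set)
        per_day: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
        for day, host, app, dst, port in flows:
            self.ports[app].add(port)
            per_day[(host, app, day)].add(dst)
        self.max_fanout: Dict[str, int] = {}
        for (_host, app, _day), dsts in per_day.items():
            self.max_fanout[app] = max(self.max_fanout.get(app, 0), len(dsts))


def check_window(baseline: Baseline, flows: List[Flow],
                 fanout_factor: int = 3) -> List[Tuple[str, str, str, str]]:
    """Return (kind, host, app, detail) findings for the new window."""
    findings = []
    reported: Set[Tuple[str, str, int]] = set()
    per_day: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for day, host, app, dst, port in flows:
        if app not in baseline.max_fanout:
            if (host, app, -1) not in reported:
                reported.add((host, app, -1))
                findings.append(("new-app", host, app, "application absent from baseline"))
            continue
        if port not in baseline.ports[app] and (host, app, port) not in reported:
            reported.add((host, app, port))
            findings.append(("new-port", host, app, f"port {port} not in baseline"))
        per_day[(host, app, day)].add(dst)
    for (host, app, day), dsts in per_day.items():
        limit = baseline.max_fanout[app] * fanout_factor
        if len(dsts) > limit:
            findings.append(("fan-out", host, app,
                             f"{len(dsts)} destinations on {day}, baseline max {limit // fanout_factor}"))
    return findings


def run_checks() -> List[Tuple[str, str, str, str]]:
    return check_window(Baseline(parse_flows(BASELINE)), parse_flows(NEW_WINDOW))


if __name__ == "__main__":
    for finding in run_checks():
        print(finding)
```

The fan-out rule is deliberately relative to the application's own baseline: a browser contacting eight sites is ordinary for some users, so the check compares against the largest daily count the baseline window recorded for that application rather than a fixed number.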

Enterprise services migrating to cloud providers also require protection from DoS attacks, which the cloud provider may provide. However, looking at network traffic tracking in the cloud — where the enterprise may lack cloud network visibility — options like Ziften ZFlow provide a means for collecting enhanced network flow data directly from cloud virtual servers. Don’t let the cloud be your network blind spot, or else attackers will exploit this to fly outside your radar.

Gartner UEBA Report New Trends In Behavioral Analytics

Written By Josh Linder And Presented By Ziften CEO Charles Leaver

The market for enterprise behavioral analytics is evolving — again — to support the security use case. In the recent Gartner User and Entity Behavior (UEBA) Trends Report, Ziften is excited to be listed as a “Vendor to Watch.” We believe that our established relationships with threat intelligence feeds and visualization tools are reflected in our inclusion in this research note.

In the UEBA Market Report, Analysts Eric Ahlm and Avivah Litan explain that there is a potential convergence in the advanced threat and analytics markets. The notion of UEBA — which extends user behavioral analytics to now include organizations, business processes, and autonomous devices such as the Internet of Things — requires deep understanding and the ability to respond quickly and efficiently.

Our platform offers threat detection across various behavior vectors, rather than looking at a single-threaded signature feed. With integrations to orchestration and response systems, Ziften uniquely couples signature-based and behavioral analysis, while bridging the gap from securing the endpoint to protecting the entity. Continuous monitoring from the endpoint – including network flow – is critical to understanding the complete threat landscape and vital for a holistic security architecture.

We commend Gartner on identifying four areas for security and analytic vendors to focus on: User Behavior, Host/App Behavior, Network Behavior, and External Communications Behavior. We are the only endpoint vendor – today – to monitor both network behavior and external communications behavior. Ziften’s ZFlow™ utilizes network telemetry to go beyond the standard IPFIX flow data and augment it with Layer 4 and Layer 5 operating system and user behavior. Our threat intelligence integration – with Blue Coat, iSIGHT Partners, AlienVault and the National Vulnerability Database – is second to none. Additionally, our unique relationship with ReversingLabs provides binary analysis directly within the Ziften administration console.

Ultimately, our continuous endpoint visibility solution is instrumental in helping to discover behavioral threats that are difficult to correlate without the use of advanced analytics.

Gartner Report

Six additional technology trend takeaways which Gartner readers should consider:

• Application of Analytics to Discovering Breaches Varies
• Data Science for Analytics Technologies Still Emerging
• The Need for Extended Telemetry Drives Analytics Market Convergence
• Convergence Between Analytics-Based Detection Vendors and Orchestration/Response Vendors Likely
• SIEM Technologies Positioned to Be Central to Consolidation for Analytics Detection
• Advanced Behavioral Analytics Providers Extending Their Reach to Security Buyers


Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


Damage Control. 6 Questions Organizations Should Be Asking Before A Breach.

Written By Michael Bunyard And Presented By Ziften CEO Charles Leaver

I wouldn’t exactly be going out on a limb stating that if hackers want to breach your network, it’s only a matter of time before they succeed. The endpoint is the most common vector of attack, and people are the biggest point of vulnerability in any organization. The endpoint device is where people interact with whatever information an attacker is after: intellectual property, credentials, cyber ransom, etc. There are new Next Generation Endpoint Security (NGES) solutions, in which Ziften is a leader, that provide the needed visibility and insight to help reduce the likelihood or duration of an attack. Methodologies of prevention include reducing the attack surface area through removing known vulnerable applications, curtailing version proliferation, killing malicious processes, and ensuring compliance with security policies.

But prevention can only go so far. No solution is 100% effective, so it is important to take a proactive, real-time approach to your environment, watching endpoint behavior, detecting when breaches have occurred, and responding immediately with remediation. Ziften also provides these capabilities, generally known as Endpoint Detection and Response, and organizations should change their mindset from “How can we prevent attacks?” to “We are going to be breached, so what do we do then?”

To understand the true breadth or depth of an attack, organizations need to be able to rewind the clock and reconstruct the conditions surrounding a breach. Security investigators need answers to the following 6 questions, and they need them fast, since Incident Response personnel are outnumbered and dealing with limited time windows to mitigate damage.

Where was the attack behavior first seen?

This is where the ability to rewind the clock to the point in time of initial infection is critical. In order to do this effectively, organizations need to be able to go as far back in time as necessary to identify patient zero. The unfortunate state of affairs, according to Gartner, is that when a cyber breach occurs, the average dwell time before a breach is detected is a shocking 205 days. According to the 2015 Verizon Data Breach Investigations Report (DBIR), in 60% of cases, attackers were able to penetrate organizations within minutes. That’s why NGES solutions that don’t continuously monitor and record activity, but rather periodically poll or scan the endpoint, can miss out on the initial critical penetration. Also, the DBIR found that 95% of malware types showed up for less than a month, and four out of five didn’t last a week. You need the ability to continuously monitor endpoint activity and look back in time (however long ago the attack occurred) and reconstruct the initial infection.

How did it behave?

What happened step by step after the initial infection? Did malware execute for a second every 5 minutes? Was it able to obtain escalated privileges? A continuous picture of what occurred at the endpoint behaviorally is critical to get an investigation started.

How and where did the attack spread after initial compromise?

Usually the adversary isn’t after the information available at the point of infection, but rather wants to use it as an initial beachhead to pivot through the network to get to the valuable data. Endpoints include the servers that client devices connect to, so it is important to be able to see a complete picture of any lateral movement that occurred after the infection to know what assets were compromised and potentially also infected.

How did the infected endpoints’ behavior change?

What was going on before and after the infection? What network connections were being made? How much network traffic was flowing? What processes were active before and after the attack? Immediate answers to these questions are critical to rapid triage.

What user activity occurred, and was there any potential insider involvement?

What actions did the user take before and after the infection occurred? Was the user present on the machine? Was a USB drive inserted? Was the time interval outside their normal usage pattern? These and many more artifacts must be provided to paint a full picture.

What mitigation is required to resolve the attack and prevent the next?

Reimaging the infected machine(s) is a time-consuming and costly solution, but many times this is the only way to know for sure that all harmful artifacts have been removed (although state-sponsored attacks may embed into system or drive firmware to remain immune even to reimaging). But with a clear picture of all activity that occurred, lesser actions such as removing malicious files from all systems affected may suffice. Re-examining security policies will probably be in order, and NGES solutions can help automate future actions should similar situations arise. Automatable actions include sandboxing, cutting off network access from infected machines, killing processes, and much more.

Don’t wait until after a breach occurs and you need to call in an army of specialists and spend time and money piecing the facts together. Make sure you are prepared to answer these 6 key questions and have all the answers at your fingertips in minutes.


IRS Hack Likely Began With Compromised Endpoints

Written By Michael Steward And Presented By Charles Leaver CEO Ziften

Early Returns For IRS Hackers Thanks to Previous, Outside Attacks

No other cyber security hack in 2015 was quite as unique as the IRS breach. Classic attacks today involve phishing emails aimed at gaining initial access to target systems, where lateral movement is then performed until data exfiltration occurs. But the IRS hack was different — much of the data needed to perform it was already acquired. In this case, all the hackers had to do was walk in the front door and file the returns. How could this happen? Here’s what we know:

The IRS website has a “Get Transcript” feature for users to retrieve previous tax return information. As long as the requester can provide the correct information, the system will return past and present W-2s, old tax returns, etc. With anyone’s SSN, date of birth and filing status, the hackers could begin retrieving past filing years’ information. The system also had a Knowledge Based Authentication (KBA) system, which asked questions based on the requesting user’s credit history.

KBA isn’t foolproof, though. The questions it asks can often be guessed based on other information known about the user. The system asks questions such as “Which of the following streets have you lived on?” or “Which of the following vehicles have you owned?”

After the dust settled, it’s estimated that the hackers attempted to gather 660,000 transcripts of past taxpayer information via Get Transcript, and were successful in 334,000 of those attempts. The unsuccessful attempts appear to have gotten as far as the KBA questions, where the hackers failed to provide the proper answers. It’s estimated that the hackers made away with over $50 million. So, how did they do it?

Security researchers theorize that the attackers used information from previous attacks such as SSNs, DOBs, addresses and filing statuses to attempt to get prior tax return information on their target victims. If they were successful and answered the KBA questions correctly, they filed a claim for the 2015 calendar year, often increasing the withholdings amount on the tax return form to get a larger refund. As mentioned previously not all attempts were successful, but over 50% of the attempts resulted in major losses for the IRS.

Detection and response solutions like Ziften are aimed at identifying when there are compromised endpoints (such as through phishing attacks). We do this by providing real-time visibility of Indicators of Compromise (IoCs). If the theories are correct and the attackers used information gleaned from previous attacks outside of the IRS, the compromised companies could have benefited from the visibility Ziften provides and mitigated mass data exfiltration. Ultimately, the IRS seems to be the vehicle — rather than the initial victim — of these attacks.


Comcast Customers At Risk Due To Shared Hacks And Data Exfiltration

Written By Michael Pawloski And Presented By Ziften CEO Charles Leaver

Comcast Customers are Victims of Data Exfiltration and Shared Hacks via Other Companies

On November 5th of this year, the private information of approximately 200,000 Comcast customers was compromised. Comcast was forced to make this announcement when it came to light that a list of 590,000 Comcast customer emails and passwords could be purchased on the dark web for a mere $1,000. Comcast maintains that there was no security breach to their network but rather it was via past, shared hacks from other companies. Comcast further claims that only 200,000 of these 590,000 customers actually still exist in their system.

Less than 2 months earlier, Comcast had already been slapped with a $22 million fine over its accidental publishing of nearly 75,000 customers’ personal details. Somewhat ironically, these customers had specifically paid Comcast for “unlisted voice-over-IP,” a line item on the Comcast bill that stipulated that each customer’s information would be kept private.

Comcast instituted a mass reset of 200,000 customer passwords, but the attackers might already have accessed these accounts before the list was put up for sale. While a simple password reset by Comcast will to some extent protect these accounts going forward, it does nothing to protect those customers who may have reused the same email and password combination on banking and credit card logins. If the customer accounts were accessed prior to being disclosed, it is certainly possible that other personal details — such as automatic payment information and home address — were already obtained.

The bottom line: Assuming Comcast wasn’t hacked directly, they were the victim of numerous other hacks that contained data related to their customers. Detection and Response solutions like Ziften can prevent mass data exfiltration and often mitigate damage done when these inevitable attacks occur.


Trumped By Hackers, Breached Via Point Of Sale Vulnerabilities

Written By Matthew Fullard Presented By Charles Leaver CEO Ziften

Point-of-Sale Vulnerabilities at Trump Hotels Emphasize Need for Faster Detection of Anomalous Activity

Between May 19, 2014 and June 2, 2015, Trump Hotels suffered a data breach. The point of infection was malware, which infected their front desk computers, point-of-sale systems, and restaurant systems. However, in their own words they claim that they “did not find any evidence that any customer information was removed from our systems.” While it’s comforting to find out that no evidence was found, if malware is present on point-of-sale systems it is probably there to steal information related to the credit cards that are swiped, or increasingly tapped, inserted, or waved. A lack of evidence does not imply the absence of crime, and to Trump Hotels’ credit, they have offered free credit monitoring services. If you examine a Point-of-Sale (or POS) system as an administrator, however, you’ll notice one thing in abundance: these systems rarely change, and software will be nearly homogeneous across the deployment ecosystem. This presents both positives and negatives when thinking about securing such an environment. Software changes are slow to occur, require rigorous testing, and are difficult to roll out.

However, because such an environment is so homogeneous, it is also much easier to identify Point-of-Sale vulnerabilities and when something new has changed.

At Ziften we monitor all executing binaries and network connections that occur within an ecosystem the second they happen. If a single POS system began to make new network connections, or started running new software, regardless of its intent, it would be flagged for further review and examination. Ziften also collects unlimited historical data from your environment. If you want to know what happened six to twelve months ago, this is not a problem. Now dwell times and AV detection rates can be measured using our integrated threat feeds, as well as our binary collection and submission technology. Also, we’ll tell you which users executed which applications at what time across this historical record, so you can find out your initial point of infection.

POS problems continue to plague the retail and hospitality industries, which is a shame given the fairly straightforward environment to monitor with detection and response.

To discover other 2015 breaches like this, check out our full list of the 12 Worst Breaches of 2015.


Marriott Point Of Sale Breach. Continuous Endpoint Visibility Is The Key

Written By Andy Wilson And Presented By Ziften CEO Charles Leaver

Continuous Endpoint Visibility Renders Future Point-of-Sale System Breaches Less Likely

US retail outlets still appear an attractive target for hackers seeking credit card data as Marriott franchisee White Lodging Services Corp announced a data breach in the spring of 2015, affecting customers at 14 hotels across the country from September 2014 to January 2015. This incident comes after White Lodging suffered a similar breach in 2014. The attackers in both cases were reportedly able to compromise the Point-of-Sale systems of the Marriott Lounges and Restaurants at several locations run by White Lodging. The attackers were able to obtain names printed on customers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates. Point-of-Sale systems were also the target of recent breaches at Target, Neiman Marcus, Home Depot, and others.

Traditionally, Point-of-Sale (or POS) systems at many US retail outlets were “locked down” Windows machines running a small set of applications geared toward their function—ringing up the sale and processing a transaction with the credit card merchant or bank. Modern POS terminals are essentially PCs that run email applications, web browsers and remote desktop tools in addition to their transaction software. To be fair, they are almost always deployed behind a firewall, but they are still ripe for exploit. The best defenses can and will be breached if the target is valuable enough. For example, remote control tools used for management and updating of the POS systems are often hijacked by hackers for their own purposes.

The credit card or payment processing network is a completely separate, air-gapped, and encrypted network. So how did hackers manage to steal the credit card data? They stole the data while it was in memory on the POS terminal while the payment process was being conducted. Even if retailers don’t store credit card information, the data can be in an unencrypted state on the POS machine while the payment transaction is confirmed. Memory-scraping POS malware such as PoSeidon, FindPOS, FighterPOS, and PunKey is used by the data thieves to harvest the credit card information in its unencrypted state. The harvested data is then usually encrypted and retrieved by the hackers directly, or sent out to the Internet where it’s retrieved by the thieves.

Ziften’s solution provides continuous endpoint visibility that can find and remediate these types of threats. Ziften’s MD5 hash analysis can detect new and suspicious processes or .dll files running in the POS environment. Ziften can also kill the process and collect the binary for further action or analysis. It’s also possible to detect POS malware by alerting on Command and Control traffic. Ziften’s integrated Threat Intel and Custom Threat Feed options allow customers to alert when POS malware communicates with C&C nodes. Finally, Ziften’s historical data allows customers to kick start the forensic examination of how the malware got in, what it did after it was installed and executed, and which other machines are infected.
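The detection idea in the two POS posts above (a homogeneous fleet makes any new binary or new network connection stand out, and hash analysis plus a C&C threat feed turns that into alerts) can be sketched as a small baseline-deviation detector. This is an added example, not Ziften’s code: the telemetry line format, the fleet baseline, the indicator feed and the sample events are all constructed for illustration.

```python
# Added example (not Ziften's code): fleet baseline-deviation detector for a
# homogeneous POS estate. Telemetry format, baseline and feed are constructed.
from collections import defaultdict

# Constructed fleet baseline: every terminal should run exactly these
# binaries (path -> MD5) and talk only to these destinations.
BASELINE_HASHES = {
    "C:\\POS\\register.exe": "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
    "C:\\Windows\\System32\\svchost.exe": "11111111111111111111111111111111",
}
BASELINE_DESTS = {("10.20.0.5", 443), ("10.20.0.9", 8443)}
CNC_FEED = {("203.0.113.77", 4443)}  # constructed stand-in for a C&C feed

def parse_event(line):
    """Parse one constructed line: host|user|path|md5|dest_ip|dest_port ('-' = none)."""
    host, user, path, md5, ip, port = line.strip().split("|")
    dest = None if ip == "-" else (ip, int(port))
    return {"host": host, "user": user, "path": path, "md5": md5.lower(), "dest": dest}

def classify(ev):
    """Return alert tags for one event; an empty list means it matches the baseline."""
    tags = []
    expected = BASELINE_HASHES.get(ev["path"])
    if expected is None:
        tags.append("NEW_BINARY")        # path never seen anywhere in the fleet
    elif expected != ev["md5"]:
        tags.append("HASH_MISMATCH")     # known path, unexpected content
    if ev["dest"] is not None:
        if ev["dest"] in CNC_FEED:
            tags.append("CNC_MATCH")     # threat-feed hit, highest priority
        elif ev["dest"] not in BASELINE_DESTS:
            tags.append("NEW_CONNECTION")
    return tags

def scan(lines):
    """Map host -> [(user, path, tags)] for every event that deviates."""
    findings = defaultdict(list)
    for line in filter(str.strip, lines):
        ev = parse_event(line)
        tags = classify(ev)
        if tags:
            findings[ev["host"]].append((ev["user"], ev["path"], tags))
    return dict(findings)

# Constructed sample telemetry: one clean terminal and one deviating one.
SAMPLE = """\
POS-01|svc_pos|C:\\POS\\register.exe|0F1E2D3C4B5A69788796A5B4C3D2E1F0|10.20.0.5|443
POS-03|admin|C:\\Users\\admin\\AppData\\Local\\Temp\\upd.exe|deadbeefdeadbeefdeadbeefdeadbeef|203.0.113.77|4443
POS-03|svc_pos|C:\\Windows\\System32\\svchost.exe|22222222222222222222222222222222|-|-
"""
```

Running `scan(SAMPLE.splitlines())` reports only POS-03: an unknown binary run by an admin account that also matched the feed, and a system binary whose hash no longer matches the fleet, which is the “which user ran what, and when” record the post says kicks off the forensic work.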

It’s past time for retailers to step up the game and look for new solutions to protect their customers’ credit cards.


Experian Hack. Continuous Monitoring Keeps History From Repeating.

Written By Josh Applebaum And Presented By Charles Leaver Ziften CEO

Experian Could Learn from Past Mistakes with a Continuous Monitoring Solution

Being in the security industry, I’ve always felt my job was hard to explain to the average person. Over the last few years, that has changed. Unfortunately, we are seeing a new data breach announced every few weeks, with many more that are kept private. These breaches are getting front page attention, and I can now explain to my friends what I do without losing them after a few sentences. However, I still question what it is we’re learning from all of this. As it turns out, many companies are not learning from their own mistakes.

Experian, the global credit reporting firm, is a company with a lot to learn. Several months ago Experian announced it had discovered its servers had been breached and that customer data had been stolen. When Experian announced the breach they reassured customers that “[our] consumer credit database was not accessed in this incident, and no payment card or banking information was obtained.” Although Experian took the time in their announcement to reassure their customers that their financial information had not been stolen, they further elaborated on what data actually was stolen: customers’ names, addresses, Social Security numbers, dates of birth, driver’s license numbers, military ID numbers, passport numbers, and additional information used in T-Mobile’s own credit assessment. This is scary for two reasons: the first is the type of data that was stolen; the second is the fact that this isn’t the first time this has happened to Experian.

Although the hackers didn’t walk away with “payment card or banking information” they did walk away with personal data that could be exploited to open new credit card, banking, and other financial accounts. This in itself is a reason the T-Mobile customers involved should be nervous. However, all Experian customers should be a little nervous.

As it turns out, this isn’t the first time the Experian servers have been compromised by hackers. In early 2014, T-Mobile had announced that a “relatively small” number of their customers had their personal information stolen when Experian’s servers were breached. Brian Krebs has a very well-written blog post about how the hackers breached the Experian servers the first time, so we won’t get into too much detail here. In the first breach of Experian’s servers, hackers had exploited a vulnerability in the company’s support ticket system that was left exposed without first requiring a user to authenticate before using it. Now to the scary part: although it has become widely known that the hackers utilized a vulnerability in the company’s support ticket system to gain access, it wasn’t until soon after the second hack that their support ticket system was shut down.

It would be hard to believe that it was a coincidence that Experian decided to take down their support ticket system mere weeks after they announced they had been breached. If this wasn’t a coincidence, then let’s ask: what did Experian learn from the first breach, where hackers got away with sensitive customer data? Companies that store their customers’ sensitive information should be held accountable not only for securing their customers’ data, but also for ensuring that, if breached, they patch the holes that are discovered while investigating the attack.

When companies are investigating a breach (or potential breach) it is imperative that they have access to historical data so investigators can try to piece back together the puzzle of how the attack unfolded. At Ziften, we provide a solution that allows our customers to have a continuous, real-time view of everything that happens in their environment. In addition to providing real-time visibility for detecting attacks as they occur, our continuous monitoring solution records all historical data to allow customers to “rewind the tape” and piece together what had happened in their environment, regardless of how far back they need to look. With this new visibility, it is now possible to not only learn that a breach occurred, but to also learn why a breach occurred, and hopefully learn from past mistakes to keep them from happening again.