Charles Leaver – These 6 Questions Will Provide Damage Control Before A Cyber Attack

Written By Michael Bunyard And Presented By Ziften CEO Charles Leaver

The reality of modern life is that if attackers want to breach your network, it is only a matter of time before they succeed. The endpoint is the most common vector for cyber attacks, and people are the weakest point in any organization: the endpoint is where they handle whatever an attacker wants, whether intellectual property, credentials, or data to hold for ransom. A new class of Next Generation Endpoint Security (NGES) systems, of which Ziften is a leader, provides the visibility and insight needed to reduce the likelihood or the duration of an attack. Prevention measures include reducing the attack surface by removing known-vulnerable applications, limiting version sprawl, killing malicious processes, and enforcing compliance with security policies.

But prevention only goes so far. No control is 100% effective, so it is necessary to take a proactive, real-time approach to your environment: watch endpoint behavior, detect when a breach has occurred, and respond immediately with the appropriate action. Ziften also provides these capabilities, generally known as Endpoint Detection and Response (EDR), and organizations need to change their mindset from “How can we prevent attacks?” to “We will be breached, so what do we do then?”

To understand the true breadth and depth of an attack, organizations need to look back in time and reconstruct the conditions surrounding the breach. Security investigators need answers to the following six questions, and they need them fast, because incident responders are outnumbered and working within limited windows to contain the damage.

Where was the attack activity first seen?

This is where the ability to rewind the clock to the moment of initial infection is vital. To do this successfully, organizations must be able to go as far back in time as needed to identify patient zero. The unfortunate state of affairs, according to Gartner, is that the average dwell time between a breach occurring and its detection is a shocking 205 days. According to the 2015 Verizon Data Breach Investigations Report (DBIR), in 60% of cases attackers were able to compromise an organization within minutes. That is why NGES products that do not continuously monitor and record activity, but instead periodically poll or scan the endpoint, can miss the crucial initial compromise. The DBIR also found that 95% of malware types were seen for less than four weeks, and four out of five did not last a week. You need the ability to monitor endpoint activity continuously, look back in time however long ago the attack occurred, and reconstruct the initial infection.

How did it behave?

What happened, step by step, after the initial infection? Did the malware execute for a second every five minutes? Was it able to escalate privileges? A continuous, behavioral picture of what happened at the endpoint is critical to getting an investigation started.

How and where did the attack spread after the initial compromise?

Usually the attacker is not after the information available at the point of infection, but wants to use that machine as a beachhead from which to pivot through the network toward the valuable data. Endpoints include the servers the workstations connect to, so it is essential to see a complete picture of any lateral movement that followed the intrusion, in order to know which assets were compromised and possibly also infected.

How did the infected endpoints’ behavior change?

What was going on before and after the infection? What network connections were attempted? How much network traffic was flowing? Which processes were active before and after the attack? Immediate answers to these questions are essential to fast triage.

What user activity occurred, and was there any possible insider involvement?

What actions did the user take before and after the infection? Was the user present at the machine? Was a USB drive inserted? Was the activity outside their normal usage pattern? These and many other artifacts must be available to paint a full picture.

What mitigation is needed to resolve the cyber attack and prevent the next?

Reimaging the infected device(s) is a time-consuming and costly remedy, but it is often the only way to know for sure that all malicious artifacts have been removed (although state-sponsored attackers may embed into system or drive firmware to survive even a reimage). With a clear picture of all the activity that occurred, lesser measures such as removing the malicious files from every affected system may be sufficient. Re-examining security policies will probably be in order, and NGES systems can help automate future responses should similar circumstances arise. Automatable actions include sandboxing, cutting off network access from infected machines, killing processes, and more.
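As an added example (not Ziften’s code or product output), here is what answering the six questions above looks like when run over a continuous endpoint record, in Python. The event schema, host inventory, IoC hash and every event are constructed for illustration; a real EDR record is far richer, but the reconstruction logic is the same: find the earliest sighting of the indicator (patient zero), trace connections from already-infected hosts to hosts infected later (lateral movement), diff processes and destinations before and after the first sighting (behavior change), and pull user artifacts such as device insertions and off-hours activity.

```python
"""Reconstruct an endpoint compromise timeline from continuous telemetry.

Added example, not Ziften product code. Schema, hosts, IoC hash and events
are all constructed for illustration.
"""
from datetime import datetime

# Hypothetical dropper hash used as the indicator of compromise (not a real sample).
IOC_HASH = "0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f"

# Constructed asset inventory: host -> IP, used to resolve lateral connections.
HOST_IPS = {"ws-17": "10.0.0.17", "fs-01": "10.0.0.5", "ws-22": "10.0.0.22"}
WORK_HOURS = range(8, 19)  # 08:00-18:59 counts as normal usage

# Constructed telemetry: (ISO timestamp, host, user, kind, detail)
# proc detail = "image|md5", net detail = "ip:port", usb detail = device id.
EVENTS = [
    ("2015-10-01T09:02:00", "ws-17", "alice", "logon", ""),
    ("2015-10-01T09:05:00", "ws-17", "alice", "proc", "outlook.exe|11aa"),
    ("2015-10-01T09:06:10", "ws-17", "alice", "proc", "winword.exe|22bb"),
    ("2015-10-01T09:06:45", "ws-17", "alice", "proc", "svchosts.exe|" + IOC_HASH),
    ("2015-10-01T09:07:00", "ws-17", "alice", "net", "203.0.113.9:443"),
    ("2015-10-01T09:12:00", "ws-17", "alice", "net", "10.0.0.5:445"),
    ("2015-10-01T09:12:30", "fs-01", "alice", "proc", "svchosts.exe|" + IOC_HASH),
    ("2015-10-01T09:13:00", "fs-01", "alice", "net", "203.0.113.9:443"),
    ("2015-10-01T23:40:00", "ws-17", "alice", "usb", "VID_0781&PID_5567"),
    ("2015-10-02T09:01:00", "ws-22", "bob", "proc", "chrome.exe|33cc"),
]


def parse(raw):
    return [dict(ts=datetime.fromisoformat(t), host=h, user=u, kind=k, detail=d)
            for t, h, u, k, d in raw]


def first_sightings(events):
    """Q1: first execution of the IoC on each host (the earliest is patient zero)."""
    first = {}
    for e in events:
        if e["kind"] == "proc" and e["detail"].endswith("|" + IOC_HASH):
            first.setdefault(e["host"], e["ts"])
    return first


def patient_zero(events):
    first = first_sightings(events)
    host = min(first, key=first.get)
    return host, first[host]


def lateral_movement(events):
    """Q3: connections from an already-infected host to a host infected later."""
    first = first_sightings(events)
    ip_to_host = {ip: h for h, ip in HOST_IPS.items()}
    moves = []
    for e in events:
        if e["kind"] != "net":
            continue
        src, dst = e["host"], ip_to_host.get(e["detail"].split(":")[0])
        if src in first and dst in first and first[src] <= e["ts"] < first[dst]:
            moves.append((src, dst, e["ts"]))
    return moves


def behavior_delta(events, host):
    """Q2/Q4: processes and destinations seen on host only after infection."""
    t0 = first_sightings(events)[host]
    before = {"proc": set(), "net": set()}
    after = {"proc": set(), "net": set()}
    for e in events:
        if e["host"] != host or e["kind"] not in before:
            continue
        item = e["detail"].split("|")[0]  # image name, or ip:port
        (before if e["ts"] < t0 else after)[e["kind"]].add(item)
    return {kind: sorted(after[kind] - before[kind]) for kind in before}


def user_activity(events, host):
    """Q5: device insertions and off-hours activity on host after infection."""
    t0 = first_sightings(events)[host]
    findings = []
    for e in events:
        if e["host"] != host or e["ts"] < t0:
            continue
        if e["kind"] == "usb":
            findings.append(("usb_inserted", e["user"], e["ts"]))
        if e["ts"].hour not in WORK_HOURS:
            findings.append(("off_hours", e["user"], e["ts"]))
    return findings


if __name__ == "__main__":
    ev = parse(EVENTS)
    pz, when = patient_zero(ev)
    print("patient zero:", pz, when)
    print("lateral movement:", lateral_movement(ev))
    print("behavior delta on", pz, behavior_delta(ev, pz))
    print("user activity on", pz, user_activity(ev, pz))
```

Note that the lateral-movement logic only works because the record is continuous: the SMB connection from ws-17 to the file server sits between the two first sightings, and a polling agent that sampled every few minutes could have missed it entirely, leaving fs-01 looking like a second independent infection.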

Don’t wait until after a breach to call in an army of consultants and spend time and money piecing the facts together. Make sure you are prepared to answer these six key questions and can have the answers at your fingertips within minutes.


Charles Leaver – We Are Pretty Certain That Compromised Endpoints Started The IRS Hack

Written By Michael Steward And Presented By Charles Leaver CEO Ziften

IRS Hackers Make Early Returns Because of Previous External Attacks

The Internal Revenue Service breach was the most unusual cyber attack of 2015. Classic attacks today start with phishing emails designed to gain initial access to target systems, followed by lateral movement until data is exfiltrated. The IRS hack was different: much of the data needed to carry it out had already been obtained elsewhere. In this case, all the attackers had to do was walk in the front door and request the transcripts. How could this happen? Here is what we know:

The IRS website has a “Get Transcript” function that lets users retrieve prior tax return information. As long as the requester can supply the right details, the system returns past and current W-2s, old tax returns, and so on. With anyone’s SSN, date of birth, and filing status, the attackers could start the retrieval process for prior filing years. The system also had a Knowledge Based Authentication (KBA) step, which asked questions derived from the requesting user’s credit history.

KBA is not foolproof, though. The questions it asks can often be predicted from other details already known about the user. The system asks questions such as “Which of the following streets have you lived on?” or “Which of the following vehicles have you owned?”

After the dust settled, it was estimated that the attackers attempted to collect 660,000 transcripts of past taxpayer information via Get Transcript, succeeding in 334,000 of those attempts. The unsuccessful attempts appear to have gotten as far as the KBA questions, which the attackers could not answer correctly. The attackers are estimated to have made off with over $50 million. So, how did they do it?

Security researchers believe the attackers used information from earlier breaches, such as SSNs, dates of birth, addresses, and filing statuses, to request prior tax return information on their target victims. When they succeeded and answered the KBA questions correctly, they filed a fraudulent return in the 2015 filing season, often inflating the withholding amount on the return to obtain a larger refund. As noted above, not every attempt succeeded, but over 50% of them did, resulting in significant losses for the IRS.

Detection and response products like Ziften are aimed at recognizing compromised endpoints (for example, through phishing attacks). We do this by providing real-time visibility of Indicators of Compromise (IoCs). If the theories are correct and the attackers used details gleaned from earlier breaches outside the IRS, the organizations that were compromised could have benefited from the visibility Ziften provides and mitigated the mass data exfiltration. Ultimately, the IRS appears to be the vehicle, rather than the initial victim, of these attacks.


Charles Leaver – Customers Of Comcast Face Shared Hacking And Data Exfiltration Risk

Written By Michael Pawloski And Presented By Ziften CEO Charles Leaver

Comcast’s Customers Are Victims Of Data Exfiltration and Shared Hacks Via Other Companies

The private information of around 200,000 Comcast customers was compromised on November 5th, 2015. Comcast was forced to make the announcement when it came to light that a list of 590,000 Comcast customer email addresses and passwords could be bought on the dark web for a token $1,000. Comcast maintains that its own network was not breached and that the list was assembled from past breaches of other companies. Comcast further states that only 200,000 of the 590,000 accounts actually still exist in its system.

Less than two months earlier, Comcast had already been hit with a $22 million fine over its inadvertent publication of almost 75,000 customers’ personal information. Somewhat ironically, those customers had specifically paid Comcast for “unlisted voice-over-IP,” a line item on the Comcast bill that stated that the customer’s information would be kept confidential.

Comcast instituted a mass reset of the 200,000 affected customer passwords, since attackers may have accessed these accounts before the list was put up for sale. While a simple password reset by Comcast will to some extent protect those accounts going forward, it does nothing to protect customers who reused the same email and password combination on banking and credit card logins. If the accounts were accessed before the list was disclosed, it is entirely possible that other personal information, such as automatic payment details and home addresses, had already been obtained.

The bottom line: assuming Comcast was not attacked directly, it was the downstream victim of many other breaches that contained data belonging to its customers. Detection and Response products like Ziften can prevent mass data exfiltration and often limit the damage done when these inevitable attacks happen.


Charles Leaver – Trump Hotels Hack Could Have Been Avoided With Point Of Sale Vulnerabilities Visibility

Written By Matthew Fullard Presented By Charles Leaver CEO Ziften

Trump Hotels POS Vulnerabilities Emphasize the Need for Quicker Detection of Anomalous Activity

Trump Hotels suffered a cyber attack between May 19th, 2014 and June 2nd, 2015. The point of infection was malware, which infected their front desk computers, POS systems, and restaurants. However, in their own words they claim that they “did not find any evidence that any customer information was taken from our systems.” While it is comforting to learn that no evidence was found, malware present on POS systems is most likely there to steal data from the cards that are swiped, or increasingly tapped, inserted, or waved. Absence of evidence is not evidence of the absence of a crime, and to Trump Hotels’ credit, they have offered free credit monitoring services. If you examine a Point of Sale (POS) system as an administrator, you will notice one thing in abundance: they rarely change, and the software is nearly uniform across the deployed fleet. That has both positives and negatives when it comes to securing such an environment. Software changes are slow to happen, require rigorous testing, and are difficult to roll out.

However, because such an environment is so uniform, it is also much easier to spot POS anomalies when something new has changed.

At Ziften we monitor every executing binary and every network connection in an environment the moment it occurs. If a single Point of Sale system started making new network connections or running new software, regardless of its intent, it would be flagged for further review and investigation. Ziften also collects unlimited historical data from your environment; if you want to know what happened 6 to 12 months ago, that is not a problem. Dwell times and AV detection rates can then be determined using our integrated threat feeds and our binary collection and submission technology. We will also tell you which users executed which applications at what time throughout that historical record, so you can find your initial point of infection.
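To show what “flag anything new in a uniform fleet” means in practice, here is an added Python example (not Ziften’s code): a snapshot of executing binaries (image name plus MD5) and outbound destinations is taken per POS terminal, the fleet consensus is derived from what most terminals share, and any terminal carrying something the rest of the fleet does not, or missing something the rest has, gets flagged. The inventory, hashes, and addresses are constructed placeholders.

```python
"""Flag POS terminals that deviate from the fleet's uniform image.

Added example, not Ziften product code. Inventory, hashes and addresses
are constructed placeholders for illustration.
"""
from collections import Counter

# Constructed "gold" image: executing binaries as (image, md5) and the
# outbound destinations every terminal legitimately talks to.
GOLD_BINS = {("pos.exe", "5d41402abc4b2a76b9719d911017c592"),
             ("svchost.exe", "7d793037a0760186574b0282f2f435e7"),
             ("explorer.exe", "098f6bcd4621d373cade4e832627b4f6")}
GOLD_NET = {"10.1.0.10:443", "10.1.0.11:8443"}

# Five terminals that start out identical to the gold image.
FLEET = {f"pos-{n:02d}": {"bins": set(GOLD_BINS), "net": set(GOLD_NET)}
         for n in range(1, 6)}
# pos-05 runs an extra binary and talks to an address no other terminal uses.
FLEET["pos-05"]["bins"].add(("rundll32.exe", "e3a0c3ad8a3a4b1fa44e0f2d7b6d1c9a"))
FLEET["pos-05"]["net"].add("198.51.100.23:8080")
# pos-03 runs a same-named binary whose hash differs from the fleet's copy.
FLEET["pos-03"]["bins"].discard(("svchost.exe", "7d793037a0760186574b0282f2f435e7"))
FLEET["pos-03"]["bins"].add(("svchost.exe", "ffffffffffffffffffffffffffffffff"))


def fleet_baseline(fleet, min_fraction=0.8):
    """Items present on at least min_fraction of hosts form the expected image."""
    hosts = len(fleet)
    baseline = {}
    for kind in ("bins", "net"):
        counts = Counter(item for snap in fleet.values() for item in snap[kind])
        baseline[kind] = {item for item, c in counts.items() if c / hosts >= min_fraction}
    return baseline


def deviations(fleet, baseline):
    """Per host: items absent from the baseline (new) and baseline items absent
    from the host (missing). Hosts that match the baseline exactly are omitted."""
    report = {}
    for host, snap in fleet.items():
        new = {k: sorted(snap[k] - baseline[k]) for k in baseline}
        missing = {k: sorted(baseline[k] - snap[k]) for k in baseline}
        if any(new.values()) or any(missing.values()):
            report[host] = {"new": new, "missing": missing}
    return report


if __name__ == "__main__":
    base = fleet_baseline(FLEET)
    for host, finding in deviations(FLEET, base).items():
        print(host, "new:", finding["new"], "missing:", finding["missing"])
```

Hashing by content rather than by file name is what catches pos-03: the image name is the same as everywhere else, but the MD5 is not, so it shows up both as a new binary and as a missing one. The consensus threshold is deliberately below 100% so that a single tampered terminal cannot vote its own binary into the baseline.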

Point of Sale problems continue to plague the retail and hospitality industries, which is a shame given how straightforward such an environment is to monitor with detection and response.


Charles Leaver – Marriott Could Have Prevented Their POS Breach With Continuous Endpoint Visibility

Written By Andy Wilson And Presented By Ziften CEO Charles Leaver

US retail outlets still appear to be an attractive target for hackers seeking payment card data, as Marriott franchisee White Lodging Services Corp announced a data breach in the spring of 2015, affecting customers at 14 hotels across the country from September 2014 to January 2015. This incident followed a similar cyber attack on White Lodging in 2014. In both cases the attackers were reportedly able to compromise the Point-of-Sale systems of the Marriott lounges and restaurants at several locations operated by White Lodging. The attackers were able to obtain the names printed on customers’ credit or debit cards, the card numbers, the security codes, and the expiration dates. POS systems were also the focus of recent breaches at Target, Neiman Marcus, Home Depot, and others.

Traditionally, Point-of-Sale (POS) systems at most US retail outlets were “locked down” Windows computers running a small set of applications geared to their function: ringing up the sale and processing the transaction with the payment card processor or bank. Modern POS terminals are essentially PCs that run email clients, web browsers, and remote desktop tools in addition to their transaction software. To be fair, they are usually deployed behind a firewall, but they are still ripe for exploitation. The best defenses can and will be breached if the target is valuable enough. For instance, the remote control tools used to manage and update POS systems are often hijacked by attackers for their own ends.

The payment processing network is a separate, encrypted network. So how did the hackers manage to steal the card data? They stole it while it was in memory on the POS terminal during the payment process. Even when retailers do not store card details, the data can sit unencrypted on the POS device while the transaction is authorized. Memory-scraping POS malware such as PoSeidon, FindPOS, FighterPOS, and Punkey is used by the data thieves to harvest the payment card information in that unencrypted state. The harvested data is then typically encrypted and either retrieved by the attackers or sent out to the Internet where they collect it.
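What a memory scraper is actually looking for, as an added Python example (not code from any of the malware families named above, and not Ziften’s): the Track 2 pattern that a magnetic-stripe read leaves in the POS process’s memory, validated with the Luhn check that scrapers use to discard false positives. The memory buffer is constructed; the PANs in it are the public test numbers 4111 1111 1111 1111 and 5555 5555 5555 4444 plus one that fails Luhn. The same routine, run over a memory dump of the POS process, is how a responder confirms whether card data was in fact exposed unencrypted, which is the question “no evidence was found” leaves open.

```python
"""Find unencrypted Track 2 payment card data in a process memory buffer.

Added example, not code from PoSeidon, FindPOS, FighterPOS, Punkey or Ziften.
The memory buffer and the card numbers in it are constructed test data.
"""
import re

# Track 2 as written by a stripe reader: ';' PAN '=' YYMM service-code/discretionary '?'
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d{0,20}\?")


def luhn_ok(pan):
    """Luhn checksum; scrapers use it to drop digit runs that are not real PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_track2(buf):
    """Return (PAN, expiry 'YY/MM', offset) for every Luhn-valid Track 2 record."""
    hits = []
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            expiry = m.group(2).decode() + "/" + m.group(3).decode()
            hits.append((pan, expiry, m.start()))
    return hits


def mask(pan):
    """Keep BIN and last four for reporting; never log the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed memory image: padding, an app string, two valid track records and
# one decoy whose PAN fails Luhn (4111...1112).
MEMORY = (b"\x00" * 8
          + b"TRANSACTION OK"
          + b";4111111111111111=2512101123456?"
          + b"\x00" * 4
          + b";4111111111111112=2512101?"
          + b"\xff" * 3
          + b";5555555555554444=2703201000000?"
          + b"\x00")


if __name__ == "__main__":
    for pan, expiry, offset in scrape_track2(MEMORY):
        print(f"offset {offset}: {mask(pan)} exp {expiry}")
```

On a real terminal the buffer comes from reading another process’s memory (the malware does this to the payment application; a responder does it to a memory dump), and the window is short: the data exists in this form only between the card read and the authorization request. That is why a point-in-time scan tends to miss it while continuous monitoring of what is reading the payment process’s memory, or of what new binary appeared on the terminal, does not.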

Ziften’s product provides continuous endpoint visibility that can detect and remediate these kinds of threats. Ziften’s MD5 hash analysis can spot new and suspicious processes or .dll files running in the POS environment. Ziften can also kill the process and collect the binary for further action or analysis. POS malware can also be spotted by alerting on Command and Control traffic: Ziften’s integrated threat intel and custom threat feed options allow customers to alert when POS malware communicates with C&C nodes. Finally, Ziften’s historical data lets customers kick-start the forensic assessment of how the malware got in, what it did after it was installed and executed, and which other machines are infected.

It is past time for retailers to step up their game and look for new solutions to protect their customers’ payment cards.