These 6 Questions Will Provide Damage Control Prior To A Breach – Chuck Leaver

Written By Michael Bunyard And Presented By Ziften CEO Chuck Leaver


The reality of modern life is that if attackers want to breach your network, it is only a matter of time before they do. The endpoint is the most common attack vector, and people are the weakest point in any organization. The endpoint is where users touch whatever the attacker is after: intellectual property, data, ransom, and so on. A new class of Next Generation Endpoint Security (NGES) products, of which Ziften is a leader, provides the visibility and insight needed to reduce the likelihood or the duration of an attack. Prevention methods include reducing the attack surface by removing known vulnerable applications, cutting version sprawl, killing malicious processes, and enforcing compliance with security policy.

But prevention only goes so far. No product is 100% effective, so it is important to take a proactive, real-time approach to your environment: watch endpoint behavior, detect when breaches have occurred, and respond immediately with remediation. Ziften also provides these capabilities, commonly called Endpoint Detection and Response (EDR), and organizations need to shift their mindset from "How can we prevent attacks?" to "We are going to be breached, so what do we do then?"

To understand the true impact of an attack, organizations must be able to look back and reconstruct the conditions surrounding a breach. Security analysts need answers to the following six questions, and they need them fast, because incident responders are outnumbered and working within limited windows to contain the damage.

Where was the attack activity initially seen?

This is where the ability to look back to the point of initial infection matters. To do this effectively, organizations must be able to go as far back in history as necessary to identify patient zero. The unfortunate state of affairs, per the figure Gartner and others cite, is that the median dwell time before a breach is detected is a stunning 205 days. According to the 2015 Verizon Data Breach Investigations Report (DBIR), in 60% of cases attackers were able to compromise an organization within minutes. That is why NGES products that do not continuously monitor and record activity, but instead periodically poll or scan the endpoint, can miss the critical initial intrusion. The DBIR also found that 95% of malware types were seen for less than four weeks, and four out of five did not last seven days. You need to continuously monitor endpoint activity, look back in time (however long ago the attack occurred), and reconstruct the initial infection.

How did it act?

What happened, step by step, after the initial infection? Did the malware execute for a second every five minutes? Did it obtain escalated privileges? A continuous behavioral record of what happened on the endpoint is essential to get an investigation started.

How and where did the cyber attack spread after initial compromise?

Often the attacker is not after the data available at the point of infection, but wants to use it as a beachhead from which to pivot through the network to the sensitive data. "Endpoints" include the servers that user endpoints connect to, so it is important to see a complete picture of any lateral movement after the infection, in order to know which assets were accessed and possibly also compromised.

How did the infected endpoint(s) behavior(s) change?

What was happening before and after the infection? What network connections were attempted? How much network traffic was flowing? What processes were running before and after the attack? Immediate answers to these questions are critical to fast triage.

What user activity happened, and was there any possible insider involvement?

What actions did the user take before and after the infection? Was the user present at the machine? Was a USB drive inserted? Was the activity outside their normal usage pattern? These and many other artifacts must be available to paint the full picture.

What mitigation is required to fix the cyber attack and prevent another one?

Reimaging the infected machine(s) is time-consuming and costly, but sometimes it is the only way to know for sure that every malicious artifact is gone (although state-sponsored attackers may embed themselves in system or drive firmware to survive even a reimage). With a clear picture of all the activity that took place, lesser actions such as removing the malicious files from every affected system may be sufficient. Security policies will probably need revisiting, and NGES products can automate the response should similar conditions arise again. Automatable actions include sandboxing, cutting off network access from infected machines, killing processes, and much more.
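The six questions above are really one procedure run over a continuous endpoint record. The following is an added example, not Ziften's code or product logic, that works through that procedure on a constructed telemetry log: it finds patient zero for a known-bad binary hash, measures how the malware beaconed, infers the lateral-movement path to other hosts, and diffs one host's behavior before and after infection. Every hostname, user, path, hash and address is invented for the example.

```python
"""Reconstruct an infection from continuously recorded endpoint telemetry.

Added example, not Ziften's code. Hosts, users, paths, hashes and addresses
are all constructed for the example.
"""
from datetime import datetime

# Constructed telemetry in the shape a continuously recording agent keeps:
# (timestamp, host, event, detail)
#   exec: detail = (user, image path, binary hash)
#   net:  detail = (user, destination host or IP, destination port)
TELEMETRY = [
    ("2015-06-01T08:02:11", "wk-01", "exec", ("alice", "C:\\Program Files\\Outlook\\outlook.exe", "aaa1")),
    ("2015-06-01T08:03:40", "wk-01", "net",  ("alice", "mail.corp.local", 443)),
    ("2015-06-01T08:05:02", "wk-01", "exec", ("alice", "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe", "bad1")),
    ("2015-06-01T08:05:09", "wk-01", "net",  ("alice", "203.0.113.7", 8080)),
    ("2015-06-01T08:10:09", "wk-01", "net",  ("alice", "203.0.113.7", 8080)),
    ("2015-06-01T08:12:30", "wk-01", "net",  ("alice", "srv-files", 445)),
    ("2015-06-01T08:13:01", "srv-files", "exec", ("alice", "C:\\Windows\\Temp\\svchost.exe", "bad1")),
    ("2015-06-01T08:13:20", "srv-files", "net",  ("alice", "203.0.113.7", 8080)),
    ("2015-06-01T08:15:00", "srv-files", "net",  ("alice", "wk-02", 445)),
    ("2015-06-01T08:15:44", "wk-02", "exec", ("SYSTEM", "C:\\Windows\\Temp\\svchost.exe", "bad1")),
    ("2015-06-01T09:00:00", "wk-03", "exec", ("bob", "C:\\Program Files\\Outlook\\outlook.exe", "aaa1")),
]


def ts(s):
    return datetime.fromisoformat(s)


def patient_zero(telemetry, bad_hash):
    """Q1: earliest execution of bad_hash anywhere in the fleet -> (time, host, user)."""
    execs = [(ts(t), h, d[0]) for t, h, e, d in telemetry if e == "exec" and d[2] == bad_hash]
    return min(execs) if execs else None


def beacon_intervals(telemetry, host, dest):
    """Q2: seconds between successive connections from host to dest (a fixed
    interval is the classic sign of a beaconing implant)."""
    times = sorted(ts(t) for t, h, e, d in telemetry if e == "net" and h == host and d[1] == dest)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def spread_path(telemetry, bad_hash):
    """Q3: list of (src, dst, conn_time, dst_first_exec) edges.

    An edge is inferred when a host already running bad_hash connects to
    another host that first executes bad_hash after that connection. This is
    an inference for the analyst to confirm, not proof of the vector."""
    first_exec = {}
    for t, h, e, d in telemetry:
        if e == "exec" and d[2] == bad_hash:
            first_exec[h] = min(first_exec.get(h, ts(t)), ts(t))
    edges = []
    for t, h, e, d in telemetry:
        if e != "net":
            continue
        dst, when = d[1], ts(t)
        if h in first_exec and dst in first_exec and first_exec[h] <= when < first_exec[dst]:
            edges.append((h, dst, when, first_exec[dst]))
    return sorted(edges, key=lambda edge: edge[2])


def behaviour_delta(telemetry, host, pivot):
    """Q4: process images and network destinations seen on host at or after
    pivot that were never seen on it before pivot."""
    before, after = set(), set()
    for t, h, e, d in telemetry:
        if h != host:
            continue
        key = ("proc", d[1]) if e == "exec" else ("dest", d[1], d[2])
        (before if ts(t) < pivot else after).add(key)
    return sorted(after - before)


if __name__ == "__main__":
    when, host, user = patient_zero(TELEMETRY, "bad1")
    print("patient zero:", host, user, when)
    print("beacon intervals (s):", beacon_intervals(TELEMETRY, host, "203.0.113.7"))
    for src, dst, conn, first in spread_path(TELEMETRY, "bad1"):
        print(f"spread: {src} -> {dst} at {conn}, {dst} first ran it at {first}")
    for item in behaviour_delta(TELEMETRY, host, when):
        print("new on", host, "after infection:", item)
```

The user field carried on every record is what answers question 5 (who was logged on when `invoice.exe` ran); question 6 follows from the `spread_path` output, which is the list of machines to clean or reimage. Note that `spread_path` only sees hosts that have an agent reporting; a server without telemetry is a gap in the path, not evidence it was untouched.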

Don't wait until after an attack, when you have to hire an army of consultants and spend time and money piecing the facts together. Be prepared to answer these six key questions, with the answers at your fingertips in minutes.

The IRS Hack Probably Began With Compromised Endpoints – Chuck Leaver

Written By Michael Steward And Presented By Chuck Leaver CEO Ziften


IRS Hackers Make Early Returns Because of Previous External Attacks


The IRS breach was the most distinctive cyber attack of 2015. Classic attacks today start with phishing emails to gain initial access to target systems, followed by lateral movement until data is exfiltrated. The IRS hack was different: much of the data needed to carry it out had already been obtained elsewhere. All the attackers had to do was walk in the front door and file the returns. How could this happen? Here is what we know:

The IRS website has a "Get Transcript" feature that lets users retrieve prior tax return information. As long as the requester can supply the right details, the system returns past and current W-2s, old tax returns, and so on. With anyone's SSN, date of birth, and filing status, the attackers could begin retrieving prior years' information. The system also had a Knowledge-Based Authentication (KBA) step, which asked questions drawn from the requester's credit history.

KBA is not foolproof, however. The questions it asks can often be predicted from other information already known about the user. The system asks questions such as "Which of the following streets have you lived on?" or "Which of these vehicles have you owned?"

After the dust settled, it was estimated that the attackers attempted to collect 660,000 taxpayers' transcripts through Get Transcript and succeeded in 334,000 of those attempts. The unsuccessful attempts appear to have reached the KBA questions, where the attackers failed to supply the correct answers. The attackers are estimated to have made off with roughly $50 million. So how did they do it?

Security analysts believe the attackers used data from previous breaches, such as SSNs, DOBs, addresses, and filing statuses, to try to obtain prior tax return information on their target victims. If they succeeded in answering the KBA questions, they filed a fraudulent return in the 2015 filing season, often inflating the withholding amount on the return to obtain a larger refund. As noted, not every attempt succeeded, but over 50% of them did, resulting in major losses for the IRS.
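The pattern described above, hundreds of thousands of Get Transcript attempts with a roughly 50% KBA pass rate, is visible in the request log long before the refunds go out, because a single legitimate taxpayer does not attempt several identities in a few minutes. The following is an added example, not IRS or Ziften code, of the velocity check a service owner would run over such a log. The log format, source addresses, taxpayer identifiers and thresholds are all constructed assumptions; the taxpayer identifier would be a hash or opaque token, never the SSN itself.

```python
"""Flag bulk Get Transcript / KBA abuse from a request log by source velocity.

Added example, not IRS or Ziften code. Log line format, addresses, identifiers
and thresholds are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: one line per stage of a transcript request.
#   id     = opaque taxpayer identifier (a token, not the SSN)
#   stage  = kba (knowledge-based questions) or transcript (delivery)
#   result = pass/fail for kba, ok for transcript
LOG = """\
2015-03-02T10:00:05 src=198.51.100.4 id=t-0001 stage=kba result=pass
2015-03-02T10:00:30 src=198.51.100.4 id=t-0001 stage=transcript result=ok
2015-03-02T10:01:00 src=203.0.113.9 id=t-1001 stage=kba result=fail
2015-03-02T10:01:20 src=203.0.113.9 id=t-1002 stage=kba result=pass
2015-03-02T10:01:25 src=203.0.113.9 id=t-1002 stage=transcript result=ok
2015-03-02T10:02:00 src=203.0.113.9 id=t-1003 stage=kba result=fail
2015-03-02T10:02:40 src=203.0.113.9 id=t-1004 stage=kba result=fail
2015-03-02T10:03:10 src=203.0.113.9 id=t-1005 stage=kba result=pass
2015-03-02T10:03:15 src=203.0.113.9 id=t-1005 stage=transcript result=ok
2015-03-02T10:04:00 src=203.0.113.9 id=t-1006 stage=kba result=fail
2015-03-02T10:05:30 src=203.0.113.9 id=t-1007 stage=kba result=pass
2015-03-02T10:05:35 src=203.0.113.9 id=t-1007 stage=transcript result=ok
2015-03-02T11:30:00 src=192.0.2.77 id=t-0042 stage=kba result=fail
2015-03-02T11:31:00 src=192.0.2.77 id=t-0042 stage=kba result=pass
"""

LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) id=(?P<id>\S+) stage=(?P<stage>\S+) result=(?P<result>\S+)$"
)


def parse(log):
    """Parse log text into event dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def flag_sources(events, window=timedelta(minutes=10), max_identities=5, max_kba_failures=3):
    """Per source address, slide a time window over its events and flag it when
    it touches more distinct identities, or fails KBA more often, than a real
    taxpayer plausibly would. Returns {src: [reasons]}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for i, e in enumerate(evs):
            while evs[start]["ts"] < e["ts"] - window:   # drop events older than the window
                start += 1
            win = evs[start:i + 1]
            identities = {w["id"] for w in win}
            failures = sum(1 for w in win if w["stage"] == "kba" and w["result"] == "fail")
            reasons = []
            if len(identities) > max_identities:
                reasons.append(f"{len(identities)} identities in {window}")
            if failures > max_kba_failures:
                reasons.append(f"{failures} KBA failures in {window}")
            if reasons:
                flagged[src] = reasons   # keep the latest (largest) window that tripped
    return flagged


if __name__ == "__main__":
    for src, reasons in flag_sources(parse(LOG)).items():
        print(src, "->", "; ".join(reasons))
```

A determined attacker spreads requests over many source addresses, so in practice the same windowing is also keyed on the identity (one SSN attempted from several addresses) and on the destination of the refund; the per-source check is the cheapest first gate, and the 660,000-attempt volume reported above would have tripped it on any threshold.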

Detection and response products like Ziften's focus on identifying compromised endpoints (for example, via phishing attacks). We do this by providing real-time visibility into Indicators of Compromise (IoCs). If the theories are right and the attackers used data gleaned from earlier breaches outside the IRS, the organizations that were breached could have benefited from the visibility Ziften provides and mitigated the mass data exfiltration. Ultimately, the IRS appears to be the vehicle of these attacks rather than the initial victim.

Shared Hacks And Data Exfiltration Are Leaving Comcast Customers At Risk – Chuck Leaver

Written By Michael Pawloski And Presented By Ziften CEO Chuck Leaver


Comcast Customers Are Victims Of Data Exfiltration And Shared Hacks Via Other Businesses


The personal information of around 200,000 Comcast customers was compromised, as announced on November 5, 2015. Comcast was forced to make the announcement when it emerged that a list of 590,000 Comcast customer emails and passwords could be bought on the dark web for a mere $1,000. Comcast maintains there was no attack on its own network; rather, the data came from past breaches of other companies. Comcast further claims that only 200,000 of the 590,000 accounts still exist in its systems.

Less than two months earlier, Comcast had already been hit with a $22 million penalty for inadvertently publishing nearly 75,000 customers' personal details. Ironically, those customers had specifically paid Comcast for "unlisted voice-over-IP," a line item on the Comcast bill stating that their information would be kept confidential.

Comcast forced a password reset on the 200,000 affected accounts, which may have been accessed before the list went up for sale. While a password reset protects those accounts going forward, it does nothing for customers who reused the same email and password combination on banking and credit card logins. If the accounts were accessed before the list was exposed, it is entirely possible that other personal information, such as automatic payment details and street address, had already been harvested.
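The distinction Comcast drew, 590,000 pairs in the dump but only 200,000 still in its systems, is the first thing a provider has to establish, and the second is whether the leaked password still opens the account. The following is an added example, not Comcast's or Ziften's code, of that triage against a user store that keeps salted PBKDF2 hashes, so the leaked plaintext is only ever compared on the provider's side and never stored. The user store contents and the dump lines are constructed; the iteration count is kept low so the example runs quickly.

```python
"""Triage a leaked email:password list against a salted-hash user store.

Added example, not Comcast's or Ziften's code. User store, dump lines and
the iteration count are constructed for the example.
"""
import hashlib
import hmac
import os

ITERATIONS = 10_000  # deliberately low for the example; production uses far more


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a per-user random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed user store: email -> (salt, digest). A real deployment reads this
# from the identity system; the plaintexts exist here only to build the fixture.
USER_STORE = {email: hash_password(pw) for email, pw in {
    "alice@example.com": "correct horse battery",
    "bob@example.com": "Bob2015!",
    "carol@example.com": "unique-pw-7",
}.items()}

# Constructed dump lines in the email:password form such lists are sold in.
LEAKED = [
    "alice@example.com:correct horse battery",   # still a customer, password still works
    "BOB@example.com:hunter2",                    # still a customer, password differs
    "dave@example.com:whatever",                  # not a customer at all
]


def triage_dump(leaked_lines, store):
    """Bucket each leaked pair: not a customer, customer whose password differs,
    or customer whose account the leaked password still opens."""
    buckets = {"not_a_customer": [], "exists_password_differs": [], "exists_password_matches": []}
    for line in leaked_lines:
        email, _, password = line.strip().partition(":")   # first ':' splits; passwords may contain ':'
        email = email.lower()
        if email not in store:
            buckets["not_a_customer"].append(email)
            continue
        salt, digest = store[email]
        matched = verify_password(password, salt, digest)
        buckets["exists_password_matches" if matched else "exists_password_differs"].append(email)
    return buckets


def response_plan(buckets):
    """Force a reset where the leaked password still works; everyone else still in
    the store gets a reuse warning, because the pair may open their other accounts."""
    return {
        "force_reset": sorted(buckets["exists_password_matches"]),
        "notify_reuse": sorted(buckets["exists_password_differs"]),
    }


if __name__ == "__main__":
    plan = response_plan(triage_dump(LEAKED, USER_STORE))
    print("force reset:", plan["force_reset"])
    print("notify about reuse:", plan["notify_reuse"])
```

The "notify" bucket is the part a plain mass reset misses: a customer whose Comcast password differs from the leaked one has not lost the Comcast account, but the leaked pair is probably their password somewhere else, which is exactly the banking and credit card exposure described above.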

The bottom line: assuming Comcast was not hacked directly, it was the collateral victim of other breaches whose data included its customers' credentials. Detection and response products like Ziften can prevent mass data exfiltration and often mitigate the damage when these inevitable attacks happen.

Lack Of Visibility Into Point Of Sale Vulnerabilities Was Responsible For Trump Hotels Breach – Chuck Leaver

Written By Matthew Fullard And Presented By Chuck Leaver CEO Ziften


Trump Hotels Point-of-Sale Vulnerabilities Emphasize The Need For Faster Detection Of Anomalous Activity


Trump Hotels suffered a data breach between May 19, 2014 and June 2, 2015. The infection vector was malware, which infected front desk computers, POS systems, and restaurant systems. In their own words, they "did not find any evidence that any customer information was removed from our systems." While it is reassuring that no evidence was found, malware on a POS system is most likely there to steal data from the cards that are swiped or, increasingly, tapped, inserted, or waved. Absence of evidence does not mean absence of a crime, and to Trump Hotels' credit, they have offered free credit monitoring.

Look at a point-of-sale (POS) environment as an administrator and one thing stands out: these systems rarely change, and the software is nearly identical across the whole deployment. That cuts both ways when securing such an environment. Software changes are slow to happen, require rigorous testing, and are hard to roll out. But because the environment is so uniform, it is also much easier to spot POS vulnerabilities and to notice when something new has changed.

At Ziften we monitor every executing binary and network connection within an environment the moment it happens. If a single POS system started making new network connections or running new software, whatever its intent, it would be flagged for further review. Ziften also collects unlimited historical data from your environment: if you need to know what happened six to twelve months ago, that is not a problem. Dwell times and AV detection rates can be measured using our integrated threat feeds together with our binary collection and submission technology. We will also tell you which users launched which applications at what time throughout that history, so you can find the initial point of infection.

POS problems continue to plague the retail and hospitality industries, which is a shame given how straightforward the environment is to monitor with detection and response.

Continuous Endpoint Visibility Could Have Prevented Marriott Point Of Sale Breach – Chuck Leaver

Written By Andy Wilson And Presented By Ziften CEO Charles Leaver


US retail outlets remain an attractive target for attackers after card data. Marriott franchisee White Lodging Services Corp announced a data breach in spring 2015 affecting customers at 14 hotels across the country between September 2014 and January 2015. This follows a similar White Lodging breach in 2014. In both cases the attackers reportedly compromised the point-of-sale systems of the Marriott lounges and restaurants at several properties run by White Lodging, obtaining the names printed on customers' credit or debit cards, the card numbers, the security codes, and the expiration dates. Point-of-sale systems were also the focus of recent breaches at Target, Neiman Marcus, Home Depot, and others.

Traditionally, point-of-sale (POS) systems at most US retailers were "locked down" Windows computers running a minimal set of applications tailored to their function: ringing up the sale and processing the transaction with the card bank or merchant processor. Modern POS terminals are essentially PCs that run email clients, web browsers, and remote desktop tools alongside their transaction software. To be fair, they are usually deployed behind a firewall, but they are still ripe for exploitation; the best defenses can and will be breached if the target is valuable enough. For example, the remote management tools used to administer and update POS systems are often hijacked by attackers for their own purposes.

The card payment processing network is a separate, segregated, encrypted network. So how do attackers steal card data? They take it from memory on the POS terminal while the payment is being processed. Even if the retailer never stores payment card data, it sits unencrypted in the POS machine's memory while the transaction is authorized. Memory-scraping POS malware such as PoSeidon, FindPOS, FighterPOS, and Punkey collects the card data in that unencrypted state. The data is then typically encrypted and retrieved by the attackers, or sent out to the Internet where they collect it.

Ziften's product provides continuous endpoint visibility that can detect and remediate these threats. Ziften's MD5 hash analysis can identify new and suspicious processes or .dll files running in the POS environment, and Ziften can kill the process and collect the binary for further action or analysis. POS malware can also be detected by alerting on command-and-control traffic: Ziften's integrated threat intel and custom threat feed options let customers alert when POS malware talks to C&C nodes. Finally, Ziften's historical data lets customers kick-start the forensic investigation of how the malware got in, what it did after it was installed and executed, and which other machines are infected.
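Both POS posts above rest on the same observation: in a homogeneous estate, a binary or destination that appears on one terminal and nowhere else is an anomaly, a known image running under a new hash is a tampered binary, and a destination on a threat feed is an alert. The following is an added example, not Ziften's code or product logic, of that fleet-wide baseline over a constructed inventory of five terminals. Hostnames, paths, hashes, addresses and the feed entry are all invented for the example.

```python
"""Fleet-wide baseline for a homogeneous POS estate: prevalence outliers,
hash drift on a known image path, and threat-feed destination hits.

Added example, not Ziften's code. Every hostname, path, hash and address is
constructed for the example.
"""
from collections import Counter, defaultdict

# Constructed per-terminal inventory, as a continuously recording agent would
# report it: executed (image path, md5) pairs and outbound (dest, port) pairs.
_BASE_PROCS = {("C:\\POS\\pos.exe", "md5-pos-1"), ("C:\\Windows\\explorer.exe", "md5-exp-1")}
_BASE_DESTS = {("10.0.5.2", 8443)}   # the in-house payment gateway
FLEET = {
    "pos-01": {"procs": set(_BASE_PROCS), "dests": set(_BASE_DESTS)},
    "pos-02": {"procs": set(_BASE_PROCS), "dests": set(_BASE_DESTS)},
    "pos-03": {"procs": set(_BASE_PROCS), "dests": set(_BASE_DESTS)},
    # pos-04 runs an extra binary out of Temp and talks to an outside address
    "pos-04": {"procs": _BASE_PROCS | {("C:\\Windows\\Temp\\winsvc.exe", "md5-new-1")},
               "dests": _BASE_DESTS | {("198.51.100.23", 443)}},
    # pos-05 runs pos.exe under a hash no other terminal has
    "pos-05": {"procs": {("C:\\POS\\pos.exe", "md5-pos-2"), ("C:\\Windows\\explorer.exe", "md5-exp-1")},
               "dests": set(_BASE_DESTS)},
}
THREAT_FEED = {"198.51.100.23"}   # constructed feed entry (a supposed C&C node)


def prevalence(fleet, key):
    """How many terminals report each item under key ('procs' or 'dests')."""
    counts = Counter()
    for inventory in fleet.values():
        counts.update(inventory[key])
    return counts


def outliers(fleet, key, max_hosts=1):
    """Items seen on at most max_hosts terminals, mapped to the terminals reporting them.
    In a fleet that should be identical, low prevalence is the anomaly signal."""
    seen_on = defaultdict(list)
    for host, inventory in sorted(fleet.items()):
        for item in inventory[key]:
            seen_on[item].append(host)
    return {item: hosts for item, hosts in seen_on.items() if len(hosts) <= max_hosts}


def hash_drift(fleet):
    """Image paths that run under more than one hash across the fleet, i.e. a
    binary that was replaced or tampered with on some terminals."""
    by_path = defaultdict(lambda: defaultdict(list))
    for host, inventory in sorted(fleet.items()):
        for path, md5 in inventory["procs"]:
            by_path[path][md5].append(host)
    return {path: dict(hashes) for path, hashes in by_path.items() if len(hashes) > 1}


def feed_hits(fleet, feed):
    """Terminals with an outbound destination whose address is on the threat feed."""
    hits = {}
    for host, inventory in sorted(fleet.items()):
        bad = sorted(dest for dest in inventory["dests"] if dest[0] in feed)
        if bad:
            hits[host] = bad
    return hits


if __name__ == "__main__":
    print("rare binaries:", outliers(FLEET, "procs"))
    print("rare destinations:", outliers(FLEET, "dests"))
    print("hash drift:", hash_drift(FLEET))
    print("threat feed hits:", feed_hits(FLEET, THREAT_FEED))
```

The `max_hosts` threshold is set to one here because the fleet is tiny; on a real estate it is set as a fraction of terminals so that a staged software rollout does not page anyone, while a single terminal beaconing to an outside address still does. The hash-drift check is the MD5 analysis described above expressed as a fleet comparison rather than a lookup: it needs no signature for `md5-pos-2`, only the fact that four terminals disagree with the fifth.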

It is past time for merchants to step up their game and look for new solutions to protect their customers' payment cards.