Category Archives: Cyber Attacks

Calling Microsoft Channel Partners: Don’t Miss This Security Opportunity – Chuck Leaver

Written By Greg McCreight And Presented By Chuck Leaver


Windows Defender Advanced Threat Protection (WDATP) is very good, and popular with Microsoft channel partners around the globe. You are probably already working with Microsoft customers to set up and maintain WDATP on their Windows endpoints.

I’m delighted to tell you about a brand-new opportunity: get a fast start with an industry-leading solution that integrates directly into WDATP: Ziften Zenith. For a limited time, Microsoft channel partners can use our new “Fast Start” program to partner with Ziften.

With “Fast Start,” you enjoy all the benefits of Ziften’s top-tier partner status for a full year, and we’ll help you get up to speed rapidly with joint marketing and business development resources, with a waiver of the usual sales volume commitment associated with Gold Status.

If you don’t know Ziften, we provide infrastructure visibility and coordinated threat detection, prevention, and response across all endpoint devices and cloud environments. Zenith, our flagship security platform, deploys easily to client devices, servers, and virtual machines.

Once installed, Zenith continuously collects all the information required to accurately assess the current and historical state of all managed devices, including system, user behavior, network connectivity, application, binary, and process data. Zenith gives your customers’ IT and security teams continuous visibility and control of all managed assets, including continuous monitoring, alerting, and automated or manual actions.

Zenith is cross-platform: it works with and protects Windows, Mac, Linux, and other endpoints.

What’s especially notable, and here’s the opportunity, is that Ziften has teamed up with Microsoft to integrate Zenith with Windows Defender ATP. That means your customers can use WDATP on Windows systems and Zenith on their macOS and Linux systems to detect, view, and respond to cyberattacks, all using only the WDATP Management Console for every system. Zenith stays hidden in the background.

A single pane of glass to manage Windows, Mac, and Linux endpoints, which can include desktops, notebooks, and servers. That makes Zenith the best solution to offer your existing WDATP customers… and makes your bids for new WDATP business more complete for multi-platform enterprise prospects.

What’s more, offering Zenith can help you speed customer migrations to Windows 10, and sell more Business E5 commercial editions.

“Fast Start” for a Year with Gold Status

Ziften is completely focused on the channel: 96% of our sales in 2017 were through the channel. We are delighted to bring the “Fast Start” program to existing Microsoft channel partners throughout the world.

With “Fast Start,” you can sign up for the Ziften Channel Program with these benefits:

Expedited Approval and On-Boarding – Ziften channel managers and field sales work directly with you to get you started selling the Zenith endpoint security solution integrated with Windows Defender ATP.

Superior Security Value – You’ll be uniquely positioned to offer customers and prospects greater security value across more of their overall environment than ever, increasing the number of supported and protected Windows, Mac, and Linux systems.

Hands-On Collaboration – Ziften dedicates field sales, sales engineers, and marketing to support your day-to-day pre-sales engagements, drive new sales opportunities, and help close more deals with Microsoft and Ziften endpoint security.

Here’s what one significant Microsoft channel partner says about this. Ronnie Altit is founder and CEO of Insentra, a “partner-obsessed” Australian IT services business that works exclusively through the IT channel:

“As a big Microsoft reseller, teaming with Ziften to use their Zenith security platform integrated with Microsoft Windows Defender ATP was a no-brainer. We’re thrilled at the seamless integration between Zenith and Windows Defender ATP offering our customers holistic security and visibility across their Windows and non-Windows systems. Ziften has been a pleasure to deal with, and helpful at every step of the procedure. We expect to be exceptionally successful offering this effective security solution to our customers.”

Here Are 4 Steps To Prevent And Tackle Ransomware – Chuck Leaver

Written By Alan Zeichick And Presented By Chuck Leaver


Ransomware is real, and it is hitting people, businesses, schools, hospitals, and governments, and there’s no sign that ransomware is stopping. In fact, it’s probably increasing. Why? Let’s face it: ransomware is probably the single most effective attack that hackers have ever created. Anyone can create ransomware using readily available tools; any money received is likely in untraceable Bitcoin; and if something goes wrong with decrypting somebody’s hard drive, the cybercriminal isn’t affected.

A business is hit with ransomware every forty seconds, according to some sources, and 60% of malware incidents were ransomware. It hits all sectors. No industry is safe. And with the rise of RaaS (Ransomware-as-a-Service) it’s going to get worse.

The good news: we can fight back. Here’s a 4-step battle plan.

Good Fundamental Hygiene

It begins with training workers how to handle malicious e-mails. There are forged messages from business partners. There’s phishing and targeted spearphishing. Some will get through email spam/malware filters; staff have to be taught not to click links in those messages and, of course, not to allow apps or plug-ins to be installed.

However, some malware, including ransomware, is going to get through, frequently exploiting obsolete software or unpatched systems, as in the Equifax breach. That’s where the next step comes in:

Make sure that all endpoints are thoroughly patched and fully updated with the latest, most secure operating systems, applications, utilities, device drivers, and code libraries. That way, if there is an attack, the endpoint is healthy and best able to resist the infection.

Ransomware isn’t really a technology or security issue. It’s a business problem. And it’s so much more than the ransom that is demanded. That’s peanuts compared with loss of productivity due to downtime, bad public relations, disgruntled customers if service is interrupted, and the cost of rebuilding lost data. (Which assumes that valuable intellectual property or protected financial or customer health data isn’t also stolen.)

What else can you do? Backup, backup, backup, and protect those backups. If you don’t have safe, protected backups, you can’t restore data and core infrastructure in a timely fashion. That includes making daily snapshots of virtual machines, databases, applications, source code, and configuration files.

Companies need tools to detect, identify, and prevent malware like ransomware from spreading. This requires constant monitoring and reporting of what’s happening in the environment, including “zero day” attacks that have not been seen before. Part of that is monitoring endpoints, from the mobile phone to the desktop to the server to the cloud, to ensure that all endpoints are up-to-date and protected, and that no unexpected changes have been made to their underlying configuration. That way, if a device is infected by ransomware or other malware, the breach can be detected quickly, and the device isolated and shut down pending forensics and recovery. If an endpoint is breached, fast containment is vital.

The 4 Tactics

Good user training. Keeping systems updated with patches and fixes. Backing up everything as frequently as possible. And using monitoring tools to help both IT and security teams discover problems and react quickly to them. When it comes to ransomware, those are the four battle-tested tactics we need to keep our companies safe.

You can find out more about this in a brief 8-minute video, where I talk with several industry experts about this issue:

Protect Yourself With Microsoft And Ziften – Chuck Leaver

Written By David Shefter And Presented By Chuck Leaver


This week we announced a collaboration with Microsoft that unites Ziften’s Zenith® systems and security operations platform with Windows Defender Advanced Threat Protection (ATP), providing a cloud-based “single pane of glass” to detect, view, investigate, and respond to advanced cyber-attacks and breaches on Windows, macOS, and Linux-based devices (desktops, laptops, servers, cloud, etc.).

Windows Defender ATP plus Ziften Zenith is a security service that enables enterprise customers to detect, investigate, respond to, and remediate advanced threats on their networks, off-network, and in the data center and cloud.

Imagine a single solution across all the devices in your business, providing scalable, cutting-edge security in a cost-efficient and easy-to-use platform. Enabling businesses throughout the world to secure and manage devices through this ‘single pane of glass’ offers the promise of lower operational costs with genuinely improved security, delivering real-time global threat defense with information collected from billions of devices worldwide.

The Architecture Of Microsoft And Ziften

The image below provides an overview of the service elements and the integration between Windows Defender ATP and Ziften Zenith.

Endpoint investigation capabilities allow you to drill down into security alerts and understand the scope and nature of a potential breach. You can submit files for deep analysis, receive the results, and take action without leaving the Windows Defender ATP console.

Discover and Contain Threats

With the Windows Defender ATP and Ziften Zenith integration, companies can easily discover and contain threats on Windows, macOS, and Linux systems from a single console. Windows Defender ATP and Ziften Zenith provide:

Behavior-based, cloud-powered, advanced attack detection. Discover the attacks that make it past all other defenses (post-breach detection).

Rich timeline for forensic investigation and mitigation. Easily investigate the scope of any breach or suspicious behaviors on any machine through a rich, 6-month machine timeline.

Built-in unique threat intelligence knowledge base. Threat intelligence to quickly identify attacks based on monitoring and data from millions of devices.

The diagram below illustrates many of the macOS and Linux threat detection and response capabilities now available with Windows Defender ATP.

In conclusion, if you’re looking to secure your endpoints and infrastructure, you need to take a hard look at Windows Defender ATP and Ziften Zenith.

You Will Be Secure With Ziften Services – Chuck Leaver

Written By Josh Harriman And Presented By Chuck Leaver


Having the right tools to hand is a given in our industry. But having the right tools and services is one thing; getting the best value out of them can be a challenge. Even with all the right intentions and sufficiently experienced staff, there can be gaps. Ziften Services can help fill those gaps and keep you on track for success.

Ziften Services can augment, or even outright lead, your IT Operations and Security teams to better equip your organization, with three offerings. Each is tailored for a specific need. A recent report by ESG (Enterprise Strategy Group) entitled “Patterns in Endpoint Security Study” found that 51% of respondents said they will be deploying and using an EDR (endpoint detection and response) solution now, and 35% of them plan to use managed services for the implementation; this shows that the need for appropriate services around these products and solutions is real. Therefore, Ziften is offering our services knowing that many companies do not have the scale or expertise to implement and fully use needed tools such as EDR.

Ziften’s services are as follows:

Ziften Assess Service
Ziften Hunt Service
Ziften Respond Service

While each of the 3 services covers a distinct function, the latter 2 are more complementary to each other. Let’s look at each in a bit more detail to better understand the benefits.

Assess Service

This service covers both IT operations and security teams. To measure your success in proper documentation and adherence to processes and policies, you have to start with a solid baseline. The Assess service starts by conducting in-depth interviews with key decision makers to truly understand what is in place. From there, a Ziften Zenith implementation provides monitoring and data collection of key metrics across client device networks, data centers, and cloud deployments. The reporting covers asset management and performance, licensing, vulnerabilities, compliance, and even anomalous behavior. The outcome can address a range of concerns such as M&A assessments, pre-cloud migration planning, and regular compliance checks.

Hunt Service

This service is a true 24×7 managed endpoint detection and response (MDR) offering. Organizations struggle to fully cover this essential element of security operations, whether because of limited staff or a lack of expertise in threat hunting techniques. Again using the Ziften Zenith platform, this service provides continuous monitoring across client devices, servers, and cloud VMs running Windows, Mac OS X, and Linux operating systems. One of the primary outcomes of this service is significantly reducing threat dwell times within the environment. This has been discussed often in the past couple of years and the numbers are shocking, usually on the order of hundreds of days that threats stay hidden within companies. You need somebody who can actively hunt for these adversaries and can also look back historically at previous events to discover behaviors you were not aware of. This service includes some hours of dedicated Incident Response too, so you have all your bases covered.

Respond Service

When you’re up against it and have a real emergency, this service is exactly what you need. This is a tried and true IR team ready for battle 24×7 with a broad range of response tool sets at their disposal. You will get immediate incident assessment and triage. Recommended actions align with the severity of the threat and what response actions need to happen. The teams are very flexible and will work remotely or, if needed, can be on site where conditions warrant. This could be your whole IR team, or it will augment and blend right in with your current team.

At the end of the day, you need services to help maximize your chances of success in today’s world. Ziften has three excellent offerings and wants all our customers to feel protected and aligned with the best operational and security posture available. Please reach out to us so we can help you. It’s what we are here to do!

We Show You Our Endpoint Security Architecture Now Show Us Yours – Chuck Leaver

Written By Mike Hamilton And Presented By Ziften CEO Chuck Leaver


Endpoint security is really in vogue these days, and there are lots of different vendors promoting their wares in this market. But it’s sometimes difficult to understand exactly what each vendor offers. What’s even harder is understanding how each vendor’s solution is architected to deliver those services.

I believe that the back-end architecture of whatever you choose can have a profound effect on the future scalability of your deployment. And it can produce lots of unexpected work and costs if you’re not careful.

So, in the spirit of openness, and because we think our architecture is different, unique, and effective, we invite all endpoint security vendors to “show us your architecture”.

I’ll kick this off in the video below, where I show you the Ziften architecture, and a couple of what I consider legacy architectures for comparison. Specifically, I’ll discuss:

– Ziften’s architecture, designed using next-gen cloud principles.
– One company’s peer-to-peer “mish-mash” architecture.
– Legacy hub-spoke-hub architectures.

I’ve shown you the power of our truly cloud-based platform. Now it’s my competitors’ turn. What are you waiting for, folks? Show us your architectures!

With Ziften And Splunk You Can Detect And Respond To WannaCry – Chuck Leaver

Written by Joel Ebrahami and presented by Chuck Leaver


WannaCry has generated a lot of media attention. It may not have the enormous infection rates that we have seen with many previous worms, but in the current security world the number of systems it was able to infect in one day was still rather shocking. The goal of this blog is NOT to provide an in-depth analysis of the threat, but rather to look at how the exploit behaves on a technical level with Ziften’s Zenith platform and the integration we have with our technology partner Splunk.

Visibility of WannaCry in Ziften Zenith

My first step was to reach out to the Ziften Labs threat research team to see what details they could provide me about WannaCry. Josh Harriman, VP of Cyber Security Intelligence, leads our research team and informed me that they already had samples of WannaCry running in our ‘Red Lab’ to examine the behavior of the threat and perform additional analysis. Josh sent me the details of what he had found when examining the WannaCry samples in the Ziften Zenith console, which I present here.

The Red Lab has systems covering all the most common operating systems with different services and configurations. There were already systems in the lab that were intentionally vulnerable to the WannaCry exploit. Our global threat intelligence feeds used in the Zenith platform are updated in real time, and had no trouble detecting the infection in our lab environment (see Figure 1).

Two lab systems were identified running the malicious WannaCry sample. While it is great to see our global threat intelligence feeds updated so rapidly and recognizing the ransomware samples, there were other behaviors we found that would have identified the ransomware threat even if there had not been a threat signature.

Zenith agents collect a huge amount of data on what’s happening on each host. From this visibility data, we develop non-signature-based detection techniques to look for generally malicious or anomalous behavior. In Figure 2 below, we show the behavioral detection of the WannaCry threat.

Examining the Breadth of WannaCry Infections

Once detected, either through signature or behavioral methods, it is very simple to see which other systems have also been infected or are displaying similar behaviors.

Detecting WannaCry with Ziften and Splunk

After reviewing this information, I decided to run the WannaCry sample in my own environment on a vulnerable system. I had one vulnerable system running the Zenith agent, and in this case my Zenith server was already configured to integrate with Splunk. This enabled me to look at the same information inside Splunk. Let me elaborate on the integration we have with Splunk.

We have 2 Splunk apps for Zenith. The first is our technology add-on (TA): its role is to consume and index ALL the raw data from the Zenith server that the Ziften agents generate. As this data arrives it is mapped into Splunk’s Common Information Model (CIM) so that it can be normalized and easily searched, as well as used by other apps such as the Splunk App for Enterprise Security (Splunk ES). The Ziften TA also includes Adaptive Response capabilities for taking actions from events that are rendered in Splunk ES. The second app is a dashboard for displaying our data with all the charts and graphs available in Splunk, making the data much easier to digest.

Since I already had the information on how the WannaCry exploit behaved in our research lab, I had the advantage of knowing exactly what to search for in Splunk using the Zenith data. In this case I was able to see a signature alert by using the VirusTotal integration with our Splunk app (see Figure 4).

Threat Hunting for WannaCry Ransomware in Ziften and Splunk

But I wanted to put on my “incident responder hat” and investigate this in Splunk using the Zenith agent data. My first thought was to search the systems in my lab for ones running SMB, because that was the initial vector for the WannaCry attack. The Zenith data is encapsulated in various message types, and I knew that I would most likely find SMB data in the running process message type; however, I used Splunk’s * wildcard with the Zenith sourcetype so I could search all Zenith data. The resulting search looked like ‘sourcetype=ziften:zenith:* smb’. As I expected, I received 1 result back for the system that was running SMB (see Figure 5).

My next step was to use the same behavioral search we have in Zenith that looks for typical CryptoWare, and see if I could get results back. Again this was very simple to do from the Splunk search panel. I used the same wildcard sourcetype as before so I could search across all Zenith data, and this time I added the ‘delete shadows’ string search to see if this behavior was ever launched at the command line. My search looked like ‘sourcetype=ziften:zenith:* delete shadows’. This search returned results, shown in Figure 6, that showed me in detail the process that was created and the full command line that was executed.

Having all this information within Splunk made it very easy to determine which systems were vulnerable and which systems had already been compromised.
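The two searches above, and the vulnerable-versus-compromised split that follows from them, can be reproduced outside Splunk. The Python below is an added example, not the Ziften TA, the Zenith console or Splunk’s search engine: it runs a wildcard sourcetype filter plus free-text term matching over a handful of constructed Zenith-style process records. The sourcetype prefix follows the post; the hosts, field names and command lines are made up for the example, including a second SMB host so that the triage has something to classify as vulnerable but not yet hit.

```python
"""Reproduce the two Splunk hunts from the post over constructed Zenith-style
process records: a wildcard sourcetype filter plus free-text term matching.
Added example; not the Ziften TA and not Splunk's own search engine."""
from fnmatch import fnmatchcase

# Constructed sample records, loosely shaped like CIM process/service events.
# Hosts, field names and command lines are invented for this example.
SAMPLE_EVENTS = [
    {"sourcetype": "ziften:zenith:process", "host": "lab-win7-01",
     "process": "svchost.exe", "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"sourcetype": "ziften:zenith:service", "host": "lab-win7-01",
     "process": "lanmanserver", "cmdline": "Server (SMB) service running, port 445"},
    {"sourcetype": "ziften:zenith:process", "host": "lab-win7-01",
     "process": "cmd.exe", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"sourcetype": "ziften:zenith:process", "host": "lab-win10-02",
     "process": "explorer.exe", "cmdline": "C:\\Windows\\explorer.exe"},
    {"sourcetype": "ziften:zenith:service", "host": "lab-win10-02",
     "process": "lanmanserver", "cmdline": "Server (SMB) service running, port 445"},
    {"sourcetype": "other:syslog", "host": "lab-linux-03",
     "process": "sshd", "cmdline": "/usr/sbin/sshd -D"},
]


def search(events, sourcetype_pattern, *terms):
    """Return events whose sourcetype matches the glob (Splunk-style '*')
    and whose fields contain every term, case-insensitively, anywhere."""
    hits = []
    for ev in events:
        if not fnmatchcase(ev["sourcetype"], sourcetype_pattern):
            continue
        haystack = " ".join(str(v) for v in ev.values()).lower()
        if all(t.lower() in haystack for t in terms):
            hits.append(ev)
    return hits


def hosts_running_smb(events):
    """Equivalent of 'sourcetype=ziften:zenith:* smb': hosts that expose SMB."""
    return sorted({ev["host"] for ev in search(events, "ziften:zenith:*", "smb")})


def shadow_copy_deletions(events):
    """Equivalent of 'sourcetype=ziften:zenith:* delete shadows': the host and
    full command line for each shadow-copy deletion observed."""
    return [(ev["host"], ev["cmdline"])
            for ev in search(events, "ziften:zenith:*", "delete", "shadows")]


def triage(events):
    """Split hosts into 'vulnerable' (SMB exposed, no ransomware behaviour yet)
    and 'compromised' (shadow-copy deletion seen), as the post does by eye."""
    smb = set(hosts_running_smb(events))
    hit = {host for host, _ in shadow_copy_deletions(events)}
    return {"compromised": sorted(hit), "vulnerable": sorted(smb - hit)}


if __name__ == "__main__":
    print("SMB hosts:", hosts_running_smb(SAMPLE_EVENTS))
    print("shadow deletions:", shadow_copy_deletions(SAMPLE_EVENTS))
    print("triage:", triage(SAMPLE_EVENTS))
```

The term matching is deliberately as loose as a bare Splunk keyword search: any field may match, so `smb` also catches the word inside a service description. In a real index you would pin the second hunt to the command-line field and feed the `compromised` list to the quarantine action and the `vulnerable` list to the SMB-shutdown action described in the next section.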

WannaCry Remediation Using Splunk and Ziften

One of the next steps in any kind of breach is to remediate the compromise as quickly as possible to prevent further damage and to take action to prevent any other systems from being compromised. Ziften is one of the original Splunk Adaptive Response members, and there are a variety of actions (see Figure 7) that can be taken through Splunk’s Adaptive Response to mitigate these threats through extensions on Zenith.

In the case of WannaCry we could have used nearly any of the Adaptive Response actions currently available through Zenith. When looking to minimize the impact and prevent WannaCry in the first place, one action that can be taken is to shut down SMB on any systems running the Zenith agent where the version of SMB running is known to be vulnerable. With a single action, Splunk can pass to Zenith the agent IDs or the IP addresses of all the vulnerable systems where we wanted to stop the SMB service, thus preventing the threat from ever occurring and allowing the IT Operations team to get those systems patched before starting the SMB service again.

Preventing Ransomware from Spreading or Exfiltrating Data

Now, in the event that we have already been compromised, it is vital to prevent further exploitation and stop the possible exfiltration of sensitive information or company intellectual property. There are really 3 actions we could take. The first two are similar, in that we could kill the malicious process by either PID (process ID) or by its hash. This is effective, but since malware will often just spawn under a new process, or be polymorphic and have a different hash, we can apply an action that is guaranteed to prevent any inbound or outbound traffic from those infected systems: network quarantine. This is another example of an Adaptive Response action available from Ziften’s integration with Splunk ES.

WannaCry is already subsiding, but hopefully this technical blog shows the value of the Ziften and Splunk integration in handling ransomware threats against the endpoint.

Ziften Leads The Way In End To End Protection – Chuck Leaver

Written By Ziften CEO Chuck Leaver


Do you want to manage and protect your endpoints, your data center, the cloud, and your network? Then Ziften has the right solution for you. We gather data, and allow you to correlate and use that data to make decisions, and be in control of your enterprise.

The information we obtain from everyone on the network can make a real-world difference. Consider the proposition that the 2016 U.S. elections were influenced by hackers from another nation. If that’s true, cybercriminals can do almost anything, and the idea that we’ll accept that as the status quo is simply ludicrous.

At Ziften, we believe the way to combat those threats is with greater visibility than you’ve ever had. That visibility spans the entire business, and links all the major players together. On the back end, that’s real and virtual servers in the data center and the cloud. That’s applications and containers and infrastructure. On the other side, it’s laptops and desktop computers, irrespective of where and how they are connected.

End-to-end: that’s the thinking behind everything at Ziften. From the endpoint to the cloud, all the way from a web browser to a DNS server. We tie all that together, with all the other parts, to give your business a complete solution.

We also capture and store real-time data for up to 12 months to let you know what’s happening on the network today, and provide historical trend analysis and alerts if something changes.

That lets you identify IT faults and security issues immediately, and also ferret out the root cause by looking back in time to see where a breach or fault may have first happened. Active forensics are an absolute necessity in this business: after all, where a breach or fault first triggered an alarm may not be the place where the problem started, or where a hacker is operating.

Ziften provides your security and IT teams with the visibility to understand your current security posture, and identify where improvements are required. Non-compliant endpoints? Found. Rogue devices? Found. Penetration off-network? Detected. Out-of-date firmware? Unpatched applications? All discovered. We’ll not just help you find the issue, we’ll help you fix it, and make sure it stays fixed.

End-to-end IT and security management. Real-time and historical active forensics. In the cloud, offline, and onsite. Incident detection, containment, and response. We’ve got it all covered. That’s what makes Ziften better.

First Part Of Why Edit Distance Is Important – Chuck Leaver

Written By Jesse Sampson And Presented By Chuck Leaver CEO Ziften


Why are the same tricks used by attackers all the time? The simple answer is that they still work today. For example, Cisco’s 2017 Cyber Security Report tells us that after years of decline, spam e-mail with malicious attachments is once again growing. In that conventional attack vector, malware authors typically conceal their activities by using a filename much like a common system process.

There is not necessarily a connection between a file’s path name and its contents: anyone who has tried to hide sensitive information by giving it a boring name like “taxes”, or changed the extension on a file attachment to circumvent e-mail rules, knows this principle. Malware creators understand this too, and will typically name malware to resemble common system processes. For example, “iexplore.exe” is Internet Explorer, but “iexplorer.exe” with an additional “r” could be anything. It’s easy even for professionals to overlook this minor distinction.

The opposite problem, known .exe files running in unusual locations, is simple to address using string functions and SQL sets.


How about the other case, finding close matches to the executable name? Most people start their search for near string matches by sorting data and visually looking for discrepancies. This usually works well for a small set of data, maybe even a single system. To find these patterns at scale, however, requires an algorithmic approach. One recognized technique for “fuzzy matching” is to use Edit Distance.

What’s the best approach to calculating edit distance? For Ziften, our technology stack includes HP Vertica, which makes this job easy. The web is full of data scientists and data engineers singing Vertica’s praises, so it will suffice to mention that Vertica makes it simple to develop custom functions that take advantage of its power, from C++ power tools to statistical modeling scalpels in R and Java.

This Git repo is maintained by Vertica enthusiasts working in industry. It’s not an official offering, but the Vertica team is certainly aware of it, and moreover is thinking every day about ways to make Vertica better for data scientists; it’s a great space to watch. Best of all, it contains a function to compute edit distance! There are also other natural language processing tools here, like word tokenizers and stemmers.

By using edit distance on the top executable paths, we can quickly find the closest match to each of our top hits. This is an interesting data set, as we can sort by distance to find the nearest matches over the whole dataset, or we can sort by frequency of the top path to see what is the closest match to our most frequently used processes. This data can also appear on contextual “report card” pages, to show, e.g., the top 5 nearest strings for a given path. Below is a toy example to give a sense of use, based on real data ZiftenLabs observed in a client environment.


Setting an upper limit of 0.2 seems to find good results in our experience, but the takeaway is that these thresholds can be adapted to fit specific use cases. Did we find any malware? We notice that “teamviewer_.exe” (should be just “teamviewer.exe”), “iexplorer.exe” (should be “iexplore.exe”), and “cvshost.exe” (should be svchost.exe, unless maybe you work for CVS pharmacy…) all look strange. Since we’re already in our database, it’s also trivial to obtain the associated MD5 hashes, Ziften suspicion scores, and other attributes to do a deeper dive.
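A runnable version of both checks, the known-name-in-an-unusual-directory test and the edit-distance near-miss hunt, as an added example that is not Ziften’s Vertica function or the Git repo’s code: the Levenshtein distance is implemented directly in Python and normalized by the longer string so that the 0.2 cut-off from the post applies as-is. The allow-list of known process names with their expected directories and the table of “top executable paths” with counts are constructed for the example; they mirror the names discussed in the post rather than any real client data.

```python
"""Near-match hunting for masquerading process names, plus the simpler check
for known names running in unusual directories. Added example: a plain Python
Levenshtein distance stands in for Ziften's Vertica UDF. All data is constructed."""
import ntpath

# Hypothetical allow-list: well-known names and the directories they normally live in.
KNOWN_PROCESSES = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "iexplore.exe": {r"c:\program files\internet explorer",
                     r"c:\program files (x86)\internet explorer"},
    "teamviewer.exe": {r"c:\program files\teamviewer",
                       r"c:\program files (x86)\teamviewer"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
}

# Constructed "top executable paths" with observation counts.
OBSERVED_PATHS = {
    r"C:\Windows\System32\svchost.exe": 4210,
    r"C:\Windows\explorer.exe": 980,
    r"C:\Program Files\Internet Explorer\iexplore.exe": 640,
    r"C:\Users\bob\AppData\Local\Temp\svchost.exe": 12,   # real name, odd place
    r"E:\PortableApps\teamviewer_.exe": 3,
    r"E:\PortableApps\iexplorer.exe": 2,
    r"C:\Users\alice\AppData\Roaming\cvshost.exe": 7,
    r"C:\Program Files\Google\Chrome\Application\chrome.exe": 1500,
}


def levenshtein(a, b):
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalized_distance(a, b):
    """Edit distance scaled to [0, 1] by the longer string, so the post's 0.2
    threshold means 'at most one edit per five characters'."""
    longest = max(len(a), len(b))
    return levenshtein(a, b) / longest if longest else 0.0


def _common_prefix(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def nearest_known(name, known=KNOWN_PROCESSES):
    """Closest allow-listed name and its normalized distance. Ties (e.g.
    'iexplorer.exe' is one edit from both 'iexplore.exe' and 'explorer.exe')
    go to the candidate sharing the longer common prefix."""
    best = min(known, key=lambda k: (normalized_distance(name, k), -_common_prefix(name, k)))
    return best, normalized_distance(name, best)


def near_miss_names(observed=OBSERVED_PATHS, known=KNOWN_PROCESSES, limit=0.2):
    """Names that are NOT a known process but sit within `limit` of one,
    i.e. the 'iexplorer.exe' style look-alikes, sorted by distance."""
    flagged = []
    for path, count in observed.items():
        name = ntpath.basename(path).lower()
        if name in known:
            continue                      # exact match: handled by the other check
        match, dist = nearest_known(name, known)
        if dist <= limit:
            flagged.append((name, match, round(dist, 3), count))
    return sorted(flagged, key=lambda row: row[2])


def misplaced_known_names(observed=OBSERVED_PATHS, known=KNOWN_PROCESSES):
    """The opposite problem from the post: a genuine name running outside the
    directories it is expected in. Pure string comparison, no fuzziness."""
    return sorted(
        path for path in observed
        if ntpath.basename(path).lower() in known
        and ntpath.dirname(path).lower() not in known[ntpath.basename(path).lower()]
    )


if __name__ == "__main__":
    for row in near_miss_names():
        print("near miss: %-16s ~ %-15s dist=%.3f seen=%d" % row)
    for path in misplaced_known_names():
        print("misplaced:", path)
```

With this data the near-miss hunt returns exactly the three names from the post (teamviewer_.exe, iexplorer.exe and cvshost.exe, with cvshost.exe at 2/11 ≈ 0.18, just under the cut-off) while chrome.exe, a legitimate name with no close neighbour in the allow-list, stays well above 0.2; the directory check separately catches the svchost.exe copy in a user’s Temp folder. Both results are the starting point for the deeper dive the post describes, not a verdict on their own.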


In this particular real-life environment, it turned out that teamviewer_.exe and iexplorer.exe were portable applications, not known malware. We helped the client with additional investigation on the user and system where we observed the portable applications, since use of portable apps on a USB drive could be evidence of mischievous activity. The more troubling find was cvshost.exe. Ziften’s intelligence feeds indicate that this is a suspect file. Searching for the MD5 hash of this file on VirusTotal confirms the Ziften data, suggesting that this is a potentially serious Trojan that may be part of a botnet or doing something even more malicious. Once the malware was discovered, however, it was easy to fix the problem and make sure it stays resolved using Ziften’s ability to kill and continuously block processes by MD5 hash.

Even as we develop advanced predictive analytics to identify malicious patterns, it is important that we continue to improve our abilities to hunt for known patterns and old techniques. Just because new threats emerge doesn’t mean the old ones disappear!

If you liked this post, watch this space for the second part of this series, where we will apply this technique to hostnames to find malware droppers and other malicious websites.

In 2017 We Have Defined Three Tiers Of Espionage In The Cyber World – Chuck Leaver

Written By Jesse Sampson And Presented By Ziften CEO Chuck Leaver


With all the current controversy about the hacking threat from Russia, it would be easy for security professionals to become overly worried about cyber espionage. Because the objectives of any cyber espionage campaign determine its targets, Ziften Labs can help address this question by examining why states carry out these campaigns.

Last Friday, the three major United States intelligence agencies released a detailed statement on Russia’s activities related to the 2016 US elections: Assessing Russian Activities and Intentions in Recent US Elections (“Activities and Intentions”). While some skeptics remain unconvinced by the new report, the threats it identifies, covered in this post, are compelling enough to warrant assessment and realistic countermeasures, despite the near impossibility of incontrovertibly attributing the attack. Of course, the official Russian position has been a winking denial of the hacks.

“Usually these kinds of leaks occur not since cyber attackers gained access, but, as any professional will inform you, since someone merely forgot the password or set the easy password 123456.” – German Klimenko, Putin’s leading Internet consultant

While the agencies get criticized for bureaucratic language like “high confidence,” the considered rigor of briefings like Activities and Intentions contrasts with the headline-friendly “1000% certainty” of a mathematically disinclined media hustler like Julian Assange.

Activities and Intentions is most perceptive when it situates the use of hacking and cyber espionage within “multifaceted” Russian doctrine:

“Moscow’s use of disclosures during the US election was unmatched, however its influence campaign otherwise followed a longstanding Russian messaging strategy that mixes concealed intelligence operations – such as cyber activity – with obvious efforts by Russian Government agencies, state-funded media, third-party intermediaries, and paid social networks users or ‘trolls.’”

The report is at its weakest when examining the intentions behind the doctrine, or the strategy. Apart from some incantations about intrinsic Russian hostility to the liberal democratic order, it asserts that:

“Putin probably wanted to discredit Secretary Clinton because he has publicly blamed her since 2011 for prompting mass protests against his regime in late 2011 and early 2012, and since he deeply resents remarks he probably viewed as disparaging him.”

A more nuanced examination of Russian motivations and their cyber manifestations will help us better determine security strategies in this environment. Ziften Labs has identified three major strategic imperatives at work.

First, as Kissinger puts it, throughout history “Russia decided to see itself as a beleaguered station of civilization for which security could be found only through exerting its absolute will over its next-door neighbors” (52). United States policy in the Clinton era threatened this notion through the expansion of NATO and disruptive economic interventions, possibly contributing to a Russian preference for a Trump presidency.

Russia has already used cyber warfare tactics to protect its influence in former Soviet territories (Estonia, 2007; Georgia, 2008; Ukraine, 2015).

Second, President Putin wants Russia to be a great power in geopolitics again. “Above all, we should acknowledge that the collapse of the Soviet Union was a major geopolitical disaster of the century,” he said in 2005. Hacking the accounts of prominent people in political, academic, defense, technology, and other institutions, which operatives can then leak to embarrassing or scandalous effect, is an easy way for Russia to discredit the United States. The perception that Russia can influence election outcomes in the US with keystrokes calls into question the legitimacy of US democracy, and muddies discussion of similar concerns in Russia. Combined with other prestige-boosting efforts like brokering the ceasefire talks in Syria (after leveling many cities), this strategy could enhance Russia’s global profile.

Finally, President Putin may have concerns about his own job security. Despite extremely favorable election results, according to Activities and Intentions, the protests of 2011 and 2012 still loom large in his mind. With numerous regime changes in his neighborhood in the 2000s and 2010s (he called it an “epidemic of disintegration”), some of which came about through NATO and United States intervention, President Putin is wary of Western interventionists who wouldn’t mind a similar outcome in Russia. A coordinated campaign could help discredit rivals and put the least hawkish candidates in power.

Given these motives for Russian cyber attacks, who are the likely targets?

Given the overarching goals of discrediting the legitimacy of the United States and NATO and helping non-interventionist candidates where possible, government agencies, particularly those with roles in elections, are at greatest risk. So too are campaign organizations and other NGOs close to politics, like think tanks. These have provided softer targets through which attackers gain access to sensitive information. It follows that organizations holding account information for, or access to, prominent individuals whose data could cause embarrassment or confusion for US political, business, academic, and media institutions should be extra careful.

The next tier of risk comprises critical infrastructure. While recent Washington Post reports of a compromised United States electrical grid turned out to be overhyped, Russia has in fact hacked power networks and possibly other parts of physical infrastructure like oil and gas. Beyond critical physical infrastructure, technology, finance, telecoms, and media could be targeted, as happened in Estonia and Georgia.

Finally, although the intelligence agencies’ work over the past weeks has caught some flak for presenting “obvious” recommendations, everyone would genuinely benefit from the recommendations in the Homeland Security/FBI report, and in this blog post on hardening your configuration by Ziften’s Dr. Al. With major elections coming up this year in key NATO members Germany, France, and the Netherlands, only one thing is certain: it will be a busy year for Russian hackers, and these recommendations should be a top priority.

You Are Not Immune From A Cyber Attack But You Can Do This – Chuck Leaver

Written By Chuck Leaver CEO Ziften


No business, however small or large, is immune from a cyberattack. Whether the attack originates from an outside source or from the inside, no business is fully protected. I have lost count of the number of times senior managers have said to me, “why would anyone want to hack us?”

Cyberattacks Can Take Many Forms

The proliferation of devices that can connect to business networks (laptops, mobile phones and tablets) means increased exposure to security vulnerabilities. The goal of a cyberattack is to exploit those vulnerabilities.


One of the most common cyber attack methods is the use of malware. Malware is code with malicious intent and includes viruses, Trojans and worms. The goal of malware is frequently to steal sensitive data or even destroy computer networks. Malware often takes the form of an executable file that spreads across your network.

Malware is becoming far more sophisticated; there is now rogue malware that masquerades as genuine security software designed to protect your network.

Phishing Attacks

Phishing attacks are also common. Most often it’s an e-mail sent from a supposedly “trusted authority” asking the user to supply personal data by clicking on a link. Some of these phishing e-mails look very genuine and have deceived many users. If the link is clicked and data entered, the information will be stolen. Today an increasing number of phishing emails carry ransomware.

Password Attacks

A password attack is one of the simplest kinds of cyber attack. This is where an unauthorized third party attempts to gain access to your systems by “cracking” the login password. Software can be used to carry out brute force attacks that guess passwords, and the word combinations used as passwords can be checked against a dictionary file.

If a hacker gains access to your network through a password attack, they can quickly deploy malware and cause a breach of your sensitive data. Password attacks are among the easiest to prevent, and strict password policies provide a very effective barrier. Changing passwords regularly is also recommended.

Denial of Service

A Denial of Service (DoS) attack is all about causing maximum disruption to the network. Attackers send very high volumes of traffic through the network, typically by making large numbers of connection requests. The result is that the network is overloaded and shuts down.

Hackers can use many computers in a DoS attack to generate extremely high levels of traffic to overload the network. Just recently, the largest DoS attack in history used botnets against Krebs On Security. Often, endpoint devices connected to the network such as PCs and laptops are hijacked and then contribute to the attack. A DoS attack, if experienced, can have serious repercussions for network security.

Man in the Middle

Man in the middle attacks are carried out by impersonating the endpoints of a network during an information exchange. Information can be stolen from the end user or even from the server they are communicating with.

How Can You Entirely Prevent Cyber Attacks?

Total prevention of cyber attacks is not possible with current technology, but there is a lot you can do to protect your network and your sensitive data. It is essential not to assume that you can simply buy and deploy a security software suite and then relax. The more advanced cyber criminals know every security software product on the market, and have devised ways to overcome the safeguards they offer.

Strong and regularly changed passwords is a policy you should adopt, and one of the simplest safeguards to put in place. Encrypting your sensitive data is another easy step. Beyond installing antivirus and anti-malware suites along with a good firewall, you should ensure that regular backups are in place and that you have a data breach incident response/remediation plan in case the worst happens. Ziften helps businesses continuously monitor for threats that get through their defenses, and act immediately to eliminate the risk.