Category Archives: Cyber Attacks

Tool For Endpoint Security Visibility And Event Remediation – Chuck Leaver

Written By Logan Gilbert And Presented By Chuck Leaver


Ziften assists with incident response, remediation, and investigation, even for endpoints that are not connected to your network.

When incidents occur, security analysts need to act quickly and thoroughly.

With remote workforces and cloud infrastructures, remediation and analysis on an endpoint are genuinely difficult. Below, watch how you can use Ziften to act on the endpoint and determine the origin and spread of a compromise in minutes, no matter where the endpoints are located.

First, Ziften alerts you to malicious activity on endpoints and steers you to the cause of the alarm. In seconds, Ziften lets you take remediation actions on the endpoint, whether it is on the corporate network, in an employee’s home, or at the local cafe. Any remediation action you would normally carry out through direct access to the endpoint, Ziften provides through its web console.

Just that quickly, remediation is taken care of. Now you can apply your security expertise to threat hunting and a bit of forensics work. You can immediately dive into much more detail about the process that led to the alert, and then ask the vital questions to find out how widespread the problem is and where it spread from. Ziften provides thorough incident remediation for security experts.

See directly how Ziften can help your security team zero in on risks in your environment with our 30-day free trial.

Endpoint Management Is Vital To Stop Cyber Attacks – Chuck Leaver

Written By Chuck Leaver, CEO Ziften


Identify and control any device that requires access to your business network.

As an organization grows, so does its asset footprint, and managing the whole set of IT assets becomes much harder. IT management has changed from the days when IT asset management meant recording devices such as printers, taking an inventory of all installed applications, and making sure that antivirus suites were up to date.

Today, organizations are under constant threat of cyber attacks that use malicious code to infiltrate the corporate network. Many devices now have network access capabilities. Gone are the days when only desktop PCs connected to a business network. Now there is a culture of bring your own device (BYOD), where phones, tablets and laptops are all likely to connect to the network.
While this offers flexibility for companies, giving users the ability to connect remotely, it opens up a whole new range of vulnerabilities, as these varied endpoints make the challenge of business IT security far more complex.

What Is Endpoint Management?

It is essential to take a policy-based approach to the endpoint devices connected to your network in order to reduce the risk of cyber attacks and data breaches. Laptops, tablets, mobile phones and other devices may be convenient, but they can expose companies to a huge range of security threats. The main objective of a sound endpoint management strategy should be that network activity is closely monitored and unauthorized devices cannot access the network.

Most endpoint management software will check that the device runs an approved operating system and antivirus software, and will verify that the device has an up-to-date virtual private network (VPN) client.

Endpoint management systems identify and manage any device that requires access to the organization’s network. Anyone trying to access the organization’s environment from a non-compliant device is denied access. This is vital to combat attacks from cyber criminals and infiltration by malicious groups.

Any device that does not comply with endpoint management policies is either quarantined or granted restricted access. Local administrative rights may be removed and Internet browsing limited.

Organizations Can Do More

There are a number of methods that a company can use as part of its endpoint management policy. These include firewalls (both network and personal), encryption of sensitive data, stronger authentication methods, which certainly include hard-to-guess passwords that are changed regularly, and antivirus and anti-malware protection at both the device and network level.

Endpoint management systems can work on a client-server basis, where the software is deployed and centrally managed on a server. The client program must be installed on every endpoint device that is authorized to access the network. It is also possible to use a software-as-a-service (SaaS) model of endpoint management, where the service vendor hosts and maintains the server and the security applications remotely.

When a client device attempts to log in, the server-based application scans the device to see whether it complies with the organization’s endpoint management policy, and then validates the user’s credentials before access to the network is granted.

The Problem With Endpoint Management Systems

Most businesses see security software as a “cure-all”, but it is not that clear-cut. Endpoint security software bought as a set-and-forget solution will never be enough. Experienced hackers know about these products and are developing malicious code that evades the defenses a set-and-forget application can provide.

There needs to be human intervention. As Jon Oltsik, contributor at Network World, said: “CISOs must take ownership of endpoint security and designate a group of experts who own endpoint security controls as part of an overall obligation for incident prevention, detection, and response.”

Ziften’s endpoint security services supply the continuous monitoring and look-back visibility that a cyber security team requires to identify and act on malicious infiltrations before they spread and steal the organization’s sensitive data.

It’s Time To Eradicate Adobe Flash To Keep The Hackers Out – Chuck Leaver

Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO


Get Tough or Get Attacked.

Highly experienced and skilled cyber attack teams have targeted and are targeting your business. Your large endpoint population is the most common point of entry for experienced attack groups. These enterprise endpoints number in the thousands, are loosely managed, laxly configured, and riddled with vulnerability exposures, and are operated by partially trained, credulous users: a target-rich opportunity. Mikko Hypponen, chief research officer at F-Secure, often remarks at industry symposia: “How many of the Fortune 500 are attacked today? The response: 500.”

And how long did it take to penetrate your business? White hat hackers performing penetration testing or red team exercises typically compromise target enterprises within the first few hours, despite being ethically and legally limited in their methods. Black hat or state-sponsored hackers may achieve penetration even more quickly and maintain their presence indefinitely. Given average attacker dwell times measured in many days, the time-to-penetration is negligible, not an obstacle.

Exploit Packages

The industrialization of hacking has created a black market for attack tools, including a variety of software for identifying and exploiting client endpoint vulnerabilities. These exploit kits are marketed to cyber attackers on the dark web, with many exploit kit families and vendors. An exploit kit works by assessing the software configuration on the endpoint, identifying exposed vulnerabilities, and applying an exploit to a vulnerability exposure.

A relative handful of commonly deployed endpoint software packages account for the bulk of the vulnerabilities targeted by exploit kits. This stems from the unfortunate reality that complex software applications tend to exhibit a continual flow of vulnerabilities that leaves them perpetually exposed. Each patch release cycle, exploit kit developers download the latest security patches, reverse engineer them to find the underlying vulnerabilities, and update their exploit kits. This is often done more quickly than organizations apply patches, with some vulnerabilities remaining unpatched and ripe for exploitation even years after a patch is issued.

Adobe Flash

Before widespread adoption of HTML5, Adobe Flash was the most commonly used software for rich Internet content. Even with increasing adoption of HTML5, legacy Adobe Flash retains a significant following, keeping its long-held position as the darling of exploit kit authors. A recent study by Digital Shadows, In the Business of Exploitation, is instructive:

This report analyzes 22 exploitation kits to understand the most frequently exploited software. We searched for trends within the exploitation of vulnerabilities by these 22 packages to show exactly what vulnerabilities had actually been exploited most commonly, coupled with how active each exploit set was, in order to inform our evaluation.

The vulnerabilities exploited by all 22 exploit kits showed that Adobe Flash Player was most likely to be the most targeted software, with 27 of the 76 identified vulnerabilities exploited relating to this software application.

With relative consistency, dozens of fresh vulnerabilities are disclosed in Adobe Flash every month. To exploit kit developers, it is the gift that keeps on giving.

The industry is learning its lesson and moving beyond Flash for rich web content. For instance, a Yahoo senior developer, blogging recently in Streaming Media, noted:

“Adobe Flash, once the de-facto requirement for media playback on the web, has lost favor in the industry due to increasing concerns over security and performance. At the same time, needing a plugin for video playback in browsers is losing favor amongst users also. As a result, the market is moving toward HTML5 for video playback.”

Amit Jain, Sep 21, 2016

Eliminating Adobe Flash

One step businesses can take today to harden their endpoint configurations is to get rid of Adobe Flash as a matter of organizational security policy. This will not be easy, and it may be painful, but it will be valuable in reducing your enterprise attack surface. It involves blacklisting Adobe Flash Player and enforcing browser security settings that disable Flash content. If done properly, this is what users will see where Flash content appears on a legacy web page:


This message confirms two facts:

1. Your system is correctly configured to refuse Flash content.

Congratulate yourself!

2. This website would compromise your security for its convenience.

Ditch this website!

A New Era For Endpoints With Illumination – Chuck Leaver

Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver


The dissolving of the conventional perimeter is happening fast. So what about the endpoint?

Investment in perimeter security, as defined by firewalls, managed gateways and intrusion detection/prevention systems (IDS/IPS), is changing. Investments are being questioned, with returns unable to overcome the cost and complexity of building, maintaining, and validating these antiquated defenses.

Not only that, the paradigm has changed: employees are no longer working solely in the office. Many people log hours from home or while traveling, and neither place is under the umbrella of a firewall. Instead of keeping cyber criminals out, firewalls often have the inverse effect: they prevent the good guys from being productive. The paradox? They create a safe haven for attackers to breach and hide in for months, then move on to critical systems.

So What Has Changed So Much?

The endpoint has become the last line of defense. With the aforementioned failure of perimeter defense and a “mobile everywhere” workforce, we must now enforce trust at the endpoint. Easier said than done, however.

In the endpoint space, identity and access management (IAM) systems are not the perfect answer. Even innovative companies like Okta and OneLogin, and cloud proxy vendors such as Blue Coat and Zscaler, cannot overcome one simple truth: trust goes beyond simple identification, authentication, and authorization.

Encryption is a second attempt at securing entire libraries and specific assets. In the most recent (2016) Ponemon study on data breaches, encryption saved only 10% of the cost per breached record (from $158 to $142). This isn’t the remedy that some make it out to be.

The Whole Picture Is Changing.

Organizations must be prepared to accept new paradigms and attack vectors. While companies must provide access to trusted groups and individuals, they have to do so in a better way.

Important company systems are now accessed from anywhere, at any time, not just from desks in corporate office buildings. And contractors (the contingent workforce) are quickly coming to make up over half of the total business workforce.

On endpoint devices, the binary is primarily the problem. Seemingly benign events, such as an executable crash, may indicate something simple, like the Windows 10 Desktop Window Manager (DWM) restarting. Or it may be a much deeper problem, such as a malicious file or early indicators of an attack.

Trusted access does not solve this vulnerability. According to the Ponemon Institute, between 70% and 90% of all attacks are caused by human error, social engineering, or other human factors. This requires more than basic IAM; it requires behavioral analysis.

Rather than making good better, perimeter and identity access companies made bad faster.

When and Where Does the Good News Start?

Going back a little, Google (Alphabet Corp) announced a perimeter-less network design in late 2014, and has made considerable progress. Other enterprises, from corporations to governments, have done this (quietly and less rigorously), but BeyondCorp has done it and revealed its solution to the world. The design approach, endpoint plus (public) cloud displacing the cloistered enterprise network, is the crucial principle.

This changes the whole discussion of an endpoint, be it a laptop, desktop, workstation, or server, as subservient to the corporate/enterprise/private/organization network. The endpoint really is the last line of defense, and must be protected, yet it must also report its activity.

Unlike the conventional perimeter security model, BeyondCorp doesn’t gate access to services and tools based on a user’s physical location or the originating network; instead, access policies are based on information about a device, its state, and its associated user. BeyondCorp considers both external networks and internal networks to be completely untrusted, and gates access to applications by dynamically asserting and enforcing levels, or “tiers,” of access.

By itself, this appears innocuous. But the truth is that this is a radical new design, and it is imperfect. The access requirements have moved from network addresses to device trust levels, and the network is heavily segmented by VLANs, rather than a centralized design with capacity for breaches, hacks, and threats at the human level (the “soft chewy center”).

The bright side? Breaching the perimeter is incredibly challenging for potential attackers, and network pivoting becomes next to impossible once past the reverse proxy (a common technique used by cyber attackers today, proving that firewalls do a better job of keeping the bad guys in than of letting legitimate users out). The opposite design further applies to Google cloud servers, presumably tightly managed inside the perimeter, versus client endpoints, which are all out in the wild.

Google has made some great refinements to proven security techniques, especially 802.1X and RADIUS, and bundled them as the BeyondCorp architecture, including strong identity and access management (IAM).

Why Is This Important? What Are the Gaps?

Ziften believes in this approach because it emphasizes device trust over network trust. However, Google does not specifically describe a device security agent or emphasize any form of client-side monitoring (apart from extremely strict configuration control). While there may be reporting and forensics, this is something every organization should be aware of, since it’s a question of when, not if, bad things will happen.

Since implementing the initial stages of the Device Inventory Service, we’ve consumed billions of deltas from over 15 data sources, at a common rate of about 3 million daily, totaling over 80 terabytes. Retaining historical data is vital in permitting us to understand the end-to-end lifecycle of a particular device, track and analyze fleet-wide patterns, and carry out security audits and forensic examinations.

This is a costly and data-heavy process with two shortcomings. On ultra-high-speed networks (used by organizations such as Google, universities and research institutions), ample bandwidth allows this kind of communication to take place without flooding the pipes. The first concern is that in more pedestrian business and government settings, this would cause excessive user disruption.

Second, computing devices need to have the horsepower to constantly collect and transmit data. While most employees would be delighted to have current developer-class workstations at their disposal, the cost of the devices and the process of refreshing them regularly makes this prohibitive.

A Lack of Lateral Visibility

Few systems really produce ‘enhanced’ NetFlow, augmenting conventional network visibility with rich, contextual data.

Ziften’s patented ZFlow™ offers network flow information generated from the endpoint, which is otherwise achieved with brute force (human labor) or expensive network devices.

ZFlow acts as a “connective tissue” of sorts, which extends and completes the end-to-end network visibility cycle, adding context to on-network, off-network and cloud servers/endpoints, and allowing security teams to make faster, better-informed and more accurate decisions. In essence, buying Ziften services leads to a labor cost saving, plus an increase in speed-to-discovery and time-to-remediation, as technology substitutes for human resources.

For companies moving or migrating to the public cloud (as 56% are planning to do by 2021, according to IDG Enterprise’s 2015 Cloud Survey), Ziften offers unequaled visibility into cloud servers to better monitor and protect the complete infrastructure.

In Google’s environment, only corporate-owned devices (COPE) are allowed, crowding out bring your own device (BYOD). This works for a business like Google that can distribute new devices (phone, tablet, laptop, etc.) to all personnel. Part of the reason for that is the vesting of identity in the device itself, in addition to the usual user authentication. The device must meet Google requirements, having either a TPM or a software equivalent of a TPM, to hold the X.509 certificate used to verify device identity and to facilitate device-specific traffic encryption. There must be numerous agents on each endpoint to validate the device predicates called out in the access policy, which is where Ziften would need to partner with the systems management agent provider, because agent cooperation is most likely vital to the process.


In summary, Google has established a first-rate solution, but its applicability and practicality are limited to companies like Alphabet.

Ziften offers the same level of operational visibility and security protection to the masses, using a lightweight agent, metadata/network flow monitoring (from the endpoint), and a best-in-class console. For organizations with specialized needs or incumbent tools, Ziften provides both an open REST API and an extension framework (to augment data ingestion and trigger response actions).

This brings the benefits of the BeyondCorp design to the masses, while conserving network bandwidth and endpoint (machine) computing resources. As companies will be slow to move entirely away from the business network, Ziften partners with firewall and SIEM vendors.

Finally, the security landscape is steadily moving towards managed detection and response (MDR). Managed security service providers (MSSPs) offer conventional monitoring and management of firewalls, gateways and perimeter intrusion detection, but this is inadequate. They lack the skills and the technology.

Ziften’s solution has been evaluated, integrated, approved and implemented by a number of the emerging MDRs, highlighting the standardization (capability) and flexibility of the Ziften platform to play an essential role in remediation and incident response.

The Security Of Your Organization Is Threatened By Adobe Flash – Chuck Leaver

Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO


Still Supporting Apple QuickTime and Adobe Flash for Windows? Didn’t You Get the Memo?

With Independence Day looming, a metaphor is needed: Flash is a bit like lighting fireworks. There may be less dangerous ways to do it, but the only sure way is simply to avoid it. And with Flash, you need not fight pyromaniac urges to abstain from it; just manage your endpoint configurations.



Why would you want to do this? Well, querying Google for “Flash vulnerability” returns thirteen million hits! Flash is old and spent and ripe for retirement, as Adobe put it themselves:

Today [November 30, 2015], open standards such as HTML5 have matured and supply a number of the abilities that Flash introduced… Looking ahead, we encourage content developers to build with brand-new web standards…

Run a vulnerability scanner across your endpoint population. See any Flash indications? Yes, in the typical business, zillions. Your cyber attackers know that too; they are relying on it. Thank you for contributing! Just continue to disregard those bothersome security bloggers, like Brian Krebs:

I would suggest that if you use Flash, you must strongly consider removing it, or a minimum of hobbling it till and unless you need it.

Ignoring Brian Krebs’ advice raises the chances that your business’s data breach will be the feature story in one of his future blog posts.




Flash Exploits: the Preferred Exploit Kit Ingredient

The endless list of Flash vulnerabilities continues to lengthen with each new patch cycle. Nation state attackers and the better resourced groups can call upon Flash zero days. They aren’t difficult to mine: launch your fuzz tester against the creaking Flash codebase and watch them roll out. If an offensive cyber team can’t call upon zero days, no matter, there are plenty of freshly issued Flash Common Vulnerabilities and Exposures (CVE) entries to draw upon before enterprise patch cycles catch up. For exploit kit authors, Flash is the gift that keeps on giving.

A recent FireEye blog exemplifies this typical Flash vulnerability progression, from virgin zero-day to freshly hatched CVE and prime enterprise exploit:

On May 8, 2016, FireEye spotted an attack exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the problem to the Adobe Product Security Incident Response Team (PSIRT). Adobe launched a patch for the vulnerability in APSB16-15 just four days later on (Published to FireEye Risk Research Blog on May 13, 2016).

As a quick test, then, check your vulnerability report for that entry, CVE-2016-4117. It was used in targeted cyber attacks as a zero-day even before it became a known vulnerability. Now that it is known, popular exploit kits will pick it up. Be sure you are ready.

Start a Flash and QuickTime Eradication Project

While we haven’t spoken about QuickTime yet, Apple dropped support for QuickTime on Windows in April 2016. This summarily triggered a panic in corporations with large numbers of Apple macOS and Windows clients. Do you remove all support for QuickTime? Also on macOS? Or just Windows? How do you find the unsupported versions when there are lots of them floating around?



By doing nothing, you can flirt with catastrophe, with Flash vulnerability exposures swarming across your client endpoint environment. Alternatively, you can start a Flash and QuickTime elimination project to move towards a Flash-free enterprise. Or, wait, perhaps you tell your users not to readily open email attachments or click links. User education, that always works, right? I don’t think so.

One issue is that some of your users have a job function that requires opening attachments, such as PDF invoices sent to accounts payable departments, candidates’ Microsoft Word resumes sent to recruiting departments, or legal notices sent to legal departments.

Let’s take a closer look at the Flash exploit described by FireEye in the blog post mentioned above:

Attackers had actually embedded the Flash exploitation inside a Microsoft Office document, which they then hosted on their web server, and utilized a Dynamic DNS (DDNS) domain to reference the doc and payload. With this setup, the enemies might share their exploit by means of URL or email attachment. Although this vulnerability lives within Adobe Flash Player, threat actors created this particular cyber attack for a target operating Windows and Microsoft Office.




Even if the Flash-averse enterprise had thoroughly purged Flash enablement from all their various web browsers, this exploit would still have succeeded. Completely removing Flash requires purging it from all browsers and disabling its execution in embedded Flash objects within Microsoft Office or PDF files. Certainly that is a step that should be taken, at least for those departments whose job function requires opening attachments from unsolicited emails. And extending outwards from there is a worthwhile configuration hardening goal for the security-conscious enterprise.
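As an added example (not Ziften’s code and not from the original post), the PowerShell audit script below checks a Windows endpoint for the three things the eradication project described above needs to verify: registered Adobe Flash Player and QuickTime packages, leftover Flash binaries in the default install directories, and whether the Flash ActiveX kill bit that blocks embedded Flash objects is set. The Flash install directories, the Shockwave Flash CLSID and the assumption that Office honours the Internet Explorer kill bit for embedded objects come from general Windows knowledge, not from the post.

```powershell
# Added audit script (not Ziften's code): report where Adobe Flash Player and
# Apple QuickTime are still present on a Windows endpoint, so an eradication
# project can measure its progress. Read-only; it changes nothing.

# Standard Windows Uninstall registry hives (64-bit, 32-bit and per-user).
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Flash Player's own install directories (ActiveX .ocx for IE/Office,
# NPSWF*.dll for NPAPI browsers). Assumption: default Flash install layout.
$flashDirs = @(
    "$env:SystemRoot\System32\Macromed\Flash",
    "$env:SystemRoot\SysWOW64\Macromed\Flash"
)

# CLSID of the "Shockwave Flash Object" ActiveX control and the IE kill-bit
# key that blocks it. Assumption: Office honours the same kill bit for
# Flash objects embedded in documents.
$flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$killBitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"

function Get-LegacyMediaPackages {
    # Walk every Uninstall entry and keep Flash Player / QuickTime products.
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
            if ($p.DisplayName -like 'Adobe Flash Player*' -or
                $p.DisplayName -like 'QuickTime*') {
                [pscustomobject]@{
                    Product = $p.DisplayName
                    Version = $p.DisplayVersion
                    Source  = $key.PSPath
                }
            }
        }
    }
}

function Get-FlashBinaries {
    # Catch Flash binaries left behind even when no Uninstall entry exists
    # (for example a bundled or manually copied player).
    foreach ($dir in $flashDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem $dir -Include '*.ocx', 'NPSWF*.dll' -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Product = 'Adobe Flash Player binary'
                    Version = $_.VersionInfo.FileVersion
                    Source  = $_.FullName
                }
            }
    }
}

function Test-FlashKillBit {
    # The kill bit is set when the "Compatibility Flags" DWORD has 0x400 set.
    if (-not (Test-Path $killBitKey)) { return $false }
    $flags = (Get-ItemProperty $killBitKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ([int]$flags -band 0x400) -eq 0x400
}

$findings = @(Get-LegacyMediaPackages) + @(Get-FlashBinaries)
if ($findings.Count -eq 0) {
    Write-Output 'No Flash Player or QuickTime packages or binaries found.'
} else {
    $findings | Format-Table -AutoSize
}
Write-Output ("Flash ActiveX kill bit set: {0}" -f (Test-FlashKillBit))
```

Run it with an account that can read HKLM; a clean result is an empty findings table together with the kill bit reported as True.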

Not to mention, we’re all waiting for the first post about a QuickTime vulnerability that devastates a major business.



UEBA Report From Gartner Identifies New Trends In Behavioral Analytics – Chuck Leaver

Written By Josh Linder And Presented By Ziften CEO Chuck Leaver


The market for enterprise behavioral analytics is evolving, again, to support the security use case. In the recent Gartner User and Entity Behavior Analytics (UEBA) Trends Report, Ziften is delighted to be noted as a “Vendor to Watch.” We believe that our established relationships with threat intelligence feeds and visualization tools are reflected in our inclusion in this research note.

In the UEBA Market Report, analysts Eric Ahlm and Avivah Litan discuss a potential convergence in the advanced threat and analytics markets. The idea of UEBA, which extends user behavioral analytics to include organizations, business processes, and autonomous devices such as the Internet of Things, requires deep understanding and the ability to respond rapidly and efficiently.

Our platform provides threat detection across different behavior vectors, rather than looking at a single-threaded signature feed. With integrations to orchestration and response systems, Ziften uniquely couples signature-based and behavioral analysis, while bridging the gap from protecting the endpoint to protecting the entity. Continuous monitoring from the endpoint, including network flow, is vital to understanding the total risk landscape and essential for a holistic security architecture.

We applaud Gartner for recognizing four areas for security and analytics vendors to focus on: User Behavior, Host/App Behavior, Network Behavior, and External Communications Behavior. We are the only endpoint vendor, today, to monitor both network behavior and external communications behavior. Ziften’s ZFlow™ uses network telemetry to go beyond basic IPFIX flow data, enriching it with Layer 4 and Layer 5 operating system and user behavior. Our threat intelligence integration, with Blue Coat, iSIGHT Partners, AlienVault and the National Vulnerability Database, is second to none. In addition, our special relationship with ReversingLabs provides binary analysis directly within the Ziften administration console.

Ultimately, our continuous endpoint visibility system is instrumental in finding behavioral risks that are challenging to correlate without sophisticated analytics.

Gartner Report

Six additional technology trend takeaways that Gartner readers should consider:

– Application of Analytics to Finding Breaches Varies
– Data Science for Analytics Technologies Still Up and Coming
– The Need for Extended Telemetry Drives Analytics Market Convergence
– Merging Between Analytics-Based Detection Vendors and Orchestration/Response Vendors Likely
– SIEM Technologies Positioned to Be Central to Consolidation for Analytics Detection
– Advanced Behavioral Analytics Providers Extending Their Reach to Security Purchasers


Gartner does not back any supplier, service or product portrayed in its research publications, and does not advise technology users to select only those vendors with the greatest ratings or other designation. Gartner research publications consist of the viewpoints of Gartner’s research study organization and ought to not be interpreted as statements of reality. Gartner disclaims all warranties, expressed or implied, with respect to this research study, including any warranties of merchantability or fitness for a particular function.

These 6 Questions Will Provide Damage Control Prior To A Breach – Chuck Leaver

Written By Michael Bunyard And Presented By Ziften CEO Chuck Leaver


The reality of contemporary life is that if cyber hackers want to breach your network, it is just a matter of time before they do. The endpoint is the most common vector of attack, and people are the most significant point of vulnerability in any organization. The endpoint device is where they interact with whatever information an attacker is after: intellectual property, data, cyber ransom, and so on. There are new Next Generation Endpoint Security (NGES) systems, of which Ziften is a leader, that supply the visibility and insight needed to help reduce or avoid the likelihood or duration of an attack. Methods of prevention include reducing the attack surface by removing known vulnerable applications, cutting version proliferation, eliminating malicious processes, and ensuring compliance with security policies.

But prevention can only go so far. No solution is 100% reliable, so it is important to take a proactive, real-time approach to your environment: watching endpoint behavior, discovering when breaches have taken place, and responding immediately with remediation. Ziften also offers these capabilities, typically called Endpoint Detection and Response, and organizations should shift their mindset from “How can we avoid attacks?” to “We are going to be breached, so what do we do then?”

To understand the true ramifications of an attack, organizations have to be able to look back and reconstruct the conditions surrounding a breach. Security analysts need answers to the following six questions, and they need them quickly, because Incident Response personnel are outnumbered and working within limited time windows to mitigate damage.

Where was the attack activity initially seen?

This is where the ability to look back to the point in time of initial infection is crucial. To do this effectively, organizations must be able to go as far back in history as necessary to identify patient zero. The unfortunate state of affairs, according to Gartner, is that when a breach occurs, the average dwell time before it is identified is a stunning 205 days. According to the 2015 Verizon Data Breach Investigations Report (DBIR), in 60% of cases attackers were able to compromise organizations within minutes. That is why NGES solutions that do not continuously monitor and record activity, but instead periodically poll or scan the endpoint, can miss the crucial initial penetration. Likewise, the DBIR found that 95% of malware types were seen for less than four weeks, and four out of five did not last seven days. You need the ability to continuously monitor endpoint activity, look back in time (however long ago the attack occurred) and reconstruct the initial infection.

How did it act?

What happened, step by step, after the initial infection? Did the malware execute for a second every five minutes? Was it able to gain escalated privileges? A continuous picture of what happened behaviorally at the endpoint is essential to get an investigation started.

How and where did the cyber attack spread after initial compromise?

Typically the attacker is not after the information available at the point of infection, but wants to use it as an initial beachhead from which to pivot through the network to reach the sensitive data. Endpoints include the servers that the endpoints connect to, so it is important to see a complete picture of any lateral movement that occurred after the infection, to know which assets were compromised and possibly also infected.

How did the infected endpoint(s) behavior(s) change?

What was going on before and after the infection? What network connections were being attempted? How much network traffic was flowing? What processes were active before and after the attack? Immediate answers to these questions are critical to fast triage.

What user activity happened, and was there any possible insider involvement?

What actions did the user take before and after the infection occurred? Was the user present at the computer? Was a USB drive used? Was the time period outside their typical usage pattern? These and many more artifacts should be available to paint a full picture.

What mitigation is required to fix the cyber attack and prevent another one?

Reimaging the infected machine(s) is a lengthy and costly solution, but sometimes it is the only way to know for sure that all of the harmful artifacts have been removed (although state-sponsored attacks may embed into system or drive firmware to survive even reimaging). With a clear picture of all the activity that took place, however, lesser actions such as removing malicious files from all affected systems may be adequate. Re-examining security policies will most likely be necessary, and NGES systems can help automate future actions should similar circumstances arise. Automatable actions include sandboxing, cutting off network access from infected computers, killing processes, and much more.

Don’t wait until after an attack happens and you have to hire an army of experts and spend time and money piecing the facts together. Make sure you are prepared to answer these six key questions and have all the answers at your fingertips in minutes.
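To show what answering the six questions looks like when you actually have continuous endpoint telemetry to query, here is an added example (not Ziften code or any product's query language). It walks a small constructed event log (hostnames, users, timestamps and the IoC value `BAD_HASH` are all made up) and produces, for each question, the answer an analyst would want: patient zero, the execution profile of the malicious binary, the lateral path to a server, the before/after network picture, the user and USB context, and the set of hosts in scope for remediation.

```python
"""Reconstruct an endpoint incident from continuous telemetry.

Added example; not Ziften code. Hostnames, users, the IoC value
BAD_HASH and every timestamp below are constructed for illustration.
The six helpers map onto the six questions in the post.
"""
from datetime import datetime, timedelta

BAD_HASH = "BAD_HASH_PLACEHOLDER"  # stands in for a real file hash


def T(s):
    return datetime.fromisoformat(s)


# Constructed telemetry rows: (time, host, user, kind, details)
EVENTS = [
    (T("2015-03-01T08:30:00"), "ws-01", "alice", "netconn", {"dst": "intranet", "bytes": 3000}),
    (T("2015-03-01T08:55:00"), "ws-01", "alice", "logon", {}),
    (T("2015-03-01T09:00:00"), "ws-01", "alice", "usb", {"device": "removable-1"}),
    (T("2015-03-01T09:02:00"), "ws-01", "alice", "process", {"hash": BAD_HASH, "elevated": False}),
    (T("2015-03-01T09:03:00"), "ws-01", "alice", "netconn", {"dst": "203.0.113.9", "bytes": 50000}),
    (T("2015-03-01T09:07:00"), "ws-01", "alice", "process", {"hash": BAD_HASH, "elevated": True}),
    (T("2015-03-01T09:10:00"), "ws-01", "alice", "netconn", {"dst": "srv-01", "bytes": 1200}),
    (T("2015-03-01T09:11:00"), "srv-01", "SYSTEM", "process", {"hash": BAD_HASH, "elevated": True}),
    (T("2015-03-01T09:12:00"), "srv-01", "SYSTEM", "netconn", {"dst": "203.0.113.9", "bytes": 900000}),
    (T("2015-03-01T09:40:00"), "ws-01", "alice", "netconn", {"dst": "203.0.113.9", "bytes": 70000}),
]


def ioc_runs(events, ioc=BAD_HASH, host=None):
    """Executions of the IoC, oldest first, optionally limited to one host."""
    return sorted((e for e in events if e[3] == "process" and e[4].get("hash") == ioc
                   and (host is None or e[1] == host)), key=lambda e: e[0])


def first_seen(events, ioc=BAD_HASH):
    """Q1: where and when the IoC first executed (patient zero)."""
    runs = ioc_runs(events, ioc)
    return (runs[0][0], runs[0][1], runs[0][2]) if runs else None


def execution_profile(events, host, ioc=BAD_HASH):
    """Q2: how it behaved on a host: run count, privilege escalation, seconds between runs."""
    runs = ioc_runs(events, ioc, host)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(runs, runs[1:])]
    return {"runs": len(runs), "elevated": any(e[4]["elevated"] for e in runs), "gaps_s": gaps}


def spread(events, ioc=BAD_HASH):
    """Q3: hosts in infection order, each paired with the already-infected host
    that most recently connected to it beforehand (the likely lateral path)."""
    infected, path = {}, []
    for e in ioc_runs(events, ioc):
        if e[1] in infected:
            continue
        candidates = [c for c in events if c[3] == "netconn" and c[4]["dst"] == e[1]
                      and c[1] in infected and c[0] <= e[0]]
        path.append((e[1], max(candidates, key=lambda c: c[0])[1] if candidates else None))
        infected[e[1]] = e[0]
    return path


def behaviour_change(events, host, t0, window=timedelta(hours=1)):
    """Q4: network activity on the host in the window before t0 versus after it."""
    def summarise(lo, hi):
        conns = [e for e in events if e[1] == host and e[3] == "netconn" and lo <= e[0] < hi]
        return {"connections": len(conns), "bytes": sum(e[4]["bytes"] for e in conns),
                "destinations": sorted({e[4]["dst"] for e in conns})}
    return {"before": summarise(t0 - window, t0), "after": summarise(t0, t0 + window)}


def user_context(events, host, t0, window=timedelta(minutes=30)):
    """Q5: logons and removable-media events on the host around t0."""
    return sorted((e[0], e[2], e[3]) for e in events
                  if e[1] == host and e[3] in ("logon", "usb") and abs(e[0] - t0) <= window)


def remediation_scope(events, ioc=BAD_HASH):
    """Q6 input: every host on which the IoC executed."""
    return sorted({e[1] for e in ioc_runs(events, ioc)})


def incident_report(events, ioc=BAD_HASH):
    t0, host, _ = first_seen(events, ioc)
    return {"patient_zero": (host, t0.isoformat()),
            "behaviour": execution_profile(events, host, ioc),
            "spread": spread(events, ioc),
            "change": behaviour_change(events, host, t0),
            "user": user_context(events, host, t0),
            "scope": remediation_scope(events, ioc)}


if __name__ == "__main__":
    for k, v in incident_report(EVENTS).items():
        print(f"{k}: {v}")
```

The point of the exercise is the data shape, not the code: every one of these answers depends on having the process, network, logon and USB events recorded continuously and retained long enough to cover the dwell time. A product that polls the endpoint every few hours would have missed the 09:02 first execution and the five-minute re-execution gap entirely, and without the retained 08:30 connection there is no "before" to compare the "after" against.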

The IRS Hack Probably Began With Compromised Endpoints – Chuck Leaver

Written By Michael Steward And Presented By Chuck Leaver CEO Ziften


IRS Hackers Make Early Returns Because of Previous External Attacks


The IRS breach was the most distinctive cyber attack of 2015. Classic attacks today start with phishing emails designed to gain initial access to target systems, followed by lateral movement until data exfiltration happens. The IRS hack was different: much of the data needed to carry it out had already been obtained elsewhere. In this case, all the attackers needed to do was walk in the front door and file the returns. How could this happen? Here’s what we know:

The IRS website has a “Get Transcript” function for users to retrieve prior tax return information. As long as the requester can supply the correct details, the system returns past and current W-2s, old tax returns, and so on. With anyone’s SSN, date of birth and filing status, the attackers could begin retrieving prior filing years’ information. The system also had a Knowledge Based Authentication (KBA) layer, which asked questions based on the requesting user’s credit history.

KBA isn’t foolproof, however. The questions it asks can often be predicted from other information already known about the user. The system asks questions such as “Which of the following streets have you lived on?” or “Which of the following automobiles have you owned?”

After the dust settled, it is estimated that the attackers tried to collect 660,000 transcripts of prior taxpayer information through Get Transcript, and succeeded in 334,000 of those attempts. The unsuccessful attempts appear to have gotten as far as the KBA questions, where the attackers failed to provide the correct answers. It is estimated that the attackers made off with over $50 million. So, how did they do it?

Security analysts believe the attackers used information from previous breaches, such as SSNs, DOBs, addresses and filing statuses, to request prior tax return information on their target victims. Where they succeeded and answered the KBA questions correctly, they submitted a claim for the 2015 calendar year, often inflating the withholdings amount on the tax return form to obtain a larger refund. As mentioned earlier, not all attempts succeeded, but over 50% of them resulted in major losses for the Internal Revenue Service.

Detection and response solutions like Ziften focus on identifying compromised endpoints (for example, through phishing attacks). We do this by providing real-time visibility of Indicators of Compromise (IoCs). If the theories are right and the attackers used information gleaned from previous attacks outside the IRS, the compromised businesses could have taken advantage of the visibility Ziften supplies and mitigated against mass data exfiltration. Ultimately, the Internal Revenue Service appears to be the vehicle, rather than the initial victim, of these attacks.
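The numbers in this post also point at what the service operator's own logs would have shown: a population of genuine users asks about one identity each and rarely fails the credit-history questions, whereas an attacker working through a list of stolen SSN, DOB and filing-status records asks about many identities and fails KBA roughly half the time (334,000 successes out of 660,000 attempts). Here is an added example (not IRS or Ziften code) of the per-source statistics a defender would keep on an identity-verification endpoint; the request log, the source addresses (RFC 5737 documentation ranges) and the thresholds are constructed.

```python
"""Spot bulk abuse of an identity-verification step in a request log.

Added example; not IRS or Ziften code. Source addresses (RFC 5737
documentation ranges), subject ids and thresholds are constructed.
"""
from collections import defaultdict

# Constructed request log: (source_ip, subject_id, kba_passed).
# subject_id stands in for the identity being requested; a real log would
# carry a keyed hash of the SSN, never the SSN itself.
REQUESTS = [
    ("198.51.100.7", "subj-0001", True),
    ("198.51.100.7", "subj-0002", False),
    ("198.51.100.7", "subj-0003", True),
    ("198.51.100.7", "subj-0004", False),
    ("198.51.100.7", "subj-0005", False),
    ("198.51.100.7", "subj-0006", True),
    ("203.0.113.21", "subj-0100", True),
    ("203.0.113.22", "subj-0101", True),
    ("203.0.113.23", "subj-0102", False),   # a genuine user who got one question wrong
    ("203.0.113.23", "subj-0102", True),    # and then passed
]


def per_source_stats(requests):
    """Request count, distinct identities and KBA failures per source."""
    stats = defaultdict(lambda: {"requests": 0, "subjects": set(), "failures": 0})
    for src, subject, passed in requests:
        s = stats[src]
        s["requests"] += 1
        s["subjects"].add(subject)
        s["failures"] += 0 if passed else 1
    return stats


def flag_sources(requests, max_subjects=3, max_failure_rate=0.25, min_requests=4):
    """Sources that request many different identities, or that fail KBA far more
    often than a legitimate user would. Both patterns fit an attacker working
    through a list of stolen records; a real user asks about one identity."""
    flagged = {}
    for src, s in per_source_stats(requests).items():
        rate = s["failures"] / s["requests"]
        reasons = []
        if len(s["subjects"]) > max_subjects:
            reasons.append("many_identities")
        if s["requests"] >= min_requests and rate > max_failure_rate:
            reasons.append("kba_failure_rate")
        if reasons:
            flagged[src] = {"subjects": len(s["subjects"]),
                            "failure_rate": round(rate, 2), "reasons": reasons}
    return flagged


def global_failure_rate(attempts, successes):
    """Population-wide share of attempts that never got past KBA. The post's
    figures (660,000 attempts, 334,000 successes) give about 0.49, a number
    to compare against the rate the genuine user population normally produces."""
    return round((attempts - successes) / attempts, 2)


if __name__ == "__main__":
    print(flag_sources(REQUESTS))
    print(global_failure_rate(660_000, 334_000))
```

Per-source counting is the easy part; an attacker with a stolen-data list can spread requests across many addresses, so the same counters belong on other keys too (session, account, network block), and the population-wide failure rate is what catches a campaign that stays under every per-source threshold. None of this fixes the underlying problem the post identifies, which is that the KBA answers themselves were derivable from data already stolen elsewhere.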

Shared Hacks And Data Exfiltration Are Leaving Comcast Customers At Risk – Chuck Leaver

Written By Michael Pawloski And Presented By Ziften CEO Chuck Leaver


The Customers Of Comcast Are Victims Of Data Exfiltration and Shared Hacks Via Other Businesses


The personal information of around 200,000 Comcast customers was compromised on November 5th 2015. Comcast was forced to make this announcement when it emerged that a list of 590,000 Comcast customer emails and passwords could be bought on the dark web for a mere $1,000. Comcast maintains that there was no attack on its own network; rather, the data came from past, shared hacks of other companies. Comcast further claims that only 200,000 of these 590,000 customers still exist in its system.

Less than two months earlier, Comcast had already been hit with a $22 million penalty over its unintentional publication of almost 75,000 customers’ personal details. Rather ironically, these customers had specifically paid Comcast for “unlisted voice-over-IP,” a line item on the Comcast bill that promised each customer’s information would be kept confidential.

Comcast instituted a mass reset of the 200,000 affected customer passwords, although attackers may have accessed these accounts before the list was put up for sale. While a simple password reset by Comcast will to some extent secure these accounts going forward, it does nothing to protect customers who may have reused the same email and password combination on banking and credit card logins. If the customer accounts were accessed before the breach was disclosed, it is entirely possible that other personal information, such as automatic payment details and street address, had already been obtained.

The bottom line: assuming Comcast wasn’t hacked directly, it was the victim of various other hacks whose data was connected to its customers. Detection and response systems like Ziften can prevent mass data exfiltration and often mitigate the damage done when these inevitable attacks happen.
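The 590,000-versus-200,000 distinction, and the question of which of those 200,000 had actually reused the leaked password, is something an operator can answer from its own password store without ever storing the leaked plaintexts. Here is an added example (not Comcast's process or Ziften code) that checks a constructed third-party dump against a constructed account store of salted PBKDF2 hashes and sorts each leaked row into "password still works here", "account exists but the leaked password is stale", or "no such account"; the accounts, passwords and leaked rows are all made up.

```python
"""Triage a leaked email/password list against an account store.

Added example; not Comcast's process or Ziften code. The accounts,
passwords and the leaked rows are constructed; the store keeps salted
PBKDF2-HMAC-SHA256 hashes, so leaked plaintexts are checked against
hashes in memory and never retained.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed account store: email -> (salt, digest)
ACCOUNTS = {email: hash_password(pw) for email, pw in [
    ("alice@example.com", "correct horse"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "unique-and-long-passphrase"),
]}

# Constructed third-party dump, the kind sold as a bundle of "shared hacks"
LEAK = [
    ("alice@example.com", "correct horse"),               # reused here: still works
    ("bob@example.com", "old-password-2013"),             # stale: bob changed it since
    ("carol@example.com", "unique-and-long-passphrase"),  # reused here: still works
    ("carol@example.com", "oldpw"),                       # same subject, older row
    ("dave@example.com", "whatever"),                     # no account in this system
]


def exposure(leak, accounts):
    """How many distinct leaked identities exist here at all: the post's
    590,000-on-the-list versus 200,000-still-customers distinction."""
    leaked = {email for email, _ in leak}
    return {"leaked": len(leaked), "present": len(leaked & set(accounts))}


def triage(leak, accounts):
    """Classify leaked rows. 'reused': the leaked password still opens the account,
    so force a reset and invalidate sessions; 'stale': the account exists but the
    leaked password no longer works, so notify and watch; 'unknown': no account."""
    result = {"reused": set(), "stale": set(), "unknown": set()}
    for email, password in leak:
        if email not in accounts:
            result["unknown"].add(email)
        elif verify(password, *accounts[email]):
            result["reused"].add(email)
        else:
            result["stale"].add(email)
    result["stale"] -= result["reused"]   # any working row decides the subject's class
    return {k: sorted(v) for k, v in result.items()}


if __name__ == "__main__":
    print(exposure(LEAK, ACCOUNTS))
    print(triage(LEAK, ACCOUNTS))
```

A blanket reset of every matching account, which is what the post describes Comcast doing, is the simpler policy and is the right call when the list cannot be checked quickly; the triage above is what lets you prioritise the "reused" accounts for session invalidation and a closer look at payment details, and it says nothing about the same credentials on a bank's site, which only customer notification can address.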

No Visibility Of Point Of Sale Vulnerabilities Was Responsible For Trump Hotel Breach – Chuck Leaver

Written By Matthew Fullard Presented By Chuck Leaver CEO Ziften


Trump Hotels Point-of-Sale Vulnerabilities Emphasize the Need for Faster Detection of Anomalous Activity


Trump Hotels suffered a data breach between May 19th 2014 and June 2, 2015. The infection vector was malware, which infected their front desk computers, POS systems, and restaurants. However, in their own words, they state that they “did not discover any proof that any customer information was removed from our systems.” While it is comforting to hear that no evidence was found, if malware is present on POS systems it is most likely there to steal details of the credit cards that are swiped, or increasingly tapped, inserted, or waved. Absence of evidence does not mean absence of a crime, and to Trump Hotels’ credit, they have offered free credit monitoring services.

If you look at a Point-of-Sale (POS) system as an administrator, one thing you will find in abundance is consistency: these systems rarely change, and the software will be nearly homogeneous across the deployment. This has both positives and negatives when it comes to securing such an environment. Software changes are slow to happen, need rigorous testing, and are hard to roll out.

Nevertheless, because such an environment is so uniform, it is also much easier to identify Point of Sale vulnerabilities and to notice when something new has changed.

At Ziften we monitor all executing binaries and network connections that take place within an environment the second they occur. If a single POS system started making new network connections, or started running new software, regardless of intent, it would be flagged for further review and assessment. Ziften also gathers unlimited historical data from your environment. If you need to know what happened six to twelve months ago, this is not a problem. Dwell times and AV detection rates can now be measured using our integrated threat feeds, as well as our binary collection and submission technology. Likewise, we will tell you which users launched which applications at what time throughout this historical record, so you can find your initial point of infection.
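The homogeneity argument is easy to turn into a concrete check: if almost every terminal runs the same binaries and talks to the same destinations, the fleet's own majority behaviour is the baseline, and any terminal with something extra (or something missing) is the anomaly. Here is an added example (not Ziften's implementation) that derives that baseline from a constructed fleet of four terminals, flags the deviating one, and then uses retained daily snapshots to find the day the new binary first appeared and so measure the dwell time; terminal names, the `h-...` hash placeholders, the destination and the dates are all made up.

```python
"""Fleet-baseline anomaly detection for a homogeneous POS estate.

Added example; not Ziften's implementation. Terminal names, binary
hashes (h-... placeholders), destinations and dates are constructed.
"""
from collections import Counter
from datetime import date

HOSTS = ["pos-01", "pos-02", "pos-03", "pos-04"]
# What every terminal is expected to run and talk to: (kind, value) observations
STANDARD = {("bin", "h-pos-app"), ("bin", "h-printer-svc"), ("net", "pay-gw.internal:443")}


def snapshot(extras=None, missing=None):
    """Build one day's fleet view: each host gets STANDARD plus/minus constructed deviations."""
    fleet = {h: set(STANDARD) for h in HOSTS}
    for h, obs in (extras or {}).items():
        fleet[h] |= obs
    for h, obs in (missing or {}).items():
        fleet[h] -= obs
    return fleet


# Constructed daily snapshots: day -> host -> set of observations
SNAPSHOTS = {
    "2015-01-10": snapshot(),
    "2015-01-11": snapshot(extras={"pos-04": {("bin", "h-unknown-9f3")}}),
    "2015-02-15": snapshot(extras={"pos-04": {("bin", "h-unknown-9f3"), ("net", "203.0.113.44:8080")}},
                           missing={"pos-03": {("bin", "h-printer-svc")}}),
}


def fleet_baseline(fleet, min_share=0.75):
    """Observations present on at least min_share of terminals. In a homogeneous
    estate this recovers the standard image without anyone writing it down."""
    counts = Counter(obs for observations in fleet.values() for obs in observations)
    return {obs for obs, c in counts.items() if c / len(fleet) >= min_share}


def new_on_host(fleet, min_share=0.75):
    """Terminals running, or talking to, something the rest of the fleet does not."""
    base = fleet_baseline(fleet, min_share)
    return {h: sorted(obs - base) for h, obs in fleet.items() if obs - base}


def missing_on_host(fleet, min_share=0.75):
    """Terminals lacking something the fleet normally has (a removed agent or service)."""
    base = fleet_baseline(fleet, min_share)
    return {h: sorted(base - obs) for h, obs in fleet.items() if base - obs}


def first_seen(snapshots, host, observation):
    """Earliest retained day on which the observation appears on the host."""
    for day in sorted(snapshots):
        if observation in snapshots[day].get(host, set()):
            return day
    return None


def dwell_days(snapshots, host, observation, detected_on):
    """Days between the observation's first appearance and the day it was noticed."""
    start = first_seen(snapshots, host, observation)
    return (date.fromisoformat(detected_on) - date.fromisoformat(start)).days if start else None


if __name__ == "__main__":
    latest = SNAPSHOTS["2015-02-15"]
    print("new:", new_on_host(latest))
    print("missing:", missing_on_host(latest))
    print("dwell:", dwell_days(SNAPSHOTS, "pos-04", ("bin", "h-unknown-9f3"), "2015-02-15"))
```

Two caveats a practitioner would add. The majority baseline only works because the estate is uniform; on a general-purpose workstation fleet the same rule would flag every engineer's laptop. And `first_seen` can only reach back as far as the snapshots you kept, which is why the post's point about retaining six to twelve months of history matters: a new binary that appeared before your retention window has a dwell time you cannot measure.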

POS problems continue to plague the retail and hospitality industries, which is a pity given how straightforward such an environment is to monitor with detection and response.