Category Archives: Security Breaches

Chuck Leaver – Continuous Endpoint Monitoring And The Carbanak Case Study Part 3

Presented By Chuck Leaver And Written By Dr Al Hartmann


Part 3 in a 3 part series


Below are excerpts of Indicators of Compromise (IoC) from the technical reports on the Anunak/Carbanak APT attacks, with discussion of how each would be discovered by the Ziften continuous endpoint monitoring service. The Ziften service concentrates on generic indicators of compromise that have stayed consistent over decades of hacker attacks and cyber security experience. IoCs can be identified for any operating system such as Linux, OS X and Windows. Specific indicators of compromise also exist that point to C2 infrastructure or particular attack code instances, but these are not used long term and are not generally reused in fresh attacks. There are billions of these artifacts in the security world, with thousands being added every day. Generic IoCs are embedded for the supported operating systems by the Ziften security analytics, and the specific IoCs are drawn by the Ziften Knowledge Cloud from subscriptions to a variety of industry threat feeds and watch lists that aggregate them. Both have value and help triangulate attack activity.

1. Exposed vulnerabilities

Excerpt: All observed cases used spear phishing e-mails with Microsoft Word 97-2003 (.doc) files attached or CPL files. The doc files exploit both Microsoft Office (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761).

Comment: Not really an IoC, but critical exposed vulnerabilities are a major hacker exploit path and a large red flag that raises the risk score (and the SIEM priority) for the endpoint, particularly if other indicators are also present. These vulnerabilities are signs of lax patch management and vulnerability lifecycle management, which weakens the cyber defense posture.

2. Locations That Are Suspect

Excerpt: Command and Control (C2) servers located in China have actually been determined in this campaign.

Comment: The geolocation of endpoint network touches and scoring by geography both contribute to the risk score that drives up the SIEM priority. There are legitimate reasons for contact with Chinese servers, and some companies have sites located in China, but this should be validated with spatial and temporal anomaly checking. IP address and domain information should be attached to the resulting SIEM alarm so that SOC triage can be carried out rapidly.

3. Binaries That Are New

Excerpt: Once the remote code execution vulnerability is effectively exploited, it sets up Carbanak on the victim’s system.

Comment: Any new binary is always suspicious, but not all of them should be alerted on. The image metadata should be examined for a pattern, for example a new app or a new version of an existing app from an existing vendor on a likely file path for that vendor. Hackers will attempt to spoof whitelisted apps, so signing data can be compared, along with file size and file path, to filter out the obvious cases.

4. Uncommon Or Delicate Filepaths

Excerpt: Carbanak copies itself into “%system32%\com” with the name “svchost.exe” with the file attributes: system, hidden and read-only.

Comment: Any write into the System32 file path is suspicious, since it is a sensitive system directory, so it immediately undergoes anomaly analysis. A classic anomaly is svchost.exe, a critical system process image, in the uncommon location of the com subdirectory.

5. New Autostarts Or Services

Excerpt: To make sure that Carbanak has autorun privileges the malware develops a new service.

Comment: Any new autostart or service is common with malware and is always examined by the analytics. Anything of low prevalence would be suspicious. If checking the image hash against industry watchlists shows it is unknown to the majority of antivirus engines, this raises suspicion further.

6. Low Prevalence File In High Prevalence Folder

Excerpt: Carbanak creates a file with a random name and a .bin extension in %COMMON_APPDATA%\Mozilla where it stores commands to be carried out.

Comment: This is a classic example of “one of these things is not like the other” that is simple for the security analytics to inspect in a continuous monitoring environment. This IoC is absolutely generic; it has nothing to do with which filename or which directory is created. Even though the technical security report lists it as a specific IoC, it is trivially generalized beyond Carbanak to future attacks.

7. Suspect Signer

Excerpt: In order to render the malware less suspicious, the most recent Carbanak samples are digitally signed.

Comment: Any suspect signer will be treated as suspicious. In one case the signer supplied an anonymous gmail address, which does not inspire confidence, and the risk score rises for that image. In other cases no email address is provided at all. Signers can be quickly listed and a Pareto analysis carried out to separate the more trusted from the less trusted signers. If a less trusted signer is found in a more sensitive folder, that is very suspicious.
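The signer ranking described above, as an added example that is not Ziften's code: signers seen across a constructed fleet of signed images are ranked Pareto-style by how much of the telemetry they account for, and images from low-volume signers are scored higher when the certificate carries an anonymous webmail contact or no contact at all, and higher again when the file sits in a sensitive folder. The signer names, e-mail addresses, paths, hostnames and score weights are all assumptions made for the example.

```python
"""Signer trust ranking (Pareto analysis) over constructed signed-image telemetry.

Added example, not Ziften's code. All signers, addresses, paths and weights
are constructed for illustration.
"""
from collections import Counter, defaultdict
import ntpath

WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SENSITIVE_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed telemetry: (host, path, signer subject, contact e-mail or None)
SIGNED_IMAGES = [
    ("ws01", r"C:\Windows\System32\svchost.exe", "Microsoft Windows", None),
    ("ws02", r"C:\Windows\System32\svchost.exe", "Microsoft Windows", None),
    ("ws03", r"C:\Windows\System32\svchost.exe", "Microsoft Windows", None),
    ("ws01", r"C:\Program Files\ExampleVendor\tool.exe", "ExampleVendor Inc.", "release@examplevendor.example"),
    ("ws02", r"C:\Program Files\ExampleVendor\tool.exe", "ExampleVendor Inc.", "release@examplevendor.example"),
    ("ws03", r"C:\Windows\System32\com\svchost.exe", "J. Doe Software", "jdoe.builds@gmail.com"),
    ("ws02", r"C:\Users\bob\Downloads\setup.exe", "Freeware Co", None),
]


def signer_pareto(images):
    """Rank signers by observation count with a cumulative share (Pareto table)."""
    observations = Counter(signer for _host, _path, signer, _email in images)
    hosts = defaultdict(set)
    for host, _path, signer, _email in images:
        hosts[signer].add(host)
    total = sum(observations.values())
    rows, running = [], 0
    for signer, count in sorted(observations.items(), key=lambda kv: (-kv[1], kv[0])):
        running += count
        rows.append({"signer": signer, "observations": count,
                     "hosts": len(hosts[signer]), "cumulative": running / total})
    return rows


def trusted_signers(images, min_hosts=2):
    """Signers seen on at least min_hosts distinct endpoints (assumed threshold)."""
    return {row["signer"] for row in signer_pareto(images) if row["hosts"] >= min_hosts}


def contact_kind(email):
    """Classify the certificate contact: corporate domain, anonymous webmail, or none."""
    if email is None:
        return "none"
    domain = email.rsplit("@", 1)[-1].lower()
    return "webmail" if domain in WEBMAIL_DOMAINS else "corporate"


def score_signed_image(path, signer, email, trusted):
    """Risk score and reasons for one signed image given the trusted-signer set."""
    if signer in trusted:
        return 0, ["established signer"]
    score, reasons = 2, ["low-volume signer"]
    kind = contact_kind(email)
    if kind == "webmail":
        score += 2
        reasons.append(f"anonymous webmail contact ({email})")
    elif kind == "none":
        score += 1
        reasons.append("no contact address in certificate")
    if ntpath.dirname(path.lower()).startswith(SENSITIVE_DIRS):
        score += 3
        reasons.append("low-trust signer in a sensitive folder")
    return score, reasons


def review(images, threshold=3):
    """Return images scoring at or above threshold, worst first."""
    trusted = trusted_signers(images)
    findings = []
    for host, path, signer, email in images:
        score, reasons = score_signed_image(path, signer, email, trusted)
        if score >= threshold:
            findings.append({"host": host, "path": path, "signer": signer,
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["score"], f["host"]))


if __name__ == "__main__":
    for row in signer_pareto(SIGNED_IMAGES):
        print(f"{row['cumulative']:5.0%}  {row['observations']} obs  {row['hosts']} hosts  {row['signer']}")
    for f in review(SIGNED_IMAGES):
        print(f"{f['score']:>2} {f['host']} {f['path']} [{f['signer']}]: {'; '.join(f['reasons'])}")
```

The Pareto table is what an analyst would eyeball to decide which signers are "established" for this fleet; the two-host threshold used here is deliberately simple and would be tuned to fleet size in practice.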

8. Remote Administration Tools

Excerpt: There appears to be a preference for the Ammyy Admin remote administration tool for remote control; it is believed that the hackers used this remote administration tool because it is frequently whitelisted in the victims’ environments as a result of being used regularly by administrators.

Comment: Remote admin tools (RATs) always raise suspicion, even if they are whitelisted by the company. Anomaly checking would determine whether each new remote admin tool is consistent temporally and spatially. RATs are subject to abuse. Hackers will always prefer to use the company's own RATs so that they can avoid detection, so they must not be given a pass every time just because they are whitelisted.

9. Patterns Of Remote Login

Excerpt: Logs for these tools suggest that they were accessed from two different IPs, most likely used by the hackers, and located in Ukraine and France.

Comment: Always suspect remote logins, because all hackers are presumed to be remote. They are also used heavily in insider attacks, as the insider does not wish to be identified with the system. Remote addresses and time pattern anomalies would be checked, and this should reveal low prevalence usage (relative to peer systems) plus any suspect geography.
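The remote login checks from items 2 and 9, as an added example that is not part of the original post: a few constructed remote-access log lines (the line format is invented for this example) are parsed and each login is scored on source geography outside the expected countries, login time outside the working window, and a source address that few peer systems have ever seen. The IP-to-country table is a placeholder standing in for a real geolocation feed, and the addresses, hosts, users and times are constructed.

```python
"""Remote login anomaly scoring over constructed remote-access log lines.

Added example, not Ziften's code. Log format, addresses, hosts, times and
the geolocation table are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

EXPECTED_COUNTRIES = {"US"}   # assumption: where this organisation's staff log in from
WORK_HOURS = range(7, 20)     # assumption: 07:00-19:59 local is normal
RARE_SOURCE_SHARE = 1 / 3     # source seen on this share of peers or fewer is "rare"

# Placeholder geolocation table keyed by address prefix (documentation ranges only).
GEO = {"203.0.113.": "UA", "198.51.100.": "FR", "192.0.2.": "US", "10.": "internal"}

# Constructed remote administration tool access log.
LOG = """\
2015-02-10T09:12:44 host=fin-ws01 user=admin src=192.0.2.15 result=OK
2015-02-10T09:40:02 host=fin-ws02 user=admin src=192.0.2.15 result=OK
2015-02-10T10:05:31 host=fin-ws03 user=admin src=192.0.2.15 result=OK
2015-02-11T02:17:09 host=fin-ws02 user=admin src=203.0.113.77 result=OK
2015-02-11T03:02:55 host=fin-ws02 user=admin src=198.51.100.9 result=OK
2015-02-11T14:30:00 host=fin-ws03 user=helpdesk src=10.20.0.8 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(log):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def country(ip):
    """Longest-prefix-free lookup against the placeholder geolocation table."""
    for prefix, code in GEO.items():
        if ip.startswith(prefix):
            return code
    return "unknown"


def score_logins(events, threshold=3):
    """Score each login on geography, time of day and peer prevalence; return alerts."""
    hosts_by_src = defaultdict(set)
    for event in events:
        hosts_by_src[event["src"]].add(event["host"])
    fleet_size = len({event["host"] for event in events})
    findings = []
    for event in events:
        score, reasons = 0, []
        geo = country(event["src"])
        if geo != "internal" and geo not in EXPECTED_COUNTRIES:
            score += 3
            reasons.append(f"source geolocates to {geo}")
        if event["ts"].hour not in WORK_HOURS:
            score += 2
            reasons.append(f"off-hours login at {event['ts']:%H:%M}")
        share = len(hosts_by_src[event["src"]]) / fleet_size
        if share <= RARE_SOURCE_SHARE:
            score += 2
            reasons.append(f"source seen on only {share:.0%} of peer systems")
        if score >= threshold:
            findings.append({**event, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["score"], f["ts"]))


if __name__ == "__main__":
    for f in score_logins(parse(LOG)):
        print(f"{f['score']:>2} {f['ts']} {f['host']} {f['user']} from {f['src']}: {'; '.join(f['reasons'])}")
```

The internal helpdesk login at 14:30 is rare across peers but scores below the alert threshold, which is the triage outcome the comment describes: rarity alone is a question, rarity plus off-hours plus suspect geography is an alarm.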

10. Atypical IT Tools

Excerpt: We have also discovered traces of various tools used by the hackers inside the victim’s network to gain control of additional systems, such as Metasploit, PsExec or Mimikatz.

Comment: Being sensitive apps, IT tools should always be examined for anomalies, because many hackers subvert them for malicious purposes. Metasploit could be used by a penetration tester or vulnerability researcher, but such instances would be uncommon. This is a prime example where an uncommon-observation report, vetted by security staff, would lead to corrective action. It also highlights the problem that blanket whitelisting does not help in the identification of suspicious activity.
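The prevalence and file-path checks from items 3, 4, 6 and 10 above, as one added example that is not Ziften's code: a constructed inventory of files reported by four endpoints is scored for low prevalence across the fleet, a well-known system image name running from an unexpected directory, a rare file under a sensitive system directory, a rare file inside a folder that every endpoint shares, and the presence of sensitive IT tools. Hostnames, paths, hash placeholders, thresholds and score weights are all assumptions made for the example.

```python
"""Fleet-wide image prevalence and sensitive-path anomaly scoring.

Added example, not Ziften's code. Inventory, hashes, paths and weights are
constructed for illustration.
"""
from collections import defaultdict
import ntpath

# Expected home directory of well-known system images (assumption: a real
# deployment learns this baseline from the fleet rather than hard-coding it).
EXPECTED_SYSTEM_DIRS = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}
SENSITIVE_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
IT_TOOLS = {"psexec.exe", "mimikatz.exe", "msfconsole.exe"}
LOW_PREVALENCE = 0.25   # share of fleet at or below which a file is "rare"
HIGH_PREVALENCE = 0.75  # share of fleet at or above which a folder is "common"

FLEET = ("ws01", "ws02", "ws03", "ws04")

# Constructed inventory: (host, path, hash placeholder). %COMMON_APPDATA%
# resolves to C:\ProgramData, so the Mozilla folder from item 6 lives there.
INVENTORY = [
    *[(h, r"C:\Windows\System32\svchost.exe", "h-svchost") for h in FLEET],
    *[(h, r"C:\ProgramData\Mozilla\updater.ini", "h-moz-ini") for h in FLEET],
    ("ws04", r"C:\Windows\System32\com\svchost.exe", "h-unknown-1"),  # item 4
    ("ws03", r"C:\ProgramData\Mozilla\xk2q9f.bin", "h-unknown-2"),    # item 6
    ("ws02", r"C:\Tools\PsExec.exe", "h-psexec"),                      # item 10
    ("ws01", r"C:\Program Files\Vendor\app.exe", "h-vendor"),          # benign new app
]


def build_prevalence(inventory):
    """Count the distinct hosts on which each path and each folder appears."""
    hosts_by_path, hosts_by_dir, fleet = defaultdict(set), defaultdict(set), set()
    for host, path, _digest in inventory:
        p = path.lower()
        fleet.add(host)
        hosts_by_path[p].add(host)
        hosts_by_dir[ntpath.dirname(p)].add(host)
    return hosts_by_path, hosts_by_dir, len(fleet)


def score_image(path, hosts_by_path, hosts_by_dir, fleet_size):
    """Return (score, reasons) for one file using the generic indicators."""
    p = path.lower()
    name, folder = ntpath.basename(p), ntpath.dirname(p)
    path_prev = len(hosts_by_path[p]) / fleet_size
    dir_prev = len(hosts_by_dir[folder]) / fleet_size
    score, reasons = 0, []
    rare = path_prev <= LOW_PREVALENCE
    if rare:
        score += 2
        reasons.append(f"low prevalence: on {path_prev:.0%} of fleet")
    if name in EXPECTED_SYSTEM_DIRS and folder != EXPECTED_SYSTEM_DIRS[name]:
        score += 4
        reasons.append(f"{name} outside {EXPECTED_SYSTEM_DIRS[name]}")
    if rare and folder.startswith(SENSITIVE_DIRS):
        score += 3
        reasons.append("rare file under a sensitive system directory")
    if rare and dir_prev >= HIGH_PREVALENCE:
        score += 3
        reasons.append("rare file in a folder common across the fleet")
    if name in IT_TOOLS:
        score += 3
        reasons.append("sensitive IT/admin tool")
    return score, reasons


def triage(inventory, threshold=3):
    """Score every inventory entry and return findings at or above threshold, worst first."""
    hosts_by_path, hosts_by_dir, fleet_size = build_prevalence(inventory)
    findings = []
    for host, path, digest in inventory:
        score, reasons = score_image(path, hosts_by_path, hosts_by_dir, fleet_size)
        if score >= threshold:
            findings.append({"host": host, "path": path, "hash": digest,
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["score"], f["host"], f["path"]))


if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f['score']:>2} {f['host']} {f['path']}: {'; '.join(f['reasons'])}")
```

The vendor app on ws01 is new and rare but lands below the alert threshold, which is the "not all new binaries should be alerted on" point from item 3; the svchost.exe copy under the com subdirectory collects the most reasons and sorts to the top.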


Part Two Of The Carbanak Case Study Reveals Why Continuous Monitoring Of Endpoints Is So Effective – Chuck Leaver

Presented By Chuck Leaver And Written By Dr Al Hartmann


Part 2 in a 3 part series


Continuous Endpoint Monitoring Is Really Effective


Capturing and blocking malicious scripts before they have the ability to compromise an endpoint is great. However, this technique is largely inadequate against cyber attacks that have been pre-tested to evade this sort of approach to security. The real issue is that these hidden attacks are conducted by skilled human hackers, while conventional defense of the endpoint is an automated procedure by endpoint security systems that rely largely on standard anti-virus technology. Human intelligence is more innovative and versatile than machine intelligence and will always be superior to automated machine defenses. This echoes the Turing test, where automated defenses are trying to rise to the intellectual level of an experienced human hacker. At present, artificial intelligence and machine learning are not sophisticated enough to completely automate cyber defense; the human hacker is going to win, while those infiltrated are left counting their losses. We are not living in a science fiction world where machines can out-think people, so you must not think that a security software suite will automatically take care of all your problems and prevent all attacks and data loss.

The only genuine way to stop a determined human hacker is with an undaunted human cyber defender. To engage your IT Security Operations Center (SOC) personnel to do this, they need full visibility of network and endpoint operations. This type of visibility will not be achieved with standard endpoint anti-virus solutions; instead, they are designed to stay quiet unless capturing and quarantining malware. This conventional approach renders the endpoints opaque to security staff, and hackers use this endpoint opacity to conceal their attacks. The opacity extends backwards and forwards in time: your security personnel have no idea what was running across your endpoint population previously, or at this moment, or what to expect in the future. If persistent security personnel find hints that require a forensic look-back to discover attacker traits, your anti-virus suite will be unable to assist. It would not have acted at the time, so no events will have been recorded.

By contrast, continuous endpoint monitoring is always working: supplying real-time visibility into endpoint operations, providing forensic look-backs to act on newly emerging evidence of attacks and discover indications earlier, and establishing a baseline of normal patterns of operation so that it knows what to expect and can flag any irregularities in the future. Beyond plain visibility, continuous endpoint monitoring provides informed visibility, applying behavioral analytics to detect operations that appear irregular. Irregularities are continually analyzed and aggregated by the analytics and reported to SOC staff through the organization’s security information and event management (SIEM) system, flagging the most worrying suspicious abnormalities for security staff attention and action. Continuous endpoint monitoring amplifies and scales human intelligence rather than replacing it. It is a bit like the old game on Sesame Street, “One of these things is not like the other.”

A child can play this game. It is simple because most items (high prevalence) look like each other, but one or a few (low prevalence) are different and stand out. These dissimilar actions taken by cyber criminals have been quite consistent in hacking for decades. The Carbanak technical reports that listed the indicators of compromise are good examples of this and are discussed in the next part of this series. When continuous endpoint monitoring security analytics are in place and reveal these patterns, it is simple to recognize something suspicious or unusual. Cyber security personnel can perform rapid triage on these abnormal patterns and quickly reach a yes/no/maybe verdict that separates uncommon but known-good activities from malicious activities, or from activities that need additional tracking and more informative forensic examination to validate.

There is no way a hacker can pre-test their attacks when this defense is in place. Continuous endpoint monitoring security has a non-deterministic risk analytics component (that alerts on suspect activity) as well as a non-deterministic human component (that performs alert triage). Depending on the current activities, the endpoint population mix and the experience of the cyber security personnel, developing attack activity may or may not be discovered. This is the nature of cyber warfare and there are no guarantees. But if your cyber security fighters are equipped with continuous endpoint monitoring analytics and visibility, they will have an unfair advantage.

Chuck Leaver – Avoid A Doomsday Movie Cyber Attack By Reviewing Your Cyber Security

Chuck Leaver, Ziften CEO writes


Current evidence suggests that cyber security will be a huge issue for banks and utilities over the next few years. A company operating in an industry sector where a cyber attack could have a destabilizing impact, which includes the oil and gas and banking sectors, really needs a strategy for how it will protect its servers from such attacks. It may not be considered a major risk yet by the typical person, but attempts to hack the environments of these companies could destabilize water supplies, power lines and more. The most effective way for security teams within these organizations to prevent their servers from being breached by cyber criminals is to implement modern software along with other security strategies to build robust defenses.

A recent review by the AP news agency revealed that cyber attacks on federal networks had increased from 30,000 to 50,000 since 2009, a 66% increase. A survey of experts by the Pew Research Center revealed that 60% of them believed that the U.S. would suffer a major cyber attack by 2025 whose fallout would be devastating and widespread. Widespread meant a considerable loss of life and property losses costing billions of dollars. It was felt that these events were likely because the opportunity cost of waging a cyber war is so low. Cyber criminals can attack a network and then hide behind plausible deniability. Although this might seem like a warning for the federal government only, it is probable that any cyber criminal group wanting to attack at the federal level would first practice on private servers, both to test their cyber attacks and to obtain much-needed cash and other resources.

What Is The Relationship Between Public And Private Security?

There might be a variety of reasons a hacker would target a company in the oil and gas or finance sectors, but some similarities exist. If the intent was to destabilize the day-to-day lives of residents of the United States, then either industry would suffice. This is why cyber security for those institutions is a matter of national concern. Organizations in these sectors need to monitor the national understanding of cyber security so that they can safeguard themselves from the many possible cyber attacks that might present a problem for them. They need to understand that cyber security protection such as endpoint threat detection and response software, malware and antivirus suites, firewalls and encryption is critical for these companies. In the future the risk from these advanced cyber attacks will increase, and those companies that are not fully prepared to handle these attacks and get breached will face a public that will be very angry about their data being taken.

Network security at the essential level includes making certain that constant updates are applied to security systems and deploying the most appropriate security systems. The deployment of endpoint threat detection and response systems will alleviate a variety of these problems by placing a human in control of monitoring data as it flows through the network and providing user-assisted tools. Network use will be more easily visible using this software, and it will be a lot simpler to determine whether any services are being misused. Endpoint threat detection software has to be deployed if a fully featured cyber security system that offers the highest level of defense is desired.


Serious Malware Threats Are Very Real And You Must Protect Your Organization – Chuck Leaver

Written By Chuck Leaver CEO Ziften


If you are in doubt about malware threats increasing, then please read the rest of this post. Over the past few years a variety of cyber security studies have disclosed that millions of new malware threats are being created each year. With limited security resources to manage this number of malware threats, this is a real issue. All companies need to look carefully at their cyber security procedures and find areas of improvement to address this real risk to data security.

Not all malware is alike. Some malware strains are more harmful than others, and security personnel have to know the malware risks that can inflict genuine damage on their organization. George Tubin, a security intelligence contributor, noted that some malware could be classified as more annoying than threatening. Yes, it can cause problems with computer performance and require removal by tech support staff, but it will not cause the same level of problems as the malware behind the cyber attacks on Target and Sony.

Advanced malware attacks must be the focus of security teams, explained Tubin. These malicious strains, which are small in number compared with common malware strains, can cause substantial damage if they are allowed to penetrate an organization’s network.

Tubin stated “due to the fact that most malware detection software is developed to discover basic, recognized malware – and due to the fact that standard, known malware represents the vast bulk of enterprise malware – most organizations incorrectly think they are finding and eliminating virtually all malware hazards.” “This is precisely what the advanced malware attackers want them to believe. While numerous companies are pleased with their malware detection stats, this small sliver of innovative malware goes unnoticed and stays in position to cause terrible damage.”

The Integrity Of Data Is Under Serious Threat From Sophisticated Malware


There are zero day malware threats, and these can infiltrate the defenses at the boundary of the network without being found and can remain active within the network for months without being seen. This means that cyber criminals have a great deal of time to access sensitive data and take essential information. To combat advanced malware and keep the company environment safe and secure, security staff need to deploy sophisticated endpoint threat detection and response systems.

It is important that companies can monitor all of their endpoints and ensure that they can identify malware threats quickly and eliminate the danger. Cyber criminals have a variety of options to take advantage of when they target a company, and this is even more of an issue as companies become more complex. Personal laptops can be a genuine gateway for cyber criminals to penetrate the network, explains Tubin. When a laptop connects to an unsecured point beyond the environment, there is a good chance that it can be compromised.

This is a real factor underlining why security teams need to honestly assess where the greatest vulnerabilities are and take corrective action to fix the issue. Endpoint security systems that continuously monitor endpoints can provide tremendous advantages to companies concerned about their network defenses. At the end of the day, a company should put in place cyber security procedures that match its requirements and resources.



Chuck Leaver

The Highest Number Of Cyber Attacks Is Happening In Chicago – Chuck Leaver

From the desk of Chuck Leaver CEO Ziften Technologies


If you live in Chicago, run a company there or work there, you ought to pay attention to a report that reveals Chicago is one of the most vulnerable cities in the U.S.A. for cyber attacks. The National Consumers League, a Washington D.C. based consumer advocacy group, published the report, as stated by The Chicago Sun-Times. The report exposed some worrying findings, among them the discovery that 43% of the city’s population reported that their data was stolen and used to make purchases on the Internet. This suggests that cyber criminals are becoming more proactive when it comes to stealing personal data.

So if you suffer a hacking attack on your business, you must expect the stolen data to be used for malicious purposes. The National Consumers League vice president of public policy, John Breyault, stated “Chicago citizens who get a data-breach alert must pay specific attention to purchases made via the Internet (in their name).”

The citizens of Chicago are not being inactive and simply dismissing this crucial information. The Illinois state Attorney General, Lisa Madigan, is leading efforts to establish a federal group that will have the duty of investigating data security incidents, so states CBS Chicago. Madigan’s office is investigating the attacks on Neiman Marcus and Target, among others, and Madigan feels that given the recent severity of attacks the government needs to take some responsibility and handle the issue.

Madigan said “It just makes good sense that somebody needs to take the responsibility in this day and age for putting in place security standards for our individual financial details, because otherwise you have disturbance and a substantial impact, potentially, to the general market.” The time frame for establishing this group is uncertain at present. Making things happen at the federal level can be very slow.

Endpoint Threat Detection And Response Software Will Supply Protection


If you run a business in Chicago (or anywhere else), there is no need to wait for this federal team to be established to safeguard your business’s network. It is suggested that you install endpoint detection and response software, since this will offer major defense for your network and make it essentially hacker attack proof. If you do not take advantage of robust endpoint threat detection and response systems, you are leaving the door wide open for cyber criminals to enter your network and cause you a lot of trouble.


Avoid Legal Problems And Protect Your Organization From Cyber Attacks – Chuck Leaver

Chuck Leaver Ziften CEO writes

Many organizations need no reminder that the threat of a cyber attack is very real and could do them major damage; legislators are working to create more extensive data breach notification laws. This highlights the fact that organizations really have to implement stronger security measures and protect their data from being stolen. Organizations have to take responsibility and build a system that will safeguard them from the risk of cyber attacks: they have to educate their employees, install cutting edge endpoint detection and response systems, and make sure that any sensitive data on servers is encrypted. The general public has become more security conscious and is watching organizations, which is another reason every company must protect itself from cyber attacks.

There is interest in standardizing the data breach laws even from companies that have already been attacked. The Hill states that there is “a basic consensus that federal requirements are needed on data breach notices.” This is crucial, as at the moment a great many organizations are announcing data breaches without a standard process to follow. Without this procedure there is an incentive for organizations to hide the breach or under-report its impact so that they can remain competitive.


Stopping A Malicious Infiltration


Organizations can use different strategies to keep their data private. 5W Public Relations PR executive Ronn Torossian has assembled a list of actions that organizations can carry out to avoid cyber attacks. The list has only a few basic rules, and it includes the implementation of cutting-edge endpoint detection and response systems. The other main points are the use of file encryption and the regular changing of passwords. These are certainly a good starting point, but what about the most recent cyber attack prevention technology?

All companies ought to be using encryption, anti-malware and anti-virus scanning, and should set up endpoint threat detection and response software and a firewall. This is an extremely effective combination and will make a network about as protected as is possible. Using a mix of security techniques will supply a much greater level of defense than any single security measure could. This does not mean that any single approach is weak; rather, different tools carry out different security jobs.

The employees of the organization should be taught to keep changing passwords, and that this is just one (but an important) element of an overall security strategy. These passwords need to be strong as well. The use of alphanumerics and special characters, along with long passwords, ought to be encouraged. Password security is critical for workers dealing with sensitive data, such as those in the financial and oil and gas industries, as employee login pages need to be completely safeguarded from hackers. Other security devices such as optical scanners can be deployed in secure locations to minimize the possibility of an external attack. This is a big decision for organizations, and deciding the best way to make everything safe can be difficult and may even involve experimentation.


Chuck Leaver – Identity Fraud Cases Up And Malware On The Rise

This post has actually been written by Chuck Leaver, Chief Executive Officer Ziften Technologies.



A report revealed that breaches of consumer data mean there are more and more identity thefts being carried out nowadays. This is extremely worrying for all of us.

The report was carried out by the National Consumers League, and it exposes that in 2013 around 33% of consumer data breaches resulted in identity fraud, meaning the figure has tripled since 2010. This worrying rise can be explained by some clear reasons. Cyber criminals are using far more advanced methods now, and there is a lack of cyber attack laws that require companies to disclose when they have had an attack. To make matters worse, few organizations use endpoint detection and response systems to protect their data. All this means that we are entering an environment where consumers are discovering that their data is continuously under attack by dishonest hackers.

John Breyault, who belongs to the National Consumers League, stated that cyber attack breach legislation like the law operating in California can help minimize breach repercussions by mandating that companies that have been attacked rapidly get the word out.

He went on to state that prompt notice after a breach is required so that individuals can carry out a “harm analysis” once they know about an attack. This is everybody’s right, and at the moment the type of problem that would set a notice in motion remains very broad.

Sadly, it is not just identity theft that is under the spotlight. Another report revealed that malware is now more widespread than it ever was.

A Report Reveals Every Third Computer Has A Malware Infection


The Anti-Phishing Working Group published a report stating that malware was likely to be present in as much as a third of the computers throughout the world by the last quarter of 2013. This is a considerable increase compared with the previous quarter, says Tech News World. Luis Corrons, the technical director of a security lab that investigates cyber attacks, stated that new malware strains are being developed at an incredibly rapid pace and that malware infections could rise even further.

He stated that the development of new malware samples has simply skyrocketed, doubling from the last quarter of 2013 to the first quarter of 2014.

The findings of these two reports underline the fact that there is no room for complacency in companies when it comes to security. Every organization needs to shore up its endpoint detection and response systems or face the fact that a cyber attack is significantly more likely to be coming its way.

Chuck Leaver

If You Don’t Enact Defenses Against Malware And Breaches You Risk Fines – Chuck Leaver

With malware becoming more stealthy, and with the fines enterprises face when they suffer a breach from it, the case for deploying endpoint detection and response systems is even more critical than it was in the past. Without the best defenses in place there is not only the danger of a significant cyber attack, but also fines and lawsuits that can be really harmful to a business. If an enterprise thinks that it is immune to cyber attacks, then it is being conceited and ignorant. The cyber criminals out there are making their attacks almost undetectable these days.


Serious Malware Threat Now Averting Detection


Embedding a secret message into something unexpected is called steganography, and it is not something new that arrived with the Internet. In the 1600s, Gaspar Schott produced a book which described how a secret message could be hidden in a musical score and decoded by those who knew the method. The technique was that each note on the score would represent a letter of the alphabet, so the message could be read.

This practice has some worrying ramifications as it provides a nearly sure-fire method of concealing information that should not exist. Cyber criminals have been using steganography for several years now. A Federal Plan for Cyber Security, released by the National Science and Technology Council in 2006, reported that steganography represents a particularly devious method for terrorists to infiltrate U.S. systems.

The report stated that these tools are cheap and widespread, making steganography an enabling technology for the foes of the U.S.

These days cyber security attacks are widespread, and hackers are leveraging steganography to perform attacks that are nearly undetectable and really sophisticated. A paper on the threats of steganography stated that there is momentum gathering in its use among cyber criminals, who can use the method to breach networks without detection. The paper went on to state that Internet-based steganography has become much more advanced and will only become more so in the years to come.

While steganography does pose a big threat, it can be mitigated by deploying an endpoint detection and response system. Such a system will carefully watch all locations where a cyber criminal might gain access, and it is recommended that organizations take this important step.


The Penalties Are High For Organizations That Are Exposed To A Malicious Breach


The risk of a steganographic attack should definitely be enough for you to deploy an endpoint detection and response system, but if it isn’t, then the substantial fines your organization can face for a breach should be. Any organization is susceptible to attacks and fines. As an example, the Women and Infants Hospital in Providence, Rhode Island, had to pay $150,000 as a result of a cyber attack in which the information of 12,000 individuals was compromised. The Modesto Bee stated that the data the hospital lost included Social Security numbers, dates of birth and ultrasound images.

The corporate world can also suffer at the hands of a malicious breach. eBay faced a lawsuit from a consumer in Louisiana after it was infiltrated, according to Computerworld. Colin Green, who filed the lawsuit, is not alone in being discontented, and represents millions of people who were unhappy that their personal data was exposed when the cyber attack on eBay happened. The potential fines and lawsuits make the investment in a proven endpoint detection and response system really worthwhile.