Written By Dr Al Hartmann And Presented By Chuck Leaver, Ziften CEO

Still Supporting Adobe Flash and Apple QuickTime for Windows? Didn’t Get the Memo?

On the heels of Independence Day, it is a good time for a metaphor: Flash is a bit like lighting fireworks. There may be less risky ways to do it, but the only sure way is simply to avoid it. And with Flash, you needn’t fight pyromaniac urges to abstain from it; just manage your endpoint configurations.


Why would you wish to do this? Well, Googling “Flash vulnerability” returns thirteen million hits! Flash is old and spent and ripe for retirement, as Adobe put it themselves:

Today [November 30, 2015], open standards like HTML5 have matured and provide many of the capabilities that Flash ushered in. … Looking ahead, we encourage content creators to build with new web standards…

Run a vulnerability scanner across your endpoint population. See any Flash mention? Yes, in the average enterprise, zillions. Your attackers know that too, and they are counting on it. Thank you for your contribution! Just continue to ignore those pesky security bloggers, like Brian Krebs:

I would recommend that if you use Flash, you should strongly consider removing it, or at least hobbling it until and unless you need it.

Ignoring Brian Krebs’ advice raises the chances your enterprise’s data breach will be the feature story in one of his future blogs.


Flash Exploits: the Preferred Exploit Kit Ingredient

The endless list of Flash vulnerabilities continues to lengthen with each new patch cycle. Nation state attackers and the better resourced syndicates can call upon Flash zero days. They aren’t hard to mine – launch your fuzz tester against the creaking Flash codebase and watch them roll out. If an offensive cyber team can’t call upon zero days, not to worry, there are plenty of freshly issued Flash Common Vulnerabilities and Exposures (CVE) to draw upon, before enterprise patch cycles catch up. For exploit kit authors, Flash is the gift that keeps on giving.

A recent FireEye blog exemplifies this typical Flash vulnerability progression—from virgin zero-day, to freshly hatched CVE, to prime enterprise exploit:

On May 8, 2016, FireEye detected an attack exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the issue to the Adobe Product Security Incident Response Team (PSIRT). Adobe released a patch for the vulnerability in APSB16-15 just four days later (Posted to FireEye Threat Research Blog on May 13, 2016).

As a quick test, then, check your vulnerability report for that entry, CVE-2016-4117. It was employed in targeted attacks as a zero-day even before it became a known vulnerability. Now that it is known, popular exploit kits will pick it up. Be prepared.

Start a Flash and QuickTime Eradication Project

While we haven’t talked about QuickTime yet, Apple removed support for QuickTime on Windows in April 2016. This summarily set off a panic in corporations with large numbers of Apple macOS and Windows clients. Do you remove all support for QuickTime? Including on macOS? Or just Windows? How do you find the unsupported versions – when there are many floating around?


By doing nothing, you can flirt with disaster, with Flash vulnerability exposures rife across your client endpoint population. Alternatively, you can start a Flash and QuickTime eradication project to move towards a Flash-free enterprise. Or, wait, maybe you educate your users not to glibly open email attachments or click on links. User education, that always works, right? Hmmm.

One problem is that some of your users have a job function to open attachments, such as PDF invoices to accounts payable departments, or applicant Microsoft Word resumes to recruiting departments, or legal notices sent to legal departments.

Let’s take a closer look at the Flash exploit described by FireEye in the blog cited above:

Attackers had embedded the Flash exploit inside a Microsoft Office document, which they then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the document and payload. With this configuration, the attackers could disseminate their exploit via URL or email attachment. Although this vulnerability resides within Adobe Flash Player, threat actors designed this particular attack for a target running Windows and Microsoft Office.


Even if the Flash-averse enterprise had thoroughly purged Flash enablement from all their various browsers, this exploit would still have succeeded. Fully eradicating Flash requires purging it from all browsers and disabling its execution in embedded Flash objects within Office or PDF documents. Certainly that is a step that should be taken at least for those departments whose job function is to open attachments from unsolicited emails. Extending outwards from there is a worthy configuration hardening goal for the security-conscious enterprise.
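As an added example (not code from the Ziften post or its product), here is a PowerShell audit of the two things this paragraph calls for on a Windows endpoint: Flash Player binaries still on disk, and the Microsoft-documented ActiveX “kill bit” that blocks the Flash control from loading in Internet Explorer and inside Office documents. The Flash CLSID, the 0x400 flag and the registry paths are documented values; the function names and report layout are this example’s own, and Adobe Reader’s separate Flash setting is not covered.

```powershell
# Added example (not from the Ziften post): audit a Windows endpoint for Flash
# Player binaries and for the documented "kill bit" that stops the Flash ActiveX
# control loading inside Internet Explorer and inside Office documents.
# Run in an elevated PowerShell session; pass -Remediate to set missing kill bits.
param([switch]$Remediate)

# CLSID of the Shockwave Flash ActiveX control and the COMPAT_EVIL_DONT_LOAD flag.
$FlashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'
$KillBit    = 0x400

# Kill-bit locations for IE and for Office, 64-bit and 32-bit (Wow6432Node) views.
$KillBitKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$FlashClsid"
)

# Directories where the Flash Player ActiveX (.ocx) and NPAPI (.dll) binaries are installed.
$FlashDirs = @("$env:WINDIR\System32\Macromed\Flash", "$env:WINDIR\SysWOW64\Macromed\Flash")

function Test-FlashKillBit {
    param([string]$Key)
    $flags = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]($flags -band $KillBit)   # $null flags -> 0 -> $false
}

function Set-FlashKillBit {
    param([string]$Key)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # OR the flag into any existing value so other compatibility flags are preserved.
    $existing = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    New-ItemProperty -Path $Key -Name 'Compatibility Flags' -PropertyType DWord -Value ([int]$existing -bor $KillBit) -Force | Out-Null
}

function Get-FlashAuditReport {
    $report = @()
    foreach ($dir in $FlashDirs) {
        Get-ChildItem -Path $dir -Include *.ocx, *.dll -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            # Any surviving binary means a document or legacy browser could still load Flash.
            $report += [pscustomobject]@{ Check = 'FlashBinaryAbsent'; Target = $_.FullName
                                          Detail = $_.VersionInfo.FileVersion; Status = 'FAIL' }
        }
    }
    foreach ($key in $KillBitKeys) {
        if ($Remediate -and -not (Test-FlashKillBit $key)) { Set-FlashKillBit $key }
        $status = if (Test-FlashKillBit $key) { 'PASS' } else { 'FAIL' }
        $report += [pscustomobject]@{ Check = 'KillBitSet'; Target = $key
                                      Detail = ('0x{0:X}' -f $KillBit); Status = $status }
    }
    return $report
}

Get-FlashAuditReport | Format-Table -AutoSize -Wrap
```

A clean endpoint produces only KillBitSet rows with PASS and no FlashBinaryAbsent rows; the report objects can be exported with Export-Csv for fleet-wide comparison.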

Not to mention, we’re all waiting for the first post about a QuickTime vulnerability that brings down a major enterprise.


Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Ransomware that is tailored to enterprise attack campaigns has emerged in the wild. This is an obvious evolution of consumer-grade ransomware, driven by the larger bounties that enterprises are able to pay out coupled with the sheer scale of the attack surface (internet-facing endpoints and unpatched software). To the attacker, your enterprise is a tempting target with a big fat wallet just begging to be knocked over.

Your Enterprise Presents a Tempting Target

Simple Google queries may already have identified unpatched internet-facing servers by the score across your domain, or your credulous users may already be opening “spear phishing” emails crafted just for them and apparently authored by people they know.

The weaponized invoices go to your accounting department, the weaponized resumes to your human resources department, the weaponized legal notices to your legal department, and the weaponized trade publication articles to your public relations firm. That should cover it, for starters. Add the watering hole drive-bys planted on industry websites frequented by your employees, the social media attacks targeted at your key executives and their family members, the infected USB sticks strewn around your facilities, and the compromises of your suppliers, customers, and business partners.

Enterprise compromise isn’t an if but a when — the when is continual, the who is legion.

Targeted Ransomware Has Arrived

Malware researchers are now reporting on enterprise-targeted ransomware, a natural evolution in the monetization of enterprise cyber intrusions. Christiaan Beek and Andrew Furtak explain this in an excerpt from Intel Security Advanced Threat Research, February 2016:

“During the past few weeks, we have received information about a new campaign of targeted ransomware attacks. Instead of the normal modus operandi (phishing attacks or drive-by downloads that lead to automatic execution of ransomware), the attackers gained persistent access to the victim’s network through vulnerability exploitation and spread their access to any connected systems that they could. On each system, several tools were used to find, encrypt, and delete the original files as well as any backups.”

Careful reading of this citation immediately reveals steps to be taken. Initial penetration was by “vulnerability exploitation,” as is often the case. A sound vulnerability management program with tracked and enforced exposure tolerances (measured in days) is mandatory. Since the attackers “spread their access to any connected system,” robust network segmentation and access controls are also requisite. Think of them as the watertight compartments on a warship that keep it from sinking when the hull is breached. Of special note, the attackers “delete the original files as well as any backups,” so there must be no delete access from a compromised system to its backup files — systems must only be able to append to their backups.

You Do Have Current Backups, Right?

Of course, there must be current backups of any files that must survive an enterprise intrusion. Paying the ransom is not an effective option since any files created by malware are inherently suspect and must be considered tainted. Enterprise auditors or regulators cannot accept files excreted from some malware orifice as legally valid, the chain of custody having been completely broken. Financial data may have been altered with fraudulent transactions, configuration data may have been tampered with, viruses may have been planted for later re-entry, or the malware file manipulations may simply have had errors or omissions. There would be no way to place any confidence in such data, and accepting it as valid could further compromise all future downstream data dependent upon or derived from it. Treat ransomware data as garbage. Either have a robust backup plan — regularly tested and validated — or prepare to suffer your losses.

Do You Have a Breach Plan?

Even with sound backups, the confidentiality of affected data must be assumed to be breached, because it was read by malware. Even with detailed network logs, it would be impracticable to prove that no data had been exfiltrated. In a targeted attack the attackers typically take a data inventory, reviewing at least samples of the data to assess its potential value — they could be leaving money on the table otherwise. Data ransom demands may simply be the final monetization stage in an enterprise breach, after all other value has been mined from the intrusion, since the ransom demand exposes the compromise.

Your Remediation Plan Must Be Thorough

One should assume that competent attackers have arranged multiple, cunningly concealed avenues of re-entry at various staggered time points (well after your crisis team has stood down and pricey consultants have flown off to their next gig). Any stray evidence left behind was carefully staged to mislead investigators and deflect blame. Expensive re-imaging of systems must be exceedingly thorough, touching every sector of the disk across its entire recording surface and re-creating master boot records (MBRs) and volume boot records from scratch. Some ransomware is known to compromise MBRs.

Also, don’t assume system firmware has not been compromised. If you can update the firmware, so can hackers. It isn’t hard for hacking organizations to explore firmware hacking options when their enterprise targets standardize system hardware configurations, allowing a little lab effort to go a long way. The industrialization of cybercrime allows for the development and sale of firmware hacks on the dark net to a broader criminal market.

Good EDR Tools Can Help

After all of this bad news, there is an answer. When it comes to targeted ransomware attacks, taking proactive steps instead of reactive cleanup is far less painful. A good Endpoint Detection and Response (EDR) tool can assist on both ends. EDR tools are good for identifying exposed vulnerabilities and active applications. Some applications have such a notorious history of exposing vulnerabilities that they are best removed from the environment (Adobe Flash, for instance). EDR tools are also good at tracking all significant endpoint events, so that investigators can identify a “patient zero” and track the pivot activity of targeted enterprise-spreading ransomware. Attackers rely on endpoint opacity to help conceal their actions from security staff, but EDR is there to enable open visibility of notable endpoint events that could signal an attack in progress. EDR isn’t limited to the old antivirus convict-or-acquit model, which allows freshly remixed attack code to evade AV detection.

Good EDR tools are always vigilant, always reporting, always tracking, available when you need them: now or retroactively. You wouldn’t turn a blind eye to enterprise network activity, so don’t turn a blind eye to enterprise endpoint activity.


Written By Dr Al Hartmann And Presented By Chuck Leaver, Ziften CEO

Verizon Enterprise has released its annual Data Breach Investigations Report, reviewing 64,199 security incidents resulting in 2,260 security breaches. Verizon defines an incident as compromising the integrity, confidentiality, or availability of an information asset, while a breach is a confirmed disclosure of data to an unauthorized party. Since preventing breaches is far less painful than enduring them, Verizon offers several sections of recommended controls to be employed by security-conscious enterprises. If you don’t care to read the full 80-page report, Ziften offers this Verizon DBIR analysis with a focus on Verizon’s EDR-enabled recommended controls:

Vulnerabilities Recommended Controls


A solid EDR tool performs vulnerability scanning and reporting of exposed vulnerabilities, including vulnerability exposure timelines illustrating vulnerability management effectiveness. The exposure timelines are important since Verizon stresses a methodical approach that emphasizes consistency and coverage, versus haphazard expedient patching.


Phishing Recommended Controls


Although Verizon recommends user training to avoid phishing susceptibility, their data still shows nearly a third of phishes being opened, with users clicking on the link or attachment more than one time in ten. Not good odds if you have at least ten users! Given the inevitable click compromise, Verizon recommends placing effort into detection of abnormal networking activity indicative of pivoting, C2 traffic, or data exfiltration. A sound EDR solution will not only track endpoint networking activity, but also filter it against network threat feeds identifying malicious network targets. Ziften goes beyond this with our patent-pending ZFlow technology to augment network flow data with endpoint context and attribution, so that SOC staff have vital decision context to rapidly resolve network alerts.


Web App Attacks Recommended Controls


Verizon recommends multi-factor authentication and monitoring of login activity to prevent compromise of web application servers. A solid EDR solution will monitor login activity and will apply anomaly checking to detect unusual login patterns indicative of compromised credentials.


Point-of-Sale Intrusions Recommended Controls


Verizon recommends (and this has also been strongly recommended by FireEye/Mandiant) strong network segmentation of POS devices. Again, a solid EDR solution should be tracking network activity (to identify anomalous network contacts). ZFlow in particular is of great value in providing critical decision context for suspicious network activity. EDR solutions will also address Verizon’s recommendation for remote login tracking to POS devices. Along with this Verizon recommends multi-factor authentication, but a strong EDR capability will augment that with additional login pattern anomaly checking (since even MFA can be defeated with MITM attacks).


Insider and Privilege Misuse Recommended Controls


Verizon recommends “monitor the heck out of [employee] authorized daily activity.” Continuous endpoint monitoring by a solid EDR product naturally provides this capability. In Ziften’s case our product tracks user presence time periods and user focus activities while present (such as foreground application usage). Anomaly checking can identify unusual deviations in activity pattern whether a temporal anomaly (i.e. something has altered this user’s normal activity pattern) or whether a spatial anomaly (i.e. this user behavior pattern differs significantly from peer behavior patterns).


Verizon also recommends tracking usage of USB storage devices, which solid EDR products provide, since they can serve as a “sneaker exfiltration” route.


Miscellaneous Errors Recommended Controls


Verizon’s recommendations in this section focus on maintaining a record of past errors to serve as a warning of mistakes to avoid in the future. Solid EDR products do not forget; they maintain an archival record of endpoint and user activity going back to their first deployment. These records are searchable at any time, perhaps after some future incident has uncovered an intrusion and response teams need to go back and “find patient zero” to unravel the incident and identify where mistakes may have been made.


Physical Theft and Loss Recommended Controls


Verizon recommends (and many regulators demand) full disk encryption, especially for mobile devices. A proper EDR product will verify that endpoint configurations are compliant with enterprise encryption policy, and will alert on violations. Verizon reports that data assets are physically lost one-hundred times more frequently than they are physically stolen, but the impact is essentially the same to the affected enterprise.


Crimeware Recommended Controls


Again, Verizon stresses vulnerability management and consistent, thorough patching. As noted above, proper EDR tools identify and track vulnerability exposures. In Ziften’s case, this keys off the National Vulnerability Database (NVD), filtering it against process image records from our endpoint monitoring. This yields an accurate, up-to-date vulnerability assessment at any point in time.


Verizon also recommends capturing malware analysis data in your own enterprise environment. EDR tools do track arrival and execution of new binaries, and Ziften’s product can obtain samples of any binary present on enterprise endpoints and submit them for detailed static and dynamic analysis by our malware research partners.


Cyber-Espionage Recommended Controls


Here Verizon specifically calls out usage of endpoint threat detection and response (ETDR) tools, referring to the security tool segment that Gartner now terms endpoint detection and response (EDR). Verizon also recommends a number of endpoint configuration hardening steps that can be compliance-verified by EDR tools.


Verizon also recommends strong network protections. We have already discussed how Ziften ZFlow can greatly enhance traditional network flow monitoring with endpoint context and attribution, providing a fusion of network and endpoint security that is truly end-to-end.


Finally, Verizon recommends monitoring and logging, which is the first thing third party incident responders request when they arrive on-scene to assist in a breach crisis. This is the prime purpose of EDR tools, since the endpoint is the most frequent entry vector in a major data breach.


Denial-of-Service Attacks Recommended Controls


Verizon recommends managing port access to prevent enterprise assets from being used to participate in a DoS attack. EDR products can track port usage by applications and employ anomaly checks to identify unusual application port usage that could indicate compromise.


Enterprise services migrating to cloud providers also require protection from DoS attacks, which the cloud provider may provide. However, when it comes to network traffic tracking in the cloud — where the enterprise may lack cloud network visibility — options like Ziften ZFlow provide a means of collecting enhanced network flow data directly from cloud virtual servers. Don’t let the cloud be your network blind spot, or else attackers will exploit it to fly under your radar.