From The Desk Of Ziften CEO, Charles Leaver

With the adoption of bring your own device (BYOD) policies and cloud computing, protecting individual endpoints has become much harder, because administrators may place ease of data access above security. The threats remain, however, since most of the current generation of endpoint security software has not been adapted to defend against aggressive hacking and malicious cyber attack tactics that use individual endpoints as the launch pad for widely distributed attacks.

A well-known endpoint attack of recent times involved a malware strain named Comfoo, which was used to compromise the networks of many multinational organizations back in 2010. The Comfoo malware consisted of a number of custom-built backdoor Trojans and exploits that could continuously distribute malware. More seriously, it could cause damaging data leaks by scraping account and network information and monitoring all user input, according to CRN contributor Robert Westervelt. Comfoo is believed to have been part of a sophisticated cyber espionage campaign, given the method used and its evasion of conventional endpoint monitoring.

The malware compromised targeted devices using email phishing and social engineering, which highlights how ripe endpoints have become for malware infestation, says security executive Jason O’Reilly. Speaking to ITWeb, O’Reilly stated that traditional endpoint software usually does not adequately account for access from locations beyond the IT department, and does not limit data exposure to authorized parties through access controls.

O’Reilly stated that “endpoint security solutions need to offer layered protection that goes beyond signature-based detection only to consist of heuristic-based detection and polymorphic-based detection.” “Today’s networks are exposed to hazards from several sources.”

Real Time Threat Catching And Report Creation

Business consulting firm Frost & Sullivan recognized the high stakes for endpoint security and control techniques, seeing both areas as under pressure from external attackers and from employees’ pressing demand for flexibility in device choice.

Frost & Sullivan analyst Chris Rodriguez stated “enterprise IT organizations now face significant pressure to enable workers to access the business network and files from their own individual devices.” “Considering their seemingly universal nature, quick data connections, and powerful hardware and os, these devices represent prime targets for hackers.”

Asked what companies can do to address the particular weak points of mobile hardware, O’Reilly advised that any solution must provide clear and comprehensive visibility into what is happening on each endpoint, so that action can be taken quickly when risks are identified.


By Charles Leaver Ziften Technologies CEO

A great many organizations believe there is no need to pursue rigorous data loss prevention, regarding cyber attacks as either extremely unlikely to occur or as having very little financial effect if they do. The rise in recorded cyber attacks and advanced persistent threats has actually contributed to this complacency. These attacks tend to evade conventional endpoint security software, and while they lack the teeth of denial-of-service attacks, they have the potential to cause significant damage.

Over 67% of companies claim either that they have not been victims of a cyber attack in the last 18 months, or that they had little or no visibility into whether an attack had compromised their network, according to Infosecurity. The survey’s organizers were skeptical of the results and pointed to the many vulnerable desktop and mobile endpoints now common in companies.

Security expert and survey organizer Tom Cross stated “Any system you link to the Internet is going to be targeted by attackers really rapidly thereafter.” “I would assert that if you’re not sure whether or not your company has had a security event, the possibilities are extremely high that the answer is yes.”

Around 16% said they had experienced a DDoS attack over the same period, and 18% reported malware infiltrations. Despite this, most of the companies surveyed rated the effects as minor and not justifying the implementation of new endpoint security and control systems. Roughly 38% stated that they had not suffered from detected security breaches, and only 20% admitted to financial losses.

Loss of reputation was more prevalent, affecting around 25% of respondents. Illustrating the possible effect of a cyber attack on finances and reputation, an incident at the University of Delaware exposed the sensitive data of 74,000 people, according to WDEL contributor Amy Cherry. The hackers targeted the school’s website and scraped university identification numbers and Social Security Numbers, which led the university to provide free credit monitoring to the affected parties.

Written By Dr Al Hartmann And Presented By Charles Leaver CEO Ziften Technologies


A 5 Point Plan For A New Security Approach Proposed By Amit Yoran

Amit Yoran, RSA President, delivered an exceptional keynote at the RSA Conference that reinforced the Ziften strategy: an intent focus on continuous endpoint monitoring, silo-busting Ziften Open Visibility ™, risk-focused security analytics, and robust defenses for a new age of sophisticated cyber attacks. Yoran criticized current enterprise security techniques as stuck in the Dark Ages of cyber moats and castle walls, calling them an “epic fail”, and set out his vision for the future in five key points; commentary from Ziften’s point of view has been added.

Stop Believing That Even Advanced Protections Are Sufficient

“No matter how high or clever the walls, focused adversaries will discover methods over, under, around, and through.”

Many of the recent, more sophisticated attacks did not use malware as their main strategy. Yoran criticized traditional endpoint antivirus, firewalls and traditional IPS as examples of the Dark Ages, saying these legacy defenses are easily scaled by skilled hackers and are largely inadequate. A signature-based antivirus system can only protect against previously seen threats, but unseen threats are the most dangerous to an organization (since they are the most common targeted attacks). Targeted attackers use malware only 50% of the time, possibly only briefly, at the start of the attack. The attack artifacts are easily altered and never reused in targeted attacks. Accumulating billions of transient indicators of compromise and malware signatures in large antivirus signature databases is a pointless defensive approach.

Adopt a Deep and Pervasive Level of Real Visibility Everywhere – from the Endpoint to the Cloud

“We need pervasive and true visibility into our enterprise environments. You just can’t do security today without the visibility of both constant complete packet capture and endpoint compromise assessment visibility.”

This means continuous endpoint monitoring across the enterprise endpoint population for generic indicators of compromise (not stale attack artifacts) that reveal classic attacker techniques, not short-lived hex-string happenstance. Any organization performing continuous full packet capture (comparatively expensive) can easily afford endpoint threat assessment visibility (relatively inexpensive). Logging and auditing endpoint process activity provides a wealth of security insight using only elementary analytics techniques. A targeted attacker relies on the relative opacity of endpoint user and system activity to cloak and conceal attacks, while true visibility shines a bright light on them.

Identity and Authentication Matter More than Ever

“In a world with no border and with fewer security anchor points, identity and authentication matter more than ever … Eventually in [any successful attack] campaign, the abuse of identity is a stepping stone the opponents use to enforce their will.”

Stronger authentication is good, but it just produces higher walls that are still not impenetrable. What the hacker does once over the wall is what matters most. This calls for tracking user endpoint logins (both local and remote) and application usage for indicators of abnormal user activity (insider attack or potentially compromised credentials). Any observed activity that varies from typical patterns is potentially suspicious. One departure from normality does not make a case, but security analytics that triangulates multiple departures from normality concentrates security attention on the highest-risk anomalies for triage.
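To make the triangulation concrete, here is an added example in Python that is not Ziften’s code: it learns a per-user baseline of login endpoints, source networks and hours from historical records, then counts how many independent departures a new login shows. The record layout, the one-hour slack around usual hours and the two-departure triage threshold are assumptions for the demonstration, and the login history is constructed.

```python
"""Triangulating departures from a user's normal login pattern (added example)."""
from collections import Counter, defaultdict

# Constructed sample history: (user, endpoint, source /24 network, hour of day)
HISTORY = [
    ("alice", "WS-ALICE", "10.1.2", 8), ("alice", "WS-ALICE", "10.1.2", 9),
    ("alice", "WS-ALICE", "10.1.2", 13), ("alice", "WS-ALICE", "10.1.2", 17),
    ("alice", "FILESRV1", "10.1.2", 10),
    ("bob", "WS-BOB", "10.1.3", 9), ("bob", "WS-BOB", "10.1.3", 18),
    ("bob", "WS-BOB", "203.0.113", 20),   # bob sometimes works remotely
]


def build_baseline(history):
    """Count, per user, the endpoints, source networks and hours seen before."""
    base = defaultdict(lambda: {"hosts": Counter(), "nets": Counter(), "hours": Counter()})
    for user, host, net, hour in history:
        base[user]["hosts"][host] += 1
        base[user]["nets"][net] += 1
        base[user]["hours"][hour] += 1
    return base


def score_login(baseline, user, host, net, hour):
    """Return (score, reasons): one point per independent departure from baseline."""
    profile = baseline.get(user)
    if profile is None:
        return 3, ["user has no login history"]
    reasons = []
    if host not in profile["hosts"]:
        reasons.append("first login to this endpoint")
    if net not in profile["nets"]:
        reasons.append("first login from this source network")
    lo, hi = min(profile["hours"]), max(profile["hours"])
    if not (lo - 1 <= hour <= hi + 1):   # assumed slack: one hour either side
        reasons.append("outside usual hours")
    return len(reasons), reasons


def triage(baseline, logins, threshold=2):
    """Return logins with at least `threshold` departures, highest score first."""
    scored = []
    for login in logins:
        score, reasons = score_login(baseline, *login)
        if score >= threshold:
            scored.append((score, login, reasons))
    scored.sort(key=lambda item: -item[0])
    return scored


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    new_logins = [
        ("alice", "WS-ALICE", "10.1.2", 9),      # normal: no departure
        ("alice", "WS-ALICE", "10.1.2", 22),     # one departure: noted, not triaged
        ("alice", "DC01", "198.51.100", 3),      # three departures: top of the queue
        ("bob", "WS-BOB", "203.0.113", 20),      # remote work is normal for bob
    ]
    for score, login, reasons in triage(baseline, new_logins):
        print(score, login, "; ".join(reasons))
```

A single off-hours login by alice scores one and stays out of the triage queue; the same user on a new host, from a new network, at 3 a.m. scores three and is reported first.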

External Threat Intelligence Is A Core Capability

“There are unbelievable sources for the best threat intelligence … [which] should be machine-readable and automated for increased speed and leverage. It should be operationalized into your security program and tailored to your company’s assets and interests so that analysts can quickly deal with the threats that present the most risk.”

Targeted attacks usually do not reuse readily signatured artifacts, network addresses or C2 domains, but there is still value in threat intelligence feeds that aggregate timely discoveries from countless endpoint and network threat sensors. Here at Ziften we incorporate third-party threat feeds via the Ziften Knowledge Cloud, and expose Ziften discoveries to SIEM and other enterprise security and operations infrastructure by means of our Open Visibility ™ architecture. As more machine-readable threat intelligence (MRTI) feeds evolve, this capability will grow accordingly.

Understand What Matters Most To Your Organization And What Is Mission Critical

“You need to comprehend what matters to your organization and what is mission critical. You have to … protect what is essential and protect it with everything you have.”

This is the case for risk-driven analytics and instrumentation that focuses security attention and effort on the areas of greatest business risk exposure. Yoran’s point is that asset value prioritization is only one side of business risk analysis, which goes much deeper, both pragmatically and academically. Security analytics that focus staff attention on the most pressing dynamic threats (for instance by filtering, correlating and scoring SIEM alert streams for security triage) need to be well grounded in all sides of business risk analysis.

At Ziften we applaud Amit Yoran’s messages in his RSA 2015 keynote as the cyber security industry moves beyond the current Dark Ages of facile targeted attacks and entrenched exploitation.

Ziften CEO Charles Leaver


After Target was breached, it took several months for the company to recover and be given a clean bill of health.

Constant Recovery Effort And Reports Of Financial Loss

Target’s data breach was a major story. Like all major news it faded from national coverage, but for the company it remained a significant priority. The retailer cut its profit forecast for 2014 once again, which implies it had underestimated the effect of the attack it suffered, according to CNN Money.

The reduction in earnings was considerable: the company reported 62% lower earnings. On top of that, it had to pay out $111 million in the second financial quarter as a direct result of the breach, and all of this adds up to a once robust company now looking a shadow of its former self because of a cyber attack.

As the fallout continued, the scale of the attack emerged. Information on around 110 million people was compromised, and 40 million of those had credit card data stolen. As news of the breach spread, the business made significant changes, including stricter cyber security procedures and a change of system administration. Long-standing CEO Gregg Steinhafel also resigned. But this is not considered enough to offset the effect of the attack. Target’s stakeholders are absorbing the negative results of the attack as much as the company itself, according to Brian Sozzi of Belus Capital.

In an email to CNN Money, Sozzi stated “Target simply dropped an epic full year profits warning onto the heads of its remaining investors.” “Target has actually given investors NO reason to be encouraged that a global turn-around is secretly emerging.”

Target Offers A Lesson For All Organizations About Improved Pre-emptive Measures

No matter how prepared an organization is for a cyber attack, there is no assurance that recovery will be any quicker. The bottom line is that a data breach is bad news for any organization, whatever you call it or however you try to fix it. Preventive measures are the best way forward, and you have to take steps to ensure an attack does not happen to your organization in the first place. Endpoint threat detection systems can play a significant role in maintaining strong defenses for any company that chooses to implement them.


Charles Leaver Ziften CEO


What may be the largest cyber attack in the history of data breaches has been discovered by an American cyber security company. The company believes a group of Russian cyber criminals it has been investigating for several months is responsible for stealing billions of passwords and other sensitive personal data. The group allegedly stole 4.5 billion credentials, many of them duplicates, leaving 1.2 billion unique data profiles. The data came from 420,000 websites of varying sizes, from big-brand sites to small mom-and-pop shops.

The New York Times reported that the group consisted of about 12 individuals. Starting with small-scale spamming in 2011, they acquired most of the data by buying stolen databases.

In an interview with PCMag, Alex Holden, founder of the company that found the breach, said “the gang began by just purchasing the databases that were available online.” The group bought at fire sales and were referred to as “bottom feeders”. As time progressed they began buying higher quality databases. “It’s sort of like graduating from stealing bicycles to taking pricey automobiles.”

A Progression From Spamming To Using Botnets

The group then changed its methods. Botnets were employed to collect stolen data on a much larger scale, automating the identification of vulnerable sites and allowing the group to work 24/7. Whenever an infected user visited a website, the bot would automatically check whether the site was vulnerable to SQL injection. Using these injections, a frequently used hacking technique, the site’s database would be forced to reveal its contents through a basic query. The botnets flagged vulnerable sites and the hackers returned later to extract the data. The use of the bot was ultimately the group’s downfall, as it was how the security company discovered them.

The security company believes the billions of records were not taken all at once, and that most were probably purchased from other cyber criminals. According to the Times, very few of the stolen records have been sold online; instead the group has chosen to use the information to send spam messages on social media on behalf of other groups for money. Various cyber security experts assert that the magnitude of this breach signals a trend of cyber criminals stockpiling huge quantities of personal profiles over time and saving them for future use, according to the Wall Street Journal.

Gartner security analyst Avivah Litan said “businesses that depend on user names and passwords need to cultivate a sense of urgency about altering this.” “Up until they do, crooks will simply keep stockpiling people’s credentials.”

Cyber attacks and breaches on this scale underline the need for organizations to protect themselves with the latest cyber security defenses. Systems that use endpoint threat detection and response will help companies build a clearer picture of the threats facing their networks and receive actionable information on how best to resist attacks. Today, when major data breaches are only going to become more frequent, continuous endpoint visibility is critical to an organization’s security. If the organization’s network is continuously monitored, threats can be recognized in real time, minimizing the damage a data breach can cause to reputation and the bottom line.

Written By Charles Leaver CEO Ziften


We sponsored a fantastic Splunk.conf2014 program in Las Vegas and returned energized and chomping at the bit to push our solution here at Ziften even further forward. A talk of particular interest was by Jose Hernandez, Security Solutions Architect for Splunk, titled “Utilizing Splunk to Automatically Reduce Threats”. If you wish to see his slides and a recording of the talk, please go to http://conf.splunk.com/sessions/2014

Using Splunk to help with mitigation, or as I prefer to call it, “Active Response”, is a great concept. Having all of your intelligence data streaming into Splunk is extremely powerful, whether endpoint data, external threat feeds and so on, and being able to act on that data really closes the loop. At Ziften we have our powerful continuous monitoring on the endpoint, and being married to Splunk is something we are extremely proud of. Pairing real-time information analysis with the ability to react and take action against events is a strong move in the right direction.

Ziften has developed a mitigation action using the available Active Response code; a demo video is included in this blog below. As a proof of concept, we were able to build a mitigation action within our Ziften App for Splunk. Once the action is run, results can be observed and tracked within Splunk ES (Enterprise Security). This is a major addition: users can now monitor and track mitigations within Splunk ES, which gives you the major advantage of closing the loop and building a history of your actions.

That Splunk is driving such an initiative thrills us; this is likely to evolve, and we are committed to supporting it and developing it further. It is an extremely exciting time in the Endpoint Detection and Response space, and the addition of the Active Response Framework integrated into Splunk will definitely generate a high degree of interest, in my view.

For any questions relating to the Ziften App for Splunk, please email sales@ziften.com

Presented By Charles Leaver And Written By Dr Al Hartmann Of Ziften Inc.


The Breadth Of The Indicator – Broad Versus Narrow

A comprehensive report of a cyber attack will generally provide details of indicators of compromise. Frequently these are narrow in scope, referencing a particular attack group as seen in a specific attack on an organization over a limited period. Generally these narrow indicators are specific artifacts of an observed attack that could constitute particular proof of compromise by themselves. For that attack they have high specificity, but typically at the expense of low sensitivity to comparable attacks using other artifacts.

Essentially, narrow indicators have very restricted scope, which is why they exist by the billions in enormous, continually expanding databases of malware signatures, suspicious network addresses, malicious registry keys, file and packet content snippets, file paths, intrusion detection rules and so on. Ziften’s continuous endpoint monitoring solution aggregates a number of these third-party databases and threat feeds into the Ziften Knowledge Cloud, to benefit from known-artifact detection. These detection elements can be applied in real time as well as retrospectively. Retrospective application is essential given the transient nature of these artifacts, as hackers constantly rework and hide the details of their attacks to frustrate narrow IoC detection. This is why a continuous monitoring system needs to archive monitoring results for a long period (relative to industry-reported average attacker dwell times), to provide a sufficient lookback horizon.

Narrow IoCs have substantial detection value but are largely inadequate for detecting new cyber attacks by skilled hackers. New attack code can be pre-tested against common enterprise security products in lab environments to confirm that no detectable artifacts are reused. Security solutions that operate merely as black/white classifiers, i.e. giving a definite determination of malicious or benign, suffer from this weakness. This approach is very easily evaded. The protected company is likely to be thoroughly hacked for months or years before any detectable artifacts can be identified (after intensive investigation) for the specific attack instance.
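The lookback-horizon point can be shown with a small added Python example (not Ziften’s code): archived process-start records are re-scanned when a new narrow IoC, here a file hash, arrives, and the age of the earliest match is compared with the archive depth. If the archive is shallower than the attacker’s dwell time, the first execution is never seen. The records, the placeholder hashes, the paths and the publication date are all constructed.

```python
"""Retrospective matching of a new narrow IoC against archived telemetry (added example)."""
from datetime import date, timedelta

# Constructed archive: (day observed, endpoint, image path, placeholder hash)
ARCHIVE = [
    (date(2015, 1, 5), "WS-017", r"C:\Windows\System32\com\svchost.exe", "HASH-AAA"),
    (date(2015, 1, 20), "WS-017", r"C:\Windows\System32\svchost.exe", "HASH-SYS"),
    (date(2015, 3, 2), "WS-044", r"C:\Windows\System32\com\svchost.exe", "HASH-AAA"),
    (date(2015, 4, 10), "WS-044", r"C:\Users\Public\update.exe", "HASH-BBB"),
]


def retrospective_scan(archive, ioc_hashes, published_on, lookback_days):
    """Archived records whose hash is in `ioc_hashes` and which lie inside the
    lookback window ending on `published_on`."""
    horizon = published_on - timedelta(days=lookback_days)
    return [rec for rec in archive if rec[3] in ioc_hashes and rec[0] >= horizon]


def earliest_match_age_days(archive, ioc_hashes, published_on):
    """Days between the first-ever sighting of the artifact and IoC publication:
    the minimum archive depth needed to see the initial compromise."""
    ages = [(published_on - rec[0]).days for rec in archive if rec[3] in ioc_hashes]
    return max(ages) if ages else None


def affected_hosts(matches):
    """Endpoints named in a set of matched records, in first-seen order."""
    seen = []
    for rec in matches:
        if rec[1] not in seen:
            seen.append(rec[1])
    return seen


if __name__ == "__main__":
    published = date(2015, 4, 20)           # constructed: day the report's hash arrives
    ioc = {"HASH-AAA"}
    for depth in (60, 180):
        hits = retrospective_scan(ARCHIVE, ioc, published, depth)
        print(depth, "day archive ->", affected_hosts(hits))
    print("first sighting was", earliest_match_age_days(ARCHIVE, ioc, published), "days ago")
```

With a 60-day archive the scan finds only the second infected endpoint; only a 180-day archive reaches back to the initial compromise 105 days before the hash was published, which is the relationship the paragraph above draws between dwell time and lookback horizon.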

In contrast to the ease with which attack artifacts can be obscured by ordinary hacker toolkits, the particular techniques and strategies, the modus operandi, used by attackers have persisted over several decades. Common techniques such as weaponized sites and documents, new service installation, vulnerability exploitation, module injection, modification of sensitive directories and registry areas, new scheduled tasks, memory and drive corruption, credential compromise, malicious scripting and many others are broadly typical. Proper system logging and monitoring can discover much of this attack activity when properly paired with security analytics to concentrate on the highest-risk observations. This removes the hackers’ opportunity to pre-test the evasiveness of their code, since the quantification of risk is not black and white but nuanced shades of gray. In particular, endpoint risk is variable and relative across any network/user environment and period of time, and that environment (and its temporal characteristics) cannot be duplicated in any lab. The attacker’s essential concealment approach is foiled.

In future posts we will examine Ziften endpoint threat analysis in more detail, as well as the crucial relationship between endpoint security and endpoint management. “You can’t protect what you don’t manage, you can’t manage what you don’t measure, you can’t measure what you don’t track.” Organizations get breached because they have less oversight and control of their endpoint environment than the attackers have. Keep an eye out for future posts…

Presented By Charles Leaver And Written By Dr Al Hartmann

Part 3 in a 3 part series


Below are excerpts of indicators of compromise (IoCs) from the technical reports on the Anunak/Carbanak APT attacks, with comments on their detection by the Ziften continuous endpoint monitoring service. The Ziften system focuses on generic indicators of compromise that have remained consistent over decades of hacker attacks and cyber security experience; these can be recognized on any operating system, such as Linux, OS X and Windows. Specific indicators of compromise also exist that reflect C2 infrastructure or particular attack code instances, but these are short-lived and not typically reused in fresh attacks. There are billions of these artifacts in the security world, with thousands added every day. Generic IoCs are embedded for the supported operating systems in the Ziften security analytics, and the specific IoCs are supplied by the Ziften Knowledge Cloud through subscriptions to a variety of industry threat feeds and watch lists that aggregate them. Both have value and help in triangulating attack activity.

1. Exposed vulnerabilities

Excerpt: All observed cases used spear phishing emails with Microsoft Word 97–2003 (.doc) files attached or CPL files. The doc files exploit both Microsoft Office (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761).

Comment: Not strictly an IoC, but critical exposed vulnerabilities are a major hacker lever and a large warning that raises the risk score (and the SIEM priority) for the endpoint, particularly if other indicators are also present. These vulnerabilities point to lax patch management and vulnerability lifecycle management, which leads to a weakened cyber defense posture.

2. Suspect Locations

Excerpt: Command and Control (C2) servers located in China have actually been determined in this project.

Comment: Geolocation of endpoint network contacts and scoring by location both contribute to the risk score that drives up the SIEM priority. There are valid reasons for contact with Chinese servers, and some organizations may have sites located in China, but this should be verified by spatial and temporal anomaly checking. IP address and domain information should be attached to the resulting SIEM alarm so that SOC triage can be performed quickly.

3. New Binaries

Excerpt: Once the remote code execution vulnerability is successfully exploited, it installs Carbanak on the victim’s system.

Comment: New binaries are always suspicious, but not all of them need to raise alarms. Image metadata should be examined for a pattern, for example a new app or a new version of an existing app from an existing vendor on a likely file path for that vendor. Hackers will try to spoof whitelisted apps, so signing data can be compared along with file size and file path to filter out obvious cases.

4. Uncommon Or Sensitive Filepaths

Excerpt: Carbanak copies itself into “%system32%\com” with the name “svchost.exe” with the file attributes: system, hidden and read-only.

Comment: Any write into the System32 filepath is suspicious, as it is a sensitive system directory, so it is immediately subjected to anomaly checking. A classic anomaly would be svchost.exe, an essential system process image, in the unusual location of the com subdirectory.

5. New Autostarts Or Services

Excerpt: To guarantee that Carbanak has autorun privileges the malware produces a brand-new service.

Comment: Any autostart or new service is typical of malware and is always checked by the analytics. Anything of low prevalence would be suspicious. If checking the image hash against industry watchlists shows it is unknown to the majority of antivirus engines, this raises suspicion further.

6. Low Prevalence File In High Prevalence Directory

Excerpt: Carbanak creates a file with a random name and a .bin extension in %COMMON_APPDATA%\Mozilla where it stores commands to be carried out.

Comment: This is a classic example of “one of these things is not like the other” that is simple for the security analytics to check in a continuous monitoring environment. This IoC is totally generic: it has nothing to do with which filename or which directory is created. Although the technical report lists it as a specific IoC, it is trivially generalized beyond Carbanak to future attacks.

7. Suspect Signer

Excerpt: In order to render the malware less suspicious, the latest Carbanak samples are digitally signed

Comment: Any suspect signer is treated as suspicious. In one case a signer provided a suspect anonymous gmail address, which does not inspire confidence, so the risk score for that image rises. In other cases no email address is provided at all. Signers can be quickly listed and a Pareto analysis performed to identify the more versus less trusted signers. If a less trusted signer is found in a more sensitive directory, that is very suspicious.

8. Remote Administration Tools

Excerpt: There appears to be a preference for the Ammyy Admin remote administration tool for remote control. It is believed that the attackers utilized this remote administration tool since it is typically whitelisted in the victims’ environments as a result of being used frequently by administrators.

Comment: Remote admin tools (RATs) always raise suspicion, even when whitelisted by the organization. Anomaly checking would determine whether each new remote admin tool is consistent temporally and spatially. RATs are subject to abuse: hackers will always prefer to use an organization’s own RATs to avoid detection, so they should not be given a pass every time just because they are whitelisted.

9. Patterns Of Remote Login

Excerpt: Logs for these tools show that they were accessed from 2 different IPs, probably used by the attackers, and located in Ukraine and France.

Comment: Always suspect remote logins, since all hackers are presumed to be remote. They are also common in insider attacks, as the insider does not wish to be identified with the system. Remote addresses and time pattern anomalies would be checked, which should reveal low-prevalence use (relative to peer systems) plus any suspect geography.

10. Atypical IT Tools

Excerpt: We have actually also discovered traces of various tools utilized by the hackers inside the victim’s network to gain control of additional systems, such as Metasploit, PsExec or Mimikatz.

Comment: As sensitive apps, IT tools must always be checked for anomalies, because many hackers subvert them for malicious purposes. Metasploit could be used by a penetration tester or vulnerability researcher, but such instances would be uncommon. This is a prime example where an unusual observation report, vetted by security personnel, would lead to corrective action. It also highlights the problem that blanket whitelisting does not help in recognizing suspicious activity.
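Pulling the ten comments above together, here is an added Python example, not Ziften’s analytics, that scores constructed endpoint observations against generic rules of the kinds described (sensitive-directory writes, a system image name outside System32, low-prevalence images, new services, suspect signers, remote admin and offensive IT tools, remote logins from unexpected countries) and sums the points per endpoint into a SIEM priority. The field names, weights, tool lists, expected countries, placeholder hashes and sample observations are all assumptions.

```python
"""Scoring endpoint observations against generic indicators of compromise (added example)."""
from collections import defaultdict

SYSTEM32 = "c:\\windows\\system32"
SENSITIVE_DIRS = (SYSTEM32,)
SYSTEM_IMAGES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
REMOTE_ADMIN_TOOLS = {"ammyy admin"}
ATTACK_TOOLS = {"metasploit", "psexec", "mimikatz"}
SUSPECT_MAIL_DOMAINS = {"gmail.com"}        # anonymous webmail signer, as in item 7
EXPECTED_COUNTRIES = {"US", "GB"}           # assumed for the sample organization
PREVALENCE_FLOOR = 3                        # seen on fewer endpoints = low prevalence

# Constructed: how many endpoints in the fleet have each image hash been seen on
PREVALENCE = {"H-AAA": 1, "H-RAT": 2, "H-VEN": 140, "H-PSX": 4, "H-SYS": 200}

# Constructed observations from a continuous monitor
OBSERVATIONS = [
    {"host": "WS-017", "kind": "file_write",
     "path": r"C:\Windows\System32\com\svchost.exe", "sha256": "H-AAA"},
    {"host": "WS-017", "kind": "new_service",
     "path": r"C:\Windows\System32\com\svchost.exe", "sha256": "H-AAA",
     "signer_email": "someone@gmail.com"},
    {"host": "WS-017", "kind": "process_start", "tool": "Ammyy Admin", "sha256": "H-RAT"},
    {"host": "WS-017", "kind": "remote_login", "source_country": "UA"},
    {"host": "WS-003", "kind": "file_write",
     "path": r"C:\Program Files\Vendor\app.exe", "sha256": "H-VEN",
     "signer_email": "release@vendor.example"},
    {"host": "WS-003", "kind": "remote_login", "source_country": "US"},
    {"host": "IT-ADMIN", "kind": "process_start", "tool": "PsExec", "sha256": "H-PSX"},
]


def score_observation(obs, prevalence):
    """Return (points, reasons) for one observation; each rule is independent."""
    points, reasons = 0, []
    path = obs.get("path", "").lower()
    if path:
        parent, _, name = path.rpartition("\\")
        if path.startswith(SENSITIVE_DIRS):
            points += 2
            reasons.append("write into sensitive directory")
        if name in SYSTEM_IMAGES and parent != SYSTEM32:
            points += 3
            reasons.append("system image name outside System32")
    sha = obs.get("sha256")
    if sha is not None and prevalence.get(sha, 0) < PREVALENCE_FLOOR:
        points += 2
        reasons.append("low-prevalence image")
    if obs["kind"] == "new_service":
        points += 1
        reasons.append("new service or autostart")
    if "signer_email" in obs:               # image is signed; judge the signer
        signer = obs["signer_email"]
        if signer is None or signer.rpartition("@")[2].lower() in SUSPECT_MAIL_DOMAINS:
            points += 2
            reasons.append("missing or suspect signer")
    tool = obs.get("tool", "").lower()
    if tool in REMOTE_ADMIN_TOOLS:
        points += 2
        reasons.append("remote admin tool")
    if tool in ATTACK_TOOLS:
        points += 3
        reasons.append("offensive IT tool")
    if obs["kind"] == "remote_login":
        points += 1
        reasons.append("remote login")
        if obs.get("source_country") not in EXPECTED_COUNTRIES:
            points += 2
            reasons.append("login from unexpected country")
    return points, reasons


def priority(score):
    """Assumed SIEM bands: several corroborating indicators push a host to high."""
    return "high" if score >= 8 else "medium" if score >= 3 else "low"


def rank_hosts(observations, prevalence):
    """Sum points per endpoint and return (host, score, priority), highest first."""
    totals = defaultdict(int)
    for obs in observations:
        totals[obs["host"]] += score_observation(obs, prevalence)[0]
    ranked = [(host, score, priority(score)) for host, score in totals.items()]
    return sorted(ranked, key=lambda item: -item[1])


if __name__ == "__main__":
    for host, score, level in rank_hosts(OBSERVATIONS, PREVALENCE):
        print(f"{host:10s} {score:3d} {level}")
```

No single rule convicts WS-017; the sum of a misplaced svchost.exe, a low-prevalence service signed with a webmail address, a remote admin tool and a login from an unexpected country does. A lone PsExec run on the admin workstation lands in the medium band for a human to vet, which is the outcome item 10 argues for.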

Presented By Charles Leaver And Written By Dr Al Hartmann

Part 2 in a 3 part series


Continuous Endpoint Monitoring Is Really Effective


Convicting and blocking malicious software before it can compromise an endpoint is fine. However, this approach is largely inadequate against cyber attacks that have been pre-tested to evade it. The real issue is that these hidden attacks are carried out by skilled human hackers, while traditional endpoint defense is an automated process run by endpoint security systems that rely mainly on basic antivirus technology. Human intelligence is more creative and versatile than machine intelligence and will always be superior to automated machine defenses. This echoes the Turing test, with automated defenses attempting to rise to the intellectual level of a skilled human hacker. At present, artificial intelligence and machine learning are not sophisticated enough to fully automate cyber defense; the human hacker is going to win, while those infiltrated are left counting their losses. We are not living in a sci-fi world where machines can out-think people, so you should not assume that a security software suite will automatically take care of all your problems and prevent all attacks and data loss.

The only genuine way to stop a determined human hacker is with a determined human cyber defender. To engage your IT Security Operations Center (SOC) staff in this role, they must have complete visibility of network and endpoint operations. That visibility will not come from standard endpoint antivirus solutions, which are designed to stay silent unless they catch and quarantine malware. This traditional approach renders the endpoints opaque to security personnel, and hackers use that opacity to conceal their attacks. The opacity extends backwards and forwards in time – your security staff don't know what was running across your endpoint population previously, what is running now, or what to expect in the future. If diligent security staff find hints that call for a forensic look back to uncover attacker activity, your antivirus suite will be unable to help: it did not act at the time, so no events were recorded.

In contrast, continuous endpoint monitoring is always working – supplying real-time visibility into endpoint operations, offering forensic look-backs so that newly emerging evidence of an attack can be acted on and indicators identified earlier, and providing a baseline of normal operating patterns so that it knows what to expect and can alert on abnormalities in the future. Continuous endpoint monitoring supplies not just visibility but informed visibility, applying behavioral analytics to find operations that look unusual. Abnormalities are continuously examined and aggregated by the analytics and reported to SOC staff through the company's security information and event management (SIEM) system, with the most worrying suspicious abnormalities flagged for security staff attention and action. Continuous endpoint monitoring enhances and scales human intelligence; it does not replace it. It is a bit like the old game on Sesame Street: "One of these things is not like the other."

A child can play this game. It is easy because most items (high prevalence) look like each other, while one or a small number (low prevalence) are different and stand out. The out-of-the-ordinary actions taken by cyber criminals have been fairly constant in hacking for decades; the Carbanak technical reports that list the indicators of compromise are good examples and will be covered below. When continuous endpoint monitoring security analytics are in place and surface these patterns, it is easy to recognize something suspicious or unusual. Cyber security staff can then carry out rapid triage on these abnormal patterns and quickly reach a yes/no/maybe verdict that separates uncommon but known-good activities from harmful ones, or from activities that need additional monitoring and deeper forensic examination to confirm.
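The prevalence game described above can be turned into a concrete analytic. The Python below is an added example, not Ziften's code or the Carbanak reports' own analytics; the endpoint inventory, baseline period, host and executable names and the 15 percent threshold are all constructed assumptions. It ranks each executable by how many endpoints run it, flags the low-prevalence ones, and scores those never seen during the baseline period highest, which is the "review now" versus "maybe" split the triage analyst needs.

```python
"""Prevalence and baseline analytics over an endpoint population.

Added example (not Ziften code or the Carbanak reports' analytics). The
inventory snapshots, host names, executable names and the prevalence
threshold are constructed for illustration.
"""
from collections import Counter

# Constructed baseline: which executables each of 10 endpoints ran during
# the learning period. A handful of common programs appear everywhere.
COMMON = {"explorer.exe", "svchost.exe", "outlook.exe", "chrome.exe"}
BASELINE = {f"host{n:02d}": set(COMMON) for n in range(1, 11)}
for n in range(1, 8):
    BASELINE[f"host{n:02d}"].add("excel.exe")       # 7 of 10 endpoints
BASELINE["host08"].add("putty.exe")                 # rare but legitimately present
BASELINE["host02"].add("vpnclient.exe")
BASELINE["host05"].add("vpnclient.exe")

# Constructed current snapshot: same population, one new executable on host03.
CURRENT = {host: set(images) for host, images in BASELINE.items()}
CURRENT["host03"].add("winlogon_helper.exe")        # never seen in the baseline


def prevalence(snapshot):
    """Fraction of endpoints on which each executable was observed."""
    counts = Counter()
    for images in snapshot.values():
        counts.update(images)
    total = len(snapshot)
    return {image: counts[image] / total for image in counts}


def rank_anomalies(snapshot, baseline, threshold=0.15):
    """Return low-prevalence executables, new-to-baseline ones first.

    threshold: prevalence at or below which an executable counts as "one of
    these things is not like the other". 0.15 is an arbitrary constructed value.
    """
    seen_before = set().union(*baseline.values())
    findings = []
    for image, prev in prevalence(snapshot).items():
        if prev > threshold:
            continue
        hosts = sorted(h for h, imgs in snapshot.items() if image in imgs)
        is_new = image not in seen_before
        findings.append({
            "image": image,
            "prevalence": prev,
            "hosts": hosts,
            "new_to_baseline": is_new,
            # Triage hint for the analyst: "maybe" means a human must decide.
            "triage": "review now" if is_new else "maybe",
        })
    # New-and-rare first, then by rarity, then by name for a stable order.
    findings.sort(key=lambda f: (not f["new_to_baseline"], f["prevalence"], f["image"]))
    return findings


if __name__ == "__main__":
    for f in rank_anomalies(CURRENT, BASELINE):
        print(f"{f['triage']:10s} {f['image']:22s} "
              f"prevalence={f['prevalence']:.2f} hosts={f['hosts']}")
```

With these inputs the VPN client (two endpoints) sits above the threshold and is ignored, PuTTY (one endpoint, present in the baseline) is reported as a "maybe", and the executable that appeared on a single endpoint after the baseline period is put at the top of the queue.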

A hacker has no way to pre-test their attacks when this kind of defense is in place. Continuous endpoint monitoring security has a non-deterministic threat analytics component (that alerts on suspect activity) in addition to a non-deterministic human element (that carries out alert triage). Depending on current activity, the endpoint population mix and the experience of the cyber security personnel, developing attack activity may or may not be discovered. This is the nature of cyber warfare and there are no guarantees. But if your cyber security fighters are equipped with continuous endpoint monitoring analytics and visibility, they will have an unfair advantage.

Presented By Charles Leaver And Written By Dr Al Hartmann

Part 1 in a 3-part series


Carbanak APT Background Particulars

A billion-dollar bank raid, targeting more than a hundred banks around the world by a group of unknown cyber criminals, has been in the news. The attacks on the banks started in early 2014 and have been expanding around the world. Most of the victims suffered intrusions lasting several months across numerous endpoints before they experienced financial loss. Most of the victims had security procedures in place that included network and endpoint security systems, but these did not provide much warning of, or defense against, these cyber attacks.

A number of security companies have produced technical reports about the attacks, codenamed either Carbanak or Anunak, listing the indicators of compromise that were observed. The companies include:

Fox-IT from Holland
Group-IB from Russia
Kaspersky Lab from Russia

This post will serve as a case study of the cyber attacks and investigate:

1. Why were traditional endpoint security and network security unable to detect and resist the attacks?
2. Why would continuous endpoint monitoring (as provided by the Ziften solution) have given early warning of the endpoint attacks and then triggered a response to prevent data loss?

Standard Endpoint Security And Network Security Is Inadequate

Built on a legacy security model that relies too heavily on blocking and prevention, traditional endpoint and network security does not offer a balanced strategy of blocking, prevention, detection and response. It would not be hard for any cyber criminal to pre-test their attacks against a small number of traditional endpoint and network security products so they could be sure an attack would not be discovered. Several of the hackers in fact researched the security products in place at the victim companies and then became skilled at breaking through undetected. The cyber criminals knew that most of these security products only respond to an event they recognize and otherwise do nothing. What this means is that normal endpoint operation remains largely opaque to IT security staff, so malicious activity is effectively masked (the hackers having already tested it to avoid detection). After an initial breach has taken place, the malicious activity can spread to users with greater privileges and to more sensitive endpoints. This is easily achieved through the theft of credentials, where no malware is needed, and traditional IT tools (which have been whitelisted by the victim organization) can be driven by scripts the cyber criminals have developed. No detectable malware need be present on the endpoints, so no red flags are raised. Standard endpoint security software is far too reliant on looking for malware.

Traditional network security can be manipulated in a similar way. Hackers test their network activities first to avoid being caught by widely distributed IDS/IPS rules, and they carefully monitor normal endpoint operation (on endpoints that have been compromised) so as to hide their activity within normal transaction windows and normal network traffic patterns. A fresh command and control infrastructure is created that is not yet registered on network address blacklists, at either the IP or domain level. There is not much to give the hackers away here. However, more astute network behavioral analysis, especially when linked to the endpoint context (discussed later in this series of posts), can be a lot more effective.
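The behavioral approach hinted at above, as an added example (not Ziften's code or the Carbanak reports' analytics): the Python below finds connection streams whose timing is too regular to be human-driven, and joins each with the endpoint context of which process on which host produced it. The connection records, timestamps, process prevalence figures, blacklist and regularity threshold are all constructed; the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Regular-interval connection detection joined with endpoint process context.

Added example (not Ziften code or the Carbanak reports' analytics). The
connection records, process prevalence figures, blacklist, addresses (RFC 5737
documentation ranges) and the regularity threshold are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records: (epoch seconds, host, process, destination).
# One timer-driven stream from a process seen on a single endpoint, and one
# bursty browser stream from the same host.
CONNECTIONS = [
    (0,    "wkstn-042", "updsvc.exe", "203.0.113.10"),
    (298,  "wkstn-042", "updsvc.exe", "203.0.113.10"),
    (602,  "wkstn-042", "updsvc.exe", "203.0.113.10"),
    (899,  "wkstn-042", "updsvc.exe", "203.0.113.10"),
    (1201, "wkstn-042", "updsvc.exe", "203.0.113.10"),
    (1500, "wkstn-042", "updsvc.exe", "203.0.113.10"),
    (0,    "wkstn-042", "chrome.exe", "198.51.100.20"),
    (12,   "wkstn-042", "chrome.exe", "198.51.100.20"),
    (240,  "wkstn-042", "chrome.exe", "198.51.100.20"),
    (255,  "wkstn-042", "chrome.exe", "198.51.100.20"),
    (900,  "wkstn-042", "chrome.exe", "198.51.100.20"),
    (903,  "wkstn-042", "chrome.exe", "198.51.100.20"),
]

# Constructed endpoint context: fraction of a 50-endpoint population running
# each process (the output of a prevalence analytic).
PROCESS_PREVALENCE = {"chrome.exe": 48 / 50, "updsvc.exe": 1 / 50}

# Constructed address blacklist; freshly built infrastructure is not on it.
BLACKLIST = {"192.0.2.99"}


def blacklist_hits(connections, blacklist):
    """What traditional network security flags: nothing for fresh infrastructure."""
    return [c for c in connections if c[3] in blacklist]


def find_regular_streams(connections, min_events=5, max_cv=0.1):
    """Flag (host, process, dst) streams whose connection gaps are too regular.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    successive connections. Human-driven traffic is bursty, so a low cv over
    several events points at a timer. max_cv=0.1 is a constructed threshold.
    """
    streams = defaultdict(list)
    for ts, host, proc, dst in connections:
        streams[(host, proc, dst)].append(ts)
    findings = []
    for (host, proc, dst), stamps in streams.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_events - 1:
            continue
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings.append({
                "host": host, "process": proc, "dst": dst,
                "period_s": round(avg), "cv": round(cv, 3),
                # Endpoint context turns a network oddity into a triage lead:
                # a timer in a process almost nobody runs is worth a look.
                "process_prevalence": PROCESS_PREVALENCE.get(proc, 0.0),
            })
    return findings


if __name__ == "__main__":
    print("blacklist hits:", blacklist_hits(CONNECTIONS, BLACKLIST))
    for f in find_regular_streams(CONNECTIONS):
        print(f"{f['host']} {f['process']} -> {f['dst']} every ~{f['period_s']}s "
              f"(cv={f['cv']}) process prevalence={f['process_prevalence']:.2f}")
```

The blacklist check returns nothing, exactly as the paragraph describes, while the regularity check isolates one stream contacting the same address roughly every five minutes from a process present on one endpoint in fifty; the browser stream to a different address has gaps that vary far too much to be flagged.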

It is not time to abandon hope. Would continuous endpoint monitoring (as supplied by Ziften) have provided early warning of the endpoint hacking, to start the process of stopping the attacks and avoid data loss? Find out more in part two.