Cyber Attackers Are Now Targeting Endpoints For Widespread Damage – Charles Leaver

Charles Leaver CEO Ziften

With the introduction of bring your own device (BYOD) policies and cloud computing, protecting individual endpoints has become more difficult, as administrators may prioritize ease of data access over security. The risks are real, however, because most of the current generation of endpoint security software has not been built to defend against aggressive hacking and malicious cyber attack techniques that use individual endpoints as the launch pad for widely distributed attacks.

There was a well-known endpoint attack in 2010 in which a malware family named Comfoo was used to compromise the networks of many multinational organizations. The Comfoo malware included a number of custom-built backdoor Trojans and exploits that could continually distribute malware. A more serious consequence was that this malware could cause damaging data leaks by scraping account and network information and monitoring all user input, according to CRN contributor Robert Westervelt. It is believed that Comfoo may have been part of a sophisticated cyber espionage campaign, because of the method used and its evasion of conventional endpoint monitoring.

Using e-mail phishing and social engineering, the malware was able to compromise targeted devices, which highlights how ripe endpoints have become for malware infestation, according to security executive Jason O’Reilly. Speaking to ITWeb, O’Reilly said that conventional endpoint software usually does not adequately account for access from locations beyond the IT department, and does not limit data exposure to authorized individuals through the use of access controls.

O’Reilly mentioned that “endpoint security services must offer layered protection that goes beyond signature-based detection just to include heuristic-based detection and polymorphic-based detection.” “Today’s networks are exposed to hazards from various sources.”

Real Time Threat Detection And Reporting

The high stakes for control techniques and endpoint security were recognized by business consulting company Frost & Sullivan, which felt both of these areas were under pressure from external attackers and from employees’ demand for flexibility in device choice.

Chris Rodriguez, Frost & Sullivan analyst, stated “enterprise IT organizations now face significant pressure to make it possible for employees to access the corporate network and files from their own personal gadgets.” “Considering their apparently universal nature, fast data connections, and powerful hardware and operating systems, these devices represent prime targets for hackers.”

When asked what organizations can do to address the unique weaknesses of mobile hardware, O’Reilly recommended that any solution must provide clear and comprehensive visibility into what is happening on each endpoint, so that action can be taken quickly when any threat is identified.


Why Do Two Thirds Of Organizations Believe That They Have Immunity From Cyber Attacks? Charles Leaver

By Charles Leaver Ziften Technologies CEO


A large number of organizations believe there is no need to pursue assiduous data loss prevention; they regard cyber attacks as either extremely unlikely to occur or as having minimal financial impact if they do. The rise in recorded cyber attacks and advanced persistent threats has actually contributed to this complacency. These malicious attacks tend to evade conventional endpoint security software, and while they lack the teeth of denial-of-service attacks, they have the potential to cause considerable damage.

Over 67% of organizations claim that they have not been the victims of a cyber attack in the last 18 months, or that they had little or no visibility into whether an attack had compromised their network, according to Infosecurity. The survey’s organizers were skeptical of these results and pointed to the many vulnerable desktop and mobile endpoints that are now common in businesses.

Security specialist and study organizer Tom Cross said “Any system you link to the Web is going to be targeted by attackers extremely rapidly thereafter.” “I would assert that if you’re unsure whether your organization has had a security incident, the possibilities are extremely high that the answer is yes.”

Around 16% stated that they had experienced a DDoS attack over the same period, and 18% reported malware infestations. Despite this, most of the organizations assessed the consequences as minor and not justifying the deployment of new endpoint security and control systems. Approximately 38% said that they had not experienced any detected security breaches, and just 20% admitted to financial losses.

Loss of reputation was more widespread, affecting around 25% of respondents. Highlighting the potential financial and reputational impact of a cyber attack, an incident at the University of Delaware resulted in the sensitive data of 74,000 individuals being exposed, according to WDEL contributor Amy Cherry. The hackers targeted the school’s website and scraped university identification and Social Security Numbers, which led the university to provide free credit monitoring to the affected parties.

Charles Leaver – RSA President Keynote Speech Confirms Cyber Security Dark Ages Must Be Moved Away From

Written By Dr Al Hartmann And Presented By Charles Leaver CEO Ziften Technologies


A 5 Point Plan For A New Security Strategy Proposed By Amit Yoran

Amit Yoran, RSA President, gave an excellent keynote speech at the RSA Conference that reinforced the Ziften philosophy. Ziften is intently focused on continuous endpoint monitoring, silo-busting Ziften Open Visibility™, risk-focused security analytics, and robust defenses in a new era of advanced cyber attacks. Yoran criticized current organizational security strategies as bogged down in the Dark Ages of cyber moats and castle walls, described them as an “impressive fail”, and laid out his vision for the future in five key points; commentary from Ziften’s viewpoint has been added.

Stop Believing That Even Advanced Protections Suffice

“No matter how high or smart the walls, focused adversaries will find methods over, under, around, and through.”

Many of the earlier, more sophisticated attacks did not use malware as the main technique. Yoran criticized standard endpoint antivirus, firewalls and standard IPS as examples of the Dark Ages. He said these traditional defenses could easily be scaled by experienced hackers and that they were largely ineffective. A signature-based antivirus system can only protect against previously seen threats, yet unseen threats are the most dangerous to a company (since they are the most typical targeted attacks). Targeted cyber criminals use malware only 50% of the time, and perhaps only briefly, at the start of the attack. The attack artifacts are easily altered and never used again in targeted campaigns. Accumulating billions of short-lived indicators of compromise and malware signatures in huge antivirus signature databases is a pointless defensive technique.

Embrace a Deep and Prevalent Level of Real Visibility Everywhere – from the Endpoint to the Cloud

“We require pervasive and true visibility into our business environments. You merely cannot do security today without the visibility of both constant complete packet capture and endpoint compromise evaluation visibility.”

This means continuous endpoint monitoring across the enterprise endpoint population for generic indicators of compromise (not stale attack artifacts) that reflect timeless methods, not fleeting hex-string happenstance. Any company doing constant full packet capture (relatively expensive) can easily afford endpoint threat assessment visibility (relatively inexpensive). Logging and auditing of endpoint process activity supplies a wealth of security insight using only elementary analytics methods. A targeted hacker relies on the relative opacity of endpoint user and system activity to cloak and hide any attacks, while real visibility provides a bright light.

Identity and Authentication Matter More than Ever

“In a world with no border and with less security anchor points, identity and authentication matter even more … At some point in [any effective attack] campaign, the abuse of identity is a stepping stone the opponents use to enforce their will.”

Using stronger authentication is fine, but it only produces bigger walls that are still not impenetrable. What the hacker does once over the wall is what matters most. Track user endpoint logins (both local and remote) and application usage for signs of abnormal user activity (insider attack or potentially compromised credentials). Any observed activity that differs from normal patterns is potentially suspicious. One departure from normality does not make a case, but security analytics that triangulate several departures from normality focus security attention on the highest-risk anomalies for triage.
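As an added illustration of the triangulation described above (example code, not Ziften’s analytics or the author’s), the following Python builds a per-user login baseline from constructed historical records and counts how many independent departures a new login shows: source, hour of day, local versus remote, and application. A single departure is ignored; several together push the event to the top of the triage list. The user names, hosts, addresses and application names are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed historical login records used to build each user's baseline
# (user, ISO timestamp, source host or address, login kind, application used).
BASELINE = [
    ("alice", "2015-03-02T09:05:00", "ws-alice", "local", "outlook"),
    ("alice", "2015-03-03T08:55:00", "ws-alice", "local", "outlook"),
    ("alice", "2015-03-04T09:10:00", "ws-alice", "local", "excel"),
    ("bob", "2015-03-02T22:10:00", "10.1.5.7", "remote", "ssh"),
    ("bob", "2015-03-03T23:02:00", "10.1.5.7", "remote", "ssh"),
]

# Constructed new events to be scored against the baseline.
NEW_EVENTS = [
    ("alice", "2015-03-10T03:12:00", "203.0.113.9", "remote", "psexec"),
    ("bob", "2015-03-10T22:40:00", "10.1.5.7", "remote", "ssh"),
    ("alice", "2015-03-10T09:20:00", "ws-alice", "local", "word"),
]


def build_baseline(records):
    """Per-user profile of what 'normal' looked like: sources, hours, kinds, apps."""
    profile = defaultdict(lambda: {"sources": set(), "hours": set(), "kinds": set(), "apps": set()})
    for user, ts, source, kind, app in records:
        p = profile[user]
        p["sources"].add(source)
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["kinds"].add(kind)
        p["apps"].add(app)
    return profile


def _hour_is_usual(hour, usual_hours, tolerance=1):
    # Circular distance so that 23:00 and 00:30 count as adjacent.
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in usual_hours)


def departures(profile, event):
    """List the independent ways one login departs from the user's baseline."""
    user, ts, source, kind, app = event
    p = profile.get(user)
    if p is None:
        return ["user has no baseline"]
    flags = []
    if source not in p["sources"]:
        flags.append("new source")
    if not _hour_is_usual(datetime.fromisoformat(ts).hour, p["hours"]):
        flags.append("unusual hour")
    if kind not in p["kinds"]:
        flags.append("new login kind")
    if app not in p["apps"]:
        flags.append("new application")
    return flags


def triage(profile, events, min_departures=2):
    """Rank events by how many departures coincide; one alone is not a case."""
    scored = []
    for ev in events:
        flags = departures(profile, ev)
        scored.append((len(flags), ev[0], ev[1], flags))
    scored.sort(key=lambda s: s[0], reverse=True)
    return [s for s in scored if s[0] >= min_departures]


if __name__ == "__main__":
    for count, user, ts, flags in triage(build_baseline(BASELINE), NEW_EVENTS):
        print(count, user, ts, flags)
```

Only the first constructed event survives triage (new source, unusual hour, remote instead of local, and an unfamiliar application all at once); alice’s use of a new application during normal hours from her own workstation is a single departure and stays below the threshold.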

External Threat Intelligence Is A Core Capability

“There are incredible sources for the ideal threat intelligence … [which] must be machine-readable and automated for increased speed and leverage. It must be operationalized into your security program and tailored to your organization’s assets and interests so that analysts can quickly resolve the risks that pose the most risk.”

Many targeted attacks do not reuse readily signatured artifacts, network addresses or C2 domains, but there is still value in threat intelligence feeds that aggregate timely discoveries from millions of endpoint and network threat sensors. Here at Ziften we incorporate third-party threat feeds via the Ziften Knowledge Cloud, and expose Ziften discoveries to SIEM and other enterprise security and operations infrastructure through our Open Visibility™ architecture. As more machine-readable threat intelligence (MRTI) feeds evolve, this capability will grow.

Understand What Matters Most To Your Company And What Is Mission Critical

“You need to comprehend what matters to your organization and what is mission critical. You need to … defend exactly what’s important and protect it with everything you have.”

This is the case for risk-driven analytics and instrumentation that focus security attention and action on the areas of highest business risk exposure. Yoran argues that asset value prioritization is only one side of business risk analysis, and that this goes much deeper, both pragmatically and academically. Security analytics that focus security staff attention on the most prominent dynamic risks (for instance by filtering, correlating and scoring SIEM alert streams for security triage) must be well grounded in all sides of enterprise threat analysis.

At Ziften we commend Amit Yoran’s messages in his RSA 2015 keynote address as the cyber security market evolves beyond the current Dark Ages of facile targeted attacks and established exploitations.

Target Had To Endure Months Of Recovery Time And Financial Losses After Data Breach – Charles Leaver

By Charles Leaver CEO Ziften

After Target was breached, it took the business several months to recover and be given a clean bill of health.

Constant Recovery Effort And Reports Of Financial Loss

It was a major story when Target suffered its data breach. Like all major news stories it faded from national coverage, but for the retailer it remained a significant priority. The retailer lowered its revenue forecasts for 2014 once again, which implies that the company had underestimated the impact of the malicious attack it suffered, according to CNN Money.

The decrease in profits was truly significant: the company reported 62% lower earnings. In addition it had to pay out $111 million as a direct result of the breach in the second fiscal quarter, and all of this adds up to a once-robust business now looking a shadow of its former self because of a cyber attack.

As the fallout continued, the scale of the cyber attack began to emerge. Information on around 110 million individuals was compromised, and 40 million of those had credit card data stolen. As news of the breach spread, the business made some significant changes, including the implementation of stricter cyber security procedures and the replacement of the system administrator. Long-standing CEO Gregg Steinhafel also resigned. However, this is not deemed enough to reduce the impact of the attack. Target’s stakeholders are absorbing the negative results of the attack as much as the company itself, according to Brian Sozzi of Belus Capital.

In an email to CNN Money Sozzi stated “Target just dropped an epic complete year earnings warning onto the heads of its remaining investors.” “Target has provided financiers NO reason to be encouraged that a global turn-around is secretly emerging.”

Target Supplies A Lesson For All Organizations About Improved Pre-emptive Measures

No matter how proactive an organization is about a cyber attack, there is no guarantee that recovery will be quicker. The bottom line is that a data breach is bad news for any company, whatever you call it and however you try to fix it. Preventive steps are the best way forward, and you need to take steps to make sure an attack does not happen to your company in the first place. Endpoint threat detection software can play a considerable role in maintaining strong defenses for any organization that chooses to implement it.

Charles Leaver – If You Deploy Continuous Endpoint Monitoring You Can Protect Your Organization From Russian Hackers That Stole A Massive Amount Of Data

Charles Leaver Ziften CEO


It is thought that the biggest known cyber attack in the history of data breaches has been discovered by an American cyber security company. The company believes that a team of cyber criminals from Russia that it has been investigating for several months is responsible for stealing billions of passwords and other sensitive personal data. It is claimed that the Russian group took 4.5 billion credentials, although many were duplicates, and the final outcome was 1.2 billion unique data profiles being stolen. The group took the information from 420,000 websites of varying sizes, from large brand-name sites to smaller mom-and-pop shops.

The New York Times stated that the cyber criminal group consisted of about 12 individuals. Starting with small-scale spamming in 2011, they acquired the majority of the data by purchasing stolen databases.

In an interview with PCMag, Alex Holden, the founder of the company that found the breach, said “the gang began by simply purchasing the databases that were available online.” The group bought at fire sales and were described as “bottom feeders”; as time went by they started buying higher-quality databases. “It’s sort of like graduating from taking bikes to stealing costly cars.”

A Progression From Spamming To Using Botnets


The cyber criminal group began to change its habits. Botnets were employed by the team to collect stolen data on a much larger scale. Using the botnets, the group was able to automate the process of identifying vulnerable websites, which allowed them to work 24/7. Whenever an infected user visited a website, the bot would automatically check whether the site was vulnerable to SQL injection. Using these injections, a commonly used hacking technique, the site’s database would be forced to reveal its contents through a simple query. The botnets flagged the susceptible websites and the hackers returned later to extract the information. Using the bot was the group’s ultimate failure, as the security company discovered them through it.
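To make the weakness the botnet was probing for concrete, here is an added example (not code from the article or from the company described) showing the vulnerable query pattern beside its parameterised fix, against a constructed in-memory SQLite product table. The table, its rows and the probe value are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed catalogue table standing in for a site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("widget", 9.99), ("gadget", 19.99), ("gizmo", 4.50)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The flaw: user input is spliced into the SQL text, so a crafted value
    changes the query instead of being treated as data."""
    query = "SELECT name, price FROM products WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """The fix: a bound parameter is always data, never SQL, whatever it contains."""
    return conn.execute("SELECT name, price FROM products WHERE name = ?", (name,)).fetchall()


# A classic tautology value (constructed): harmless to the parameterised query,
# but it turns the concatenated WHERE clause into  name = '' OR '1'='1'  which
# matches every row. This is the kind of check a scanner makes to flag a site.
PROBE = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PROBE))  # every row comes back
    print("parameterised:", lookup_safe(db, PROBE))    # nothing matches
```

The parameterised version is the whole fix: the database driver sends the value separately from the statement, so no input can alter the query shape. Code review or a static checker that flags string concatenation into SQL text is the corresponding detection on the defender’s side.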

The security company believes that the billions of pieces of information were not taken at the same time, and that the majority of the records were most likely purchased from other cyber criminals. According to the Times, very few of the stolen records have been sold online; instead the hacking team has chosen to use the information to send spam messages on social networks on behalf of other groups in order to generate income. Various cyber security specialists assert that the magnitude of this breach signals a trend of cyber criminals stockpiling large quantities of personal profiles over time and saving them for later use, according to the Wall Street Journal.

Avivah Litan, security analyst at the research firm Gartner, said “companies that depend on user names and passwords have to establish a sense of urgency about changing this.” “Up until they do, lawbreakers will simply keep stockpiling individuals’s credentials.”

Cyber attacks and breaches on this scale underline the need for companies to protect themselves with the latest cyber security defenses. Endpoint threat detection and response systems help organizations develop a clearer picture of the threats facing their networks and receive actionable information on how best to prevent attacks. Today, when substantial data breaches are going to happen more and more, continuous endpoint visibility is crucial for the security of an organization. If the company’s network is constantly monitored, threats can be recognized in real time, reducing the damage a data breach can do to a company’s reputation and bottom line.

Why Did Ziften And Splunk Create The Active Response Framework? – Charles Leaver

Written By Charles Leaver CEO Ziften

We were a sponsor in Las Vegas for an excellent Splunk.conf2014 show, and we returned energized and chomping at the bit to push even further forward with our services here at Ziften. A talk of particular interest was by Jose Hernandez, Security Solutions Architect for Splunk. “Utilizing Splunk to Automatically Mitigate Risks” was the name of his presentation. If you wish to see his slides and a recording of the presentation then please go to

Using Splunk to help with mitigation, or as I like to call it “Active Response”, is a great concept. Having all your intelligence data streaming into Splunk is really powerful: it can be endpoint data, outside threat feeds and so on, and being able to act on this data really closes the loop. At Ziften we have effective continuous monitoring on the endpoint, and being married to Splunk is something we are extremely proud of. Combining real-time data analysis with the ability to react and act against incidents is a really strong move in the right direction.

Ziften has created a mitigation action that uses the available Active Response code. There is a demo video included in this blog below. Here we were able to develop a mitigation action within our Ziften App for Splunk as a proof of concept. After the action is created, results within Splunk ES (Enterprise Security) can be observed and tracked. This really is a major addition: users will now have the ability to monitor and track mitigations within Splunk ES, which gives you the major advantage of being able to close the loop and build a history of your actions.

The fact that Splunk is driving such an effort thrills us; this is likely to progress, and we are committed to continuously supporting it and making further developments with it. It is an extremely exciting time in the Endpoint Detection and Response area, and the addition of the Active Response Framework integrated into Splunk will definitely generate a high degree of interest in my opinion.

For any concerns concerning the Ziften App for Splunk, please send an e-mail to

Narrow Indicators Of Compromise Just Are Not Enough For Comprehensive Endpoint Monitoring – Charles Leaver

Presented By Charles Leaver And Written By Dr Al Hartmann Of Ziften Inc.


The Breadth Of The Indicator – Broad Versus Narrow

A detailed report of a cyber attack will generally offer details of indicators of compromise. Frequently these are narrow in scope, referencing a particular attack group as seen in a specific attack on an enterprise over a limited period of time. Typically these narrow indicators are specific artifacts of an observed attack that could constitute definite evidence of compromise on their own. For that particular attack they have high specificity, but usually at the expense of low sensitivity to comparable attacks with different artifacts.

Essentially, narrow indicators offer very limited scope, which is why they exist by the billions in huge and constantly expanding databases of malware signatures, suspicious network addresses, malicious registry keys, file and packet content snippets, file paths, intrusion detection rules and so on. The continuous endpoint monitoring solution supplied by Ziften aggregates some of these third-party databases and threat feeds into the Ziften Knowledge Cloud, to take advantage of known artifact detection. These detection elements can be applied in real time as well as retrospectively. Retrospective application is important given the short-term nature of these artifacts, as hackers continuously alter and conceal the details of their attacks to frustrate this narrow IoC detection approach. This is why a continuous monitoring service needs to archive monitoring results for a long time (relative to industry-reported typical hacker dwell times), to provide an adequate lookback horizon.

Narrow IoCs have substantial detection value, but they are mostly inadequate for detecting new cyber attacks by skilled hackers. New attack code can be pre-tested against common enterprise security solutions in lab environments to verify that no detectable artifacts are reused. Security solutions that operate simply as black/white classifiers, i.e. by giving an explicit verdict of malicious or benign, suffer from this weakness. This approach is very easily evaded. The defended company is likely to be thoroughly attacked for months or years before any detectable artifacts can be determined (after extensive investigation) for that particular attack instance.

In contrast to the ease with which cyber attack artifacts can be obscured by typical hacker toolkits, the characteristic methods and strategies (the modus operandi) used by hackers have persisted over many years. Typical techniques such as weaponized websites and documents, new service installation, vulnerability exploitation, module injection, modification of sensitive folders and registry areas, new scheduled tasks, memory and drive corruption, credential compromise, malicious scripting and many others are broadly common. The right use of system logging and monitoring can detect much of this characteristic attack activity when properly combined with security analytics that concentrate on the highest-risk observations. This entirely removes the hacker’s opportunity to pre-test the evasiveness of malicious code, since the quantification of risk is not black and white but nuanced shades of gray. In particular, all endpoint risk is variable and relative, across any network/user environment and time period, and that environment (and its temporal characteristics) cannot be duplicated in any lab environment. The fundamental hacker concealment method is foiled.

In future posts we will analyze Ziften endpoint threat analysis in greater detail, as well as the crucial relationship between endpoint security and endpoint management. “You can’t protect what you don’t manage, you can’t manage what you do not measure, you can’t measure what you do not track.” Organizations get breached because they have less oversight and control of their endpoint environment than the attackers have. Watch out for future posts…

Charles Leaver – Carbanak Case Study 3 The Effects Of Ziften Continuous Endpoint Monitoring

Presented By Charles Leaver And Written By Dr Al Hartmann

Part 3 in a 3 part series


Below are excerpts of Indicators of Compromise (IoC) from the technical reports on the Anunak/Carbanak APT attacks, with comments on their detection by the Ziften continuous endpoint monitoring solution. The Ziften system concentrates on generic indicators of compromise that have remained consistent over years of hacker attacks and cyber security experience. IoCs can be determined for any operating system, such as Linux, OS X and Windows. Specific indicators of compromise also exist that reflect C2 infrastructure or particular attack code instances, but these are not used long term and are not normally reused in fresh attacks. There are billions of these artifacts in the cyber security world, with thousands being added each day. Generic IoCs are embedded for the supported operating systems in the Ziften security analytics, and the specific IoCs are supplied by the Ziften Knowledge Cloud from subscriptions to a number of industry threat feeds and watch lists that aggregate them. Both have value and will assist in the triangulation of attack activity.

1. Exposed vulnerabilities

Excerpt: All observed cases utilized spear phishing e-mails with Microsoft Word 97–2003 (.doc) files attached or CPL files. The doc files exploit both Microsoft Office (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761).

Comment: Not actually an IoC, but critical exposed vulnerabilities are a major hacker lever and a large warning sign that raises the risk score (and the SIEM priority) for the endpoint, particularly if other indicators are also present. These vulnerabilities are signs of lax patch management and vulnerability lifecycle management, which lead to a diminished cyber defense posture.

2. Geographies That Are Suspect

Excerpt: Command and Control (C2) servers situated in China have actually been recognized in this campaign.

Comment: The geolocation of endpoint network contacts and scoring by geography both contribute to the risk score that drives up the SIEM priority. There are valid reasons for contact with Chinese servers, and some organizations may have sites located in China, but this ought to be verified with spatial and temporal anomaly checking. IP address and domain information must be included with the resulting SIEM alarm so that SOC triage can be carried out rapidly.

3. Binaries That Are New

Excerpt: Once the remote code execution vulnerability is effectively manipulated, it installs Carbanak on the victim’s system.

Comment: Any new binary is always suspicious, but not all of them should raise alarms. Image metadata must be evaluated to see if there is a pattern, for instance a new app or a new version of an existing app from an existing vendor on a likely file path for that vendor and so on. Hackers will attempt to spoof whitelisted apps, so signing data can be compared along with file size, file path and so on to filter out obvious instances.

4. Unusual Or Delicate Filepaths

Excerpt: Carbanak copies itself into “%system32%\com” with the name “svchost.exe” with the file attributes: system, hidden and read-only.

Comment: Any write into the System32 file path is suspicious, as it is a sensitive system directory, so it is subject to immediate anomaly checking. A classic anomaly would be svchost.exe, which is a vital system process image, in the unusual location of the com subdirectory.

5. New Autostarts Or Services

Excerpt: To guarantee that Carbanak has autorun privileges the malware creates a brand-new service.

Comment: Any new autostart or service is common with malware and is always checked by the analytics. Anything of low prevalence would be suspicious. If checking the image hash against industry watchlists shows it to be unknown to most antivirus engines, this will raise suspicion.

6. Low Prevalence File In High Prevalence Directory

Excerpt: Carbanak creates a file with a random name and a .bin extension in %COMMON_APPDATA%\Mozilla where it stores commands to be performed.

Comment: This is a classic example of “one of these things is not like the other” that is simple for the security analytics to check in a continuous monitoring environment. This IoC is completely generic; it has nothing to do with which filename or which folder is created. Even though the technical security report lists it as a specific IoC, it is trivially generalized beyond Carbanak to future attacks.

7. Suspect Signer

Excerpt: In order to render the malware less suspicious, the current Carbanak samples are digitally signed

Comment: Any suspect signer will raise suspicion. In one case the signer supplied a suspect anonymous gmail e-mail address, which does not inspire confidence, and the risk score for that image will be elevated. In other cases no e-mail address is provided. Signers can easily be listed and a Pareto analysis carried out to identify the more versus less trusted signers. If a less trusted signer is found in a more sensitive directory, this is very suspicious.

8. Remote Administration Tools

Excerpt: There seems to be a preference for the Ammyy Admin remote administration tool for remote control. It is thought that the attackers used this remote administration tool because it is commonly whitelisted in the victims’ environments as a result of being used frequently by administrators.

Comment: Remote admin tools (RATs) always raise suspicion, even if they are whitelisted by the organization. Anomaly checking would be used to determine whether each new remote admin tool is consistent temporally and spatially. RATs are subject to abuse. Hackers will always prefer to use an organization’s own RATs so that they can avoid detection, so they should not be given a pass every time just because they are whitelisted.

9. Patterns Of Remote Login

Excerpt: Logs for these tools indicate that they were accessed from 2 dissimilar IPs, probably used by the attackers, and located in Ukraine and France.

Comment: Always suspect remote logins, since all hackers are presumed to be remote. They are also used a lot in insider attacks, as the insider does not want to be identified by the system. Remote addresses and time-pattern anomalies would be checked, and this ought to reveal low-prevalence use (relative to peer systems) plus any suspect locations.

10. Atypical IT Tools

Excerpt: We have also found traces of many different tools used by the hackers inside the victim’s network to gain control of additional systems, such as Metasploit, PsExec or Mimikatz.

Comment: Being sensitive apps, IT tools must always be checked for anomalies, because many hackers subvert them for malicious purposes. Metasploit could be used by a penetration tester or vulnerability researcher, but instances of this would be uncommon. This is a prime example where an uncommon-observation report for vetting by security staff would lead to corrective action. It also highlights the problem that blanket whitelisting does not help in the identification of suspicious activity.
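An added, illustrative example (not Ziften’s analytics, which the post does not publish) that applies the generic indicators from items 3 to 8 and 10 above to a small constructed fleet of endpoint observations: prevalence of each hash and directory across hosts, a system image name outside its expected directory, a new file under a sensitive directory, a low-prevalence file in a high-prevalence directory, an untrusted or missing signer, a newly created service, and execution of the admin tools the excerpts name. The trusted-signer list, the sensitive directories, the weights, the threshold and the observations themselves are assumptions made for the demonstration; the three “odd” observations mirror the Carbanak excerpts for items 4, 5/7 and 6.

```python
import ntpath
from collections import defaultdict

SYSTEM_IMAGES = {"svchost.exe"}                    # vital system image named in the excerpts
SYSTEM_DIR = r"c:\windows\system32"               # where that image is expected to live
SENSITIVE_DIRS = (SYSTEM_DIR, r"c:\programdata")  # assumption: directories treated as sensitive
TRUSTED_SIGNERS = {"microsoft corporation", "mozilla corporation"}  # assumption: trusted signers
ADMIN_TOOLS = ("ammyy", "psexec", "mimikatz", "metasploit")           # tool names from the excerpts

# Constructed fleet observations (not real telemetry). kind is "file" for a new
# file or executed image, "service" for the image of a newly created service.
FLEET = [
    {"host": "ws-01", "kind": "file", "path": r"C:\Windows\System32\svchost.exe", "sha256": "sys-svchost", "signer": "Microsoft Corporation"},
    {"host": "ws-02", "kind": "file", "path": r"C:\Windows\System32\svchost.exe", "sha256": "sys-svchost", "signer": "Microsoft Corporation"},
    {"host": "ws-03", "kind": "file", "path": r"C:\Windows\System32\svchost.exe", "sha256": "sys-svchost", "signer": "Microsoft Corporation"},
    {"host": "ws-01", "kind": "file", "path": r"C:\ProgramData\Mozilla\updater.exe", "sha256": "moz-upd", "signer": "Mozilla Corporation"},
    {"host": "ws-02", "kind": "file", "path": r"C:\ProgramData\Mozilla\updater.exe", "sha256": "moz-upd", "signer": "Mozilla Corporation"},
    {"host": "ws-03", "kind": "file", "path": r"C:\ProgramData\Mozilla\updater.exe", "sha256": "moz-upd", "signer": "Mozilla Corporation"},
    {"host": "ws-03", "kind": "service", "path": r"C:\Windows\System32\com\svchost.exe", "sha256": "odd-1", "signer": "someone@gmail.example"},
    {"host": "ws-03", "kind": "file", "path": r"C:\ProgramData\Mozilla\k3j9q.bin", "sha256": "odd-2", "signer": None},
    {"host": "ws-02", "kind": "file", "path": r"C:\Tools\PsExec.exe", "sha256": "psexec-1", "signer": "Microsoft Corporation"},
]


def prevalence(fleet):
    """Hosts carrying each file hash, and hosts on which each directory appears."""
    by_hash, by_dir = defaultdict(set), defaultdict(set)
    for ev in fleet:
        by_hash[ev["sha256"]].add(ev["host"])
        by_dir[ntpath.dirname(ev["path"].lower())].add(ev["host"])
    return by_hash, by_dir


def score_event(ev, by_hash, by_dir, fleet_hosts):
    """Return (score, reasons); each reason is a generic indicator with its weight."""
    path = ev["path"].lower()
    directory, name = ntpath.dirname(path), ntpath.basename(path)
    signer = (ev["signer"] or "").lower()
    is_binary = name.endswith((".exe", ".dll", ".sys"))
    in_sensitive = any(directory == s or directory.startswith(s + "\\") for s in SENSITIVE_DIRS)
    low_prevalence = len(by_hash[ev["sha256"]]) == 1
    common_directory = len(by_dir[directory]) >= max(2, fleet_hosts // 2)
    reasons = []
    if name in SYSTEM_IMAGES and directory != SYSTEM_DIR:
        reasons.append(("system image name at an unexpected path", 4))
    if in_sensitive and low_prevalence:
        reasons.append(("new low-prevalence file under a sensitive directory", 3))
    if low_prevalence and common_directory:
        reasons.append(("low-prevalence file in a high-prevalence directory", 2))
    if is_binary and signer not in TRUSTED_SIGNERS:
        reasons.append(("untrusted or missing signer", 3 if in_sensitive else 1))
    if ev["kind"] == "service" and low_prevalence:
        reasons.append(("new low-prevalence service", 3))
    if any(tool in name for tool in ADMIN_TOOLS):
        reasons.append(("remote admin / IT tool execution", 3))
    return sum(w for _, w in reasons), reasons


def triage(fleet, threshold=5):
    """Observations at or above the threshold, highest risk first, for SOC review."""
    by_hash, by_dir = prevalence(fleet)
    fleet_hosts = len({ev["host"] for ev in fleet})
    ranked = []
    for ev in fleet:
        score, reasons = score_event(ev, by_hash, by_dir, fleet_hosts)
        if score >= threshold:
            ranked.append((score, ev["host"], ev["path"], [r for r, _ in reasons]))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


if __name__ == "__main__":
    for score, host, path, reasons in triage(FLEET):
        print(score, host, path, reasons)
```

No single check convicts anything: the svchost.exe under the com subdirectory scores high only because four indicators coincide (wrong path for a system image, new file in a sensitive tree, untrusted signer, new service), the random .bin in the Mozilla folder is caught purely by prevalence with no knowledge of its name, and the lone PsExec run stays below the threshold but would still be visible to an analyst who lowers it, which is the whitelisting point made in item 10.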

Here Is Part 2 Of The Carbanak Case Study Where You Will Learn Why Continuous Endpoint Monitoring Provides Greater Efficiency – Charles Leaver

Presented By Charles Leaver And Written By Dr Al Hartmann

Part 2 in a 3 part series

Continuous Endpoint Monitoring Is Really Efficient

Convicting and blocking a malicious script before it can compromise an endpoint is fine as far as it goes. But this approach is largely ineffective against attacks that have been pre-tested to evade exactly that kind of defense. The real problem is that these stealthy attacks are run by skilled human operators, while conventional endpoint defense is an automated process carried out by security products that rely mainly on basic antivirus technology. Human intelligence is more creative and adaptable than machine intelligence and will always beat an automated defense left to itself. It is the Turing test turned around: the automated defense is trying to rise to the level of a skilled human attacker. At present, artificial intelligence and machine learning are not mature enough to fully automate cyber defense, so the human attacker wins while the victims count their losses. We do not live in a science-fiction world where machines out-think humans, so do not expect a security suite to take care of every problem and prevent every attack and data loss on its own.

The only real way to stop a determined human attacker is with a determined human defender. For your IT Security Operations Center (SOC) staff to do that, they need full visibility into network and endpoint activity. Conventional endpoint antivirus suites will not provide it: they are designed to stay silent unless they capture and quarantine malware. That approach leaves endpoints opaque to security staff, and attackers exploit that opacity to hide their activity. The opacity extends backwards and forwards in time: your security staff do not know what was running across your endpoint population before, what is running now, or what to expect next. If diligent security staff find leads that call for a forensic look back to uncover attacker tradecraft, the antivirus suite cannot help; it took no action at the time, so it recorded no events.

Continuous endpoint monitoring, by contrast, is always working: it gives real-time visibility into endpoint activity, supports forensic look-backs so that newly emerging evidence of an attack can be acted on and earlier indicators found, and establishes a baseline of normal operating patterns so that it knows what to expect and can alert on future anomalies. Beyond plain visibility, continuous endpoint monitoring offers informed visibility, applying behavioral analytics to spot operations that look abnormal. The analytics continuously analyze and aggregate anomalies and report them to SOC staff through the organization’s security information and event management (SIEM) system, flagging the most worrying suspicious activity for attention and action. Continuous endpoint monitoring augments and scales human intelligence; it does not replace it. It is a bit like the old Sesame Street game, “One of these things is not like the other.”

A child can play that game. It is easy because most items (high prevalence) resemble each other, while one or a few (low prevalence) differ and stand out. The same holds for the distinctive actions of cyber criminals, which have been remarkably consistent across decades of intrusions. The indicators of compromise listed in the Carbanak technical reports, discussed in this series, are good examples. When continuous endpoint monitoring analytics are in place and surface these patterns, it is easy to recognize something suspicious or unusual. Security staff can quickly triage the abnormal patterns and reach a yes/no/maybe verdict that separates rare-but-known-good activity from malicious activity and from activity that needs further monitoring and deeper forensic examination to confirm.
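As an added example (not Ziften’s analytics and not taken from any of the Carbanak reports) of the low-prevalence triage described in this paragraph, applied to the whitelisted-tool observations in the Part 3 excerpts above (Ammyy Admin, PsExec, Mimikatz, Metasploit), the following Python runs two checks over constructed endpoint process-execution records: population prevalence of each binary hash across the fleet, and a context check for known sensitive tools that are reported even when whitelisted, with a lower triage tier when they run from an expected admin context. The record format, host names, admin group, change window and the short hash stand-ins are all assumptions made for the example.

```python
"""Prevalence and context checks over endpoint process-execution records.

Added example: not Ziften's analytics and not from the Carbanak reports.
Record format, host names, admin group, change window and the short "hash"
values are constructed for the example.
"""
from collections import defaultdict

# Tools some staff use legitimately but that must never pass silently.
# Matching on file name is the weakest signal (attackers rename binaries, and a
# Metasploit payload carries no telltale name); the hash-prevalence check below
# is what catches a renamed copy.
SENSITIVE = {
    "aa_v3.exe": "Ammyy Admin remote admin tool",
    "ammyy_admin.exe": "Ammyy Admin remote admin tool",
    "psexec.exe": "PsExec remote execution",
    "mimikatz.exe": "Mimikatz credential theft",
}
ADMIN_HOSTS = {"adm-01", "adm-02"}     # assumption: jump hosts admins work from
ADMIN_USERS = {"nferguson", "pwalsh"}  # assumption: staff permitted to run these tools
CHANGE_WINDOW = range(8, 19)           # assumption: 08:00-18:59 local time


def parse(line):
    # Constructed format: "host=<name> user=<account> hour=<HH> exe=<file> sha256=<hash>"
    rec = dict(field.split("=", 1) for field in line.split())
    rec["hour"] = int(rec["hour"])
    rec["exe"] = rec["exe"].lower()
    return rec


def host_prevalence(records):
    """Number of distinct hosts on which each binary hash was seen executing."""
    hosts = defaultdict(set)
    for rec in records:
        hosts[rec["sha256"]].add(rec["host"])
    return {digest: len(h) for digest, h in hosts.items()}


def triage(lines, low_prevalence_max=2):
    """Return one finding per (host, binary), tiered for analyst triage."""
    records = [parse(line) for line in lines]
    fleet_size = len({rec["host"] for rec in records})
    prevalence = host_prevalence(records)
    findings, seen = [], set()
    for rec in records:
        key = (rec["host"], rec["sha256"])
        if key in seen:
            continue  # one finding per host/binary pair
        seen.add(key)
        reasons, tier = [], None
        label = SENSITIVE.get(rec["exe"])
        if label:
            in_admin_context = (rec["host"] in ADMIN_HOSTS
                                and rec["user"] in ADMIN_USERS
                                and rec["hour"] in CHANGE_WINDOW)
            if in_admin_context:
                reasons.append(f"{label} run from expected admin context")
                tier = "review"  # whitelisted, but still surfaced to the analyst
            else:
                reasons.append(f"{label} run by {rec['user']} on {rec['host']} at {rec['hour']:02d}:00")
                tier = "investigate"
        count = prevalence[rec["sha256"]]
        if count <= low_prevalence_max:
            reasons.append(f"binary seen on {count} of {fleet_size} hosts")
            tier = tier or "review"
        if tier:
            findings.append({"host": rec["host"], "user": rec["user"], "exe": rec["exe"],
                             "sha256": rec["sha256"], "tier": tier, "reasons": reasons})
    order = {"investigate": 0, "review": 1}
    return sorted(findings, key=lambda f: order[f["tier"]])  # stable: record order within a tier


# Constructed sample records; the sha256 values are short stand-ins, not real digests.
SAMPLE = [
    "host=adm-01 user=nferguson hour=10 exe=svchost.exe sha256=b2",
    "host=adm-01 user=nferguson hour=10 exe=PsExec.exe sha256=a1",
    "host=wks-017 user=jsmith hour=09 exe=svchost.exe sha256=b2",
    "host=wks-017 user=jsmith hour=02 exe=PsExec.exe sha256=a1",
    "host=wks-017 user=jsmith hour=02 exe=mimikatz.exe sha256=c3",
    "host=wks-017 user=jsmith hour=02 exe=mimikatz.exe sha256=c3",
    "host=wks-042 user=bob hour=14 exe=svchost.exe sha256=b2",
    "host=wks-042 user=bob hour=14 exe=updater.exe sha256=d4",
    "host=wks-042 user=bob hour=14 exe=AA_v3.exe sha256=e5",
    "host=wks-103 user=alice hour=11 exe=svchost.exe sha256=b2",
    "host=wks-104 user=carol hour=11 exe=svchost.exe sha256=b2",
    "host=srv-fs02 user=SYSTEM hour=03 exe=svchost.exe sha256=b2",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['tier']:11} {f['host']:8} {f['exe']:14} {'; '.join(f['reasons'])}")
```

On the sample, svchost.exe runs on all six hosts and produces nothing, PsExec from the admin jump host in working hours is surfaced at the review tier rather than suppressed, the same PsExec binary plus Mimikatz on a user workstation at 02:00 and Ammyy Admin on another workstation are raised for investigation, and an unknown updater present on a single host is queued for review purely on prevalence.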

An attacker cannot reliably pre-test an attack against this kind of defense. Continuous endpoint monitoring has a non-deterministic analytics component (which flags suspect activity) and a non-deterministic human component (which triages the alerts). Depending on current activity, the endpoint population mix and the experience of the security staff, developing attack activity may or may not be uncovered. That is the nature of cyber conflict; there are no guarantees. But security staff equipped with continuous endpoint monitoring analytics and visibility have an unfair advantage.

Carbanak Case Study Part One: The Case For Continuous Endpoint Monitoring – Charles Leaver

Presented By Charles Leaver And Written By Dr Al Hartmann

Part 1 in a 3 part series

Carbanak APT Background

A billion-dollar bank heist targeting more than a hundred banks around the world, carried out by a group of unidentified cyber criminals, has been in the news. The attacks on the banks began in early 2014 and have been spreading across the globe. Most victims suffered serious breaches lasting months and spanning multiple endpoints before they experienced any financial loss. Most victims had security measures in place, including network and endpoint security products, but these gave little warning of, or defense against, the attacks.

A number of security companies have produced technical reports on the incidents, codenamed either Carbanak or Anunak, listing the indicators of compromise they observed. These companies include:

Fox-IT of the Netherlands
Group-IB of Russia
Kaspersky Lab of Russia

This post serves as a case study of the attacks and examines:

1. Why conventional endpoint and network security was unable to detect and resist the attacks.
2. Why continuous endpoint monitoring (as provided by the Ziften solution) would have given early warning of the endpoint compromises and triggered a response to prevent data loss.

Traditional Endpoint And Network Security Is Inadequate

Built on a legacy security model that leans too heavily on blocking and prevention, conventional endpoint and network security does not offer a balanced strategy of blocking, prevention, detection and response. It is not hard for a cyber criminal to pre-test an attack against the handful of mainstream endpoint and network security products and confirm that it will not be detected. Several of the attackers researched the security products in use at the victim organizations and became skilled at getting past them undetected. The criminals knew that most of these products react only at the moment of an event and otherwise do nothing. This means that normal endpoint operation remains largely opaque to IT security staff, so malicious activity stays masked (having already been tested by the attackers to avoid detection). After the initial breach, the intrusion can spread to users with higher privileges and to more sensitive endpoints. This is easily done through credential theft, which requires no malware at all: standard IT tools (already whitelisted by the victim organization) are driven by attacker-written scripts. No detectable malware is present on the endpoints, so no alarm is raised. Conventional endpoint security software is simply too reliant on looking for malware.

Conventional network security can be gamed the same way. Attackers test their network activity in advance to avoid triggering widely deployed IDS/IPS rules, and they carefully observe normal endpoint operation (on endpoints they have already compromised) so that they can hide their network activity within normal transaction periods and normal traffic patterns. They set up fresh command-and-control infrastructure that appears on no network blacklist, at either the IP or the domain level. There is very little here to give the criminals away. Nevertheless, more sophisticated network behavioral analysis, especially when tied to the endpoint context discussed later in this series, can be far more effective.

It is not time to abandon hope. Would continuous endpoint monitoring (as provided by Ziften) have given early warning of the endpoint compromise, starting the process of stopping the attacks and preventing data loss? Find out in Part 2.