Don’t Risk Your Organization’s Security With Adobe Flash – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver, Ziften CEO

Are You Still Running Apple QuickTime and Adobe Flash for Windows? Didn’t You Get the Memo?

With Independence Day looming, a metaphor is needed: Flash is a bit like lighting fireworks. There may be safer ways to do it, but the only sure way is simply not to do it. And with Flash, you needn’t fight pyromaniac urges to avoid it; you just manage your endpoint configurations.

Why would you want to do this? Well, querying Google for “Flash vulnerability” returns thirteen million results! Flash is old, done and ready for retirement, as Adobe themselves put it:

Today [November 30, 2015], open standards like HTML5 have matured and offer many of the abilities that Flash introduced… Looking forward, we encourage content creators to develop with new web standards…

Run a vulnerability scanner across your endpoint population. See any Flash findings? Yes, in the typical enterprise, zillions. Your attackers know that too; they are counting on it. Thanks for contributing! Just keep ignoring those annoying security bloggers, like Brian Krebs:

I would advise that if you use Flash, you must highly consider removing it, or at a minimum hobbling it until and unless you need it.

Ignoring Brian Krebs’ advice raises the odds that your business’s data breach will be the headline story in one of his future posts.


Flash Exploits: the Preferred Exploit Kit Ingredient

The endless list of Flash vulnerabilities grows with each new patch cycle. Nation-state adversaries and better-resourced criminal groups can call upon Flash zero days. They aren’t hard to mine: point a fuzzer at the creaking Flash codebase and watch them roll out. If an attacking group can’t draw on zero days, no matter; there are plenty of newly published Flash Common Vulnerabilities and Exposures (CVEs) to use before enterprise patch cycles catch up. For exploit kit authors, Flash is the gift that keeps on giving.

A recent FireEye blog post illustrates this typical Flash vulnerability lifecycle, from pristine zero-day to newly hatched CVE to prime enterprise exploit:

On May 8, 2016, FireEye detected an attack making use of a previously unidentified vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the issue to the Adobe Product Security Incident Response Team (PSIRT). Adobe launched a patch for the vulnerability in APSB16-15 just 4 days later (published to the FireEye Threat Research Blog on May 13, 2016).

As a quick test, then, check your vulnerability report for that entry, CVE-2016-4117. It was used in targeted attacks as a zero day before it became a known vulnerability. Now that it is known, popular exploit kits will pick it up. Be sure you are ready.

Start a Flash and QuickTime Obliteration Campaign

While we have not discussed QuickTime yet, Apple dropped support for QuickTime on Windows in April 2016. This promptly triggered a panic in corporations with large numbers of both Apple macOS and Windows clients. Do you remove all support for QuickTime? Including on macOS? Or just Windows? How do you find the unsupported versions when there are so many floating around?


By doing nothing, you can flirt with catastrophe, with Flash vulnerability exposures swarming across your client endpoint population. Alternatively, you can begin a Flash and QuickTime eradication project to move towards a Flash-free enterprise. Or, wait, perhaps you just tell your users not to casually open e-mail attachments or click on links. User education, that always works, right? I don’t think so.

One problem is that some of your users have a job function that requires opening attachments: PDF invoices sent to accounts payable, applicants’ Microsoft Word resumes sent to hiring departments, or legal notices sent to legal departments.

Let’s take a closer look at the Flash exploit described by FireEye in the blog post mentioned above:

Attackers had actually embedded the Flash exploitation inside a Microsoft Office document, which was then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the doc and payload. With this setup, the assailants could share their exploitation through URL or email attachment. Although this vulnerability lives within Adobe Flash Player, risk actors created this specific cyber attack for a target using Windows and Microsoft Office.

Even if a Flash-averse enterprise had completely purged Flash from all of its many web browsers, this exploit would still have succeeded. Fully removing Flash requires purging it from all web browsers and disabling its execution in embedded Flash objects within Microsoft Office and PDF documents. At a minimum, that step should be taken for those departments whose job function requires opening attachments from unsolicited e-mails. Extending outwards from there is a worthwhile configuration-hardening goal for the security-conscious enterprise.

Not to mention, we’re all waiting for the first post about a QuickTime vulnerability that brings down a major business.

DBIR Report 2016 From Verizon Carries The Same Message – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver, Ziften CEO

The 2016 Data Breach Investigations Report from Verizon Enterprise has been released, examining 64,199 security incidents resulting in 2,260 confirmed breaches. Verizon defines an incident as an event that compromises the integrity, confidentiality, or availability of an information asset, while a breach is a confirmed disclosure of data to an unauthorized party. Because avoiding breaches is far less painful than enduring them, Verizon offers several sections of recommended controls for security-conscious businesses. If you don’t care to read the full 80-page report, Ziften offers this Verizon DBIR analysis with a focus on the recommended controls that EDR can enable:

Vulnerabilities Recommended Controls

A strong EDR tool performs vulnerability scanning and reports exposed vulnerabilities, including vulnerability exposure timelines that show how effective vulnerability management is. The exposure timelines matter because Verizon stresses a systematic approach that emphasizes consistency and coverage over haphazard, convenience-driven patching.

Phishing Recommended Controls

Although Verizon suggests user training to reduce phishing susceptibility, its data still shows nearly a third of phishing messages being opened, with users clicking the link or attachment more than one time in 10. Not good odds if you have at least 10 users! Given the inevitable click compromise, Verizon recommends putting effort into detecting anomalous network activity indicative of pivoting, C2 traffic, or data exfiltration. A sound EDR system will not only track endpoint network activity but also filter it against network threat feeds that identify malicious network destinations. Ziften goes beyond this with our patent-pending ZFlow technology, which augments network flow data with endpoint context and attribution, so that SOC personnel have the decision context they need to rapidly resolve network alerts.

Web App Cyber Attacks Recommended Controls

Verizon recommends multi-factor authentication and tracking of login activity to prevent compromise of web application servers. A strong EDR system will monitor login activity and apply anomaly checking to spot unusual login patterns that are a sign of compromised credentials.

Point-of-Sale Invasions Recommended Controls

Verizon recommends (as FireEye/Mandiant has also strongly recommended) strong network segmentation of Point of Sale devices. Again, a solid EDR system should be tracking network activity (to identify anomalous network contacts). ZFlow in particular is of great value in providing critical decision context for suspect network activity. EDR solutions also address Verizon’s recommendation to track remote logins to POS devices. Alongside this, Verizon recommends multi-factor authentication, but a strong EDR capability will augment that with additional login pattern anomaly checking (since even MFA can be defeated by MITM attacks).

Insider and Privilege Abuse Recommended Controls

Verizon recommends that you “monitor the heck out of [employee] authorized day-to-day activity.” Continuous endpoint monitoring by a strong EDR product naturally provides this capability. In Ziften’s case, our product tracks user presence intervals and user focus activity while present (such as foreground application usage). Anomaly checking can identify unusual deviations in activity pattern, whether a temporal anomaly (i.e. something has changed this user’s normal activity pattern) or a spatial anomaly (i.e. this user’s behavior pattern differs considerably from peers’ behavior patterns).
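The temporal-versus-spatial distinction above can be made concrete with a small scoring routine. This is an added example, not Ziften’s code: it assumes the EDR has already aggregated per-user daily minutes of foreground use of one application, and the user names, numbers and z-score threshold are constructed for illustration.

```python
"""Temporal vs spatial anomaly checks on user foreground-application activity.
Added example with constructed data; not Ziften's product code."""
from statistics import mean, pstdev

# Constructed: minutes per day of foreground use of a file-archiving tool for
# four users in one peer group, over the same ten working days.
ACTIVITY = {
    "alice": [12, 10, 14, 11, 9, 13, 12, 10, 11, 95],   # quiet, then a spike
    "bob":   [8, 11, 9, 10, 12, 9, 10, 11, 8, 10],
    "carol": [70, 72, 68, 75, 71, 69, 74, 70, 72, 73],  # consistently heavy user
    "dave":  [10, 9, 11, 12, 10, 8, 11, 10, 9, 12],
}
THRESHOLD = 3.0  # assumed z-score cut-off; tune per environment

def zscore(value, baseline):
    """Standard score of value against a baseline sample; 0 if baseline is flat."""
    sd = pstdev(baseline)
    return 0.0 if sd == 0 else (value - mean(baseline)) / sd

def temporal_anomaly(series, window=9, threshold=THRESHOLD):
    """Temporal check: has the latest day deviated from this user's own history?
    The baseline is the preceding `window` days; only upward spikes are flagged."""
    baseline, latest = series[-window - 1:-1], series[-1]
    z = zscore(latest, baseline)
    return z > threshold, round(z, 2)

def spatial_anomaly(user, activity, threshold=THRESHOLD):
    """Spatial check: does this user's typical level differ markedly from peers?
    Each user is summarised by their mean; the user is scored against peers' means."""
    peers = [mean(v) for u, v in activity.items() if u != user]
    z = zscore(mean(activity[user]), peers)
    return abs(z) > threshold, round(z, 2)

def check_all(activity):
    """Flag each user on both axes. A spatial hit (carol) may simply reflect a
    different job role, so it is decision context for an analyst, not a verdict."""
    return {u: {"temporal": temporal_anomaly(v)[0],
                "spatial": spatial_anomaly(u, activity)[0]}
            for u, v in activity.items()}
```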

Verizon also suggests tracking the use of USB storage devices, which solid EDR systems provide, since those devices can serve as a “sneakernet” exfiltration path.

Miscellaneous Errors Recommended Controls

Verizon’s recommendations in this area focus on keeping a record of past errors as a caution against repeating them. Solid EDR products do not forget; they preserve an archival record of endpoint and user activity going back to their initial deployment. These records are searchable at any time, perhaps after some future event has uncovered an intrusion and response teams have to go back and “find patient zero” to unravel the incident and recognize where mistakes may have been made.

Physical Theft and Loss Recommended Controls

Verizon suggests (and many regulators require) full disk encryption, especially for mobile devices. A strong EDR system will verify that endpoint configurations comply with enterprise encryption policy and will alert on violations. Verizon reports that data assets are physically lost 100 times more often than they are stolen, but the impact on the affected enterprise is essentially the same.

Crimeware Recommended Controls

Again, Verizon emphasizes vulnerability management and consistent, comprehensive patching. As noted above, capable EDR tools identify and track vulnerability exposures. In Ziften’s case, this keys off the National Vulnerability Database (NVD), filtering it against process image records from our endpoint monitoring. This yields an accurate, up-to-date vulnerability assessment at any time.
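The mechanism just described (NVD advisories filtered against process image records) and the exposure timelines from the Vulnerabilities section above can be shown together. This is an added example, not Ziften’s code: CVE-2016-4117 is the Flash CVE discussed in the first post, but the fixed version, dates, host names and inventory rows are constructed sample values.

```python
"""Vulnerability exposure timelines from NVD-style advisories and endpoint process
image records. Added example with constructed data; not Ziften's product code."""
from datetime import date
from typing import NamedTuple

class Advisory(NamedTuple):
    cve: str
    product: str
    fixed_version: tuple   # first version no longer vulnerable (sample value)
    published: date        # NVD publication date (sample value)

class ImageRecord(NamedTuple):
    host: str
    product: str
    version: tuple         # file version of the observed process image
    seen: date             # day the image was observed executing

# CVE-2016-4117 is the Flash CVE from the text; the fixed version and date here
# are constructed for this example, so check the real NVD entry before reuse.
ADVISORIES = [Advisory("CVE-2016-4117", "Adobe Flash Player", (21, 0, 0, 242), date(2016, 5, 12))]
# Constructed process image records as an EDR inventory would report them.
RECORDS = [
    ImageRecord("host-a", "Adobe Flash Player", (21, 0, 0, 213), date(2016, 5, 10)),
    ImageRecord("host-a", "Adobe Flash Player", (21, 0, 0, 213), date(2016, 5, 14)),
    ImageRecord("host-a", "Adobe Flash Player", (21, 0, 0, 242), date(2016, 5, 18)),
    ImageRecord("host-b", "Adobe Flash Player", (21, 0, 0, 213), date(2016, 5, 20)),
]
TODAY = date(2016, 5, 31)  # constructed report date

def is_vulnerable(adv: Advisory, rec: ImageRecord) -> bool:
    return rec.product == adv.product and rec.version < adv.fixed_version

def exposure_timeline(advisories, records, today):
    """Map (host, cve) -> (exposure_start, exposure_end or None, days_exposed).
    Exposure opens at the later of advisory publication and the first vulnerable
    observation, and closes at the first later observation that is not vulnerable."""
    timeline, by_host = {}, {}
    for rec in sorted(records, key=lambda r: r.seen):
        by_host.setdefault((rec.host, rec.product), []).append(rec)
    for adv in advisories:
        for (host, _), recs in by_host.items():
            vuln = [r for r in recs if is_vulnerable(adv, r)]
            if not vuln:
                continue
            start = max(adv.published, vuln[0].seen)
            fixed = [r for r in recs if r.seen > vuln[0].seen and not is_vulnerable(adv, r)]
            end = fixed[0].seen if fixed else None
            timeline[(host, adv.cve)] = (start, end, ((end or today) - start).days)
    return timeline
```

An open entry (end of None) is exactly the still-exposed host the first post tells you to look for in your vulnerability report.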

Verizon also advises capturing malware analysis data from your own enterprise environment. EDR tools track the arrival and execution of new binaries, and Ziften’s system can acquire samples of any binary present on enterprise endpoints and submit them for in-depth static and dynamic analysis by our malware research partners.

Cyber-Espionage Recommended Controls

Here Verizon specifically calls out use of endpoint threat detection and response (ETDR) tools, referring to the security tool segment that Gartner now terms endpoint detection and response (EDR). Verizon also suggests a variety of endpoint configuration hardening steps whose compliance can be verified by EDR tools.

Verizon also advises strong network protections. We have already discussed how Ziften ZFlow can considerably improve conventional network flow monitoring with endpoint context and attribution, providing a blend of network and endpoint security that is truly end-to-end.

Finally, Verizon suggests monitoring and logging, which is the first thing third-party incident responders ask for when they arrive on-scene to help in a breach crisis. This is the prime function of EDR tools, since the endpoint is the most frequent entry vector in a major data breach.

Denial-of-Service Attacks Recommended Controls

Verizon suggests controlling port access to prevent enterprise assets from being used to take part in a DoS attack. EDR products can track port usage by application and apply anomaly checks to recognize unusual application port usage that could indicate compromise.

Enterprise services migrating to cloud providers likewise require protection from DoS attacks, which the cloud service provider may supply. However, for network traffic monitoring in the cloud, where the enterprise may lack cloud network visibility, solutions like Ziften ZFlow provide a way to collect enriched network flow data directly from cloud virtual servers. Don’t let the cloud be your network blind spot, or adversaries will exploit it to fly under your radar.