Six Questions For Damage Control Prior To A Cyber Attack – Chuck Leaver

Written By Michael Bunyard And Presented By Ziften CEO Chuck Leaver


The reality of modern life is that if cyber attackers want to breach your network, it is only a matter of time before they succeed. The endpoint is the most common attack vector, and people are the weakest point in any organization. The endpoint device is where they interact with whatever a cyber attacker seeks: intellectual property, data, a ransom payment, and so on. New Next Generation Endpoint Security (NGES) systems, where Ziften is a leader, provide the visibility and insight needed to reduce the likelihood or duration of an attack. Prevention methods include shrinking the attack surface by removing known vulnerable applications, reducing version proliferation, eliminating malicious processes, and ensuring compliance with security policies.

But prevention can only go so far. No solution is 100% reliable, so it is important to take a proactive, real-time approach to your environment: watching endpoint behavior, detecting when breaches have occurred, and responding immediately with the necessary action. Ziften also supplies these capabilities, usually called Endpoint Detection and Response (EDR), and organizations should change their mindset from “How can we prevent attacks?” to “We are going to be breached, so what do we do then?”

To understand the true breadth and depth of an attack, organizations need to be able to look back and reconstruct the conditions surrounding a breach. Security analysts need answers to the following six questions, and they need them fast, since incident responders are outnumbered and working within limited time windows to reduce damage.

Where was the attack behavior first seen?

This is where the ability to rewind the clock to the point of initial infection is critical. To do this successfully, organizations must be able to go as far back in time as necessary to identify patient zero. The unfortunate state of affairs, according to Gartner, is that when a breach happens, the average dwell time before it is detected is a stunning 205 days. According to the 2015 Verizon Data Breach Investigations Report (DBIR), in 60% of cases attackers were able to compromise organizations within minutes. That is why NGES solutions that do not continuously monitor and record activity, but instead periodically poll or scan the endpoint, can miss the critical initial compromise. Likewise, the DBIR found that 95% of malware types were seen for less than four weeks, and 4 out of 5 did not last seven days. You need the ability to continuously monitor endpoint activity, look back in time (however long ago the attack occurred), and reconstruct the initial infection.

How did it behave?

What happened, step by step, after the initial infection? Did malware execute for a second every five minutes? Was it able to obtain escalated privileges? A continuous picture of what happened behaviorally at the endpoint is vital to get an investigation started.

How and where did the cyber attack spread after the initial compromise?

Usually the adversary is not really after the information available at the point of infection, but rather wants to use it as an initial beachhead from which to pivot through the network and find its way to the valuable data. Endpoints include the servers that the endpoints connect to, so it is necessary to see a complete picture of any lateral movement that took place after the intrusion, to know exactly which assets were compromised and possibly also infected.

How did the behavior of the infected endpoint(s) change?

What was going on before and after the infection? What network connections were being attempted? How much network traffic was flowing? What processes were active before and after the attack? Immediate answers to these questions are vital to quick triage.

What user activity occurred, and was there any potential insider involvement?

What actions did the user take before and after the infection occurred? Was the user present at the machine? Was a USB drive inserted? Was the time of day outside their typical usage pattern? These and many more artifacts must be available to paint a full picture.

What mitigation is needed to resolve the cyber attack and prevent the next one?

Reimaging the infected computer(s) is a lengthy and expensive solution, but often it is the only way to know for sure that all malicious artifacts have been removed (although state-sponsored attackers may embed themselves in system or drive firmware to survive even reimaging). However, with a clear picture of all activity that took place, simpler actions such as removing malicious files from every affected system may be sufficient. Re-examining security policies will probably be in order, and NGES systems can help automate future responses should similar circumstances occur. Automatable actions include sandboxing, cutting off network access from infected machines, killing processes, and much more.
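To show what answering the six questions looks like once a continuous endpoint record exists, here is an added Python example (not Ziften's code or data) that works through them over a constructed event stream; the host names, users, timestamps and the indicator `invoice.pdf.exe` are all invented.

```python
from collections import Counter
from datetime import datetime

# Constructed endpoint telemetry (invented hosts, users and indicator, not real data):
# (timestamp, host, user, kind, detail). A continuous recorder keeps every event,
# which is what lets each question be answered after the fact rather than by a scan.
EVENTS = [
    ("2015-11-05T08:30:00", "ws-12", "alice", "process", "outlook.exe"),
    ("2015-11-05T08:45:00", "ws-12", "alice", "net", "mail.example:993"),
    ("2015-11-05T08:58:00", "ws-12", "alice", "usb", "insert"),
    ("2015-11-05T09:00:10", "ws-12", "alice", "process", "invoice.pdf.exe"),
    ("2015-11-05T09:00:11", "ws-12", "alice", "net", "198.51.100.7:443"),
    ("2015-11-05T09:05:10", "ws-12", "alice", "process", "invoice.pdf.exe"),
    ("2015-11-05T09:06:00", "ws-12", "alice", "net", "srv-file:445"),
    ("2015-11-05T09:07:30", "srv-file", "svc-bk", "process", "invoice.pdf.exe"),
    ("2015-11-05T09:08:00", "srv-file", "svc-bk", "net", "198.51.100.7:443"),
]

def ts(e):
    return datetime.fromisoformat(e[0])
def patient_zero(events, ioc):
    """Q1: the earliest record matching the indicator, however far back it is."""
    hits = sorted((e for e in events if ioc in e[4]), key=ts)
    return hits[0] if hits else None
def spread(events, ioc):
    """Q3: hosts in order of first sighting, i.e. the lateral movement path."""
    first = {}
    for e in sorted(events, key=ts):
        if ioc in e[4]:
            first.setdefault(e[1], e[0])
    return list(first)
def before_after(events, host, t0):
    """Q2/Q4: event kinds on one host before versus from the infection time t0."""
    counts = {"before": Counter(), "after": Counter()}
    for e in events:
        if e[1] == host:
            counts["before" if ts(e) < t0 else "after"][e[3]] += 1
    return counts
def user_context(events, host, t0, minutes=5):
    """Q5: user-originated artifacts (USB, logon) within a window around t0."""
    return [e for e in events if e[1] == host and e[3] in ("usb", "logon")
            and abs((ts(e) - t0).total_seconds()) <= minutes * 60]
def remediation_scope(events, ioc):
    """Q6: hosts where the artifact ran, plus internal hosts they connected to."""
    known = {e[1] for e in events}
    hosts = set(spread(events, ioc))
    for e in events:
        if e[1] in hosts and e[3] == "net" and e[4].split(":")[0] in known:
            hosts.add(e[4].split(":")[0])
    return sorted(hosts)
```

On this data the same artifact reappears on `ws-12` five minutes after its first run and then on `srv-file`, which a periodic scan between those moments would never have seen.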

Don’t wait until after a cyber attack happens and you have to hire an army of specialists and spend valuable time and money piecing the facts together. Make sure you are prepared to answer these six key questions and have all the answers within your grasp in minutes.
