Archive for September, 2014


Breaches – how prevalent are they?

Two days ago, we blogged about Home Depot and took the following quote about breaches from one of the articles: “There are two types of companies: those that have been breached and those that don’t know they’ve been breached yet.” In fact, there are more breaches than we realize!

According to the Ponemon Institute, as reported in USA Today, “43% of companies have experienced a data breach in the past year”.

It looks like the Ponemon surveys are close to confirming the conviction that something is already looming in every company. As we said, APT attacks, and the malware they install that propagates through and across networks, can take years to play out. The malware’s ultimate goal, usually stealing information, can be pursued over a number of years before the breach is detected.

This is why we’re introducing SigFree Cerberus, a zero-day detection solution that takes care of malware you don’t know is there, as soon as it starts becoming active. We are trying to do our part to stem breaches by malware that other threat prevention solutions just cannot detect.

Home Depot – Prevention versus Detection

We’re all awaiting the forensics reports with bated breath.

It’s a tragedy for the 56 million affected individuals in this, the largest retail breach yet. And, we don’t yet know the facts from forensics analysis. Despite the blame being laid on antiquated systems and protection at Home Depot, it still raises the question: do we put too much attention on prevention and not enough on detection of what is already embedded in company systems?

The New York Times reported former employees attesting that “the risks were clear to computer experts inside Home Depot. The home improvement chain, they warned for years, might be easy prey for hackers.” But how did they reach this conclusion? Through vulnerability analysis? By running regular scans? Did they have state-of-the-art detection tools, not signature-based tools, to really assess threats already present?

The initial reports seem to indicate that these are valid points, but again, we must await the forensic reports before making judgments.

That same NYT article stated that “Company officials said the malware used against Home Depot had not been seen before and would have been difficult to detect”. But the difficulty of detection is dependent on whether you’re using the right tools, isn’t it?

Both of those points seem to be drawing some corroboration. Brian Krebs called the malware that hit Home Depot a new “variant of the malware that was used against Target”. And, in a Times article, Krebs was quoted as saying, “Are we spending most of our money on trying to keep the bad guys out or trying to detect as soon as possible when the bad guys get in?”. That same article brings up the point, “There are two types of companies: those that have been breached and those that don’t know they’ve been breached yet.” In other words, those who do not know they have been breached yet are not using the right detection tools for the job.

We bring up all these points because we have a similar view. Too much is spent on prevention at the expense of detection. It’s possible that this malware was on Home Depot’s systems for years. Time and time again, we see that breaches are the result of malware that has evaded detection for many months, if not years. And we’re facing zero-day malware plus new variants of older malware every day. Signature-based detection is just not the solution anymore.

DayZero’s SigFree Cerberus, our soon-to-be-released client app, is directed specifically at this type of malware. It is signature-free and designed to detect variants, including self-mutating and self-propagating ones. It is designed for the type of malware that may already be resident in thousands of other retailers’ systems right now! Think about it!

DayZero Explains the SigFree Technology Family!

Take a look at the DayZero SigFree Technologies used in DayZero Systems’ apps by visiting http://www.dayzerosystems.com/#technologies. These technologies are used in varying degrees in each DayZero app. Briefly, the SigFree-branded set of technologies includes:

  • Code Abstraction – a unique mapping process of each viable code segment in a data stream or suspect process.
  • Stealth – penetrates attempts by malware creators to disguise or protect their code.
  • Alarms – predictive techniques that raise “smoke signals” within milliseconds when a suspect malware process is detected.
  • Confinement – puts a suspect on hold while analysis proceeds, releases it quickly if the suspect is found to be legitimate.
  • Vulnerability Analysis – predictive techniques that estimate a “safe time” for the other devices on a network once malware is detected on any Cerberus-equipped device attached to it.
  • Malware Analytics – a set of techniques that make final determinations on the suspect and take appropriate action.
  • See more detail at http://www.dayzerosystems.com/#technologies and be sure to visit DayZero Systems

Cerberus is coming soon, get a preview!

Release of our newest app, Cerberus, is approaching. Read more about it below:

There are many ways that malware becomes installed on your computer, and existing defenses against its entry are not perfect. Your own well-intentioned actions may let malware in, or it may arrive attached to a normally trusted piece of software. Then there are phishing attacks, which are becoming more and more successful because the enticing come-ons they use are becoming more believable and less obviously malicious. If you use a thumb drive, or any other type of removable media, you may also inadvertently install malware that was unknowingly downloaded to it.

So, Cerberus was designed to be a gateway that detects malicious software attempting to make connections to the outside for purposes other than legitimate ones. It may be trying to send your data to outside sites, it may be trying to spread itself to other computers, or it may be a bot that someone is using in order to launch other attacks anonymously.

Cerberus uses several DayZero signature-free techniques, but they can be split into three principal parts. First, Cerberus listens to every process running on your computer, even those you don’t know are there, and is able to quickly detect suspect behavior. At this point, Cerberus raises a red flag, or what we call a smoke signal.

As soon as the smoke signal appears, Cerberus uses a containment technique while the malware’s communications are being analyzed. Containment gives a quick reaction to threats and also acts as a deterrent; sometimes it is the only measure needed, as Cerberus may bring the malware under control or exhaust its useful life. Cerberus is able to contain a suspect within milliseconds, versus the much longer reaction time of other techniques. This step also allows marginal suspects to be analyzed without disturbing legitimate processes. This is of growing importance, as many sites attempt to gather data for marketing purposes and may use techniques very similar to some worms and spyware, or even contain malware.

Containment often results in modifying a worm’s behavior: if it stops its activity and is not deemed a threat, it will be released. However, if it tries again, it will be contained again and analysis will begin again. One reason we allow releases is that a legitimate site page may initially act much like a worm, and in fact could be infected. Also, worms are sometimes designed to act only once, or a limited number of times. But even if a released worm self-mutates, Cerberus is designed to detect it again and take measures, since Cerberus does not rely on signatures for detection.

The proprietary analyses that Cerberus performs then determine whether the suspect’s actions are malicious or otherwise illegitimate. If its actions persist and are judged malicious or not for legitimate purposes, Cerberus will quarantine the process originating the malicious activity.
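To make the three-step flow above concrete, here is an added example of a behavior-based monitor written for this page; it is not DayZero’s code and says nothing about how Cerberus actually implements its analyses. It watches per-process outbound connection attempts, raises a “smoke signal” on two signature-free patterns (fan-out to many untrusted hosts, or a large volume to one untrusted host), holds the process’s traffic for a containment window, releases it when the window ends, re-contains it if it trips the check again, and quarantines it after repeated containments. The thresholds, the event format, the trusted-host list and the “repeat count” analysis rule are all assumptions made for the illustration, and the traffic it runs over is constructed inline.

```python
"""Behavioral "smoke signal" monitor with contain / release / quarantine states.

Added example, not DayZero's code: it models the flow described above (flag
suspect outbound behaviour, hold the process while it is analysed, release it
if it quiets down, re-contain it if it tries again, quarantine it if it
persists) on constructed events. Thresholds, event format and the analysis
rule (repeat count) are assumptions made for this illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed thresholds, not the product's real values
WINDOW_SECONDS = 5.0      # sliding window for behaviour counting
FANOUT_HOSTS = 8          # distinct untrusted hosts in window -> worm-like
EXFIL_BYTES = 5_000_000   # bytes to one untrusted host in window -> exfil-like
CONTAIN_SECONDS = 10.0    # how long a suspect's traffic is held per containment
MAX_CONTAINMENTS = 3      # contained this often -> quarantine

@dataclass
class ConnEvent:
    t: float        # seconds since the monitor started
    pid: int        # originating process
    dst: str        # destination host
    out_bytes: int  # bytes the process tried to send

@dataclass
class ProcState:
    recent: deque = field(default_factory=deque)  # (t, dst, bytes) within window
    state: str = "running"                        # running | contained | quarantined
    contained_until: float = 0.0
    containments: int = 0
    held: list = field(default_factory=list)      # attempts parked during containment
    reasons: list = field(default_factory=list)   # why each smoke signal fired

class BehaviorMonitor:
    def __init__(self, trusted_hosts):
        self.trusted = set(trusted_hosts)
        self.procs = defaultdict(ProcState)

    def _smoke_signal(self, ps, now):
        """Signature-free check: return a reason if the recent window looks suspect."""
        while ps.recent and now - ps.recent[0][0] > WINDOW_SECONDS:
            ps.recent.popleft()
        untrusted = [(d, b) for _, d, b in ps.recent if d not in self.trusted]
        hosts = {d for d, _ in untrusted}
        if len(hosts) >= FANOUT_HOSTS:
            return f"fan-out to {len(hosts)} hosts in {WINDOW_SECONDS}s"
        per_host = defaultdict(int)
        for d, b in untrusted:
            per_host[d] += b
        for d, b in per_host.items():
            if b >= EXFIL_BYTES:
                return f"{b} bytes to {d} in {WINDOW_SECONDS}s"
        return None

    def observe(self, ev):
        """Feed one outbound connection attempt; return the action taken on it."""
        ps = self.procs[ev.pid]
        if ps.state == "quarantined":
            return "dropped"
        if ps.state == "contained":
            if ev.t < ps.contained_until:
                ps.held.append(ev)          # parked, not forwarded (a real analysis would inspect these)
                return "held"
            # Hold period over: release, and judge the new attempt on its own
            ps.state, ps.held = "running", []
            ps.recent.clear()
        ps.recent.append((ev.t, ev.dst, ev.out_bytes))
        reason = self._smoke_signal(ps, ev.t)
        if reason is None:
            return "allowed"
        ps.containments += 1
        ps.reasons.append(reason)
        if ps.containments >= MAX_CONTAINMENTS:  # persisted through repeated holds
            ps.state = "quarantined"
            return "quarantined"
        ps.state, ps.contained_until = "contained", ev.t + CONTAIN_SECONDS
        ps.held = [ev]
        return "contained"

def run_scenario():
    """Constructed traffic: a browser, a worm-like scanner and an exfil-like sender."""
    mon = BehaviorMonitor(trusted_hosts={"update.example.com", "cdn.example.com"})
    events = []
    # pid 100: a browser talking to a trusted CDN, small uploads
    events += [ConnEvent(0.3 * i, 100, "cdn.example.com", 2_000) for i in range(40)]
    # pid 200: a new 10.0.0.x host every half second (self-propagation pattern)
    events += [ConnEvent(0.5 * i, 200, f"10.0.0.{i + 1}", 100) for i in range(70)]
    # pid 300: two 3 MB uploads to one unknown host, a second apart (exfil pattern)
    events += [ConnEvent(1.0 + i, 300, "203.0.113.9", 3_000_000) for i in range(2)]
    events.sort(key=lambda e: e.t)
    tally = defaultdict(lambda: defaultdict(int))
    for ev in events:
        tally[ev.pid][mon.observe(ev)] += 1
    return mon, {pid: dict(counts) for pid, counts in tally.items()}

if __name__ == "__main__":
    mon, tally = run_scenario()
    for pid in sorted(tally):
        print(pid, mon.procs[pid].state, tally[pid], mon.procs[pid].reasons)
```

Running it shows the three outcomes the text describes: the browser is never touched, the scanner is contained twice, released each time, trips the fan-out check a third time and is quarantined, and the bulk uploader is contained on its second attempt. The point of the release step is visible in the scanner’s tally: attempts made while held are parked rather than forwarded, so a one-shot or marginal process gets back to work without ever being scored as malicious, while a persistent one accumulates containments.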

Cerberus provides a number of extra benefits:

  • Cerberus is a signature-free malware detection solution. This means that it is designed to find malware at zero day, or malware which is programmed to alter or mutate its identity to avoid detection while it is installed on your computer or when it moves from one computer to another.
  • Cerberus is working all of the time. It does not depend on running scans periodically.
  • Cerberus targets some of the most dangerous malware that plagues consumer and business users alike – self-mutating and self-propagating worms and other malware that behaves like worms. Self-mutating means that the malware is programmed to change its identity to make detection much harder. Self-propagating means that the malware duplicates itself to infect other devices to which your computer becomes connected.
  • Cerberus is easy to use. In fact, you can install it and forget about it. If Cerberus needs your attention, it will let you know, but typically it can run and do its job without bothering you at all.
  • Cerberus gives you added protection should you fall victim to a phishing attack (where the attacker tempts you to invite it in by clicking on something you believe is valid).
  • Cerberus isn’t meant to protect you from every type of threat, but it is expert at the targets described above. We still recommend using traditional protection, particularly regularly scheduled scans of your computer files, for other types of threats.

When the worst happens, Cerberus may be the only solution keeping you safe!