The Impact of IoT on Your Attack Surface

Posted by Wade Williamson on Sep 29, 2015 8:12:00 AM

Researchers from Vectra Threat Labs recently performed an in-depth analysis of vulnerabilities found in a common Belkin wireless repeater. Today in an article on Dark Reading, Vectra CTO Oliver Tavakoli digs into why seemingly innocuous vulnerabilities can become serious problems in the context of the Internet of Things (IoT). Read the full article here.

Of particular importance to security teams, IoT is not only bringing far more devices into the network, but they are also devices that very rarely get patches and updates. This means that vulnerabilities can be left unaddressed for months or even years.  Likewise, these devices are unlikely to be protected by signatures and will almost assuredly be unable to run client-based security.

Read More »

Topics: Vulnerabilities, IoT

Cybersecurity and machine learning: The right features can lead to success

Posted by David Pegna on Sep 15, 2015 9:52:24 AM

Big data is around us. However, it is common to hear from a lot of data scientists and researchers doing analytics that they need more data. How is that possible, and where does this eagerness to get more data come from?

Very often, data scientists need lots of data to train sophisticated machine-learning models. The same applies when using machine-learning algorithms for cybersecurity. Lots of data is needed in order to build classifiers that identify, among many different targets, malicious behavior and malware infections. In this context, the eagerness to get vast amounts of data comes from the need to have enough positive samples — such as data from real threats and malware infections — that can be used to train machine-learning classifiers.

Is the need for large amounts of data really justified? It depends on the problem that machine learning is trying to solve. But exactly how much data is needed to train a machine-learning model should always be associated with the choice of features that are used.

Read More »

Topics: Data Science, cyber security

The industry needs a real alternative to signatures

Posted by Wade Williamson on Sep 9, 2015 10:20:00 AM

For years, security professionals have become increasingly aware of the limitations of signatures. And yet for all this awareness, the industry is still focused on making signatures faster instead of addressing the fundamental problem.

Threat feeds deliver signatures faster and faster, and malware sandboxes generate new signatures for newly discovered malware. Nonetheless, attackers continue to evade them and are winning at an ever-increasing rate.

Read More »

Topics: Cyberattacks, Signatures

Belkin F9K1111 V1.04.10 Firmware Analysis

Posted by Chris Morales on Aug 18, 2015 5:02:00 PM


Recently, it came to our attention that HP DVLabs has uncovered at least ten vulnerabilities in the Belkin N300 Dual-Band Wi-Fi Range Extender (F9K1111).  In response to this, Belkin released firmware version 1.04.10.  As this is the first update issued for the F9K1111 and there were not any public triggers for the vulnerabilities, we thought it would be interesting to take a deeper look.

Unpacking the Update

To begin our analysis, we downloaded the firmware update from the vendor [1]. We used a firmware tool called binwalk [2] to unpack the update:

Read More »

Microsoft Internet Explorer 11 Zero-day

Posted by Chris Morales on Jul 14, 2015 10:35:00 AM


On July 6th, information spread that the Italian company known as the Hacking Team were themselves the victims of a cyber attack. In the aftermath of this leak, Vectra researchers have analyzed the leaked data, and identified a previously unknown vulnerability in Internet Explorer 11 that impacts a fully patched IE 11 on both Windows 7 and Windows 8.1.

The hunt for the vulnerability began when we noticed an email from an external researcher who attempted to sell a proof-of-concept exploit to Hacking Team. The email was sent on 02/06/2015 and described an exploitable use-after-free bug in Internet Explorer 11. While Hacking Team ultimately declined to buy the PoC exploit, the email gave enough information for Vectra researchers to find and analyze the vulnerability.

While Hacking Team declined to purchase the PoC exploit, there is a chance the researcher went elsewhere to sell it, meaning that it may have been exploited in the wild.

Read More »

Topics: Vulnerabilities

Is your thermostat spying? Cyberthreats and the Internet of Things

Posted by Oliver Brdiczka, Principal Data Scientist, Vectra Networks on Jul 13, 2015 10:22:27 AM

The Internet of Things (IoT) is beginning to have a huge impact on our daily lives, and it will grow by orders of magnitude. However, the multitude of IoT devices with zero, limited or outdated security could produce disastrous results. It will be a formidable task to secure every small IoT device or toy. Security solutions that watch device behavior and identify anomalies might be our only hope.

The IoT is on the rise...

The genesis of IoT goes back to the early ’90s when PARC chief scientist Mark Weiser came up with the vision of Ubiquitous Computing and Calm Technology. In this vision, computing becomes “your quiet, invisible servant” and disappears from conscious actions and the environment of the user.

Read More »

Topics: Cyberattacks

Think outside the sandbox

Posted by Jerish Parapurath on Jul 8, 2015 2:31:12 PM

As cyber attacks increase in frequency and complexity, organizations continue to invest in prevention-centric technologies to secure their network perimeter. However, prevention-centric technologies are less than perfect. They protect networks from known threats using a combination of security rules, signatures and reputation lists.

A critical component of today’s network perimeter security is the file-based sandbox. Sandboxes were created to analyze suspicious files on isolated hosts – many with different operating systems – in a contained environment.

Read More »

Topics: Malware Attacks, Cyberattacks, Automated Breach Detection

What cyber threats are lurking about in your network?

Posted by Wade Williamson on Jun 23, 2015 5:00:00 AM

Today, Vectra Networks published its second edition Post-Intrusion Report that offers a first-hand look at modern threats that get past perimeter security and spread inside the network.

In the latest report, we analyzed behaviors and techniques across the entire lifecycle of real-world cyber attacks. We also looked back and saw alarming changes in the threat landscape and observed emerging trends in attack techniques.

Read More »

Topics: Cyberattacks, Post Breach Detection, Tor, cyber security

Duqu: The Sequel

Posted by Wade Williamson on Jun 12, 2015 12:54:00 PM

Recently, Kaspersky Labs disclosed that it was the victim of a sophisticated cyber attack, which they have named Duqu 2.0. The team at Kaspersky Labs has published a detailed analysis of Duqu 2.0 and it’s definitely worth a read.

The original Duqu threat actor was a family of malware that most researchers believe was created by a nation-state and it’s related to the infamous Stuxnet worm. While Stuxnet was used to damage centrifuges used to enrich uranium, the original Duqu appeared more intent on surveillance and collecting information within a compromised network.

Read More »

Topics: Cyberattacks, cyber security

Insider threats surge while budgets retreat

Posted by Wade Williamson on Jun 4, 2015 5:00:00 AM

The Information Security Community on LinkedIn recently completed a survey of more than 500 cybersecurity professionals on the topic of insider threats. This report reveals the real-world trends and challenges of combating insider threats from the viewpoint of the security professionals who do it every day.

Let’s take a look at some of these trends and what they may mean for information security.

Insider threats are on the rise, but budgets are not
Security teams have long been asked to do more with less, but this trend is particularly stark in the area of malicious insiders.

The study shows that 62% of respondents saw more insider threats over the past year, but only 34% expect to get more budget to address the problem. Underscoring this problem, 68% feel vulnerable and less than half feel they have appropriate control over insider threats.

Read More »

Topics: Insider Threats

Technical analysis of Hola

Posted by Chris Morales on Jun 1, 2015 7:19:00 AM

Updated June 3, 2015 11:00 AM (see details)

Recently a popular privacy and unblocker application known as Hola has been gaining attention from the security community for a variety of vulnerabilities and highly questionable practices that allow the service to essentially behave as a botnet-for-hire through its sister service called Luminati. Vectra researchers have been looking into this application after observing it in customer networks over the past several weeks, and the results are both intriguing and troubling. In addition to its various botnet-enabling functions that are now part of the public record, the Hola application contains a variety of features that make it an ideal platform for executing targeted cyber attacks.

Read More »

Topics: Targeted Attacks, Automated Breach Detection, P2P

Automate detection of cyber threats in real time. Why wait?

Posted by Jerish Parapurath on May 15, 2015 10:01:43 AM

Time is a big expense when it comes to detecting cyber threats and malware. The proliferation of new malware variants makes it impossible to detect and prevent zero-day threats in real-time. Sandboxing takes at least 30 minutes to analyze a file and deliver a signature – and by then, threats will have spread to many more endpoints. 

Read More »

Topics: Targeted Attacks, Malware Attacks, Data Science, machine learning

Cybersecurity, data science and machine learning: Is all data equal?

Posted by David Pegna on May 9, 2015 9:00:00 AM

In big-data discussions, the value of data sometimes refers to the predictive capability of a given data model and other times to the discovery of hidden insights that appear when rigorous analytical methods are applied to the data itself. From a cybersecurity point of view, I believe the value of data refers first to the "nature" of the data itself. Positive data, i.e. malicious network traffic data from malware and cyberattacks, has much more value here than in some other data science problems. To better understand this, let's start to discuss how a wealth of network traffic data can be used to build network security models through the use of machine learning techniques.

Read More »

Topics: Data Science, cyber security, machine learning

Dyre Malware Games the Test

Posted by Wade Williamson on May 7, 2015 12:45:23 PM

The Dyre family of banking malware is back in the news after researchers recently observed that the malware incorporated tricks to avoid detection in malware sandboxes. Previously, Dyre was most notable for targeting high-value bank accounts, including business accounts, and incorporating sophisticated social engineering components to overcome the 2-factor authentication used by most banks.

In this latest twist, the Dyre malware aims to identify when it is being run in a malware sandbox by counting the cores of the machine on which it is running. The trick, in this case, is that many malware sandboxes will run as a virtual machine with only a single processor and single core in order to conserve resources. Malware sandboxes have to analyze a very large number of files, so each virtual machine often gets provisioned with a bare minimum of resources in order to run as many VMs as possible. 

Read More »

Topics: Malware Attacks

Big Data Sends Cybersecurity Back to the Future

Posted by David Pegna on Apr 1, 2015 12:56:43 PM

The main reason behind the rising popularity of data science is the incredible amount of digital data that gets stored and processed daily. Usually, this abundant data is referred to as "big data" and it's no surprise that data science and big data are often paired in the same discussion and used almost synonymously. While the two are related, the existence of big data prompted the need for a more scientific approach – data science – to the consumption and analysis of this incredible wealth of data.

Read More »

Topics: Data Science, cyber security

Do you know how to protect your key assets?

Posted by Oliver Brdiczka, Principal Data Scientist, Vectra Networks on Mar 27, 2015 10:26:34 AM

Security breaches did not stop making headlines in recent months, and while hackers still go after credit card data, the trend goes towards richer data records and exploiting various key assets inside an organization. As a consequence, organizations need to develop new schemes to identify and track key information assets.

The biggest recent breach in the financial industry occurred at JP Morgan Chase, with an estimated 76 million customer records and another 8 million records belonging to businesses stolen from several internal servers. At Morgan Stanley, an employee of the company’s wealth management group was fired after information from up to 10% of Morgan Stanley’s wealthiest clientele was leaked. Even more sensitive was the largest health-care breach thus far: at Anthem, over 80 million records containing personally identifiable information (PII) including social security numbers were exposed. Less well-known, but potentially more costly in terms of damage and litigation, is the alleged theft of trade secrets by the former CEO of Chesapeake Energy (NYSE: CHK).

Read More »

Topics: Insider Threats, Data Science

Cybersecurity Sensors – Threat Detection Throughout a Distributed Network

Posted by Hitesh Sheth on Mar 24, 2015 5:00:00 AM

Keeping data from getting out into the wild or being damaged by cyber attackers is what keeps CISOs, the executive team and boards of directors up at night. To protect organizations, cybersecurity needs to be automated and real-time, it needs to learn contextually like we do and it needs to monitor for threats at every corner of the network in a way that organizations can afford without sacrificing coverage.

Read More »

Topics: cyber security, Automated Breach Detection

Creating Cyber Security That Thinks

Posted by David Pegna on Mar 9, 2015 1:50:00 PM

Until recently, using the terms “data science” and “cybersecurity” in the same sentence would have seemed odd. Cybersecurity solutions have traditionally been based on signatures – relying on matches to patterns derived from previously identified malware to capture attacks in real time. In this context, the use of advanced analytical techniques, big data and all the traditional components that have become representative of “data science” have not been at the center of cybersecurity solutions focused on identification and prevention of cyber attacks.

This is not surprising. In a signature-based solution, any given malware or new flavor of it needs to be identified, sometimes reverse-engineered and have a matching signature deployed in an update of the product in order to be “detectable.” For this reason, signature-based solutions are not able to prevent zero-day attacks and provide very limited benefit compared to the predictive power offered by data science.

Read More »

Topics: Data Science, cyber security

Superfish: When Bloatware Goes Bad

Posted by Wade Williamson on Mar 4, 2015 10:33:00 AM

The recent Superfish debacle is yet another reminder that as security professionals we live in an inherently post-prevention world. Increasingly, everyone must assume that despite all our best efforts, users on our networks may already be compromised. While the focus is often on the many ways that a user can be infected with malware, Superfish is a reminder that a device can be compromised before it ever comes out of the box.

As a quick recap, Superfish is software that acts as an SSL man-in-the-middle in order to control the ads a user sees while browsing the Web – it’s “adware” which pretends to provide a service you would want.  To break SSL encryption without triggering a browser warning, Superfish installs a signed root certificate on the machine. More specifically, the software installs the exact same root cert on a series of laptops, and researchers (and attackers) are able to quickly extract the cert. Rob Graham at Errata Security provides a nice write-up on how he was able to do this. 

Read More »

Topics: SSL Encryption, Post-prevention

Cyber Attackers Are Digital Termites

Posted by Mike Banic, VP of Marketing on Mar 1, 2015 9:00:00 AM

Each of the publicized breaches over the past 15 months has been followed by the same question: “How did these attackers go undetected for several weeks or months?” The 80 million Americans covered by Anthem, whose personally identifiable information (PII) was stolen, are now asking this very question.

Let me liken this attack to a recent experience in my own life. After finding a small pile of what looked like sawdust on the hardwood floor of our guest room, it was like the “oh-crap” moment a CXO experiences when a 3-letter agency informs them that their organization’s crown jewels have been discovered in Kazakhstan. “Oh crap, we have termites.” Just like Sony Entertainment called in the FBI or Anthem called in a forensics agency, we called the termite guy.

Read More »

Topics: Cyberattacks

The Carbanak APT - Redefining Banking Malware

Posted by Wade Williamson on Feb 19, 2015 3:00:00 PM

Recent research from Kaspersky has revealed a massive criminal campaign that was able to infiltrate more than 100 different banks and steal upwards of $1 billion from the affected institutions. Kaspersky dubbed this operation the Carbanak APT due to a connection between the malware used in the attacks and the now infamous Carberp banking botnet.

Read More »

Topics: Malware Attacks, Cyberattacks, Finance

The Anthem Breach and Security Going Forward

Posted by Wade Williamson on Feb 6, 2015 3:52:00 PM

Yesterday Anthem became the latest company to suffer a massive, high-profile data breach that almost certainly will become the largest data breach to date in the healthcare industry. Attackers were able to infiltrate the network and steal personal information for over 80 million customers. The stolen data included a variety of Personally Identifiable Information (PII) including Social Security numbers, contact details as well as employment and income information.

This is a particularly dangerous combination of data that is worth significantly more on the black market than stolen credit card numbers. Unlike a credit card, which can be easily cancelled and replaced, a full identity can be used for long-term fraud such as taking out loans in the victim’s name. Employment information is particularly sought after when selling an identity. The one silver lining is that it does not appear that medical records and other Personal Health Information (PHI) were exposed in the breach.

Read More »

Topics: Targeted Attacks, Cyberattacks

Detecting the Insider Threat – how to find the needle in a haystack?

Posted by Oliver Brdiczka, Principal Data Scientist, Vectra Networks on Jan 10, 2015 10:00:00 AM

In the previous posts, we have examined the insider threat from various angles and we have seen that insider threat prevention involves the information security, legal and human resources (HR) departments of an organization. In this post, we want to examine what information security departments can actually do to detect ongoing insider threats, and even prevent them before they happen.

The literal needle in the haystack

Overall, insider threats represent only a small proportion of employee behavior. And while only the ‘black swan’ incidents become public knowledge, minor incidents such as theft of IP or customer contact lists will add up to major costs for organizations.

In addition, insiders are by default authorized to be inside the network and are both granted access to and make use of key resources of an organization. Given the large pile of access patterns visible in an organization’s network, how is one to know which ones are negligent, harmful or malicious behavior?

Read More »

Topics: Insider Threats, Data Science

Morgan Stanley Meets the Insider Threat

Posted by Wade Williamson on Jan 6, 2015 1:58:00 PM

Earlier today news broke that financial services firm Morgan Stanley had experienced an insider breach, which resulted in customer data being posted online. The breach was initially detected when data related to a portion of the firm’s wealth management clients was observed on Pastebin. Pastebin is a popular site for sharing text-based data, and while it is widely used for sharing code between developers, it has also long been a thriving marketplace for advertising and selling stolen data for everything from compromised user accounts, cracked passwords, credit card numbers, and in this case account data.

Read More »

Topics: Cyberattacks, Insider Threats

Malicious Insider Psychology – when the personal bubble bursts

Posted by Oliver Brdiczka, Principal Data Scientist, Vectra Networks on Dec 22, 2014 3:00:00 PM

In the previous post, we examined the motivations and constraints that make an insider ‘malicious,’ and we saw that external and mental pressure, an opportunity to steal confidential information and rationalization of the potential theft are the factors that contribute to an insider turning against his employer.

While these three factors are necessary triggers for becoming malicious, there is much more going on in an insider’s mind before, during and after an attack. What are the mental stages that a ‘turning’ insider goes through? And what are potential indicators for each stage?

Read More »

Topics: Insider Threats

Malicious Insider Psychology – when pressure builds up in the Fraud Triangle

Posted by Oliver Brdiczka, Principal Data Scientist, Vectra Networks on Dec 13, 2014 9:00:00 AM

In previous posts, we have discussed various types of insider threats that affect US government, companies and organizations in charge of critical infrastructure. We have discussed various insider attack patterns, but what are the motivations and constraints that make an insider turn against his employer?

We have seen that so-called ‘whistle blowers’ may act upon their own convictions and turn against their employer, but their numbers are very limited. As the majority of cases involve the theft of information and assets from an organization for personal gain, what are the motivations and constraints in this case?

Read More »

Topics: Insider Threats

Community Threat Analysis Uncovers Insider Attacks

Posted by Mike Banic, VP of Marketing on Dec 10, 2014 1:28:56 PM

Today, we announced the new Community Threat Analysis for the Vectra X-series that puts your organization’s key assets at the center of real-time investigations of insider and targeted attacks.

2014 has been the year of the breach, and as a result companies are increasing their investment in cyber security. However, the majority of cyber security products focus exclusively on malware and external attacks, and are effectively blind to insider threats. At Vectra we believe that security should protect your most important assets regardless of whether the threat is from an external attacker or a malicious insider. You don’t get to choose your attacker, so why should your security solutions protect only against one type? Let’s take a closer look at why stopping the insider threat is crucial, and what Vectra can do to help.

Read More »

Topics: Insider Threats

Insider attacks pose a serious threat to critical U.S. infrastructure

Posted by Oliver Brdiczka, Principal Data Scientist, Vectra Networks on Dec 7, 2014 7:00:00 AM

A scary 70 percent of critical infrastructure organizations suffered security breaches in the last year, including water, oil and gas, and electric utilities. An almost equally high number, 64 percent, anticipate one or more serious attacks in the coming year.

In the previous posts of this series, we highlighted insider threat risks for US companies and how they respond to them. While the insider threat in government agencies and big companies is a known problem with somewhat implemented mitigation strategies, less is known about the insider threat to critical US infrastructure, such as water purification or nuclear power plants. To illustrate the nature of the threats, let me provide two examples from a Department of Homeland Security report – the Insider Threat to Utilities report.

Read More »

Topics: Insider Threats

Applying Vectra to the Regin Malware

Posted by Wade Williamson on Dec 3, 2014 7:20:18 AM

Researchers at Symantec have recently disclosed the presence of a highly sophisticated malware platform known as ‘Regin’. This new strain of malware instantly joins Stuxnet, Flame, and Duqu on the list of some of the most advanced malware ever seen. And like the other members of this elite state-sponsored fraternity, Regin malware appears to be purpose-built for espionage with the ability to quietly infect, spread, and persist within a target network for long periods of time.

Read More »

Topics: Malware Attacks, Cyberattacks, Nation-State Attacks

Insider Threats - the myth of the black swan

Posted by Oliver Brdiczka, Principal Data Scientist, Vectra Networks on Nov 30, 2014 9:00:00 AM

While the reported $40 billion of insider threat losses for the US economy seem scary, many companies consider insider threats to be more like a ‘black swan’ event – highly visible, but extremely rare, abstract, and too hard to predict for it to constitute a real threat. But it is the gray areas companies should be wary of.

In previous posts of this series, we described how companies are affected by malicious insider incidents, and what impact and cost these incidents might cause. Most think of highly publicized whistleblower cases such as Edward Snowden and Bradley Manning. Overall, these seem like natural disasters (e.g., earthquakes): you can take some precautions, but then you just hope it will not happen to you … and if it does, it will be disastrous (and you just have to accept it).

In addition, I often hear arguments from small and medium sized companies that they do not feel exposed to the insider threat because:

Read More »

Topics: Insider Threats

Insider Threats - how they affect US companies

Posted by Oliver Brdiczka, Principal Data Scientist, Vectra Networks on Nov 22, 2014 7:00:00 AM

In the second post of this series, we looked at basic definitions of insider threat incidents and their impact on organizations. Now, let’s have a closer look at how malicious insider threat actions affect companies in the United States, and how companies can respond to these threats.

From the most recent consolidated data available on this subject, over 50% of organizations report having encountered an insider cyberattack in 2012, with insider threat cases making up roughly 23% of all cybercrime incidents. This percentage has stayed consistent over the prior couple of years, but the total number of attacks has increased significantly.

The result is $2.9 trillion in employee fraud losses globally per year, with $40 billion in losses due to employee theft and fraud in the US in 2012 alone. The damage and negative impact caused by insider threat incidents is reported to be higher than that of outsider or other cybercrime incidents.

Interestingly, in contrast to outsider attacks on networks, insider cyberattacks are under-reported. Only a few cases make it into public media or are even known to insider threat experts. Reasons for such under-reporting are insufficient damage or evidence to warrant prosecution, and concerns about negative publicity. The risk of revealing confidential data and business processes during investigations may be another reason why many companies don’t report and prosecute insider threat incidents.

Read More »

Topics: BYOD, Insider Threats

Insider Threats - is your organization safe?

Posted by Oliver Brdiczka, Principal Data Scientist, Vectra Networks on Nov 15, 2014 6:39:00 PM

In the previous post of this blog series, we discussed highly publicized whistleblower cases such as Chelsea Manning and Edward Snowden. While government agencies are ramping up their protections of data and infrastructure against these cases, what danger do malicious or negligent insiders constitute for organizations, including corporations and small businesses, and what kind of insider threats exist? Is your organization safe?

Let’s first look at a more formal definition of the malicious insider. According to the computer emergency response team (CERT) at CMU, a malicious insider is a current or former employee or contractor who deliberately exploited or exceeded his or her authorized level of network, system or data access in a way that affected the security of the organization’s data, systems, or daily business operations.

Read More »

Topics: Insider Threats

Insiders – Threat or Blessing?

Posted by Oliver Brdiczka, Principal Data Scientist, Vectra Networks on Nov 12, 2014 11:30:00 AM

Insiders leaking information about secretive government practices and decision-making have had their impact on public opinion and United States policies in recent years, but are these leaks for the benefit of society, or do they push a hidden agenda?

The most prominent example is Edward Snowden, who leaked significant amounts of classified information from the National Security Agency (NSA) about its practices. On September 23, Edward Snowden received the Swedish human rights award, also referred to as the alternative Nobel prize, for his revelations in 2013. Snowden, who “blew the whistle,” got rewarded “for his courage and skill in revealing the unprecedented extent of state surveillance violating basic democratic processes and constitutional rights.”

Read More »

Topics: Insider Threats

Don't Shed Tears When Peeling the Onion Router

Posted by Oliver Tavakoli, CTO, Vectra Networks on Nov 11, 2014 12:27:06 PM

Periodically, articles are published highlighting the difficulty authorities have investigating illegal activity on the Internet when the perpetrators make use of the anonymity that Tor provides.

Last week saw another such article appear in The Wall Street Journal, highlighting an operation that took down more than four hundred Web sites accessible only via Tor, which are essentially Tor “services”, arrested 17 people and confiscated plenty of Bitcoins associated with running these web sites. These web sites are referred to as “darknet marketplaces” and basically connect purveyors of illegal goods (e.g., drugs, guns) and services (e.g., contract killings) with people seeking these things. An August article in Wired spent more time detailing how the FBI goes about fighting the demand side of the problem – by infecting machines belonging to potential seekers of such goods and services via drive-by-downloads.

Read More »

Topics: Targeted Attacks, Tor

Attackers Lurk in my Network, but Nothing Reports it

Posted by Jerish Parapurath on Nov 10, 2014 12:29:00 PM

Home Depot, Target, JP Morgan, and Community Health Systems have all been victims of a network security breach, resulting in the loss of customers’ personal data and millions of dollars in revenue. We ask ourselves “who will be next?” – because the assault on the digital economy has become an asymmetric war and businesses are on the losing side.

The first edition of "The Post Breach Industry Report" is an industry study using real-world data from enterprise networks, revealing what attackers do inside an organization’s network once they evade perimeter defenses.

Read More »

Topics: Targeted Attacks, Malware Attacks, Post Breach Detection

Catch Attackers Attempting to Shellshock You

Posted by Oliver Tavakoli, CTO, Vectra Networks on Sep 29, 2014 10:48:00 AM

The recent discovery of Shellshock, the bash shell bug, has something in common with the discovery of Heartbleed earlier this year. Both vulnerabilities existed for many years before they were discovered – over two years for Heartbleed and over 22 years for Shellshock. Both affect a very large number of computer and communications systems. Both have induced a gut-wrenching panic.

There will always be two periods during which you are vulnerable to such exploits. The first is the period before the vulnerability is reported and may have been exploited by a few attackers. The second is the span of time between when the vulnerability is publicly reported and before you patch the affected systems. During this second period, every attacker imaginable will attempt to exploit the vulnerability. Predicting when new vulnerabilities will appear and what ways creative attackers will come up with to exploit them is generally a losing battle. That doesn’t mean there is nothing you can do to catch them.
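One concrete way to catch attackers during that second window, added here as an example and not code from the original post: every Shellshock exploit has to deliver the bash function-definition prelude `() {` inside some HTTP header, so scanning web-server access logs for that prelude (including its URL-encoded form) surfaces the probes. The log lines below are constructed, using documentation-range IPs, and only the request line, Referer and User-Agent are visible in the combined log format; attackers also use Cookie, Host and custom headers, which need a proxy or IDS with full header visibility.

```python
"""Flag Shellshock probe attempts in web-server access logs.

Added example (not from the original post): scans Apache/nginx combined-format
log lines for the bash function-definition prelude "() {" that every
Shellshock (CVE-2014-6271 family) exploit must carry in an HTTP header.
"""
import re
from urllib.parse import unquote

# Combined log format; quoted fields are assumed not to contain embedded quotes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# The prelude bash parses as an exported function definition. Whitespace
# between "()" and "{" varies across public exploit variants, so allow it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed sample lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    '198.51.100.4 - - [25/Sep/2014:10:01:07 +0000] "GET /index.html HTTP/1.1" '
    '200 2326 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/32.0"',
    '203.0.113.5 - - [25/Sep/2014:10:03:21 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; /bin/bash -c /usr/bin/id"',
    '203.0.113.9 - - [25/Sep/2014:10:03:44 +0000] "GET /cgi-bin/env.cgi HTTP/1.1" '
    '500 0 "http://203.0.113.9/?q=%28%29%20%7B%20%3A%3B%7D%3B%20ping" "curl/7.37.0"',
]


def find_shellshock_probes(lines):
    """Return one record per logged header field that carries the prelude."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        for field in ("request", "referer", "user_agent"):
            value = unquote(m.group(field))  # catch URL-encoded variants too
            if SHELLSHOCK_RE.search(value):
                hits.append({
                    "client": m.group("client"),
                    "time": m.group("time"),
                    "field": field,
                    "payload": value,
                })
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} via {hit["field"]}: {hit["payload"]}')
```

The check is deliberately on the prelude rather than on any particular payload, because the command after `;` is whatever the attacker wants it to be; matching on `wget` or `/bin/bash` would miss the next variant. A hit against a host that has not yet been patched is a host to treat as compromised until proven otherwise.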

Read More »

Topics: Heartbleed, Shellshock

Vectra detections will enable Juniper to block cyberattacks via API

Posted by Mike Banic, VP of Marketing on Sep 9, 2014 11:37:00 AM

Today, Vectra Networks participated in Juniper Networks' announcement of the expansion of its Spotlight Secure threat intelligence platform. Part of the expansion is an open API that lets the Vectra X-series report detections of in-progress cyber attacks to Juniper's Spotlight Secure platform.

The integration enabled by this open API delivers three important benefits:

  • The ability to block the attack;
  • A single pane of glass; and
  • The flexibility and choice to deploy best-of-breed solutions
Read More »

Topics: Cyberattacks

Detecting Future Heartbleed Security Exploits

Posted by Oliver Tavakoli, CTO, Vectra Networks on Aug 22, 2014 2:47:00 PM

Reading Steve Ragan's write-up on the recent Community Health Systems breach in CSO Online took me back to my blog post, Heartbleed on the Inside, from May 1, 2014, which included this cautionary note.

"It's only a matter of time – actually, it's probably already happening – before we see targeted attacks that utilize Heartbleed as one of the weapons in the attackers' arsenal to acquire key account credentials and use those credentials to get to the crown jewels."

Read More »

Topics: Malware Attacks, Heartbleed

Art of Scoring Malware Detections – Friend or Foe?

Posted by Oliver Tavakoli, CTO, Vectra Networks on Aug 15, 2014 7:00:00 AM

As our customer base has grown, the variety of opinions about what constitutes a threat has grown with it. This variety creates challenges for products like ours, which strive to supply the right epiphanies with little or no configuration required by our customers.

One example comes up when we have detected what we call “external remote access” behavior in the network. This algorithm detects remote control of a host inside an organization's network by an entity outside the network (in this context, “outside” means not connected via VPN), over a connection that was initiated by the internal host.
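To make the shape of that behavior concrete, here is an added, simplified heuristic; it is not Vectra's detection algorithm and is not code from the original post. It scores a session on the pattern a reverse shell or remote-access tool leaves: the inside host opens the connection, yet the outside party speaks first and then drives the exchange, sending small "commands" and receiving larger "responses" turn after turn. The sessions, the internal address ranges and the list of server-first protocol ports are all assumptions for the example.

```python
"""Illustrative scoring of 'external remote access' behaviour.

Added example, not Vectra's algorithm: a simplified heuristic over constructed
session summaries. It looks for the traffic shape of a reverse shell or RAT:
the inside host opens the connection, but the outside party then drives it.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed internal address space (RFC 1918); adjust for the site.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Protocols where the server legitimately sends the first bytes (banners),
# excluded so the "responder spoke first" test is not trivially fooled. Assumed list.
SERVER_SPEAKS_FIRST_PORTS = {21, 22, 25}


@dataclass
class Session:
    src: str           # host that opened the TCP connection
    dst: str
    dport: int
    # Ordered, non-zero application payload sizes. Sign encodes direction:
    # +n = initiator -> responder, -n = responder -> initiator.
    payloads: list = field(default_factory=list)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def score_remote_access(s: Session):
    """Return (score 0-100, reason). 0 means 'looks like a normal client'."""
    if not (is_internal(s.src) and not is_internal(s.dst)):
        return 0, "not an inside-initiated connection to the outside"
    if s.dport in SERVER_SPEAKS_FIRST_PORTS:
        return 0, "server-first protocol port, excluded"
    if not s.payloads or s.payloads[0] >= 0:
        return 0, "initiator spoke first (normal client behaviour)"
    # Group into turns: responder data ("command") followed by initiator data.
    turns, cmd, resp = [], 0, 0
    for p in s.payloads:
        if p < 0:
            if cmd and resp:
                turns.append((cmd, resp))
                cmd, resp = 0, 0
            cmd += -p
        else:
            resp += p
    if cmd and resp:
        turns.append((cmd, resp))
    if len(turns) < 3:
        return 0, "fewer than three command/response turns"
    cmd_med = median(t[0] for t in turns)
    resp_med = median(t[1] for t in turns)
    if cmd_med >= resp_med:
        return 0, "outside party sends more than it receives"
    # More turns and a larger response/command ratio raise the score.
    score = min(100, 10 * len(turns) + int(min(50, resp_med / cmd_med)))
    return score, f"{len(turns)} turns, median command {cmd_med} B vs response {resp_med} B"


# Constructed sessions (documentation-range external IPs), not real traffic.
REVERSE_SHELL = Session("10.1.4.22", "203.0.113.7", 443,
                        [-12, 850, -8, 2100, -15, 600])
WEB_BROWSING = Session("10.1.4.22", "203.0.113.80", 443,
                       [300, -5000, 280, -4800, 310, -6100])
SSH_OUT = Session("10.1.4.22", "203.0.113.22", 22,
                  [-40, 40, -900, 700, -16, 300])

if __name__ == "__main__":
    for name, sess in [("reverse shell", REVERSE_SHELL), ("web", WEB_BROWSING), ("ssh", SSH_OUT)]:
        print(name, score_remote_access(sess))
```

The output is a score rather than a verdict precisely because of the friend-or-foe problem the post raises: a help-desk's remote-support tool produces the same outbound, outside-driven shape as a RAT, so the threshold at which this becomes an alert is something each customer has to set.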

Read More »

Topics: Malware Attacks

Packet Pushers Shines Critical Light on New Cyber Security Solution

Posted by Tom Canty, Vectra Marketing on Aug 14, 2014 10:30:00 AM

Salespeople. They're charismatic, they're informative, and if they're good, they'll convince you that what they have is exactly what you need. I remember being tasked with finding a new corporate travel solution by a former manager. When information I found online looked promising, or was too vague, I'd request a sales demo. During the meeting, I would experience total clarity. What a perfect solution. This is exactly what we need. I'm not an easy sell, am I? The assurance salespeople provide is comforting, but the thing is, not all solutions are an ideal fit, and a salesperson isn't in the business of helping you find an ideal fit.

Read More »

Topics: Targeted Attacks

Reducing the Cyber Security Risk for BYOD – Can you have your gadgets and use them too?

Posted by Tom Canty, Vectra Marketing on Aug 1, 2014 11:00:00 AM

A few things ring true of today's working world. First is that no one in the year 2014 should have to work in a cubicle. Defenders will say "it's been this way for years," or "you'd be surprised by how common it is." That doesn't make working in a small felted cubby any less ridiculous. In the brief time I occupied one it was best used for sleeping on the job, and I've discovered that's a terrifying idea when sitting in a room full of your peers.

The second is that personal devices should be encouraged and ubiquitous fixtures of the workplace. One simple reason is that employer-provided technology is often clunky, out-of-date, or unsightly, so using personal devices can mean using better devices.
Read More »

Topics: BYOD

The hidden risk of not detecting bitcoin mining

Posted by Mike Banic, VP of Marketing on Jun 6, 2014 8:30:00 AM

On June 6th, Forbes reporter Kashmir Hill wrote about an NSF researcher who misused NSF-funded supercomputing resources to mine Bitcoin valued between $8,000 and $10,000. The article also points to a student at Imperial College London and a researcher at Harvard University who are alleged to have used their universities' computers to mine a similar virtual currency called Dogecoin.

As a CISO, your first reaction might be that inappropriate uses of your organization's resources should be stopped, but this is probably not your highest priority. Someone using your computers and network to mine virtual currency is a bit like someone charging an electric car from a power outlet on your house. Yes, they are using your electricity without permission or reimbursement. However, they aren't stealing something of high value or threatening your life or livelihood. Still, this is something we probably want to know about and stop if we can.
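Knowing about it is straightforward when the miner talks to a pool in the clear. Added here as an example, not code from the original post: pool miners speak Stratum, a newline-delimited JSON-RPC protocol whose method names all start with `mining.`, so an inside host that sends `mining.subscribe` and `mining.authorize` and later `mining.submit` is running a miner, whether an employee installed it or a botnet did. The records below are constructed (documentation-range pool address); the approach only works on cleartext Stratum, and pools behind TLS need port or flow-shape heuristics instead.

```python
"""Spot Stratum mining traffic in network records.

Added example, not from the original post. Each record is a constructed
(src, dst, sport, dport, payload line) tuple as a sensor might reassemble it.
"""
import json
from collections import defaultdict

# Constructed records (documentation-range pool IP), not real traffic.
SAMPLE_RECORDS = [
    ("10.0.0.23", "203.0.113.50", 50213, 3333,
     '{"id": 1, "method": "mining.subscribe", "params": ["cgminer/4.9.0"]}'),
    ("203.0.113.50", "10.0.0.23", 3333, 50213,
     '{"id": 1, "result": [[["mining.notify", "ae6812eb"]], "08000002", 4], "error": null}'),
    ("10.0.0.23", "203.0.113.50", 50213, 3333,
     '{"id": 2, "method": "mining.authorize", "params": ["lab.worker1", "x"]}'),
    ("203.0.113.50", "10.0.0.23", 3333, 50213,
     '{"id": null, "method": "mining.set_difficulty", "params": [32]}'),
    ("10.0.0.23", "203.0.113.50", 50213, 3333,
     '{"id": 3, "method": "mining.submit", "params": ["lab.worker1", "b3", "00000001", "545a2e1c", "b2957c02"]}'),
    ("10.0.0.23", "203.0.113.50", 50213, 3333,
     '{"id": 4, "method": "mining.submit", "params": ["lab.worker1", "b3", "00000002", "545a2e1d", "0fa31e90"]}'),
    ("10.0.0.41", "198.51.100.8", 50300, 80, "GET /index.html HTTP/1.1"),      # noise: not JSON
    ("10.0.0.41", "198.51.100.8", 50301, 8080, '{"id": 7, "method": "rpc.ping"}'),  # JSON, not Stratum
]

# Methods the miner (client) sends; the rest (notify, set_difficulty) come from the pool.
CLIENT_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}


def summarize_mining(records):
    """Return {miner host: {pool, methods, submits}} for hosts that completed the
    Stratum subscribe/authorize handshake."""
    hosts = defaultdict(lambda: {"pool": None, "methods": set(), "submits": 0})
    for src, dst, sport, dport, payload in records:
        try:
            msg = json.loads(payload)
        except ValueError:
            continue  # not JSON, so not Stratum
        method = msg.get("method") if isinstance(msg, dict) else None
        if not isinstance(method, str) or not method.startswith("mining."):
            continue
        if method in CLIENT_METHODS:      # src is the miner, dst:dport the pool
            entry = hosts[src]
            entry["pool"] = f"{dst}:{dport}"
        else:                             # pool -> miner: dst is the miner
            entry = hosts[dst]
            entry["pool"] = entry["pool"] or f"{src}:{sport}"
        entry["methods"].add(method)
        if method == "mining.submit":
            entry["submits"] += 1
    # Require the real handshake, not a stray "mining.*" string in some other protocol.
    return {h: e for h, e in hosts.items()
            if {"mining.subscribe", "mining.authorize"} <= e["methods"]}


if __name__ == "__main__":
    for host, info in summarize_mining(SAMPLE_RECORDS).items():
        print(f'{host} -> pool {info["pool"]}, {info["submits"]} shares submitted')
```

The `submits` count is the useful number for the CISO conversation: it separates a miner that merely registered from one that is actually burning the organization's CPU and power, and it grows steadily for as long as the host is left alone.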

Read More »

Topics: Virtual Currency

Are We Secure?

Posted by Dain Perkins, Senior System Engineer, Vectra Networks on May 28, 2014 2:45:00 PM

Meaningful information security metrics seem to come in as many shapes and sizes as there are CISAs, CISMs, and CISSPs brave enough to weigh in on the subject. There are plenty of risk and security frameworks available to help guide a security team to a reasonable answer to nearly any question posed regarding the appropriate allocation of resources required to reduce a given business risk to a specific level.

Read More »

Topics: Targeted Attacks, Heartbleed

Responding to a Priority One Malware Attack

Posted by Jason Tesarz, System Engineer, Vectra Networks on May 7, 2014 9:00:00 AM

If you are an SE like me, then you have probably experienced a 'priority one' incident response with your customer. Things are on fire and you call in all the reinforcements you can. If you are an IT or security guy, then you have probably placed the call for help. Either way, you will understand.

Here's the customer scenario. It's fire drill time. Internet connectivity and applications are going down and everyone is panicking. Your organization has been either compromised by malware or you are being actively attacked. Now is the time that all of your security products need to be working, and working well.
Read More »

Topics: Malware Attacks

Heartbleed on the Inside

Posted by Oliver Tavakoli, CTO, Vectra Networks on May 1, 2014 5:00:00 PM

A lot has been said about the global impact of Heartbleed. First, we had all the descriptions of Heartbleed – my favorite one was on xkcd. Then we saw warnings that we would need to change our password on public websites. That was followed by a warning that, since the private keys of certificates could be retrieved by exploiting Heartbleed, we should change our passwords now, wait for Web sites to change their certificates and then change our passwords again.

What has received far less attention is the fact that many of our common enterprise products (e.g., routers, firewalls, web proxies) inside our infrastructure are also susceptible to Heartbleed. Bulletins from Cisco, Juniper Networks and Blue Coat indicate widespread use of OpenSSL, the software in which the Heartbleed bug exists, in these products. Even industrial control systems from companies like Siemens have this vulnerability, which Arik Hesseldahl wrote about recently on Re/code. And, unlike public-facing web sites, many of which have already been updated to fix the bug, the availability and deployment of patches for all your infrastructure systems hits you in unexpected ways: you will often need to upgrade to newer software versions than you are currently running, which means testing cycles before you can deploy them.

Read More »

Topics: Heartbleed

I'll Have Two BYOD and One Mobile, Hold the Malware Threats Please

Posted by Mike Banic, VP of Marketing on Apr 29, 2014 8:00:00 AM

While meeting with a customer last week, we looked through the detections report to see if some of the new algorithms we released had produced detections. I noticed the lines for all categories of detections dropped precipitously and then increased nearly as rapidly two days later. Nearly as fast as I pointed my finger at the screen, he said, "Yeah, that's the weekend."

It took 3 seconds for us both to say, "Laptops." If you ever wanted evidence that most malware is walked in the front door on mobile devices like laptops, tablets and smartphones, then this is the graph for you.
Read More »

Topics: BYOD, Targeted Attacks

Finding Signals in Security's White Noise

Posted by Mike Banic, VP of Marketing on Apr 22, 2014 12:30:00 PM

A customer recently shared her perspective on the growing security white noise, a term she uses for the increasingly high volume of alerts coming out of a defense-in-depth security stack. To punctuate her point, she pulled up a recent Wall Street Journal blog with an example from Gartner analyst Avivah Litan of a client who receives over 135,000 security alerts a day. As Avivah aptly stated, "It becomes like the car alarms going off in a parking lot – no one takes them seriously because generally there are too many false car alarms."

Looking back at the Bloomberg BusinessWeek coverage of the Target breach, the article focused on multiple security alerts of the malware used to initiate the attack. While these alerts were marked as high priority, it is easy to imagine that an enterprise the size of Target may have been receiving hundreds or thousands of security alerts of varying priority that created white noise.

Read More »

Topics: Targeted Attacks

Divining Attacker Intent

Posted by Oliver Tavakoli, CTO, Vectra Networks on Apr 16, 2014 5:51:00 PM

In talking to customers, I am frequently reminded of the fact that people's understanding of how malware is built and delivered hasn't kept up with the changing landscape over the past few years. While most people expect actual targeted attacks to evolve through multiple stages, much of the run-of-the-mill botnet malware no longer infects a system in a single stage either.

Much of this multi-stage malware starts off with a small dropper that only represents the initial stage of an exploit. We’ve seen small droppers come bundled in Microsoft Word documents, PDF files and spreadsheets attached to emails or be retrieved when browsers access URLs – whether the user clicks on a link embedded in an email or visits a compromised web site.
Read More »

Topics: Targeted Attacks, Malware Attacks

Security Report Season: what malware does versus what it is.

Posted by Oliver Tavakoli, CTO, Vectra Networks on Apr 2, 2014 9:47:00 AM

The first quarter of every year in the security business brings every imaginable retrospective of all the bad things that happened the prior year. This year is no different. As I read this year's crop of reports (this required several cups of coffee), I was struck by the fact that much of the focus continues to be on malware families, which I call "the race to win the naming game," and the number of zero-day threats found.

The naming game is always an interesting one. It leads to names like Kelihos (aka Hlux), ZeroAccess (aka Sirefef), Zeus (aka Zbot) and the usual rogues' gallery of malware. While the desire to name things is all too human (after all, it helps us communicate about complex things with very little effort), when you juxtapose the number of malware variants against the desire to name them all, you can see that we're facing an uphill battle.
Read More »

Topics: Malware Attacks

Does Your Security Architecture Adapt to Changing Threats?

Posted by Mike Banic, VP of Marketing on Mar 25, 2014 6:12:00 AM

Target, Neiman Marcus, Michaels. There’s no doubt that the retail sector is under attack, but prominent retailers are not alone. Criminals are targeting banks, healthcare providers, government agencies and even high schools—anyone with high-value data or a reputation to protect. Whether your business is big or small, chances are that hackers have already penetrated your network.

But what do you do?

A new Gartner report, “Designing an Adaptive Security Architecture for Protection from Advanced Attacks,” advises: “All organizations should now assume that they are in a state of continuous compromise.” The challenges outlined are the insufficiency of blocking and prevention capabilities to protect against motivated, advanced hackers.

Read More »

Topics: Targeted Attacks, Malware Attacks
