
A Case for Security Prioritization in Retail

Posted by Tom Bain    Nov 20, 2015 4:54:41 PM

I was shopping with my daughter the other night for indoor soccer socks at a major sporting goods retailer here in Massachusetts. As we rolled up to the register with bright pink and purple options, I noticed something at checkout - the retailer was not ready for chip and pin credit cards.

As I swiped my chip and pin credit card, I got to thinking...there are cyber risks everywhere, during every transaction, before and after every transaction, at any store, any company, coffee shop, airplane, airport, organization you visit...but back to the example here. 


Topics: Cyber Security, APT, CounterTack, Breaches, Breach, retail data breach, data breach, EDR, chip and pin, retail security

The Students Have Become the Masters

Posted by Nate Buell    Nov 9, 2015 11:30:00 AM

Computer hacking has long been considered a young person’s game. Since the first hackers really got started in the early 1980s, the vision most people have in their head is a guy in his parents’ dingy basement, wearing some type of Marvel superhero tee shirt, surrounded by monitors and video game systems.

There is no doubt that this particular stereotype exists for a reason. On numerous occasions, attacks have been conducted by those basement dwellers. Movies like “War Games” and “Hackers” perpetuated the teen hacker mantra, possibly even inspiring the next generation of cyber attackers as computers and the internet began to hit their stride for personal and corporate use throughout the world. With so many different avenues to take now between social media, smartphones and susceptible corporations, teenage cyber criminals are thriving.


Topics: data breach, talktalk, hackers, teen hackers

Data Quality in Incident Response

Posted by Phil March    Nov 2, 2015 5:59:05 PM

One of the key elements contributing to the success of an IR operation is the quality of the data the IR team has access to. It is no surprise that organizations today already collect vast amounts of data. However, a high quantity does not always ensure success. In fact, sometimes the quality of the information is inversely proportional to the raw quantity of the data.

Just like the journalist chasing a news story, the IR analyst has to be able to answer the essential questions of “Who, What, When, Where, How and Why”. With the endpoint being the primary field of battle operation today, an organization that has prepared itself for a response to an attack should be able to help Incident Responders answer those essential questions.


Topics: data breach, endpoint security solutions, Incident Response

The Tall Tale of Endpoint Security: How Do We get from Nice-to-Have to Need-to-Have

Posted by Tom Bain    Jun 11, 2015 3:01:00 PM

After spending two days at the Gartner Security & Risk Summit in DC this week, a few very interesting topics stood out. (I’ll post more on specific talks from the events later)

First, as if RSA and InfoSec Europe weren’t enough to prove this, it’s clear that easily 50% of cybersecurity vendors are starting to tell an endpoint story - whether they can actually collect valuable, actionable system-level data or not, they are saying they can.


Topics: endpoint security, Gartner Security and Risk Management Summit 2015, threat detection and response

Attacker Lateral Movement: Visualize Infiltration and Treat as Behaviors

Posted by Nenad Kreculj    Jun 8, 2015 4:45:54 PM

In the game of whack-a-mole, the player’s objective is to hit a target that keeps popping up in different places. It’s a fun game that exercises one’s reflexes and motor skills.

Unfortunately, similar games are played every day in security operation centers across many organizations, irrespective of their size (which is not fun). What makes it hard for the incident responders is the movement of the adversary – hopping from one endpoint to another, from one workstation to another. This is called lateral movement. There are many reasons why attackers move laterally – they do so to establish another persistence point in the network (the so-called “beachhead”), to steal data from a server, and sometimes to prepare the workstation for the next phase of attack (network enumeration or credentials stealing, for example).


Topics: endpoint security, endpoint security solutions

Five Hard Truths About Critical Infrastructure Protection: Truth 5

Posted by Tom Bain    Jun 1, 2015 10:13:00 AM

In last week’s blog, we walked through the various reasons why it’s important for critical infrastructure providers to develop and implement cybersecurity countermeasures tailored to the specific needs of physical and digital infrastructure. 

Truth #5: Most critical infrastructure providers lack the tools, skills and mindset to deal with cyberattacks and APTs 


Topics: Critical Infrastructure

The Thin Line Between the Insider and the Outsider

Posted by Nenad Kreculj    May 18, 2015 10:57:17 AM

Two very recent defining events are helping the industry see the bigger picture of the state of cybersecurity: the Verizon Business’ DBIR report and the RSA conference. Both the report and the conference reinforce the fact that cybersecurity has now reached boardroom level.

This year, yet again, one common denominator between the two was the message that organizations now do understand that being attacked is not a matter of “if” but “when”. That awakening is good news.


Topics: endpoint security, RSA Conference 2015, Verizon DBIR Report

Detecting and Remediating Against File Distribution Attacks

Posted by Kirby Kuehl    May 5, 2015 3:23:54 PM

Enterprise teams vary, to some degree, in how they “see” attacks. There is often incongruence between what events they can detect, what their intelligence means, and the potential impact of an attack.

At CounterTack, we are developing new technologies to help customers better detect and understand their threat tolerance. We are innovating methods to help customers improve security response by contextualizing threat impact into actionable intelligence.


Topics: cybersecurity, Sentinel, CounterTack, EDR, endpoint detection and response, Shamoon, file distribution attacks, Kirby Kuehl, cyber attacks

Five Hard Truths About Critical Infrastructure Protection: Truth 4

Posted by Tom Bain    May 1, 2015 10:12:00 AM

In last week’s blog, we discussed why it’s important for critical infrastructure providers to recognize that by solely deploying preventative solutions, they are actually setting themselves up for failure. Cost-effective, scalable, post-intrusion detection solutions will help strengthen overall security strategy through proactive measures. 

Truth #4: Most critical infrastructure providers don’t know what digital vulnerabilities they have, where to find them or how to fix them 

Each critical infrastructure provider must develop and implement cybersecurity countermeasures tailored to its specific physical and digital infrastructure. This is hugely unfamiliar territory for most providers, who have relied on their equipment vendors to handle both ICS/SCADA and IT security. 

Unfortunately, neither traditional critical infrastructure vendors nor IT security vendors are fully equipped to counter the unique hybrid threat of cyber-enabled critical infrastructure attacks: The former aren’t schooled in IT security, while the latter aren’t used to protecting non-IT physical assets. Even worse, sometimes ICS/SCADA vendors don’t reveal vulnerabilities or even purposely install capabilities – such as unremovable backdoors – that attackers could easily co-opt. 

Scared they might overlook dangerous threats already on their systems, providers are reaching out to private forensic analysis companies and government authorities for help. A key, trusted government component is the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the Control Systems Security Program (CSSP) at the U.S. Department of Homeland Security (DHS). ICS-CERT specializes in forensic incident response and vulnerability assessment throughout the critical infrastructure spectrum, from sectors as a whole to individual owners and operators.

ICS-CERT’s June 2012 Incident Response Summary Report stated that the organization fielded nine incident reports in 2009, 41 in 2010 and 198 in 2011 – a 2,100-percent increase in only two years. Most incidents were not actual attacks, but of the 17 incidents that warranted on-site assessments: 


Topics: Critical Infrastructure

The Next Generation Endpoint Is Truly Here

Posted by Tom Bain    Apr 27, 2015 10:09:00 PM

The RSA Conference was an interesting experience, particularly for those in the endpoint security market, or those attempting to break into this emerging market. It seems everyone at this point has some type of endpoint play, regardless of their technology heritage, or prior security focus.

It was at the America’s Growth Capital conference, a simultaneous gathering of investors and security types, that perhaps one of the more interesting panels took place, albeit the final panel session of the day. With 1 billion endpoints in need of help, it’s clear this is the hottest market across the broadening security industry.


Topics: Cyber Attack, APT, cybersecurity, Tom Bain, Sentinel, endpoint security, CounterTack, Breaches, Zero-day Attack, Neal Creighton, data breach, Big Data Security, EDR, Big Data EDR, RSA Conference 2015, endpoint detection and response, AGC

Blog covers topics related to detecting and monitoring in-progress cyber attacks for IT security operations teams.
