Firms Ally to Respond to Data Breaches

More companies than ever realize they’ve been breached, and many more than you might think have begun to put processes in place to respond to breaches.

A survey of 567 U.S. executives conducted by the Ponemon Institute and Experian found that 43% of organizations reported suffering at least one security incident, up from 10% in 2013. And 73% of the companies surveyed have data breach response plans in place, up from just 12% in 2013.

“Compared with last year’s study results, survey findings show encouraging signs that organizations are beginning to better prioritize data breach prevention, but more needs to be done,” says Larry Ponemon, namesake founder of Ponemon Institute.

Major data breaches have become a staple of news headlines. So it can’t be that companies are complacent. The problem seems to be that big organizations just can’t move quickly enough.

Home Depot was blind to intruders plundering customer data even as Target endured exposure and criticism for being similarly victimized just months before, possibly by the same gang.

In our connected world, it’s hard to keep pace. The Ponemon study found that 78% of companies do not account for changes in threats or for changes in their own internal processes.

Rise of threat intelligence

That’s where the trend toward correlating data from disparate threat sensors could begin to close the gap. It’s a promising sign that ultra-competitive security companies have begun to collaborate more on sharing and analyzing threat intelligence.

Boulder, Colo.-based security vendor LogRhythm, for instance, has formed an alliance with CrowdStrike, Norse, Symantec, ThreatStream and Webroot to share sensor data and compare notes on traffic that looks suspicious.

LogRhythm supplies a platform for culling and analyzing data from its partner vendors “to help identify threats in our customers’ IT environments more quickly, with fewer false positives and fewer false negatives,” says Matt Winter, LogRhythm’s vice president of corporate and business development.

Since announcing its Threat Intelligence Ecosystem last month, LogRhythm has received “considerable inbound interest from customers and channel partners,” Winter says. “Feedback has been very positive.”

Similar threat intelligence alliances, both formal and informal, are taking shape throughout the tech security world. The business model of Hexis Cyber Solutions, a year-old startup, relies on pooling threat sensor data from several security vendors, including antivirus giant Symantec and social media malware detection firm ZeroFOX.

Hexis applies analytics with the goal of accurately identifying – and automatically removing – clearly malicious programs.

“The state of the art today is a single-point security product triggering alerts on particular things and putting a warning on a screen,” says Chris Fedde, president of Hexis. “We’re all about analyzing alerts and taking action on them. Anything that’s malicious we go ahead and remove.”

In one recent pilot study, Hexis tracked 5,000 computing devices and 13,000 user accounts of a U.S. medical center for 30 days. Hexis intercepted 35,000 instances of suspicious outside contacts and removed 23 malicious files.

Those malicious files that got inside the medical center’s network included: Dirtjumper, a tool used to conduct denial of service attacks; Tsunami, malware used for spamming and data theft; a remote access tool (RAT) used to take full control of a compromised computer; and an adware Trojan.

There’s a long way to go. But alliances to share threat sensor information, like the ones being pioneered by LogRhythm, Hexis and many other security vendors, seem destined to take root.

Someday in the not too distant future, it may not matter if intruders get inside the network, if robust threat intelligence systems are poised to cut them off from doing damage.

Geopolitical Goals for Healthcare Hacking?

Did China orchestrate the massive hack of Anthem, the nation’s No. 2 healthcare insurer, to steal intellectual property it needs to jump-start a domestic healthcare system?

That’s one scenario being discussed by the security community and would fit the pattern of not just China, but other nations, stepping up cyber attacks to pursue geo-political goals.

CrowdStrike’s 2014 Global Threat Report details how China remains by far the most active nation conducting cyber espionage campaigns. Hot on China’s heels, in terms of executing concerted hacks for nationalistic gain, are Russia, Iran and North Korea, the nation President Obama blamed for the Sony Pictures hack.

“China is a giant vacuum cleaner for intelligence,” Adam Meyers, CrowdStrike’s vice president of intelligence, tells ThirdCertainty. “They’re targeting dozens and dozens of organizations, going after intellectual property and trade secrets.”

One particularly active Chinese hacking collective, dubbed Hurricane Panda, specializes in cracking the networks of Internet services, engineering and aerospace firms. Hurricane Panda uses “an arsenal of exploits” and has pioneered ways to slip into a network, then stealthily escalate privileges to roam deeper.

While some of the data stolen by nation state-backed hackers most likely gets sold for profit, these attackers exist primarily to pursue strategic goals — in China’s case to accelerate the development of domestic infrastructure to serve its massive population, which is rapidly becoming more Westernized.

CrowdStrike’s threat report follows news pointing to Chinese hackers, referred to as Deep Panda, as the culprits behind stealing healthcare personal information for 80 million Anthem plan members and employees.

CrowdStrike is not directly involved in the Anthem investigation. That said, Meyers tells ThirdCertainty that his firm has monitored Deep Panda targeting other healthcare organizations in the past.

China is dealing with a rising middle class for the first time in its history, he says. Smoking, drinking and poor eating habits are on the rise, and the associated medical conditions, all too familiar in the West, are sure to follow.

“They are dealing with diabetes, heart conditions and cancers at a large scale for the first time,” Meyers said. Rather than import healthcare services, China prefers to rapidly build a homegrown system and appears to be willing to steal intellectual property to do so.

“They want to be able to serve their own domestic market for heart splints, diagnostic equipment and the like,” Meyers says. Hacking healthcare organizations could give China “the ability to leapfrog the design, test and build phases.”

New attack model

While China may run the most focused cyber spying operation, smaller nations, like Iran and North Korea, are discovering how cyber attacks can tilt the balance in geo-political disputes against a much more powerful adversary, namely the U.S.

In response to economic sanctions imposed by the U.S. to stem Iran’s development of nuclear capability, Iran-backed hacking groups heavily targeted the financial sector in 2013, and in 2014 turned their focus to U.S. aerospace, defense and energy targets, CrowdStrike reports.

And North Korea appears to have derived a model that could stir smaller nations to develop cyber attack strategies to gain political leverage on the global stage. The Sony Pictures hack embarrassed a Fortune 100 company and compelled President Obama to chastise North Korea.

Cyber attacks have become a kind of twisted diplomacy. “It’s a viable way to coerce an adversary into doing something,” Meyers says. “I think we’re going to see this practice continue.”