Kelly Sheridan

Fileless attacks, easier to conduct and more effective than traditional malware-based threats, pose a growing challenge to enterprise targets.

Cybercriminals take the path of least resistance — which is why more of them are adopting fileless attacks to target their victims. The threat is poised to grow as attackers recognize the ease of this method and more employees rely on mobile and cloud to do their jobs.

Fileless, or non-malware, attacks let threat actors skip the steps involved with traditional malware-based attacks. They don’t need to create payloads; they can simply use trusted programs to exploit in-memory access. In 2017, fileless malware attacks leveraging PowerShell or Windows Management Instrumentation tools made up 52% of all attacks for the year.

Yet businesses still aren’t paying attention.

“Our focus in this industry is still on traditional attack vectors we’ve been dealing with for most of our careers,” says Heath Renfrow, CISO at Leo Cyber Security.

It’s time for businesses to take a closer look at how these threats work, how they can be detected, why they’re predicted to grow, and the steps they can take to protect themselves.

The Evolution of Modern Fileless Attacks

Fileless attacks are not new, but they have changed over time, says BluVector CEO Kris Lovejoy.

“What’s different about today is not the fact of fileless — both Code Red and Slammer used this — it’s the fact that the bulk of the attack chain, the steps of the attack, are all fileless,” she says. “If they do involve a payload it often looks legitimate and therefore, it’s very hard to detect.”

The growth of fileless malware attacks can be attributed to ease of use and improved tools for endpoint detection and response (EDR), says Adlumin CEO Robert Johnston, who led the investigation into the DNC hack during his previous role as a CrowdStrike consultant.

“Within a network, what’s breaking the backs of organizations is the theft of usernames and passwords,” he explains. “It’s not the malware that’s doing the trick.”

Threat actors use domain accounts and IP administrator passwords to traverse around target networks and steal information. Their activity takes multiple forms; for example, it’s oftentimes more valuable to access someone’s Office 365 or Amazon Web Services login, Johnston says.

All attackers have to break in somehow, meaning credential theft is the first step to an attack. Local admin credentials are always the first to go because nobody pays much attention to them and they’re not tied to a specific person, Johnston explains. This is generally the norm because it makes administration easier. Service account credentials are also vulnerable. Once they have system access, attackers use privilege escalation techniques to increase their capabilities.

Why You’re Vulnerable

Organizations fail to understand the complexity of their IT environments, a shortcoming that makes them vulnerable when they can’t monitor their full ecosystem. Many are “drowning in data” and are unable to bring account and user activity into a single place for analysis.

“If they can’t track it, they can’t understand which accounts have access to what,” Johnston explains. “They have no way to visualize, and no way to track and scale, all of these different identities that don’t always line up to a human.”

The challenge escalates when employees don’t adopt basic security practices. Lovejoy points out that phishing attacks are a popular means of delivering attacks and obtaining credentials.

Hackers are targeting workers personally and going after login credentials for Amazon, Gmail, PayPal, and other common services, says Arun Buduri, cofounder and chief product officer at Pixm. They know people use the same usernames and passwords across services.

“What hackers are doing is trying to get into personal accounts, and using that to get into corporate,” Buduri explains. Many threat actors target low-level employees with the idea that once they’re in, they can monitor email activity to learn the addresses of high-ranking workers.

Poised to Grow

Renfrow says fileless attacks will grow as workers are increasingly mobile and reliant on cloud. Teleworking “significantly increases the risk to the infrastructure,” he notes. As the CISO at United States Army Medicine, a position he held until November 2017, Renfrow says anyone who brought a device in from the field had to undergo a new image and scanning before logging back into the local network.

Mobile devices have become especially prominent in healthcare, he notes, and cloud has grown across industries. “Think about a cloud environment,” he says. “How much insight does a CISO have into who’s logging in and where?” Most people assume the cloud is safe, but Renfrow points out that the cloud contains a lot of credentials that have fallen out of use and should have been decommissioned — legitimate creds within attackers’ reach.

While financially motivated attackers will always be out there, Lovejoy anticipates more threats will aim to cause damage. “The sad reality is we’re seeing an increase in the number of destructive attacks that are being leveraged,” she points out.

What Can You Do About It?

Protecting against phishing starts with employee education. “Trick them, test them, teach them,” says Lovejoy. “The goal is to immunize enough people so the disease can’t take hold.” Employees should also have a means to report activity they feel is suspicious.

“Always enact the policy ‘If you see something, say something,'” she adds.

On top of this, businesses should take a close look at activity in their ecosystems.

“One thing we did in Army Med was bring in a toolset to map out all of the credentials across our infrastructure,” says Renfrow. “It was eye-opening … we had more credentials running through our infrastructure than we had people.”

After evaluating this, the team dug into the who, what, where, and how of what these credentials were doing. Anything outside the normal login location would trigger an alert. Given the massive size of Army Medicine’s infrastructure, he says automation was necessary for this.

He advises organizations to go back to the “old-school” method of looking at their traditional identity and access management. From there, if they’re mature enough, they can consider toolsets designed to automate access management to learn the who, how, where, and what of network logins.

“I think it would be eye-opening for any organization,” Renfrow says.

FBI Software For Analyzing Fingerprints Contains Russian-Made Code, Whistleblowers Say

In a secret deal, a French company purchased code from a Kremlin-connected firm, incorporated it into its own software, and hid its existence from the FBI, according to documents and two whistleblowers. The allegations raise concerns that Russian hackers could compromise law enforcement computer systems.

Posted on 

BuzzFeed News; Getty Images

The fingerprint-analysis software used by the FBI and more than 18,000 other US law enforcement agencies contains code created by a Russian firm with close ties to the Kremlin, according to documents and two whistleblowers. The allegations raise concerns that Russian hackers could gain backdoor access to sensitive biometric information on millions of Americans, or even compromise wider national security and law enforcement computer systems.

The Russian code was inserted into the fingerprint-analysis software by a French company, said the two whistleblowers, who are former employees of that company. The firm — then a subsidiary of the massive Paris-based conglomerate Safran — deliberately concealed from the FBI the fact that it had purchased the Russian code in a secret deal, they said.

In recent years, Russian hackers have gained access to everything from the Democratic National Committee’s email servers to the systems of nuclear power companies to the unclassified computers of the Joint Chiefs of Staff, according to US authorities.

The headquarters of the Russian cybersecurity company Kaspersky Lab.

Sergei Savostyanov / Sergei Savostyanov/TASS

The headquarters of the Russian cybersecurity company Kaspersky Lab.

This September, the Department of Homeland Security ordered all federal agencies to stop using products made by the Moscow-based company Kaspersky Lab, including its popular antivirus software, and media outlets reportedthat Russian hackers had exploited it to steal sensitive information on US intelligence programs. The department later clarified that the order didn’t apply to “Kaspersky code embedded in the products of other companies.” The company’s founder, Eugene V. Kaspersky, has denied any involvement in or knowledge of the hack.

The Russian company whose code ended up in the FBI’s fingerprint-analysis software has Kremlin connections that should raise similar national security concerns, said the whistleblowers, both French nationals who worked in Russia. The Russian company, Papillon AO, boasts in its own publications about its close cooperation with various Russian ministries as well as the Federal Security Service — the intelligence agency known as the FSB that is a successor of the Soviet-era KGB and has been implicated in other hacks of US targets.

“The fact that there were connections to the FSB would make me nervous to use this software.”

Cybersecurity experts said the danger of using the Russian-made code couldn’t be assessed without examining the code itself. But “the fact that there were connections to the FSB would make me nervous to use this software,” said Tim Evans, who worked as director of operational policy for the National Security Agency’s elite cyberintelligence unit known as Tailored Access Operations and now helps run the cybersecurity firm Adlumin.

The FBI’s overhaul of its fingerprint-recognition technology, unveiled in 2011, was part of a larger initiative known as Next Generation Identification to expand the bureau’s use of biometrics, including face- and iris-recognition technology. The TSA also relies on the FBI fingerprint database.

In hopes of winning the FBI contract, the Safran subsidiary Sagem Sécurité, later renamedMorpho, licensed the Papillon technology to boost the performance of its own fingerprint-recognition software, the whistleblowers said. Both of them worked for Morpho: Philippe Desbois was the former CEO of the company’s operations in Russia, and Georges Hala worked for Morpho’s business development team in Russia.

Sagem presented a new biometric passport in 2007.

Jean-Paul Ney / Getty Images

Sagem presented a new biometric passport in 2007.

BuzzFeed News reviewed an unsigned copy of the licensing agreement between the French and Russian companies, which both men said they had obtained while working for Morpho; it is dated July 2, 2008 — a year before the company beat out some of the world’s largest biometric firms, including an American competitor, to secure the FBI business. It grants Sagem Sécurité the right to incorporate the Papillon code into the French company’s software and to sell the finished product as its own technology. It also stipulates that Papillon would provide updates and improvements during the five-year period that ended on the last day of 2013. In return, Sagem Sécurité agreed to pay an initial fee of roughly 3.8 million euros — equivalent to almost $6 million at the time — plus annual fees.

Got a tip? You can email To learn how to reach us securely, go to

The contract, which is also referenced in court documents, says that to Papillon’s knowledge its software does not contain any “undisclosed ‘back door,’ ‘time bomb,’ ‘drop dead,’ or other software routine designed to disable the software automatically with the passage of time or under the positive control of any person” or any “virus, ‘Trojan horse,’ ‘worm,’ or other software routines or hardware components designed to permit unauthorized access, to disable, erase, or otherwise harm the software, hardware, or data.”

The contract reviewed by BuzzFeed News also contains a section titled “Publicity” that says, “The parties agree to keep strictly confidential and not to disclose by any means to any third party the existence and the contents of this Agreement.”

Desbois — who has filed a whistleblower lawsuit in US federal court accusing Safran of fraudulently collecting about $1 billion from federal, state, and local agencies — said at least three high-level company officials stressed to him on multiple occasions that the existence of the agreement needed to remain a closely held secret. Disclosure, he said he was told, might jeopardize contracts in the US market, which the company coveted.

“They told me, ‘We will have big problems if the FBI is aware about the origin of the algorithm.’”

“They told me, ‘We will have big problems if the FBI is aware about the origin of the algorithm,’” he recalled

Neither Desbois nor Hala was personally involved in the integration of Papillon code into the French company’s products or the sale of the software to the FBI, but both said they had conversations with engineers who did work on the integration. Desbois said multiple company officials told him that the technology sold to the FBI contained the Papillon algorithm.

“You know the word omertà?” Desbois said, referencing the Mafia code of silence made famous by the movie The Godfather. “It was always the intonation like we have done something bad that is a secret between us and that we should not repeat it to anybody.”

Sagem demonstrated a new biometric passport in 2007.

Jean-Paul Ney / Getty Images

Sagem demonstrated a new biometric passport in 2007.

“Deep collaboration”

In promotional material and on its website, Papillon boasts of its work with Russia’s Ministry of Internal Affairs, which oversees police and immigration agencies, among others, and is run by a longtime police official who was appointed to the post in 2012 by President Vladimir Putin. The products that Papillon sells “are created with the instructional assistance” of the ministry, and the company is “closely cooperating with the Ministry of the Interior, Ministry of Defense and Ministry of Justice of Russia,” according to company publications. A Russian government website says that the Internal Affairs Ministry “renders methodic assistance” to Papillon.

“Papillon is not an independent company,” said Hala, one of the whistleblowers. “Papillon was an emanation of the Internal Affairs Ministry, so Papillon was always under the control of the ministry.”

Papillon’s deputy director for marketing, Ivan Shapshal, disputed that. “We are fully a private company,” he said. “Do we do special tasks for the intelligence agencies of Russia? No, there is no reason for us to do this. It is just a risk. It does not help us make money.”

Among the Russian agencies that use the company’s fingerprint-recognition technology is the FSB. “Year by year,” one Papillon publication says, “the company expands its cooperation with” the FSB, as well as Russian agencies in charge of immigration, customs, and drug control. Other clients include the governments of Turkey, Kazakhstan, Serbia, and Albania.

“We will be happy to be close to any security agency in the world for money.”

Shapshal said his company’s fingerprint-recognition technology helps Russian police solve roughly 100,000 cases per year. “If our software can help police solve more crimes, we are happy to be ‘very close’ to them, as you say,” he said. “We will be happy to be close to any security agency in the world for money.”

Papillon’s founder and director is Pavel Zaitsev, who worked as an engineer and programmer at Russian military installations from 1985 to 1991, according to a biography published with an article he wrote for a trade publication. Many of the company’s staffers, a Russian government website says, “gained experience working at the plants of Military-Industrial Establishment in Miass” — the city in the Ural Mountains where the company later established its headquarters.

Hala said there was “deep collaboration” between Papillon and the FSB. “It’s not a secret,” he said. Hala said he attended multiple meetings involving Russian government officials and Papillon executives in which FSB officials expressed strong support for Papillon and “controlled absolutely the discussion.”

The Internal Affairs Ministry, the FSB, and the Russian Embassy in Washington, DC, did not respond to requests for comment.

Neither the FBI nor any of the companies involved denied directly that the fingerprint software used by the bureau contains Russian code.

The FBI declined to answer repeated questions about the software but said in a statement, “As is typical for all commercial software that we operate, appropriate security reviews were completed prior to operational deployment.”

Safran declined to respond to questions about its actions as owner of the subsidiary that provided the software to the FBI, noting that it has since sold that subsidiary. But in legal filings, Safran has not denied the existence of the contract to license the Russian code, instead arguing that the allegations of fraudulent sales were not specific enough and that the company was not legally responsible for the actions of its subsidiary.Safran sold the subsidiary this year to a US private-equity firm, which renamed the company Idemia. An Idemia spokesperson said the fingerprint-recognition technology was “almost entirely developed and manufactured in France or in the United States” but that two software components contained source code developed “by other companies.”

The spokesperson, Céline Stierlé, refused to name those companies.

“We don’t comment on such things because we cannot confirm or deny.”

More broadly, she said the whistleblowers’ claims “are old allegations that are not supported by facts and that have been rejected by federal and state authorities and by the courts,” referring to the lawsuit filed by Desbois, one of the former employees who spoke with BuzzFeed News.

This year, a federal judge dismissed the case but did not evaluate the merits of most of the allegations. Instead, the judge focused on technical issues, finding that the suit hadn’t alleged enough specifics about, for example, when and how fraudulent claims for payment may have been submitted to the government. Also, the judge wrote, any false claims would have been submitted by a subsidiary that was not named as a defendant in the case — and the parent companies that were named couldn’t necessarily be held legally responsible. The case is on appeal.

As for the Russian company, Papillon, executive Shapshal responded to a question about the contract giving the French company rights to its code by saying, “We don’t comment on such things because we cannot confirm or deny.”

But he insisted that the company’s code did not include any vulnerabilities, saying that if anyone were to check “then you will see there is no back door.”

A Safran Group building in France.

Regis Duvignau / Reuters

A Safran Group building in France.

“Weigh carefully the risks”

As the FBI evaluated the companies vying to provide the fingerprint-recognition software in 2009, the possibility that the contract might go to a company subject to influence by a foreign government, even an ally, unsettled some members of Congress. The part-ownership of Safran by the French government prompted a letter to then-FBI director Robert Mueller from former Rep. John Kline of Minnesota, a Republican member of the House Intelligence Committee.

“Allowing a foreign government to provide services regarding sensitive information to our law enforcement and intelligence communities could potentially pose a grave counterintelligence threat to the US government,” Kline wrote. “I urge the FBI to assess whether any domestic companies are capable of this work and weigh carefully the risks versus the benefits of granting a foreign government access to this sensitive data.”

“Allowing a foreign government to provide services regarding sensitive information to our law enforcement and intelligence communities could potentially pose a grave counterintelligence threat.

An FBI spokesman at the time said that the bureau “assesses all risks and vulnerabilities associated with any foreign influence or security concerns for vendors under consideration for contracts, including subcontracts, with the FBI.”

Later that year, the FBI and Lockheed Martin — the primary contractor in charge of incorporating various vendors’ products into the bureau’s system — announced the selection of a Morpho subsidiary, MorphoTrak. Among the competitors not chosen was the US company Cogent Systems.

A Lockheed Martin spokesman refused to discuss the contracting process and said the company had divested its unit responsible for the FBI program. A representative for Leidos, which is now the project’s primary contractor, declined to comment.

Desbois’s whistleblower lawsuit alleges that a US-based MorphoTrak engineer named Frank Barret was aware of the Papillon deal and led a team that helped prepare the software for use by the FBI. On the front step of his home in California, Barret refused to read and respond to the allegations in the complaint but said, “Everything I’ve said to the investigators, everything I’ve said in this trial, is true.” Asked to clarify, he closed his front door. When BuzzFeed News followed up the next day, Barret threatened to call the police.

Both Desbois and Hala said they discovered the existence of the agreement licensing the Russian company’s code after they questioned their bosses’ instructions not to compete with Papillon for certain contracts. It was then, they said, that company officials explained that the two companies had an unwritten agreement not to encroach on each other’s business in certain countries — an arrangement that violates antitrust laws, the whistleblower claim alleges. Desbois and Hala said that they obtained a copy of the licensing agreement because they wanted to see for themselves whether it spelled out the terms of the noncompete pact; it did not.

Papillon executive Shapshal declined to comment on the antitrust allegations. Idemia spokesperson Stierlé said that “this allegation, like the others, was part of the litigation” and that “it too was found to be deficient and lacking in even the most basic level of detail and was rejected by the court.” The judge found that the whistleblower suit did not provide specifics on who falsely certified to the US government that the company hadn’t violated antitrust laws, or when and how this had occurred.

Desbois’s whistleblower lawsuit accuses Safran of defrauding the US government out of about $1 billion, and if the suit is successful he stands to collect millions. Hala is not involved in the case. Both Desbois and Hala said they left Morpho voluntarily and on good terms.

Inside the FBI's background check center.

The Washington Post / Getty Images

Inside the FBI’s background check center.

 The federal government so far has declined to intervene in the lawsuit, as it has the option to do in whistleblower suits alleging fraudulent claims for payment. In court filings, however, Justice Department lawyers noted that this wasn’t necessarily an indication that the case lacked merit, and they preserved their right to step in later. The complaint also accuses the defendants of misrepresenting the fingerprint technology in sales to the government of California; lawyers for the state also have declined to intervene.

The FBI contract is now a centerpiece in much of MorphoTrak’s marketing material. In 2011, the FBI said the new fingerprint-recognition software significantly increased both the speed and accuracy of matches, boosting the latter from 92% to more than 99.6%.

“In terms of prestige, to be able to say ‘My technology is used by the FBI,’ it really helps with sales.”

“In terms of prestige, to be able to say ‘My technology is used by the FBI,’ it really helps with sales,” said former employee Stephane Guichard, who led a US-based team that implemented and maintained the fingerprint-matching software for state and local agencies that had purchased it but was not involved in the software’s development or the FBI contract.

Guichard and two other former MorphoTrak employees who worked on government contracts in the US said they didn’t know about the licensing agreement with Papillon, and they expressed surprise that their former employer would use Russian technology. “Personally, it would have concerned me a little bit,” said Phillip Moore, who worked as an account manager and sales manager. It would have raised “basic trust issues with what they would supply us,” he said.

By the end of 2013, as the final stage of the FBI project phase-in became operational, Morpho reported that the US market accounted for more than a third of its roughly $2 billion in revenues.

Safran recently announced that it planned to refocus solely on aerospace and defense, and, earlier this year, it sold Morpho, which had recently been renamed Safran Identity & Security, to the US private-equity firm Advent International, with the French government investment bank Bpifrance also taking a stake. The reported price was about $2.5 billion.

The company, now named Idemia, has provided fingerprint-recognition software to the Department of Defense and agencies in 28 states and 36 cities or counties across the US — from the Orange County Sheriff’s Department to the New York Police Department. Through its subsidiaries, Idemia is a powerful lobbying force in Washington, and it is currently fighting to kill legislation that would endanger its status as the sole provider of fingerprint services for the TSA PreCheck program. ●

Chris Hamby is an investigative reporter for BuzzFeed News and is based in Washington, D.C. He won the 2014 Pulitzer Prize for Investigative Reporting and was a finalist for the 2017 Pulitzer Prize for International Reporting.

Contact Chris Hamby at

Got a confidential tip? Submit it here.

Identity Based Attacks – Insights on the DNC Hack

Why do corporate breaches continue to succeed? Corporate breaches continue to succeed because attackers are able to steal the legitimate identities of your employees and use those identities to attack your infrastructure. Far deadlier than malware based attacks, identity based attacks can go undetected for months or years because perpetrators impersonate the methods used by your various privileged accounts as if they were that user. Attackers have changed their methods from the now outdated malware based attacks to the evolved identity based attacks. Learn how analytics, deception, and data streams are saving the security industry, or would have at least saved the Democratic National Committee.

BY Tishin Donkersley

According to a recent survey by Norton, 94 percent of users on the internet think they can spot phishing emails. Unfortunately, they couldn’t be more wrong.

The fact is that hackers are becoming savvier when it comes to finding personal information and tricking not only you, but your friends into providing more.

Jere L. Simpson, CEO and founder of Arlington-based KITEWIRE said these days hackers are using social engineering to nab your personal information and use it for mining information, gaining account access and blackmail.

“Social engineering is the easiest method to breach accounts. Your best friend, date of birth and mother’s maiden name are extremely easy to find on Facebook. Criminals will duplicate one of your friend’s accounts using the same photo and private message you that they created two accounts for business and friends in order to gain access to your information.” Jere said.

Once cyber criminals gather enough information about a person/owner of a company, then they go to work in figuring out details to breach the network.

Colonel Timothy Evans (Ret), cofounder and vice president of strategy of Arlington-based Adlumin said, “Health care data is the most valuable because it provides enough information for an intruder to apply for credit, loans, etc. without the individual even knowing that someone else has applied for credit in their name.


“Once the intruder steals legitimate credentials, they can move freely throughout the network without setting off any alerts. Their next task is to escalate their privileges to administrator so they can move about the network freely.”

Then you’re really screwed.

For a small startup or business owner, dishing out tons of cash for a high performing network server and IT consultant isn’t a reality when you’re bootstrapping. However, our cyber experts have some advice and inexpensive ways to protect your data from potential threats.

Let’s Start With the Facebook Feed

Taking photos at work to show off the team, work environment or the latest coffee machine is great, but you need to consider what is in the background of your photos, and if are you unintentionally posting personal or confidential information.

“Be extremely careful what information is put on social media. Look for information that is in the background of photos like screen or paper information. Latergram as many photos as you can instead of posting them in the moment,” Jere said.

Don’t Open The Flood Gates

Reducing the number of people who have administrative access to files, a network, etc. can decrease chances for a breach.

“Probably the key for a small company is to limit the user’s authority on its network to conducting activities that a general user should do. In other words, do not make everyone on the network an administrator, they do not need that authority,” Timothy said.

It’s also a good idea to have monitor logs to understand who is accessing certain files and online tools.

“Ensure that your users are doing what their logs say they are doing. If the system says that you used a USB drive to download gigabytes of information, the follow-up question is, did you do that. There are free tools that you can use to check your own logs to ensure that the actions that are being taken on your network. At a minimum, a small company should audit the company’s privileged access users to ensure that their activities are in line with their duties and actual activities,” Timothy said.

instagram social media, facebook

Newbie Doesn’t Get the Keys to the Kingdom

While founders want to trust that every tech employee is honest, Jere said it’s not a bad idea to gradually ease them into full access of the network. Most importantly, change your network password often enough to avoid any potential problems.

“Don’t give every new tech SaaS access to your calendar, email, contacts, drive, location etc. Also, use a formula for your passwords so that each password is unique and you can always figure it out…and never write it down.” Jere said.

Yes, You Must Change the Passwords

Changing your passwords is the oldest, yet most important, advice any cyber expert can offer you, because it works, so do it. Also, our experts want you and your employees to stop sending your username and password over the network, email or communication tools like Slack.

“If you need to give someone a username and password, don’t send both over the same communication,” Jere said. “Calling on the phone or video chat is often the most secure method.”

Did I mention changing the password? Timothy recommends conducting privileged account password resets every 30 days. Seriously.

Employees Can Be Your Superheroes

Your employees can be the first line of defense when it comes to thwarting cyber attacks. Take time to educate them on what to look for if faced with a potential threat.

“Be very unified as a small company that no employee will click on an email link or document received without being sure that the document or link is from a known vendor, partner, or trusted party. This takes a lot of discipline, however, it is the absolute best method to prevent an attack,” Timothy said.


“Talk with your employees and let them know that simple carelessness could result in putting a company out of business.  Breaches of customer data or credit card information will result in damage to the company’s name at a very minimum.”

Adlumin is please to announce that it will be bringing its Adlumin Platform User & Entity Behavior Analytics (UEBA) technology to the NH-ISAC Spring Summit in Orlando at the Disney World Dolphin Hotel.

Adlumin is revolutionizing the way corporations secure sensitive data and intellectual property while achieving their compliance objectives. These tenants of business are routinely under attack by insider and outsider threats using rogue accounts, credential theft, and identity-based attacks to subvert defenses, damaging reputation and the bottom line. Organizations simply can’t wait weeks to get the answers. Adlumin offers real time detection and flexible options.

Adlumin provides real time visibility and analysis into every identity within the enterprise — even across the largest networks — using machine learning and industry expertise from the world’s finest investigators and the U.S. Intelligence Community. Furthermore, using confirmation technology, Adlumin goes beyond detection and is capable of confirming anomalies as malicious.

Adlumin significantly reduces PCI / HIPAA compliance costs, satisfies multiple NIST / SANS (CIS) critical security control requirements, and enhances your privileged account access management strategy. To see Adlumin in action, visit, call (571) 334-4777 or email

Tim Evans will be speaking at the 2017 Insider Threat Summit Conference in Monterey California.

Agenda Item:  Bob Palmer, VP, Solutions and Innovation at SAPNS2 with Timothy Evans, J.D., LL.M. Co-Founder & Vice President Strategy at Adlumin

Time: 4:00 to 4:45 p.m.

Day: Wednesday 29 March 2017

KNOXVILLE, Tenn. – Sword & Shield Enterprise Security, Inc. is pleased to announce the addition of Adlumin, Inc. as a NASA SEWP V sales agent providing a User & Entity Behavior Analytics (UEBA) platform as a part of Sword & Shield’s Government Wide Acquisition Contract (GWAC).

Sword & Shield, as a NASA Solutions for Enterprise-Wide Procurement (SEWP) V prime contract holder, allows companies to act as sales agents to expand its capabilities in providing IT and IT security products and solutions to federal agencies. Sword & Shield Federal, a division of Sword & Shield Enterprise Security, administers the sales agent program in addition to providing a variety of federal cybersecurity solutions.

“Cyber threats are real,” Sword & Shield Federal Vice President Raymond Kahre said. “We hear all too frequently about agencies being breached or threatened by hackers. Adlumin has proven to be a very capable partner in providing real-time visibility of every user account and endpoint to detect, monitor, prioritize and defend your network. We are excited to have them as part of portfolio.”

Adlumin’s Platform was developed as a direct result of the Adlumin team’s experience in investigating the intrusions against the Office of Personnel Management, Pentagon Joint Chiefs of Staff, the attacks against the Democratic National Committee, and many others.

The Adlumin team’s years of experience within the Intelligence Community will now directly protect the entire federal government against the sophisticated adversaries it faces.

“Sword & Shield’s years of experience in working directly with the federal government under the NASA SEWP V and NITAAC contracts will allow Adlumin to get its revolutionary technology to the right federal customers today, by-passing the years of time it would have taken to go through the normal GSA procurement chain,” said Adlumin Co-Founder and Vice President of Strategy Timothy Evans.

SEWP V is a multi-award GWAC vehicle focused on commercial IT products and product-based services. The 145 pre-competed contract holders offer a wide range of commercial technology solutions, including tablets, desktops and servers; IT peripherals; network equipment; storage systems; security tools; software products; cloud-based services; telecommunications; health IT; sensors; video conferencing systems and other IT, communications and audio-visual products.

Products-based services such as installation, training, maintenance and warranty and a full-range of product-based services are also available through SEWP V.

About Sword & Shield Enterprise Security 

Protecting critical data for 20 years, Sword & Shield Enterprise Security, Inc. is a nationally recognized cybersecurity provider with solutions designed to meet the needs of a dynamic security and compliance landscape. Headquartered in Knoxville, Tennessee, Sword & Shield specializes in security, risk and compliance assessment, managed security services, enterprise security consulting, security incident response and forensics, and technical solutions. Sword & Shield services a broad spectrum of industries, including healthcare, retail, legal, banking and finance, manufacturing, and the public sector.

Sword & Shield Federal is a division of Sword & Shield Enterprise Security, Inc. The federal division holds two government contracts to provide technology solutions to federal agencies. Sword & Shield Federal blends an active and engaged community of partners and our own core cybersecurity intelligence to offer our customers the right solutions to combat emerging threats.

In 2016, Sword & Shield hosted the inaugural Edge Security Conference, EDGE2016, a world-class cybersecurity conference where complex business problems meet real world solutions. The second annual Edge Security Conference, EDGE2017, will take place on Oct. 17-18, 2017 at the Knoxville Convention Center. Early registration is available now through March 31, 2017. To learn more about EDGE2017 and to sign up, visit

For more information about Sword & Shield Federal visit

About Adlumin Inc.

Adlumin provides real time visibility and analysis into every identity within the enterprise — even across the largest networks — using machine learning and industry expertise from the world’s finest investigators and the U.S. Intelligence Community.   Adlumin developed the Adlumin platform that analyzes behavior over time to flag unusual activity that could indicate illicit activity on a network.

Furthermore, using confirmation technology, Adlumin goes beyond detection and is capable of confirming anomalies as malicious.  Adlumin significantly reduces HIPAA compliance costs, satisfies multiple NIST / SANS (CIS) critical security control requirements, and enhances privileged account access management strategy.

The Adlumin team includes Founder and CEO Robert Johnston and Co-Founder and Vice President of Strategy Timothy Evans. Johnston worked in the private sector as a principal consultant at CrowdStrike, Inc and served as a captain in the U.S. Marine Corp. Evans, a retired Air National Guard Colonel, commanded the 175th Network Warfare Squadron at the National Security Agency for six years.  Evans represented NSA at the White House for two-years on several working groups.and committees.

To see Adlumin in action, visit, call (571) 334-4777 or email them at

Timothy Evans
Adlumin Inc.
P: (571) 334-4777

Arlington, VA Feb. 14, 2017 — Adlumin™ brings its User & Entity Behavior Analytics (UEBA) technology to provide visibility into every account and endpoint for the  at the Orange County Convention Center in Orlando, Fla. from Feb. 19–23, 2017. “We’re thrilled to be a first-time exhibitor at HIMSS 2017 and to share Adlumin™ Platform with attendees,” said Tim Evans, Cofounder of Adlumin Inc.   The exhibit floor is open February 20-22, 2017.

Adlumin provides real time visibility and analysis into every identity within the enterprise — even across the largest networks — using machine learning and industry expertise from the world’s finest investigators and the U.S. Intelligence Community. Furthermore, using confirmation technology, Adlumin goes beyond detection and is capable of confirming anomalies as malicious.  Adlumin significantly reduces PCI / HIPAA compliance costs, satisfies multiple NIST / SANS (CIS) critical security control requirements, and enhances your privileged account access management strategy. To see Adlumin in action, visit, call (571) 334-4777 or email

by Kim Zetter.

Rob Joyce, NSA Hacker Chief said “In the world of advanced persistent threat actors (APT) like the National Security Agency (NSA), credentials are king for gaining access to systems. Not the login credentials of your organization’s VIPs, but the credentials of network administrators and others with high levels of network access and privileges that can open the kingdom to intruders. Per the words of a recently leaked NSA document, the NSA hunts sysadmins.”

Advanced Persistent Threats (APTs) are one of the most dangerous and difficult threats to discover and respond to in cybersecurity today. In the past, APTs were only used against nation states and their government agencies in espionage and to gain political intelligence. However, today, APT actors are more prevalent than ever in day-to-day cyber-attacks. The recent attack on the Office of Personnel Management, Target, Anthem Health Care, and the Democratic National Committee (DNC) are just a few examples where millions of records were stolen over a long period of time and the organization that was attacked did not even know there was an adversary in their networks. The DNC dwell time is estimated to be in excess of one (1) year.

APTs most typically involve pre-planning, lateral movement, and remote code execution. They sometimes include brute force attacks. The reality is, even if malware is involved in the ultimate attack, prior to planting malware on your network more than 70% of APTs include substantial reconnaissance of your network and significant lateral movement.

Three Signs that you have an Ongoing APT?

  • Elevated Logons at Night. APTs almost always steal valid credentials, dump passwords, and elevate permissions, then they move laterally throughout your network. Ultimately, they find the data they really want and store it within your network or filtrate it externally. Often, the authenticated credentials look like valid users, but act differently. They move throughout the network, often at night, when the legitimate user is sleeping.
  • Finding Malware (Trojans) – APT actors often install backdoor Trojans within the target network. This way, they can maintain access to your network even if you find their less sophisticated access ports. They also dump passwords just in case their initial credentials are changed by users.
  • Anomalous Data Flows – The final sign is to look for data flows within the internal organization that are different than before. This means that your authenticated users are logging on to systems that they never log onto. It might be servers, servers-toclient or, network-to-network connections. They way to discover this is by watching the disposition of every user account on the network. Geo-locating where logons are occurring will help, since most of your authenticated users logon locally rather than remotely.

What Does an APT Solution Require?

APT actors compromise organizations in minutes but persist for months to years. They can do this because of the defensive and detection tactics that organizations currently use. Detection tactics include Network Device Events, Logging, Network Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS), Host IDS/IPS, Antivirus, File Integrity Monitoring (FIM) and Whitelisting, and Security Information and Event Management (SIEM).5

  • Logging – Centralized logging is a primary control used by large organizations to detect security incidents and changes on the network. Most organizations however, do not have sufficient personnel, nor resources to search or hunt through petabytes of data to look for anomalies.
  • Network Device Events – Network and Host IDSs/IPSs detect well-known signatures of attacks or unusual patterns in traffic but they also generate lots of false alarms. They do provide lots of useful data about attacks directed at endpoints on the network.
  • Antivirus – While it appears that antivirus is becoming less important over time, it still provides the ability to recognize the well-known signatures that are often used by attackers.

Organizations must have effective tools that increase their detection capabilities, especially when it comes to stolen credentials. Organizations need to be able to know the disposition of each of their users on the network. This is very difficult, if not impossible, to do without automation.

The Solution – You need Adlumin’s Sentry Platform

Sentry Platform analyzes user behavior and continuously monitors the authentication of credentials. It analyzes every user’s behavior on the network and creates a pattern of life for those users utilizing intelligent mathematical algorithms to determine when anomalies occur and what events need to be further investigated. Sentry Platform helps you detect, prioritize, and reduce the time necessary to respond to threats within your network.

Sentry Platform consists of:

  • Detects remote execution of code, user activity and behavior, and lateral movement and adversarial activity.
  • Targeted User & Entity Behavioral Analytic algorithms to discover anomalous user activity.
  • Active Defense capabilities that help you bait and trap the adversary into giving away his position within your network.
  • Responsive dashboard that provides real-time detections and de-tailed visualizations of event sequences across multiple systems.

• An easy software deployment strategy that begins defending your network in minutes with no time for environmental learning.