Monthly Archives: March 2017

Charles Leaver – Monitor These Commands For Potential Threats

Written By Josh Harriman And Presented By Charles Leaver Ziften CEO


Repeating a concept when it comes to computer security is never a bad thing. As sophisticated as some cyber attacks can be, you really have to watch for and understand the use of common, readily available tools in your environment. These tools are routinely used by your IT staff, are probably whitelisted, and can be missed by security teams sifting through all the legitimate applications that ‘might’ be executed on an endpoint.

Once someone has breached your network, which can be done in a variety of ways and is a topic for another post, signs of these tools/programs running in your environment need to be checked to verify appropriate usage.

A few commands/tools and their functions:

Netstat – Details of the current connections on the system. This can be used to identify other systems within the network.

PowerShell – Built-in Windows command line facility that can perform a range of actions, for example gathering key information about the system, killing processes, adding or removing files, and so on.

WMI – Another powerful built-in Windows facility. Can move files around and gather key system information.

Route Print – Command to view the local routing table.

Net – Enumerating domains/groups/users/accounts.

RDP (Remote Desktop Protocol) – Program to access systems remotely.

AT – Scheduled tasks.

Looking for activity from these tools can be time consuming and often overwhelming, but it is essential for controlling who might be moving around in your network. And not just what is happening in real time, but in the past as well, to see the path someone may have taken through the network. It’s often not ‘patient zero’ that is the target; once they get a foothold, they can use these tools and commands to start their reconnaissance and finally migrate to a high value asset. It’s that lateral movement that you want to detect.

You need the ability to collect the information discussed above and the means to sift through it to find, alert on, and investigate this data. You can use Windows Events to track many changes on a device and then filter that down.

Looking at some screenshots below from our Ziften console, you can see a quick distinction between what our IT team used to push out changes in the environment, versus someone running a very similar command themselves. This may be much like what you would find when someone did that remotely, say via an RDP session.

An interesting side note in these screenshots is that in all of the cases the Process Status is ‘Terminated’. You would not observe this detail during a live investigation or if you were not continuously collecting the data. But because we are collecting all the information continuously, you have this historical data to look at. If you were seeing the Status as ‘Running’, this could indicate that someone is live on that system right now.
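As an added example (not Ziften’s code or console output), the following Python script applies the same idea to constructed process-creation records: it flags the tools listed above, separates a known deployment account from an interactive RDP user, and notes whether any flagged process is still Running. The record format is modeled on Windows Security event 4688 with an added status field, and the deployment account name is a hypothetical assumption.

```python
"""Hunting the listed admin tools in process-creation telemetry.
Added example, not Ziften's code; records are constructed to resemble
Windows Security event 4688 plus a process status column."""
import re
from collections import defaultdict
from dataclasses import dataclass

# The commands/tools the post lists, keyed by executable name.
WATCHED_TOOLS = {
    "netstat.exe": "current connections, spot neighbouring systems",
    "powershell.exe": "system info, kill processes, add/remove files",
    "wmic.exe": "WMI: move files, gather system information",
    "route.exe": "route print: local routing table",
    "net.exe": "domains/groups/users/accounts",
    "mstsc.exe": "RDP client: remote access to systems",
    "at.exe": "scheduled tasks",
}

# Hypothetical account IT uses to push changes (an assumption of this example).
DEPLOYMENT_ACCOUNTS = {"svc_deploy"}

# Constructed sample records; logon=RemoteInteractive denotes an RDP session.
SAMPLE_EVENTS = """\
2017-03-07T09:01:12Z host=WS-042 user=svc_deploy logon=Service image=C:\\Windows\\System32\\wbem\\wmic.exe cmd="wmic process call create setup.exe" status=Terminated
2017-03-07T13:15:01Z host=WS-042 user=jdoe logon=RemoteInteractive image=C:\\Windows\\System32\\netstat.exe cmd="netstat -an" status=Terminated
2017-03-07T13:15:20Z host=WS-042 user=jdoe logon=RemoteInteractive image=C:\\Windows\\System32\\net.exe cmd="net group /domain" status=Terminated
2017-03-07T13:16:05Z host=WS-042 user=jdoe logon=RemoteInteractive image=C:\\Windows\\System32\\route.exe cmd="route print" status=Terminated
2017-03-07T13:17:30Z host=WS-042 user=jdoe logon=RemoteInteractive image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd="powershell -NoProfile Get-Process" status=Running
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) logon=(?P<logon>\S+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>[^"]*)" status=(?P<status>\S+)$'
)


@dataclass
class Event:
    ts: str
    host: str
    user: str
    logon: str
    image: str
    cmd: str
    status: str

    @property
    def exe(self):
        """Executable file name, lower-cased, without its directory."""
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse the constructed record format, skipping malformed lines."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return [Event(**m.groupdict()) for m in matches if m]


def hunt(events, min_tools=3):
    """Group listed-tool executions per (host, user) and flag tool chains:
    several different listed tools run by a non-deployment account; a chain
    with a still-Running process is reported as 'live'."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev.exe in WATCHED_TOOLS and ev.user not in DEPLOYMENT_ACCOUNTS:
            by_actor[(ev.host, ev.user)].append(ev)

    findings = []
    for (host, user), evs in by_actor.items():
        tools = sorted({ev.exe for ev in evs})
        if len(tools) < min_tools:
            continue  # a lone netstat or route print is routine admin work
        findings.append({
            "host": host,
            "user": user,
            "tools": tools,
            "logon_types": sorted({ev.logon for ev in evs}),
            "first_seen": min(ev.ts for ev in evs),
            "last_seen": max(ev.ts for ev in evs),
            "live": any(ev.status == "Running" for ev in evs),
        })
    return findings
```

Running `hunt(parse_events(SAMPLE_EVENTS))` reports one chain for jdoe over RDP with a live PowerShell process, while the deployment account’s WMI push produces nothing.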

This only scratches the surface of what you should be collecting and how to evaluate what is right for your network, which of course will differ from others. But it’s a start. Malicious actors intent on doing you harm will normally look for the path of least resistance. Why try and create new and interesting tools, when much of what they need is already there and ready to go?

Charles Leaver – What’s The Key Difference Between Forensic Analysis And Incident Response?

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


There might be a joke somewhere about the forensic analyst who was late to the incident response party. There is the seed of a joke in the idea at least, but of course you need to understand the differences between forensic analysis and incident response to appreciate the potential for humor.

Forensic analysis and incident response are related disciplines that can leverage similar tools and related data sets but also have some important differences. There are four especially important differences between incident response and forensic analysis:

– Objectives.
– Data requirements.
– Team skills.
– Benefits.

The difference in the objectives of incident response and forensic analysis is perhaps the most important. Incident response is focused on determining a fast (i.e., near real-time) response to an immediate threat or issue. For example, a house is on fire and the firefighters who arrive to put that fire out are engaged in incident response. Forensic analysis is usually performed as part of a scheduled compliance, legal discovery, or law enforcement investigation. For example, a fire investigator may examine the remains of that house fire to determine the total damage to the property, the cause of the fire, and whether the origin was such that other homes are also at risk. In other words, incident response is focused on containment of a threat or issue, while forensic analysis is focused on a full understanding and thorough remediation of a breach.

A second significant difference between the disciplines is the data resources needed to achieve the goals. Incident response teams typically only require short-term data sources, often no more than a month or so, while forensic analysis teams typically need much longer lived logs and files. Keep in mind that the average dwell time of a successful attack is somewhere between 150 and 300 days.

While there is commonality in the personnel skills of incident response and forensic analysis teams, and in fact incident response is often considered a subset of the broader forensic discipline, there are important differences in job requirements. Both kinds of work require strong log analysis and malware analysis capabilities. Incident response requires the ability to rapidly isolate an infected device and to establish ways to remediate or quarantine the device. Interactions tend to be with other operations and security staff members. Forensic analysis normally requires interactions with a much broader set of departments, including HR, compliance, operations and legal.

Not surprisingly, the perceived benefits of these activities also differ.

The ability to eliminate a threat on one machine in near real time is a significant determinant in keeping breaches isolated and limited in effect. Incident response, and proactive threat hunting, is the first line of defense in security operations. Forensic analysis is incident response’s less glamorous relative. However, the benefits of this work are undeniable. A comprehensive forensic investigation allows the removal of all threats through careful analysis of the entire attack chain of events. And that is nothing to laugh about.

Do your endpoint security processes accommodate both immediate incident response and long-term historical forensic analysis?

Charles Leaver – Why Using Edit Distance Is Essential Part One

Written By Jesse Sampson And Presented By Charles Leaver CEO Ziften


Why are the same techniques used by cyber criminals all the time? The simple answer is that they continue to work. For instance, Cisco’s 2017 Cybersecurity Report tells us that after years of decline, spam email with malicious attachments is again on the rise. In that conventional attack vector, malware authors usually mask their activities by using a filename similar to a common system process.

There is not necessarily a connection between a file’s path name and its contents: anyone who has tried to hide sensitive information by giving it a dull name like “taxes”, or changed the extension on a file attachment to get around email rules, knows this. Malware authors know this too, and will frequently name their malware to resemble common system processes. For instance, “iexplore.exe” is Internet Explorer, but “iexplorer.exe” with an additional “r” could be anything. It’s easy even for experts to overlook this minor distinction.

The opposite problem, known .exe files running in unusual locations, is easy to solve using string functions and SQL sets.

What about the other scenario, finding close matches to the executable name? Most people start their hunt for near string matches by sorting data and visually looking for discrepancies. This generally works well for a small set of data, perhaps even a single system. Finding these patterns at scale, however, requires an algorithmic approach. One recognized strategy for “fuzzy matching” is to use Edit Distance.

What’s the best method for computing edit distance? For Ziften, our technology stack includes HP Vertica, which makes this task simple. The internet has plenty of data scientists and data engineers singing Vertica’s praises, so it will be enough to point out that Vertica makes it easy to create custom functions that take advantage of its power – from C++ power tools to statistical modeling scalpels in R and Java.

This Git repo is maintained by Vertica enthusiasts working in industry. It’s not an official offering, but the Vertica team is certainly aware of it, and moreover is thinking every day about ways to make Vertica better for data scientists – a great space to watch. Best of all, it includes a function to compute edit distance! There are also some other natural language processing tools here, like word stemmers and tokenizers.

By using edit distance on the top executable paths, we can quickly find the closest match to each of our top hits. This is an interesting data set, as we can sort by distance to find the nearest matches over the entire data set, or we can sort by frequency of the top path to see what the nearest match is to our most frequently used processes. This data can also appear on contextual “report card” pages, to show, e.g., the top five closest strings for a given path. Below is an example to give a sense of use, based on real data ZiftenLabs observed in a client environment.

Setting a threshold of 0.2 seems to find good results in our experience, but the point is that this can be tuned to fit specific use cases. Did we find any malware? We see that “teamviewer_.exe” (should be just “teamviewer.exe”), “iexplorer.exe” (should be “iexplore.exe”), and “cvshost.exe” (should be svchost.exe, unless maybe you work for CVS pharmacy…) all look odd. Since we’re already in our database, it’s also trivial to retrieve the associated MD5 hashes, Ziften suspicion scores, and other attributes to do a deeper dive.
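As an added example (not Ziften’s code and not the Vertica repo’s function), here is the same fuzzy match in plain Python: a Levenshtein edit distance, normalized by the longer name so the 0.2 threshold above applies regardless of name length, run over a constructed baseline of well-known process names and a constructed set of observations in the style of the findings described. The baseline list and observations are assumptions for this example.

```python
"""Fuzzy matching of executable names with normalized edit distance.
Added example, not Ziften's code; the KNOWN baseline and OBSERVED names
are constructed for illustration."""


def edit_distance(a, b):
    """Levenshtein distance: the minimum number of single-character
    insertions, deletions and substitutions turning a into b."""
    if len(a) < len(b):
        a, b = b, a  # keep the shorter string as the inner row
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def normalized_distance(a, b):
    """Distance scaled to [0, 1] by the longer string, so one extra character
    in a 15-character name scores about 0.07 and passes a 0.2 threshold."""
    longest = max(len(a), len(b))
    return edit_distance(a, b) / longest if longest else 0.0


# Assumed baseline of legitimate process names; order breaks exact ties.
KNOWN = ["svchost.exe", "iexplore.exe", "teamviewer.exe", "explorer.exe",
         "lsass.exe", "csrss.exe", "services.exe", "chrome.exe"]

# Constructed observations in the style of the post's findings.
OBSERVED = ["teamviewer_.exe", "iexplorer.exe", "cvshost.exe",
            "svchost.exe", "chrome.exe", "mybackup.exe"]


def nearest_matches(observed, known, threshold=0.2):
    """Return (name, closest_known, distance) for observed names that are
    close to, but not identical to, a known process name, nearest first.
    Exact matches are skipped: the name itself is not suspicious, and
    names farther than the threshold from everything are ignored."""
    results = []
    for name in observed:
        lowered = name.lower()
        if lowered in known:
            continue
        best = min(known, key=lambda k: normalized_distance(lowered, k))
        dist = normalized_distance(lowered, best)
        if dist <= threshold:
            results.append((name, best, round(dist, 3)))
    return sorted(results, key=lambda r: r[2])
```

The hits carry the observed name and its nearest legitimate neighbour, which is what you would then join against hashes and other attributes for the deeper dive described next.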

In this particular real-life environment, it turned out that teamviewer_.exe and iexplorer.exe were portable applications, not known malware. We helped the client with further investigation of the user and system where we observed the portable applications, since use of portable apps on a USB drive could be evidence of naughty activity. The more disturbing find was cvshost.exe. Ziften’s intelligence feeds indicate that this is a suspicious file. Searching for the MD5 hash of this file on VirusTotal confirms the Ziften data, showing that this is a potentially serious Trojan infection that could be a component of a botnet or doing something even more destructive. Once the malware was found, however, it was simple to fix the problem and ensure it stays fixed using Ziften’s ability to kill and persistently block processes by MD5 hash.

Even as we develop innovative predictive analytics to discover malicious patterns, it is important that we continue to improve our capabilities to hunt for known patterns and old tricks. Just because new threats emerge doesn’t mean the old ones go away!

If you enjoyed this post, watch this space for part 2 of this series, where we will apply this approach to hostnames to detect malware droppers and other malicious websites.

Charles Leaver – Defining An Endpoint And Protecting It Will Increase In Difficulty As Connected Devices Rise

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


In the very recent past everyone knew exactly what you meant if you raised the subject of an endpoint. If someone wanted to sell you an endpoint security product, you knew what devices that software was going to protect. But when I hear someone casually talk about endpoints today, The Princess Bride’s Inigo Montoya comes to mind: “You keep using that word. I don’t think it means what you think it means.” Today an endpoint could be almost any type of device.

In fact, endpoints are so varied these days that people have taken to calling them “things.” According to Gartner, at the close of 2016 there were more than six billion “things” connected to the internet. The consulting firm predicts that this number will grow to twenty one billion by the year 2020. The business use of these things will be both generic (e.g. connected light bulbs and heating and cooling systems) and industry specific (e.g. oil well safety monitoring). For IT and security teams responsible for connecting and protecting endpoints, this is only half of the new challenge, however. The adoption of virtualization technology has redefined what an endpoint is, even in environments in which these teams have traditionally operated.

The past ten years have seen an enormous change in the way end users access information. Physical devices continue to become more mobile, with many information workers now doing the majority of their computing and communication on laptops and smartphones. More importantly, everybody is becoming an information worker. Today, better instrumentation and monitoring have enabled levels of data collection and analysis that can make the insertion of information technology into almost any task profitable.

At the same time, more traditional IT assets, especially servers, are being virtualized to remove some of the traditional constraints of having those assets tied to physical devices.

These two trends together will impact security teams in important ways. The totality of “endpoints” will include billions of long-lived and insecure IoT endpoints as well as billions of virtual endpoint instances that will be scaled up and down as needed and moved to different physical locations as needed.

Enterprises will have very different concerns about these two general kinds of endpoints. Over their lifetimes, IoT devices will have to be protected from a host of threats, some of which have yet to be thought up. Monitoring and protecting these devices will require advanced detection capabilities. On the plus side, it will be possible to maintain distinct log data to enable forensic investigation.

Virtual endpoints, on the other hand, present their own crucial issues. The ability to move their physical location makes it far more difficult to ensure the right security policies are always attached to the endpoint. The practice of reimaging virtual endpoints can make forensic investigation difficult, as important data is normally lost when a new image is applied.

So it doesn’t matter what word or phrase is used to describe your endpoints – endpoint, system, client device, user device, mobile device, server, virtual machine, container, cloud workload, IoT device, and so on – it is important to understand exactly what someone means when they use the term endpoint.

Charles Leaver – Focus On Detection Not Perimeter Breach

Written By Dr Al Hartmann And Presented By Charles Leaver CEO Ziften


If Prevention Has Failed Then Detection Is Essential

The last scene of the well-known Vietnam War film Platoon portrays a North Vietnamese Army regiment in a surprise night-time attack breaching the concertina wire perimeter of an American Army battalion, overrunning it, and slaughtering the startled defenders. The desperate company commander, grasping their dire defensive predicament, orders his air support to strike his own position: “For the record, it’s my call – Dump everything you’ve got left on my position!” Moments later the battlefield is immolated in a napalm hellscape.

Although a physical conflict, this illustrates two aspects of cybersecurity: (1) You have to handle inevitable perimeter breaches, and (2) It can be bloody hell if you do not detect early and respond forcefully. MITRE Corporation has been leading the call for re-balancing cybersecurity priorities to place due emphasis on detecting breaches in the network interior rather than simply focusing on penetration prevention at the network perimeter. Rather than defense in depth, the latter produces a flawed “tootsie pop” defense – hard, crunchy shell, soft chewy center. Writing in a MITRE blog, “We could see that it would not be a question of if your network will be breached but when it would be breached,” explains Gary Gagnon, MITRE’s senior vice president, director of cybersecurity, and chief security officer. “Today, companies are asking ‘How long have the intruders been inside? How far have they gone?’”

Some call this the “assumed breach” approach to cybersecurity, or as posted to Twitter by F-Secure’s Chief Research Officer:

Q: How many of the Fortune 500 are compromised? – A: 500.

This is based on the likelihood that any sufficiently complex cyber environment has an existing compromise, and that Fortune 500 businesses are of sufficiently complex scale.

Shift the Burden of Perfect Execution from the Defenders to the Attackers

The conventional cybersecurity viewpoint, derived from the legacy perimeter defense model, has been that the attacker only has to be right once, while the defender must be right all the time. A sufficiently resourced and persistent attacker will eventually achieve penetration. And time to successful penetration decreases with increasing size and complexity of the target business.

A perimeter or prevention-reliant cyber-defense model essentially demands perfect execution by the defender, while delivering success to any sufficiently sustained attack – a recipe for certain cyber disaster. For example, a leading cybersecurity red team reports successful enterprise penetration in under three hours in more than 90% of their client engagements – and these white hats are limited to ethical means. Your business’s black hat attackers are not so constrained.

To be viable, the cyber defense strategy needs to turn the tables on the attackers, shifting to them the unattainable burden of perfect execution. That is the rationale for a strong detection capability that continuously monitors endpoint and network behavior for any unusual signs or observed hacker footprints inside the perimeter. The more sensitive the detection capability, the more caution and stealth the attackers must exercise in executing their kill chain sequence, and the more time and labor and talent they need to invest. The defenders need only observe a single hacker misstep to reveal their footprints and unravel the attack kill chain. Now the defenders become the hunter, the hackers the hunted.


MITRE provides a comprehensive taxonomy of hacker footprints, covering the post-compromise segment of the kill chain, known by the acronym ATT&CK, for Adversarial Tactics, Techniques, and Common Knowledge. ATT&CK project team leader Blake Strom says, “We decided to concentrate on the post-attack period [portion of kill chain lined in orange below], not only because of the strong possibility of a breach and the scarcity of actionable information, but also because of the many opportunities and intervention points available for effective defensive action that do not necessarily rely on prior knowledge of adversary tools.”



As shown in the MITRE figure above, the ATT&CK model provides additional granularity on the post-compromise phases of the attack kill chain, breaking these out into ten tactic categories as shown. Each tactic category is further detailed into a list of techniques an attacker might use in carrying out that tactic. The January 2017 update of the ATT&CK matrix lists 127 techniques across its ten tactic categories. For instance, Registry Run Keys / Start Folder is a technique in the Persistence category, Brute Force is a technique in the Credential Access category, and Command-Line Interface is a technique in the Execution category.

Leveraging Endpoint Detection and Response (EDR) in the ATT&CK Model

Endpoint Detection and Response (EDR) solutions, such as Ziften provides, offer vital visibility into attacker use of techniques listed in the ATT&CK model. For example, Registry Run Keys / Start Folder technique use is reported, as is Command-Line Interface use, since both involve readily observable endpoint behavior. Brute Force use in the Credential Access category should be blocked by design in every authentication architecture and be visible from the resulting account lockout. But even here the EDR product can report events such as unsuccessful login attempts, where an attacker might make a few guesses while staying under the account lockout attempt threshold.
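As an added example (not Ziften’s or MITRE’s code), the following Python script shows the kind of analytics that turns those reported failed-logon events into a detection: it aggregates constructed records per source workstation and separates sources that simply trip the lockout from sources that spread a few guesses across many accounts while every account stays under the threshold. The lockout threshold, window and record format are assumptions for this example.

```python
"""Failed-logon aggregation for guesses that stay under the lockout threshold.
Added example, not Ziften's or MITRE's code. Records are constructed to carry
the fields of a Windows Security 4625 event that matter here: time, source
workstation, target account, outcome."""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5           # assumed policy: lock an account after 5 failures
WINDOW = timedelta(minutes=30)  # assumed length of one guessing session
MIN_ACCOUNTS = 3                # distinct accounts from one source that is suspicious

# Constructed sample: WS-101 makes two guesses against each of four accounts
# (locking none of them), WS-202 hammers one account until lockout, and
# WS-303 is a user who mistyped a password once and then logged in.
SAMPLE = """\
2017-03-10 02:00:05 WS-101 alice FAIL
2017-03-10 02:00:09 WS-101 bob FAIL
2017-03-10 02:00:14 WS-101 carol FAIL
2017-03-10 02:00:20 WS-101 dave FAIL
2017-03-10 02:15:02 WS-101 alice FAIL
2017-03-10 02:15:07 WS-101 bob FAIL
2017-03-10 02:15:11 WS-101 carol FAIL
2017-03-10 02:15:16 WS-101 dave FAIL
2017-03-10 08:30:00 WS-202 eve FAIL
2017-03-10 08:30:03 WS-202 eve FAIL
2017-03-10 08:30:06 WS-202 eve FAIL
2017-03-10 08:30:09 WS-202 eve FAIL
2017-03-10 08:30:12 WS-202 eve FAIL
2017-03-10 09:12:44 WS-303 bob FAIL
2017-03-10 09:12:51 WS-303 bob OK
"""


def parse(text):
    """Return (timestamp, source, account) for each failed logon record."""
    events = []
    for line in text.splitlines():
        date, time, src, account, outcome = line.split()
        if outcome == "FAIL":
            events.append((datetime.fromisoformat(f"{date} {time}"), src, account))
    return events


def detect(events, lockout=LOCKOUT_THRESHOLD, window=WINDOW, min_accounts=MIN_ACCOUNTS):
    """Classify each source as 'lockout' (already visible from the lockout
    itself) or 'under-threshold guessing' (few tries per account, many
    accounts within one window); quiet sources produce no finding."""
    by_src = defaultdict(list)
    for ts, src, account in sorted(events):
        by_src[src].append((ts, account))

    findings = []
    for src, evs in by_src.items():
        per_account = defaultdict(int)
        for _, account in evs:
            per_account[account] += 1
        locked = sorted(a for a, n in per_account.items() if n >= lockout)
        if locked:
            findings.append({"source": src, "kind": "lockout", "accounts": locked})
            continue
        # Sliding window: the most distinct accounts guessed from this source
        # within one window; every account here is still below the threshold.
        most = 0
        for i, (start, _) in enumerate(evs):
            in_window = {a for ts, a in evs[i:] if ts - start <= window}
            most = max(most, len(in_window))
        if most >= min_accounts:
            findings.append({
                "source": src,
                "kind": "under-threshold guessing",
                "accounts": sorted(per_account),
                "max_per_account": max(per_account.values()),
            })
    return findings
```

On the sample, WS-101 is reported with four accounts and at most two failures each, WS-202 is reported as a lockout, and WS-303 is not reported at all.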

For attentive defenders, any technique use may be the attack giveaway that unravels the entire kill chain. EDR products compete on their technique observation, reporting, and alerting capabilities, as well as their analytics potential to carry out more of the attack pattern detection and kill chain reconstruction, in support of the defending security analysts staffing the enterprise SOC. Here at Ziften we will detail more EDR solution capabilities in support of the ATT&CK post-compromise detection model in future blog posts in this series.

Charles Leaver – Give Us Customized Security Solutions, Say RSA 2017 Delegates

Written By Michael Vaughan And Presented By Charles Leaver Ziften CEO


More tailored solutions are needed by security, network and operational teams in 2017

Many of us have attended security conventions over the years, but none bring the same high level of excitement as RSA – where security is discussed by the world. Of all the conventions I have attended and worked, nothing comes close to the passion for new technology people showed this past week in downtown San Francisco.

After taking a few days to digest the dozens of discussions about the needs and limitations of existing security tech, I’ve been able to synthesize a particular theme among participants: People want customized solutions that match their environment and will work across multiple internal teams.

When I use the term “people,” I mean everyone in attendance regardless of technological segment. Operational professionals, security professionals, network veterans, as well as user behavior analysts often visited the Ziften booth and shared their experiences.

Everyone seemed more prepared than ever to discuss their wants and needs for their environment. These attendees had their own set of objectives they wanted to achieve within their department and they were desperate for answers. Since the Ziften Zenith solution offers such broad visibility on enterprise devices, it’s not surprising that our booth stayed crowded with people eager to learn more about a new, refreshingly easy endpoint security technology.

Attendees came with complaints about myriad enterprise-centric security problems and sought deeper insight into what’s actually happening on their network and on devices traveling in and out of the workplace.

End users of old-school security products are on the hunt for newer, more essential software applications.

If I could pick just one of the frequent questions I received at RSA to share, it’s this one:

“What is endpoint discovery?”

1) Endpoint discovery: Ziften reveals a historical view of unmanaged devices which have been connected to other business endpoints at some stage. Ziften allows users to discover known and unknown entities which are active or have been interacting with known endpoints.

a. Unmanaged Asset Discovery: Ziften uses our extension platform to expose these unknown entities operating on the network.

b. Extensions: These are custom-fit solutions tailored to the user’s particular wants and requirements. The Ziften Zenith agent can execute the assigned extension on a single occasion, on a schedule, or on a continuous basis.

Generally, after the above description came the real reason they were attending:

People are searching for a wide range of solutions for numerous departments, including executives. This is where working at Ziften makes answering this question a treat.

Only a portion of the RSA participants are security professionals. I spoke to lots of network, operations and endpoint management staff, vice presidents, general managers and channel partners.

They clearly all use and understand the need for quality security software, but apparently find the translation to business value missing among security vendors.

NetworkWorld’s Charles Araujo phrased the problem rather well in a recent article:

Businesses should also rationalize security data in a business context and manage it holistically as part of the overall IT and organization operating model. A group of suppliers is also trying to tackle this obstacle …

Ziften was one of only three companies mentioned.

After listening to the wants and needs of people from different business-critical backgrounds and describing to them the capabilities of Ziften’s Extension platform, I typically described how Ziften would adapt an extension to solve their need, or I gave a quick demo of an extension that would allow them to overcome a challenge.

2) Extension Platform: Tailored, actionable solutions.

a. SKO Silos: Extensions based upon fit and requirement (operations, network, endpoint, etc).

b. Custom Requests: Need something you don’t see? We can fix that for you.

3) Enhanced Forensics:

a. Security: Threat management, Risk Assessment, Vulnerabilities, Suspicious metadata.

b. Operations: Compliance, License Rationalization, Unmanaged Assets.

c. Network: Ingress/Egress IP movement, Domains, Volume metadata.

4) Visibility within the network – Not just what comes in and goes out.

a. ZFlow: Finally see the network traffic inside your enterprise.

Needless to say, everybody I spoke to in our booth quickly understood the crucial importance of having a product such as Ziften Zenith running in and across their enterprise.

Forbes author Jason Bloomberg said it best when he recently described the future of enterprise security software and how all signs point toward Ziften blazing a trail:

Perhaps the broadest disruption: vendors are improving their ability to understand how bad actors behave, and can thus take steps to prevent, detect or reduce their malicious activities. In particular, today’s vendors understand the ‘Cyber Kill Chain’ – the actions a competent, patient hacker (known in the biz as an advanced persistent threat, or APT) will take to achieve his or her wicked goals.

The product of U.S. defense contractor Lockheed Martin, the Cyber Kill Chain consists of seven links: reconnaissance, weaponization, delivery, exploitation, installation, establishing command and control, and actions on objectives.

Today’s more innovative vendors target one or more of these links, with the goal of preventing, detecting or mitigating the attack. Five vendors at RSA emerged in this category.

Ziften offers an agent-based approach to tracking the behavior of users, devices, applications, and network components, both in real time and across historical data.

In real time, analysts use Ziften for threat identification and prevention, while they use the historical data to uncover steps in the kill chain for mitigation and forensic purposes.