Archive for March, 2017

Chuck Leaver – Watch Out For These Commands As They Could Be A Threat

Written By Josh Harriman And Presented By Chuck Leaver Ziften CEO


Repeating a point about computer security is never a bad thing. As sophisticated as some cyber attacks can be, you really need to look for, and understand the use of, common and readily available tools in your environment. These tools are normally used by your IT staff, are most likely whitelisted, and can be missed by security teams sifting through all the legitimate applications that might be executed on an endpoint.

Once someone has penetrated your network, which can be done in a range of ways and is a blog post for another day, signs of these programs and tools running in your environment need to be examined to confirm they are being used appropriately.

A few commands/tools and their purpose:

Netstat – Details on the current network connections. This can be used to identify other systems on the network.

Powershell – Built-in Windows command line shell that can perform a variety of activities, such as obtaining important information about the system, killing processes, and adding or deleting files.

WMI – Another powerful built-in Windows facility. It can move files around and gather crucial system details.

Route Print – Command to view the local routing table.

Net – Commands covering accounts, users, groups and domains.

RDP (Remote Desktop Protocol) – Program to access systems remotely.

AT – Scheduled jobs.

Looking for activity from these tools can be time consuming and sometimes overwhelming, but it is necessary to get a handle on who might be moving around in your environment. And not just what is occurring in real time, but historically too, to see the path someone may have taken through the environment. It is often not ‘patient zero’ that is the target; once they get a foothold, attackers can use these tools and commands to begin their reconnaissance and eventually move to a high value asset. It is that lateral movement that you want to discover.

You need the capability to gather the data discussed above and the means to sift through it to find, alert on, and investigate it. You can use Windows Events to monitor various changes on a device and then filter that down.

Looking at the screenshots below from our Ziften console, you can see a quick difference between what our IT group used to push out changes in the network versus someone running a very similar command themselves. This could be much like what you find when someone did that remotely, say via an RDP session.
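To make the hunt concrete, here is an added example (not Ziften's code) that runs the tool list above over constructed process-creation records and orders each user's findings into a historical trail across hosts. It assumes 4688-style field names, an approved deployment account and sample hosts and users, all invented for the illustration.

```python
"""Flag use of the built-in Windows admin tools named in this post.

Added example, not Ziften's code. The records below are constructed to carry
the fields a Windows Security event 4688 (process creation) provides, plus the
logon type of the session and the process status Ziften's console shows; the
field names, host names, accounts and the approved deployment account are
assumptions made for the illustration.
"""
from collections import defaultdict

# Image names of the tools discussed above and what each is normally used for.
WATCHED_TOOLS = {
    "netstat.exe":    "current network connections; finds other systems",
    "powershell.exe": "scripted queries and changes on the system",
    "wmic.exe":       "WMI: move files, collect system details",
    "route.exe":      "local routing table (route print)",
    "net.exe":        "accounts, users, groups, domains",
    "mstsc.exe":      "RDP client: remote access to systems",
    "at.exe":         "scheduled jobs",
}
# Account the IT group pushes changes through (assumption for this example).
APPROVED_PUSH_ACCOUNTS = {"CORP\\svc-deploy"}
RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive (RDP)


def event(ts, host, user, image, cmdline, logon_type, status):
    """Build one constructed 4688-style record."""
    return {"ts": ts, "host": host, "user": user, "image": image,
            "cmdline": cmdline, "logon_type": logon_type, "status": status}


# Constructed sample: an IT push, then one interactive RDP user hopping hosts.
EVENTS = [
    event("2017-03-01T02:00:01", "WS-017", "CORP\\svc-deploy", "powershell.exe",
          "powershell.exe -File C:\\deploy\\patch.ps1", 5, "Terminated"),
    event("2017-03-01T14:12:07", "WS-017", "CORP\\jdoe", "netstat.exe",
          "netstat -an", RDP_LOGON_TYPE, "Terminated"),
    event("2017-03-01T14:13:40", "WS-017", "CORP\\jdoe", "net.exe",
          "net view /domain", RDP_LOGON_TYPE, "Terminated"),
    event("2017-03-01T14:14:02", "WS-017", "CORP\\jdoe", "notepad.exe",
          "notepad.exe notes.txt", RDP_LOGON_TYPE, "Terminated"),
    event("2017-03-01T14:31:55", "SRV-FS01", "CORP\\jdoe", "at.exe",
          "at 03:00 task.cmd", RDP_LOGON_TYPE, "Running"),
]


def classify(ev):
    """Return a finding for a watched tool outside the approved push channel, else None."""
    image = ev["image"].lower()
    if image not in WATCHED_TOOLS or ev["user"] in APPROVED_PUSH_ACCOUNTS:
        return None
    return {
        "ts": ev["ts"], "host": ev["host"], "user": ev["user"], "tool": image,
        "purpose": WATCHED_TOOLS[image],
        "via_rdp": ev["logon_type"] == RDP_LOGON_TYPE,
        # 'Running' in historical data means someone may be on the box right now.
        "live": ev["status"] == "Running",
    }


def trail(events):
    """Group findings per user in time order: the historical path through the environment."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        finding = classify(ev)
        if finding:
            by_user[finding["user"]].append(finding)
    return dict(by_user)


def hosts_visited(findings):
    """Distinct hosts in first-seen order, i.e. the lateral path a user took."""
    seen = []
    for f in findings:
        if f["host"] not in seen:
            seen.append(f["host"])
    return seen


if __name__ == "__main__":
    for user, findings in trail(EVENTS).items():
        print(user, "->", " -> ".join(hosts_visited(findings)))
        for f in findings:
            flag = "LIVE" if f["live"] else "terminated"
            print(f"  {f['ts']} {f['host']:<9} {f['tool']:<15} rdp={f['via_rdp']} {flag}")
```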






An interesting side note in these screenshots is that in all cases the Process Status is ‘Terminated’. You would not see this particular detail during a live examination, or if you were not constantly collecting the data. Since we collect all the information continuously, you have this historical data to look at. If you were instead seeing the Status as ‘Running’, it could mean that somebody is on that system right now.

This only scratches the surface of what you should be gathering and how to evaluate what is right for your environment, which will obviously differ from that of others, but it is a good place to start. Malicious actors intent on doing you harm will typically look for the path of least resistance. Why build new and interesting tools when most of what they need is already there and ready to go?

Chuck Leaver – The Important Distinction Between Incident Response And Forensic Analysis

Written By Roark Pollock And Presented By Ziften CEO Chuck Leaver


There may be a joke somewhere about the forensic expert who was late to the incident response party. There is the seed of a joke in the idea at least, but of course you have to understand the differences between forensic analysis and incident response to appreciate the potential for humor.

Incident response and forensic analysis are related disciplines that can use similar tools and related data sets, but they also have some important differences. There are four particularly essential differences between forensic analysis and incident response:

– Objectives.
– Requirements for data.
– Team abilities.
– Benefits.

The difference in objectives is perhaps the most important. Incident response is focused on determining a fast (i.e., near real-time) reaction to an immediate threat or issue. For example, a house is on fire and the firefighters who show up to put that fire out are doing incident response. Forensic analysis is normally carried out as part of a scheduled compliance, legal discovery, or law enforcement investigation. For example, a fire investigator may examine the remains of that house fire to determine the total damage to the property, the cause of the fire, and whether the origin was such that other houses are also at risk. Simply put, incident response is focused on containment of a threat or issue, while forensic analysis is focused on a full understanding and comprehensive remediation of a breach.

A second significant difference between the disciplines is the data resources required to achieve the objectives. Incident response teams typically only need short-term data sources, frequently no more than a month or so, while forensic analysis teams usually need much longer-lived logs and files. Remember that the typical dwell time of a successful attack is somewhere between 150 and 300 days.

While there is commonality in the personnel skills of incident response and forensic analysis teams, and in fact incident response is often considered a subset of the broader forensic discipline, there are important differences in job requirements. Both types of work require strong log analysis and malware analysis skills. Incident response requires the ability to rapidly isolate an infected device and to develop ways to remediate or quarantine it. Interactions tend to be with other security and operations staff members. Forensic analysis typically requires interactions with a much broader set of departments, including legal, compliance, operations and HR.

Not surprisingly, the perceived benefits of these activities also differ.

The ability to remove a threat on one device in near real time is a major factor in keeping breaches isolated and limited in impact. Incident response, along with proactive threat hunting, is the first line of defense in security operations. Forensic analysis is incident response’s less glamorous relative. Nevertheless, the benefits of this work are undeniable. A comprehensive forensic investigation allows the removal of all threats through careful analysis of an entire attack chain of events. And that is no laughing matter.

Do your endpoint security processes make provision for both immediate incident response and long-term historical forensic analysis?

Chuck Leaver – Why Edit Difference Is Important Part One

Written By Jesse Sampson And Presented By Chuck Leaver CEO Ziften


Why are the same tricks used by attackers over and over? The simple answer is that they continue to work. For example, Cisco’s 2017 Cyber Security Report tells us that after years of decline, spam e-mail with malicious attachments is once again growing. In that standard attack vector, malware authors generally mask their activity by using a filename similar to a common system process.

There is not always a connection between a file’s path name and its contents: anybody who has tried to hide sensitive information by giving it a boring name like “taxes”, or changed the extension on a file attachment to get around email rules, knows this principle. Malware authors know it as well, and will frequently name malware to look like common system processes. For example, “explore.exe” is Internet Explorer, but “explorer.exe” with an additional “r” could be anything. It is easy even for experts to overlook this minor difference.

The opposite problem, known .exe files running in unusual locations, is simple to solve using string functions and SQL sets.


What about the other case, discovering close matches to the executable name? Most people start their search for near string matches by sorting the data and visually looking for discrepancies. This normally works well for a small data set, maybe even a single system. To find these patterns at scale, however, requires an algorithmic approach. One well-known method for “fuzzy matching” is to use edit distance.

What is the best technique for computing edit distance? For Ziften, our technology stack includes HP Vertica, which makes this task simple. The internet is full of data scientists and data engineers singing Vertica’s praises, so it will suffice to mention that Vertica makes it easy to build custom functions that take advantage of its power – from C++ power tools to statistical modeling scalpels in R and Java.

This Git repo is maintained by Vertica enthusiasts working in industry. It is not a supported offering, but the Vertica team is definitely aware of it, and is thinking every day about how to make Vertica more useful for data scientists – a great space to watch. Most importantly, it includes a function to compute edit distance! There are also other tools for natural language processing here, like word stemmers and tokenizers.

Using edit distance on the top executable paths, we can quickly find the closest match to each of our top hits. This is an interesting data set, as we can sort by distance to find the closest matches over the entire dataset, or sort by frequency of the top path to see the closest match to our most commonly used processes. This data can also surface on contextual “report card” pages, to show, e.g., the top five nearest strings for a given path. Below is a toy example to give a sense of its use, based on real data ZiftenLabs observed in a customer environment.


Setting a threshold of 0.2 seems to find good results in our experience, but the point is that this can be tuned to fit specific use cases. Did we find any malware? We observe that “teamviewer_.exe” (should be just “teamviewer.exe”), “iexplorer.exe” (should be “iexplore.exe”), and “cvshost.exe” (should be “svchost.exe”, unless perhaps you work for the CVS drug store…) all look strange. Since we are already in our database, it is also trivial to pull the associated MD5 hashes, Ziften suspicion scores, and other attributes for a deeper dive.


In this particular real-world environment, it turned out that teamviewer_.exe and iexplorer.exe were portable applications, not known malware. We helped the customer with further investigation of the user and system where we observed the portable applications, since use of portable apps on a USB drive could be evidence of suspicious activity. The more disturbing find was cvshost.exe. Ziften’s intelligence feeds showed that this is a suspicious file. Searching for the MD5 hash of this file on VirusTotal confirmed the Ziften data, indicating that it is a potentially serious Trojan infection that may be part of a botnet or doing something even more malicious. Once the malware was found, however, it was easy to resolve the problem and make sure it stays resolved using Ziften’s ability to kill and persistently block processes by MD5 hash.

Even as we develop advanced predictive analytics to detect malicious patterns, it is important that we continue to improve our ability to hunt for known patterns and old techniques. Just because new threats emerge does not mean the old ones go away!

If you enjoyed this post, watch this space for part 2 of this series, where we will apply this method to hostnames to identify malware droppers and other malicious sites.
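The near-match search described above, together with the “known .exe in an unusual location” check mentioned earlier, as an added example in plain Python rather than Ziften's Vertica function. The observed paths, counts, known-process list and expected directories are constructed for the illustration, and the normalized distance is defined as edit distance divided by the longer name so the 0.2 threshold applies.

```python
"""Fuzzy-match observed executable names against known process names.

Added example, not Ziften's Vertica code: a plain Python Levenshtein edit
distance, normalized by the longer string so the post's 0.2 threshold applies,
plus the "known .exe in an unusual location" check mentioned earlier. The
observed paths and counts are constructed to mirror the post's toy example;
the list of known names and their expected directories are assumptions.
"""
import ntpath

KNOWN_PROCESSES = ["svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe",
                   "iexplore.exe", "teamviewer.exe", "chrome.exe", "notepad.exe"]

# Where a known image is expected to live (assumption; lower-case, no trailing slash).
EXPECTED_DIRS = {
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "lsass.exe": {"c:\\windows\\system32"},
}

# Constructed "top executable paths" with how often each was seen.
TOP_PATHS = [
    ("C:\\Windows\\System32\\svchost.exe", 9812),
    ("C:\\Program Files\\Internet Explorer\\iexplore.exe", 1431),
    ("C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe", 2),
    ("D:\\tools\\teamviewer_.exe", 5),
    ("D:\\tools\\iexplorer.exe", 4),
    ("C:\\Users\\bob\\AppData\\Roaming\\cvshost.exe", 3),
]


def levenshtein(a, b):
    """Minimum number of single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalized_distance(a, b):
    """Edit distance scaled to [0, 1] by the longer string; 0 means identical."""
    longest = max(len(a), len(b))
    return levenshtein(a, b) / longest if longest else 0.0


def nearest(name, known=KNOWN_PROCESSES, k=5):
    """The k closest known names as (distance, name), best first; exact matches excluded.
    Ties are possible (e.g. iexplorer.exe is one edit from both explorer.exe and
    iexplore.exe), which is why a report card shows the top k rather than one."""
    name = name.lower()
    scored = [(normalized_distance(name, kn), kn) for kn in known if kn != name]
    return sorted(scored)[:k]


def lookalikes(paths=TOP_PATHS, threshold=0.2):
    """Paths whose file name nearly, but not exactly, matches a known process."""
    hits = []
    for path, count in paths:
        fname = ntpath.basename(path).lower()
        if fname in KNOWN_PROCESSES:
            continue
        best = nearest(fname, k=1)
        if best and best[0][0] <= threshold:
            hits.append((fname, count, best[0][1], round(best[0][0], 3)))
    return hits


def misplaced(paths=TOP_PATHS):
    """Known images running outside their expected directories."""
    out = []
    for path, _ in paths:
        fname = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        if fname in EXPECTED_DIRS and folder not in EXPECTED_DIRS[fname]:
            out.append(path)
    return out
```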

Chuck Leaver – As Connected Devices Increase It Will Be More Difficult To Define An Endpoint

Written By Roark Pollock And Presented By Ziften CEO Chuck Leaver


It wasn’t long ago that everybody understood what you meant if you raised the subject of an endpoint. If somebody wanted to sell you an endpoint security solution, you knew what devices that software was going to protect. But when I hear someone casually discuss endpoints today, The Princess Bride’s Inigo Montoya comes to mind: “You keep using that word. I do not think it means what you think it means.” Today an endpoint could be almost any type of device.

In fact, endpoints are so diverse today that people have resorted to calling them “things.” According to Gartner, at the close of 2016 there were more than 6 billion “things” connected to the internet. The consulting firm forecasts that this number will climb to 21 billion by the year 2020. The business use of these things will be both generic (e.g. connected light bulbs and HVAC systems) and industry specific (e.g. oil rig safety monitoring). For IT and security teams responsible for connecting and protecting endpoints, this is only half of the new challenge, however. The embrace of virtualization technology has redefined what an endpoint is, even in environments in which these teams have traditionally operated.

The last decade has seen an enormous change in the way end users access information. Physical devices continue to become more mobile, with many information workers now doing the majority of their computing and communication on laptops and mobile phones. More importantly, everyone is becoming an information worker. Today, better instrumentation and monitoring have enabled levels of data collection and analysis that can make the insertion of information technology into almost any job profitable.

At the same time, more conventional IT assets, particularly servers, are being virtualized to remove some of the traditional constraints of having those assets tied to physical devices.

These two trends together will affect security teams in crucial ways. The totality of “endpoints” will include billions of long-lived and insecure IoT endpoints as well as billions of virtual endpoint instances that will be scaled up and down as needed, and migrated to different physical locations as needed.

Enterprises will have very different concerns about these two basic types of endpoints. Over their lifetimes, IoT devices will need to be protected from a host of threats, some of which have yet to be dreamed up. Tracking and securing these devices will require advanced detection capabilities. On the positive side, it will be possible to maintain well-defined log data to enable forensic investigation.

Virtual endpoints, on the other hand, present their own essential issues. The ability to move their physical location makes it much more difficult to guarantee that the correct security policies are always attached to the endpoint. The practice of re-imaging virtual endpoints can make forensic investigation challenging, as important data is generally lost when a new image is applied.

So it does not matter what word or phrase is used to describe your endpoints – endpoint, system, user device, client device, mobile device, server, virtual device, container, cloud workload, IoT device, and so on – it is essential to understand precisely what someone means when they use the term endpoint.

Chuck Leaver – The Importance Of Detection Post Compromise

Written By Dr Al Hartmann And Presented By Chuck Leaver CEO Ziften

If Prevention Has Failed Then Detection Is Important

The final scene in the well-known Vietnam War movie Platoon depicts a North Vietnamese Army regiment in a surprise night-time attack breaching the concertina wire perimeter of an American Army battalion, overrunning it, and slaughtering the surprised defenders. The desperate company commander, understanding their dire defensive predicament, orders his air support to strike his own position: “For the record, it’s my call – Dump everything you’ve got left on my position!” Moments later the battlefield is immolated in a napalm hellscape.

Although a physical conflict, this illustrates two elements of cybersecurity: (1) you have to handle inevitable perimeter breaches, and (2) it can be bloody hell if you do not detect early and respond forcefully. MITRE Corporation has been leading the call to rebalance cyber security priorities to place due focus on breach detection in the network interior, instead of concentrating only on penetration prevention at the network perimeter. Rather than defense in depth, the latter produces a flawed “tootsie pop” defense – hard, crunchy shell, soft chewy center. Writing in a MITRE blog, “We could see that it wouldn’t be a question of if your network will be breached but when it will be breached,” explains Gary Gagnon, MITRE’s senior vice president, director of cyber security, and chief security officer. “Today, companies are asking ‘How long have the trespassers been within? How far have they got?’”

Some call this the “assumed breach” approach to cyber security, or, as posted to Twitter by F-Secure’s Chief Research Officer:

Question: How many of the Fortune 500 are compromised? Answer: 500.

This is based on the probability that any sufficiently complex cyber environment has an existing compromise, and that Fortune 500 enterprises are of magnificently complex scale.

Shift the Burden of Perfect Execution from the Defenders to the Attackers.

The traditional cybersecurity perspective, derived from the legacy perimeter defense model, has been that the attacker only needs to be right once, while the defender must be right every time. A sufficiently resourced and persistent attacker will eventually achieve penetration. And time to successful penetration decreases with increasing size and complexity of the target enterprise.

A perimeter- or prevention-reliant cyber-defense model essentially demands perfect execution by the defender, while ceding success to any sufficiently sustained attack – a recipe for certain cyber catastrophe. For example, a leading cybersecurity red team reports successful enterprise penetration in under 3 hours in more than 90% of their client engagements – and these white hats are restricted to ethical means. Your enterprise’s black hat adversaries are not so constrained.

To be practical, the cyber defense strategy must turn the tables on the attackers, shifting to them the unreachable burden of perfect execution. That is the rationale for a strong detection capability that continuously monitors endpoint and network behavior for any unusual signs or observed attacker footprints inside the perimeter. The more sensitive the detection capability, the more care and stealth the attackers must exercise in executing their kill chain sequence, and the more time, labor and talent they must invest. The defenders need only observe a single attacker footfall to reveal their tracks and unravel the attack kill chain. Now the defenders become the hunter, the attackers the hunted.


MITRE provides a comprehensive taxonomy of attacker footprints, covering the post-compromise portion of the kill chain, known by the acronym ATT&CK, for Adversarial Tactics, Techniques, and Common Knowledge. ATT&CK project team leader Blake Strom says, “We decided to concentrate on the post attack period [portion of kill chain lined in orange below], not only because of the strong likelihood of a breach and the dearth of actionable details, but also because of the many opportunities and intervention points readily available for efficient defensive action that do not always rely on prior knowledge of adversary tools.”




As shown in the MITRE figure above, the ATT&CK model provides extra granularity on the post-compromise stages of the attack kill chain, breaking them out into ten tactic categories. Each tactic category is further detailed into a list of techniques an attacker might employ in carrying out that tactic. The January 2017 update of the ATT&CK matrix lists 127 techniques across its ten tactic categories. For instance, Registry Run Keys / Start Folder is a technique in the Persistence category, Brute Force is a technique in the Credentials category, and Command Line Interface is a technique in the Execution category.

Leveraging Endpoint Detection and Response (EDR) in the ATT&CK Model

Endpoint Detection and Response (EDR) products, such as Ziften provides, give vital visibility into attacker use of techniques listed in the ATT&CK model. For example, Registry Run Keys / Start Folder technique usage is reported, as is Command Line Interface usage, because both involve readily observable endpoint behavior. Brute Force use in the Credentials category should be blocked by design in every authentication architecture and be observable from the resulting account lockout. But even here the EDR solution can report events such as failed login attempts, where an attacker may have a few guesses to try while remaining under the account lockout attempt limit.

For attentive defenders, any technique usage may be the attack giveaway that unravels the whole kill chain. EDR solutions compete on their technique observation, reporting, and alerting capabilities, as well as on their analytics potential to carry out more of the attack pattern detection and kill chain reconstruction in support of the security analysts staffing the enterprise SOC. Here at Ziften we will outline more of our EDR solution’s capabilities in support of the ATT&CK post-compromise detection model in future blogs in this series.
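An added example (not Ziften's code) of how endpoint events can be tagged with the three techniques named above and ordered into a chain, including the failed-logon case that stays under the lockout limit. The event records, hosts and accounts are constructed; the lockout threshold and window are an assumed domain policy, and the tactic labels follow this post's wording rather than an official ID list.

```python
"""Map constructed EDR events onto the ATT&CK techniques named in this post.

Added example, not Ziften's code. The event records, host names and accounts are
constructed; the lockout threshold and window are an assumed domain policy, and
the tactic labels follow the post's wording rather than an official ID list.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                # assumed policy: lock the account at 5 failures
LOCKOUT_WINDOW = timedelta(minutes=30)
MIN_SUSPICIOUS_FAILURES = 3          # "a few guesses" worth reporting even without lockout
RUN_KEY_MARKERS = ("\\currentversion\\run", "\\start menu\\programs\\startup")
SHELLS = {"cmd.exe", "powershell.exe"}


def ev(ts, host, kind, **fields):
    """Build one constructed endpoint event."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields}


# Constructed sample: four bad passwords (under lockout), then a shell, then a Run key.
EVENTS = [
    ev("2017-03-02T09:00:10", "WS-017", "logon_failed", account="CORP\\admin"),
    ev("2017-03-02T09:05:42", "WS-017", "logon_failed", account="CORP\\admin"),
    ev("2017-03-02T09:11:03", "WS-017", "logon_failed", account="CORP\\admin"),
    ev("2017-03-02T09:16:55", "WS-017", "logon_failed", account="CORP\\admin"),
    ev("2017-03-02T09:17:30", "WS-017", "logon_failed", account="CORP\\jdoe"),
    ev("2017-03-02T09:20:01", "WS-017", "process_create", image="cmd.exe",
       user="CORP\\admin"),
    ev("2017-03-02T09:20:09", "WS-017", "process_create", image="notepad.exe",
       user="CORP\\admin"),
    ev("2017-03-02T09:21:14", "WS-017", "registry_set", user="CORP\\admin",
       key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
       value="C:\\Users\\admin\\AppData\\Roaming\\updater.exe"),
]


def map_technique(event):
    """(tactic, technique) for a directly observable event, or None."""
    kind = event["kind"]
    if kind == "registry_set" and any(m in event["key"].lower() for m in RUN_KEY_MARKERS):
        return ("Persistence", "Registry Run Keys / Start Folder")
    if kind == "file_create" and any(m in event["path"].lower() for m in RUN_KEY_MARKERS):
        return ("Persistence", "Registry Run Keys / Start Folder")
    if kind == "process_create" and event["image"].lower() in SHELLS:
        return ("Execution", "Command Line Interface")
    return None


def under_lockout_guessing(events):
    """Accounts with enough failed logons in one window to matter, but too few to lock out."""
    failures = defaultdict(list)
    for e in events:
        if e["kind"] == "logon_failed":
            failures[(e["host"], e["account"])].append(e["ts"])
    found = {}
    for key, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > LOCKOUT_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if MIN_SUSPICIOUS_FAILURES <= best < LOCKOUT_THRESHOLD:
            found[key] = best
    return found


def reconstruct_chain(events):
    """Time-ordered (ts, host, tactic, technique) list: the kill chain seen from the endpoint."""
    chain = []
    for e in events:
        hit = map_technique(e)
        if hit:
            chain.append((e["ts"], e["host"], *hit))
    for (host, account), n in under_lockout_guessing(events).items():
        last = max(e["ts"] for e in events if e["kind"] == "logon_failed"
                   and e["host"] == host and e.get("account") == account)
        chain.append((last, host, "Credentials",
                      f"Brute Force ({n} failures, under lockout) on {account}"))
    return sorted(chain)
```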


Chuck Leaver – Recap Of RSA 2017 Customized Security Solutions Required

Written By Michael Vaughan And Presented By Chuck Leaver Ziften CEO


More customized solutions are required by security, network and operational teams in 2017

Many of us have attended security conventions for years, but none bring the same high level of excitement as RSA, where the world talks security. Of all the conventions I have attended and worked, nothing comes close to the passion for new technology people exhibited this past week in good old San Francisco.

After taking a few days to absorb the many discussions about the requirements and constraints of existing security solutions, I have been able to synthesize a single theme among participants:

People want personalized solutions that fit their environment and work well across multiple internal teams.

When I use the term “people,” I mean everyone in attendance regardless of technological segment. Operational experts, security professionals, network veterans, and even user behavior experts often visited the Ziften booth and shared their stories with us.

Everybody seemed more ready than ever to discuss their wants and needs for their environment. These attendees had their own set of goals they wanted to achieve within their department and they were hungry for answers. Because the Ziften Zenith solution offers such broad visibility on business devices, it is not surprising that our booth remained crowded with people eager to learn more about a new, refreshingly simple endpoint security technology.

Guests voiced complaints about myriad enterprise-centric security issues and sought deeper insight into what is really happening on their network and on devices traveling in and out of the workplace.

End users of old-school security solutions are on the lookout for newer, more pivotal software.

If I could pick just one of the frequent questions I got at RSA to share, it is this one:

“What exactly is endpoint discovery?”

1) Endpoint discovery: Ziften exposes a historical view of unmanaged devices which have been connected to other business endpoints at some point in time. Ziften allows users to discover known and unknown entities which are active or have been interacting with known endpoints.

a. Unmanaged Asset Discovery: Ziften uses our extension platform to reveal these unknown entities operating on the network.

b. Extensions: These are custom-fit solutions tailored to the user’s particular wants and needs. The Ziften Zenith agent can execute the assigned extension one time, on a schedule, or constantly.

Almost always after the above explanation came the real reason they were attending:

People are looking for a wide range of solutions for different departments, including executives. This is where working at Ziften makes addressing this concern a treat.

Only a portion of the RSA participants are security specialists. I spoke with many network, operations and endpoint management staff, vice presidents, general managers and channel partners.

They clearly all use and understand the need for quality security software, but apparently find the translation to business value missing among security vendors.

NetworkWorld’s Charles Araujo phrased the concern quite well in a post last week:

Organizations need to also rationalize security data in a company context and manage it holistically as part of the general IT and business operating model. A group of vendors is likewise attempting to tackle this obstacle …

Ziften was among only three businesses mentioned.

After listening to the wants and needs of people from numerous business-critical backgrounds and describing to them the capabilities of Ziften’s Extension platform, I typically described how Ziften would adapt an extension to solve their requirement, or I gave them a brief demonstration of an extension that would allow them to overcome an obstacle.

2) Extension Platform: Tailored, actionable solutions.

a. SKO Silos: Extensions based on fit and need (operations, network, endpoint, etc.).

b. Custom Requests: Need something you do not see? We can fix that for you.

3) Enhanced Forensics:

a. Security: Threat management, Threat Assessment, Vulnerabilities, Suspicious metadata.

b. Operations: Compliance, License Justification, Unmanaged Assets.

c. Network: Ingress/Egress IP movement, Domains, Volume metadata.

4) Visibility within the network – Not just what goes in and out.

a. ZFlow: Finally see the network traffic inside your business.

Needless to say, everybody I spoke with in our booth quickly understood the vital benefit of having a tool such as Ziften Zenith running in and across their business.

Forbes writer Jason Bloomberg put it very well when he recently described the future of business security software and how all signs point toward Ziften leading the way:

Perhaps the broadest disruption: vendors are improving their ability to comprehend how bad actors behave, and can therefore take steps to prevent, identify or alleviate their malicious activities. In particular, today’s suppliers comprehend the ‘Cyber Kill Chain’ – the actions an experienced, patient hacker (known in the biz as an advanced persistent threat, or APT) will take to achieve his/her wicked goals.

The product of U.S. defense contractor Lockheed Martin, the Cyber Kill Chain consists of seven links: reconnaissance, weaponization, delivery, exploitation, installation, establishing command and control, and actions on objectives.

Today’s more innovative suppliers target one or more of these links, with the goal of avoiding, finding or alleviating the attack. Five suppliers at RSA emerged in this category.

Ziften offers an agent-based approach to tracking the behavior of users, devices, applications, and network elements, both in real time and across historical data.

In real time, analysts use Ziften for threat identification and prevention, while they use the historical data to discover steps in the kill chain for mitigation and forensic purposes.