Archive for the ‘Attack Detection’ Category

Chuck Leaver – Using Powerful Hunting In Windows Defender ATP

Written By Josh Harriman And Presented By Chuck Leaver


Following our recent partnership announcement with Microsoft, the Ziften Security Research group has begun using a very useful part of the Windows Defender Advanced Threat Protection (Windows Defender ATP) platform in its Security Center. The Advanced Hunting feature lets users run queries against the data that has been sent in by products and tools, such as Ziften, to find interesting behaviors quickly. These queries can be saved and shared among the Windows Defender ATP user base.

We have added a handful of shared queries so far, but the results are quite interesting, and we like the ease of use of the hunting interface. Since Ziften sends endpoint data collected from macOS and Linux systems to Windows Defender ATP, we are focusing on those operating systems in our query development to showcase the full coverage of the platform.

You can access the Advanced Hunting interface by choosing the database icon on the left-hand side, as shown in the image below.

The top-level schema is shown at the top left of that page, with event tables such as Machineinfo, ProcessCreation, NetworkCommunication and others. We ran some recent malware in our Red Lab and wrote queries to find that data and produce results for examination. One example was OceanLotus. We wrote a few queries to find both the dropper and the files associated with this threat.

After running the queries, you get results that you can interact with.

On review of the results, we see some systems that exhibited the behavior we searched for. When you select one of these systems, you can see the details of the system under investigation, including the alerts triggered and an event timeline. Details from the malicious process are shown in the image below.

Additional behavior-based queries can also be run. For instance, we executed another malicious sample that used a small number of techniques, and we queried for those. The screenshot directly below shows a query we ran to look for the Gatekeeper feature on macOS being disabled from the command line. While this could be an administrative action, it is definitely something you would want to know is happening within your environment.

From these query results, you can again select the system under investigation and examine the suspicious behaviors further.

This blog is not an in-depth tutorial on using the Advanced Hunting feature within the Windows Defender Advanced Threat Protection platform. We simply wanted to put something together quickly to share our enthusiasm for how easy it is to use this feature to perform your own custom threat hunting in a multi-system environment, across Windows, macOS and Linux systems.

We look forward to sharing more of our experiments and research using queries built with the Advanced Hunting feature. We share our successes with everyone here, so check this blog often.

Chuck Leaver – New Intelligent Security Association From Microsoft Is Great

Written By David Shefter And Presented By Chuck Leaver


It’s an excellent strategy: Microsoft has created a mechanism for third-party security companies, like Ziften, to work together to better protect our customers. Everybody wins with the new Microsoft Intelligent Security Association, announced very recently, and we are overjoyed to be a founding member and to be included in the launch. Kudos to Microsoft!

Sharing of Security Intelligence

Among the most interesting projects coming out of Microsoft has been the new Microsoft Intelligent Security Graph, a threat intelligence engine built on machine learning. The Intelligent Security Graph forms the foundation of the new association, and the foundation of a great many new opportunities for innovation.

As Microsoft says, “At the present time, with the immense computing benefits offered by the cloud, Machine Learning and Artificial Intelligence are finding new ways to use its rich analytics engines and by applying a mix of automated and manual processes, artificial intelligence and human experts, we are able to develop a smart security graph that develops from itself and develops in real time, minimizing our cumulative time to discover and respond to brand-new incidents.”

The need for better, more intelligent security is significant, which is why we’re thrilled to be a founding member of the new association.

Brad Anderson, Microsoft Corporate Vice President, Enterprise Mobility + Security, recently wrote, “Approximately 96 percent of all malware is polymorphic – meaning that it is only experienced by a single user and device prior to being changed with yet another malware variant. This is because for the most part malware is captured nearly as quickly as it’s developed, so malware developers constantly develop to try and stay ahead. Data such as this hammers home how crucial it is to have security solutions in place that are as nimble and ingenious as the attacks.”

Endpoint Detection and Response that is Advanced

Which brings us to the kind of advanced endpoint detection and response (EDR) that Ziften provides for desktops, servers, and cloud assets, giving the organization unique 24/7 visibility and control of any asset, anywhere. Nobody else provides the functionality you’ll find in Ziften’s Zenith security platform.

That’s where the Microsoft Intelligent Security Association comes in. At the end of the day, even the best defenses may be breached, and security teams must respond faster and more forcefully to ensure the security of their data and systems.

Ziften and Microsoft are delivering fully integrated threat protection that covers customers’ endpoints, meaning client devices, servers, and the cloud, with a foundation of shared intelligence and the power of the cloud to transform the monitoring of organizational systems.

What Microsoft is Saying

“The Intelligent Security Association improves cooperation from leading sources to protect customers,” said Microsoft. “Having actually already attained strong client momentum with our integrated Ziften and Microsoft Windows Defender ATP option, clients stand to further gain from continued partnership.”

Additionally, “Continued integration and intelligence sharing within the context of the Microsoft Intelligent Security Graph enables joint customers to more quickly and properly discover, examine and react to attacks throughout their whole endpoint and cloud base.”

What Ziften is Saying

Ziften’s CEO, Chuck Leaver, is telling everyone that our founding membership in the Microsoft Intelligent Security Association is a significant win for our joint customers and prospects, and that it unites everyone in the Microsoft universe and beyond (note that Ziften’s Mac and Linux products are also part of the Microsoft partnership). “As security vendors, we all recognize the need to work together and team up to protect our clients and their workers. Congratulations to Microsoft for pioneering this industry effort,” Chuck said.

The result: improved security for our customers, and tighter integration and more innovation in the industry. It’s a genuine win for everybody. Apart from the hackers, naturally. They lose. No apologies, people.

Chuck Leaver – Great Security Opportunity For Microsoft Channel Partners

Written By Greg McCreight And Presented By Chuck Leaver


Windows Defender Advanced Threat Protection (WDATP) is very good, and popular with Microsoft channel partners around the world. It is likely that you’re already working with Microsoft customers to set up and look after WDATP on their Windows endpoints.

I’m thrilled to tell you about a new opportunity: get a fast start with an industry-leading solution that integrates directly into WDATP: Ziften Zenith. For a limited time, Microsoft channel partners can use our new “Fast Start” program to partner with Ziften.

With “Fast Start,” you enjoy all the benefits of Ziften’s top-tier partner status for a full year, and we’ll help you get up and running quickly with joint marketing and business development resources, and with a waiver of the usual sales volume commitment associated with Gold Status.

If you don’t know Ziften, we provide infrastructure visibility and coordinated threat detection, prevention, and response across all endpoint devices and cloud environments. Zenith, our flagship security platform, deploys easily to client devices, servers, and virtual machines.

Once installed, Zenith continuously collects all the information needed to properly assess the current and historical state of all managed devices, including system, user behavior, network connection, application, binary, and process data. Zenith gives your customers’ IT and security teams constant visibility and control of all managed assets, including continuous monitoring, alerting, and automated or manual actions.

Zenith is cross-platform: it works with and protects Windows, Mac, Linux, and other endpoints.

What’s especially notable, and here’s the opportunity, is that Ziften has worked with Microsoft to integrate Zenith with Windows Defender ATP. That means your customers can use WDATP on Windows systems and Zenith on their macOS and Linux systems to detect, view, and respond to cyberattacks, all from the WDATP Management Console for every system. Zenith works quietly in the background.

A single pane of glass to manage Windows, Mac, and Linux endpoints, which can include desktops, notebooks, and servers. That makes Zenith an ideal solution to offer your existing WDATP customers… and to make your bids for new WDATP business more comprehensive for multi-platform prospects.

Furthermore, offering Zenith can help you speed customer migrations to Windows 10, and sell more Business E5 commercial editions.

“Fast Start” with Gold Status for a Year

Ziften is absolutely focused on the channel: 96% of our sales in 2017 were through the channel. We are delighted to bring the “Fast Start” program to existing Microsoft channel partners, anywhere in the world.

With “Fast Start,” you can sign up for the Ziften Channel Program with these advantages:

Expedited Approval and On-Boarding – Ziften channel managers and field sales work directly with you to get you up and running delivering the Zenith endpoint security solution integrated with Windows Defender ATP.

Superior Security Value – You’ll be uniquely positioned to give customers and prospects greater security value across more of their overall environment than ever, increasing the number of supported and protected Windows, Mac, and Linux systems.

Hands-On Collaboration – Ziften dedicates field sales, sales engineers, and marketing to support your daily pre-sales engagements, drive new sales opportunities, and help close more deals with Microsoft and Ziften endpoint security.

Here’s what one major Microsoft channel partner says about this. This is Ronnie Altit, founder and CEO of Insentra, a “partner-obsessed” Australian IT services company that works solely through the IT channel:

“As a large Microsoft reseller, teaming with Ziften to provide their Zenith security platform integrated with Microsoft Windows Defender ATP was a no-brainer. We’re thrilled at the seamless integration between Zenith and Windows Defender ATP giving our customers holistic protection and visibility throughout their Windows and non-Windows systems. Ziften has actually been a pleasure to work with, and helpful at every step of the procedure. We expect to be exceptionally successful offering this powerful security service to our clients.”

Chuck Leaver – The Advantages Of The Security Industry Working Together

Written By Chuck Leaver

No one can solve cybersecurity alone. No single solution provider, no single vendor, no one can take on the whole thing. Tackling security requires cooperation between different companies.

In some cases, those players are at different levels of the service stack: some install on endpoints, some within applications, others within network routers, others at the telco or in the cloud.

Sometimes, those companies each have a particular best-of-breed piece of the puzzle: one player focuses on e-mail, others on crypto, others on interrupting the kill chain.

From the enterprise customer’s point of view, effective security requires assembling a set of tools and services into a working whole. From the suppliers’ viewpoint, effective security requires strategic alliances. Sure, each vendor, whether making hardware, writing software, or offering services, has its own products and intellectual property. Nevertheless, we all work better when we work together, to enable integrations and make life easy for our resellers, our integrators, and the end customer.

Paradoxically, not only can suppliers make more money through strategic alliances, but end customers save money at the same time. Why? A number of factors.

Customers don’t waste their money (and time) on products with overlapping capabilities. Customers don’t need to waste money (and time) building custom integrations. And customers won’t waste money (and time) trying to debug systems that fight each other, such as by triggering additional notifications or hard-to-find incompatibilities.

The Ultimate Trifecta – Products, Solutions, and Channels

All three work together to meet the needs of the business customer, and also benefit the suppliers, who can concentrate on doing what they do best, relying on strategic alliances to build complete solutions from the jigsaw puzzle pieces.

Generally speaking, those solutions require more than simple APIs, which is where strategic alliances come in.

Consider the integration between solutions (like a network threat scanner or Ziften’s endpoint visibility solutions) and analytics options. End customers don’t want to run a whole load of different dashboards, and they don’t want to manually correlate anomaly findings from a lot of different security tools. Strategic alliances between product suppliers and analytics solutions, whether on-site or in the cloud, make sense for everybody. That includes the channel, which can sell and support complete solutions that are already dialed in, already debugged, already documented, and will work with the least hassle possible.

Or consider the integration of solutions and managed security services providers (MSSPs). They want to offer prospective customers pre-packaged solutions, ideally ones that can run in their multi-tenant clouds. That means the products need to be scalable, with compatible license terms. They must be well integrated with the MSSP’s existing dashboards and administrative control systems. And naturally, they have to feed into predictive analytics and incident response programs. The best way to do that? Through strategic alliances, both horizontally with other solution vendors, and with major MSSPs as well.

How about major value-added resellers (VARs)? VARs need solutions that are easy to understand, easy to support, and easy to add to existing security deployments. This makes new solutions more attractive, more cost-effective, simpler to set up and easier to support, and strengthens the VAR’s customer relationships.

What do they look for when adding to their solution portfolio? New products that have strategic alliances with their existing product offerings. If you don’t dovetail with the VAR’s portfolio partners, well, you probably don’t dovetail.

Two Examples: Fortinet and Microsoft

No one can solve cybersecurity alone, and that includes giants like Fortinet and Microsoft.

Consider the Fortinet Fabric-Ready Partner Program, where technology alliance partners integrate with the Fortinet Security Fabric by means of Fabric APIs and are able to actively collect and share information to enhance threat intelligence, improve overall threat awareness, and broaden threat response from end to end. As Fortinet explains in its Fortinet Fabric-Ready Partner Program Overview, “partner inclusion in the program signals to customers and the industry as a whole that the partner has actually teamed up with Fortinet and leveraged the Fortinet Fabric APIs to develop verified, end-to-end security options.”

Likewise, Microsoft is pursuing a similar approach with the Windows Defender Advanced Threat Protection program. Microsoft recently accepted just a few key partners into this security program, saying, “We’ve spoken with our customers that they desire protection and visibility into possible hazards on all their device platforms and we’ve relied on partners to assist address this need. Windows Defender ATP provides security groups a single pane of glass for their endpoint security and now by working together with these partners, our customers can extend their ATP service to their entire install base.”

We’re the first to admit: Ziften cannot solve security alone. No one can. The best way forward for the security market is to move forward together, through strategic alliances combining product vendors, service providers, and the channel. That way, we all win: vendors, service providers, channel partners, and business customers alike.

Chuck Leaver – Be Careful Of This Microsoft Word Feature And Phishing Attacks

Written By Josh Harriman And Presented By Chuck Leaver


An intriguing multifaceted attack was reported in a recent blog by Cisco’s Talos Intelligence group. I wanted to talk about the infection vector of this attack, as it’s quite interesting and something Microsoft has said it will not fix, since it is a feature and not a bug. Reports can be found of attacks in the wild that make use of a feature in Microsoft Word called Dynamic Data Exchange (DDE). Details of how this is accomplished are reported in this blog from SecureData.

Special Phishing Attack with Microsoft Word

Attackers constantly look for new ways to breach a company. Phishing attacks are one of the most common, as attackers rely on someone either opening a document sent to them or visiting a ‘faked’ URL. From there, an exploit against a vulnerable piece of software usually provides the access needed to begin the attack.

In this case, however, the documents didn’t have a malicious object embedded in the Word file, which is a favored attack vector, but instead used this feature in a sly way that lets the Word program reach out and retrieve the real malicious files. In this way the attackers could hope for a better infection rate, since malicious Word files themselves can be scanned and deleted before they reach the recipient.

Hunting for Suspicious Behaviors with Ziften Zenith

Here at Ziften, we wanted to be able to alert on this behavior for our customers. Finding conditions that show ‘odd’ behavior, such as Microsoft Word spawning a shell, is interesting and not expected. Take it a step further and look for PowerShell running from that spawned shell, and it gets ‘very’ interesting. Through our Search API, we can discover these behaviors whenever they happened. We don’t need the system to be switched on at the time of the search: if it has run a program (in this case Word) that exhibited these behaviors, we can find that system. Ziften is constantly collecting and sending the relevant process information, which is why we can find the data without depending on the system’s state at the time of searching.

In our Zenith console, I searched for this condition by looking for the following:

Process → Filepath includes word.exe, Child Process Filepath includes cmd.exe, Child Process
commandline includes powershell

This returns the PIDs (Process IDs) of the processes we saw start up under these conditions. From there we can drill down to see the critical details.
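As an added example (not Ziften’s code, and not the Zenith Search API), the following Python re-creates that saved search offline over constructed process-creation records: it joins each child to its parent, applies the three ‘includes’ conditions above, and then drills down into the matching process tree the way the console views do. The record layout, host names, users and command lines are assumptions made for the sample.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record. Field names are our own (hypothetical),
    not the Zenith schema."""
    pid: int
    ppid: int
    filepath: str
    cmdline: str
    host: str
    user: str
    start: str  # ISO-8601 start time


# Constructed sample telemetry. Host wks-17 shows the Word -> cmd.exe ->
# PowerShell chain the post hunts for; the other records are benign noise
# and a near miss, so the rule's precision can be checked.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(1200, 800, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
                 '"WINWORD.EXE" /n "invoice.docx"', "wks-17", r"CORP\jdoe",
                 "2017-10-19T14:02:11"),
    ProcessEvent(1344, 1200, r"C:\Windows\System32\cmd.exe",
                 'cmd.exe /c powershell -NoProfile -w hidden -c "<constructed placeholder>"',
                 "wks-17", r"CORP\jdoe", "2017-10-19T14:02:40"),
    ProcessEvent(1410, 1344, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -NoProfile -w hidden -c "<constructed placeholder>"',
                 "wks-17", r"CORP\jdoe", "2017-10-19T14:02:41"),
    # Benign: Word with no child shell at all.
    ProcessEvent(2200, 900, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
                 '"WINWORD.EXE" /n "notes.docx"', "wks-22", r"CORP\asmith",
                 "2017-10-19T15:10:03"),
    # Benign: admin opened cmd.exe from Explorer (parent not collected) and ran ipconfig.
    ProcessEvent(2310, 910, r"C:\Windows\System32\cmd.exe", "cmd.exe",
                 "wks-22", r"CORP\asmith", "2017-10-19T15:12:55"),
    ProcessEvent(2320, 2310, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all",
                 "wks-22", r"CORP\asmith", "2017-10-19T15:13:01"),
    # Near miss: Word spawned cmd.exe, but its command line never mentions powershell.
    ProcessEvent(3100, 950, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
                 '"WINWORD.EXE" /n "report.docx"', "wks-31", r"CORP\bkim",
                 "2017-10-19T16:00:00"),
    ProcessEvent(3150, 3100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir",
                 "wks-31", r"CORP\bkim", "2017-10-19T16:00:30"),
]


def _includes(haystack: str, needle: str) -> bool:
    """Case-insensitive substring match, as the console's 'includes' reads."""
    return needle.lower() in haystack.lower()


def find_word_shell_chains(events: List[ProcessEvent]) -> List[Tuple[int, int]]:
    """Return (word_pid, cmd_pid) pairs meeting all three saved-search conditions:
    parent filepath includes word.exe, child filepath includes cmd.exe, child
    command line includes powershell. Note that 'word.exe' is also a substring
    of WINWORD.EXE, which is why the console condition matches it."""
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    hits: List[Tuple[int, int]] = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue  # parent started before collection began; nothing to join on
        if (_includes(parent.filepath, "word.exe")
                and _includes(child.filepath, "cmd.exe")
                and _includes(child.cmdline, "powershell")):
            hits.append((parent.pid, child.pid))
    return sorted(hits)


def describe_chain(events: List[ProcessEvent], root_pid: int) -> dict:
    """Drill-down for one hit: host, user and start time of the root process,
    plus the process tree beneath it as (depth, event) pairs, depth-first and
    ordered by pid. This mirrors the tree and the system details the post's
    console screenshots show side by side."""
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[ProcessEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    root = by_pid[root_pid]
    tree: List[Tuple[int, ProcessEvent]] = []

    def walk(p: ProcessEvent, depth: int) -> None:
        tree.append((depth, p))
        for c in sorted(children.get(p.pid, []), key=lambda x: x.pid):
            walk(c, depth + 1)

    walk(root, 0)
    return {"host": root.host, "user": root.user, "start": root.start, "tree": tree}


if __name__ == "__main__":
    for word_pid, cmd_pid in find_word_shell_chains(SAMPLE_EVENTS):
        info = describe_chain(SAMPLE_EVENTS, word_pid)
        print(f"hit on {info['host']} ({info['user']}) at {info['start']}: "
              f"word={word_pid} cmd={cmd_pid}")
        for depth, p in info["tree"]:
            print("  " * depth + f"{p.pid} {p.filepath} :: {p.cmdline}")
```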

In this first image, we can see details of the process tree (Word spawning CMD, with PowerShell under it) on the left, and on the right you can see details such as the system name and user, plus the start time.

In the next image below, we look at the CMD process and get details of what was passed to PowerShell.

Most likely, when the user answered this Microsoft Word pop-up dialog box, that is when the CMD shell used PowerShell to go out and retrieve some code hosted on the Louisiana Gov website. In the PowerShell image below we can see more details, such as the Network Connect information when it was reaching out to the website to pull the fonts.txt file.

That IP address ( is in fact the Louisiana Gov website. We often see interesting data within our Network Connect information that may not match what you expect.

After creating our Saved Search, we can alert on these conditions as they occur across the environment. We can also build extensions that change a GPO policy to disallow DDE, or even go further and locate these files and remove them from the system if desired. Being able to find interesting combinations of conditions within an environment is extremely powerful, and we are delighted to have this feature in our offering.

Chuck Leaver – Prevent And Manage Ransomware With These 4 Steps

Written By Alan Zeichick And Presented By Chuck Leaver


Ransomware is real, and it is threatening individuals, businesses, schools, hospitals and governments, and there’s no sign that ransomware is stopping. In fact, it’s probably increasing. Why? Let’s be honest: ransomware is probably the single most efficient attack that hackers have ever created. Anybody can build ransomware using readily available tools; any money received is likely in untraceable Bitcoin; and if something goes wrong with decrypting someone’s hard drive, the hacker isn’t affected.

A business is hit with ransomware every 40 seconds, according to some sources, and 60% of malware incidents were ransomware. It strikes all sectors. No industry is safe. And with the rise of RaaS (Ransomware-as-a-Service) it’s going to get worse.

The good news: we can fight back. Here’s a four-step battle plan.

Good Basic Hygiene

It begins with training employees how to handle malicious e-mails. There are forged messages from business partners. There’s phishing and targeted spearphishing. Some will get past email spam/malware filters; employees need to be taught not to click links in those messages, and of course not to give permission for plugins or apps to be installed.

However, some malware, like ransomware, will get through, typically by exploiting obsolete software or unpatched systems, just as in the Equifax breach. That’s where the next step comes in:

Ensuring that endpoints are fully patched and fully updated with the latest, most secure operating system, applications, utilities, device drivers, and code libraries. That way, if there is an attack, the endpoint is healthy and best able to fight the infection.

Ransomware isn’t really a technology or security problem. It’s a business problem. And it’s about much more than the ransom demanded. That’s peanuts compared to the loss of productivity from downtime, bad public relations, angry customers if service is disrupted, and the cost of rebuilding lost data. (And that assumes that valuable intellectual property or protected financial or consumer health data isn’t stolen.)

What else can you do? Backup, backup, backup, and protect those backups. If you don’t have safe, protected backups, you cannot restore data and core infrastructure in a timely fashion. That includes taking daily snapshots of virtual machines, databases, applications, source code, and configuration files.

Businesses need tools to detect, identify, and prevent malware like ransomware from spreading. This requires continuous visibility into and reporting on what’s happening in the environment, including “zero day” attacks that have not been seen before. Part of that is monitoring endpoints, from the smartphone to the PC to the server to the cloud, to make sure that endpoints are up to date and secure, and that no unexpected changes have been made to their underlying configuration. That way, if a machine is infected by ransomware or other malware, the breach can be detected quickly, and the device isolated and shut down pending forensics and recovery. If an endpoint is breached, quick containment is critical.

The 4 Tactics

Good user training. Keeping systems current with patches and fixes. Backing everything up as often as possible. And using monitoring tools to help both IT and security teams spot problems and respond rapidly to them. When it comes to ransomware, those are the four battle-tested tactics we need to keep our organizations safe.

You can learn more about this in a short 8-minute video, where I talk with several industry experts about this issue:

Chuck Leaver – Ziften Clients Are Protected From The Flaw In Petya Variant

Written By Josh Harriman And Presented By Chuck Leaver, Ziften CEO


Another outbreak, another problem for those who were not prepared. While this latest attack is similar to the earlier WannaCry threat, there are some differences in this latest malware, which is a variant or new strain similar to Petya. Dubbed NotPetya by some, this strain causes a great deal of trouble for anybody who encounters it. It may encrypt your data, or make the system entirely unusable. And now the email address you would need to contact to ‘maybe’ decrypt your files has been taken down, so you’re out of luck getting your files back.

Plenty of details on the actions of this threat are publicly available, but I wanted to note that Ziften customers are protected from both the EternalBlue exploit, which is one mechanism it uses to propagate, and, better still, by an inoculation based on a possible flaw, or its own type of debug check, that prevents the threat from ever executing on the system. It could still spread through the environment, but our protection would already be deployed to all existing systems to halt the damage.

Our Ziften extension platform lets our customers put protection in place against specific vulnerabilities and malicious actions for this threat and others like Petya. Besides the specific actions taken against this particular variant, we have taken a holistic approach to stopping particular strains of malware that perform various ‘checks’ against the system before executing.

We can also use our Search capability to look for remnants of the other propagation techniques used by this threat. Reports show WMIC and PsExec being used. We can search for those programs, their command lines and their usage. Although they are legitimate processes, their use is normally rare and can be alerted on.

With WannaCry, and now NotPetya, we expect to see a continued rise in these kinds of attacks. The release of the recent NSA exploits has given ambitious cyber criminals the tools they need to push out their wares. And though ransomware threats can be a high-value commodity vehicle, more damaging threats could be launched. It has always been ‘how’ to get the threats to spread (worm-like, or via social engineering) that is most difficult for them.

Chuck Leaver – Use SysSecOps To Bring IT And Security Together

Written By Chuck Leaver, Ziften CEO


Scott Raynovich nailed it. Having worked with hundreds of organizations, he realized that one of the biggest challenges is that security and operations are two different departments, with drastically different goals, different tools, and different management structures.

Scott and his analyst firm, Futuriom, recently completed a study, “Endpoint Security and SysSecOps: The Growing Trend to Develop a More Secure Business”, where one of the key findings was that conflicting IT and security goals prevent professionals, on both teams, from achieving their objectives.

That’s exactly what we believe at Ziften, and the term Scott coined to describe the convergence of IT and security in this domain, SysSecOps, explains perfectly what we’ve been talking about. Security teams and IT teams need to get on the same page. That means sharing the same objectives, and sometimes sharing the same tools.

Consider the tools IT people use. They are designed to ensure the infrastructure and end devices are working properly, and, when something goes wrong, to help fix it. On the endpoint side, those tools help ensure that devices allowed onto the network are configured properly, have software that is authorized and properly updated and patched, and have not registered any faults.

Consider the tools security people use. They work to enforce security policies on devices, infrastructure, and security appliances (like firewalls). This may include actively monitoring incidents, scanning for abnormal behavior, examining files to ensure they don’t contain malware, adopting the latest threat intelligence, matching against newly discovered zero-days, and performing analysis on log files.

Spotting fires, fighting fires

Those are two different worlds. The security teams are fire spotters: they can see that something bad is happening, can work quickly to isolate the problem, and can figure out whether damage occurred (like data exfiltration). The IT teams are the firefighters on the ground: they jump into action when an incident strikes to make sure the systems are made safe and brought back into operation.

Sounds good, doesn’t it? Sadly, all too often they don’t talk to each other; it’s like having the fire spotters and firefighters using incompatible radios, different jargon, and different city maps. Worse, the teams can’t share the same data directly.

Our approach to SysSecOps is to give both the IT and security teams the same resources, and that means the same reports, delivered in the right form for each set of professionals. It’s not dumbing down, it’s working smarter.

It’s ridiculous to operate any other way. Take WannaCry, for example. On one hand, Microsoft released a patch back in March 2017 that addressed the underlying SMB flaw. IT operations teams didn’t install the patch, because they didn’t think it was a big deal and didn’t talk with security. Security teams didn’t know whether the patch was installed, because they don’t talk to operations. SysSecOps would have had everyone on the same page, and could potentially have avoided this issue.

Missing data means waste and risk

The inefficient gap between IT operations and security exposes companies to risk. Preventable risk. Unnecessary risk. It’s simply unacceptable!

If your company’s IT and security teams aren’t on the same page, you are incurring risks and costs that you shouldn’t have to. It’s waste. Organizational waste. It’s wasteful because you have so many tools providing partial data with gaps, and each of your teams sees only part of the picture.

As Scott concluded in his report, “Coordinated SysSecOps visibility has currently shown its worth in assisting companies evaluate, analyze, and prevent considerable dangers to the IT systems and endpoints. If these goals are pursued, the security and management risks to an IT system can be greatly diminished.”

If your teams are working together in a SysSecOps way, if they can see the same data at the same time, you not only have better security and more effective operations – but also lower risk and lower costs. Our Zenith software can help you achieve that effectiveness, not only working with your existing IT and security tools, but also filling in the gaps to make sure everyone has the right data at the right time.

Chuck Leaver – Detect And Respond To WannaCry With Ziften And Splunk

Written by Joel Ebrahami and presented by Chuck Leaver

WannaCry has generated a great deal of media attention. It may not have the huge infection rates that we have seen with many previous worms, but in today’s security world the number of systems it was able to infect in one day was still somewhat shocking. The goal of this blog is NOT to offer a detailed analysis of the exploit, but rather to look at how the threat behaves on a technical level with Ziften’s Zenith platform and the integration we have with our technology partner Splunk.

Visibility of WannaCry in Ziften Zenith

My first step was to reach out to the Ziften Labs threat research team to see what details they could provide me about WannaCry. Josh Harriman, VP of Cyber Security Intelligence, heads up our research team and told me that they already had samples of WannaCry running in our ‘Red Lab’ to look at the behavior of the threat and perform further analysis. Josh sent me the details of what he found when examining the WannaCry samples in the Ziften Zenith console, which I present in this post.

The Red Lab has systems covering all the most common operating systems with various services and configurations. There were already systems in the lab that were deliberately vulnerable to the WannaCry threat. Our global threat intelligence feeds used in the Zenith platform are updated in real time, and had no trouble detecting the infection in our lab environment (see Figure 1).

Two lab systems were identified running the malicious WannaCry sample. While it is great to see our global threat intelligence feeds updated so quickly and identifying the ransomware samples, we also detected other behaviors that would have identified the ransomware threat even if there had been no threat signature.

Zenith agents gather a large amount of data on what is happening on each host. From this visibility data, we build non-signature-based detection techniques that look for commonly malicious or anomalous behavior. In Figure 2 below, we show the behavioral detection of the WannaCry infection.

Investigating the Scope of WannaCry Infections

Once the threat is detected, whether by signature or by behavior, it is very easy to see which other systems have also been infected or are exhibiting similar behavior.

Detecting WannaCry with Ziften and Splunk

After reviewing this information, I decided to run the WannaCry sample in my own environment on a vulnerable system. I had one vulnerable system running the Zenith agent, and in this example my Zenith server was already configured to integrate with Splunk. This allowed me to look at the same information inside Splunk. Let me explain the integration we have with Splunk.

We have two Splunk apps for Zenith. The first is our technology add-on (TA): its function is to ingest and index ALL the raw data from the Zenith server that the Ziften agents create. As this data is ingested it is mapped into Splunk’s Common Information Model (CIM) so that it is normalized and can be easily searched and used by other apps such as the Splunk App for Enterprise Security (Splunk ES). The Ziften TA also includes Adaptive Response capabilities for taking action on events that are rendered in Splunk ES. The second app is a dashboard for displaying our data with all the charts and graphs available in Splunk, to make absorbing the data much easier.

Because I already had the details on how the WannaCry threat behaved in our research lab, I had the advantage of knowing exactly what to look for in Splunk using the Zenith data. In this case I was able to see a signature alert via the VirusTotal integration with our Splunk app (see Figure 4).

Threat Hunting for WannaCry Ransomware in Ziften and Splunk

But I wanted to put on my “incident responder hat” and investigate this in Splunk using the Zenith agent data. My first thought was to search the systems in my lab for ones running SMB, because that was the initial vector for the WannaCry attack. The Zenith data is encapsulated in various message types, and I knew that I would most likely find SMB data in the running process message type; however, I used Splunk’s * wildcard with the Zenith sourcetype so I could search all Zenith data. The resulting search looked like ‘sourcetype=ziften:zenith:* smb’. As I expected, I got one result back for the system that was running SMB (see Figure 5).

My next step was to use the same behavioral search we have in Zenith that looks for common cryptoware behavior and see if I could get results back. Again this was very easy to do from the Splunk search panel. I used the same wildcard sourcetype as before so I could search across all Zenith data, and this time I added the ‘delete shadows’ string search to see if this behavior was ever executed at the command line. My search looked like ‘sourcetype=ziften:zenith:* delete shadows’. This search returned results, shown in Figure 6, that showed me in detail the process that was created and the full command line that was executed.

Having all this detail within Splunk made it very easy to identify which systems were vulnerable and which systems had already been compromised.
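The two hunts above can be reproduced offline against process-creation records. The following is an added example, not Ziften or Splunk code: the sample events and field names are constructed, free_text_hit approximates the implicit-AND behaviour of a Splunk free-text search such as ‘delete shadows’, and is_shadow_copy_deletion generalizes the post’s single string into a behavioural rule that also catches the wmic form of shadow-copy deletion that a literal ‘delete shadows’ search misses.

```python
import re
from collections import defaultdict

# Constructed process-creation records. Field names are an assumption for this
# example, not the Zenith message schema or Splunk CIM field names.
SAMPLE_EVENTS = [
    {"host": "lab-win7-01", "pid": 1208, "cmdline": "svchost.exe -k netsvcs"},
    {"host": "lab-win7-01", "pid": 2844,
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"host": "lab-win10-02", "pid": 3312, "cmdline": "vssadmin list shadows"},
    {"host": "lab-win10-03", "pid": 4120,
     "cmdline": "cmd.exe /c wmic shadowcopy delete"},
]


def free_text_hit(event, terms):
    """Approximate a Splunk free-text search like 'delete shadows': every
    whitespace-separated term must appear (case-insensitively) somewhere in
    the event, i.e. an implicit AND rather than a phrase match."""
    blob = " ".join(str(v) for v in event.values()).lower()
    return all(t.lower() in blob for t in terms.split())


# Behavioural rule for shadow-copy destruction, independent of the exact tool.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)


def is_shadow_copy_deletion(cmdline):
    return SHADOW_DELETE.search(cmdline) is not None


def hunt(events, rule):
    """Group matching event PIDs by host, mirroring how the Splunk results were
    used to scope which systems had already been compromised."""
    hits = defaultdict(list)
    for ev in events:
        if rule(ev):
            hits[ev["host"]].append(ev["pid"])
    return dict(hits)


if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS, lambda e: free_text_hit(e, "delete shadows")))
    print(hunt(SAMPLE_EVENTS, lambda e: is_shadow_copy_deletion(e["cmdline"])))
```

The literal search finds only the vssadmin host, while the behavioural rule also surfaces the wmic variant on the third host; the ‘vssadmin list shadows’ event is correctly ignored by both.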

WannaCry Remediation Using Splunk and Ziften

One of the next steps in any breach is to remediate the compromise as fast as possible to prevent further damage and to stop any other systems from being compromised. Ziften is one of Splunk’s founding Adaptive Response members, and there are a number of actions (see Figure 7) that can be taken through Splunk’s Adaptive Response to mitigate these threats through extensions on Zenith.

In the case of WannaCry we could have used nearly any of the Adaptive Response actions currently available from Zenith. When trying to lessen the impact and prevent WannaCry in the first place, one action is to shut down SMB on any system running the Zenith agent where the version of SMB running is known to be vulnerable. With a single action, Splunk can pass to Zenith the agent IDs or IP addresses of all the vulnerable systems on which we want to stop the SMB service, preventing the exploit from ever happening and allowing the IT Operations team to get those systems patched before starting the SMB service again.

Preventing Ransomware from Spreading or Exfiltrating Data

Now, in the event that we have already been compromised, it is crucial to prevent further exploitation and stop the possible exfiltration of sensitive data or company intellectual property. There are really three actions we could take. The first two are similar: we could kill the malicious process either by PID (process ID) or by its hash. This is effective, but because malware will often simply respawn under a new process, or be polymorphic and have a different hash, we can apply an action that is guaranteed to prevent any inbound or outbound traffic from the infected systems: network quarantine. This is another example of an Adaptive Response action available from Ziften’s integration with Splunk ES.

WannaCry is already winding down, but hopefully this technical blog shows the value of the Ziften and Splunk integration in dealing with ransomware threats against the endpoint.


Chuck Leaver – You Need Continuous Endpoint Visibility Even When Devices Are Offline

Written By Roark Pollock And Presented By Chuck Leaver Ziften CEO


A survey recently completed by Gallup found that 43% of employed Americans worked remotely for some of their working time in 2016. Gallup, which has been surveying telecommuting trends in the United States for almost a decade, continues to see more employees working outside traditional offices and more of them doing so for more days of the week. And, of course, the number of connected devices that the typical employee uses has increased as well, which helps drive the convenience and preference of working away from the office.

This freedom surely makes for happier employees, and one hopes more productive employees, but the issues that these trends present for both systems and security operations teams should not be overlooked. IT systems management, IT asset discovery, and threat detection and response functions all benefit from real-time and historical visibility into user, device, application, and network connection activity. And to be truly effective, endpoint visibility and monitoring should work regardless of where the user and device are operating, whether on the network (local), off the network but connected (remote), or disconnected (offline). Current remote working trends are increasingly leaving security and operations teams blind to potential problems and risks.

The mainstreaming of these trends makes it much more challenging for IT and security teams to restrict what used to be considered higher-risk user behavior, such as working from a coffee shop. But that ship has sailed, and today security and systems management teams need to be able to adequately monitor user, device, application, and network activity, detect anomalies and inappropriate actions, and enforce appropriate actions or fixes regardless of whether an endpoint is locally connected, remotely connected, or disconnected.

In addition, the fact that many employees now regularly access cloud-based assets and applications, and have backup network-attached storage (NAS) or USB-connected drives at home, further magnifies the need for endpoint visibility. Endpoint controls often provide the one and only record of remote activity that no longer necessarily terminates in the organization’s network. Offline activity provides the most extreme example of the need for continuous endpoint monitoring. Clearly, network controls or network monitoring are of negligible use when a device is operating offline. Installing a suitable endpoint agent is crucial to guarantee the capture of all important system and security data.

As an example of the kinds of offline activity that can be detected, a customer was recently able to monitor, flag, and report unusual behavior on a corporate laptop. A senior executive transferred large amounts of endpoint data to an unapproved USB stick while the device was offline. Because the endpoint agent was able to collect this behavioral data during the offline period, the customer was able to see this unusual action and follow up appropriately. Continuing to monitor device, application, and user behavior even when the endpoint was disconnected gave the customer visibility they never had before.

Does your organization have continuous monitoring and visibility when employee endpoints are on an island? If so, how do you do it?