Archive for the ‘Attack Detection’ Category

Chuck Leaver – The Advantages Of The Security Industry Working Together

Written By Chuck Leaver

No one can solve cybersecurity alone. No single solution company, no single provider can take on the whole thing. Tackling security requires cooperation between different companies.

In some cases, those players sit at different levels of the service stack: some install on endpoints, some within applications, others within network routers, others at the telco or in the cloud.

Sometimes each company has a particular best-of-breed piece of the puzzle: one player focuses on e-mail, another on crypto, another on interrupting the kill chain.

From the enterprise customer's point of view, effective security means assembling a set of tools and services into a working whole. From the vendors' point of view, effective security requires strategic alliances. Sure, each vendor, whether it makes hardware, writes software, or delivers services, has its own products and intellectual property. Nevertheless, we all work better when we work together, enabling integrations and making life easier for our resellers, our integrators, and the end customer.

Paradoxically, not only can vendors make more money through strategic alliances, but end customers save money at the same time. Why? A number of factors.

Customers don't waste money (and time) on products with overlapping capabilities. Customers don't waste money (and time) building custom integrations. And customers don't waste money (and time) trying to debug systems that fight each other, for example by triggering extra alerts or hard-to-find incompatibilities.

The Ultimate Trifecta – Products, Solutions, and Channels

All three work together to meet the needs of the business customer, and they benefit the vendors, who can concentrate on what they do best and rely on strategic alliances to build complete solutions from the puzzle pieces.

Generally speaking, those solutions require more than simple APIs, which is where strategic alliances come in.

Consider the integration between products (such as a network threat scanner or Ziften's endpoint visibility solutions) and analytics platforms. End customers don't want to run a whole load of different consoles, and they don't want to manually correlate anomaly findings from many different security tools. Strategic alliances between product vendors and analytics solutions, whether on-premises or in the cloud, make sense for everybody. That includes the channel, which can sell and support complete solutions that are already dialed in, already debugged, already documented, and will work with the least hassle possible.

Or consider the integration of products with managed security services providers (MSSPs). They want to offer prospective customers pre-packaged solutions, ideally ones that can run in their multi-tenant clouds. That means the products need to be scalable, with compatible license terms. They must integrate well with the MSSP's existing consoles and administrative control systems. And naturally, they have to feed into predictive analytics and incident response programs. The best way to do that? Through strategic alliances, both horizontally with other product vendors and with the major MSSPs as well.

How about value-added resellers (VARs)? VARs need solutions that are easy to understand, easy to support, and easy to add to existing security deployments. That makes new solutions more attractive, more cost-effective, simpler to install, and easier to support, and it strengthens the VAR's customer relationships.

What do they look for when adding to their solution portfolio? New products that have strategic alliances with their existing product offerings. If you don't dovetail into the VAR's portfolio partners, well, you probably don't dovetail.

Two Examples: Fortinet and Microsoft

No one can solve cybersecurity alone, and that includes giants like Fortinet and Microsoft.

Consider the Fortinet Fabric-Ready Partner Program, where technology alliance partners integrate with the Fortinet Security Fabric by means of the Fabric APIs and are able to actively collect and share information to improve threat intelligence, enhance overall threat awareness, and broaden threat response from end to end. As Fortinet explains in its Fortinet Fabric-Ready Partner Program Introduction, “partner inclusion in the program signals to customers and the industry as a whole that the partner has actually teamed up with Fortinet and leveraged the Fortinet Fabric APIs to develop verified, end-to-end security options.”

Likewise, Microsoft is pursuing a similar approach with the Windows Defender Advanced Threat Protection program. Microsoft recently selected just a few key partners for this security program, saying, “We’ve spoken with our customers that they desire protection and visibility into possible hazards on all their device platforms and we’ve relied on partners to assist address this need. Windows Defender ATP provides security groups a single pane of glass for their endpoint security and now by working together with these partners, our customers can extend their ATP service to their entire install base.”

We're the first to admit it: Ziften cannot solve security alone. No one can. The best way forward for the security industry is to move forward together, through strategic alliances combining product vendors, service providers, and the channel. That way, we all win: vendors, service providers, channel partners, and business customers alike.

Chuck Leaver – Be Careful Of This Microsoft Word Feature And Phishing Attacks

Written By Josh Harriman And Presented By Chuck Leaver


An intriguing multifaceted attack was reported in a recent blog by Cisco's Talos Intelligence group. I want to talk about the infection vector of this attack, as it's quite interesting and something that Microsoft has pledged not to fix, since it is a feature and not a bug. Reports are circulating of attacks in the wild that make use of a feature in Microsoft Word called Dynamic Data Exchange (DDE). Details of how this is accomplished are reported in this blog from SecureData.

Special Phishing Attack with Microsoft Word

Attackers constantly search for new ways to breach a company. Phishing attacks are one of the most common, since attackers count on someone either opening a document sent to them or visiting a 'faked' URL. From there, an exploit against a vulnerable piece of software usually provides the access needed to begin the attack.

In this case, however, the documents didn't have a malicious object embedded in the Word file, which is a popular attack vector, but instead used a sly trick: this feature lets the Word program reach out and retrieve the real malicious files. The attackers could hope for, or count on, a better infection rate this way, since malicious Word files themselves can be scanned and deleted before reaching the recipient.

Hunting for Suspicious Behaviors with Ziften Zenith

Here at Ziften, we wanted to be able to alert on this behavior for our customers. Finding conditions that show 'odd' behavior, such as Microsoft Word spawning a shell, is interesting and not expected. Take it a step further and look for PowerShell running from that spawned shell, and it gets 'very' interesting. Through our Search API, we can find these behaviors whenever they happened. We don't need the system to be powered on at the time of the search: if it ever ran a program (in this case Word) that exhibited these behaviors, we can find that system. Ziften is constantly gathering and sending the relevant process information, which is why we can find the data without depending on the state of the system at the time of the search.

In our Zenith console, I searched for this condition with the following filter:

Process → Filepath includes word.exe, Child Process Filepath includes cmd.exe, Child Process commandline includes powershell

This returns the PIDs (process IDs) of the processes we saw start up under these conditions. From there we can drill down to see the critical details.

In this first image, we can see details of the process tree (Word spawning CMD, with PowerShell under that) on the left, and on the right you can see details such as the system name and user, plus the start time.

In the next image, we look at the CMD process and get details of what was passed to PowerShell.

Most likely, when the user answered this Microsoft Word pop-up dialog box, that is when the CMD shell used PowerShell to go out and retrieve some code hosted on the Louisiana Gov website. In the PowerShell image below we can see more details, such as the Network Connect information when it reached out to the website to pull the fonts.txt file.

That IP address ( ) is in fact the Louisiana Gov website. We often see interesting data in our Network Connect information that may not match what you expect.

After building our Saved Search, we can alert on these conditions as they occur across the environment. We can also build extensions that change a GPO policy to disable DDE, or even take further action and go find these files and remove them from the system if desired. The ability to find interesting combinations of conditions within an environment is extremely powerful, and we are pleased to have this feature in our offering.
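
As an added example (not Ziften's code and not the Zenith Search API), here is the same hunt expressed in Python over constructed endpoint telemetry: it rebuilds the process tree, applies the filter above (parent path includes word.exe, child path includes cmd.exe, child command line includes powershell), and returns the host, user, PIDs, command line and any network connections made beneath the flagged shell. All process records, PIDs, host names and the 203.0.113.10 address are constructed.

```python
"""
Added example (not Ziften's code): reconstruct a process tree from constructed
endpoint telemetry and flag the chain the post hunts for:
Word -> cmd.exe -> powershell, then list the network connections made under it.
"""
from collections import defaultdict

# Constructed sample telemetry modelled on the fields the post describes
# (process path, command line, parent, host, user, start time). Not real data.
# Note that the real Word image is WINWORD.EXE, which the substring
# "word.exe" still matches.
PROCESSES = [
    {"pid": 3012, "ppid": 900, "host": "WS-042", "user": "jdoe",
     "path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": 'WINWORD.EXE /n "invoice.docx"', "start": "2017-10-12T09:14:02"},
    # Child spawned by Word after the DDE prompt was accepted (payload omitted)
    {"pid": 3188, "ppid": 3012, "host": "WS-042", "user": "jdoe",
     "path": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c powershell -c "(download of fonts.txt omitted)"',
     "start": "2017-10-12T09:14:40"},
    {"pid": 3204, "ppid": 3188, "host": "WS-042", "user": "jdoe",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -c "(download of fonts.txt omitted)"',
     "start": "2017-10-12T09:14:41"},
    # Benign: Word printing through the print spooler helper
    {"pid": 3300, "ppid": 3012, "host": "WS-042", "user": "jdoe",
     "path": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe",
     "start": "2017-10-12T09:20:00"},
    # Benign: an admin running PowerShell from a shell opened by Explorer
    {"pid": 4410, "ppid": 1200, "host": "WS-007", "user": "itadmin",
     "path": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -File C:\\scripts\\inventory.ps1",
     "start": "2017-10-12T10:01:00"},
]

# Constructed Network Connect records, keyed by the PID that made them.
NETWORK_CONNECTS = [
    {"pid": 3204, "dst": "203.0.113.10", "port": 80, "path": "/fonts.txt"},
    {"pid": 4410, "dst": "10.0.0.5", "port": 443, "path": "/inventory"},
]


def find_word_shell_chains(processes, connects):
    """Apply the post's saved search: parent path contains 'word.exe', child
    path contains 'cmd.exe', child command line contains 'powershell'.
    For each hit return host, user, PIDs, the child's full command line and
    every network connection made by the child or its descendants."""
    children = defaultdict(list)
    for p in processes:
        children[p["ppid"]].append(p)

    def descendants(pid):
        # Walk the tree below pid (iterative, guards against cycles)
        stack, seen = [pid], set()
        while stack:
            for c in children[stack.pop()]:
                if c["pid"] not in seen:
                    seen.add(c["pid"])
                    stack.append(c["pid"])
        return seen

    findings = []
    for parent in processes:
        if "word.exe" not in parent["path"].lower():
            continue
        for child in children[parent["pid"]]:
            if "cmd.exe" not in child["path"].lower():
                continue
            if "powershell" not in child["cmdline"].lower():
                continue
            tree = {child["pid"]} | descendants(child["pid"])
            remotes = sorted(f'{c["dst"]}:{c["port"]}{c["path"]}'
                             for c in connects if c["pid"] in tree)
            findings.append({
                "host": parent["host"], "user": parent["user"],
                "parent_pid": parent["pid"], "child_pid": child["pid"],
                "cmdline": child["cmdline"], "start": child["start"],
                "network": remotes,
            })
    return findings


if __name__ == "__main__":
    for hit in find_word_shell_chains(PROCESSES, NETWORK_CONNECTS):
        print(hit)
```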

Chuck Leaver – Prevent And Manage Ransomware With These 4 Steps

Written By Alan Zeichick And Presented By Chuck Leaver


Ransomware is real, and it is threatening individuals, businesses, schools, hospitals, and governments, and there's no sign that ransomware is stopping. In fact, it's probably increasing. Why? Let's be honest: ransomware is probably the single most efficient attack that hackers have ever created. Anybody can build ransomware using readily available tools; any money received is likely in untraceable Bitcoin; and if something goes wrong with decrypting someone's hard drive, the hacker isn't affected.

A business is hit with ransomware every 40 seconds, according to some sources, and 60% of malware incidents were ransomware. It strikes all sectors. No industry is safe. And with the rise of RaaS (Ransomware-as-a-Service) it's going to get worse.

The good news: we can fight back. Here's a four-step battle plan.

Good Fundamental Hygiene

It begins with training employees how to handle malicious e-mails. There are forged messages from business partners. There's phishing and targeted spearphishing. Some will get through e-mail spam/malware filters; employees need to be taught not to click links in those messages and, of course, not to give permission for plugins or apps to be installed.

However, some malware, including ransomware, will get through, typically by exploiting obsolete software or unpatched systems, just as in the Equifax breach. That's where the next step comes in:

Ensuring that endpoints are fully patched and fully updated with the latest, most secure operating system, applications, utilities, device drivers, and code libraries. That way, if there is an attack, the endpoint is healthy and best able to fight off the infection.

Ransomware isn't really a technology or security problem. It's a business problem. And it's about far more than the ransom demanded. That's peanuts compared to the lost productivity from downtime, bad public relations, angry customers if service is disrupted, and the cost of rebuilding lost data. (And that assumes that valuable intellectual property or protected financial or patient health data isn't stolen.)

What else can you do? Backup, backup, backup, and protect those backups. If you don't have safe, secure backups, you can't restore data and core infrastructure in a timely fashion. That includes taking daily snapshots of virtual machines, databases, applications, source code, and configuration files.

Businesses need tools to detect, identify, and prevent malware like ransomware from spreading. That requires continuous visibility into and reporting on what's happening in the environment, including “zero day” attacks that have not been seen before. Part of that is monitoring endpoints, from the smartphone to the PC to the server to the cloud, to make sure they are up to date and secure and that no unexpected changes have been made to their underlying configuration. That way, if a machine is infected by ransomware or other malware, the breach can be detected quickly, and the device isolated and shut down pending forensics and recovery. If an endpoint is breached, rapid containment is critical.

The 4 Tactics

Good user training. Keeping systems current with patches and fixes. Backing everything up as often as possible. And using monitoring tools to help both IT and security teams spot problems and respond quickly to them. When it comes to ransomware, those are the four battle-tested tactics we need to keep our organizations safe.

You can learn more about this in a short 8-minute video, where I talk with several industry experts about this issue:

Chuck Leaver – Ziften Clients Are Protected From The Flaw In Petya Variant

Written By Josh Harriman And Presented By Chuck Leaver Ziften CEO


Another outbreak, another problem for those who were not prepared. While this latest attack is similar to the earlier WannaCry threat, there are some differences in this latest malware, which is a variant or new strain much like Petya. Dubbed NotPetya by some, this strain means a great deal of trouble for anybody who encounters it. It may encrypt your data, or make the system entirely unusable. And now the e-mail address you would need to contact to 'maybe' decrypt your files has been taken down, so you're out of luck getting your files back.

Plenty of details on the behavior of this threat are publicly available, but I wanted to point out that Ziften customers are protected both from the EternalBlue exploit, which is one mechanism used for its propagation, and, better still, by an inoculation based on a possible flaw, or its own kind of debug check, that prevents the threat from ever executing on the system. It could still spread through the environment, but our protection would already be deployed to all existing systems to halt the damage.

Our Ziften extension platform enables our customers to have protection in place against specific vulnerabilities and malicious actions for this threat and others like Petya. Beyond the specific actions taken against this particular variant, we have taken a holistic approach to stopping strains of malware that perform various 'checks' against the system before executing.

We can also use our Search capability to look for residue of the other propagation techniques used by this threat. Reports show WMIC and PsExec being used. We can search for those programs, their command lines, and their usage. Although they are legitimate processes, their use is normally rare and can be alerted on.

With WannaCry, and now NotPetya, we expect to see a continued rise in these kinds of attacks. The release of the recent NSA exploits has given ambitious cyber criminals the tools they need to push out their wares. And though ransomware threats can be a high-value commodity vehicle, more damaging threats could be launched. It has always been 'how' to get the threats to spread (worm-like, or social engineering) that is hardest for them.

Chuck Leaver – Use SysSecOps To Bring IT And Security Together

Written By Chuck Leaver Ziften CEO


Scott Raynovich nailed it. Having worked with hundreds of organizations, he realized that one of the biggest challenges is that security and operations are two different departments, with drastically different goals, different tools, and different management structures.

Scott and his analyst firm, Futuriom, recently completed a study, “Endpoint Security and SysSecOps: The Growing Trend to Develop a More Secure Business”, in which one of the key findings was that conflicting IT and security goals prevent professionals on both teams from achieving their objectives.

That's exactly what we believe at Ziften, and the term Scott coined to describe the convergence of IT and security in this domain, SysSecOps, captures exactly what we've been talking about. Security teams and IT teams need to get on the same page. That means sharing the same objectives and, sometimes, sharing the same tools.

Consider the tools that IT people use. They are designed to ensure the infrastructure and end devices are working properly and, when something goes wrong, to help them fix it. On the endpoint side, those tools help guarantee that devices allowed onto the network are configured properly, have software that is authorized and properly updated/patched, and have not registered any faults.

Consider the tools that security people use. They enforce security policies on devices, infrastructure, and security appliances (like firewalls). That may include actively monitoring incidents, scanning for abnormal behavior, examining files to ensure they don't contain malware, adopting the latest threat intelligence, matching against newly discovered zero-days, and performing analysis on log files.

Spotting fires, fighting fires

Those are two different worlds. The security teams are fire spotters: they can see that something bad is happening, can work quickly to isolate the problem, and can figure out whether damage occurred (like data exfiltration). The IT teams are the firefighters on the ground: they jump into action when an incident strikes to make sure that systems are made safe and brought back into operation.

Sounds great, doesn't it? Unfortunately, all too often they don't talk to each other. It's like having the fire spotters and firefighters using incompatible radios, different jargon, and different city maps. Worse, the teams can't share the same data directly.

Our approach to SysSecOps is to give both the IT and security teams the same resources, and that means the same reports, delivered in the appropriate ways to each set of professionals. It's not dumbing down; it's working smarter.

It's ridiculous to operate any other way. Take the WannaCry virus, for example. On one hand, Microsoft released a patch back in March 2017 that addressed the underlying SMB flaw. IT operations teams didn't install the patch, because they didn't think it was a big deal and didn't talk to security. Security teams didn't know whether the patch was installed, because they don't talk to operations. SysSecOps would have had everyone on the same page, and could potentially have avoided this issue.

Missing data means waste and risk

The inefficient gap between IT operations and security exposes companies to risk. Preventable risk. Unnecessary risk. It's simply unacceptable!

If your company's IT and security teams aren't on the same page, you are incurring risks and costs that you shouldn't have to. It's waste. Organizational waste. It's wasteful because you have so many tools providing partial data with gaps, and each of your teams sees only part of the picture.

As Scott concluded in his report, “Coordinated SysSecOps visibility has currently shown its worth in assisting companies evaluate, analyze, and prevent considerable dangers to the IT systems and endpoints. If these goals are pursued, the security and management risks to an IT system can be greatly diminished.”

If your teams work together in a SysSecOps fashion, if they can see the same data at the same time, you not only have better security and more efficient operations, but also lower risk and lower costs. Our Zenith software can help you achieve that efficiency, not only working with your existing IT and security tools, but also filling in the gaps to make sure everyone has the right data at the right time.

Chuck Leaver – Detect And Respond To WannaCry With Ziften And Splunk

Written by Joel Ebrahami and presented by Chuck Leaver

WannaCry has generated a great deal of media attention. It may not have had the huge infection rates we saw with many of the earlier worms, but in the current security world the number of systems it was able to infect in one day was still somewhat shocking. The goal of this blog is NOT to provide a detailed analysis of the exploit, but rather to look at how the threat behaves on a technical level with Ziften's Zenith platform and the integration we have with our technology partner Splunk.

Visibility of WannaCry in Ziften Zenith

My first step was to reach out to the Ziften Labs threat research team to see what details they could give me about WannaCry. Josh Harriman, VP of Cyber Security Intelligence, heads up our research team and told me they already had samples of WannaCry running in our 'Red Lab' to study the behavior of the threat and perform further analysis. Josh sent me the details of what he had found when examining the WannaCry samples in the Ziften Zenith console, which I present in this post.

The Red Lab has systems covering all the most popular operating systems with various services and configurations. There were already systems in the lab that were intentionally vulnerable to the WannaCry threat. Our global threat intelligence feeds used in the Zenith platform are updated in real time, and had no trouble detecting the infection in our lab environment (see Figure 1).

Two lab systems were identified running the malicious WannaCry sample. While it is great to see our global threat intelligence feeds updated so quickly and identifying the ransomware samples, there were other behaviors we detected that would have identified the ransomware threat even if there had been no threat signature.

Zenith agents gather a large amount of data on what's happening on each host. From this visibility data, we build non-signature-based detection techniques that look for commonly malicious or anomalous behavior. In Figure 2 below, we show the behavioral detection of the WannaCry infection.

Investigating the Scope of WannaCry Infections

Once detected, either through signature or behavioral methods, it is very easy to see which other systems have also been infected or are displaying similar behavior.

Detecting WannaCry with Ziften and Splunk

After reviewing this information, I decided to run the WannaCry sample in my own environment on a vulnerable system. I had one vulnerable system running the Zenith agent, and in this example my Zenith server was already configured to integrate with Splunk. This allowed me to look at the same information inside Splunk. Let me explain the integration we have with Splunk.

We have two Splunk apps for Zenith. The first is our technology add-on (TA): its function is to ingest and index ALL the raw data that the Ziften agents create and the Zenith server forwards. As this data is ingested it is mapped into Splunk's Common Information Model (CIM) so that it is normalized and can be easily searched and used by other apps, such as the Splunk App for Enterprise Security (Splunk ES). The Ziften TA also includes Adaptive Response capabilities for taking action from events rendered in Splunk ES. The second app is a dashboard for displaying our data with all the charts and graphs available in Splunk, making the data much easier to absorb.

Because I already had the details of how the WannaCry threat behaved in our research lab, I had the advantage of knowing exactly what to look for in Splunk using the Zenith data. In this case I was able to see a signature alert by using the VirusTotal integration with our Splunk app (see Figure 4).

Threat Hunting for WannaCry Ransomware in Ziften and Splunk

But I wanted to put on my “incident responder hat” and investigate this in Splunk using the Zenith agent data. My first thought was to search the systems in my lab for ones running SMB, because that was the initial vector for the WannaCry attack. The Zenith data is encapsulated in various message types, and I knew I would most likely find SMB data in the running process message type; however, I used Splunk's * wildcard with the Zenith sourcetype so I could search all Zenith data. The resulting search looked like ‘sourcetype=ziften:zenith:* smb’. As I expected, I got one result back for the system that was running SMB (see Figure 5).

My next step was to use the same behavioral search we have in Zenith that looks for common CryptoWare and see if I could get results back. Again this was very easy to do from the Splunk search panel. I used the same wildcard sourcetype as before so I could search across all Zenith data, and this time I added the ‘delete shadows’ string to see if this behavior was ever launched from the command line. My search looked like ‘sourcetype=ziften:zenith:* delete shadows’. This search returned results, shown in Figure 6, that showed me in detail the process that was created and the full command line that was executed.

Having all this detail within Splunk made it very easy to identify which systems were vulnerable and which systems had already been compromised.

WannaCry Remediation Using Splunk and Ziften

One of the next steps in any type of breach is to remediate the compromise as fast as possible to prevent further damage and to act to prevent any other systems from being compromised. Ziften is one of the founding Splunk Adaptive Response members, and there are a number of actions (see Figure 7) that can be taken through Splunk's Adaptive Response to mitigate these threats through extensions on Zenith.

In the case of WannaCry we could have used nearly any of the Adaptive Response actions currently available from Zenith. When trying to minimize the impact and prevent WannaCry in the first place, one action that can be taken is to stop SMB on any systems running the Zenith agent where the version of SMB running is known to be vulnerable. With a single action, Splunk can pass to Zenith the agent IDs or IP addresses of all the vulnerable systems where we want to stop the SMB service, thus preventing the exploit from ever happening and allowing the IT operations team to get those systems patched before starting the SMB service again.

Preventing Ransomware from Spreading or Exfiltrating Data

Now, in the event that we have already been compromised, it is crucial to prevent further exploitation and stop the possible exfiltration of sensitive data or company intellectual property. There are really three actions we could take. The first two are similar: we could kill the malicious process either by PID (process ID) or by its hash. This is effective, but because malware will often just spawn under a new process, or be polymorphic and have a different hash, we can apply an action that is guaranteed to prevent any inbound or outbound traffic from those infected systems: network quarantine. This is another example of an Adaptive Response action available from Ziften's integration with Splunk ES.

WannaCry is already fading, but hopefully this technical blog shows the value of the Ziften and Splunk integration in dealing with ransomware threats against the endpoint.


Chuck Leaver – You Need Continuous Endpoint Visibility Even When Devices Are Offline

Written By Roark Pollock And Presented By Chuck Leaver Ziften CEO


A survey recently completed by Gallup found that 43% of employed Americans worked remotely for some of their working time in 2016. Gallup, which has been surveying telecommuting patterns in the United States for almost a decade, continues to see more employees working outside traditional offices and more of them doing so for more days of the week. And, of course, the number of connected devices that the typical employee uses has increased as well, which helps drive the convenience and preference of working away from the office.

This freedom surely makes for happier employees, and one hopes more productive employees, but the issues these trends pose for both systems and security operations teams should not be overlooked. IT systems management, IT asset discovery, and threat detection and response functions all benefit from real-time and historical visibility into user, device, application, and network connection activity. And to be truly effective, endpoint visibility and monitoring should work regardless of where the user and device are operating, be it on the network (local), off the network but connected (remote), or disconnected (offline). Current remote working patterns are increasingly leaving security and operations teams blind to potential problems and risks.

The mainstreaming of these trends makes it much harder for IT and security teams to restrict what used to be considered higher-risk user behavior, such as working from a coffee shop. But that ship has sailed, and today security and systems management teams need to be able to adequately monitor user, device, application, and network activity, detect anomalies and inappropriate actions, and enforce appropriate action or fixes regardless of whether an endpoint is locally connected, remotely connected, or disconnected.

In addition, the fact that many workers now regularly access cloud-based assets and applications, and have backup network-attached storage (NAS) or USB-connected drives at home, further magnifies the need for endpoint visibility. Endpoint controls often provide the one and only record of remote activity, which no longer necessarily terminates on the organization's network. Offline activity is the most extreme example of the need for continuous endpoint monitoring. Clearly, network controls and network monitoring are of negligible use when a device is running offline. Installing a suitable endpoint agent is crucial to guarantee the capture of all important system and security data.

As an example of the kinds of offline activity that can be detected, a customer was recently able to monitor, flag, and report unusual behavior on a corporate laptop. A high-level executive transferred large amounts of endpoint data to an unapproved USB stick while the device was offline. Because the endpoint agent was able to gather this behavioral data during the offline period, the customer was able to see this unusual action and follow up appropriately. Continuing to monitor device, application, and user behavior even when the endpoint was disconnected gave the customer visibility they never had before.

Does your business have continuous monitoring and visibility when employee endpoints are on an island? If so, how do you do it?

Chuck Leaver – Watch Out For These Commands As They Could Be A Threat

Written By Josh Harriman And Presented By Chuck Leaver Ziften CEO


The repeating of a concept when it concerns computer system security is never ever a bad thing. As sophisticated as some cyber attacks can be, you truly need to look for and understand making use of common easily available tools in your environment. These tools are usually utilized by your IT staff and most likely would be whitelisted for usage and can be missed out on by security teams mining through all the appropriate applications that ‘might’ be carried out on an endpoint.

Once someone has penetrated your network, which can be done in a range of ways and is another blog post for another day, signs of these programs/tools running in your environment need to be examined to ensure appropriate use.

A few commands/tools and their purpose:

Netstat – Details on the current network connections. This may be used to identify other systems within the network.

PowerShell – Built-in Windows command line shell that can perform a variety of activities, such as obtaining important information about the system, killing processes, adding or deleting files, and so on.

WMI – Another powerful built-in Windows feature. Can move files around and collect crucial system details.

Route Print – Command to view the local routing table.

Net – Manages accounts/users/groups/domains.

RDP (Remote Desktop Protocol) – Program to access systems remotely.

AT – Scheduled tasks.

Looking for activity from these tools can be time-consuming and in some cases overwhelming, but it is necessary to get a handle on who might be moving around in your environment. And not simply what is occurring in real time, but historically too, to see a path somebody might have taken through the environment. It's frequently not 'patient zero' that is the target, but once attackers get a foothold, they can use these tools and commands to begin their reconnaissance and finally move to a high value asset. It's that lateral movement that you want to discover.

You must have the capability to gather the information discussed above and the means to sift through it to find, alert on, and investigate this data. You can use Windows Events to monitor various modifications on a device and then filter that down.
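One way to do that filtering, as an added example that is not Ziften's code or the console shown in the post: take process-creation records shaped like Windows Security Event ID 4688 (with command-line auditing enabled), flag the tools listed above when they run outside the IT team's approved deployment path, raise severity when the command came from an RDP session, and group several distinct tools by the same user on the same host inside a short window, which is the reconnaissance-then-move pattern described above. The account name, parent process, event export format, the logon_type field (assumed joined from the session's 4624 logon event) and all sample records are constructed assumptions, not real data.

```python
"""Hunting for built-in admin tools in process-creation events.

Added example, not Ziften's code. It assumes Windows Security Event ID 4688
(process creation, with command-line auditing enabled) exported as JSON lines,
plus a logon_type field (10 = RemoteInteractive, i.e. an RDP session) assumed
to be joined from the session's 4624 logon event. All sample data is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical allowlist: the IT team's deployment account and the agent it
# uses to push changes. Identical commands run by anyone else are flagged.
APPROVED_ADMIN_ACCOUNTS = {"CORP\\svc-deploy"}
APPROVED_PARENTS = {"deploy-agent.exe"}

# The tools named in the post, keyed by the image name seen in 4688 events.
WATCHED_TOOLS = {
    "netstat.exe": "network connection enumeration",
    "powershell.exe": "scripting / system reconnaissance",
    "wmic.exe": "WMI query or file movement",
    "route.exe": "routing table inspection",
    "net.exe": "account / group / share enumeration",
    "net1.exe": "account / group / share enumeration",
    "mstsc.exe": "RDP client launch",
    "at.exe": "scheduled task creation",
}
RDP_LOGON_TYPE = 10  # Windows RemoteInteractive logon type

# Constructed sample export: two commands pushed by the IT deployment path,
# then similar commands typed by a user inside an RDP session, then noise.
SAMPLE_EVENTS = r"""
{"time":"2017-03-01T09:00:01Z","host":"WS-017","user":"CORP\\svc-deploy","parent":"deploy-agent.exe","image":"net.exe","cmdline":"net user patchsvc /add","status":"Terminated","logon_type":5}
{"time":"2017-03-01T09:00:02Z","host":"WS-017","user":"CORP\\svc-deploy","parent":"deploy-agent.exe","image":"route.exe","cmdline":"route print","status":"Terminated","logon_type":5}
{"time":"2017-03-01T13:42:10Z","host":"WS-017","user":"CORP\\jdoe","parent":"cmd.exe","image":"net.exe","cmdline":"net group \"Domain Admins\" /domain","status":"Terminated","logon_type":10}
{"time":"2017-03-01T13:42:31Z","host":"WS-017","user":"CORP\\jdoe","parent":"cmd.exe","image":"netstat.exe","cmdline":"netstat -ano","status":"Terminated","logon_type":10}
{"time":"2017-03-01T13:43:05Z","host":"WS-017","user":"CORP\\jdoe","parent":"cmd.exe","image":"at.exe","cmdline":"at \\\\FS-02 04:00 backup.cmd","status":"Running","logon_type":10}
{"time":"2017-03-01T14:01:00Z","host":"WS-017","user":"CORP\\jdoe","parent":"explorer.exe","image":"winword.exe","cmdline":"winword.exe report.docx","status":"Terminated","logon_type":2}
"""


def parse_events(text):
    """Parse a JSON-lines export into dicts, skipping blank lines."""
    return [json.loads(ln) for ln in text.splitlines() if ln.strip()]


def classify(event):
    """Return a finding for a watched tool run outside the approved IT path, else None."""
    image = event["image"].lower()
    if image not in WATCHED_TOOLS:
        return None
    if (event["user"] in APPROVED_ADMIN_ACCOUNTS
            and event["parent"].lower() in APPROVED_PARENTS):
        return None  # same command, but pushed through the IT deployment path
    reasons = [WATCHED_TOOLS[image]]
    severity = "medium"
    if event.get("logon_type") == RDP_LOGON_TYPE:
        severity = "high"
        reasons.append("executed inside an RDP session")
    if event.get("status") == "Running":
        # Historical data normally shows Terminated; Running means the
        # process is live, so someone may be on the box right now.
        reasons.append("process still running: possible live operator")
    return {"time": event["time"], "host": event["host"], "user": event["user"],
            "image": image, "cmdline": event["cmdline"],
            "severity": severity, "reasons": reasons}


def chains(findings, window=timedelta(minutes=15), min_tools=3):
    """Group findings by host and user; several distinct tools inside the
    window is the recon-then-move pattern, not a one-off admin command."""
    by_actor = defaultdict(list)
    for f in findings:
        by_actor[(f["host"], f["user"])].append(f)
    out = {}
    for actor, fs in by_actor.items():
        fs.sort(key=lambda f: f["time"])
        stamps = [datetime.strptime(f["time"], "%Y-%m-%dT%H:%M:%SZ") for f in fs]
        for i, start in enumerate(stamps):
            tools = {fs[j]["image"] for j in range(i, len(fs))
                     if stamps[j] - start <= window}
            if len(tools) >= min_tools:
                out[actor] = sorted(tools)
                break
    return out


def hunt(text):
    """Run classification over an export and return (findings, chains)."""
    findings = [f for f in map(classify, parse_events(text)) if f]
    return findings, chains(findings)


if __name__ == "__main__":
    found, lateral = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f["severity"], f["time"], f["user"], f["image"], "|", "; ".join(f["reasons"]))
    for actor, tools in lateral.items():
        print("possible lateral movement by", actor, "using", tools)
```

The allowlist keys on both the account and the parent process, not the command text: the whole point of the screenshots in the post is that the command line looks the same whether IT pushed it or someone typed it over RDP, so the distinguishing signal has to come from the surrounding context that the agent recorded (who ran it, from what parent, in what kind of session, and whether the process is still alive).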

Looking at some screenshots shown below from our Ziften console, you can see a quick difference between what our IT group used to push out modifications in the network, versus someone running a very similar command themselves. This could be much like what you'd find when someone did that remotely, say by means of an RDP session.

An interesting side note in these screenshots is that in all scenarios, the Process Status is 'Terminated'. You wouldn't see this specific detail during a live examination or if you were not constantly collecting the data. But since we are collecting all the information constantly, you have this historical data to look at. If instead you were observing the Status as 'Running', this could suggest that somebody is actually on that system right now.

This only scratches the surface of what you should be gathering and how to evaluate what is right for your environment, which obviously will be distinct from that of others. But it's a good place to start. Malicious actors intent on doing you harm will typically look for the path of least resistance. Why try to develop new and interesting tools, when a lot of what they need is already there and ready to go?

Chuck Leaver – Cyber Attacks Defined And What You Can Do To Prevent Them

Written By Chuck Leaver CEO Ziften

No company, however small or large, is immune from a cyberattack. Whether the attack is started from an external source or from an insider, no business is totally protected. I have lost count of the number of times that senior managers from organizations have said to me, "why would anyone want to hack us?"

Cyberattacks Can Take Many Types

The proliferation of devices that can connect to organization networks (laptops, mobile phones and tablets) means an increased risk of security vulnerabilities. The aim of a cyber attack is to exploit those vulnerabilities.

Among the most common cyberattack approaches is the use of malware. Malware is code with malicious intent and can include viruses, Trojans and worms. The aim of malware is typically to steal sensitive data or even damage computer networks. Malware is often in the form of an executable file that will spread across your network.

Malware is becoming much more advanced, and now there is rogue software that masquerades as legitimate security software created to protect your network.

Phishing Attacks

Phishing attacks are also common. Most often it's an email sent from a supposedly "trusted authority" requesting that the user supply personal data by clicking a link. Some of these phishing emails look very genuine and they have fooled a lot of users. If the link is clicked and data is entered, the information will be stolen. Today an increasing number of phishing emails can carry ransomware.

Password Attacks

A password attack is among the most basic forms of cyber attack. This is where an unauthorized third party will attempt to get into your systems by "cracking" the login password. Software can be used here to carry out brute force attacks to guess passwords, and the word combinations used for passwords can be compared against a dictionary file.

If an attacker gains access to your network through a password attack then they can easily introduce malware and trigger a breach of your sensitive data. Password attacks are among the simplest to prevent, and strict password policies can provide a very effective barrier. Changing passwords regularly is also recommended.

Denial of Service

A Denial of Service (DoS) attack is all about causing maximum disruption of the network. Attackers will send very high amounts of traffic through the network and typically make numerous connection requests. The result is an overload of the network, and it will shut down.

Multiple computers can be used by cyber attackers in DoS attacks to produce extremely high levels of traffic to overload the network. Recently the largest DoS attack in history used botnets against Krebs On Security. Frequently, endpoint devices connected to the network such as PCs and laptops can be hijacked and will then contribute to the attack. If a DoS attack is experienced, it can have serious repercussions for network security.

Man in the Middle

Man in the middle attacks are achieved by impersonating endpoints of a network during an information exchange. Information can be stolen from the end user or even the server that they are communicating with.

How Can You Entirely Prevent Cyber Attacks?

Total prevention of a cyber attack is not possible with current technology, but there is a lot that you can do to safeguard your network and your sensitive data. It is very important not to think that you can just purchase and install a security software suite and then sit back. The more sophisticated cyber criminals are aware of all of the security software solutions on the market, and have devised approaches to overcome the safeguards that they offer.

Strong and frequently changed passwords are a policy that you need to adopt, and are among the simplest safeguards to put in place. The encryption of your sensitive data is another no-brainer. Beyond installing antivirus and malware defense suites in addition to a good firewall, you ought to make sure that regular backups are in place and that you have a data breach incident response/remediation plan in case the worst happens. Ziften helps organizations continuously monitor for threats that may get through their defenses, and take action immediately to eliminate the risk entirely.

Chuck Leaver – If You Are A Security Pro Then Do This Before Cloud Migration

Written By Logan Gilbert And Posted By Chuck Leaver Ziften CEO

Concerns Over Compliance And Security Prevent Companies From Cloud Migration

Migrating segments of your IT operations to the cloud can look like a huge chore, and an unsafe one at that. Security holes, compliance record keeping, the danger of introducing errors into your architecture … cloud migration presents a lot of scary problems to deal with.

If you’ve been leery about moving, you’re not alone – but aid is on the way.

When Evolve IP surveyed 1,000+ IT pros earlier this year for their Adoption of Cloud Services North America report, 55 percent of those surveyed stated that security is their biggest concern about cloud adoption. For businesses that don't already have some cloud presence, the number was even higher – 70%. The next biggest barrier to cloud adoption was compliance, mentioned by 40% of respondents. (That's up eleven percent this year.)

But here's the larger issue: if these concerns are keeping your organization from the cloud, you cannot benefit from the performance and cost advantages of cloud services, which becomes a strategic obstacle for your whole organization. You need a way to migrate that also answers concerns about security, compliance, and operations.

Better Security in Any Environment With Endpoint Visibility.

This is where endpoint visibility wins the day. Being able to see exactly what's happening with every endpoint gives you the visibility you need to enhance security, compliance, and operational effectiveness when you move your data center to the cloud.

And I suggest any endpoint: desktop computer, laptop, mobile phone, server, VM, or container.

As a long-time IT professional, I understand the temptation to believe you have more control over your servers when they're locked in a closet and you're the one who holds the keys. Even when you know that parts of your environment rely on kludges, they're your kludges, and they're stable. Plus, when you're running your own data center – unlike when you're in the cloud – you can use network taps and a whole host of monitoring tools to look at traffic on the wire, learn a great deal about who's talking to whom, and fix your issues.

But that level of information pales in comparison to endpoint visibility, in the cloud or the data center. The granularity and control of Ziften's system gives you far more than you could ever get with a network tap. You can find malware and other issues anywhere (even off your network), isolate them immediately, then track them back to whichever user, application, device, or process was the weak spot in the chain. Ziften offers the capability to perform look-back forensics and to fix issues in much less time.

Removing Your Cloud Migration Nightmares.

Endpoint visibility makes a huge difference any time you're ready to migrate part of your environment to the cloud. By examining endpoint activity, you can establish a baseline inventory of your systems, clean out wildcard assets such as orphaned VMs, and hunt down vulnerabilities. That gets everything safe and stable within your own data center before your move to a cloud provider like AWS or Azure.

After you've moved to the cloud, continuous visibility into each user, application and device means that you can administer all parts of your infrastructure better. You avoid wasting resources by preventing VM sprawl, plus you have a comprehensive body of data to satisfy the audit requirements for NIST 800-53, HIPAA, and other compliance guidelines.

When you're ready to move to the cloud, you're not doomed to weak security, incomplete compliance, or operational SNAFUs. Ziften's approach to endpoint security gives you the visibility you need for cloud migration without the headaches.