Archive for the ‘Attack Detection’ Category

Chuck Leaver – Watch Out For These Commands As They Could Be A Threat

Written By Josh Harriman And Presented By Chuck Leaver Ziften CEO


Repeating a concept in computer security is never a bad thing. As sophisticated as some cyber attacks can be, you really need to look for, and understand the use of, common, readily available tools in your environment. These tools are routinely used by your IT staff, are most likely whitelisted, and can be overlooked by security teams sifting through all the legitimate applications that might be executed on an endpoint.

Once someone has penetrated your network, which can happen in a range of ways and is a blog post for another day, indications of these programs and tools running in your environment need to be examined to confirm appropriate use.

A few commands/tools and their purpose:

Netstat – Details of the current network connections. This may be used to identify other systems on the network.

PowerShell – Built-in Windows command-line shell that can perform a variety of activities such as obtaining important information about the system, killing processes, adding or deleting files, and so on.

WMI – Another powerful built-in Windows facility. It can move files around and collect key system details.

Route Print – Command to view the local routing table.

Net – Adding accounts/users/groups/domains.

RDP (Remote Desktop Protocol) – Program to access systems remotely.

AT – Scheduled jobs.

Looking for activity from these tools can be time consuming and at times overwhelming, but it is necessary to get a handle on who might be moving around in your environment. And not just what is happening in real time, but historically as well, to see the path somebody may have taken through the environment. It's often not 'patient zero' that is the target; once they get a foothold, they can use these tools and commands to begin their reconnaissance and eventually move to a high-value asset. It's that lateral movement that you want to discover.

You need the ability to collect the data discussed above and the means to sift through it to find, alert on, and investigate it. You can use Windows Events to monitor various changes on a device and then filter that down.

Looking at the screenshots from our Ziften console shown below, you can see a clear difference between what our IT group used to push out changes across the network versus someone running a very similar command themselves. This could be much like what you find when someone did that remotely, say via an RDP session.






An interesting side note in these screenshots is that in all cases the Process Status is 'Terminated'. You wouldn't see this particular detail during a live investigation or if you were not continuously collecting the data. But since we collect all the information continuously, you have this historical data to look at. If you were seeing the Status as 'Running', that could indicate that somebody is on that system right now.

This only scratches the surface of what you should be collecting and how to evaluate what is right for your environment, which will of course differ from others. But it's a good place to start. Malicious actors intending to do you harm will typically look for the path of least resistance. Why build new and interesting tools when much of what they need is already there and ready to go?
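As an added example (not code from the original post or from Ziften), the following Python script shows one way to sift Windows Security events for the tools listed above: it reads constructed 4688 (process creation) and 4624 (logon) records, flags a watched tool when it runs outside an assumed IT deployment context, and notes when the session came in over RDP. The deployment account name, the agent image name and the one-event-per-line format are assumptions.

```python
"""Flag common admin tools in Windows process-creation events.

Added example, not Ziften's code. Field names follow the Security log's
4688 (process creation) and 4624 (logon) events; the one-event-per-line
"Key=Value" layout, the IT deployment account and the deployment agent
image are all assumptions for this illustration.
"""
import re
from dataclasses import dataclass

# The tools from the list above, keyed by the image name that appears in
# the NewProcessName field of a 4688 event.
WATCHED_TOOLS = {
    "netstat.exe": "network connection discovery",
    "powershell.exe": "scripting: system info, process kills, file changes",
    "wmic.exe": "WMI: move files, collect system details",
    "route.exe": "view local routing table (route print)",
    "net.exe": "accounts / users / groups / domains",
    "net1.exe": "accounts / users / groups / domains (net.exe helper)",
    "mstsc.exe": "RDP client",
    "at.exe": "scheduled jobs",
}

# Assumed legitimate context: the account and agent your IT group uses to
# push changes. Anything else running a watched tool gets a closer look.
IT_SERVICE_ACCOUNTS = {"svc-deploy"}
IT_PARENT_IMAGES = {"deployagent.exe"}
RDP_LOGON_TYPE = "10"  # 4624 LogonType 10 = RemoteInteractive (RDP)

# Constructed sample events: an IT push of "net user", then the same
# command typed by a user who logged on over RDP.
SAMPLE_EVENTS = r"""
EventID=4624 TimeCreated=2016-03-01T09:58:10 TargetUserName=svc-deploy TargetLogonId=0x3e7a1 LogonType=3
EventID=4688 TimeCreated=2016-03-01T10:00:01 SubjectUserName=svc-deploy SubjectLogonId=0x3e7a1 ParentProcessName="C:\Program Files\Deploy\deployagent.exe" NewProcessName=C:\Windows\System32\net.exe CommandLine="net user helpdesk /add"
EventID=4624 TimeCreated=2016-03-01T13:41:52 TargetUserName=jsmith TargetLogonId=0x5c2f0 LogonType=10
EventID=4688 TimeCreated=2016-03-01T13:42:30 SubjectUserName=jsmith SubjectLogonId=0x5c2f0 ParentProcessName=C:\Windows\System32\cmd.exe NewProcessName=C:\Windows\System32\net.exe CommandLine="net user helpdesk /add"
EventID=4688 TimeCreated=2016-03-01T13:43:02 SubjectUserName=jsmith SubjectLogonId=0x5c2f0 ParentProcessName=C:\Windows\System32\cmd.exe NewProcessName=C:\Windows\System32\netstat.exe CommandLine="netstat -an"
EventID=4688 TimeCreated=2016-03-01T14:05:00 SubjectUserName=jsmith SubjectLogonId=0x5c2f0 ParentProcessName=C:\Windows\explorer.exe NewProcessName=C:\Windows\System32\notepad.exe CommandLine=notepad
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    time: str
    user: str
    tool: str
    purpose: str
    command: str
    reasons: list


def parse_events(text):
    """Turn the Key=Value lines into a list of dicts (quoted values may hold spaces)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append({k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)})
    return events


def image_name(path):
    """Last path component, lower-cased: 'C:\\Windows\\System32\\net.exe' -> 'net.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious(events):
    """Return a Finding for every watched tool run outside the IT deployment context."""
    # Logon sessions that came in over RDP, so a later 4688 can be tied to
    # them via SubjectLogonId == TargetLogonId.
    rdp_sessions = {
        e["TargetLogonId"] for e in events
        if e.get("EventID") == "4624" and e.get("LogonType") == RDP_LOGON_TYPE
    }
    findings = []
    for e in events:
        if e.get("EventID") != "4688":
            continue
        tool = image_name(e.get("NewProcessName", ""))
        if tool not in WATCHED_TOOLS:
            continue
        user = e.get("SubjectUserName", "")
        parent = image_name(e.get("ParentProcessName", ""))
        reasons = []
        if user.lower() not in IT_SERVICE_ACCOUNTS:
            reasons.append(f"run by {user}, not an IT deployment account")
        if parent not in IT_PARENT_IMAGES:
            reasons.append(f"launched from {parent or 'unknown parent'}, not the deployment agent")
        if e.get("SubjectLogonId") in rdp_sessions:
            reasons.append("logon session came in over RDP (logon type 10)")
        if reasons:
            findings.append(Finding(e.get("TimeCreated", ""), user, tool,
                                    WATCHED_TOOLS[tool], e.get("CommandLine", ""), reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_events(SAMPLE_EVENTS)):
        print(f"{f.time} {f.user} ran {f.tool} ({f.purpose}): {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

The IT push is silent because the account, parent image and logon type all match the assumed baseline; the two RDP-session commands each produce a finding with three reasons.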

Chuck Leaver – Cyber Attacks Defined And What You Can Do To Prevent Them

Written By Chuck Leaver CEO Ziften

No company, however small or large, is immune from a cyber attack. Whether the attack starts from an external source or from an insider, no business is completely protected. I have lost count of the number of times senior managers at organizations have said to me, "why would anyone want to hack us?"

Cyber Attacks Can Take Many Forms

The proliferation of devices that can connect to organization networks (laptops, mobile phones and tablets) means an increased risk of security vulnerabilities. The aim of a cyber attack is to exploit those vulnerabilities.

One of the most common cyber attack methods is the use of malware. Malware is code with malicious intent and includes viruses, Trojans and worms. The aim of malware is typically to steal sensitive data or even damage computer networks. Malware often takes the form of an executable file that spreads across your network.

Malware is becoming far more advanced, and there is now rogue software that masquerades as legitimate security software designed to protect your network.

Phishing Attacks

Phishing attacks are also common. Most often it's an email sent from a supposedly "trusted authority" asking the user to supply personal data by clicking a link. Some of these phishing emails look very genuine and have fooled many users. If the link is clicked and data entered, the information will be stolen. Today an increasing number of phishing emails carry ransomware.

Password Attacks

A password attack is one of the most basic forms of cyber attack. An unauthorized third party attempts to get into your systems by "cracking" the login password. Software can be used to carry out brute force attacks that guess passwords, and the word combinations used for passwords can be compared against a dictionary file.

If an attacker gains access to your network through a password attack, they can easily introduce malware and cause a breach of your sensitive data. Password attacks are among the simplest to prevent, and strict password policies provide a highly effective barrier. Changing passwords regularly is also recommended.

Denial of Service

A Denial of Service (DoS) attack is all about causing maximum disruption of the network. Attackers send very high volumes of traffic through the network and typically make numerous connection requests. The result is an overloaded network that shuts down.

Cyber attackers can use multiple computers in DoS attacks to produce extremely high levels of traffic that overload the network. Recently the largest DoS attack in history used botnets against Krebs On Security. Endpoint devices connected to the network, such as PCs and laptops, are regularly hijacked and then contribute to the attack. If a DoS attack is experienced, it can have serious repercussions for network security.

Man in the Middle

Man in the middle attacks are carried out by impersonating endpoints of a network during an information exchange. Information can be stolen from the end user or even the server they are communicating with.

How Can You Completely Prevent Cyber Attacks?

Total prevention of cyber attacks is not possible with current technology, but there is a lot you can do to protect your network and your sensitive data. It is important not to think you can just buy and install a security software suite and then sit back. The more sophisticated cyber criminals are aware of all of the security software products on the market and have devised ways to overcome the safeguards they offer.

Strong and frequently changed passwords is a policy you need to adopt, and it is one of the simplest safeguards to put in place. Encryption of your sensitive data is another no-brainer. Beyond installing antivirus and anti-malware suites along with a good firewall, you should make sure regular backups are in place and that you have a data breach incident response/remediation plan in case the worst happens. Ziften helps organizations continuously monitor for threats that get through their defenses and act on them immediately to eliminate the risk entirely.

Chuck Leaver – If You Are A Security Pro Then Do This Before Cloud Migration

Written By Logan Gilbert And Posted By Chuck Leaver Ziften CEO

Concerns Over Compliance And Security Prevent Companies From Cloud Migration

Migrating parts of your IT operations to the cloud can look like a huge chore, and a risky one at that. Security holes, compliance record keeping, the danger of introducing errors into your architecture … cloud migration presents a lot of scary problems to deal with.

If you've been wary about moving, you're not alone, but help is on the way.

When Evolve IP surveyed 1,000+ IT pros earlier this year for their Adoption of Cloud Services North America report, 55 percent of respondents said that security is their biggest concern about cloud adoption. For businesses that don't already have some cloud presence, the number was even higher: 70%. The next biggest barrier to cloud adoption was compliance, cited by 40% of respondents. (That's up eleven percent this year.)

But here's the larger issue: if these concerns are keeping your organization out of the cloud, you cannot benefit from the performance and cost advantages of cloud services, which becomes a strategic obstacle for your whole organization. You need a way to migrate that also answers concerns about security, compliance, and operations.

Better Security in Any Environment With Endpoint Visibility

This is where endpoint visibility wins the day. Being able to see exactly what's happening with every endpoint gives you the visibility you need to improve security, compliance, and operational effectiveness when you move your data center to the cloud.

And I mean any endpoint: desktop computer, laptop, mobile phone, server, VM, or container.

As a longtime IT professional, I understand the temptation to believe you have more control over your servers when they're locked in a closet and you're the one who holds the keys. Even when you know that parts of your environment rely on kludges, they're your kludges, and they're stable. Plus, when you're running your own data center, unlike when you're in the cloud, you can use network taps and a whole host of monitoring tools to look at traffic on the wire, learn a great deal about who's talking to whom, and fix your issues.

But that level of information pales in comparison to endpoint visibility, in the cloud or the data center. The granularity and control of Ziften's system gives you far more control than you could ever get with a network tap. You can find malware and other issues anywhere (even off your network), isolate them immediately, then track them back to whichever user, application, device, or process was the weak link in the chain. Ziften gives you the ability to perform look-back forensics and to fix problems in much less time.

Removing Your Cloud Migration Nightmares

Endpoint visibility makes a huge difference whenever you're ready to migrate part of your environment to the cloud. By examining endpoint activity, you can establish a baseline inventory of your systems, clean out wildcard assets such as orphaned VMs, and hunt down vulnerabilities. That gets everything safe and stable within your own data center before your move to a cloud provider like AWS or Azure.

After you've moved to the cloud, continuous visibility into each user, application and device means you can administer all parts of your infrastructure better. You avoid wasting resources by preventing VM sprawl, and you have a comprehensive body of data to satisfy the audit requirements of NIST 800-53, HIPAA, and other compliance regimes.

When you're ready to move to the cloud, you're not doomed to weak security, incomplete compliance, or operational SNAFUs. Ziften's approach to endpoint security gives you the visibility you need for cloud migration without the headaches.

Chuck Leaver – Visibility Of Endpoint Security And Remediate Immediately

Written By Logan Gilbert And Presented By Chuck Leaver


Ziften assists with incident response, remediation, and investigation, even for endpoints off your network.

When incidents occur, security analysts need to act quickly and thoroughly.

With remote workforces and organizational "cloud" infrastructures, remediation and analysis on an endpoint present a really challenging task. Below, watch how you can use Ziften to take action on the endpoint and determine the source and spread of a compromise in minutes, no matter where the endpoints reside.

First, Ziften alerts you to malicious activity on endpoints and steers you to the cause of the alarm. In seconds, Ziften lets you take remediation actions on the endpoint, whether it's on the organization network, at an employee's home, or in the local coffee shop. Any remediation action you'd normally perform through direct access to the endpoint, Ziften provides through its web console.

Just that quickly, remediation is taken care of. Now you can apply your security knowledge to go threat hunting and do a bit of forensics work. You can immediately dive into far more detail about the process that caused the alert, then ask the important questions to discover how widespread the problem is and where it spread from. Ziften provides comprehensive incident remediation for security analysts.

See firsthand how Ziften can help your security team zero in on threats in your environment with our 30-day free trial.

Chuck Leaver – If You Want To Prevent Cyber Attacks Pay Attention To Endpoint Management

Written By Chuck Leaver, CEO Ziften

Recognize and manage any device that requires access to your business network.

As a company grows, so does its asset footprint, and this makes managing the entire set of IT assets a lot more difficult. IT management has changed from the days when IT asset management consisted of keeping records of devices such as printers, accounting for all installed applications and ensuring that anti-virus suites were updated.

Today, companies are under continuous threat of cyber attacks and of malicious code being used to infiltrate the business network. Numerous devices now have network access capabilities. Gone are the days when only desktop PCs connected to an organization network. Now there is a culture of bring your own device (BYOD) where cell phones, tablets and laptops are all likely to connect to the network. While this provides flexibility for organizations, with the ability for users to connect remotely, it opens up a whole new range of vulnerabilities, as these varied endpoints make the challenge of corporate IT security a great deal more complex.

What Is Endpoint Management?

It is essential that you take a policy-based approach to the endpoint devices connected to your network to lessen the risk of cyber attacks and data breaches. Using laptops, tablets, mobile phones and other devices may be convenient, but they can expose organizations to a wide array of security risks. The primary objective of a sound endpoint management strategy should be that network activity is thoroughly monitored and unauthorized devices cannot access the network.

Most endpoint management software will check that the device has an approved operating system and anti-virus software, and examine the device for up-to-date virtual private network software.

Endpoint management systems recognize and control any device that requires access to the business network. If anyone tries to access the enterprise environment from a non-compliant device they will be rejected. This is vital to combat attacks from cyber criminals and breaches by malicious groups.

Any device that does not comply with endpoint management policies is either quarantined or granted limited access. Local administrative rights may be removed and web browsing restricted.

Organizations Have The Ability To Do More

There are a number of methods a business can use as part of its endpoint management policy. These can include firewalls (both network and personal), encryption of sensitive data, stronger authentication methods, which should certainly include hard-to-crack passwords that are changed frequently, and device- and network-level anti-virus and anti-malware protection.

Endpoint management systems can work on a client/server basis, where software is deployed and centrally managed on a server. The client program has to be installed on all endpoint devices that are authorized to access the network. It is also possible to use a software as a service (SaaS) model of endpoint management, where the service provider hosts and maintains the server and the security applications remotely.

When a client device attempts to log in, the server-based application scans the device to see if it complies with the company's endpoint management policy, and then it verifies the user's credentials before access to the network is granted.

The Problem With Endpoint Management Systems

Most businesses see security software as a "complete cure", but it is not that clear cut. Endpoint security software bought as a set-and-forget solution will never suffice. The experienced hackers out there know about these software systems and are developing malicious code that evades the defenses a set-and-forget application can provide.

There has to be human intervention, and Jon Oltsik, contributor at Network World, said "CISOs need to take ownership of endpoint security and designate a group of experts who own endpoint security controls as part of a general duty for event prevention, detection, and response."

Ziften's endpoint security solutions offer the continuous monitoring and look-back visibility that a cyber security team needs to discover and act upon threats, to prevent malicious breaches from spreading and stealing the sensitive data of the business.

Chuck Leaver – Breach Defense Requires Endpoint Threat Detection Investment

Written By Chuck Leaver Ziften CEO



Preventing data breaches is difficult to achieve, but essential to prosper in the current business climate. With the large number of cyber criminals waiting in the wings to steal personal details, credit card information, and other important customer data, companies need to be aware of the high volume of threats to information online and take steps to prevent them. Using endpoint threat detection and response software is one of the best ways to address this problem, as it offers a simple way to defend against the variety of exploits hackers can use to gain access to a company network.

To build a better, more attack-proof system, developing strong back-end security is necessary. The New York Times' article on safeguarding data discusses a few very important steps that can make a big difference in keeping customer information from falling into the wrong hands. Some of the steps the article discusses include using point-of-sale systems for customer transactions only, dedicating one computer to all financial business, and keeping software up to date. These are wise pointers because they protect against a number of ways hackers like to breach systems. A PoS system that doesn't connect to the Internet except to send data to bank servers is more secure than one that isn't so limited, because it reduces the risk of a virus getting onto the network from the Internet. Making one computer the single access point for financial transactions and nothing else can keep viruses or other malicious monitoring software from getting in. In this way, a company can substantially protect its customers without actually taking on many additional expenses.

Make Sure That Security And Safety Come First

Property Casualty 360 has a similar list of suggestions, including automating patches to business systems, using encryption on all devices, enforcing strong passwords, and keeping an eagle-eyed approach to email. Encrypting information, especially financial information, is extremely important. Without encryption, it is possible for a hacker to obtain financial details stored as plain text very simply. Of course, strong endpoint threat response systems should be used to handle this risk, but security, like clothing in fall, is best when layered. Using a number of different strategies simultaneously greatly reduces the chance of a given organization's data being breached, which can, over time, make it much easier to protect against any kind of damage that could be done.

Many breaches occur not when a piece of malware has successfully planted itself on a server, but when an employee's email account has an insecure password. Dictionary words like "cat" or "password" should never be used. They are easy to crack and break in with, and they can lead to entire stores of data being stolen. Likewise, an employee accidentally sending a list of customers to someone without checking the intended recipients list can end up sending a whole trove of information to the wrong person, easily causing massive data loss. This kind of leakage needs to be prevented by solid training.

In response to the multitude of risks out there today, the best way to handle them is to use strong endpoint threat response systems to avoid losing crucial data. Using a wide variety of different security methods to protect against all inbound attacks is a wise way to make sure your organization is able to weather a variety of knocks. This kind of attitude can keep a company from being sunk by the large volume of attacks currently hitting companies.

Chuck Leaver – Who Is Watching The Watchers In Your Organization?

Written By Charles Leaver CEO Ziften



High-profile cyber attacks underline how a lack of auditing of existing compliance products can make the worst kind of headlines.

In the recent Java attacks on Facebook, Microsoft and Apple, along with other giants of the industry, the attackers didn't need to dig very deep into their playbooks to find a technique. As a matter of fact they used one of, if not the, oldest axioms in the book: they took a remote vulnerability in massively distributed software and exploited it to install remote-access capability. And in this case on an application that (A) wasn't the latest version and (B) probably didn't need to be running.

While the hacks themselves have been headline news, the methods companies can use to prevent or curtail them are quite boring stuff. We all hear "keep boxes current with patch management software" and "ensure conformity with compliance tools". That is industry standard and old news. But to pose a question: who is "watching the watchers"? The watchers in this case being compliance, patch and systems management technologies. I think Facebook and Apple discovered that just because a management system tells you that a software application is current doesn't mean you should believe it! Here at Ziften our results in the field say as much: we regularly uncover dozens of versions of the SAME major application running at Fortune 1000 sites, all of which, by the way, are using compliance and systems management products.

When it comes to the exploited Java plug-in, this was a MAJOR application with wide distribution. This is the kind of software that gets tracked by systems management, compliance and patch products. The lesson from this could not be clearer: having some kind of check against these products is necessary (just ask any of the organizations that were hacked…). But this only constitutes part of the problem; this is a major (arguably important) application we are talking about here. If companies struggle to get their arms around maintaining updates on known, licensed applications in use, then what about all the unknown and unneeded running applications and plug-ins and their vulnerabilities? Simply put: if you cannot even know what you are supposed to know, then how on Earth can you know about (and in this case secure) the things you don't know or aren't concerned about?


Chuck Leaver – Ziften Will Help Counter The Threat Of Extraneous Software

Written By Dr Al Hartmann And Presented By Chuck Leaver CEO Ziften

The truth about the PC ecosystem is that extraneous processes are everywhere and get onto enterprise computers by every ploy imaginable. Leading software ISVs and hardware OEMs and IHVs have no ethical qualms about burdening enterprise PCs with unneeded and unwanted software if they can grab a few royalty dollars on the side at your expense. This one popped up on my screen just today as I dealt with the recent headline-making Java security vulnerabilities.

Here is the setting: zero-day vulnerabilities were found just recently in Java, a key software component in many business applications. Department of Homeland Security experts advised turning Java off entirely, but that cuts off Java enterprise apps.

The option where Java is required (within many enterprises) is to update Java, an Oracle software product, to get at least the latest partial fixes from Oracle. But Oracle's installer defaults to installing unwanted extraneous software in the form of the Ask Toolbar, which many security-conscious but naïve users will assume is useful given the Oracle recommendation (and golly gee, there is no charge), even though browser add-ons are a notorious security risk.

Only Ziften combines security awareness with extraneous process identification and remediation capabilities to help businesses boost both their security and their performance-driving operating efficiency. Don't settle for half-measures that ignore extraneous processes multiplying throughout your business client landscape; employ Ziften to get visibility and control over your client population.


You Can Shine A Light On Security Blindspots With Ziften ZFlow – Chuck Leaver

Written By Andy Wilson And Presented By Chuck Leaver CEO Ziften

Over the past few years, many IT organizations have embraced the use of NetFlow telemetry (network connection metadata) to improve their security posture. There are many reasons for this: NetFlow is relatively inexpensive (vs. full packet capture); it's relatively easy to collect, as most Layer 3 network devices support NetFlow or the IANA standard called IPFIX; and it's simple to analyze using freeware or commercially available software. NetFlow can help overcome blind spots in the architecture and can provide much-needed visibility into what is really going on in the network (both internal and external). Flow data can also help in early detection of attacks (DoS and APT/malware) and can be used in baselining and anomaly detection techniques.

NetFlow can offer insight where little or no visibility exists. The majority of organizations are collecting flows at the core, WAN and Internet layers of their networks. Depending on routing schemes, localized traffic may not be accounted for: LAN-to-LAN activity, local broadcast traffic, and even east-west traffic inside the data center. Most organizations are not routing all the way down to the access layer and are thus generally blind to some degree in this segment of the network.

Carrying out full packet capture in this area is still not 100% feasible for a number of reasons. The solution is to implement endpoint-based NetFlow to restore visibility and provide essential extra context to the other flows being collected in the network. Ziften ZFlow telemetry originates from the endpoint (desktop, laptop, or server), so it does not rely on the network infrastructure to generate it. ZFlow supplies standard ISO Layer 3/4 data such as source and destination IP addresses and ports, but also provides additional important Layer 4-7 details such as the executable responsible for the network socket, the MD5 hash, PID and file path of the executable, the user responsible for launching the executable, and whether it was in the foreground or background. The latter are crucial details that network-based flows simply cannot supply.

This essential additional contextual data can help significantly reduce false positives and provide rich data to analysts, SOC personnel and incident handlers, allowing them to quickly investigate the nature of the network traffic and determine whether it's malicious or benign. Used in conjunction with network-based alerts (firewalls, IDS/IPS, web proxies and gateways), ZFlow can significantly reduce the time it takes to work through a security event. And we know that time to detect malicious behavior is a key factor in how successful an attack becomes. Dwell times have decreased in recent history but are still at unacceptable levels: currently over 230 days during which an attacker can roam undetected through your network harvesting your essential data.

Below is a screenshot that shows a port 80 connection to an Internet destination. Interesting facts about this connection that network-based tools might miss are that it was not initiated by a web browser, but rather by Windows PowerShell, and that it was initiated by the 'System' account and not the logged-in user. Both are very eye-catching to a security analyst, as it's not a false positive and would likely need much deeper investigation (at which point the analyst could pivot into the Ziften console and see deeper into that system's behavior: what actions or binaries were executed before and after the connection, process history, network activity and more).

Ziften's ZFlow shines a light on security blind spots and can provide the extra endpoint context of process, application and user attribution to help security personnel better understand what is actually happening in their environment. Combined with network-based events, ZFlow can help significantly reduce the time it takes to investigate and respond to security alerts and dramatically improve a company's security posture.
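As an added example (not Ziften's code or ZFlow's actual record format), this Python snippet shows the join the post describes: a network device's alert, which knows only the 5-tuple, is attributed to an endpoint-sourced flow record carrying the executable, MD5, PID, path, user and foreground flag, and then triaged on that context. The flow records, the proxy alert, the browser list and the placeholder hashes are all constructed.

```python
"""Attribute a network-only alert to the endpoint process behind it.

Added example, not Ziften's code. The ZFlow-style record mirrors the fields
the post lists (5-tuple plus executable, MD5, PID, path, user, foreground);
the sample flows, the proxy alert and the browser list are constructed.
"""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class ZFlowRecord:
    # Layer 3/4 fields that a router-sourced NetFlow record also carries
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    # Layer 4-7 context that only an endpoint-sourced flow can add
    exe: str
    exe_path: str
    md5: str
    pid: int
    user: str
    foreground: bool

    def five_tuple(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)


WEB_PORTS = {80, 443}
# Assumed set of executables expected to own web connections on these hosts.
EXPECTED_WEB_CLIENTS = {"chrome.exe", "firefox.exe", "iexplore.exe"}
SYSTEM_ACCOUNTS = {"system", "nt authority\\system"}

# Constructed sample telemetry; hashes are placeholders, not real values.
FLOWS = [
    ZFlowRecord("10.0.0.15", 51544, "203.0.113.10", 443, "tcp", "chrome.exe",
                r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "<md5-placeholder-1>", 4120, r"CORP\jsmith", True),
    ZFlowRecord("10.0.0.15", 51601, "198.51.100.77", 80, "tcp", "powershell.exe",
                r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "<md5-placeholder-2>", 2872, "SYSTEM", False),
    ZFlowRecord("10.0.0.22", 50012, "203.0.113.10", 443, "tcp", "firefox.exe",
                r"C:\Program Files\Mozilla Firefox\firefox.exe",
                "<md5-placeholder-3>", 3311, r"CORP\alee", True),
]

# A constructed alert from a web proxy, which only knows the 5-tuple.
PROXY_ALERTS = [
    {"src_ip": "10.0.0.15", "src_port": 51601, "dst_ip": "198.51.100.77",
     "dst_port": 80, "proto": "tcp", "rule": "constructed-proxy-rule: uncategorized destination"},
]


def triage(flow):
    """Reasons an analyst would want a closer look, judged from endpoint context alone."""
    reasons = []
    if flow.dst_port in WEB_PORTS and flow.exe.lower() not in EXPECTED_WEB_CLIENTS:
        reasons.append(f"web connection made by {flow.exe}, not a browser")
    if flow.user.lower() in SYSTEM_ACCOUNTS:
        reasons.append("initiated by the System account, not the logged-in user")
    if not flow.foreground and flow.dst_port in WEB_PORTS:
        reasons.append("process was running in the background")
    return reasons


def attribute_alert(alert, flows):
    """Join a network alert to the ZFlow record with the same 5-tuple, if any."""
    key = (alert["src_ip"], alert["src_port"], alert["dst_ip"], alert["dst_port"], alert["proto"])
    for flow in flows:
        if flow.five_tuple() == key:
            return flow
    return None


def enrich_alerts(alerts, flows):
    """Attach process, user and path context (and triage reasons) to each alert."""
    enriched = []
    for alert in alerts:
        flow = attribute_alert(alert, flows)
        enriched.append({
            "alert": alert,
            "endpoint": asdict(flow) if flow else None,
            "reasons": triage(flow) if flow else ["no endpoint flow matched the 5-tuple"],
        })
    return enriched


if __name__ == "__main__":
    for item in enrich_alerts(PROXY_ALERTS, FLOWS):
        ep = item["endpoint"]
        print(item["alert"]["rule"])
        if ep:
            print(f"  {ep['exe']} (pid {ep['pid']}, user {ep['user']}) at {ep['exe_path']}")
        for r in item["reasons"]:
            print(f"  - {r}")
```

The browser flows produce no triage reasons, while the proxy alert resolves to the background PowerShell connection made as SYSTEM, the case the screenshot discussion describes.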

Chuck Leaver – With The Ziften App For Splunk You Can Detect Superfish

Written By Ryan Hollman And Presented By Chuck Leaver CEO Ziften


Background: Lenovo admitted to pre-installing the Superfish adware on some consumer PCs, and unhappy customers are now taking the company to court over the matter, PCWorld reported. A proposed class action suit was filed late last week against Lenovo and Superfish, charging both companies with "deceptive" business practices and with making Lenovo PCs vulnerable to man in the middle attacks by pre-installing the adware.

Having trouble finding Superfish across your enterprise? With the Ziften App for Splunk, you can discover infected endpoints with a straightforward Splunk search. Just search your Ziften data and filter for the keyword "superfish". The query is just:

index=ziften superfish




The following image shows the results you would see in your Ziften App for Splunk if systems were infected. In this particular instance, we spotted several systems infected with Superfish.





The above results also make reference to the binary "VirtualDiscovery.exe". As it turns out, this is the core process responsible for the infections. Along with the Superfish root certificate and the VirtualDiscovery.exe binary, this software also lays down the following on the system:

A registry entry in:


INI and log files in:

%SystemRoot%\SysWOW64\VisualDiscovery.ini
%SystemRoot%\SysWOW64\VisualDiscoveryOff.ini
%SystemRoot%\System32\VisualDiscoveryOff.ini
%TEMP%\VisualDiscoveryr.log

Manual detection of Superfish can also be done on an endpoint directly from PowerShell with the following:

dir Cert:\ -Recurse | Where-Object Subject -match "superfish"

If the system is infected with Superfish, you will see results similar to the following image. If the system is clean, you will see no results.



Some analysts have stated that you can simply remove Superfish by removing the root certificate shown above with a PowerShell command such as:

dir Cert:\ -Recurse | Where-Object Subject -match "superfish" | Remove-Item

This removal does not persist across reboots. Simply removing the root cert does not work, as VirtualDiscovery.exe will re-install the root cert after a reboot of the system.

The simplest way to remove Superfish from your system is to update Microsoft's built-in antivirus product, Windows Defender. Shortly after the public became aware of Superfish, Microsoft updated Windows Defender to remediate Superfish.

Other removal methods exist, but updating Windows Defender is by far the simplest approach.