Monthly Archives: March 2017

Why You Need To Observe Command Activity To Uncover Threats – Charles Leaver

Written By Josh Harriman And Presented By Charles Leaver Ziften CEO


Repeating a concept in computer security is never a bad thing. As sophisticated as some attacks may be, you really have to look for and understand the use of common, readily available tools in your environment. These tools are typically used by your IT staff, would more than likely be whitelisted for use, and can be missed by security teams sifting through all the applications that ‘could’ be executed on an endpoint.

Once someone has penetrated your network, which can be done in a variety of ways (another post for another day), signs of these programs/tools running in your environment ought to be examined to ensure they are being used legitimately.

A few commands/tools and their features:

Netstat – Details on the current connections on the system. This may be used to identify other systems within the network.

Powershell – Built-in Windows command line feature that can perform a range of actions such as obtaining critical information about the system, killing processes, adding or removing files, and so on.

WMI – Another powerful built-in Windows feature. Can move files around and gather crucial system details.

Route Print – Command to view the local routing table.

Net – Includes accounts/users/groups/domains.

RDP (Remote Desktop Protocol) – Program to access systems remotely.

AT – Scheduled jobs.

Searching for activity from these tools can be time consuming and sometimes frustrating, but it is required to get a handle on who might be shuffling around in your network. And not just what is happening in real time, but in the past as well, to see a path somebody may have taken through the network. It’s typically not ‘patient zero’ that is the target, but once they get a foothold, they may use these tools and commands to start their reconnaissance and finally migrate to a high value asset. It’s that lateral movement that you want to discover.

You need to have the capability to gather the information discussed above and the means to sort through to find, alert, and examine this data. You can use Windows Events to track various modifications on a device then filter that down.
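As an added illustration (not from the original post and not Ziften’s console or code), here is a small Python script that does the triage described above over constructed process events: it matches the image name against the tools listed, notes whether the process is still Running or already Terminated, separates commands launched by an IT push agent from commands a person typed at a shell, and lists the hosts a user touched in time order so lateral movement stands out. The pipe-delimited event format, the parent process name used to recognise the push agent (ccmexec.exe is assumed here) and all of the sample events are assumptions.

```python
"""Added example: triage of built-in admin tool activity from process events."""
from datetime import datetime

# Tools from the post, keyed by the image name an endpoint agent would report.
# Assumption: image names arrive as bare, case-insensitive file names.
WATCHLIST = {
    "netstat.exe": "Netstat - current connections",
    "powershell.exe": "PowerShell",
    "wmic.exe": "WMI command-line client",
    "route.exe": "Route - local routing table",
    "net.exe": "Net - accounts/users/groups/domains",
    "net1.exe": "Net - accounts/users/groups/domains",
    "mstsc.exe": "RDP client",
    "at.exe": "AT - scheduled jobs",
}

# Assumption: commands launched by the IT push agent have this parent process.
MANAGEMENT_PARENTS = {"ccmexec.exe"}

# Constructed sample events (not real telemetry), pipe-delimited:
# timestamp|host|user|image|command line|parent image|process status
SAMPLE_EVENTS = [
    "2017-03-02T09:14:03|WS-017|CORP\\jdoe|outlook.exe|outlook.exe|explorer.exe|Terminated",
    "2017-03-02T09:16:41|WS-017|CORP\\jdoe|net.exe|net user helpdesk /add|cmd.exe|Terminated",
    "2017-03-02T09:17:05|WS-017|CORP\\jdoe|route.exe|route print|cmd.exe|Terminated",
    "2017-03-02T09:18:22|WS-017|CORP\\jdoe|netstat.exe|netstat -an|cmd.exe|Terminated",
    "2017-03-02T09:25:10|WS-017|CORP\\jdoe|mstsc.exe|mstsc /v:FS-02|explorer.exe|Running",
    "2017-03-02T09:26:30|FS-02|CORP\\jdoe|powershell.exe|powershell -c Get-Process|cmd.exe|Running",
    "2017-03-02T10:00:00|WS-018|CORP\\svc_sccm|powershell.exe|powershell -File patch.ps1|ccmexec.exe|Terminated",
]


def parse_event(line):
    ts, host, user, image, cmdline, parent, status = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image.lower(), "cmdline": cmdline,
            "parent": parent.lower(), "status": status}


def find_tool_activity(lines):
    """Return every event whose image is on the watchlist, annotated for triage."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        tool = WATCHLIST.get(ev["image"])
        if tool is None:
            continue
        findings.append({
            **ev,
            "tool": tool,
            # A Running status means someone may be on the box right now.
            "live": ev["status"] == "Running",
            # Same command, different origin: push agent vs. a person at a shell.
            "pushed_by_it": ev["parent"] in MANAGEMENT_PARENTS,
        })
    return findings


def lateral_path(findings, user):
    """Hosts a user ran watchlisted tools on, in time order, IT pushes excluded."""
    hosts = []
    for f in sorted(findings, key=lambda item: item["ts"]):
        if f["user"] == user and not f["pushed_by_it"]:
            if not hosts or hosts[-1] != f["host"]:
                hosts.append(f["host"])
    return hosts


def summarize(findings):
    return {
        "total": len(findings),
        "live": sum(1 for f in findings if f["live"]),
        "interactive": sum(1 for f in findings if not f["pushed_by_it"]),
    }


if __name__ == "__main__":
    found = find_tool_activity(SAMPLE_EVENTS)
    for f in found:
        state = "RUNNING " if f["live"] else "past    "
        origin = "IT push" if f["pushed_by_it"] else "interactive"
        print(f"{state}{f['ts']:%H:%M:%S} {f['host']:<7}{f['user']:<14}"
              f"{f['tool']:<38}[{origin}] {f['cmdline']}")
    print("path for CORP\\jdoe:", " -> ".join(lateral_path(found, "CORP\\jdoe")))
    print(summarize(found))
```

The parent-process test is deliberately crude: it only tells a push agent apart from an interactive shell, which is the distinction the screenshots below are about. In a real deployment you would swap in whatever your own management tooling looks like and feed the script from your continuously collected process history rather than a hard-coded list.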

Looking at some screenshots below from our Ziften console, you can see a quick distinction between what our IT group used to push out changes in the network, versus somebody running a very similar command themselves. This could be much like what you would find when somebody did that from a remote location, say through an RDP session.





An interesting side note in these screenshots is that in all cases the Process Status is ‘Terminated’. You would not see this particular information during a live examination if you were not continuously collecting the data. But since we are collecting all of the details continuously, you have this historical data to look at. If you were instead seeing the Status as ‘Running’, that could suggest that somebody is on that system right now.

This only scratches the surface of what you should be collecting and how to analyze what is right for your network, which obviously will differ from that of others. But it’s a good place to start. Malicious actors with intent to do you harm will generally look for the path of least resistance. Why develop new and interesting tools, when much of what they need is already there and ready to go?

Incident Response And Forensic Analysis Are Related Activities And Both Necessary – Charles Leaver

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


There may be a joke somewhere about the forensic analyst who was late to the incident response party. There is the seed of a joke in the idea at least, but of course you need to understand the differences between forensic analysis and incident response to appreciate the potential for humor.

Incident response and forensic analysis are related disciplines that can use similar tools and related data sets, but they also have some important differences. There are four especially important differences between forensic analysis and incident response:

– Objectives.
– Requirements for data.
– Group skills.
– Advantages.

The difference in the objectives of forensic analysis and incident response is perhaps the most crucial. Incident response is focused on identifying a quick (i.e., near real time) reaction to an immediate risk or concern. For instance, a house is on fire and the firefighters that show up to put that fire out are involved in incident response. Forensic analysis is typically carried out as part of a scheduled compliance, legal discovery, or law enforcement investigation. For example, a fire investigator might examine the remains of that house fire to determine the total damage to the home, the cause of the fire, and whether the root cause was such that other houses are also at risk. Simply put, incident response is focused on containment of a threat or problem, while forensic analysis is focused on a full understanding and thorough remediation of a breach.

A second major difference between the disciplines is the data resources needed to accomplish the goals. Incident response teams typically only need short-term data sources, often no more than a month or so, while forensic analysis teams normally require much longer lived logs and files. Bear in mind that the average dwell time of a successful attack is somewhere between 150 and 300 days.

While there is commonality in the personnel skills of forensic analysis and incident response teams, and in fact incident response is often considered a subset of the broader forensic discipline, there are important differences in job requirements. Both kinds of work require strong log analysis and malware analysis capabilities. Incident response requires the ability to quickly isolate an infected device and to establish methods to remediate or quarantine the device. Interactions tend to be with other operations and security staff members. Forensic analysis generally requires interactions with a much broader set of departments, including HR, compliance, operations and legal.

Not surprisingly, the perceived benefits of these activities also differ.

The ability to remove a threat on one device in near real time is a significant determinant in keeping breaches isolated and limited in impact. Incident response, and proactive threat hunting, is the first line of defense in security operations. Forensic analysis is incident response’s less glamorous relative. However, the benefits of this work are indisputable. A thorough forensic examination permits the remediation of all risks through careful analysis of a whole attack chain of events. And that is no laughing matter.

Do your endpoint security procedures accommodate both instant incident response, and long lasting historic forensic analysis?

First Part Of Why Edit Difference Is A Critical Detection Tool – Charles Leaver

Written By Jesse Sampson And Presented By Charles Leaver CEO Ziften


Why are the same techniques being used by attackers all of the time? The basic answer is that they continue to work. For instance, Cisco’s 2017 Cyber Security Report tells us that after years of decline, spam email with malicious attachments is once again on the rise. In that traditional attack vector, malware authors usually mask their activities by using a filename similar to a common system process.

There is not always a connection between a file’s name and its contents: anyone who has tried to hide sensitive information by giving it an uninteresting name like “taxes”, or changed the extension on a file attachment to get around e-mail rules, is aware of this. Malware creators understand this as well, and will typically name their malware to look like common system processes. For example, “explore.exe” is Internet Explorer, but “explorer.exe” with an extra “r” could be anything. It’s easy even for professionals to overlook this minor difference.

The opposite problem, known .exe files running in uncommon places, is easy to resolve using SQL sets and string functions.


What about the other scenario, discovering close matches to the executable name? Most people begin their search for near string matches by sorting the data and visually looking for discrepancies. This generally works well for a small set of data, maybe even a single system. To find these patterns at scale, however, requires an algorithmic approach. One established strategy for “fuzzy matching” is to use Edit Distance.

What’s the best technique for computing edit distance? For Ziften, our technology stack includes HP Vertica, which makes this job easy. The web is full of data scientists and data engineers singing Vertica’s praises, so it will suffice to mention that Vertica makes it easy to create custom functions that take advantage of its power – from C++ power tools, to statistical modeling scalpels in R and Java.

This Git repo is maintained by Vertica enthusiasts working in industry. It’s not a supported offering, but the Vertica team is certainly aware of it, and moreover is thinking every day about how to make Vertica more useful for data scientists – a great space to watch. Best of all, it contains a function to calculate edit distance! There are also some other tools for natural language processing here, like word tokenizers and stemmers.

By using edit distance on the top executable paths, we can quickly find the nearest match to each of our top hits. This is a fascinating data set, as we can sort by distance to find the closest matches over the whole dataset, or we can sort by frequency of the top path to see what the nearest match is to our commonly used processes. This data can also surface on contextual “report card” pages, to show, e.g., the top 5 nearest strings for a given path. Below is an example to give a sense of usage, based on real data ZiftenLabs observed in a customer environment.


Setting an upper limit of 0.2 seems to find good results in our experience, but the point is that these thresholds can be tuned to fit specific use cases. Did we find any malware? We see that “teamviewer_.exe” (should be simply “teamviewer.exe”), “iexplorer.exe” (should be “iexplore.exe”), and “cvshost.exe” (should be svchost.exe, unless perhaps you work for CVS pharmacy…) all look weird. Since we’re already in our database, it’s also trivial to get the associated MD5 hashes, Ziften suspicion scores, and other attributes to do a deeper dive.
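To make both checks concrete (the known names in unexpected directories mentioned earlier, and the edit-distance near matches with the 0.2 cutoff just described), here is an added Python example that is not Ziften’s Vertica function or any code from this post. It implements Levenshtein distance directly, normalises it by the longer string so that 0.2 means “within 20% of the name’s length”, and runs it over a constructed table of executable paths and counts; the per-name allowed directories and the path data are assumptions.

```python
"""Added example: spotting look-alike executable names and misplaced known names."""
import ntpath
from collections import Counter

# Constructed sample (not Ziften data): executable path -> times seen.
OBSERVED = {
    r"C:\Windows\System32\svchost.exe": 5400,
    r"C:\Windows\System32\cmd.exe": 3900,
    r"C:\Windows\explorer.exe": 1200,
    r"C:\Program Files\Internet Explorer\iexplore.exe": 830,
    r"C:\Program Files (x86)\TeamViewer\teamviewer.exe": 410,
    r"C:\Users\jdoe\AppData\Local\Temp\cvshost.exe": 3,
    r"E:\apps\iexplorer.exe": 2,
    r"E:\apps\teamviewer_.exe": 2,
    r"C:\Users\jdoe\Downloads\svchost.exe": 1,
}

# Assumption: directories where these well-known names are expected to live.
KNOWN_LOCATIONS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}


def edit_distance(a, b):
    """Levenshtein distance using a rolling two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalized_distance(a, b):
    """Distance divided by the longer string, so 0.2 means within 20% of its length."""
    return edit_distance(a, b) / max(len(a), len(b), 1)


def name_counts(observed):
    counts = Counter()
    for path, n in observed.items():
        counts[ntpath.basename(path).lower()] += n
    return counts


def nearest_matches(observed, top_n=5, threshold=0.2):
    """For each rare name, the top names it sits within `threshold` of, closest first."""
    counts = name_counts(observed)
    top = [name for name, _ in counts.most_common(top_n)]
    results = {}
    for name in counts:
        if name in top:
            continue
        hits = sorted(((t, normalized_distance(name, t)) for t in top),
                      key=lambda h: (h[1], h[0]))
        hits = [(t, d) for t, d in hits if d <= threshold]
        if hits:
            results[name] = hits
    return results


def misplaced_known(observed):
    """The opposite problem: a well-known name running outside its expected directory."""
    flagged = []
    for path in observed:
        allowed = KNOWN_LOCATIONS.get(ntpath.basename(path).lower())
        if allowed is not None and ntpath.dirname(path).lower() not in allowed:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for name, hits in nearest_matches(OBSERVED).items():
        print(name, "->", ", ".join(f"{t} ({d:.3f})" for t, d in hits))
    for path in misplaced_known(OBSERVED):
        print("misplaced:", path)
```

Two details are worth noticing when you run it. First, “iexplorer.exe” is one edit away from both “iexplore.exe” and “explorer.exe”, so the report lists both rather than silently picking one; that is why a “top 5 nearest strings” view is more useful than a single best match. Second, “cvshost.exe” is two edits from “svchost.exe”, which normalises to about 0.18, so it only appears because the cutoff is 0.2; lowering the threshold to 0.1 drops it, which is exactly the kind of tuning the paragraph above refers to.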


In this particular real world environment, it turned out that teamviewer_.exe and iexplorer.exe were portable applications, not known malware. We helped the customer with further investigation of the user and system where we observed the portable applications, since use of portable apps on a USB drive could be evidence of naughty activity. The more troubling find was cvshost.exe. Ziften’s intelligence feeds show that this is a suspect file. Searching for the MD5 hash of this file on VirusTotal confirms the Ziften data, showing that this is a potentially serious Trojan infection that may be part of a botnet or doing something even more destructive. Once the malware was discovered, however, it was easy to resolve the issue and make sure it stays resolved using Ziften’s ability to kill and continuously block processes by MD5 hash.

Even as we develop innovative predictive analytics to identify malicious patterns, it is necessary that we continue to enhance our capabilities to hunt for known patterns and old techniques. Just because brand new threats emerge doesn’t mean the old ones go away!

If you enjoyed this post, watch this space for part 2 of this series where we will apply this technique to hostnames to find malware droppers and other malicious websites.

Future Connected Devices Will Make Endpoints Harder To Detect And Increase Security Fears – Charles Leaver

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


It wasn’t long ago that everybody knew exactly what you meant if you raised the issue of an endpoint. If someone wanted to sell you an endpoint security solution, you understood exactly what devices that software was going to protect. However, when I hear someone casually talk about endpoints today, The Princess Bride’s Inigo Montoya comes to mind: “You keep using that word. I do not think it means what you think it means.” Today an endpoint could be almost any kind of device.

In truth, endpoints are so diverse today that people have reverted to calling them “things.” According to Gartner, at the close of 2016 there were over six billion “things” connected to the internet. The consulting firm anticipates that this number will shoot up to 21 billion by the year 2020. The business uses of these things will be both generic (e.g. connected light bulbs and A/C systems) and industry specific (e.g. oil well security monitoring). For IT and security teams charged with connecting and protecting endpoints, this is only half of the new challenge, however. The embrace of virtualization technology has redefined what an endpoint is, even in environments where these teams have traditionally operated.

The last decade has seen a huge change in the way end users access information. Physical devices continue to become more mobile, with many information workers now doing the majority of their computing and communication on laptops and mobile phones. More notably, everyone is becoming an information worker. Today, better instrumentation and monitoring has enabled levels of data collection and analysis that can make the insertion of information technology into practically any task profitable.

At the same time, more conventional IT assets, particularly servers, are being virtualized to remove some of the traditional restrictions of having those assets tied to physical devices.

These two trends together will affect security teams in important ways. The universe of “endpoints” will include billions of long-lived and insecure IoT endpoints as well as billions of virtual endpoint instances that will be scaled up and down as needed and migrated to various physical locations on demand.

Organizations will have very different concerns with these two general kinds of endpoints. Over their lifetimes, IoT devices will need to be secured from a host of threats, some of which have yet to be dreamed up. Monitoring and safeguarding these devices will require advanced detection capabilities. On the positive side, it will be possible to keep distinct log data to enable forensic investigation.

Virtual endpoints, on the other hand, present their own important concerns. The ability to move their physical location makes it far more challenging to ensure the right security policies are always attached to the endpoint. The practice of re-imaging virtual endpoints can make forensic investigation difficult, as important data is usually lost when a new image is applied.

So it doesn’t matter what word or phrase is used to describe your endpoints – endpoint, system, client device, user device, mobile device, server, virtual device, container, cloud workload, IoT device, and so on – it is important to understand precisely what someone means when they use the term endpoint.

Detection Capabilities Essential Post Compromise – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver CEO Ziften


If Prevention Has Failed Then Detection Is Essential

The final scene in the popular Vietnam War film Platoon depicts a North Vietnamese Army regiment in a surprise night time attack breaching the concertina wire perimeter of an American Army battalion, overrunning it, and butchering the shocked defenders. The desperate company commander, grasping their dire defensive dilemma, orders his air support to strike his own position: “For the record, it’s my call – Dump everything you’ve got left on my position!” Moments later the battlefield is immolated in a napalm hellscape.

Although a physical conflict, this illustrates two aspects of cybersecurity: (1) you need to deal with inevitable perimeter breaches, and (2) it can be absolute hell if you do not detect early and respond forcefully. MITRE Corporation has been leading the call for rebalancing cyber security priorities to place due focus on breach detection in the network interior instead of just concentrating on penetration prevention at the network perimeter. Rather than defense in depth, the latter produces a flawed “tootsie pop” defense – hard, crunchy shell, soft chewy center. Writing in a MITRE blog, “We could see that it would not be a question of if your network will be breached but when it will be breached,” explains Gary Gagnon, MITRE’s senior vice president, director of cybersecurity, and chief security officer. “Today, companies are asking ‘What length of time have the hackers been inside? How far have they got?’”

Some call this the “assumed breach” approach to cyber security, or as posted to Twitter by F-Secure’s Chief Research Officer:

Question: How many of the Fortune 500 are compromised? Answer: 500.

This is based upon the likelihood that any sufficiently complex cyber environment has an existing compromise, and that Fortune 500 enterprises are of magnificently complex scale.

Shift the Burden of Perfect Execution from the Defenders to the Attackers.

The traditional cyber security viewpoint, derived from the legacy perimeter defense model, has been that the attacker only needs to be right once, while the defender must be right all the time. An adequately resourced and persistent attacker will eventually achieve penetration. And time to successful penetration decreases with increasing size and complexity of the target enterprise.

A perimeter or prevention reliant cyber defense model essentially requires perfect execution by the defender, while delivering success to any sufficiently sustained attack – a recipe for certain cyber disaster. For instance, a leading cyber security red team reports successful enterprise penetration in under three hours in more than 90% of their client engagements – and these white hats are restricted to ethical means. Your enterprise’s black hat attackers are not so constrained.

To be practical, the cyber defense strategy must turn the tables on the attackers, shifting to them the unachievable burden of perfect execution. That is the rationale for a strong detection capability that constantly monitors endpoint and network behavior for any unusual indicators or observed attacker footprints inside the perimeter. The more sensitive the detection capability, the more care and stealth the attackers must exercise in perpetrating their kill chain sequence, and the more time and labor and skill they must invest. The defenders need only observe a single attacker misstep to uncover their tracks and unravel the attack kill chain. Now the defenders become the hunter, the attackers the hunted.

The MITRE ATT&CK Model.

MITRE provides a detailed taxonomy of attacker footprints, covering the post compromise segment of the kill chain, known by the acronym ATT&CK, for Adversarial Tactics, Techniques, and Common Knowledge. ATT&CK project team leader Blake Strom says, “We decided to focus on the post-attack period [portion of kill chain outlined in orange below], not only because of the strong possibility of a breach and the dearth of actionable details, but also because of the many opportunities and intervention points available for reliable defensive action that do not necessarily count on anticipation of enemy tools.”




As shown in the MITRE figure above, the ATT&CK model provides extra granularity on the post-compromise phases of the attack kill chain, breaking these out into ten tactic categories as shown. Each tactic category is further detailed into a list of techniques an attacker may employ in carrying out that tactic. The January 2017 model update of the ATT&CK matrix lists 127 techniques across its 10 tactic categories. For instance, Registry Run Keys / Start Folder is a technique in the Persistence category, Brute Force is a technique in the Credential Access category, and Command-Line Interface is a technique in the Execution category.

Leveraging Endpoint Detection and Response (EDR) in the ATT&CK Model.

Endpoint Detection and Response (EDR) solutions, such as Ziften provides, offer vital visibility into attacker use of techniques listed in the ATT&CK model. For instance, Registry Run Keys / Start Folder technique use is reported, as is Command-Line Interface use, since both involve readily observable endpoint behavior. Brute Force use in the Credential Access category should be blocked by design in any authentication architecture and be observable from the resulting account lockout. But even here the EDR product can report events such as failed login attempts, where an attacker may make a couple of guesses while staying under the account lockout attempt threshold.
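As an added example (not Ziften’s product code and not from the original post), the following Python shows what reporting two of these techniques can look like over constructed endpoint events: writes to the Run/RunOnce keys or the Startup folder are tagged as Registry Run Keys / Start Folder, and failed logons are counted per account inside a sliding time window so that bursts that stay just under the lockout threshold are still surfaced instead of being hidden by the absence of a lockout. The event field names, the lockout threshold of 5 and the window length are assumptions.

```python
"""Added example: surfacing two ATT&CK techniques from constructed endpoint events."""
import re
from datetime import datetime, timedelta

# Registry Run Keys / Start Folder: autostart locations an EDR agent can watch.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)(\\|$)", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Constructed sample events (not real telemetry). Field names are assumptions.
EVENTS = [
    {"ts": "2017-03-10T02:01:10", "host": "WS-021", "kind": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\jdoe\AppData\Roaming\upd.exe"},
    {"ts": "2017-03-10T02:02:00", "host": "WS-021", "kind": "registry_set",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Common\General", "value": "1"},
    {"ts": "2017-03-10T02:03:30", "host": "WS-021", "kind": "file_create",
     "path": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sync.lnk"},
    # Three failed logons for the admin account in eight minutes: under a lockout
    # threshold of 5, so no lockout fires, but still worth reporting.
    {"ts": "2017-03-10T02:05:00", "host": "FS-02", "kind": "logon_failure",
     "account": "CORP\\admin", "source": "WS-021"},
    {"ts": "2017-03-10T02:09:00", "host": "FS-02", "kind": "logon_failure",
     "account": "CORP\\admin", "source": "WS-021"},
    {"ts": "2017-03-10T02:13:00", "host": "FS-02", "kind": "logon_failure",
     "account": "CORP\\admin", "source": "WS-021"},
    # One typo by a user at the start of the day: below the reporting minimum.
    {"ts": "2017-03-10T08:30:00", "host": "WS-005", "kind": "logon_failure",
     "account": "CORP\\jdoe", "source": "WS-005"},
    # Six failures in under a minute: this one trips the lockout itself, so it
    # belongs to the lockout alert, not to the sub-threshold report.
    *[{"ts": f"2017-03-10T03:00:{s:02d}", "host": "FS-02", "kind": "logon_failure",
       "account": "CORP\\svc_backup", "source": "WS-021"} for s in range(0, 60, 10)],
]


def persistence_writes(events):
    """Events that touch an autostart location (Registry Run Keys / Start Folder)."""
    hits = []
    for ev in events:
        if ev["kind"] == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            hits.append({**ev, "technique": "Registry Run Keys / Start Folder"})
        elif ev["kind"] == "file_create" and STARTUP_DIR_RE.search(ev["path"]):
            hits.append({**ev, "technique": "Registry Run Keys / Start Folder"})
    return hits


def sub_threshold_failures(events, lockout_threshold=5, window_minutes=30, min_alert=2):
    """Accounts whose failed logons clustered inside one window but never reached lockout."""
    window = timedelta(minutes=window_minutes)
    by_account = {}
    for ev in events:
        if ev["kind"] == "logon_failure":
            by_account.setdefault(ev["account"], []).append(ev)
    alerts = []
    for account, evs in by_account.items():
        times = sorted(datetime.fromisoformat(e["ts"]) for e in evs)
        # Largest number of failures falling inside any single window.
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if min_alert <= peak < lockout_threshold:
            alerts.append({"account": account, "failures_in_window": peak,
                           "sources": sorted({e["source"] for e in evs})})
    return alerts


if __name__ == "__main__":
    for h in persistence_writes(EVENTS):
        print(h["technique"], "on", h["host"], "->", h.get("key") or h.get("path"))
    for a in sub_threshold_failures(EVENTS):
        print("sub-threshold failures:", a)
```

The two checks sit at opposite ends of the visibility spectrum the paragraph describes: the autostart writes are directly observable endpoint behaviour, while the logon failures only become interesting once they are counted over time and compared against the lockout policy that would otherwise be the sole signal.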

For attentive defenders, any technique use may be the attack giveaway that unravels the whole kill chain. EDR products compete based on their technique observation, reporting, and alerting abilities, along with their analytics potential to carry out more of the attack pattern detection and kill chain reconstruction, in support of the security analysts staffing the enterprise SOC. Here at Ziften we will lay out more of the EDR solution capabilities in support of the ATT&CK post compromise detection model in future blog posts in this series.

Latest RSA Conference Requires Vendors To Provide Security Solutions That Are Tailored – Charles Leaver

Written By Michael Vaughan And Presented By Charles Leaver Ziften CEO


More tailored solutions are needed by security, network and functional teams in 2017

Many of us have attended security conventions for years, but none bring the same high level of excitement as RSA – where security is discussed by the world. Of all the conventions I have attended and worked, nothing comes close to the passion for new technology people displayed this past week in good old San Francisco.

After taking a few days to absorb the lots of conversations about the needs and constraints with current security solutions, I’ve been able to synthesize a singular style amongst participants: People want personalized options that match their environment and work well throughout multiple internal teams.

When I refer to the term “individuals,” I suggest everybody in attendance despite technological segment. Operational experts, security professionals, network veterans, and even user behavior experts frequented the Ziften cubicle and shared their stories with us.

Everyone seemed more prepared than ever to discuss their wants and needs for their environment. These participants had their own set of objectives they wished to attain within their department and they were hungry for responses. Since the Ziften Zenith solution provides such broad visibility on business devices, it’s not unexpected that our booth stayed crowded with people eager to get more information about a brand-new, refreshingly easy endpoint security innovation.

Attendees came with complaints about myriad enterprise-centric security concerns and sought deeper insight into what’s truly happening on their network and on devices traveling in and out of the office.

End users of old-school security products are on the lookout for newer, more pivotal software.

If I could select just one of the regular questions I got at RSA to share, it’s this one:

“Just what is endpoint discovery?”

1) Endpoint discovery: Ziften reveals a historical view of unmanaged devices which have been connected to other business endpoints at some stage. Ziften permits users to find known and unknown entities which are active or have interacted with known endpoints.

a. Unmanaged Asset Discovery: Ziften uses our extension platform to expose these unknown entities operating on the network.

b. Extensions: These are custom-fit solutions tailored to the user’s specific desires and requirements. The Ziften Zenith agent can execute the designated extension one time, on a schedule or persistently.

Usually after the above description came the real reason they were participating in:

People are searching for a vast array of solutions for numerous departments, which includes executives. This is where operating at Ziften makes answering this question a treat.

Only a part of the RSA guests are security experts. I spoke with lots of network, operation, endpoint management, vice presidents, general managers and channel partners.

They clearly all use and comprehend the need for quality security software applications but seemingly find the translation to business value missing amongst security suppliers.

NetworkWorld’s Charles Araujo phrased the problem quite well in a post recently:

Organizations must also justify security data in a company context and handle it holistically as part of the total IT and company operating model. A group of suppliers is also attempting to tackle this obstacle …

Ziften was amongst only three companies discussed.

After listening to those wants and needs of individuals from various business critical backgrounds and describing to them the capabilities of Ziften’s Extension platform, I usually described how Ziften would regulate an extension to resolve their requirement, or I gave them a quick demo of an extension that would enable them to overcome a hurdle.

2) Extension Platform: Tailored, actionable services.

a. SKO Silos: Extensions based upon fit and requirement (operations, network, endpoint, etc).

b. Custom-made Requests: Require something you do not see? We can repair that for you.

3) Improved Forensics:

a. Security: Threat management, Danger Evaluation, Vulnerabilities, Suspicious metadata.

b. Operations: Compliance, License Justification, Unmanaged Assets.

c. Network: Ingress/Egress IP motion, Domains, Volume metadata.

4) Visibility within the network – Not just what comes in and goes out.

a. ZFlow: Finally see the network traffic inside your business.

Needless to say, everybody I spoke with in our cubicle quickly comprehended the vital value of having a solution such as Ziften Zenith running in and across their business.

Forbes writer, Jason Bloomberg, stated it very well when he recently described the future of business security software and how all signs point toward Ziften leading the way:

Maybe the broadest disturbance: vendors are enhancing their capability to understand how bad actors act, and can therefore take actions to prevent, detect or reduce their malicious activities. In particular, today’s suppliers understand the ‘Cyber Kill Chain’ – the steps a proficient, patient hacker (understood in the biz as an innovative consistent hazard, or APT) will require to attain his/her dubious objectives.

The product of U.S. Defense contractor Lockheed Martin, The Cyber Kill Chain contains seven links: reconnaissance, weaponization, delivery, exploitation, installation, establishing command and control, and actions on objectives.

Today’s more innovative suppliers target one or more of these links, with the objective of avoiding, finding or reducing the attack. Five suppliers at RSA emerged in this category.

Ziften provides an agent-based method to tracking the behavior of users, devices, applications, and network components, both in real-time along with throughout historic data.

In real time, analysts use Ziften for risk recognition and prevention, while they utilize the historical data to discover steps in the kill chain for mitigation and forensic purposes.