Threats Can Be Indicated By The Use Of Commands – Chuck Leaver

Written By Josh Harriman And Presented By Chuck Leaver Ziften CEO


The repeating of a theme when it concerns computer system security is never ever a negative thing. As sophisticated as some attacks may be, you truly need to watch for and comprehend making use of typical easily available tools in your environment. These tools are normally utilized by your IT staff and most likely would be whitelisted for use and can be missed by security groups mining through all the pertinent applications that ‘could’ be performed on an endpoint.

Once somebody has actually penetrated your network, which can be carried out in a variety of ways and another post for another day, indications of these programs/tools running in your environment should be looked at to guarantee correct usage.

A couple of commands/tools and their features:

Netstat – Information on the present connections on the system. This could be used to identify other systems within the network.

Powershell – Integrated Windows command line function and can carry out a range of activities such as obtaining vital info about the system, eliminating processes, including files or removing files and so on

WMI – Another effective integrated Windows utility. Can shift files around and gather important system info.

Route Print – Command to see the local routing table.

Net – Including users/domains/accounts/groups.

RDP (Remote Desktop Protocol) – Program to access systems remotely.

AT – Set up tasks.

Searching for activity from these tools can be time consuming and often be overwhelming, however is required to manage who might be shuffling around in your network. And not simply what is happening in real-time, however historically as well to see a path somebody may have taken through the network. It’s frequently not ‘patient zero’ that is the target, once they get a grip, they might use these tools and commands to start their reconnaissance and lastly migrate to a high worth asset. It’s that lateral movement that you would like to find.

You need to have the ability to gather the information discussed above and the ways to sort through to discover, alert, and examine this data. You can utilize Windows Events to monitor various changes on a device and after that filter that down.

Looking at some screen shots shown below from our Ziften console, you can see a quick distinction between what our IT group utilized to push out modifications in the environment, versus someone running a very similar command themselves. This may be much like what you find when somebody did that remotely say via an RDP session.





An intriguing side note in these screenshots is that in all cases, the Process Status is ‘Terminated’. You wouldn’t observe this specific information during a live examination or if you were not constantly gathering the data. But given that we are collecting all the information constantly, you have this historical data to look at. If in case you were observing the Status as ‘Running’, this could suggest that somebody is live on that system as of now.

This only touches the surface of what you must be collecting and how to evaluate what is correct for your environment, which of course will be distinct from that of others. However it’s a good place to start. Destructive actors with intent to do you harm will usually look for the path of least resistance. Why attempt and produce new and interesting tools, when a great deal of exactly what they need is currently there and all set to go.

Why Both Incident Response And Forensic Analysis Are Essential – Chuck Leaver

Written By Roark Pollock And Presented By Ziften CEO Chuck Leaver


There may be a joke somewhere regarding the forensic analyst that was late to the incident response party. There is the seed of a joke in the concept at least but of course, you need to understand the distinctions between forensic analysis and incident response to value the capacity for humor.

Forensic analysis and incident response are related disciplines that can utilize similar tools and related data sets however also have some crucial distinctions. There are four especially crucial differences between incident response and forensic analysis:

– Objectives.
– Data requirements.
– Team skills.
– Advantages.

The distinction in the goals of incident response and forensic analysis is possibly the most essential. Incident response is focused on identifying a fast (i.e., near real time) reaction to an immediate danger or issue. For instance, a home is on fire and the firemen that show up to put that fire out are associated with incident response. Forensic analysis is usually performed as part of an arranged compliance, legal discovery, or law enforcement examination. For example, a fire investigator might analyze the remains of that house fire to figure out the overall damage to the house, the reason for the fire, and whether the origin was such that other houses are likewise at risk. To puts it simply, incident response is focused on containment of a hazard or problem, while forensic analysis is concentrated on a full understanding and thorough removal of a breach.

A second significant distinction between the disciplines is the data resources required to attain the objectives. Incident response groups generally only require short term data sources, often no greater than a month or so, while forensic analysis teams usually need much longer lived logs and files. Bear in mind that the typical dwell time of an effective attack is somewhere between 150 and 300 days.

While there is commonness in the workers abilities of incident response and forensic analysis groups, and in fact incident response is often considered a subset of the border forensic discipline, there are very important distinctions in job requirements. Both kinds of research study require strong log analysis and malware analysis capabilities. Incident response requires the capability to quickly separate an infected device and to establish ways to reconcile or quarantine the device. Interactions have the tendency to be with other security and operations staff member. Forensic analysis typically needs interactions with a much broader set of departments, consisting of operations, legal, HR, and compliance.

Not surprisingly, the perceived benefits of these activities also vary.

The capability to eliminate a threat on one machine in near real-time is a significant determinate in keeping breaches separated and limited in effect. Incident response, and proactive threat searching, is the first defense line in security operations. Forensic analysis is incident responses’ less attractive relative. However, the advantages of this work are undeniable. An extensive forensic investigation permits the remediation of all hazards with the careful analysis of a whole attack chain of events. And that is no laughing matter.

Do your endpoint security procedures accommodate both instant incident response, and long-term historical forensic analysis?

First Part Of Why Edit Difference Is Important – Chuck Leaver

Written By Jesse Sampson And Presented By Chuck Leaver CEO Ziften


Why are the same tricks being utilized by assailants all of the time? The basic response is that they are still working today. For instance, Cisco’s 2017 Cyber Security Report informs us that after years of wane, spam e-mail with destructive attachments is once again growing. In that conventional attack vector, malware authors typically conceal their activities by using a filename much like a typical system procedure.

There is not always a connection with a file’s path name and its contents: anyone who has aimed to hide delicate details by providing it a boring name like “taxes”, or changed the extension on a file attachment to circumvent e-mail guidelines is aware of this principle. Malware creators understand this too, and will typically name malware to resemble common system procedures. For example, “explore.exe” is Internet Explorer, however “explorer.exe” with an additional “r” could be anything. It’s easy even for professionals to ignore this minor distinction.

The opposite problem, known.exe files running in uncommon locations, is simple to fix, utilizing string functions and SQL sets.


How about the other case, discovering close matches to the executable name? Most people start their search for near string matches by arranging data and visually looking for disparities. This usually works well for a little set of data, maybe even a single system. To discover these patterns at scale, nevertheless, needs an algorithmic method. One recognized technique for “fuzzy matching” is to utilize Edit Distance.

What’s the best method to calculating edit distance? For Ziften, our technology stack includes HP Vertica, which makes this job easy. The web has lots of data researchers and data engineers singing Vertica’s praises, so it will be adequate to discuss that Vertica makes it simple to develop custom functions that maximize its power – from C++ power tools, to statistical modeling scalpels in R and Java.

This Git repo is kept by Vertica lovers working in industry. It’s not an official offering, however the Vertica team is absolutely aware of it, and moreover is thinking every day about ways to make Vertica better for data scientists – a great space to view. Best of all, it contains a function to compute edit distance! There are also some other tools for the natural processing of langauge here like word tokenizers and stemmers.

By using edit distance on the leading executable paths, we can quickly find the closest match to each of our top hits. This is an intriguing data-set as we can sort by distance to discover the nearest matches over the whole dataset, or we can sort by frequency of the top path to see what is the closest match to our frequently used procedures. This data can likewise appear on contextual “report card” pages, to reveal, e.g. the top 5 nearest strings for a given path. Below is a toy example to give a sense of use, based on real data ZiftenLabs observed in a client environment.


Setting an upper limit of 0.2 seems to discover excellent results in our experience, but the take away is that these can be adapted to fit specific usage cases. Did we find any malware? We notice that “teamviewer_.exe” (needs to be just “teamviewer.exe”), “iexplorer.exe” (must be “iexplore.exe”), and “cvshost.exe” (should be svchost.exe, unless maybe you work for CVS pharmacy…) all look strange. Considering that we’re currently in our database, it’s likewise trivial to obtain the associated MD5 hashes, Ziften suspicion scores, and other attributes to do a deeper dive.


In this specific real life environment, it turned out that teamviewer_.exe and iexplorer.exe were portable applications, not known malware. We helped the client with additional investigation on the user and system where we observed the portable applications considering that use of portable apps on a USB drive could be evidence of naughty activity. The more troubling find was cvshost.exe. Ziften’s intelligence feeds indicate that this is a suspect file. Searching for the md5 hash for this file on VirusTotal validates the Ziften data, suggesting that this is a possibly serious Trojan virus that may be part of a botnet or doing something even more malicious. Once the malware was discovered, nevertheless, it was easy to fix the problem and make sure it remains resolved using Ziften’s ability to kill and constantly block procedures by MD5 hash.

Even as we develop innovative predictive analytics to identify destructive patterns, it is very important that we continue to improve our abilities to hunt for recognized patterns and old techniques. Just because brand new dangers emerge doesn’t mean the old ones disappear!

If you liked this post, watch this space for the second part of this series where we will apply this technique to hostnames to find malware droppers and other malicious websites.

Endpoint Protection Will Be A Major Challenge Once Connected Devices Increase – Chuck Leaver

Written By Roark Pollock And Presented By Ziften CEO Chuck Leaver


Just a short time ago everybody understood exactly what you suggested if you raised the issue of an endpoint. If someone wished to offer you an endpoint security solution, you knew what devices that software application was going to safeguard. But when I hear someone casually mention endpoints today, The Princess Bride’s Inigo Montoya comes to mind: “You keep utilizing that word. I don’t think it means exactly what you believe it means.” Today an endpoint could be almost any kind of device.

In truth, endpoints are so diverse today that individuals have taken to calling them “things.” In accordance with Gartner at the close of 2016 there were more than six billion “things” linked to the web. The consulting firm predicts that this number will shoot up to 21 billion by the year 2020. Business uses of these things will be both generic (e.g. linked light bulbs and A/C systems) and industry specific (e.g. oil rig security monitoring). For IT and security teams responsible for connecting and safeguarding endpoints, this is just half of the new challenge, however. The acceptance of virtualization technology has redefined exactly what an endpoint is, even in environments where these groups have typically run.

The previous decade has seen a massive change in the way end users gain access to info. Physical devices continue to become more mobile with numerous info workers now doing the majority of their computing and interaction on laptops and mobile phones. More significantly, everybody is ending up being an information employee. Today, much better instrumentation and monitoring has allowed levels of data collection and analysis that can make the insertion of information technology into nearly any job rewarding.

At the same time, more conventional IT assets, particularly servers, are becoming virtualized to remove some of the conventional limitations in actually having those assets tied to physical devices.

These 2 patterns together will affect security groups in important ways. The totality of “endpoints” will consist of billions of long-lived and unsecure IoT endpoints along with billions of virtual endpoint instances that will be scaled up and down as needed as well as moved to various physical areas as needed.

Enterprises will have very different worries about these 2 general kinds of endpoints. Over their life times, IoT devices will need to be secured from a host of hazards a few of which have yet to be thought up. Monitoring and protecting these devices will need sophisticated detection capabilities. On the plus side, it will be possible to maintain well-defined log data to make it possible for forensic investigation.

Virtual endpoints, on the other hand, provide their own crucial issues. The ability to move their physical location makes it a lot more hard to ensure appropriate security policies are constantly connected to the endpoint. The practice of re-imaging virtual endpoints can make forensic investigation tough, as important data is generally lost when a new image is applied.

So no matter what word or words are utilized to explain your endpoints – endpoint, systems, user device, client device, mobile device, server, virtual machine, container, cloud workload, IoT device, and so on – it is essential to comprehend exactly what somebody implies when they utilize the term endpoint.

If You Have Been Compromised Then Detection Is Vital – Chuck Leaver

Written By Dr Al Hartmann And Presented By Chuck Leaver CEO Ziften


If Prevention Has Stopped working Then Detection Is Essential

The final scene in the well known Vietnam War film Platoon portrays a North Vietnamese Army regiment in a surprise night time attack breaching the concertina wire boundary of an American Army battalion, overrunning it, and butchering the stunned defenders. The desperate company leader, comprehending their dire defensive issue, orders his air support to strike his own position: “For the record, it’s my call – Dispose everything you have actually got left on my position!” Minutes later on the battleground is immolated in a napalm hellscape.

Although physical conflict, this illustrates 2 elements of cyber security (1) You have to deal with inevitable perimeter breaches, and (2) It can be absolute hell if you do not find early and respond forcefully. MITRE Corporation has been leading the call for re-balancing cybersecurity priorities to position due emphasis on detecting breaches in the network interior instead of simply focusing on penetration prevention at the network perimeter. Instead of defense in depth, the latter produces a flawed “tootsie pop” defense – hard, crunchy shell, soft chewy center. Writing in a MITRE blog, “We might see that it wouldn’t be a question of if your network will be breached however when it would be breached,” discusses Gary Gagnon, MITRE’s senior vice president, director of cyber security, and chief security officer. “Today, companies are asking ‘For how long have the trespassers been within? How far have they gone?'”.

Some call this the “presumed breach” approach to cybersecurity, or as published to Twitter by F-Secure’s Chief Research study Officer:.

Question: How many of the Fortune 500 are jeopardized – Response: 500.

This is based upon the likelihood that any sufficiently complicated cyber environment has an existing compromise, and that Fortune 500 enterprises are of magnificently complex scale.

Shift the Problem of Perfect Execution from the Protectors to the Hackers.

The traditional cyber security perspective, originated from the legacy boundary defense design, has been that the hacker only has to be right once, while the defender should be right each time. An adequately resourced and persistent hacker will eventually accomplish penetration. And time to successful penetration decreases with increasing size and intricacy of the target business.

A border or prevention reliant cyber defense model basically requires the best execution by the protector, while ceding success to any adequately sustained attack – a plan for specific cyber disaster. For instance, a leading cyber security red group reports effective enterprise penetration in under three hours in more than 90% of their customer engagements – and these white hats are limited to ethical methods. Your business’s black hat hackers are not so constrained.

To be feasible, the cyber defense strategy needs to turn the tables on the attackers, moving to them the unreachable problem of best execution. That is the rationale for a strong detection capability that constantly monitors endpoint and network behavior for any unusual signs or observed enemy footprints inside the boundary. The more delicate the detection capability, the more caution and stealth the enemies must exercise in committing their kill chain series, and the more time and labor and talent they should invest. The protectors require but observe a single attacker footfall to discover their foot tracks and unwind the attack kill chain. Now the defenders end up being the hunter, the opponents the hunted.

The MITRE ATT&CK Design.

MITRE supplies an in-depth taxonomy of opponent footprints, covering the post compromise segment of the kill chain, known by the acronym ATT&CK, for Adversarial Tactics, Techniques, and Common Knowledge. ATT&CK task team leader Blake Strom states, “We chose to concentrate on the post-attack duration [part of kill chain lined in orange below], not just because of the strong likelihood of a breach and the scarcity of actionable info, but also because of the many opportunities and intervention points readily available for efficient defensive action that do not always depend on prior knowledge of adversary tools.”




As displayed in the MITRE figure above, the ATT&CK design provides additional granularity on the attack kill chain post compromise phases, breaking these out into ten strategy classifications as revealed. Each tactic category is additionally detailed into a list of methods an opponent might use in carrying out that technique. The January 2017 design update of the ATT&CK matrix lists 127 strategies throughout its ten strategy categories. For example, Computer registry Run Keys/ Start Folder is a strategy in the Determination classification, Brute Force is a technique in the Qualifications category, and Command Line Interface is a method in the Execution classification.

Leveraging Endpoint Detection and Response (EDR) in the ATT&CK Design.

Endpoint Detection and Response (EDR) products, such as Ziften supplies, use crucial visibility into attacker usage of methods noted in the ATT&CK model. For example, Registry Run Keys/ Start Folder strategy use is reported, as is Command Line Interface use, given that these both involve easily observable endpoint behavior. Strength usage in the Qualifications category must be blocked by design in each authentication architecture and be observable from the resulting account lockout. But even here the EDR solution can report occasions such as unsuccessful login attempts, where an opponent may have a few guesses to try, while remaining under the account lockout attempt limit.

For mindful defenders, any strategy use may be the attack giveaway that deciphers the whole kill chain. EDR solutions contend based upon their method observation, reporting, and informing abilities, as well as their analytics potential to carry out more of the attack pattern detection and kill chain restoration, in support of safeguarding security experts staffing the business SOC. Here at Ziften we will lay out more of EDR solution capabilities in support of the ATT&CK post compromise detection model in future blogs in this series.

Tailored Security Solutions Are Required Says The 2017 RSA – Chuck Leaver

Written By Michael Vaughan And Presented By Chuck Leaver Ziften CEO


More tailored options are required by security, network and functional teams in 2017

Many of us have participated in security conventions for many years, however none bring the very same high level of enjoyment as RSA – where the world talks security. Of all the conventions I have actually participated in and worked, absolutely nothing comes close the enthusiasm for brand-new technology people exhibited this previous week in good old San Francisco.

After taking a few days to digest the lots of discussions about the requirements and restrictions with present security tech, Ihave actually been able to synthesize a particular style amongstguests: People desire personalized solutions that fit their environment and work well across multiple internal groups.

When I refer to the term “individuals,” I suggest everyone in attendance regardless of technological segment. Operational specialists, security pros, network veterans, and even user habits experts frequented the Ziften booth and shared their experiences.

Everyone seemed more ready than ever to discuss
their needs and wants for their environment. These attendees had their own set of goals they wanted to achieve within their department and they were desperate for answers. Because the Ziften Zenith option provides such broad visibility on business devices, it’s not surprising that our booth remained crowded with individuals eager to find out more about a brand-new, refreshingly simple endpoint security technology.

Participants included complaints about myriad enterprise centric security issues and sought deeper insight into exactly what’s truly occurring on their network and on devices traveling in and out of the workplace.

End users of old-school security solutions are on the look
out for a newer, more essential software.

If I could select just one of the frequent questions I received at RSA to share, it’s this one:

” Exactly what is endpoint discovery?”

1) Endpoint discovery: Ziften reveals a historical view of
unmanaged devices which have actually been linked to other
business endpoints at some time. Ziften permits users to find known
and unidentified entities which are active or have been
interactive with recognized endpoints.

a. Unmanaged Asset Discovery: Ziften uses our extension platform to reveal these unknown entities running on the network.

b. Extensions: These are custom fit options customized to the user’s particular wants and requirements. The Ziften Zenith agent can execute the designated extension one time, on a schedule or on a continuous basis.

Generally after the above explanation came the real reason they were attending:

Individuals are searching for a vast array of solutions for various departments, which includes executives. This is where working
at Ziften makes addressing this question a real treat.

Only a part of the RSA participants are security professionals. I spoke with dozens of network, operation, endpoint management, vice presidents, general supervisors and channel partners.

They plainly all utilize and understand the requirement for quality security software however seemingly find the translation to company worth missing out amongst security suppliers.

NetworkWorld’s Charles Araujo phrased the issue rather
well in an article a short article last week:

Enterprises must likewise rationalize security data in a company context and handle it holistically as part of the general IT and business operating model. A group of suppliers is also attempting to tackle this challenge …

Ziften was among only three companies mentioned.

After paying attention to those wants and needs
of people from numerous business-critical backgrounds and describing to them the abilities of Ziften’s Extension platform, I generally described how Ziften would regulate an extension to resolve their requirement, or I gave them a brief demonstration of an extension that would allow them to overcome an obstacle.

2) Extension Platform: Tailored, actionable services.

a. SKO Silos: Extensions based upon fit and need (operations, network, endpoint, etc).

b. Custom-made Requests: Require something you can’t see? We can fix that for you.

3) Enhanced Forensics:

a. Security: Danger management, Threat Assessment, Vulnerabilities, Metadata that is suspicious.

b. Operations: Compliance, License Rationalization, Unmanaged Assets.

c. Network: Ingress/Egress IP movement, Domains, Volume metadata.

4) Visibility within the network– Not simply what enters and leaves.

a. ZFlow: Finally see the network traffic inside your business.

Needless to say, everybody I spoke with in our
cubicle quickly understood the important benefit of having a product such as Ziften Zenith running in and across their enterprise.

Forbes author, Jason Bloomberg, stated it best when
he recently explained the future of enterprise security software applications and how all signs point toward Ziften leading the way:

Maybe the broadest disturbance: vendors are enhancing their capability to comprehend how bad actors behave, and can hence take actions to prevent, find or reduce their malicious activities. In particular, today’s vendors understand the ‘Cyber Kill Chain’ – the steps a skilled, patient hacker (known in the biz as an advanced consistent threat, or APT) will require to achieve his/her nefarious goals.

The product of U.S. Defense professional Lockheed Martin,
The Cyber Kill Chain contains seven links: reconnaissance, weaponization, delivery, exploitation, setup, establishing command and control, and actions on objectives.

Today’s more ingenious vendors target one or more of these links, with the goal of avoiding, discovering or reducing the attack. Five vendors at RSA emerged in this classification.

Ziften provides an agent based technique to tracking the habits of users, devices, applications, and network components, both in real time as well as throughout historic data.

In real-time, experts utilize Ziften for hazard identification and avoidance, while they utilize the historical data to discover steps in the kill chain for mitigation and forensic purposes.