Check Out This Advanced Hunting With Windows Defender ATP – Chuck Leaver

Written By Josh Harrimen And Presented By Chuck Leaver


Following on from our recent partnership announcement with Microsoft, the Ziften Security Research group has started using a very useful part of the Windows Defender Advanced Threat Protection (Windows Defender ATP) Security Center platform. The Advanced Hunting feature lets users run queries against the data that has been sent in by products and tools, such as Ziften, to quickly find interesting behavior. These queries can be saved and shared among the Windows Defender ATP user base.

We have added a handful of shared queries so far, but the results are already quite interesting, and we like the ease of use of the hunting interface. Since Ziften sends endpoint data collected from macOS and Linux systems to Windows Defender ATP, we are focusing on those operating systems in our query development efforts to showcase the full coverage of the platform.

You can access the Advanced Hunting interface by selecting the database icon on the left-hand side, as shown below.

You can see the high-level schema at the top left of that page, with event tables such as ProcessCreation, Machineinfo, NetworkCommunication and others. We ran some recent malware within our Redlab and wrote queries to find that data and produce results for examination. One example was OceanLotus: we developed a few queries to find both the dropper and the files associated with this threat.

After running the queries, you get results that you can interact with.

On inspecting the results, we see some systems that have exhibited the behavior we searched for. When you select one of these systems, you can view the details of that particular system. From there you can view the alerts triggered and an event timeline. Details from the malicious process are shown in the image below.

Additional behavior-based queries can also be run. For instance, we executed another malicious sample that used a few techniques we then queried for. The screenshot directly below shows a query we ran when looking for the Gatekeeper program on macOS being disabled from the command line. While this could be a legitimate administrative action, it is certainly something you would want to know is happening within your environment.

From these query results, you can again select the system under examination and investigate the suspicious behavior further.
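As an added example (not a query from the original post), here is how the Gatekeeper hunt described above could be written in the Advanced Hunting query language. It assumes the table and column names of the Advanced Hunting schema of the time (ProcessCreationEvents with EventTime, ComputerName, AccountName, FileName, ProcessCommandLine and the InitiatingProcess* columns) and that Ziften's macOS process events land in that table; those names are assumptions, not taken from the post.

```kql
// Added example, not from the original post. Assumed 2018-era Advanced Hunting
// schema: ProcessCreationEvents with EventTime, ComputerName, AccountName,
// FileName, ProcessCommandLine, InitiatingProcessFileName and
// InitiatingProcessCommandLine. Finds Gatekeeper being switched off from the
// command line on macOS ("spctl --master-disable") in the last 30 days.
ProcessCreationEvents
| where EventTime > ago(30d)
| where FileName =~ "spctl"                              // the Gatekeeper policy tool
| where ProcessCommandLine contains "--master-disable"   // the disable switch
| project EventTime, ComputerName, AccountName,
          ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by EventTime desc
```

Because disabling Gatekeeper can be a legitimate administrative action, the query keeps the initiating process and the account so an analyst can separate a known management tool or administrator from an unexpected parent such as a shell spawned by a document viewer; the 30-day window is a short look-back and can be widened for a forensic review.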

This blog post is by no means an in-depth tutorial on using the Advanced Hunting feature within the Windows Defender Advanced Threat Protection platform. But we wanted to put something together quickly to share our excitement about how simple it is to use this feature to conduct your own custom threat hunting in a multi-system environment, across Linux, Windows and macOS systems.

We look forward to sharing more of our experiments and research using queries built with the Advanced Hunting feature. We will share our successes with everybody here, so stay tuned.

RSA 2018 Was Refreshing For A Number Of Reasons – Chuck Leaver

Written By Logan Gilbert And Presented By Chuck Leaver


After spending a few days with the Ziften team at the 2018 RSA Conference, my technology observation was: more of the same, the usual suspects and the usual buzzwords. Buzzwords like “AI”, “machine learning” and “predictive” were thoroughly worn out. Lots of attention was paid to prevention, to everyone’s favorite attack vector (email), and to everybody’s favorite vulnerability (ransomware).

The only surprise I encountered was a smattering of NetFlow analysis businesses: lots of smaller companies trying to make their mark using a very rich, but hard to work with, data set. Really cool stuff! Find the small booths and you’ll discover plenty of innovation. Now, in fairness to the bigger vendors, I know there are some really cool technologies there too, but RSA hardly lends itself to seeing through the buzzwords to real value.

The Buzz at RSA

I may have a biased view, given that Ziften has been partnering with Microsoft for the last six-plus months, but Microsoft appeared to play a much more prominent leading role at RSA this year. First, on Monday, Microsoft announced its all-new Intelligent Security Association, bringing together its security partners “to concentrate on defending customers in a world of increased threats” and, more significantly, reinforcing that defense through shared security intelligence across this ecosystem of partners. Ziften is of course proud to be a founding member of the Intelligent Security Association.

Furthermore, on Tuesday, Microsoft announced a groundbreaking partnership with many in the cybersecurity industry named the “Cybersecurity Tech Accord.” This accord calls for a “digital Geneva Convention” that sets standards of behavior for cyberspace, just as the Geneva Conventions set rules for the conduct of war in the physical world.

RSA Attendees

A truly interesting point to me, though, was the makeup of the expo audience itself. As I was also an exhibitor at RSA, I noted that among my visitors I saw more “suits” and fewer t-shirts.

OK, maybe not suits per se, but more security managers, directors, VPs, CISOs and security leaders than I recall seeing in the past. I was encouraged to see what I believe are business decision makers looking at security companies first hand, rather than delegating that task to their security team. From this audience I often heard the same themes:

– This is overwhelming.
– I can’t tell the difference between one technology and another.

RSA Absences

There were certainly fewer “technology trolls”. What, you might ask, are technology trolls? Well, as a vendor and security engineer, these are the guys (always men) who show up five minutes before the close of the day and drag you into a technical due-diligence exercise for an hour, or at least until the happy hour parties start. Their objective: absolutely nothing beneficial to anyone, and here I’m presuming that the troll actually works for a company, so nothing useful for the business that paid thousands of dollars for their attendance. The only thing gained is the troll’s self-affirmation that they are able to “beat down the vendor” with their technical expertise. I’m being harsh, but I’ve experienced the trolls from both sides, as a vendor and as a buyer, and back at the home office no one is basing buying decisions on troll recommendations. I can only presume that businesses send tech trolls to RSA and similar expos because they don’t want them in the office.

Discussions about Holistic Security

Which brings me back to the kind of people I did see a lot of at RSA: security-savvy (not just tech-savvy) security leaders who understand the business arguments and decisions behind security technologies. Not only are they influencers but often the business owners of security for their respective companies. Now, apart from the concerns mentioned above, these security leaders seemed less focused on a technology or a specific use case and more on a desire for “holistic” security. As we know, good security requires a combination of technologies, policy and practice. Security-savvy customers wanted to know how our technology fitted into their holistic solution, which is a refreshing change of dialog. As such, the types of questions I would hear were:

– How does your technology partner with other solutions I currently use?
– More importantly: does your business really buy into that partnership?

That last question is important; it is basically asking whether our partnerships are just fodder for a website, or whether we really have an understanding with our partner that the sum is greater than the parts.

The latter is what security professionals are looking for and need.

To Conclude

Overall, RSA 2018 was great from my viewpoint. Once you get past the jargon, much of the buzz centered on things that matter to customers, our industry, and us as people: security partner communities that add value, more holistic security through genuine partnership and meaningful integrations, and face-to-face conversations with business security leaders, not technology trolls.

Discovering Unmanaged Assets In Your Cloud Environment – Chuck Leaver

Written By Logan Gilbert And Presented By Chuck Leaver


We all recognize the image of the masked bad guy hunched over his computer late at night, accessing a corporate network, stealing valuable data and vanishing without a trace. We personify the opponent as smart, determined and crafty. But the truth is that the vast majority of attacks are made possible by simple human carelessness or recklessness, which makes the cyber criminal’s job an easy one. He is checking all the doors and windows constantly. All it takes is one mistake on your part and he gets in.

So what do we do? Well, you know the answer. We spend a large portion of our IT budget on defense-in-depth security systems designed to identify, deceive, fool or outright block the bad guys. Let’s park the discussion of whether or not we are winning that war, because there is a far easier war taking place: the one where the opponent enters your network, business-critical application, or IP/PII data through a vector you didn’t even know you had, the unmanaged asset, often described as Shadow IT.

Think this isn’t your company? A recent research study suggests the average business has 841 cloud apps in use. Surprisingly, most IT executives believe the number of cloud apps in use by their organization is around 30-40, meaning they are wrong by a factor of 20. The same report highlights that over 98% of cloud apps are not GDPR ready, and 95% of enterprise-class cloud apps are not SOC 2 ready.

Defining Unmanaged Assets/Shadow IT

Shadow IT is defined as any SaaS application used, by employees, departments or whole business units, without the knowledge or authorization of the business’s IT department. And the rise of ‘everything as a service’ has made it even easier for employees to access whatever software they feel is needed to make them more productive.

The Effect

Well-intentioned employees normally do not realize they are breaking business rules by spinning up a new server instance or downloading unauthorized apps or software. However, it happens. When it does, three problems can emerge:

1. Corporate standards within a company are compromised, since unauthorized software means each computer system has different capabilities.

2. Rogue software often comes with security flaws, putting the whole network at risk and making it much harder for IT to manage security risk.

3. Asset blind spots not only drive up security and compliance risks, they can increase legal risks. Data retention policies designed to limit legal liability are compromised when information is stored on unapproved cloud assets.

Three Key Considerations for Dealing With Unmanaged Asset Risk

1. First, deploy tools that can offer comprehensive visibility into all cloud assets, managed and unmanaged. Know which new virtual machines have been spun up this week, along with which other devices and applications each VM instance is communicating with.

2. Second, ensure your tooling can provide a continuous inventory of authorized and unauthorized virtual machines running in the cloud. Make certain you can see all IP connections made to each asset.

3. Third, for compliance and/or forensic analysis purposes, look for a solution that provides a record of any and all assets (virtual and physical) that have ever been on the network, not just a solution that is limited to currently active assets and a short look-back window.

Ziften’s approach to Unmanaged Asset Discovery

Ziften makes it easy to rapidly discover cloud assets that have been commissioned outside IT’s purview. And we do it continuously and with deep historic recall at your fingertips, including when each device first connected to the network, when it last appeared, and how often it reconnects. And if a virtual device is decommissioned, no problem: we still have all its historic behavior data.
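As an added example that ties the three considerations above to the Advanced Hunting data described in the first post (this is not Ziften’s own code or query), the following query builds a first-seen/last-seen inventory of every machine that reported in the look-back window, subtracts a managed-asset list, and adds how many distinct remote peers each unmanaged host talked to. The table and column names (MachineInfo with EventTime, MachineId, ComputerName and OSPlatform; NetworkCommunicationEvents with EventTime, MachineId and RemoteIP) and the two hostnames in the managed list are assumptions constructed for the example.

```kql
// Added example, not from the original post or from Ziften. Assumed 2018-era
// Advanced Hunting schema: MachineInfo (EventTime, MachineId, ComputerName,
// OSPlatform) and NetworkCommunicationEvents (EventTime, MachineId, RemoteIP).
// Constructed stand-in for the CMDB export of hosts IT knows about:
let managed = datatable(ComputerName:string)
    ["build-01", "web-prod-03"];
let lookback = 90d;                 // long enough to keep decommissioned VMs in view
// Consideration 3: every machine that ever reported in the window, active or not.
let seen = MachineInfo
| where EventTime > ago(lookback)
| summarize FirstSeen = min(EventTime),
            LastSeen  = max(EventTime),
            Heartbeats = count()    // how often the asset has checked in
            by MachineId, ComputerName, OSPlatform;
seen
// Consideration 2: keep only hosts that are NOT in the managed inventory.
| join kind=leftanti (managed) on ComputerName
// Consideration 1: who each unmanaged host has been talking to.
| join kind=leftouter (
    NetworkCommunicationEvents
    | where EventTime > ago(lookback)
    | summarize RemotePeers = dcount(RemoteIP) by MachineId
  ) on MachineId
| extend Status = iff(LastSeen < ago(7d), "decommissioned or dormant", "active"),
         NewThisWeek = FirstSeen > ago(7d)
| project ComputerName, OSPlatform, FirstSeen, LastSeen, Heartbeats,
          RemotePeers, Status, NewThisWeek
| order by FirstSeen desc
```

The leftanti join is what turns a plain inventory into an unmanaged-asset report: anything the endpoint data has seen but the managed list does not contain is, by definition, outside IT’s purview. Because the inventory is summarized from the full look-back window rather than from a live list, a VM that was spun up, used and torn down weeks ago still appears, flagged as dormant, which is the forensic recall the third consideration asks for.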

Recognize and protect hidden attack vectors originating from shadow IT, before a disaster. Know what’s going on in your cloud environment.