Monthly Archives: May 2018

Charles Leaver – How To Do Advanced Hunting With Windows Defender ATP

Written By Josh Harriman And Presented By Charles Leaver

Following on the heels of our recent partnership announcement with Microsoft, the Ziften Security Research team has started using a very useful part of the Windows Defender Advanced Threat Protection (Windows Defender ATP) Security Center platform. The Advanced Hunting feature lets users run queries against the data sent in by products and tools, such as Ziften, to find interesting behaviors quickly. These queries can be saved and shared among the community of Windows Defender ATP users.

We have contributed a handful of shared queries so far, but the results are already quite interesting, and we like the ease of use of the hunting interface. Because Ziften sends endpoint data gathered from macOS and Linux systems to Windows Defender ATP, we are focusing on those operating systems in our query development efforts, to showcase the full coverage of the platform.

You can access the Advanced Hunting interface by selecting the database icon on the left-hand side, as shown below.

You can see the high-level schema at the top left of that page, with event tables such as ProcessCreation, MachineInfo, NetworkCommunication and others. We ran some recent malware within our Redlab and built some queries to find that data and produce results for investigation. One such sample was OceanLotus. We developed a small number of queries to find both the files and the dropper associated with this threat.

After running the queries, you get results that you can interact with.

On reviewing the results, we see some systems that have exhibited the behavior we searched for. When you select one of these systems, you can see the details of the system under investigation. From there you can view the alerts triggered and an event timeline. Details of the malicious process are shown below.

Additional behavior-based queries can also be run. For example, we ran another malicious sample that used a few techniques, and then queried for those techniques. The screenshot directly below shows a query we ran to look for the Gatekeeper program on macOS being disabled from the command line. While this may be an administrative action, it is certainly something you would want to know is happening within your environment.

From these query results, you can again select the system in question and further investigate the suspicious behavior.
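The Gatekeeper hunt above, reproduced offline as an added example (not a query from the post or from Ziften): it evaluates constructed ProcessCreation-style events, whose field names are an assumption modelled loosely on the Advanced Hunting schema, and groups hits per machine so an analyst can pivot to the system, tagging rather than dropping hits from assumed management tooling.

```python
"""Offline mirror of a hunt for Gatekeeper being disabled from the command line."""
from collections import defaultdict
import shlex

# Constructed sample events; not real telemetry and not the Advanced Hunting schema.
EVENTS = [
    {"time": "2018-05-02T09:14:03Z", "machine": "mac-design-01", "os": "macOS",
     "file": "spctl", "cmdline": "spctl --master-disable",
     "parent": "bash", "user": "jdoe"},
    {"time": "2018-05-02T09:15:10Z", "machine": "mac-design-01", "os": "macOS",
     "file": "spctl", "cmdline": "spctl --status",
     "parent": "bash", "user": "jdoe"},
    {"time": "2018-05-02T11:02:44Z", "machine": "mac-ops-07", "os": "macOS",
     "file": "spctl", "cmdline": "spctl --master-disable",
     "parent": "jamf", "user": "root"},
    # Linux event whose command line merely mentions the string: must not match.
    {"time": "2018-05-02T12:00:00Z", "machine": "lnx-build-03", "os": "Linux",
     "file": "bash", "cmdline": "bash -c 'echo spctl --master-disable'",
     "parent": "sshd", "user": "ci"},
]

# Parent processes an admin team might expect to run spctl (assumed allow-list,
# used only to tag hits for triage; tune it to your own environment).
MANAGEMENT_PARENTS = {"jamf"}


def gatekeeper_disabled(event):
    """True only when spctl itself is invoked with the flag that turns Gatekeeper off."""
    if event["os"] != "macOS" or event["file"] != "spctl":
        return False
    argv = shlex.split(event["cmdline"])
    return "--master-disable" in argv[1:]


def hunt(events):
    """Return {machine: [(time, user, parent, tag), ...]} for every hit.

    Hits from assumed management tooling are tagged, not filtered, because
    the post notes an administrative action is still worth knowing about.
    """
    hits = defaultdict(list)
    for ev in events:
        if gatekeeper_disabled(ev):
            tag = "admin-tooling" if ev["parent"] in MANAGEMENT_PARENTS else "review"
            hits[ev["machine"]].append((ev["time"], ev["user"], ev["parent"], tag))
    return dict(hits)


if __name__ == "__main__":
    for machine, rows in hunt(EVENTS).items():
        print(machine, rows)
```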

This article certainly doesn’t serve as a thorough tutorial on using the Advanced Hunting feature within the Windows Defender Advanced Threat Protection platform. However, we wanted to put something together quickly to share our enthusiasm about how simple it is to use this feature to perform your own custom threat hunting in a multi-system environment, across Linux, Windows and macOS systems.

We look forward to sharing more of our experimentation and research using queries built with the Advanced Hunting feature. We share our successes with everyone here, so check this blog often.

Charles Leaver – What Happened At RSA 2018

Written By Logan Gilbert And Presented By Charles Leaver

After spending a couple of days with the Ziften team at the 2018 RSA Conference, my technology observation was: more of the same, the usual suspects and the usual buzzwords. Buzzwords like “AI”, “machine learning” and “predictive” were splendidly overused. Lots of attention was paid to prevention, to everybody’s favorite attack vector (email), and to everyone’s favorite vulnerability (ransomware).

The one surprise I encountered was seeing a small number of NetFlow analysis businesses, lots of smaller companies trying to make their mark using a very rich, but hard to work with, data set. Extremely cool stuff! Find the little booths and you’ll discover tons of innovation. Now, in fairness to the bigger vendors, I understand there are some truly cool technologies there as well, but RSA barely lends itself to cutting through the buzzwords to actual value.

RSA Buzz

I may have a biased view, given that Ziften has been partnering with Microsoft for the last 6+ months, but Microsoft seemed to play a far more prominent leadership role at RSA this year. First, on Monday, Microsoft announced its all-new Intelligent Security Association, bringing together their security partnerships “to concentrate on safeguarding clients in a world of increased threats”, and more importantly, reinforcing that security through shared security intelligence across this ecosystem of partners. Ziften is naturally proud to be a founding member of the Intelligent Security Association.

In addition, on Tuesday, Microsoft announced a groundbreaking partnership with many in the cybersecurity industry, named the “Cybersecurity Tech Accord.” This accord calls for a “digital Geneva Convention” that sets standards of behavior for cyberspace, just as the Geneva Conventions set rules for the conduct of war in the physical world.

RSA Attendees

A true point of interest to me, though, was the different makeup of the expo audience itself. As I was also an exhibitor at RSA, I noted that among my visitors I saw more “suits” and fewer t-shirts.

OK, maybe not suits as such, but more security Managers, Directors, VPs, CISOs, and security leaders than I remember seeing at previous events. I was encouraged to see what I believe are the business decision makers checking out security companies first hand, rather than delegating that job to their security team. From this audience I often heard the same overtones:

– This is overwhelming.
– I can’t tell the difference between one technology and another.

Those Who Were Absent From RSA

There were certainly fewer “technology trolls”. What, you might ask, are technology trolls? Well, as a vendor and security engineer, these are the individuals (always men) who show up five minutes before the close of the day and drag you into a technical due-diligence exercise for an hour, or at least until the happy hour parties start. Their objective: nothing useful to anyone. And here I’m assuming that the troll actually works for a company, so nothing useful for the company that actually paid thousands of dollars for their attendance. The only thing gained is the troll’s self-affirmation that they are able to “beat down the vendor” with their technical expertise. I’m being harsh, but I have experienced the trolls from both sides of the fence, both as a seller and as a buyer, and back at the home office nobody is basing buying decisions on troll recommendations. I can only presume that companies send tech trolls to RSA and comparable expos because they don’t want them in the office.

Holistic Security Conversations

Which brings me back to the kind of people I did see a great deal of at RSA: security savvy (not just tech savvy) security leaders, who understand the business argument and choices behind security technologies. Not only are they influencers, but in many cases they are the business owners of security for their respective organizations. Now, apart from the aforementioned questions, these security leaders seemed less focused on a technology or specific use case, and more on a desire for “holistic” security. As we know, good security requires a combination of technologies, policy and practice. Security-savvy customers wanted to know how our technology fitted into their holistic solution, which is a refreshing change of dialog. As such, the types of questions I would hear:

– How does your technology partner with other solutions I currently use?
– More importantly: does your company actually buy into that partnership?

That last question is critical, essentially asking whether our partnerships are just fodder for a website, or whether we really have an understanding with our partner that the sum is greater than the parts.

The latter is exactly what security experts are looking for and need.

To Conclude

Overall, RSA 2018 was great from my point of view. After you get past the jargon, much of the buzz focused on things that matter to customers, our industry, and us as individuals: things like security partner ecosystems that add value, more holistic security through genuine collaboration and meaningful integrations, and face-to-face discussions with business security leaders, not technology trolls.

Charles Leaver – You Need To Discover All Of Your Unmanaged Assets

Written By Logan Gilbert And Presented By Charles Leaver

We all relate to the image of the hooded villain hunched over his laptop late at night, accessing a corporate network, stealing valuable data, and vanishing without a trace. We personify the attacker as intelligent, persistent, and crafty. But the reality is that the vast majority of attacks are enabled by simple human carelessness or negligence, making the cyber criminal’s job an easy one. He’s checking all the doors and windows constantly. All it takes is one mistake on your part and he gets in.

What do we do? Well, you already know the answer. We spend a good chunk of our IT budget on defense-in-depth security systems, designed to detect, deceive, fool, or outright block the bad guys. Let’s park the discussion of whether or not we are winning that war, because there is a far simpler war underway: the one where the attacker enters your network, business-critical application, or IP/PII data through a vector you didn’t even know you had, the unmanaged asset, often referred to as Shadow IT.

Think this isn’t your company? A recent study suggests the average enterprise has 841 cloud apps in use. Surprisingly, most IT executives think the number of cloud apps in use by their organization is in the order of thirty to forty, meaning they are wrong by a factor of 20. The same report highlights that more than 98% of cloud apps are not GDPR ready, and 95% of enterprise-class cloud apps are not SOC 2 ready.

Shadow IT / Unmanaged Assets Defined

Shadow IT is defined as any SaaS application used, by employees, departments, or entire business groups, without the knowledge or authorization of the company’s IT department. In addition, the advent of ‘everything as a service’ has made it even easier for employees to access whatever software they feel is needed to make them more productive.

The Effect

Well-intentioned employees typically don’t realize they’re breaking company policy by spinning up a new server instance, or downloading unapproved apps or software. Nevertheless, it happens. When it does, three problems can arise:

1. Corporate standards within an organization are compromised, since unapproved software means each computer has different capabilities.

2. Rogue software applications often contain security flaws, putting the entire network at risk and making it much harder for IT to manage security threats.

3. Asset blind spots not only increase security and compliance risks, they can increase legal risk. Data retention policies designed to limit legal liability are being skirted by information held on unauthorized cloud assets.

3 Vital Considerations for Dealing With Unmanaged Asset Risks

1. First, deploy tools that can provide comprehensive visibility into all cloud assets, managed and unmanaged. Know what new virtual machines have been activated recently, along with which other devices and applications each VM instance is communicating with.

2. Second, make certain your tooling can provide a continuous inventory of authorized and unauthorized virtual machines operating in the cloud. Ensure you can see all IP connections made to each asset.

3. Third, for compliance and/or forensic analysis purposes, look for a solution that provides a record of any and all assets (physical and virtual) that have ever existed on the network, not just a solution that is limited to active assets, or to a short look-back window.
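The three considerations above, worked through as an added example (not Ziften’s product code): it derives an asset history from constructed connection observations, compares it against an assumed CMDB export of managed assets, and keeps every asset ever seen, so a decommissioned VM and a reconnecting unmanaged one both stay in the record with their first-seen, last-seen, reconnect count and IP addresses.

```python
"""Asset history from connection observations (constructed data, assumed inventory)."""
from datetime import datetime, timedelta

# Assumed CMDB export of managed assets.
MANAGED = {"web-prod-01", "db-prod-01"}

# Constructed observations: (asset id, source ip, time the asset was seen connecting).
OBSERVATIONS = [
    ("web-prod-01", "10.0.1.10", "2018-04-01T08:00:00"),
    ("db-prod-01", "10.0.2.5", "2018-04-01T08:00:00"),
    ("dev-scratch-vm", "10.0.9.41", "2018-04-03T22:15:00"),
    ("dev-scratch-vm", "10.0.9.41", "2018-04-10T21:50:00"),
    ("dev-scratch-vm", "10.0.9.42", "2018-04-17T23:05:00"),
    ("web-prod-01", "10.0.1.10", "2018-04-20T08:00:00"),
    ("dev-scratch-vm", "10.0.9.42", "2018-04-24T22:00:00"),
]


def build_history(observations):
    """One record per asset, retained even after the asset stops appearing."""
    hist = {}
    for asset, ip, ts in observations:
        t = datetime.fromisoformat(ts)
        rec = hist.setdefault(asset, {"first_seen": t, "last_seen": t,
                                      "reconnects": -1, "ips": set()})
        rec["first_seen"] = min(rec["first_seen"], t)
        rec["last_seen"] = max(rec["last_seen"], t)
        rec["reconnects"] += 1          # first sighting is a connect, later ones reconnects
        rec["ips"].add(ip)
    return hist


def report(observations, managed, now, lookback_days=7):
    """Classify every asset ever seen, not only those inside the look-back window."""
    now = datetime.fromisoformat(now)
    rows = {}
    for asset, rec in build_history(observations).items():
        rows[asset] = {
            "managed": asset in managed,
            "active": now - rec["last_seen"] <= timedelta(days=lookback_days),
            "first_seen": rec["first_seen"].isoformat(),
            "last_seen": rec["last_seen"].isoformat(),
            "reconnects": rec["reconnects"],
            "ips": sorted(rec["ips"]),
        }
    return rows


if __name__ == "__main__":
    for asset, row in report(OBSERVATIONS, MANAGED, "2018-05-01T00:00:00").items():
        print(asset, row)
```

An asset that is unmanaged and active is the shadow IT case the post describes; a managed asset that is no longer active is still reported, which is the historical recall the third consideration asks for.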

Unmanaged Asset Discovery with Ziften

Ziften makes it simple to quickly discover cloud assets that have been commissioned outside of IT’s purview. And we do it continuously, with deep historical recall at your fingertips, including when each device first connected to the network, when it last appeared, and how frequently it reconnects. And if a virtual machine is decommissioned, no problem: we still have all its historical behavior data.

Identify and secure hidden attack vectors stemming from shadow IT, before a disaster. Know exactly what’s happening in your cloud environment.