CYNET 360
USER GUIDE
Table of Contents
INTRODUCTION .......... 4
  ABOUT CYNET .......... 4
  NATIVELY-BUILT PROTECTION ACROSS ALL ATTACK SURFACES .......... 4
  MAIN CAPABILITIES .......... 5
CONSOLE INTERFACE .......... 6
  LOGGING INTO CYNET 360 .......... 6
  INTERFACE LAYOUT .......... 7
DASHBOARD .......... 9
ALERTS .......... 13
  ALERT DETAILS .......... 14
  ALERT ACTIONS .......... 15
  ALERT STATUS .......... 16
FORENSIC .......... 17
  ADVANCED SEARCH .......... 18
    Display Fields .......... 19
    Search Fields .......... 19
    Saved Searches .......... 20
    Saved Policies .......... 21
  FILES .......... 24
    File Favorite Searches .......... 24
    File Details Page .......... 25
    Occurrences .......... 27
    Static Analysis Results .......... 28
  HOSTS .......... 29
    Host Favorite Searches .......... 29
    Host Details Page .......... 30
    Hosts Map View .......... 31
    Hosts Actions .......... 33
    Hosts Details .......... 34
  USERS .......... 35
    User Favorite Searches .......... 35
    User Details Page .......... 36
  DOMAINS .......... 38
    Domain Favorite Searches .......... 38
    Domain/IP Address Details Page .......... 39
    Domain Actions .......... 40
  SOCKETS .......... 41
    Socket Favorite Searches .......... 41
ACTIONS .......... 42
  FILE ACTIONS .......... 43
  HOST ACTIONS .......... 44
  USER ACTIONS .......... 45
  NETWORK ACTIONS .......... 45
  AUTO REMEDIATION .......... 46
SCANNER .......... 53
  MANUAL SCANS .......... 55
REPORTS .......... 56
  ALERTS REPORT .......... 56
  TOP RISKS REPORT .......... 58
  VULNERABILITIES ASSESSMENT REPORT .......... 59
  INVENTORY REPORT .......... 60
  EXPORTING REPORTS .......... 61
MAPS .......... 63
AUDIT .......... 64
SETTINGS .......... 66
  SCAN GROUPS .......... 67
  CONFIGURATION .......... 83
  EPS CONFIGURATION .......... 98
  DECOY FILES .......... 100
  THREAT HUNTING .......... 105
    TH results .......... 106
  ADVANCED .......... 107
  USERS .......... 114
  MAPS .......... 121
  ANALYSIS .......... 122
  ALERTS .......... 124
  INTEGRATIONS .......... 127
  VULNERABILITY MANAGEMENT .......... 129
  UBA MANAGEMENT .......... 131
  THREAT HUNTING .......... 134
  WHITELISTING .......... 136
  SYSTEM INFO .......... 137
FEATURES & FUNCTIONALITY .......... 138
  ANALYSIS ACTIONS .......... 138
  REMEDIATION ACTIONS .......... 141
APPENDIX: SYSTEM COMPONENTS .......... 145
  INTEGRATION WITH SIEM – NEW API FOR EXTRACTING DATA FROM CYNET .......... 145
  MULTI-TENANCY .......... 146
  CYNET BINARIES .......... 147
  CYNET SERVICES .......... 148
  CYNETEPS COMMAND-LINE FLAGS .......... 150
INTRODUCTION
About Cynet
Cynet was founded by an elite group of seasoned security entrepreneurs, researchers and SOC practitioners to build a single, autonomous platform centralizing all aspects of breach protection. Cynet couples unmatched prevention, detection and response capabilities with extreme ease of operation, providing protection for all an organization’s needs, regardless of their security team’s size and prior skill.
Natively-built protection across all attack surfaces
Cynet is a security platform that protects organizations from breaches by automated discovery and mitigation of all threat vectors across all attack stages.
Cynet is the first solution that protects the entire environment, by correlating users, files, network traffic and host activities with a complete set of threat prevention and detection tools, joined by pre-set and custom auto-remediation policies for post-compromise activity.
By unifying all aspects of breach protection in a single interface, Cynet eliminates the need for multi-product security stacks, and the dependency on high-level security skills.
Cynet CyOps 24/7 Security Team & The Support Team
The Cynet SOC and Support are available to customers for any issues, questions or comments:
Phone (IL): +972-72-336-9736
Phone (US): +1-347-474-0048
Phone (EU): +44-203-290-9051
Support Email: [email protected]
CyOps Email: [email protected]
Main Capabilities
Total Environment Visibility: An organization’s attack surface is much wider than its endpoints. Cynet continuously monitors all users logging in and out, internal and external traffic, and process execution on hosts to provide real-time contextual visibility into the entire environment’s activities.
360° Prevention and Detection: Cynet continuously builds and natively integrates the full scope of technologies to prevent and detect attack vectors that target users, files, the network and hosts: AV, NGAV, EDR, network analytics, UEBA and deception, building a robust security protection stack across all attack stages.
Automated Remediation: Cynet provides the widest set available of remediation actions for compromised hosts and users, malicious files and network communication. Cynet is shipped with pre-built remediations, making it the only solution with the ability to automatically block attacks at multiple post-compromise stages such as privilege escalation, credential theft, lateral movement and others.
Context Based Alert Operation: In the case of malicious activity without a matching pre-built remediation, Cynet provides the full user, file, network and host context for rapid insight into the attack’s impact and scope. The resolving process concludes with manually applying a remediation action on the compromised entity, which can be saved as a policy to automate the response in future occurrences.
Easy Deployment & Maintenance: Cynet is based on a server-agent architecture. The server can be either on-prem, IaaS or hybrid, per customer preference, and the endpoint component is either a dissolvable executable or a lightweight agent that rapidly deploys to 50Ks of hosts in a single day.
CyOps 24X7 Security Expertise: Cynet complements its automated threat protection technology with integrated security services at no additional cost. CyOps is a 24/7 team of threat analysts and security researchers that proactively hunts for threats among Cynet’s customers, as well as responding to customer escalations and assisting with file analysis, incident response and deep investigation.
CONSOLE INTERFACE
Cynet 360 utilizes a web-based graphic user interface over an HTTPS encrypted connection. The following guide describes each section of the web interface in detail.
LOGGING INTO CYNET 360
In most installations, the URL to log into the Cynet 360 console will be:
▪ https://*CYNET_SERVER*:8443
Where *CYNET_SERVER* is the IP address or hostname of your Cynet 360 server. Navigating to this URL will bring up the Cynet 360 login page.
Log in with the default credentials:
▪ Username: operator
▪ Password: qwdftyjkop
NOTE Cynet highly recommends changing the default operator credentials after the initial login and creating additional user accounts in the Users settings section.
NOTE If you receive the message “Your connection is not private”, this is because Cynet is currently using a self-signed certificate. To remove this message, install a CA-issued certificate on the Cynet IIS site. To ignore the message and proceed, click Advanced at the bottom left and then click Proceed to localhost.
INTERFACE LAYOUT
The Cynet 360 interface is designed to provide a simple layout for navigation of the system. There are six main sections
of the console interface, which can be easily navigated using the main navigation menu on the left side. The six main
sections include:
▪ Dashboard - Overview of the alerts, scans, and analysis (See also the Dashboard section)
▪ Alerts - Lists all alerts generated by the system (See also the Alerts section)
▪ Forensic - Lists all data from files, users, hosts, and network (See also the Forensic section)
▪ Actions - Lists all remediation actions taken and results (See also the Actions section)
▪ Scanner - Lists all scan results of hosts in the environment (See also the Scanner section)
▪ Reports - Lists all of the reports generated by the system (See also the Reports section)
▪ Maps - Contains a map of all locations configured (See also the Maps section)
▪ Audit - Lists all user actions performed in the system (See also the Audit section)
▪ Settings - Contains all system configuration settings (See also the Settings section)
In addition to the main navigation menu, some sections may contain sub-menus, which can be used to navigate to other
pages within the section.
Additionally, at the top of every page of the console the current date and time are displayed, as well as the currently logged in user. To the right of the logged in user is a link to log out of the system.
If the Cynet server is configured for multi-tenancy (see also the Multi-Tenancy section), a drop-down menu will appear
next to the current logged in user. This drop-down menu will provide navigational access to the other Cynet servers
currently configured to point to this Master server.
DASHBOARD
The Dashboard provides a high-level overview of the current security status of the environment. It uses various graphics to display the current number of open alerts, files that have been analyzed and hosts that have been scanned, and allows pivoting to various other areas of the console based on this information. There are 4 main graphics on the dashboard, which are described in more detail in the next section of the guide:
A. Open Alerts – Metrics about current open alerts. The number of files, users, hosts, and network traffic items associated with these open alerts is displayed to the right.
B. Threat Radar – Overall risk level (center) and high-risk objects (files, users, hosts, and network traffic). Individual risk scores for objects are displayed as dots on the radar. Objects with open alerts are shown as solid dots, and can be clicked to view details.
C. Files Analyzed – Metrics about files that have been analyzed by the system to date. The percentage of “whitelisted” files indicates the number of files which have been analyzed and deemed safe through security intelligence. The remaining percentage will be reviewed by the Cynet CyOps SOC.
D. Alerts By Date – Graph of alerts generated over the past 10 days.
E. Hosts Scanned – Metrics on hosts that have been scanned recently.
Each section of the dashboard is explained in greater detail below.
OPEN ALERTS
The Open Alerts section, located at the left side of the dashboard, provides the number of current open alerts of all severity levels. The colored ring around the Total Alerts indicates the severities of the alerts. To the right, the number of Files, Users, Hosts, and Network objects associated with these alerts is displayed.
Hovering the cursor over the Total Alerts ring will display how many open alerts there are of each severity. Click on the object symbols to pivot to the Alerts page filtered by File Alerts, User Alerts, Network Alerts, or Host Alerts.
The Alerts by Date section provides a graphical timeline of generated alerts per day. Hovering the graph will display the
number of alerts generated on each day.
THREAT RADAR
The Threat Radar contains the current Total Security Score in the center. This value is calculated from the current Risk Levels of every File, User, Host, and Network object in the environment, as well as any Open Alerts. All active threats in the environment appear as blips on the Threat Radar.
Clicking on items highlighted within the Threat Radar will display the object name and the associated Alert. To view the details of this object, click the blue arrow.
FILES ANALYZED
The Files Analyzed section, located at the top right side of the Main Dashboard, provides the number of files that have been scanned and analyzed by the system. It also contains the percentage of Whitelisted files, which have been determined to be safe based on their collected metadata and behavioral analysis compared to Cynet’s Security Threat Intelligence.
HOSTS SCANNED
The Hosts Scanned section located at the bottom right side of the Main Dashboard provides statistics for the number of
hosts that have been scanned in the past day, week, and month.
ALERTS
The Alerts page provides a customizable view of the alerts generated by the system. Various filters can be used to display specific alerts, and actions can be taken on displayed alerts. The page contains the following sections:
A. The Alert Types Menu allows users to filter alerts generated for Files, Users, Hosts, Network, or All Alerts
(default).
B. The Quick Search allows users to quickly filter displayed alerts by a keyword search.
C. The Alert Actions section allows users to export displayed alerts to an Excel (.xlsx) file and/or take a
Remediation Action. (See also the Alert Actions section)
D. The Alerts Quick Filter Bar allows users to quickly filter alerts by Alert Name, Severity, Status, Host name, File
name, User name, Network, or Alert Date. Also from here all currently visible alerts can be selected to perform
an action on multiple alerts.
E. The Load Entries drop-down menu can be used to show more or fewer alerts on the Alerts Dashboard. The system displays 25 alerts by default.
F. The Displayed Alerts section will show all alerts according to the filter criteria set in the Alerts Filter Bar above.
Relevant information about the alert will be displayed. To view details about the alert, click the arrows on
each alert (See also the Alerts Details section)
G. The Alert Status is displayed below the alert name. Alert statuses can be changed individually or in a group (See
also the Alert Status section)
H. The Total Open Alerts graphic will display the current number of open alerts and the distribution of alert types
(file, users, network, or hosts).
ALERT DETAILS
To view more details for displayed alerts, click the “more” button at the bottom of the alert. This will open a window below the alert with details about the alert.
Additional information displayed in the alert details includes:
▪ Description – A detailed description of the alert and additional details such as related processes and hashes, associated users, Windows events, etc.
▪ Recommendation – The remediation actions recommended by the Cynet SOC, based on the type and severity of the alert.
▪ Related Objects – All correlated files, users, hosts, and network traffic for this alert will be shown in this section.
▪ Comments – Analysts can add comments based on the alert investigation and resolution.
▪ Some alerts will also include the file Path and Hash.
ALERT ACTIONS
Alert actions can be used to change an alert status or to perform a remediation action on files, hosts, or users. On the Overall Alerts Dashboard, select one or more alerts to perform an action on and then click the Actions button to open the Alert Actions menu.
This menu will notify you of the alerts that are currently selected, and provide you with the ability to:
A. Change the Alert Status to Open, Close, or Ignore (See also the Alert Status section)
B. Perform additional Analysis actions (See also Analysis Actions section)
C. Perform Remediation actions (See also Remediation Actions section)
D. Create a new Auto-Remediation rule based on the alert details. (See also Auto Remediation section)
ALERT STATUS
The Alert Status can be set based on the current stage of the alert lifecycle. The following statuses are available for
alerts:
▪ Open – Alert is new and requires investigation and remediation actions.
▪ Ignore – Alert is to be ignored because either it is expected, known, or non-malicious activity. Ignoring an alert
will prevent similar alerts from being triggered in the future.
▪ Close – Alert has been investigated and should be closed and archived. New activity or behaviors that match
previously closed alerts will trigger new alerts to be opened.
An Alert’s status can be changed using the Quick Status Change menu (shown below) on the Overall Alerts Dashboard or using the Alert Actions menu (see the Alert Actions section above).
FORENSIC
The Forensic page is broken up into five distinct sub-sections: Files, Hosts, Users, Domains, and Sockets. Each sub-section provides inventories for all data collected by Cynet 360. Every page of the Forensic section has the same basic layout:
A. The Sub-Menu contains links to the inventories of all Files, Hosts, Users, Domains, and Network sockets
observed by the system.
B. The Favorite Searches bar provides predefined searches to quickly search within the inventories. (See also the
Advanced Search section)
C. The Advanced Search bar provides the ability to search within the inventories on any of the available metadata fields, or to change the displayed fields in the Inventory List area. (See also the Advanced Search section)
D. The Actions area provides the ability to export inventories to an Excel (.xlsx) file and/or take a Remediation
Action. (See the Analysis Actions & Remediation Actions sections)
E. The Quick Filter Bar provides the ability to quickly filter inventories by metadata and indicators such as file
name, risk level, host name, IP address, etc.
F. The Inventory List area lists every object that matches the filter criteria set in the Quick Filter Bar. To view more
information and details about this object, click on the object name to view the details page. (See also the File
Details, Host Details, User Details, and Domain/IP Address Details pages)
G. The Top Results graphics show objects with high risk levels and other risky items.
ADVANCED SEARCH
The Advanced Search feature provides the ability to search for files, hosts, users, and network traffic based on any of the available metadata fields, or to change the displayed fields in the Inventory List on any Forensic page. To begin an advanced search or edit the displayed fields, click on the Advanced Search bar.
This will open the Advanced Search window.
A. From here the columns/fields in the Inventory List can be modified by checking/unchecking the Display Fields.
B. Use the Search Fields window to specify the search criteria.
C. Searches can be saved to the Saved Searches to be used again in the future.
D. Search criteria can also be saved to the Saved Policies to be applied as an indicator that contributes to the
object’s risk level.
Saved Policies can also be configured to open an alert once the policy’s search criteria is matched.
See the following sections for more detail about the Display Fields, Search Fields, Saved Searches, and Saved Policies
areas.
DISPLAY FIELDS
The Inventory List on any Forensic page can be modified to display more columns than are shown by default. To add or remove columns from the Inventory List, check or uncheck fields in the Display Fields menu.
Once the desired fields to view have been selected, the columns in the Inventory List will automatically update with the
selected display fields.
SEARCH FIELDS
To perform a search for objects using non-displayed fields, click the “+” magnifying glass icon in the Display Fields menu
to add that field to the Search Fields window.
To remove a field from the Search Fields window, click the “-” magnifying glass icon.
For each field added to the Search Filters area, select the appropriate logical operator from the drop-down (e.g. “Starts with”, “Ends with”, “Contains”, “Smaller than”, etc.). Then enter the search value in the text box next to it.
Then click Search to apply the search filters to the Inventory list.
SAVED SEARCHES
Search filters can be kept as Saved Searches for future use by entering the search filter criteria and then clicking the Save
Search button.
The system will prompt for a name of the saved search. Enter a name, and click Ok to save.
NOTE Fields not checked off in the Display Fields menu can still be used in the Search Fields as search filters. These
columns will not appear in the Inventory List, but will be applied to the search results regardless.
The saved search will then appear in the Saved Searches section to the right. Once saved, simply click on the search
name and the Search Fields window will populate with the search filters in that saved search.
Add your Saved Search to the Favorite Searches bar by clicking the ☆ symbol.
To delete a Saved Search, click the X symbol to the right of the Saved Search name.
SAVED POLICIES
Saved Policies can be created in order to apply a custom risk level to objects based on collected indicators. In addition,
saved policies can also be created in order to open an alert on objects relevant to the policy. Similar to the Saved Search,
search filter criteria can be entered into the Search Fields. Then click the Save Policy button to save these filters as a
policy.
The system will prompt for a name of the saved policy, a risk number value to be factored into the object’s risk level, and
a checkbox that will enable Cynet to open an alert once the search criteria are matched.
• Enter a name
• Enter a policy risk number (1-1000)
• Select the checkbox “Open alert on policy match”
• Select the alert severity from the drop-down menu.
• Click Ok to save.
The saved policy will then appear in the Saved Policies section to the right. Once saved, simply click on the policy name
and the Search Fields window will populate with the filters in that saved policy.
To delete a Saved Policy, click the X symbol to the right of the Saved Policy name.
Objects that match the Saved Policy criteria will show it in the object’s Details Page as a triggered indicator, and
the risk number value entered in the Saved Policy will be factored into the new risk level for the object.
If the saved policy was configured to open an alert upon search criteria match, you will receive the alert in the main
alerts page.
The alert name will be the policy name you configured.
FILES
The Files page provides visibility of all scanned files in the organization and the ability to obtain file-specific information.
The Files Inventory list by default contains the following columns:
▪ File Name – The name of the file. This link takes you to the File Details Page.
▪ Risk Level – The file’s current risk level
▪ Company Name – The file publisher information
▪ Endpoints – The number of endpoints this file exists on
▪ AntiViruses – The number of AV vendors which have signatures for this file
▪ First Seen – The date and timestamp when this file was first seen in the environment.
▪ Last Seen – The date and timestamp when this file was last seen in the environment.
Inventory List columns can be altered using the Advanced Search by changing which fields are displayed.
FILE FAVORITE SEARCHES
The Files page contains eight default favorite searches. These default favorite searches cannot be edited or deleted.
They provide a quick and easy way to search for files based on:
▪ Internal Com – Files which have network communication to an internal IP address(es).
▪ External Com – Files which have network communication to an external IP address(es).
▪ Unique in Org – Files which are unique within your organization and exist only once.
▪ DLL – Files with the .dll extension.
▪ EXE – Files with the .exe extension.
▪ NO GUI – Files that are running in a hidden window.
▪ Detected by Security Intel – Files identified using Cynet’s security intelligence feeds.
▪ Start Up – Files which have made themselves persistent on the endpoint and will execute when the computer
starts up.
FILE DETAILS PAGE
The File Details page includes all the information collected by the system regarding the selected file. At the top of the
details page will be a timeline describing the lifecycle of the file.
The file relationship diagram displays how the file is related to other entities in the organization.
A. The center will contain the File Name and Risk Level.
B. To the left will be all associated Hosts, Processes (parent or child), Users, or Network entities. Clicking on an
associated entity will drill into the details page of that entity.
C. To the right will be all detected Indicators for this file.
▪ High severity indicators are denoted in Red
▪ Medium severity indicators are denoted in Gold
▪ Low severity indicators are denoted in Blue
▪ Positive indicators are denoted in Green
The bottom of the file details page contains multiple tabs with detailed information about this file.
▪ The Details tab contains metadata about the file such as file size, path, publisher, hashes, and other data.
▪ The Alerts tab contains all alerts associated with this file. Each tab also offers the relevant remediation
action tools.
▪ The Occurrences tab contains all instances of the process on all hosts. Each line will show which host(s) it ran
on and the user(s) it ran as. (See also the Occurrences section)
▪ The Hosts tab contains the hosts which this file is present on.
▪ The Users tab contains all the users running this file.
▪ The Sockets tab contains the network traffic generated to/from this file.
▪ The Domains tab contains the domains which were queried by this process to initiate network traffic.
▪ The Process DLLs tab contains the DLL files loaded by the currently viewed process.
▪ The Static Analysis tab contains the information collected during static analysis of the file.
▪ The Dynamic Analysis tab contains the information collected and generated from a sandbox execution of the file in
the Cynet SSE.
NOTE Certain tabs may not appear in the details page because there is no relevant data to be displayed for that data
category.
OCCURRENCES
The Occurrences tab displays each instance of a file throughout the environment. For example, if a specific file was
executed on two hosts, there would be two entries in the occurrence tab.
Each process occurrence can be expanded using the + symbol to view additional information.
Each occurrence will include details about how the file ran during that instance, including the running user, command
line, path the file was run from, etc.
STATIC ANALYSIS RESULTS
Static Analysis results are displayed on the Static Analysis tab of the File Details Page. Information in the analysis section
includes:
A. The Meta area includes metadata such as hashes, product name (e.g. “Microsoft Windows Operating System”
/ version information / build information), product description, digital signature, timestamp, scattering, and
fingerprinting (e.g. “MS Visual C++ 8.0 DLL”).
B. The Strings in File area provides a view into the text strings inside the file.
C. The File Analysis area lists imported functions, as well as File Header Information.
D. The File Headers/Sections area lists the file’s headers and Portable Executable (PE) sections and their respective
hashes. PE section names typically include .text, .rdata, .data, .pdata, .rsrc, .reloc, and more.
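To make the File Headers/Sections data concrete, here is an added example (not Cynet code, and not how Cynet itself computes its results) that walks the PE section table of an image and hashes each section’s raw bytes, which is what a per-section hash in a static analysis report represents. The sample PE bytes are constructed inline so the script runs offline; it is a minimal header skeleton, not a real program, and the section contents are made-up placeholders.

```python
import hashlib
import struct

# Constructed section contents for the sample image (placeholders, not real code or data).
TEXT_BYTES = b"\x55\x48\x89\xe5\x5d\xc3" + b"\xcc" * 10   # 16 bytes
DATA_BYTES = b"hello-world" + b"\x00" * 5                  # 16 bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_pe() -> bytes:
    """Build a minimal PE32+ skeleton with a .text and a .data section (constructed test input)."""
    e_lfanew = 0x40
    opt_size = 0xF0                     # size of a PE32+ optional header
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> PE signature offset
    nt_sig = b"PE\x00\x00"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic; rest left zeroed
    raw_base = 0x200                                     # first section's raw data offset
    sec_hdrs = b""
    raw_data = b""
    for name, content, vaddr, flags in [
        (b".text", TEXT_BYTES, 0x1000, 0x60000020),      # code, execute + read
        (b".data", DATA_BYTES, 0x2000, 0xC0000040),      # initialised data, read + write
    ]:
        raw_ptr = raw_base + len(raw_data)
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(content), vaddr, len(content),
                                raw_ptr, 0, 0, 0, 0, flags)
        raw_data += content
    headers = bytes(dos) + nt_sig + coff + bytes(opt) + sec_hdrs
    return headers + b"\x00" * (raw_base - len(headers)) + raw_data


def parse_pe_sections(data: bytes) -> dict:
    """Return the COFF machine type and, per section, its name, addresses and SHA-256 of raw bytes.

    A section whose raw data extends past the end of the file is flagged as truncated rather
    than silently hashed short, since mismatched sizes are a common sign of a damaged or
    deliberately malformed image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        name, vsize, vaddr, raw_size, raw_ptr = fields[:5]
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_offset": raw_ptr,
            "raw_size": raw_size,
            "sha256": sha256_hex(raw),
            "truncated": len(raw) < raw_size,
        })
    return {"machine": machine, "sections": sections}


if __name__ == "__main__":
    for sec in parse_pe_sections(build_sample_pe())["sections"]:
        print(f"{sec['name']:<8} raw@{sec['raw_offset']:#06x} size={sec['raw_size']:#x} "
              f"sha256={sec['sha256']} truncated={sec['truncated']}")
```

Real linkers pad each section’s raw data to the image’s FileAlignment, so on a real binary the hashed bytes include that padding; the parser above hashes exactly SizeOfRawData bytes from PointerToRawData, which is what most static analysis tooling reports.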
HOSTS
The Hosts page provides visibility of all scanned hosts in the organization and the ability to obtain host-specific
information. The Hosts Inventory list by default contains the following columns:
▪ Host Name – The name of the host. This link takes you to the Host Details Page.
▪ Risk Level – The host’s current risk level
▪ Last Scan – The date and timestamp when this host was last scanned by the system.
▪ Host IP – The IP address of the endpoint.
▪ OS Version – The operating system of the endpoint.
▪ # Process – The number of processes detected running on the endpoint.
▪ # Logged Users – The number of users logged into the endpoint.
▪ # Connections - The number of network connections detected on the endpoint.
Inventory List columns can be altered using the Advanced Search by changing which fields are displayed.
HOST FAVORITE SEARCHES
The Hosts page contains three default favorite searches. These default favorite searches cannot be edited or deleted.
They provide a quick and easy way to search for hosts based on:
▪ High Risk – Hosts with a high risk level
▪ Internal Com – Hosts which have network communication to an internal IP address(es).
▪ External Com – Hosts which have network communication to an external IP address(es).
HOST DETAILS PAGE
The Host Details page includes all the information collected by the system regarding the selected host. At the top of the
details page will be a timeline describing the lifecycle of the host.
The host relationship diagram displays how the host is related to other entities in the organization.
A. The center will contain the Host Name and Risk Level.
B. To the left will be all associated Files, Users, or Network entities. Clicking on an associated entity will drill into
the details page of that entity.
C. To the right will be all detected Indicators for this host.
▪ High severity indicators are denoted in Red
▪ Medium severity indicators are denoted in Gold
▪ Low severity indicators are denoted in Blue
▪ Positive indicators are denoted in Green
HOSTS MAP VIEW
The Hosts map view enables the operator to view the organization’s network segments and endpoints in an interconnected
map display.
Accessing the Host map view is done via the ‘Hosts’ tab in the forensics feature.
Mark the checkbox right next to ‘Map’.
After selecting the checkbox, the dashboard will alter its presentation to a Map view.
The hosts may appear in 3 different colors, where each color represents the risk status of the host:
Red: High Risk
Yellow: Medium Risk
Blue: Low Risk.
Any object is clickable and will collapse or expand when selected.
For example, after clicking on a host, the selected host’s detailed information will appear underneath the map.
In addition, there is another display layer available, called ‘Deceptive View’.
This view allows the operator to see exactly on which endpoints the Decoy files are deployed.
To toggle between the views, mark the ‘Deceptive view’ checkbox in the top left corner.
HOSTS ACTIONS
The “Actions” icon enables the operator to run actions on all of the hosts* in the organization with one single click.
* Hosts which are currently being scanned by Cynet.
After clicking on the “Actions” icon, a pop-up menu will open to the right side of the icon.
The actions feature provides the operator the ability to perform two types of actions on all of the hosts:
1) Run Command - This action will execute the specified commands on the selected host(s) and the output will be captured and presented in the console. If the output contains multiple lines, it will be preserved in a text file format.
2) Run File - This action will allow a specified file to be run on the selected host(s). First, select a file from the local
computer, then upload the file to the Cynet server. The Cynet server will then deploy the file to the host(s) to be executed.
HOSTS DETAILS
The bottom of the host details page contains multiple tabs with detailed information about this host.
▪ The Details tab contains metadata about the host such as host name, IP Address, Operating system, software
versions, and other data.
▪ The Alerts tab contains all alerts associated with this host.
▪ The Files tab contains all the files scanned on the host.
▪ The Users tab contains all the users logged into the host, and locally configured hosts.
▪ The Deception tab contains a list of all of the Decoy files which are deployed on the endpoint.
▪ The Traffic tab contains the open network sockets, DNS requests cached, IP addresses configured, ARP table
entries, and NICs contained on the host.
▪ The System tab contains a list of security certificates, Operating System Updates installed, Installed Software,
and network shares on the host.
NOTE Certain tabs may not appear in the details page because there is no relevant data in the database to be displayed.
USERS
The Users page provides visibility of all scanned user accounts in the organization and the ability to obtain user-specific
information. The Users Inventory list by default contains the following columns:
▪ User Name – The name of the user account. This link takes you to the User Details Page.
▪ Risk Level – The user account’s current risk level
▪ Locked – Displays if the user account is currently locked out or not.
▪ Disabled – Displays if the user account is currently Disabled or not.
▪ Running Files – The number of files the user account is currently running.
▪ Password Age – The password age of the user account (in days old).
▪ Last Login – The date and timestamp when the user account last logged into a host.
▪ First Seen – The date and timestamp when the user account was first seen in the environment.
Inventory List columns can be altered using the Advanced Search by changing which fields are displayed.
USER FAVORITE SEARCHES
The Users page contains three default favorite searches. These default favorite searches cannot be edited or deleted.
They provide a quick and easy way to search for users based on:
▪ High Risk – User accounts with a high risk level
▪ Locked – User account which are locked out.
▪ Run Risky Files – User accounts running high risk files.
USER DETAILS PAGE
The User Details page includes all the information collected by the system regarding the selected user. At the top of the
details page will be a timeline describing the recorded events of the user.
The user relationship diagram displays how the user is related to other entities in the organization.
A. The center will contain the User Name and Risk Level.
B. To the left will be all associated Files, Hosts, or Network entities. Clicking on an associated entity will drill into
the details page of that entity.
C. To the right will be all detected Indicators for this user.
▪ High severity indicators are denoted in Red
▪ Medium severity indicators are denoted in Gold
▪ Low severity indicators are denoted in Blue
▪ Positive indicators are denoted in Green
The bottom of the user details page contains multiple tabs with detailed information about this user.
▪ The Details tab contains metadata about this user such as user name, Last login date, # of Files Running by
user, and the number of machines logged into by the user in the last day, week, month, etc.
▪ The Alerts tab contains all alerts associated with this user.
▪ The Files tab contains all the files being run by this user.
▪ The Hosts tab contains all the hosts this user has logged into.
▪ The Domains tab contains a list of domains that have been requested for resolution by this user.
▪ The Logins tab contains a list of all logins by this user across all scanned hosts.
NOTE Certain tabs may not appear in the details page because there is no relevant data in the database to be displayed.
DOMAINS
The Domains page provides visibility of all domains resolved on hosts in the environment. The Domains Inventory list by
default contains the following columns:
▪ Domain – The domain resolved. This link takes you to the Domain/IP Address Details Page.
▪ Risk Level – The domain’s current risk level.
▪ Classification – Displays the domain classification based on security intelligence.
▪ Date In – The date and timestamp when the domain was first resolved.
▪ Last Seen – The date and timestamp when the domain was last resolved.
▪ URL Count – The number of URLs visited with this domain.
▪ Host Count – The number of hosts that have resolved this domain.
▪ Remote IP Count – the number of remote IP addresses that resolve to this domain.
▪ Source IP Count – The number of local IPs that have resolved this domain.
▪ User Count – The number of users which have resolved this domain.
Inventory List columns can be altered using the Advanced Search by changing which fields are displayed.
DOMAIN FAVORITE SEARCHES
The Domains page contains two default favorite searches. These default favorite searches cannot be edited or deleted.
They provide a quick and easy way to search for domains based on:
▪ High Risk – Domains with a high risk level
▪ Detected by Security Intel – Domains identified using Cynet’s security intelligence feeds.
DOMAIN/IP ADDRESS DETAILS PAGE
The Domain Details page includes all the information collected by the system regarding the selected domain. At the top
of the details page will be a timeline describing the recorded events of the domain.
The domain relationship diagram displays how the domain is related to other entities in the organization.
A. The center will contain the Domain Name and Risk Level.
B. To the left will be all associated Files, Hosts, or Users. Clicking on an associated entity will drill into the details
page of that entity.
C. To the right will be all detected Indicators for this domain.
▪ High severity indicators are denoted in Red
▪ Medium severity indicators are denoted in Gold
▪ Low severity indicators are denoted in Blue
▪ Positive indicators are denoted in Green
DOMAIN ACTIONS
The “Actions” icon enables the operator to insert an IP\URL of an external address, and perform a DNS remediation on
that address for the entire organization.
DNS Remediation – This action will redirect all traffic to the domain to a specified IP address. This is done by creating a new zone in the internal DNS server to resolve this domain to the specified IP address. Any hosts that attempt to resolve the domain in the network will be given the specified IP address from the internal DNS server, preventing traffic from reaching the actual domain’s IP address.
SOCKETS
The Sockets page provides visibility of all network sockets created on hosts in the environment. The Sockets Inventory
list by default contains the following columns:
▪ Hostname – The host associated with the network traffic. This link takes you to the Host Details Page.
▪ Risk Level – The network socket’s current risk level.
▪ Local IP – The source IP address of the network traffic. This link takes you to the Domain/IP Address Details
Page.
▪ Local Port – The source port of the network traffic.
▪ Remote IP – The destination IP address of the network traffic. This link takes you to the Domain/IP Address
Details Page.
▪ Remote Port – The destination port of the network traffic.
▪ First Seen – The date and timestamp of when this network traffic was first seen.
▪ Last Seen – The date and timestamp of when this network traffic was last seen.
Inventory List columns can be altered using the Advanced Search by changing which fields are displayed.
SOCKET FAVORITE SEARCHES
The Sockets page contains one default favorite search. This default favorite search cannot be edited or deleted. It
provides a quick and easy way to search for network sockets based on:
▪ High Risk – Network sockets with a high-risk level.
ACTIONS
The Actions page is broken up into five distinct sub-sections: Files, Hosts, Users, Network, and Auto Remediation. Each
sub-section provides lists of actions taken from Cynet 360. Every page of the Actions section has the same basic layout:
A. The Sub-Menu contains links to the pages:
▪ Files Actions – Actions taken on files (See also File Actions section)
▪ Host Actions – Actions taken on hosts (See also Host Actions section)
▪ User Actions – Actions taken on user accounts (See also User Actions section)
▪ Network Actions – Actions taken on network traffic (See also Network Actions section)
▪ Auto Remediation – Auto Remediation rules (See also Auto Remediation section)
B. Some action pages (such as the File Actions page) contain Action Tabs, which provide additional actions that
can be taken. These include:
▪ Analysis – Analysis actions taken on files (See also Analysis Actions section)
▪ Deep Scan – Deep Scan actions taken on files (See also Deep Scans sections)
C. The Quick Filter Bar provides the ability to quickly filter action lists by file name, host name, IP address, action
taken, etc.
D. The Actions area provides the ability to export displayed action lists to an Excel (.xlsx) file and/or take additional
remediation actions. (See also the Analysis Actions & Remediation Actions sections)
E. The Actions List provides a list of all actions taken on files, hosts, users, and network traffic.
FILE ACTIONS
The File Actions page provides visibility of all actions taken on files in the environment. (See also the Remediation
Actions section). The File Actions list contains the following information:
▪ File Name – The file the action was taken on. This link will take you to the File Details Page.
▪ Host Name – The host the action was taken on. This link will take you to the Hosts Detail Page.
▪ Host IP – The IP address of the host the action was taken on. This link will take you to the Host Details Page.
▪ Time – The time the file action was initiated.
▪ Action Taken – The type of file action taken.
▪ Status – The result of the file action taken.
▪ Status Info – Additional information about the file action taken.
ANALYSIS
The Analysis page provides visibility of all file analysis actions taken on files in the environment. (See also the Analysis
Actions section). The Analysis list contains the following information:
▪ File Name – The file and path the file action was taken on. This link will take you to the File Details Page of that
file.
▪ Analysis Time – The date and timestamp of when the analysis action was initiated.
▪ Hashes – The hash of the file the analysis action was taken on. This link will take you to the File Details Page of
that file.
▪ Static Result – The result of static analysis on the file. This link will take you to Static Analysis tab of the File
Details Page of that file.
▪ Analysis Time - The date and timestamp of when the analysis action was completed.
▪ Dynamic Result - The result of dynamic analysis on the file. This link will take you to Dynamic Analysis tab of the
File Details Page of that file.
DEEP SCAN
The Deep Scan page provides visibility of all file deep scan actions taken on files in the environment. (See also the
Analysis Actions and Deep Scans sections) The deep scan list contains the following information:
▪ Scan ID – A unique identifier for an initiated deep scan.
▪ Host Name – The host that the deep scan was initiated on. This link will take you to the Host Details Page of
that host.
▪ File Name – The file name the deep scan action was taken on.
▪ SHA256 – The hash of the file the deep scan action was taken on. This link will take you to the File Details Page
of that file.
▪ Date In – The date and timestamp of when the deep scan action was initiated.
▪ Last Heartbeat – The date and timestamp of when the deep scanner last checked in with the Cynet server.
▪ Status – The last status update from the deep scanner
▪ Scan Detail – Details about the deep scan such as duration (in minutes), percentage completed, and the
number of actions monitored by the deep scanner.
HOST ACTIONS
The Host Actions page provides visibility of all actions taken on hosts in the environment. (See also the Remediation
Actions section). The Host Actions list contains the following information:
▪ Host Name – The host the action was taken on. This link will take you to the Host Details Page of that host.
▪ Time – The time the host action was initiated.
▪ Action Taken – The type of host action taken.
▪ Status – The result of the host action taken.
▪ Status Info – Information about the host action taken.
▪ Extra Details – Additional information about the host action taken.
USER ACTIONS
The Users Actions page provides visibility of all actions taken on users in the environment. (See also the Remediation
Actions section). The User Actions list contains the following information:
▪ User Name – The user account the action was taken on. This link will take you to the User Details Page of that
user account.
▪ Host Name – The host the user action was taken on (only for local user accounts).
▪ Time – The time the user action was initiated.
▪ Action Taken – The type of user action taken.
▪ Status – The result of the user action taken.
▪ Status Info – Information about the user action taken.
NETWORK ACTIONS
The Network Actions page provides visibility of all actions taken on network traffic in the environment. (See also the
Remediation Actions section). The Network Actions list contains the following information:
▪ Network Name – The network object the action was taken on. This link will take you to the Domain/IP
Address Details Page.
▪ Host Name – The host the network action was taken on (only for local user accounts).
▪ Time – The time the network action was initiated.
▪ Action Taken – The type of network action taken.
▪ Status – The result of the network action taken.
▪ Status Info – Information about the network action taken.
AUTO REMEDIATION
The Auto Remediation page provides the ability to manage rules which allow Cynet 360 to automatically perform a
remediation action when an alert is generated. These auto remediation rules can be configured to match alerts based on
a number of factors, and take a remediation action to mitigate the threat. The Auto Remediation list contains the
following information:
▪ Name – The provided name of the auto-remediation rule.
▪ Description – The provided description of the auto-remediation rule.
▪ Remediation – The remediation action that is taken when this rule is matched.
▪ Priority – The order in which auto-remediation rules will be processed.
▪ Date In – The date and timestamp when the auto-remediation rule was created.
CREATE AUTO REMEDIATION RULES
To create a new Auto Remediation rule, click the Add New Rule button in the top-right corner of the Auto Remediation
page.
This will open the Auto Remediation creation menu on the right side of the page.
GENERAL CONFIGURATION
▪ Rule Name – Enter an alias for the rule.
▪ Description – Enter a description for the rule.
▪ Priority – Enter a number used by the system to decide which rule will be executed in the case where two auto
remediation rules match a generated alert. The lower the number, the higher the priority (e.g. if an alert
matches a rule with priority 1 and another with priority 5, the priority 1 rule’s remediation action will be
executed).
MATCHING
▪ Alert Name – Enter a regular expression (REGEX) to match on the name of the alert. This allows for matching of
multiple alerts with different names according to a pattern.
To match on all alert names, use the regular expression ( .* )
▪ Host Groups – Select the host groups that should be used to match hosts in generated alerts. If the host in the
alert is part of the selected host group(s), this criterion is met.
To match on all Host Groups, use the Select All option.
▪ Alert Severity – Select the severity that should be used when matching generated alerts. If the alert’s severity
matches one of the selected severities, this criterion is met.
To match on all severities, use the Select All option.
ADVANCED MATCHING
▪ File – Enter a specific File Hash or File Name when matching this rule to a generated alert.
Leave this field empty to match on any file in an alert.
▪ User – Enter a specific User Name when matching this rule to a generated alert.
Leave this field empty to match on any user in an alert.
▪ Network – Enter a specific IP address, Domain, or URL when matching to an alert.
Leave this field empty to match on any network criteria in an alert.
▪ Hosts to Match – Enter a specific Host(s) when matching this rule to a generated alert. To add a new host
match, click the Add New Match button or the Edit Match button to edit an existing host match entry.
Leave this field on the ALL selection to match on all hosts.
▪ Add New Match & Edit Match – When adding a new host match or editing an existing match criterion:
▪ Group Name – An alias for the host match entry.
▪ Hosts to Match – Enter a regular expression to match on the hostname. This allows for matching of
multiple hosts with different names according to a pattern.
To match on all host names, use the regular expression ( .* )
▪ Selected OS – Select the operating system to match on from the drop-down menu. Operating systems
in the list are pulled from scanned hosts.
To match on all operating systems, use the Select All option.
ACTION
▪ Remediation Type – Select the type of remediation from the drop-down menu
▪ Action – Select the action associated with the type of remediation from the drop-down menu.
Remediation Types and Actions available (See also the Remediation Actions section)
▪ File Remediation Actions
▪ Kill Process
▪ Quarantine File
▪ Delete File
▪ Host Remediation Actions
▪ Restart Machine
▪ Shutdown Machine
▪ Disable All NICs
▪ Run Command
▪ User Remediation Actions
▪ Disable User
▪ Network Remediation Actions
▪ Block Traffic
Once all configurations have been made for the Auto Remediation Rule, click the Save button to save all changes. New
Rules will appear in the Auto Remediation dashboard.
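The Matching, Advanced Matching and Action settings above define a rule-selection procedure: a rule applies only when every criterion is met (with empty or Select All fields matching anything), and when several rules match one alert, the rule with the lowest priority number wins. The following is an added Python model of that procedure, written here to make the semantics testable; it is not Cynet code. The Alert and Rule shapes, the field names, the use of re.search for the regex fields, case-insensitive comparison of file, user and network values, and the sample rules and alert are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Hypothetical data shapes for this example (not Cynet's data model).


@dataclass
class Alert:
    name: str
    severity: str              # "High", "Medium" or "Low"
    host_name: str
    host_group: str
    host_os: str
    file_name: str = ""
    file_hash: str = ""
    user: str = ""
    network: str = ""          # IP address, domain or URL named in the alert


@dataclass
class Rule:
    name: str
    priority: int                              # lower number wins when several rules match
    alert_name_regex: str = ".*"               # ".*" matches every alert name
    host_groups: Optional[Set[str]] = None     # None models "Select All"
    severities: Optional[Set[str]] = None      # None models "Select All"
    file: str = ""                             # file hash or file name; empty = any file
    user: str = ""                             # empty = any user
    network: str = ""                          # empty = any network object
    hosts_regex: str = ".*"                    # Hosts to Match; ".*" models the ALL selection
    os_names: Optional[Set[str]] = None        # Selected OS; None models "Select All"
    remediation_type: str = ""
    action: str = ""


def rule_matches(rule: Rule, alert: Alert) -> bool:
    """True only when every Matching and Advanced Matching criterion of the rule is met.
    re.search (pattern anywhere in the name) is an assumption; the guide only says a regex is entered."""
    if not re.search(rule.alert_name_regex, alert.name):
        return False
    if rule.host_groups is not None and alert.host_group not in rule.host_groups:
        return False
    if rule.severities is not None and alert.severity not in rule.severities:
        return False
    # Advanced matching: an empty field matches any value in the alert.
    if rule.file and rule.file.lower() not in (alert.file_name.lower(), alert.file_hash.lower()):
        return False
    if rule.user and rule.user.lower() != alert.user.lower():
        return False
    if rule.network and rule.network.lower() != alert.network.lower():
        return False
    if not re.search(rule.hosts_regex, alert.host_name):
        return False
    if rule.os_names is not None and alert.host_os not in rule.os_names:
        return False
    return True


def select_rule(rules: List[Rule], alert: Alert) -> Optional[Rule]:
    """Return the matching rule with the lowest priority number, or None when no rule matches."""
    matching = [r for r in rules if rule_matches(r, alert)]
    return min(matching, key=lambda r: r.priority) if matching else None


# Constructed sample rules: a broad catch-all at low priority and two narrower, higher-priority rules.
RULES = [
    Rule("Quarantine any high-severity file alert", priority=5, severities={"High"},
         remediation_type="File", action="Quarantine File"),
    Rule("Kill ransomware on servers", priority=1, alert_name_regex=r"(?i)ransom",
         host_groups={"Servers"}, severities={"High", "Medium"},
         remediation_type="File", action="Kill Process"),
    Rule("Disable user on credential theft", priority=2, alert_name_regex=r"(?i)credential",
         remediation_type="User", action="Disable User"),
]

# Constructed sample alert (hostnames, hash and user are placeholders).
SAMPLE_ALERT = Alert(name="Ransomware behaviour detected", severity="High", host_name="SRV-FILE01",
                     host_group="Servers", host_os="Windows Server 2016", file_name="enc.exe",
                     file_hash="0" * 64, user="CORP\\jdoe")

if __name__ == "__main__":
    chosen = select_rule(RULES, SAMPLE_ALERT)
    print(chosen.name, "->", chosen.remediation_type, chosen.action)   # priority 1 beats priority 5
```

The useful property to check with a model like this is that a broad catch-all rule (priority 5 here) never pre-empts a narrower one you intended to win, which is exactly the case the guide’s priority example describes.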
EDIT AUTO REMEDIATION RULES
To edit an Auto Remediation rule, click on the Auto Remediation rule name.
This will open the Auto Remediation editing menu on the right side of the page.
Then edit the rule according to the same steps as the Create Auto Remediation Rules section.
DELETE AUTO REMEDIATION RULES
To delete an Auto Remediation rule, select the rule to delete in the Auto Remediation rule list
Then click the Delete button in the top-right corner of the Auto Remediation page.
The system will prompt you to confirm the Auto Remediation rule deletion. To complete the deletion, click the Confirm
Delete button.
SCANNER
The Scanner page provides a simple interface to start and stop host scans and view the status of host scans. Ad-hoc
scans can be performed on the Manual Scans page.
A. Scanner Action Buttons - enables the ability to perform scan related actions such as:
▪ Start/ Stop Scanner – Starts or Stops the scanner service.
▪ Restart Scans – This will clear all displayed scan history, and will initiate the scanner service to rescan
all hosts immediately.
▪ Export Scan-Errors – Exports scan errors to an Excel (.xlsx) report.
▪ Export Never Scanned Endpoints – Exports unscanned hosts to an Excel (.xlsx) report.
▪ Disable\Enable Auto Refresh – This will disable or enable the auto refresh of the scanned endpoints
table data.
▪ Reload Table Data – This will refresh the Scanned Endpoints table with the latest scan data received
from endpoints.
B. Quick Filter - allows users to quickly filter scanned hosts by Host Name/IP, Scan Start (date and timestamp),
Scan End (date and timestamp), Scan Status, Status Details, scan Distribution Type, or details.
(See also Group Information section for more about Distribution Types).
C. Today Scans - displays the number of successfully and unsuccessfully scanned endpoints.
D. Scanned Endpoints - lists the endpoints attempted to be scanned by Cynet 360 according to the configuration
settings in the Scan Groups (See also the Scan Groups section).
E. Excel – allows users to export the complete or filtered view of the scanner page.
F. Actions – after selecting the checkbox of one or more endpoints and clicking the actions icon, the user is
presented with 3 scanner actions to run on the endpoints:
▪ Restart Scans – stops the Cynet scanner process on the endpoints, and reinitiates the scanner service
to rescan all hosts immediately.
▪ Stop Scans – Stops the Cynet scanner process on the endpoints.
▪ Remove Scanner – Stops the Cynet scanner process on the endpoints, and removes all Cynet’s files and
folders from the endpoint.
MANUAL SCANS
The Manual Scans page allows users to initiate a manual scan of a host and view the status of an initiated manual scan.
A. Manual Scans – Enter the hostname or IP address of a host to be manually scanned and click the Scan Host
button.
B. Quick Filter - allows users to quickly filter manually scanned hosts by Scan Date, IP/Hostname, Distribution
Type, Scan Status, or Scan Details.
C. Manual Scans List – lists the endpoints attempted to be scanned by Cynet 360 using a manual scan.
NOTE Manually scanned hosts MUST be configured in a Scan Group in the Settings. If the host is not part of a configured
scan group either by hostname, IP address, IP Range, or Active Directory OU, the manual scan will fail. This is because
Cynet 360 does not know which scan credentials or distribution type to use when scanning the host.
REPORTS
The Reports page provides reporting capabilities on alerts and risks generated by the system.
A. Report Types – Use this drop-down menu to select the report type. There are two types:
▪ Alerts Report
▪ Top Risks Report
B. Date Range – Reports can be filtered to show items within a date range. Select the desired range and then click
Go to apply it and view items within the date range.
C. Report Filters – Reports can be filtered to show all objects, or only files, hosts, users, or network objects.
D. Export Report – The Adobe PDF icon can be clicked to export the visible report to a .pdf report format.
ALERTS REPORT
The Alerts Report contains statistics on all alerts generated by the system within the specified date range. These reports
can be filtered to display alerts for only files, hosts, users, or network.
The first graphic on the Alerts Report displays alerts by type over the given date range. Each object type is highlighted
with a different color.
The second graphic displays the number of alerts by their current status (open/closed). This graphic will also highlight
how many high, medium, and low severity alerts there were.
The bottom half of the Alerts Report contains the specific objects associated with these alerts in the given date range.
Each file, user, host, and network traffic item that is part of these alerts is displayed in the radar graphic.
TOP RISKS REPORT
The Top Risks Report contains reports for the files, hosts, users, and network traffic with the highest risk levels.
The first graphic displays the top riskiest objects according to the current report filter (see Report Filters above). These
can include the top 10 riskiest files, hosts, users, and network traffic.
The bottom half of this report lists these objects and some additional details for each.
VULNERABILITIES ASSESSMENT REPORT
The VA Report contains operational data generated by the system based on the VA configuration. These reports are
divided into:
• Missing KBs on host (Microsoft OS patches)
• Agent Validation (security policy compliance)
• Application Patches Validation (3rd party application patch validation, e.g. Java, Adobe, etc.)
• Unauthorized Applications
Each of the reports generates and downloads a CSV file with all the data; that data can be sent to the IT team in order to
fix those issues.
INVENTORY REPORT
The Inventory Report contains operational data generated by the system based on the Cynet collection. This is part of
the immediate visibility that Cynet provides, and can help with many use cases such as:
• Create and maintain a CMDB
• Understand which hosts are protected
• Find old or unsupported OS versions
• Etc.
EXPORTING REPORTS
Reports can be exported by using the Adobe PDF icon in the top-right corner of the page. The images below are
examples of exported reports.
NOTE Be sure to disable your web browser’s pop-up blocker for the Cynet web interface. PDF reports are presented in a
separate browser tab, and may be blocked by the pop-up blocker.
MAPS
The Maps page provides a geographical or topological representation of open alerts. See the Maps section of the
settings page to configure map locations.
The configured locations on the Maps page will appear as a Green or Red dot. High or Critical alerts will turn the green
dot into a red dot. The red dot will increase in size based on the number of alerts generated from that particular
location. Zoom into the map to see the configured regions.
AUDIT
The Audit Panel provides a full audit trail for all user actions in the system.
◼ The Cynet platform provides a full audit trail for any user actions performed in the system.
◼ The audit records are saved in the database and in external files.
◼ This document describes how to access and use the audit trail via the following methods:
o Cynet UI
o External log files
Audit using Cynet UI – Clicking on the Audit icon will navigate the user to the audit screen. The page lists all user actions
being performed in the system.
◼ Audit Table is visible, with the following attributes per audit record:
o User Name – user that executed the action generating the audit record
o Info – Details about the action, including a short title of the action (e.g. “Authentication Mode Changed”), and a JSON payload containing extra details about the action (if one exists)
o Action – name of the action executed
o Category – category of the action in the system (Account\Settings\Remediation)
o Action Time – time that the action was executed
◼ Filter\Sort area
o Allows sorting according to any field
o Allows filtering by any field (text for text attributes, a list of predefined values for list attributes, from-to for date attributes)
◼ Paging
o Defines how many entries will be loaded per page (default – 25)
◼ Export
o All the data can be exported to a spreadsheet by clicking on the icon.
Audit using log files – By default, all audit records are located in the following path: “C:\Cynet360\logs\audit”.
◼ The audit files are cyclical. On every system restart, or every 50MB, a new file will be created with the following name format: “CF_<CREATE_HOUR>T<CREATE_MINUTE>T<CREATE_SECOND>_<YYYYMMDD>.txt”
◼ The file is text-based and includes all audit records. Each record appears on a new line: “date hour Audit action:<action code>;userName:<user>; category:<category>; details:<description+Json>”
◼ See the following example:
====[-- Logging Start --]====
04/17/2018 06:57:10 Audit action:Login; category:Account; details:user operator logged in;
04/17/2018 06:58:30 Audit user:operator; action:SaveGroupInformation; category:Settings; details:scan group information saved, group info:{account name:EP-
Admin, distribution type:CynetLauncher, scan mode:AlwaysOn, CPU limit:15, scan interval:60, scan history:3, Is guest user enabled:false, live file on:false, user
EPS remediation:false, network attack detections:true, set network share:false, send only data increments:true, internet avialibility tests:false, Use decoy
files:true, Allow credentials decoy:false, Alert if not scanned:false, Enable ETW:false, Etw RansomKill:false, Etw Ransom Kill:false, Etw Decoys:false, Ssdeep:false,
Adt:true, Disable strings collection:false, Use driver:false, Driver block raw:false, Driver kill raw:false, Driver log Handle:false, Driver block Handle:false, UA
lert:false, Etw Decoys Limit:100, Msi Update:false, Enable Update:true, Allow fuzzy remediation:false, FastScanDoKill:false, VAWindowsPatches:false, VA Risky
Apps:false, VA Outdated Apps:false, VA Running Apps:false, VA Period Minutes:1440, TH Period Minutes:30, TH Enabled:false, AntiVirus Enable:false, AntiVirus
Do Kill:false};;
04/17/2018 06:59:16 Audit user:operator; action:SaveAdvancedSettings; category:Settings; details:advanced settings saved,
settings:{SettingsConnectivity:{ListenIP:169.254.250.12, ListenPort:443, SecondaryListenIP:null, SecondaryListenPort:null, ProxyConnectivity:{IP:null, Port:8080}},
SettingsPrivacy:{SendAlertsToSIEM:false, AnalyzeUniqueFiles:true, DaysToKeepAnalyzedFiles:30, DaysToKeepLogFiles:7, AnonymizeHostnames:false,
AnonymizeUsers:false, AnonymizeUsersInternal:false, DisplayUserPhoto:false, PhotoAttributeInAD:null, IgnoreARP:false, IgnoreCertificate:false,
IgnoreDNSCache:false, IgnoreHostsFileInformation:false, IgnoreInstalledSoftware:false, IgnoreIpSettings:false, IgnoreUserInformation:false,
IgnoreMsUpdatesInformation:false, IgnoreNetworkInterfaceInformation:false, IgnoreNetworkHostSharesInformation:false, AllowSocFileAnalysis:true,
AutomaticSystemUpgrade:true, DisableSyncOfCmdLineParamsToCloud:false, EnableFilesWhiteListing:true, IsSendMemoryStringsToCloud:true},
MasterSlave:{IsMasterServer:false, IsMaster:true, CurrentyLoggedClient:null, MasterDetails:{IP:null, Port:8443}, SlaveDetails:null}, DomainsWhiteListing:null,
ScanThrottling:{RealScanMaxThreads:200, RPCTimeout:80, RPCPsExecTimeout:30, RemediationMaxThreads:300}, RemediationConfiguration:{MaxRetries:48,
RetryInterval:30}, DecoyFilesListeningPort:8484, PoliciesExcludes:null, Signatures:null, UiTimeoutMinutes:20};;
04/17/2018 06:59:56 Audit user:operator; action:AddScannedEndpoint; category:Settings; details:scanned endpoint added,
details:{ScannedEndpointType:HOST, Item:169.254.250.12};;
04/17/2018 07:00:02 Audit user:operator; action:DeleteScannedEndpoint; category:Settings; details:delete scanned endpoint:{Name:Main,
ScannedEndpointType:HOST, Items:[192.168.3.4]};;
04/17/2018 07:05:04 Audit user:operator; action:AddUser; category:Settings; details:Add user with details:{UserName:guest, Level:DASHBOARD};;
04/17/2018 07:05:24 Audit user:operator; action:AddUser; category:Settings; details:Add user with details:{UserName:guest, Level:DASHBOARD};;
04/17/2018 07:05:52 Audit user:operator; action:AddUser; category:Settings; details:Add user with details:{UserName:Shai, Level:DASHBOARD};;
04/17/2018 07:05:59 Audit user:operator; action:AddUser; category:Settings; details:Add user with details:{UserName:Shai, Level:DASHBOARD};;
04/17/2018 07:06:53 Audit user:operator; action:SetAuthenticationMode; category:Settings; details:Authentication mode changed : Enable only Active directory
Authentication;
04/17/2018 07:07:45 Audit user:operator; action:SetAuthenticationMode; category:Settings; details:Authentication mode changed : Enable only local Active
directory;
04/17/2018 07:09:28 Audit user:operator; action:AddNewMapRange; category:Settings; details:new map range added, details:{name:IL Office, x
coordinate:5270.0, y coordinate:-7437.0, from ip:169.254.224.1, to ip:169.254.224.254, hc key:il};;
04/17/2018 07:34:31 Audit user:operator; action:DeleteScannedEndpoint; category:Settings; details:delete scanned endpoint:{Name:Main,
ScannedEndpointType:HOST, Items:[169.254.250.12]};;
04/17/2018 07:34:42 Audit user:operator; action:AddScannedEndpoint; category:Settings; details:scanned endpoint added,
details:{ScannedEndpointType:HOST, Item:169.254.224.138};;
====[-- Logging Terminate --]====
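The audit file format above is plain text and easy to review programmatically. The following added example (not Cynet's code) parses records of the form shown, tolerates the Login record that carries no user field, and then does two things a reviewer typically wants: list the actions that change who can log in and how, and flag identical records that repeat (the excerpt above adds the user "guest" twice within twenty seconds). The sample lines are constructed from the excerpt, and the set of "sensitive" action names is an assumption made here, not a classification defined by the product.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample file, modelled on the audit excerpt in this guide: one record per line,
# "date time Audit key:value; key:value; ...". Real files under C:\Cynet360\logs\audit may differ.
SAMPLE_AUDIT = """\
====[-- Logging Start --]====
04/17/2018 06:57:10 Audit action:Login; category:Account; details:user operator logged in;
04/17/2018 06:59:56 Audit user:operator; action:AddScannedEndpoint; category:Settings; details:scanned endpoint added, details:{ScannedEndpointType:HOST, Item:169.254.250.12};;
04/17/2018 07:05:04 Audit user:operator; action:AddUser; category:Settings; details:Add user with details:{UserName:guest, Level:DASHBOARD};;
04/17/2018 07:05:24 Audit user:operator; action:AddUser; category:Settings; details:Add user with details:{UserName:guest, Level:DASHBOARD};;
04/17/2018 07:06:53 Audit user:operator; action:SetAuthenticationMode; category:Settings; details:Authentication mode changed : Enable only Active directory Authentication;
====[-- Logging Terminate --]====
"""

RECORD_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2}) Audit (.*)$")

# Assumption: these action names (all taken from the guide's excerpt) are the ones worth
# a second look, because they change accounts, authentication or server-wide settings.
SENSITIVE_ACTIONS = {"SetAuthenticationMode", "AddUser", "SaveAdvancedSettings"}


@dataclass
class AuditRecord:
    date: str
    time: str
    user: Optional[str]   # the Login record carries no user field
    action: str
    category: str
    details: str


def parse_record(line: str) -> Optional[AuditRecord]:
    """Parse one audit line; return None for banner lines such as '====[-- Logging Start --]===='."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    date, time, body = m.groups()
    fields: Dict[str, str] = {}
    # Fields are ';'-separated; each is 'key:value', and the value may itself contain ':' and
    # '{...}', so split on the first ':' only. Empty parts come from the trailing ';;'.
    for part in body.split(";"):
        key, sep, value = part.strip().partition(":")
        if sep and key:
            fields[key] = value.strip()
    if "action" not in fields:
        return None
    return AuditRecord(date, time, fields.get("user"), fields["action"],
                       fields.get("category", ""), fields.get("details", ""))


def parse_audit_file(text: str) -> List[AuditRecord]:
    return [r for r in (parse_record(line) for line in text.splitlines()) if r is not None]


def sensitive_events(records: List[AuditRecord]) -> List[str]:
    """Records whose action is in SENSITIVE_ACTIONS, formatted for a reviewer."""
    return [f"{r.date} {r.time} {r.user or '-'} {r.action}: {r.details}"
            for r in records if r.action in SENSITIVE_ACTIONS]


def repeated_records(records: List[AuditRecord]) -> Dict[Tuple[Optional[str], str, str], int]:
    """Identical (user, action, details) tuples seen more than once, e.g. the same user added twice."""
    counts = Counter((r.user, r.action, r.details) for r in records)
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    recs = parse_audit_file(SAMPLE_AUDIT)
    for event in sensitive_events(recs):
        print(event)
    for (user, action, details), n in repeated_records(recs).items():
        print(f"{n}x {user} {action}: {details}")
```

Because the audit files rotate every 50MB or on restart, run this over every `CF_*.txt` file in the directory rather than only the newest one, and feed the output of sensitive_events into whatever ticketing or SIEM process reviews administrative changes.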
SETTINGS
The Settings Panel provides extensive system management and configuration capabilities for the Cynet 360 platform.
The panel is divided into the following tabs:
▪ Scan Groups – Settings for scan groups with separate scan settings and includes:
    ▪ Scan Groups
    ▪ Group Information
    ▪ Scan Population
    ▪ Scan Scheduling
▪ Configuration – Settings for miscellaneous system configurations and includes:
    ▪ Excluded IP Ranges
    ▪ Traffic Analysis
    ▪ Log Parser
    ▪ VPN Parser
    ▪ Import User Data from AD
    ▪ Import User Data from CSV File
    ▪ User SMS Notifications
▪ EPS Configuration – Settings for configuration of the CynetEPS and memory forensic analysis.
▪ Advanced – Settings for advanced scanning configuration and includes:
    ▪ Connectivity
    ▪ Privacy & Compliance
    ▪ Master & Slave
    ▪ Policy Exclusions
    ▪ Scan Throttling
    ▪ Domain Whitelisting
    ▪ Remediation Settings
    ▪ Decoy File Settings
    ▪ UI Session Time Settings
▪ Users – Settings for user accounts that access the Cynet system.
    ▪ Add/Edit/Delete Users
    ▪ Change Password
▪ Maps – Settings for the Maps page of the system.
▪ Analysis – Settings for analysis actions of the system.
    ▪ Smart Simulation Execution (SSE) sandbox
    ▪ Deep Scan
▪ Alerts – Settings for the configuration of alerts generated by the system.
    ▪ General Settings
    ▪ Immediate Alert Notification Settings
    ▪ Host No-Scan Alert Settings
    ▪ Alert Severity Configuration Settings
▪ Integrations – Settings for integration with other systems, such as Active Directory.
▪ Vulnerability Management – Settings for the Vulnerability Management feature.
▪ UBA Management – Settings for the UBA Management feature.
▪ Threat Hunting – Settings for the Threat Hunting feature.
▪ System Info – Information regarding the Cynet system.
    ▪ Main Info
    ▪ System Health
SCAN GROUPS
The Scan Groups page is used to configure how to scan endpoints. Different groups can be configured based on the
endpoint type, IP subnet, or scanner mode. By default, there is a “default group” which can be used or a new scan group
can be created.
SCAN GROUP SETTINGS
Scan groups can be used to separate scanning settings between different areas of the organization such as subnets,
computer types, departments, etc. All scan settings are saved to the group and are specific to that group. Scan groups
can contain separate credentials for scanning, scan scheduling, distribution types, etc.
To create a new Scan Group:
A. Click the Create button.
B. Enter a Group Name and Group Description (optional) in the text boxes.
C. Click the Save button to create the new group.
Then make sure to select the appropriate Scan Group from the drop-down menu before editing the Group Information
section.
To remove a Scan Group, select the correct group for deletion from the drop-down menu, then click the
Delete Group button.
GROUP INFORMATION SETTINGS
The Scan Account is the account used to authenticate to hosts when scanned. Multiple sets of credentials can be saved
in the system to be used on any scan group. All saved credentials are hashed and encrypted within the Cynet database.
For more information about configuring a user account(s) to be used as a scan account (for Windows Domain & Local,
Linux Local, and Mac Local), please see the Configuring Scan Accounts appendix of this guide.
Choosing the scanning platform:
▪ Choose the relevant operating system from the list.
▪ After choosing the platform, all the settings will be adjusted based on the selection.
To create a new scan account:
▪ Click the Create button.
NOTE Separate credentials are necessary for Windows, Linux and Mac hosts. Hosts of each OS type should be placed in
a separate scan group, with separate credentials for each scan group.
NOTE Any group can include only one kind of operating platform.
▪ There will then be a prompt to enter an alias for this set of credentials.
▪ The Service option will use the credentials under which the Cynet service is currently running on the server.
▪ The Credentials option requires entering a username, the password, and the domain (if an Active Directory
account).
The Validate Credentials option will attempt to confirm the entered credentials are valid by connecting to the domain
controller. If the credentials are validated successfully, a success icon will appear. Failed credentials will show a failure icon.
Then click the Save button to save the entered credentials.
NOTE If the credentials entered are a local Windows account or a local Linux account, a domain does not need to be
specified.
NOTE The Validate Credentials functionality will only work for Active Directory credentials. Local Windows accounts or
local Linux accounts will not validate.
The Distribution Type is the way the system will push the Cynet endpoint scanner (CynetEPS) to the endpoints.
Distribution Types include:
▪ Auto – The Auto distribution type cycles through the types in this list. If one distribution type fails, the system
will proceed to the next type and attempt to scan the host. The order of types this setting will use is: Cynet
Launcher, RPC-SMB One Way, and then RPC Task.
▪ Launcher – The Cynet Launcher type will authenticate to the endpoint(s) using the configured account
credentials via CynetLauncher.exe and transmit the CynetEPS via SMB to be executed. This distribution type
requires port 445 to be opened on the endpoint(s).
▪ Scheduled Tasks – The Cynet server will authenticate to the endpoint(s) using the configured account credentials
via MSRPC and transmit a task message to the endpoints to execute the CynetEPS. This distribution type
requires TCP port 135 to be opened on the endpoint(s).
▪ SSH – The Cynet server will authenticate to the endpoint(s) using the configured account credentials via SSH,
transmit the CynetEPS and run the daemon. This distribution type requires TCP port 22 to be opened on the
endpoint(s).
▪ RPC – The Cynet server will authenticate to the endpoint(s) using the configured account credentials via PsExec and
transmit the CynetEPS via SMB to be executed. This distribution type requires TCP port 445 to be opened on the
endpoint(s).
▪ Manually Installed Agent – The Cynet server does not dispatch the agent; the installation is done using a third-party
system such as WSUS, SCCM, BigFix, etc.
Distribution Type settings are marked on the Scanner page in the Distribution Type column.
DEFINING MANUALLY INSTALLED AGENTS GROUP
To use this feature, a dedicated distribution type, "Manually Installed Agents", is available for scan groups.
To create a group that contains manually installed agents:
1. Create a new scan group.
2. Go to Settings → Scan Groups → Distribution Type.
3. Choose "Manually Installed Agents".
4. From now on, this group will contain only agents that were manually installed.
ADDING AGENT TO MANUALLY INSTALLED GROUP
1. Pre-configure the host in the scan group population.
2. To add a Manually Installed Agent to a group as defined above:
a. Add the agent to the group population (using one of the supported methods: host name, IP range, or
OU).
b. Install the agent using the MSI.
c. The agent will be automatically associated with the group in which it was defined.
3. This feature is also supported for Linux machines.
4. Make sure that the "Distribution Platform" parameter of the scan group is set to "Linux".
Changing group
1. Via the UI, delete the host from one scan group and add it to the other.
2. It is also possible to Export and Import the host population.
ADDING AGENTS TO GROUPS USING CLI
Sending the "-group" argument to the EPS
To add a Manually Installed Agent to a group as defined above, the EPS accepts a "-group" argument.
The argument names the group that the EPS should belong to.
To use this parameter:
1. Add "-group" to the MSI command line arguments, followed by the target group name.
2. When using MSI installation, the Cynet MSI can take the group name as an additional command line parameter. If
the group name exists, the host is assigned to that group; otherwise the host is assigned to the default MSI
group.
Changing group
1. To move an agent from group to group, uninstall the MSI.
2. Install it again with the new group name as the argument.
The Scan Mode setting is the manner in which the system will configure the Cynet endpoint scanner (CynetEPS) to run
on hosts. Scan Modes include:
▪ Interval – The CynetEPS will be deployed (see Distribution Type above) to the configured endpoint(s) at the
specified scan interval. The CynetEPS will self-terminate on the endpoints at the end of the scan cycle.
▪ AlwaysOn – The CynetEPS will be deployed (see Distribution Type above) to the configured endpoint(s)
immediately. The CynetEPS will continue to run after the initial scan has completed. This will ensure any new
change or activity on the endpoint(s) is collected and sent back to the Cynet server in real time for analysis.
▪ Light Agent – The CynetEPS will be deployed (see Distribution Type above) to the configured endpoint(s)
immediately. The CynetEPS will continue to run after the initial scan has completed, and a service will be created
so the CynetEPS starts when the endpoint(s) reboot.
Scan Mode settings are marked on the Scanner pages in the Status column. Hosts scanned in the Interval mode will show
the scan progress. Hosts scanned in the AlwaysOn and Light Agent modes will display their current status.
▪ Active Directory Domain - The domain which will be scanned. This setting is used to pull computers in the Scan
Population configuration section below.
▪ CPU Average Consumption - The maximum CPU usage the CynetEPS executable will use when running on
endpoints in this scan group.
▪ Scan Interval - The time interval which endpoints in this scan group will be scanned in Interval mode. If using
the AlwaysOn mode, this setting represents the duration interval the system will wait to redeploy to an
endpoint that has not checked in.
▪ Scan Results History – This setting configures the number of scan results that are kept in the Scanner page
history for each endpoint.
Some of the following settings vary depending on the distribution type or scan mode being used:
▪ EPS Remediation (appears only with Light Agent mode) – This setting is used in the Light Agent mode, and will
configure the CynetEPS to perform remediation actions rather than remediation actions being taken by the
Cynet service on the server.
▪ Network Attacks Detection (appears only with Light Agent & AlwaysOn modes) – This setting configures the
CynetEPS to detect network-based attacks being performed on the host. The CynetEPS binds itself to the
endpoint NIC to see all network traffic being performed on the host.
▪ EPS Network share (only necessary for Task Scheduler distribution type) - This setting is used for Scheduled
Task distribution types so the endpoints can pull the CynetEPS from a read-only network share on the Cynet
server.
▪ EPS Delta Changes (appears only with Interval mode) - This setting will configure the CynetEPS to send only
new or modified metadata to the server, limiting the amount of data sent over the network.
▪ Internet Availability Check – This setting will configure the CynetEPS to check the endpoint(s) for internet
connectivity. This setting weights some threat indicators differently based on the ability to connect directly to
the internet.
▪ Memory Injection Remediation – This setting will allow the CynetEPS to automatically kill any process that
performs a memory injection or an illegal usage of memory on a scanned host. (Most useful for immediate
Ransomware mitigation).
▪ Decoy Files (available only with Light Agent & AlwaysOn modes) – This setting will create decoy files on the
scanned host(s). Cynet 360 will deploy deception files with beaconing functionality which will generate an alert
when accessed. See also the Decoys section.
▪ Credential Decoy Detection (appears only when Use Decoy Files is enabled) – This setting deploys imitation
credentials to various parts of the host for deception purposes. When these credentials are used or accessed,
the system will generate an alert. The Use Decoy Files settings must be enabled in order to enable the
Credentials Decoy. See also the Decoys section.
▪ Unscanned Group Alert – This setting will generate an alert if most of the scan population of this group is not
being scanned.
▪ Advanced Detection Technology – This setting enables the Advanced Detection Technology (ADT) heuristic
engine. The ADT engine will allow the Cynet EPS to detect threats using behavioral analysis.
▪ ADT – Behavioral Heuristic Remediation – This setting enables the behavioral heuristic remediation capabilities
of the ADT.
▪ ADT - Ransomware Heuristic Detection (appears only in AlwaysOn and Light Agent mode) – This setting
enables the ransomware detection capabilities of the ADT engine in the Cynet EPS.
▪ ADT - Ransomware Heuristic Remediation (appears only when Ransomware Heuristic Detection is enabled) –
This setting enables the ransomware remediation capabilities of the ADT engine. When ransomware is detected
using the ADT engine, it will automatically be stopped.
▪ ADT - Ransomware Heuristic Decoys (appears only when Ransomware Heuristic Detection is enabled) – This
setting enables ransomware detection through the use of hidden decoy files created on scanned endpoints.
These decoy files are separate files from the Decoys functionality of the system. These specific files are
designed to detect modifications by ransomware.
▪ ADT - Ransomware Heuristic Decoy Disk Space Limit (appears only when Ransomware Heuristic Decoys is enabled)
– This setting limits the amount of disk space the Ransomware Heuristic Decoys can consume on an endpoint
(in Mb).
NOTE In order to audit some of the credential decoys, the built-in guest account needs to be enabled on the Cynet
server. This is OPTIONAL based on your organization’s security policies and is only used for auditing. The credential
decoys will still function as intended.
▪ ADT – Fuzzy Hashing Detection – This setting enables the Cynet EPS to use fuzzy hashing techniques to detect
malware. This technique involves mathematically calculating similarities between files. This detection method
allows the system to detect previously unknown variants of malware through similar or shared code between
malware samples.
▪ ADT - Fuzzy Hashing Remediation (appears only when Fuzzy Hashing Detection is enabled) – This setting
enables remediation capabilities of the Fuzzy Hashing detection mechanism. When malware is detected using
this method, it will automatically be stopped.
▪ Disable String Collection – This setting disables memory string collection by the EPS for all hosts in this scan
group.
▪ Memory Protection Mode – This setting enables the EPS to run at the kernel level. While in memory protection
mode, the EPS gains visibility into kernel-level threats and enables an anti-tampering mechanism, which
prevents the EPS process from being terminated on the host.
▪ Raw Disk Writing Prevention (appears only when Memory Protection Mode is enabled) – This setting enables
the EPS to prevent raw disk writing, such as writing to the MBR.
▪ Raw Disk Writing Process Termination (appears only when Raw Disk Writing Prevention is enabled) – This
setting enables the EPS to automatically terminate a process that attempts to perform a raw disk write.
▪ Memory Injection Prevention (appears only when Memory Protection Mode is enabled) – This setting enables
the EPS to pre-emptively terminate a process performing a memory injection at the kernel level.
▪ EPS Alert Messages – This setting enables the EPS to display an alert message on the host when a threat is
detected.
▪ EPS Fast Scan Detection – This setting enables the EPS to send scan data from hosts to the Cynet server
immediately for analysis. In normal operation, the EPS sends this data in increments to reduce network traffic
congestion.
▪ EPS Fast Scan Remediation – This setting enables the EPS to automatically terminate any process that is
detected as a threat using the fast scan detection method.
▪ Enable Windows Patch Validation – this setting enables the Windows Patch validation function, as part of the
Vulnerability Management feature.
▪ Enable Unauthorized Applications Validation – this setting enables the unauthorized applications validation
function, as part of the Vulnerability Management feature.
▪ Enable Application Patch Validation – this setting enables the application patch validation function, as part of
the Vulnerability Management feature.
▪ Enable Agents Validation – this setting enables the agent validation function, as part of the Vulnerability
Management feature.
▪ Encryption Token – This setting is used to create a random encryption token to encrypt the password used for
the Scan Account in this group. This ensures that the encrypted password token is unknown and cannot be
decrypted.
Click the Save button to ensure all configuration changes are saved.
SCAN POPULATION SETTINGS
There are three ways to add endpoints to a scan group: individually via hostname/IP address, IP address ranges, or
Active Directory OUs.
▪ Endpoints – New endpoints can be added to the scan group population by entering either an individual
hostname or IP address.
✓ Example: Explicit hostname host1344
✓ Example: Explicit IP Address 192.168.220.101
▪ Import from File
o Clicking Import opens the import dialog window.
o Once the file has been chosen and uploaded, the system shows a confirmation message.
NOTE When entering a hostname, ensure the Cynet server is able to resolve the hostname to an IP address to connect
and scan the host.
o Example of a CSV file:
o The list from the CSV will be imported into the population list:
▪ IP Ranges – New endpoints can be added to the scan group population by entering an IP address range or CIDR
range. The system will look for all active hosts within the range and add them to the list.
✓ Example: IP Range w/ subnet suffix 192.168.1.0/24
✓ Example: IP Range 192.168.1.0-192.168.1.255
▪ Active Directory – New endpoints can be added to the scan group population by entering the names of Active
Directory OUs. The system will poll the active directory domain specified in the Group Information setting and
look for all computer objects in this OU.
✓ Example: Entire AD OU Tree .*
✓ Example: Add specific OU Servers
✓ Example: Exclude specific OU !Workstations
✓ Example: Nested OU Workstations+LocationA+Laptops
NOTE When a valid IP Range or CIDR range is entered, the number of addresses within that range will appear to the
right of the Add button.
NOTE Distinguished Names (DNs) for OUs do not need to be entered. The system will perform a query in the tree
structure for any OU that matches the entered name.
NOTE If multiple OUs contain the same name but reside in different branches of the tree structure, use the Nested OU
option (+ symbol) to specify the branch OU that should be polled.
NOTE When uploading a file, make sure that the CSV file contains only hostnames, all in the same column,
without empty rows or a title row.
To exclude an OU from being polled, prefix the OU name with the “!” character. Excluded OUs will be highlighted in red.
Click the Sync button to manually poll Active Directory for the current list of computer objects in the specified OUs and
refresh the endpoints list.
To remove a host, IP range, or OU from the scan population, select the item and click the Delete button. The system will
prompt you to confirm the deletion.
NOTE The Active Directory sync may take a few minutes, depending on the number of OUs specified and the number of
hosts that exist in the OUs. Once the sync has completed, there should be a ‘Synced Successfully’ message.
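The OU entry syntax above (".*" for the whole tree, a bare OU name matched anywhere in the tree, "!" to exclude, "+" to pin a nested branch) can be worked through against a small directory to see how the rules interact. The following is an added example, not Cynet's code: it models a directory as a map from computer name to OU path and resolves a list of entries into the selected population. Two points are assumptions rather than documented behaviour: matching is treated as case-insensitive, and an exclusion is taken to win over any inclusion that matches the same computer. The directory contents are constructed for the example.

```python
from typing import Dict, Iterable, Set, Tuple

# Constructed sample directory: computer name -> OU path from the domain root downward.
# Note that an OU named "Workstations" appears in two different branches, which is the
# situation the guide's "Nested OU" (+) syntax exists to disambiguate.
SAMPLE_COMPUTERS: Dict[str, Tuple[str, ...]] = {
    "srv-db01": ("Servers",),
    "srv-web01": ("Servers", "DMZ"),
    "ws-a-01": ("Workstations", "LocationA", "Desktops"),
    "lt-a-01": ("Workstations", "LocationA", "Laptops"),
    "lt-b-01": ("Workstations", "LocationB", "Laptops"),
    "lab-01": ("Lab", "Workstations"),
}


def ou_matches(path: Tuple[str, ...], expr: str) -> bool:
    """Does the OU expression select a computer sitting at this OU path?

    ".*"       matches the entire tree.
    "Servers"  matches any OU of that name at any depth, and everything below it.
    "A+B+C"    matches only where A, B and C appear as consecutive OUs on the path.
    Case-insensitive matching is an assumption of this example.
    """
    if expr == ".*":
        return True
    chain = tuple(p.lower() for p in expr.split("+"))
    lowered = tuple(p.lower() for p in path)
    n = len(chain)
    return any(lowered[i:i + n] == chain for i in range(len(lowered) - n + 1))


def resolve_population(entries: Iterable[str],
                       computers: Dict[str, Tuple[str, ...]]) -> Set[str]:
    """Apply OU entries ("!" prefix = exclude) to the directory; return the selected host names.
    Assumption: an exclusion wins over any inclusion that also matches the computer."""
    entries = list(entries)
    includes = [e for e in entries if not e.startswith("!")]
    excludes = [e[1:] for e in entries if e.startswith("!")]
    selected: Set[str] = set()
    for name, path in computers.items():
        if any(ou_matches(path, e) for e in excludes):
            continue
        if any(ou_matches(path, e) for e in includes):
            selected.add(name)
    return selected


if __name__ == "__main__":
    print(sorted(resolve_population([".*", "!Workstations"], SAMPLE_COMPUTERS)))
    print(sorted(resolve_population(["Workstations+LocationA+Laptops"], SAMPLE_COMPUTERS)))
```

The second call shows why the nested form matters: a bare "Laptops" would pull in laptops from every location, and a bare "!Workstations" excludes the Lab/Workstations branch as well as the top-level one, which may or may not be what was intended.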
SCAN SCHEDULE SETTINGS
Scan groups can be configured to be scanned according to a schedule. By default, all days and all times are enabled for
scanning.
A. To disable scanning on a day of the week remove the check from the checkbox.
B. To set time restrictions for scans, enter the Start and End times. Times are in HH:MM format (24-hour format).
C. Alternatively, a schedule can be configured of when scans should NOT be performed by removing the check
from the Scan Enabled check box.
D. To add a new scan schedule, click the Add button and configure the scan settings.
NOTE To disable the whole scan group, uncheck the “scan enabled” checkbox and then click Update. This will ensure
that the system does not scan any hosts in this scan group.
CONFIGURATION
The Configuration page contains settings such as Analytics Server, Excluded IP Ranges, Log & VPN Parser, and Traffic
Analysis settings.
ANALYTICS SERVER CONFIGURATIONS
As part of the File Monitoring feature, Cynet requires an analytics server (based on ELK). This configuration sets up the
connection between the Cynet server and the analytics server. Once the “Configure analytics server” checkbox is checked,
the following fields need to be filled in.
EXCLUSION SETTINGS
Individual IP addresses or IP address ranges or Hostnames can be excluded from scanning, regardless if they are
configured in a scan group. To exclude them from being scanned:
Enter an IP or IP Range into the text box. Acceptable IP/IP Range formats are as follows:
▪ Example – Explicit IP Address:192.168.0.1
▪ Example – IP Address Range:192.168.0.1-192.168.0.255
▪ Example – IP Address w/ subnet prefix:192.168.0.1/24
▪ Example – Shai-LG-Laptop
Click the Add button to add the exclusion to the list.
NOTE File Monitoring feature can’t work without analytics server.
To remove an IP address or IP range from the exclusion list, select the item and click the Delete button. The system will
prompt you to confirm the deletion.
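The entry formats accepted here are the same ones used for the Scan Population settings (explicit IP, start-end range, CIDR, hostname), so one added example serves both sections. It is not Cynet's code: it classifies an entry, returns the address count that the UI shows beside the Add button for ranges, and answers whether a given host falls under an exclusion list. Hostname entries are compared by name only, since the server's own name resolution is outside this example; the entries and hosts used are constructed.

```python
import ipaddress
import re
from typing import Iterable, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# RFC 1123 style label check for hostname entries such as "host1344" or "Shai-LG-Laptop".
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def parse_entry(entry: str) -> Tuple[str, object]:
    """Classify one population/exclusion entry.

    Returns ("cidr", IPv?Network), ("range", (start, end)), ("ip", IPv?Address) or ("host", name).
    Raises ValueError for anything that is none of these.
    """
    s = entry.strip()
    if "/" in s:
        # strict=False accepts a host address with a prefix, e.g. 192.168.0.1/24 -> 192.168.0.0/24
        return "cidr", ipaddress.ip_network(s, strict=False)
    if "-" in s:
        a, _, b = s.partition("-")
        try:
            start, end = ipaddress.ip_address(a.strip()), ipaddress.ip_address(b.strip())
        except ValueError:
            pass  # not an address range; may still be a hostname containing '-'
        else:
            if end < start:
                raise ValueError(f"range end precedes start: {entry!r}")
            return "range", (start, end)
    try:
        return "ip", ipaddress.ip_address(s)
    except ValueError:
        pass
    if HOSTNAME_RE.match(s):
        return "host", s.lower()
    raise ValueError(f"unrecognised entry: {entry!r}")


def address_count(entry: str) -> int:
    """Number of addresses an entry covers (0 for a hostname, which is resolved at scan time)."""
    kind, value = parse_entry(entry)
    if kind == "cidr":
        return value.num_addresses
    if kind == "range":
        start, end = value
        return int(end) - int(start) + 1
    return 1 if kind == "ip" else 0


def is_excluded(target: str, exclusions: Iterable[str]) -> bool:
    """True when target (an IP string or a hostname) matches any exclusion entry."""
    try:
        addr: Union[IPAddr, None] = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    for kind, value in (parse_entry(e) for e in exclusions):
        if kind == "host":
            if addr is None and target.lower() == value:
                return True
        elif addr is not None:
            if kind == "ip" and addr == value:
                return True
            if kind == "cidr" and addr in value:
                return True
            if kind == "range" and value[0] <= addr <= value[1]:
                return True
    return False


if __name__ == "__main__":
    for e in ("192.168.0.1", "192.168.0.1-192.168.0.255", "192.168.0.1/24", "Shai-LG-Laptop"):
        print(e, parse_entry(e)[0], address_count(e))
```

The two range spellings from the examples above are not equivalent: 192.168.0.1-192.168.0.255 covers 255 addresses, while 192.168.0.1/24 is normalised to the whole /24 and covers 256, including the network address.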
NETWORK TRAFFIC ANALYSIS SETTINGS
The Traffic Analysis settings allow configuration of which network interface card (NIC) to use for analyzing traffic from a
SPAN port or network tap port.
1. Select the NIC to be used for network traffic analysis.
2. Click Save Adapters to save the configuration settings.
LOG PARSER SETTINGS
The Log Parser settings allow for parsing and ingesting log data from external sources such as a proxy server. To
configure a new set of logs to parse:
Click the Create button. This will open the Log Parser definition window.
In the Log Parser definition window, you can define how to parse proxy logs. Any log entry consists of columns
separated by one or more spaces (a column represents a field).
Optionally parsed fields:
▪ Source IP – The IP address of the requesting client.
▪ Destination IP – The destination IP address of the requested domain.
▪ User – The user identity of the requesting client.
▪ Request method – The request method used to obtain an object.
▪ URL – The URL requested.
▪ Date – The time when the proxy server started to log the transaction, which normally happens at the end of the transaction lifecycle, after the entire request was received from, and the entire response was sent to, the HTTP client.
▪ Host – Hostname from the original URL requested.
▪ Port – Destination port.
▪ Event Identifier – A unique number in every log entry that distinguishes it from all others.
▪ Regex Separator – The character(s) that separate fields of information in the log.
▪ Fields Format Type – There are two field format types: By Name or By Offset. Parsing by name locates each field by its name within the entry; parsing by offset locates each field by its column position.
Every log file has a different set of fields, and not all logs contain the same fields. Therefore each file has its own parsing configuration.
Parser mode of operation:
To extract a field from a log entry, the parser walks through a format string defined in the configuration table for the current log file and field. Each token in the format string tells the parser what to do next. The basic format string is an integer giving the column index where the requested data is. For example, the URL field format string may be "2" because the URL is in the third column of the log entry.
Formatting rules:
▪ Columns are separated by one or more spaces unless they are enclosed in quotation marks.
▪ The first column index is zero.
▪ For a field that is not present in the log, set "100".
▪ To concatenate two columns: index1 + index2
▪ To remove a fixed prefix: index - prefixSize. For example, if the second column is user=Bella and only Bella is wanted, the User format string is 1 - 5 (the five characters of user= are removed).
▪ For fields whose column position varies between rows but that carry a fixed prefix: ~ prefix. For example, if every URL carries the prefix request= (as in request=http://www.google.com), the URL format string is ~ request= and the parser searches each line for the column starting with that prefix and extracts the data after it.
▪ Note that each index, +, -, and ~ in the format string must be separated by a space, for example: ~ request - 7 + 8
Example: In the example below, the following proxy log entry is parsed to match the correct fields. In the Log Parser definition window, a proxy parser name is entered and each field's column index is entered against the corresponding field name.
Once the parser is defined, click Save to save it.
20161208 748 192.168.0.227 200 user 80 GET http://dm.com/default.jpg 209.85.153.118 image/jpeg
Column indices of the entry above:
0  20161208
1  748
2  192.168.0.227
3  200
4  user
5  80
6  GET
7  http://dm.com/default.jpg
8  209.85.153.118
9  image/jpeg
To test a defined parser to ensure it is formatted correctly:
1. Ensure the correct parser is selected from the drop-down menu
2. Enter your sample log string in the text box
3. Click the Verify Parser button to begin parsing your log string
4. Check that the field names match up to the correct fields within the log string
▪ If necessary, you can go back to fix defined parsers by clicking the Edit Parser button.
▪ To remove a defined parser, click the Delete button.
Parser mode of operation – using Name Indication:
To extract a field from a log entry in this mode, the parser again walks through the format string defined for the current log file and field, but the format string is the key (field name) that precedes the requested data in the entry rather than a column index. For example, for an entry containing url:http://www.gmail.com; the URL field format string is url: and the parser extracts the data that follows it.
NOTE The Proxy Parser name must be formatted correctly: it must include the word "proxy" followed by an integer that identifies it.
Example: In the example below, the following VPN log (a key=value record) is parsed to match the correct fields based on token names. In the Log Parser definition window, a parser name is entered and each field's token name is entered against the corresponding field name.
<189>date=2018-08-09 time=09:51:08 devname="Cynet-FW" devid="FG100ETK18000005" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1533797468 srcip=192.168.1.35 srcname="Cynet-Office-LAB" srcport=51235 srcintf="port16" srcintfrole="lan" dstip=52.114.7.36 dstport=443 dstintf="wan1" dstintfrole="wan" poluuid="12d62dd6-8f3a-51e8-499b-f7ba3b95e538" sessionid=24606457 proto=6 action=https://github.com/rreer/ert policyid=1 policytype="policy" service="HTTPS" dstcountry="Hong Kong" srccountry="Reserved" trandisp="snat" transip=213.57.20.194 transport=51235 appid=41469 app="Microsoft.Portal" appcat="Collaboration" apprisk="elevated" applist="default" duration=2 sentbyte=3512 rcvdbyte=4130 sentpkt=9 rcvdpkt=7 utmaction="allow" countapp=1 devtype="Windows PC" devcategory="Windows Device" osname="Windows 10 / 2016" mastersrcmac="9c:5c:8e:86:c5:80" srcmac="9c:5c:8e:86:c5:80" srcserver=0
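Parsing by name treats the entry as key=value tokens rather than numbered columns. The following added example (this page's illustration, not Cynet's parser code) tokenizes the VPN entry above, handles double-quoted values that contain spaces such as dstcountry="Hong Kong", maps token names to the parser's field names, decodes the <189> syslog priority prefix, and converts eventtime, which is epoch seconds, to UTC. The regex, the field mapping and the reading of date/time as local time (09:51:08 local against 06:51:08 UTC for this record) are this example's assumptions.

```python
import re
from datetime import datetime, timezone

# The guide's VPN sample entry, joined onto one line (it was wrapped in the PDF).
VPN_LINE = (
    '<189>date=2018-08-09 time=09:51:08 devname="Cynet-FW" devid="FG100ETK18000005" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'eventtime=1533797468 srcip=192.168.1.35 srcname="Cynet-Office-LAB" srcport=51235 '
    'srcintf="port16" srcintfrole="lan" dstip=52.114.7.36 dstport=443 dstintf="wan1" '
    'dstintfrole="wan" poluuid="12d62dd6-8f3a-51e8-499b-f7ba3b95e538" sessionid=24606457 '
    'proto=6 action=https://github.com/rreer/ert policyid=1 policytype="policy" '
    'service="HTTPS" dstcountry="Hong Kong" srccountry="Reserved" trandisp="snat" '
    'transip=213.57.20.194 transport=51235 appid=41469 app="Microsoft.Portal" '
    'appcat="Collaboration" apprisk="elevated" applist="default" duration=2 sentbyte=3512 '
    'rcvdbyte=4130 sentpkt=9 rcvdpkt=7 utmaction="allow" countapp=1 devtype="Windows PC" '
    'devcategory="Windows Device" osname="Windows 10 / 2016" '
    'mastersrcmac="9c:5c:8e:86:c5:80" srcmac="9c:5c:8e:86:c5:80" srcserver=0'
)

PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value where the value is either double-quoted (may contain spaces, as in
# dstcountry="Hong Kong") or a run of non-space characters.  A key must start the
# body or follow whitespace, so an "=" inside a URL value is not taken as a pair.
KV_RE = re.compile(r'(?:^|(?<=\s))([A-Za-z_][A-Za-z0-9_.-]*)=(?:"([^"]*)"|(\S+))')


def parse_priority(line):
    """Decode the syslog <PRI> prefix into (facility, severity); None if absent."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8


def parse_kv_log(line):
    """Split a key=value log entry into a dict, with quotes removed."""
    body = PRI_RE.sub("", line, count=1)
    fields = {}
    for key, quoted, bare in KV_RE.findall(body):
        fields[key] = bare if bare else quoted
    return fields


def extract_by_name(line, mapping):
    """mapping: parser field name -> token name in the log (the By Name format type).
    Tokens absent from the entry come back as None."""
    fields = parse_kv_log(line)
    return {field: fields.get(token) for field, token in mapping.items()}


def epoch_to_utc(value):
    """eventtime is epoch seconds; the date/time tokens in the record are local time."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    mapping = {"Source IP": "srcip", "Destination IP": "dstip", "Host Name": "srcname",
               "Login Time": "eventtime", "OS Information": "osname",
               "Event Identifier": "logid"}
    print(parse_priority(VPN_LINE))                       # (23, 5): local7, notice
    print(extract_by_name(VPN_LINE, mapping))
    print(epoch_to_utc(parse_kv_log(VPN_LINE)["eventtime"]))
```

The priority 189 decodes to facility 23 (local7) and severity 5 (notice), which agrees with the level="notice" token in the same record; checking that agreement is a cheap sanity test when a new source is wired up.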
To test a defined parser to ensure it is formatted correctly:
1. Ensure the correct parser is selected from the drop-down menu.
2. Enter your sample log string in the text box.
3. Click the Verify Parser button to begin parsing your log string.
4. Check that the field names match the correct fields within the log string.
▪ If necessary, go back and fix a defined parser by clicking the Edit Parser button.
▪ To remove a defined parser, click the Delete button.
Once the parser settings are complete, configure the log file path location (the folder from which the parser reads log files).
For more information on defining parsers, click the Help button or contact Cynet support.
VPN PARSER SETTINGS
The VPN Parser settings allow log data from VPN sources to be parsed and ingested. To configure a new set of logs to parse:
Click the Create button. This opens the Log Parser definition window.
In the Log Parser definition window you define how VPN logs are parsed. A log entry consists of columns separated by one or more spaces (a column represents a field).
Optionally parsed fields:
▪ Source IP – The IP address of the requesting client.
▪ Destination IP – The destination IP address.
▪ User Name – The user identity of the requesting client.
▪ Login Time – The time when the VPN session was initiated.
▪ Host Name – Hostname recorded in the log entry (for example host-test2 in the sample below).
▪ OS Information – Details about the operating system used to initiate the VPN session.
▪ Event Identifier – A unique number in every log entry that distinguishes it from all others.
▪ Regex Separator – The character(s) that separate fields of information in the log.
▪ Fields Format Type – There are two field format types: By Name or By Offset. Parsing by name locates each field by its name within the entry; parsing by offset locates each field by its column position.
Every log file has a different set of fields, and not all logs contain the same fields. Therefore each file has its own parsing configuration.
Parser mode of operation – using Offset:
To extract a field from a log entry, the parser walks through a format string defined in the configuration table for the current log file and field. Each token in the format string tells the parser what to do next. The basic format string is an integer giving the column index where the requested data is. For example, the URL field format string may be "2" because the URL is in the third column of the log entry.
Example: In the example below, the following VPN log entry is parsed to match the correct fields. In the Log Parser definition window, a parser name is entered and each field's column index is entered against the corresponding field name.
<134> VPN: 2008-08-21 08:01:22 connect2a [192.168.1.2] jsmith Primary authentication successful for host-test2 from 10.2.6.152
Column indices of the entry above:
0   <134>
1   VPN:
2   2008-08-21
3   08:01:22
4   connect2a
5   [192.168.1.2]
6   jsmith
7   Primary
8   authentication
9   successful
10  for
11  host-test2
12  from
13  10.2.6.152
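The offset formatting rules listed under Log Parser Settings (column index, 100 for an absent field, + for concatenation, - for prefix removal, ~ for a fixed prefix at a variable position) are small enough to implement as a reference evaluator. The following added example, not the guide's or Cynet's code, applies them to the proxy entry from the Log Parser section and to the VPN entry above, plus two constructed entries that exercise the prefix rules. Reading ~ prefix as "keep the text after the prefix", applying tokens left to right, and returning None for an index past the last column are this example's assumptions about the rules.

```python
import shlex

UNDEFINED = "100"  # the guide's marker for a field that the log does not contain

# Sample entries from the guide: the proxy example and the VPN (offset) example.
PROXY_LINE = ("20161208 748 192.168.0.227 200 user 80 GET "
              "http://dm.com/default.jpg 209.85.153.118 image/jpeg")
VPN_OFFSET_LINE = ("<134> VPN: 2008-08-21 08:01:22 connect2a [192.168.1.2] jsmith "
                   "Primary authentication successful for host-test2 from 10.2.6.152")
# Constructed entries (not from the guide) for the prefix rules.
PREFIXED_USER_LINE = "20161208 user=Bella 10.0.0.1"
PREFIXED_URL_LINE = "1481184000.123 45 10.0.0.5 TCP_MISS/200 GET request=http://example.com/a"


def split_columns(line):
    """Columns are separated by one or more spaces unless quoted (rule 1)."""
    return shlex.split(line, posix=True)


def extract(cols, fmt):
    """Evaluate one field format string against an entry's columns.

    Tokens are space separated (rule 7).  An integer selects that column (first
    column is 0).  "+ N" appends column N, "- N" drops N leading characters,
    "~ PREFIX" takes the first column starting with PREFIX and keeps the text
    after it.  Returns None for "100", a prefix that no column carries, or an
    index past the last column (assumed behaviour, not specified by the guide).
    """
    tokens = fmt.split()
    if not tokens or tokens[0] == UNDEFINED:
        return None
    value = ""
    i = 0
    try:
        while i < len(tokens):
            tok = tokens[i]
            if tok == "~":
                prefix = tokens[i + 1]
                hits = [c[len(prefix):] for c in cols if c.startswith(prefix)]
                if not hits:
                    return None
                value = hits[0]
                i += 2
            elif tok == "+":
                value += cols[int(tokens[i + 1])]
                i += 2
            elif tok == "-":
                value = value[int(tokens[i + 1]):]
                i += 2
            else:
                value = cols[int(tok)]
                i += 1
    except (IndexError, ValueError):
        return None
    return value


def parse_entry(line, formats):
    """Apply a {field name: format string} table to one log entry."""
    cols = split_columns(line)
    return {field: extract(cols, fmt) for field, fmt in formats.items()}


if __name__ == "__main__":
    proxy_formats = {"Date": "0 + 1", "Source IP": "2", "User": "4", "Port": "5",
                     "Request method": "6", "URL": "7", "Destination IP": "8",
                     "Host": UNDEFINED}
    print(parse_entry(PROXY_LINE, proxy_formats))
    vpn_formats = {"User Name": "6", "Login Time": "2 + 3", "Host Name": "11",
                   "Source IP": "13"}
    print(parse_entry(VPN_OFFSET_LINE, vpn_formats))
    print(extract(split_columns(PREFIXED_USER_LINE), "1 - 5"))          # Bella
    print(extract(split_columns(PREFIXED_URL_LINE), "~ request= - 7"))  # example.com/a
```

Concatenation with + inserts no separator, so "2 + 3" on the VPN entry yields 2008-08-2108:01:22; if the downstream field expects a space, parse the two columns separately. The bracketed source address in column 5 cannot be cleaned with these rules alone, since only a leading prefix can be removed.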
To test a defined parser to ensure it is formatted correctly:
1. Ensure the correct parser is selected from the drop-down menu.
2. Enter your sample log string in the text box.
3. Click the Verify Parser button to begin parsing your log string.
4. Check that the field names match the correct fields within the log string.
▪ If necessary, go back and fix a defined parser by clicking the Edit Parser button.
▪ To remove a defined parser, click the Delete button.
Once the parser settings are complete, configure the log file path location (the folder from which the parser reads log files).
For more information on defining parsers, click the Help button or contact Cynet support.
COLLECTING LOGS USING SYSLOG:
Cynet can be configured to collect data using a syslog listener. To do so, perform the following steps:
1. Open the Cynet server and navigate to: Cynet360\app\CynetSyslog
2. Edit Cynet.Syslog.exe.config:
a. Configure the IP address (should be localhost).
b. Configure the syslog port (should be 514).
c. Configure the output folder and file naming convention.
3. After saving the configuration, run Cynet.Syslog.exe.
4. Events should now appear on the command-line screen and log files should be created in the output folder.
5. Once a log file has been created, configure a log parser and set the syslog output folder as the log file directory from which files are imported.
NOTE As a best practice, separate different syslog sources onto different listeners by configuring a different port for each. This makes the data much simpler to parse.
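Before configuring a log parser against the output folder, it is useful to confirm that events actually reach a listener on the chosen port. The following added example (not part of the guide or of Cynet.Syslog.exe) builds an RFC 3164-style datagram, sends it over UDP, and includes a loopback check that binds a throwaway listener on localhost so the round trip can be verified offline. UDP as the transport and the hostname and tag values are assumptions of this example; adjust the target host and port to match Cynet.Syslog.exe.config.

```python
import socket
from datetime import datetime, timezone


def build_syslog(facility, severity, hostname, tag, message):
    """Build an RFC 3164-style datagram: <PRI>TIMESTAMP HOSTNAME TAG: MESSAGE."""
    pri = facility * 8 + severity
    stamp = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {hostname} {tag}: {message}".encode()


def send_udp(host, port, datagram):
    """Send one datagram to a syslog listener (UDP transport assumed here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, (host, port))


def loopback_check(facility=23, severity=5):
    """Bind a throwaway listener on localhost, send one event to it and return
    (sent, received), so the send path is verified without a real listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))       # port 0: the OS picks a free port
        listener.settimeout(2)
        port = listener.getsockname()[1]
        sent = build_syslog(facility, severity, "test-host", "cynet-check",
                            "listener check")
        send_udp("127.0.0.1", port, sent)
        received, _ = listener.recvfrom(4096)
    return sent, received


if __name__ == "__main__":
    sent, received = loopback_check()
    print(received.decode())
    # To probe a running listener instead (e.g. Cynet.Syslog.exe on port 514):
    # send_udp("127.0.0.1", 514, build_syslog(23, 5, "test-host", "cynet-check", "hello"))
```

Sending one tagged test event per source to its own port, as the note above recommends, also confirms that each listener writes to the expected output folder before the parsers are attached.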
IMPORT USER DATA SETTINGS
Cynet can be configured to import user account attributes from Active Directory. These settings map the field of
information to the AD attribute name. User data that can be imported from AD includes:
▪ User Name – User's account name.
▪ Mobile – User's mobile phone number (used for SMS verification, see below).
▪ Office Phone – User's office phone number.
▪ Role – User's job title.
▪ Department – User's department in the organization.
In the example below, each field is being mapped to the corresponding attribute name in Active Directory. For example,
the Role field is being mapped to the ‘title’ attribute.
Click Save to save the mapping settings. The server will then import user data from Active Directory once every 24 hours.
Imported user data can be viewed on the User Details Page.
NOTE Active Directory attribute names are case sensitive.
IMPORT USER DATA FROM CSV FILE
Cynet can be configured to import user account attributes from a comma separated value (CSV) file. These settings map
the field of information to the field index in the csv file. User data that can be imported from a csv file includes:
▪ User Name – User's account name.
▪ Mobile – User's mobile phone number (used for SMS verification, see below).
▪ Office Phone – User's office phone number.
▪ Role – User's job title.
▪ Department – User's department in the organization.
In the example below, each field is being mapped to the corresponding index of data within the csv file. For example, the
Role field is being mapped to index #3 in the csv file.
The csv file to match this mapping would include user data like the one below where the user name field is first, mobile
number second, office number third, etc.
To upload this csv file, click the Choose File button and navigate to the location of the csv file on your computer. Once
selected, click Open.
Click Upload CSV File to upload the file. This file will be parsed according to the field mapping configured in the section
above. Imported user data can be viewed on the User Details Page.
USER SMS CONFIRMATIONS SETTINGS
This setting enables the SMS Confirmation functionality. When the Cynet system observes an unusual user login, it sends an SMS to the user's mapped mobile number (user data is mapped via Active Directory or a CSV file; see the settings in the sections above). For more information about this functionality, see the User SMS Confirmation section.
To enable SMS Confirmation, select the checkbox and then click Save.
EPS CONFIGURATION
The EPS configuration page contains advanced configuration settings for memory-based analysis by the Cynet Endpoint
Scanner (EPS).
MEMORY STRINGS SETTINGS
The Memory Strings settings are used to configure the Cynet EPS to search for specific strings within the memory
contents on endpoints. This functionality can be used to find customized indicators of compromise within the memory
contents of any process running on endpoints.
To create a new Memory String search, click Add Memory String. The following fields are available when creating a new memory signature.
GENERAL SETTINGS
▪ Name – Provide an alias for the signature pattern rule.
▪ Patterns – Add the hex values of the string found for the signature, as they appear in the memory page. The additional boxes allow adding more strings that are not directly connected to the first string, provided that all of the following are true:
o They have the same privileges on the base address and location address.
o They are of the same type.
o The base address of the second signature is equal in size to that of the first signature.
o The location address size of the second signature is equal to the location address size of the first signature.
o If one of the strings is located in the base address, then the other strings must also be located at the base address, and vice versa.
o If none of the strings are located at the base address, they can be located at any address within the spool.
▪ Scan Type – The type of activity to match the signature against in memory: New Page, New Process, Existing Page, or All of the above.
▪ Get Strings – Enables the EPS to collect the memory strings for signature matching. This should always be enabled for matching to work.
▪ Action – The action the EPS takes when it matches the specified signature pattern.
CHECK PAGE DATA SETTINGS
▪ CMD – Match on all of the signature patterns (AllOff) or on any one of the signature patterns (AnyOff).
▪ Should run on Cynet Server? – Include or exclude the Cynet server itself from this signature matching.
NOTE The EPS Configuration settings is used to configure advanced methods of detecting malware artifacts within
memory. These settings should only be configured with the assistance of Cynet engineers.
FILTER BY PAGE METADATA SETTINGS
▪ State (HEX) – Match on the meminfo.State value.
▪ Type (HEX) – Match on the meminfo.Type value.
▪ Protect (HEX) – Match on the meminfo.Protect value.
▪ Is page in image base? – Match on whether the page lies in the image base (the isimagebase() check).
▪ Allocation protect (HEX) – Match on the meminfo.AllocationProtect value.
▪ Base address – Match on whether the base address equals the allocation base (i.e. meminfo.BaseAddress = meminfo.AllocationBase) or not.
▪ Region Size – Match on the meminfo.RegionSize value lying between the low and high values.
▪ File names action type – Configures whether the EPS matches by specific file name(s) or by any file name. If set to "Ignore", the EPS does not match by file name. If set to "Scan Only", the EPS matches only the specified file names.
▪ File Names – File name(s) to match; ignored when the setting above is "Ignore". Separate multiple file names with a semicolon ";".
▪ Alert name – Name for alerts generated by this signature.
▪ Alert Severity – Severity for alerts generated by this signature.
▪ Alert Type – Type for alerts generated by this signature.
▪ Open Automatic alert – Automatically open the alert without validation by the Cynet SOC.
DECOY FILES
Decoy files are a defense mechanism employed by Cynet 360 using honeypot tactics. Cynet 360 is able to deploy various
deception entities on scanned hosts, which are used to lure attackers. When these entities are used, Cynet 360 is able to
detect them and alert on the illicit activity. See the Group Information Settings section of this document to see the
Decoy configuration settings. The two settings that need to be enabled are the Use Decoy Files and Allow Credential
Decoys.
There are multiple forms in which Cynet deploys the deception capabilities. The following list is a high-level explanation
of each deception type. See the sub-sections for each type for details:
▪ Office Documents – Cynet deploys Excel, Word, and PowerPoint documents to the host in a newly created user directory. These files contain beacons that communicate back to the Cynet server when the file is opened and generate an alert. The Cynet platform also allows users to create their own decoy documents.
▪ Remote Desktop Files – Cynet deploys RDP files with saved imitation credentials on the host. When such a file is executed, it attempts to connect to the Cynet server with invalid credentials and generates an alert.
▪ ODBC – Cynet configures an ODBC connection on the host that points to the Cynet server. When this ODBC connection is used, it generates an error and an alert.
▪ NetBIOS – Cynet configures monitored network shares on the host. When a session to one of these shares is used, an alert is generated.
▪ Stored Credentials – Cynet implants invalid credentials in the Windows Credential Manager. If an attacker obtains these credentials and uses them to authenticate elsewhere in the environment, an alert is generated.
▪ Text files – Cynet deploys text files to the host containing invalid credentials, disguised as domain credentials or as credentials for an internal web application. If either set of invalid credentials is used, an alert is generated.
Every Decoy alert will contain details about which type of decoy was triggered, the attacker IP address, the Victim IP
address, hostname and File name (if applicable).
DECOY OFFICE DOCUMENTS
Cynet creates a new user folder such as C:\Users\admin_c493d82, with a randomly generated account name. Within this directory there are several decoy Office documents such as Word (.docx), Excel (.xlsx), and PowerPoint (.pptx) files. These files carry attractive filenames to lure attackers and are placed throughout the new user directory.
When one of these files is opened with Microsoft Office, the beacon within the document attempts to communicate back to the Cynet server as well as to the Cynet-controlled web domain ad-stats.com. This ensures that the Cynet SOC can identify decoy files being opened outside the corporate LAN environment.
DECOY RDP FILES
Cynet creates a saved RDP connection file in the same directory as described above. This RDP connection file contains invalid credentials saved within it. The file attempts an RDP connection to the Cynet server on TCP port 8484 and fails. Once the RDP attempt is made, an alert is generated in the Cynet console.
DECOY ODBC CONNECTION
ODBC (Open Database Connectivity) is an open standard API for accessing databases. ODBC statements are used to connect to various databases such as Access, dBase, DB2, Excel, and others. Cynet uses the built-in Windows ODBC support to plant an ODBC connection to a non-existent database in the environment. When an attacker attempts to use this ODBC connection to connect to the invalid database, an alert is generated in the Cynet console.
Cynet implants the ODBC connection by deploying registry keys to the Windows host. The planted ODBC connection can also be seen in Control Panel > System & Security > Administrative Tools > Data Sources (ODBC), on the System DSN tab, where it is listed as an SQL Server data source.
DECOY TEXT FILES
Within the newly created user directory, Cynet will deploy text files with invalid domain credentials, as well as
credentials for a non-existent internal application. If the domain credentials are used for authentication or if the URL is
accessed, an alert will be generated in the Cynet console.
DECOY STORED CREDENTIALS
The Windows Credential Manager is the "digital locker" where Windows stores login credentials for the network. This data can be accessed by Windows or by other applications that can use the stored credentials. There are three main types of stored credentials in the Credential Manager:
▪ Windows Credentials – Only used by Windows and its services. For example, saved credentials for a network shared folder.
▪ Certificate-based Credentials – Used together with smart card authentication. This is usually configured in higher security network with Active Directory configured for smart card authentication.
▪ Generic Credentials – General saved credentials that are defined by applications used on the computer. For example, Office365 or Windows Live.
The credentials saved in the Credential Manager are commonly targeted by threat actors. Cynet 360 will plant invalid
username and password credentials in the Credentials Manager. When a threat actor uses these credentials to
authenticate in the environment, an alert will be generated.
DECOY FILES MANAGEMENT
In the Decoy Files tab a Cynet user can manage all decoy files, with the following actions:
▪ Decoy File Deployment Setting – once a decoy file is chosen, the user can customize where to deploy it and for which groups.
▪ Add New Decoy File – creates a new decoy file from an existing Office file. Clicking Add New Decoy File opens a dialog box:
o Choose the file to use for the decoy.
o Fill in the decoy name; it is used for management and also appears in the alert details.
o Click Generate Test File to download a test file.
o Click + and choose the groups and file deployment locations.
Once someone accesses the file, the Cynet platform detects it and triggers an alert.
THREAT HUNTING
Allows the customer to scan the endpoints, on demand, for threats according to IOCs.
Process:
- The end user defines the IOCs (file SHA256, file MD5, file name, file full path) and the extensions and folders to search in
- The end user defines the severity of the alert that is raised if a threat is found
- The system scans the endpoints and, if a file matching an IOC is found, generates an alert
CONFIGURATION \ SETTINGS
ENABLE\DISABLE TH
- Settings -> Scan groups
- Choose the relevant group
- Check\Uncheck – “Enable Threat Hunting”
- If checked – “Threat Hunting Period” – define the time interval [in minutes] to check if there is a new search to
perform
CONFIGURE TH SETTINGS
In order to configure the Threat Hunting, go to:
Settings -> THREAT HUNTING
- "Create/Remove search indicator by type" – lets you build the list of IOCs to search for.
o For each IOC, select the type, the value, and the description of the alert that will be raised
o Make sure to press the "+" button to add the new entry to the list
o Notice: the system alerts on any one of the IOCs being found (all of the IOCs need not match together)
- Filter By Extension – enter a list of file extensions that should be scanned (press the "+" button to add each entry to the list)
- Filter By Directory – enter a list of folders to scan (press the "+" button to add each entry to the list)
- Alert Severity – severity of the alert that is raised if a threat is found
- Suppressed Mode – whether to stop the current scan (if one exists) and immediately start the new scan, or to wait for the current scan to finish
- Save Changes – saves the changes and starts the threat hunting process on all endpoints
- Stop current – any endpoint that has not yet started to scan will not scan
- Restart current – every endpoint executes the scan, regardless of whether it has already executed it
- Clear Search Criteria – deletes all the IOCs
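The matching that a Threat Hunting scan performs can be reproduced locally to check an IOC list before it is saved. The following added example (not the guide's or Cynet's scanner) walks a set of folders, applies the extension filter, and reports any file that matches any indicator by SHA256, MD5, name or full path, computing hashes only when a hash indicator is present. The IOC dictionary layout and the constructed sample files in demo() are this example's assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_hashes(path):
    """MD5 and SHA256 of a file, streamed so large files are not read into memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def hunt(roots, iocs, extensions=None):
    """Walk the given folders and return (path, ioc) for every file matching ANY
    indicator (one match is enough; the indicators need not all match together).

    iocs: list of dicts {"type": "sha256" | "md5" | "name" | "path",
    "value": ..., "description": ...} (layout assumed for this example).
    extensions: list such as [".exe", ".dll"], or None to scan every file.
    """
    wanted = {e.lower() for e in extensions} if extensions else None
    hits = []
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                if wanted is not None and Path(name).suffix.lower() not in wanted:
                    continue
                md5 = sha256 = None
                for ioc in iocs:
                    kind, value = ioc["type"], ioc["value"]
                    if kind == "name":
                        matched = name.lower() == value.lower()
                    elif kind == "path":
                        matched = (os.path.normcase(os.path.abspath(full))
                                   == os.path.normcase(os.path.abspath(value)))
                    else:
                        if md5 is None:            # hash lazily, once per file
                            md5, sha256 = file_hashes(full)
                        digest = md5 if kind == "md5" else sha256
                        matched = digest == value.lower()
                    if matched:
                        hits.append((full, ioc))
                        break                      # one alert per file
    return hits


def demo():
    """Constructed workspace: three files, two indicators that should fire and one
    that the extension filter must suppress.  Returns [(file name, description)]."""
    with tempfile.TemporaryDirectory() as root:
        payload = b"MZ constructed sample, not real malware"
        Path(root, "evil.exe").write_bytes(payload)
        Path(root, "sub").mkdir()
        Path(root, "sub", "tool.dll").write_bytes(b"constructed dll")
        Path(root, "notes.txt").write_text("constructed text file")
        iocs = [
            {"type": "sha256", "value": hashlib.sha256(payload).hexdigest().upper(),
             "description": "Dropper sample hash"},
            {"type": "name", "value": "TOOL.DLL", "description": "Known bad tool name"},
            {"type": "name", "value": "notes.txt", "description": "Filtered out by extension"},
        ]
        hits = hunt([root], iocs, extensions=[".exe", ".dll"])
        return sorted((os.path.basename(p), ioc["description"]) for p, ioc in hits)


if __name__ == "__main__":
    for name, description in demo():
        print(f"ALERT {name}: {description}")
```

Hash values are compared case-insensitively and file names case-insensitively as well, matching how Windows treats paths; the extension filter is applied before any hashing, which is what keeps a scan of large file sets affordable.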
TH RESULTS
If a threat is found according to the defined IOCs, an alert is raised and an e-mail is sent.
The alert, with its details, is presented on the "Alerts" page.
ADVANCED
The Advanced page contains advanced configuration settings for Cynet such as Connectivity, Deep Scan, Privacy &
Compliance, Master/Slave, Policy Exclusions and Scan Throttling settings.
CONNECTIVITY SETTINGS
▪ Primary Cynet Server IP & Port – The IP address and port number endpoints send scan results to.
▪ Secondary Cynet Server IP & Port (Optional) – The secondary IP address and port number endpoints send scan results to if the primary address fails to accept scan data. This is typically a failover Cynet server or a Cynet server with an external IP address.
▪ Server Proxy Settings – If an internet proxy is used, enter the proxy IP address and port number to allow the Cynet server to sync with the Cynet cloud.
PRIVACY & COMPLIANCE SETTINGS
The Privacy & Compliance settings are used to limit the amount of information collected from endpoints and anonymize
information sent to the Cynet SOC.
▪ Send Scan Errors to SIEM – Sends scan errors via syslog to the IP address configured in the SIEM settings (see General Settings for SIEM configuration).
▪ Unique File Analysis by SOC – Allows the system to automatically send unique files to the SSE sandbox for analysis.
▪ Analyzed File Retention – Limits the number of days a file analyzed by the SSE sandbox is kept.
▪ Log File Retention – Limits log files to those generated in the past X days.
▪ Data Anonymization – Prevents hostnames and usernames from being sent to the Cynet SOC when performing security intelligence lookups. A host or user ID is sent to the Cynet SOC instead of the real hostname or username.
▪ Disable … Collection – Prevents the Cynet EPS from collecting the given information when performing scans. Fields available for ignoring are:
✓ ARP table entries
✓ Certificates
✓ DNS cache
✓ Hosts file information
✓ Installed software
✓ IP settings
✓ User data
✓ MS updates
✓ Network interfaces
✓ Network shares
▪ Cynet SOC File Analysis – Automatically sends files to the Cynet SOC if further analysis is necessary.
▪ Automatic Updates – Allows the system to download critical update files over the Cynet virtual private cloud connection.
▪ Command Line Sync – Disables the sync of process command-line parameters to the Cynet SOC.
▪ File Whitelisting – Enables whitelisting of known files by the Cynet SOC.
▪ Memory String Sync – Disables the sync of memory strings to the Cynet SOC.
NOTE Cynet recommends leaving these settings, especially the Anonymization and Disable … Collection settings, to
their default values to perform complete threat analysis on hosts. Limiting collected data can negatively impact
Cynet’s threat detection.
MASTER & SLAVE SERVER SETTINGS
The Master and Slave server settings are used to configure a Cynet server as either a primary or relay server in a
distributed architecture.
Configure Master Server
▪ Ensure the Master setting is selected (default setting).
▪ In the Slave IP List settings, enter a Name for the slave server, the Client ID (provided by Cynet representatives), and the IP address of the slave server.
▪ Click Add to register the entered IP address as a slave server.
▪ Slave servers appear in a list alongside the server name, client ID, and IP address. To remove a server, click the Delete button.
▪ Click Save at the bottom of the page to save these settings.
Configure Slave Server
▪ Ensure the Slave setting is selected.
▪ Enter the IP address and port of the master server (default port is TCP 8443).
▪ Click Save at the bottom of the page to save these settings.
POLICY EXCLUSION SETTINGS
The Policy Exclusion settings are used to exclude policies from running on specified host(s). This allows Cynet policies to be ignored locally.
To exclude a policy from running on endpoint(s):
▪ Enter the Policy Title to be excluded. After a few characters are typed, the system displays all matching policies. Select the desired policy to exclude.
▪ In the Wild Card field, enter a regular expression that selects which host(s) should be excluded. Multiple hosts can be excluded from a policy with one regex.
✓ Example: Hostname123 excludes the host Hostname123 from this policy
✓ Example: W.* excludes all workstations whose names begin with the character W
▪ Click Add to add the host/wildcard exclusion for this policy.
▪ Once the exclusion has been added, a list of all exclusion entries appears. Entries are listed with the policy name and the host/regex match. These hosts will not factor this policy into their risk level calculation.
NOTE Excluding policies from running on hosts could have an adverse effect on detection analysis. Policy exclusions
should be discussed with a Cynet representative before any changes are made.
▪ To delete a policy exclusion, click the Remove button.
▪ To edit a policy exclusion, click the Edit button and the wildcard field becomes editable. Once the changes are made, click Save to apply them to the policy exclusion.
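Because the Wild Card field is a regular expression, how it is anchored decides which hosts it covers. The following added example (not Cynet's code) checks a hostname against an exclusion table with a full match, so that W.* means "begins with W" and Hostname123 does not also cover Hostname1234. The case-insensitive comparison and the placeholder policy titles are this example's assumptions; how the console itself evaluates the field should be confirmed with a Cynet representative before relying on a pattern.

```python
import re


def host_matches(wildcard, hostname):
    """True if the Wild Card regex covers the hostname.

    fullmatch anchors the pattern at both ends, so "W.*" means "begins with W"
    and "Hostname123" does not also cover Hostname1234.  IGNORECASE because
    Windows hostnames are not case sensitive (assumption for this example).
    """
    return re.fullmatch(wildcard, hostname, re.IGNORECASE) is not None


def excluded_policies(exclusions, hostname):
    """exclusions: list of (policy title, wildcard) pairs as entered in the console.
    Returns the titles whose exclusion applies to this host, i.e. the policies a
    risk calculation for the host should skip."""
    return sorted({title for title, wildcard in exclusions
                   if host_matches(wildcard, hostname)})


if __name__ == "__main__":
    # Constructed exclusion table; policy titles are placeholders, not Cynet policy names.
    table = [("Policy A", "Hostname123"), ("Policy B", "W.*"), ("Policy C", r"SRV-DB\d+")]
    for host in ("Hostname123", "Hostname1234", "wks-007", "SRV-DB01", "srv-web01"):
        print(f"{host:14s} -> {excluded_policies(table, host)}")
```

A literal dot in a hostname pattern matches any character unless escaped (re.escape does this), so fqdn-style entries such as host.corp.local should be escaped before they are used as a wildcard.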
THROTTLE SETTINGS
The Scan Throttling settings are used to control the number of concurrent scans during scan cycles to scan environments
more efficiently.
▪ Max Concurrent Scanned Hosts – Maximum number of hosts the Cynet server will attempt to scan at any one time. This setting throttles the scanner from flooding the network with scan attempts.
▪ Total Scanned Hosts Timeout – Time out value for attempted RPC connections to endpoints. If this timeout is exceeded, endpoints are considered unreachable.
▪ Sync Response Timeout – Time out value for response from the PsExec process when using the RPC distribution type.
▪ Concurrent Remediation Actions - This setting is used to specify the maximum number of remediation actions the server will attempt at any one time.
DOMAIN WHITELISTING SETTINGS
The Domain Whitelisting settings are used to filter out trusted domains from analysis.
To add a domain to the whitelist:
▪ Enter the domain to be whitelisted.
▪ Click the Add Domain button. The domain should then appear in the list below.
To edit an existing whitelisted domain entry:
▪ Select the domain name. This makes the entry editable.
▪ Once the changes have been made, click the Update button.
To delete an existing whitelisted domain, select the domain name and click the Remove button.
REMEDIATION SETTINGS
The Remediation settings are used to configure the auto-remediation system to retry remediation actions if they initially
fail.
▪ Remediation Retry Attempts – sets the maximum number of times the system will re-attempt a remediation action. The default is 48 retries.
▪ Remediation Retry Interval – sets the time interval between remediation retries (in minutes). The default is 30 minutes, so with the default 48 retries a failing action is retried for up to 24 hours before the system gives up on it.
DECOY SETTINGS
The Decoy Files setting is used to configure how decoy files interact with the Cynet system.
▪ Decoy Files Listener Port- The listener port that decoy files will use when beaconing back to the Cynet server (Protocol used is TCP).
For more information about Decoy Files, see the Decoys section of this document, which explains the types of decoys
that are deployed and how they are triggered.
CONSOLE SETTINGS
The UI Session Timeout setting is used to configure how long a session in the Cynet console will last before it
automatically logs out a user.
▪ UI Session time - The value (in minutes) the system will allow before automatically logging a user out of the system. Values can range from 1 minute to 525,600 minutes (1 year). The default value is 20 minutes.
FILE MONITORING
The File Monitoring settings allow you to customize the file extensions and the time interval used for monitoring.
▪ Extensions - Add file extensions which will be monitored for changes. Each value starts with ‘.’ followed by the file extension.
▪ Polling Interval – Controls the time interval for reporting the data to the Cynet server.
USERS
The Users page contains the settings for user authentication to the Cynet console. From these settings, users can be
added, deleted, or permission can be edited. User passwords can also be changed on this page.
AUTHENTICATION SETTINGS
▪ Select Authentication Mode – This setting configures which authentication mode will be enabled for users
when logging into the Cynet console. Options are:
▪ Enable Local Authentication Only – Only local users in the Cynet user database will be authenticated.
▪ Enable Active Directory Authentication Only – Only Active Directory users will be authenticated.
▪ Enable Local & Active Directory Authentication – Users from both the Cynet user database and Active
Directory will be authenticated.
▪ Manage Cynet Users – In this section, local users can be added, edited, or deleted. The following sections
include instruction on how to perform these actions for local user accounts:
▪ Add New User
▪ Edit User Permissions
▪ Delete User
▪ Change Password
NOTE If an authentication mode that uses Active Directory is enabled, the Active Directory Authentication section of
settings will become available. These settings map users/groups in Active Directory to user levels in the Cynet console
for authentication.
NOTE You must also configure your Active Directory domain in the Integrations settings. This page points the Cynet
console to the domain to validate Active Directory credentials.
NOTE Cynet recommends enabling Active Directory & Cynet Users authentication mode, so that the operator (or any
other local account) can still be used to log into the console in the event that Active Directory authentication is not
possible.
NOTE The operator account is the default login for the Cynet console, and it cannot be deleted. Cynet recommends
changing the password of the operator account from the default password to something more complex and secure.
ADD NEW USER
To add a new user to access the Cynet console:
▪ Enter a User name, Password, and User Level (user level privileges are described below).
When assigning user permissions, there are three levels of user access:
▪ Custom User – This user level provides custom user permissions. Use the Custom User Access Permissions drop-down menu to select which actions this user is allowed to perform.
▪ Operator – This user level provides the ability to view all data, perform remediation actions, make configuration changes, and add/remove/edit users.
▪ Dashboard – This user level provides access only to the Main dashboard; it cannot view data, perform remediation actions, or make any configuration changes.
▪ Click Add to add the new user.
EDIT USER PERMISSIONS
To edit a user’s access to the Cynet console:
▪ Click the Edit Permission button next to the user name.
NOTE If the “Custom” user level is selected, be sure to use the Custom User Access Permissions drop-down menu to
assign proper permissions to the user.
▪ A window will appear with the Custom User Access Permissions drop-down menu. Select or deselect the permissions appropriate for the user account.
▪ Click Save to apply the changes.
DELETE USER
To delete a user from the Cynet console:
▪ Click the Delete User button.
NOTE Operator level users are not editable because they already have full access permission. To change a user’s user
level, it must first be deleted and then recreated with the appropriate user level.
NOTE The default Operator account cannot be deleted.
CHANGE PASSWORD
All Cynet users can change their own passwords. To change an account’s password:
▪ Click the Change Password button.
If changing your own password: the system will prompt you to enter your current password, and your new password
twice. Then click Change to apply the password change. If the new password does not meet the complexity
requirements (see below), you will be prompted to re-enter both the current and new password.
If changing another account’s password: the system will prompt you to enter the new password twice. If the new
password does not meet the complexity requirements (see below), you will be prompted to re-enter the new password.
NOTE Passwords for Dashboard level users can be changed by operators. Operator level account passwords cannot be
changed by other Operators.
Password Complexity - Passwords must include at least 3 of the following 4 groups:
▪ Lower case letters (a-z)
▪ Upper case letters (A-Z)
▪ Numbers (0-9)
▪ Symbols (!@#$%^&*)
Password length should be between 8 and 20 characters.
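The complexity rules above can be checked before a password is submitted, which is useful when scripting account creation. The following is an added example written for this guide, not Cynet code; it assumes that a character outside the four listed groups (for example a space or a symbol not in !@#$%^&*) counts toward the length but toward no group.

```python
"""Password-complexity check mirroring the rules stated in the guide:
8 to 20 characters and at least 3 of the 4 character groups
(lower case, upper case, digits, the symbols !@#$%^&*).

Added example; not Cynet code. Assumption: characters outside the
four groups count toward length but not toward any group.
"""
import string

SYMBOLS = "!@#$%^&*"          # the symbol set given in the guide
MIN_LEN, MAX_LEN = 8, 20
GROUPS_REQUIRED = 3


def character_groups(password):
    """Return the set of character-group names present in password."""
    groups = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            groups.add("lower")
        elif ch in string.ascii_uppercase:
            groups.add("upper")
        elif ch in string.digits:
            groups.add("digit")
        elif ch in SYMBOLS:
            groups.add("symbol")
    return groups


def password_problems(password):
    """Return a list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    groups = character_groups(password)
    if len(groups) < GROUPS_REQUIRED:
        problems.append(
            f"only {len(groups)} of 4 character groups present; need at least {GROUPS_REQUIRED}"
        )
    return problems


def is_acceptable(password):
    return not password_problems(password)


if __name__ == "__main__":
    # Constructed candidates: one too weak, two acceptable, one too long.
    for candidate in ["operator", "Operator1", "Op3r@tor!", "x" * 25 + "A1!"]:
        print(f"{candidate!r:32} -> {password_problems(candidate) or 'OK'}")
```

A password such as `operator` fails only on the group rule (one group, eight characters), while `Operator1` passes with three groups; the same function can be used to reject a new operator password before it is set.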
ACTIVE DIRECTORY AUTHENTICATION SETTINGS
The Active Directory Authentication section maps users or groups within Active Directory domains to user levels in the
Cynet console for authentication.
Before these settings can be configured two other settings must be configured first:
1. Integrations – Configure a domain in the Active Directory section of the Integrations settings tab.
2. Authentication Mode – Enable an authentication mode in the Manage Authentication Users section of the
Users settings tab.
Once those two configuration settings are fulfilled, this section will become available.
ADD GROUP
To add an Active Directory group for Cynet console authentication:
▪ Select the Domain from the drop-down menu. (These domains are configured in the Active Directory section of
the Integrations page)
▪ Next, Select the Active Directory Group to map. All groups from AD will be pulled and listed in this drop-down
menu.
▪ Next, select the User Level. Authenticated users in this group will be given this user level.
▪ Lastly, click Add to add this group. All users in this group will be able to authenticate to the console using the
Active Directory credentials.
Groups added will appear in the Enabled Identities section below.
ADD USER
▪ Select the Domain from the drop-down menu. (These domains are configured in the Active Directory section of
the Integrations page)
▪ Next, enter a User name from the selected domain.
▪ Next, select the User Level. Authenticated users in this group will be given this user level.
▪ Lastly, click Add to add this group. All users in this group will be able to authenticate to the console using the
Active Directory credentials.
Users added will appear in the Enabled Identities section below.
ENABLED IDENTITIES
Once a group or user has been mapped, it will appear in the Enabled Identities section.
To remove an enabled identity, click the Remove button next to it.
MAPS
The Maps page contains configuration settings for the Map section of the console. With these settings, map
regions/locations can be added, removed, or edited.
To add or edit a region, click on an area of the map (zoom into the map using the zoom-in buttons or the mouse wheel).
The Edit Coordinate window will appear for a new or existing region. In this window, you can enter the region name
and the IP address range for that location.
Then click the Save Changes button to complete the region configuration.
To delete an existing region, click the Delete button in the Edit Coordinate window.
ANALYSIS
The Analysis page contains configuration settings for Cynet’s Smart Simulation Execution (SSE) sandbox, which provides
the system with dynamic analysis of a process.
DYNAMIC ANALYSIS SETTINGS
The Cynet SSE dynamic analysis can be configured with either an on-premise server or a cloud-based instance. The
settings below show how to configure each.
Cloud Sandbox Configuration
1. Click the Enable Sandbox checkbox.
2. Click the Cloud Dynamic Analysis checkbox.
3. Click the Save button to save changes.
On Premise Sandbox Configuration
1. Click the Enable Sandbox checkbox.
2. Click the Local SSE IP Address checkbox.
3. Enter the IP address of the SSE sandbox server.
4. Click the Save button to save changes.
DEEP SCAN SETTINGS
These settings configure the time intervals for the Deep Scan process. See the Deep Scans section for more information
about starting a Deep Scan.
▪ Update Interval – This timer is used to configure how often the Cynet Deep Scanner (CynetDS.exe) sends collected data back to the Cynet server for analysis.
▪ Time Limit – This timer is used to configure how long the CynetDS will run on the endpoint to collect deep scan data. At the end of this timer, the CynetDS will terminate.
NOTE Minimum value for the Update Interval is 2 minutes, and the minimum value for the Time Limit is 15 minutes.
ALERTS
The Alerts page contains configuration settings for alerts generated by the system and how they are handled.
EMAIL SETTINGS
▪ Email Alert Recipients – The email addresses that should receive email alerts when the system generates an alert. Multiple emails should be comma separated.
▪ SMTP Server – The IP address of the organization’s SMTP server, which will be used to transport alert emails when generated by the system.
▪ SMTP SSL – This setting can be enabled if the SMTP server requires an SSL connection to be established for sending mail.
▪ Email Alert Sender – This setting controls the “from” field in email alerts generated by the system.
NOTE If the SIEM Connectivity settings are changed to a port other than the default (port 514), the Cynet services must
be restarted on the server in order for the changes to be applied.
GENERAL SETTINGS
▪ SIEM Server – The IP address of the organization’s SIEM system, which should receive syslog messages from the system.
▪ Minimum Alert Severity Display Filter – This setting will limit alerts displayed on the dashboard based on the severity. By default, all severity alerts are displayed
ALERT SETTINGS
The Immediate Alert Notification Settings are used to configure which alert types are enabled. This setting exists in
case customers want to exclude or filter out certain types of alerts.
NOTE Cynet recommends having all alert types enabled to ensure all types of threats are being detected and alerted on.
UNSCANNED HOST ALERT SETTINGS
These settings are used to generate alerts for specific hosts that are not being scanned by Cynet.
To add hosts to alert on failed scans, enter a Hostname then click Add.
To remove a host, select the host from the hosts list, and click Delete.
EMAIL ALERT FILTER SETTINGS
The Alert Severity Configuration settings are used to configure the minimum severity of alerts that will be sent out by
email. By default, Cynet 360 will send all alerts (Informative and above), however the system can be configured to send
only certain severities and above.
INTEGRATIONS
The Integrations page contains configuration settings for integration with other systems, such as Active Directory.
ACTIVE DIRECTORY
The Active Directory section contains settings on which domains the Cynet console will use for Active Directory
authentication (see also the Users settings tab). From here, you can manage the credentials that will be used within each
domain to validate Active Directory Credentials used during authentication to the console.
To create a new set of credentials, click the Create button in the top right-hand corner.
In the pop-up window, the following fields must be filled out:
▪ Name – An alias for this set of credentials
▪ Username – The user name of the account that will be used to validate credentials
▪ Password – The password of the account that will be used to validate credentials
▪ Domain – The domain the account exists in.
NOTE The account used to validate credentials does NOT need to be a domain admin. It only needs to be a domain
user.
Click the Validate Credentials button to check if the username and password that was entered are correct.
Then click Save to save these credentials.
Once saved, the entered credentials will appear under the Manage Credentials section. Existing credentials can be
changed by clicking the Edit button or removed by clicking the Delete button.
Once there is at least one set of credentials saved, the Active Directory authentication can be enabled on the Users
settings tab.
VULNERABILITY MANAGEMENT
The Vulnerability Management page contains the configuration of the functions which are a part of the Vulnerability
Management feature.
▪ Windows Patch Validation:
• In this function, the Cynet scanner queries the Windows Update subsystem on the endpoint and maps
all the available KBs ready to be installed. Once the EPS detects that there are KBs which haven’t been
installed, it will generate a medium level alert which will include the list of KBs that are not installed
yet.
• In the “Windows Patch Validation” configuration section, the operator is able to whitelist Windows KB
updates which are known to be missing\uninstalled and should not generate an alert.
• In order to add a Windows KB to the whitelist, type the name of the KB, with a line separating each KB.
▪ Unauthorized Applications:
• In this function, the Cynet scanner queries the Windows Add\Remove programs subsystem on the
endpoint, and compares the list received to the list of applications which are unauthorized to run on
the endpoint. Once the EPS detects that there are unauthorized applications installed on the endpoint,
it will generate a medium severity alert which will include the list of the unauthorized applications
installed on the endpoint.
• In the “Unauthorized Applications” configuration section, the operator is able to add\remove
applications from the unauthorized applications list. The list is already populated with applications
which Cynet’s R&D classified as “Potentially” restricted.
• In order to add an application to the unauthorized applications list, create a new line with the name of
the application exactly how it is configured in the add\remove programs subsystem of Windows.
▪ Application Patch Validation:
• In this function, the Cynet scanner queries the Windows Add\Remove programs subsystem on the
endpoint and verifies if the installed applications on the endpoint are with the latest patched version.
For example, if the security team of the organization defined that any Internet Explorer version under
11 is considered vulnerable, Cynet will scan all of the endpoints in the organization and generate a
medium severity alert of all the endpoints which contain an Internet Explorer version under 11.
• In the “Application Patch Validation” configuration section, the operator is able to add\remove
applications which are required to be installed with a minimum version.
The name of the application should be written as it is displayed in “Add\Remove Programs” in
Windows.
▪ Agents Validation:
• In this function, the operator is able to insert a list of 3rd party applications and processes, which were
defined as crucial applications on the endpoint. The Cynet scanner queries the Windows task manager
and Add\Remove programs in order to verify the following:
I. If a 3rd party application is installed
II. If a 3rd party application is running.
• Cynet will scan all the endpoints in the organization and generate a medium severity alert which will
contain the list of endpoints that are not compliant:
I. Application is installed but not running
II. Application is not installed and not running.
• In the “Agents Validation” configuration sections, the operator is able to add\remove applications from
the necessary 3rd party applications list.
I. The name of the application should be written as it is displayed in Windows “Add\Remove
Programs”.
II. The process of the application should be written as it is displayed in Windows Task Manager.
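The three inventory-based checks described above (Unauthorized Applications, Application Patch Validation and Agents Validation) all reduce to comparing an endpoint's Add\Remove Programs list and running-process list against a policy. The following is an added example written for this guide, not Cynet code: the endpoint inventories, the policy entries and the product names are constructed sample data, and the version comparison (numeric dotted versions, shorter versions padded with zeros so that "11" equals "11.0") is an assumption of this example, not a description of how the Cynet scanner compares versions.

```python
"""Endpoint compliance checks modelled on the guide's Unauthorized
Applications, Application Patch Validation and Agents Validation
functions. Added example; not Cynet code. All names, versions and
hostnames below are constructed sample data."""
from dataclasses import dataclass, field
import re


@dataclass
class Endpoint:
    hostname: str
    installed: dict                              # display name -> version (Add\Remove Programs)
    running: set = field(default_factory=set)    # process image names (Task Manager)


@dataclass
class Policy:
    unauthorized: set       # display names that must not be installed
    min_versions: dict      # display name -> minimum acceptable version
    required_agents: dict   # display name -> process name that must be running


def version_key(version):
    """Turn '11.0.9600.18' into (11, 0, 9600, 18) so versions compare numerically.
    Assumption for this example: non-numeric fragments are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def version_below(installed, minimum):
    """True when installed < minimum; shorter tuples are zero-padded so '11' == '11.0'."""
    a, b = version_key(installed), version_key(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def check_endpoint(ep, policy):
    """Return (hostname, check, detail) findings; each check raises a medium-severity alert per the guide."""
    findings = []
    # Unauthorized Applications: anything on the blocked list that is installed
    for name in sorted(policy.unauthorized & set(ep.installed)):
        findings.append((ep.hostname, "Unauthorized Applications", f"{name} is installed"))
    # Application Patch Validation: installed but older than the required minimum
    for name, minimum in policy.min_versions.items():
        installed = ep.installed.get(name)
        if installed is not None and version_below(installed, minimum):
            findings.append((ep.hostname, "Application Patch Validation",
                             f"{name} {installed} is below minimum {minimum}"))
    # Agents Validation: required third-party agent missing, or installed but not running
    running = {p.lower() for p in ep.running}
    for name, process in policy.required_agents.items():
        if name not in ep.installed:
            findings.append((ep.hostname, "Agents Validation", f"{name} is not installed and not running"))
        elif process.lower() not in running:
            findings.append((ep.hostname, "Agents Validation", f"{name} is installed but not running"))
    return findings


# Constructed policy, following the guide's Internet Explorer example (minimum version 11).
SAMPLE_POLICY = Policy(
    unauthorized={"Example Remote Admin Tool"},
    min_versions={"Internet Explorer": "11"},
    required_agents={"Example Backup Agent": "backupagent.exe"},
)

# Constructed endpoint inventories.
SAMPLE_ENDPOINTS = [
    Endpoint("ws-01", {"Internet Explorer": "11.0.9600.18", "Example Backup Agent": "2.3"},
             {"backupagent.exe", "explorer.exe"}),
    Endpoint("ws-02", {"Internet Explorer": "10.0.9200.16", "Example Remote Admin Tool": "1.0",
                       "Example Backup Agent": "2.3"}, {"explorer.exe"}),
    Endpoint("ws-03", {"Internet Explorer": "11.0.9600.18"}, {"explorer.exe"}),
]


def scan_all(endpoints=SAMPLE_ENDPOINTS, policy=SAMPLE_POLICY):
    """Run every check over every endpoint and return the combined findings."""
    return [f for ep in endpoints for f in check_endpoint(ep, policy)]


if __name__ == "__main__":
    for host, check, detail in scan_all():
        print(f"[medium] {host}: {check}: {detail}")
```

With the sample data, ws-01 is compliant, ws-02 produces one finding per check, and ws-03 is flagged only for the missing agent. Matching is on the exact display name, which is why the guide insists that names be entered exactly as shown in Add\Remove Programs.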
UBA MANAGEMENT
The UBA Management page contains the configuration of the functions which are a part of the UBA Management
feature.
▪ Configure UBA policy:
• Allows a policy to be disabled or enabled.
• Edit Policy: define the policy action, the alert severity, and the policy query.
▪ Create New Policy
• This function allows the user to create their own policy. In the current version, policy creation is
based on SQL queries, so it is intended only for advanced and mature users.
Once a UBA policy is triggered and the configured action is SMS, the system will send an SMS confirmation to the user:
▪ User SMS Confirmation
• Cynet 360 is engineered to perform user and entity behavioral analysis (UEBA) by collecting user
behavioral data and processing this data through machine learning algorithms. As part of this learning
process, Cynet can prompt users in the environment when unusual logins occur through the SMS
Confirmation feature.
• When an unusual login occurs, the Cynet system will send an SMS text message to the user’s mobile
phone number and prompt for a login verification. This verification allows the user to approve or
disapprove the login. The Cynet 360 system will then use this response to determine if an alert for
unusual user behavior should be generated.
The Cynet system will import users’ mobile phone information from Active Directory or through a parsed CSV file. See
the Import User Data from AD or Import User Data from CSV file settings. Cynet SMS verification messages will always
come from the following phone number: +1 (646) 846-8440.
The example above shows a typical SMS Confirmation message from Cynet when an unusual login has occurred. The
hyperlink within the message will send users to Cynet’s user verification site.
The example to the right shows the verification site, where users can respond to the unusual login. Responses will be
sent to your Cynet server, where they can be analyzed and included in the user behavior analysis.
THREAT HUNTING
Threat Hunting allows the customer to scan the endpoints – on demand – for threats according to IOCs at rest.
Process:
- End user defines the IOCs (file SHA256, file MD5, file name, file full path), the extensions and folders to search
in
- End user defines the severity of the alert that would be raised in case a threat was found
- The system scans the endpoints, and if a file that matches an IOC is found, it generates an alert
ENABLE\DISABLE TH
- Settings -> Scan groups
- Choose the relevant group
- Check\Uncheck – “Enable Threat Hunting”
- If checked – “Threat Hunting Period” – define the time interval [in minutes] to check if there is a new search to
perform
CONFIGURE TH SETTINGS
In order to configure the Threat Hunting, go to:
Settings -> THREAT HUNTING
- “Create/Remove search indicator by type” – lets you create the list of IOCs to search.
o For each IOC – select the type, the value, and the description of the alert that would be raised
o make sure to press the “+” button to add new entry to the list
o Notice – the system would alert for any of the IOCs that were found (no need for ALL of the IOCs
together)
- Filter By Extension – insert a list of file extensions that should be scanned (make sure to press the “+” button to
add new entry to the list)
- Filter By Directory – insert a list of folders to scan (make sure to press the “+” button to add new entry to the
list)
- Alert Severity - severity of the alert that would be raised in case a threat was found
- Suppressed Mode – whether or not to stop current scan (if exists) and immediately start the new scan, or wait
for the current scan to stop
- Save Changes – saves the changes, and start the process of threat hunting on all endpoints
- Stop current – any endpoint that did not start to scan yet – will not scan anymore
- Restart current – any endpoints would execute the scan (never mind if they executed it already, or not)
- Clear Search Criteria – delete all the IOCs
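The hunt described in the Process and Configure TH Settings sections (IOC types SHA256, MD5, file name and full path; extension and directory filters; an alert raised for any single matching IOC) can be reproduced on a single host. The following is an added example written for this guide, not Cynet code; the file tree, hashes and indicator values are constructed in a temporary directory so the script runs offline, and the alert record layout is this example's own.

```python
"""Indicator-of-compromise sweep over files at rest, modelled on the
Threat Hunting settings in the guide. Added example; not Cynet code.
The sample tree and indicators are constructed for the demo."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str         # "sha256", "md5", "name" or "path"
    value: str
    description: str  # text carried into the alert


@dataclass
class HuntConfig:
    indicators: list
    extensions: set    # e.g. {".exe"}; an empty set means no extension filter
    directories: list  # folders to walk
    severity: str      # severity of any alert raised


def file_digests(path):
    """Compute MD5 and SHA256 in one pass, reading in 64 KiB chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def match_file(path, indicators):
    """Return every indicator that matches this file (any one match is enough to alert).
    The file is hashed only when a hash-type IOC is configured."""
    name = os.path.basename(path).lower()
    full = os.path.normcase(os.path.abspath(path))
    md5 = sha256 = None
    if any(i.kind in ("md5", "sha256") for i in indicators):
        md5, sha256 = file_digests(path)
    hits = []
    for ioc in indicators:
        v = ioc.value.lower()
        if ((ioc.kind == "name" and name == v)
                or (ioc.kind == "path" and full == os.path.normcase(os.path.abspath(ioc.value)))
                or (ioc.kind == "md5" and md5 == v)
                or (ioc.kind == "sha256" and sha256 == v)):
            hits.append(ioc)
    return hits


def hunt(cfg):
    """Walk the configured directories, apply the extension filter, and emit one alert per IOC hit."""
    alerts = []
    for root in cfg.directories:
        for dirpath, _, files in os.walk(root):
            for fname in files:
                if cfg.extensions and os.path.splitext(fname)[1].lower() not in cfg.extensions:
                    continue
                path = os.path.join(dirpath, fname)
                for ioc in match_file(path, cfg.indicators):
                    alerts.append({"severity": cfg.severity, "file": path,
                                   "ioc": ioc.kind, "description": ioc.description})
    return alerts


def build_sample_tree():
    """Constructed sample data: three files; one matches a SHA256 IOC, one a name IOC,
    and one has an extension outside the filter and must be skipped."""
    root = tempfile.mkdtemp(prefix="hunt_")
    os.makedirs(os.path.join(root, "tools"))
    samples = {
        "tools/dropper.exe": b"constructed sample payload A",
        "tools/notes.txt": b"plain text with an unscanned extension",
        "readme.exe": b"constructed sample payload B",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return HuntConfig(
        indicators=[
            Indicator("sha256", hashlib.sha256(samples["tools/dropper.exe"]).hexdigest(),
                      "constructed dropper hash"),
            Indicator("name", "readme.exe", "constructed suspicious file name"),
            Indicator("md5", hashlib.md5(b"not present in the tree").hexdigest(),
                      "constructed hash that matches nothing"),
        ],
        extensions={".exe"},
        directories=[root],
        severity="high",
    )


def run_sample():
    return hunt(build_sample_tree())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Two alerts come back for the sample tree (one per matching file), the text file is never hashed because it fails the extension filter, and the third indicator produces nothing, which mirrors the note above that the system alerts on any one IOC rather than requiring all of them.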
TH RESULTS
If a threat was found, according to the defined IOCs, an alert will be presented and a mail will be sent.
The alert will be presented in the “Alerts” page. The details of the alert:
WHITELISTING
The Whitelisting tab on the settings menu offers the ability to create rules to exclude arguments from the detection and
remediation mechanism. Those arguments (files, users, hashes, IP addresses, etc.) will be excluded across
all Cynet agents on the network.
In order to apply a whitelist rule, you must select a related alert, a Type and a value.
SYSTEM INFO
The System Info page provides information about the health of the system and version.
MAIN INFO
The Main Info section contains information about this Cynet installation.
▪ Cynet Version – Running version of Cynet 360
▪ Cynet Directory – Path of Cynet system installation.
▪ Disk Space – The amount of used disk space (MB) / amount of total disk space (MB). All system drives will be displayed; however, Cynet will monitor the disk it is installed on for low disk space.
SYSTEM HEALTH
The System Health section contains information regarding the system services, cloud sync, and SSE connection.
▪ Cynet Service – Displays the health status of the main Cynet service.
▪ DB - CynetDB Service – Displays the health status of the Cynet database service.
▪ Sync Cloud – Displays the health status of the connection to the Cynet VPC cloud.
▪ Monitor – CSHelper Service – Displays the health status of the Cynet Helper service, which monitors the Cynet service and CynetDB service.
▪ Smart Simulation Execution (SSE) – Displays the health status of the connection to the Cynet SSE sandbox (shows status for on premise and cloud sandbox connections)
▪ Guest Account is Active – Displays the status of the Guest account on the Cynet server (See also the Decoy Files Settings section for more information).
FEATURES & FUNCTIONALITY
The Cynet 360 platform offers a number of features and functionality it employs on top of the core threat detection
engine. Some of these features include analysis, remediation, forensic, deception, and user verification functionality.
ANALYSIS ACTIONS
Files scanned by Cynet 360 can have analysis actions taken on them. To take an analysis action, open any Actions menu
and select an action from the Analysis tab.
▪ Send to SOC – This action will send the selected file(s) to the Cynet SOC for deep inspection and analysis by Cynet’s team of security experts.
▪ Send to Analysis - This action will send the selected file(s) to the SSE Sandbox for analysis. This requires the Cynet SSE sandbox to be configured.
▪ Verify File - This action will verify that the selected file(s) still exists on the host(s).
▪ Get Memory Strings - This action will perform a dump of the strings within memory allocated by the selected file(s).
▪ Pull File – This action will pull the selected file occurrence from the host. This action is only available by selecting a specific file occurrence, because it requires targeting a specified host to pull the process from. Once pulled, the sample will be available for download from the File Actions page. The sample will have the extension stripped, and will be renamed to the file’s SHA256 hash. This action is limited to files 100MB or less in size.
▪ Deep Scan (only appears for file Occurrences) – This action will begin a deep scan of the selected file occurrence on the host. This action is only available by selecting a specific file occurrence, because it requires targeting a specified instance of a process on a host. For more see the Deep Scans section below.
DEEP SCANS
Cynet employs Deep Scans to monitor a specific file on an endpoint and observe the behavior of its process
for an extended period of time. This is a hybrid analysis between normal scanning and sandboxing, in which the deep
scan analysis takes place on the endpoint.
To initiate a Deep Scan of a file navigate to the Files Detail Page, and the Occurrences tab of the file to be deep scanned.
Deep Scans must be initiated manually.
1. On the file’s Occurrences tab, check the file occurrence to be scanned.
2. Click the Actions button to the right.
3. In the Actions menu, select the Deep Scan option.
When the Deep Scan is running, check on the Deep Scans tab on the File Actions page to view the current status.
NOTE Deep Scans can only be performed on one file per host at a time. Once the deep scan has completed on the host,
another deep scan can be performed on that host.
NOTE When you initiate a Deep Scan on a process occurrence, you will be prompted to acknowledge that additional files
(such as child processes) may be monitored as part of the scan. Any currently running deep scans on this host will be
terminated.
Once the Deep Scan has completed, results can be viewed in the Deep Scan tab of the File Details Page of the specified
file. There are two options to view results: Advanced or Normal.
Advanced View will show additional information over the Normal view about the actions observed by the Deep Scan,
such as Hostname, Scope of the event/object, First Seen, and Last Seen timestamps.
REMEDIATION ACTIONS
Objects scanned by Cynet 360 can have remediation actions taken on them. To take a remediation action, open any
Actions menu and select an action from the Remediation tab.
ACTIONS MENU BUTTONS
The Remediation tab also has a sub-menu which allows for navigation between the various types of remediation actions
available within the system.
▪ File Actions
▪ User Actions
▪ Host Actions
▪ Network Actions
FILE ACTIONS
Cynet can take an action on files observed on endpoints in the environment. File actions can be taken from any Actions
menu. Results of a file action will be recorded in the File Actions page.
▪ Delete File – This action will delete the selected file(s) from the host(s).
▪ Quarantine File - This action will quarantine the selected file(s) from the host(s). A list of Quarantined files can be found on the File Actions Page of the console.
▪ Un-Quarantine File – This action will un-quarantine the selected file(s) from the host(s). This action is only available on the File Actions page, because it can only be performed on a file that has been quarantined already.
▪ Kill Process - This action will kill the selected process(es) on the host(s). This action leaves the file intact, only killing the process loaded in memory.
USER ACTIONS
Cynet can take an action on users observed in the environment. User actions can be taken from any Actions menu.
Results of a user action will be recorded in the User Actions page.
▪ Disable User - This action will disable the selected user account (domain or local accounts).
▪ Enable User - This action will enable the selected user account if it has been disabled.
HOST ACTIONS
Cynet can take an action on hosts scanned in the environment. Host actions can be taken from any Actions menu.
Results of a host action will be recorded in the Host Actions page.
▪ Scan Host - This action will re-scan the selected host(s) once.
▪ Shut Down Host - This action will shut down the selected host(s).
▪ Restart Host - This action will reboot the selected host(s).
▪ Change IP - This action will change the IP address of the host(s).
▪ Disable All NICs - This action will disable the NICs on the selected host(s). Using this action will prevent any further remote connections to the host(s).
▪ Run Command - This action will execute the specified commands on the selected host(s) and the output will be captured and presented in the console. If the output contains multiple lines, it will be preserved in a text file format.
▪ Run File - This action will allow a specified file to be run on the selected host(s). First, select a file from the local computer, then upload the file to the Cynet server. The Cynet server will then deploy the file to the host(s) to be executed.
▪ Delete Service - This action will delete the specified service on the selected host(s).
▪ Disable Service - This action will disable the specified service on the selected host(s).
▪ Delete Schedule Task - This action will delete the specified scheduled task on the selected host(s).
▪ Disable Schedule Task - This action will disable the specified scheduled task on the selected host(s).
▪ Isolate - This action will isolate the host(s) by filtering any incoming\outgoing communication from\to the host except the Cynet server and permitted IPs (can be configured).
▪ UnIsolate - This action will un-isolate the host(s) by removing the communication filter.
NETWORK ACTIONS
Cynet can take an action to block network connections observed in the environment. Network actions can be taken from
any Actions menu. Results of a network action will be recorded in the Network Actions page.
▪ Block Traffic – This action will block traffic to specified IP addresses and domains. IP addresses will be blocked by modifying route table on the selected host(s) so traffic to those IPs loops back to the localhost IP address. Domains are blocked by creating an entry in the hosts file for the selected host(s) so the domain resolves to the localhost IP address.
▪ DNS Remediation – This action will redirect all traffic to the domain to a specified IP address. This is done by creating a new zone in the internal DNS server to resolve this domain to the specified IP address. Any hosts that attempt to resolve the domain in the network will be given the specified IP address from the internal DNS server, preventing traffic from reaching the actual domain’s IP address.
APPENDIX: SYSTEM COMPONENTS INTEGRATION WITH SIEM – NEW API FOR EXTRACTING DATA FROM CYNET
New API to allow SIEM systems to extract information from Cynet:
- Sockets
- Domain occurrences
- File occurrences
- User login
- Vulnerability Assessment (NEW!)
Our APIs are documented in the product at the following link – https://<server-name>:6334/help. Relevant API entries:
- Sockets
o api/network/sockets?FromDate={FromDate}&ToDate={ToDate}&Offset={Offset}&Limit={Limit}
- Domains
o api/network/domains?FromDate={FromDate}&ToDate={ToDate}&Offset={Offset}&Limit={Limit}
- File occurrences
o api/file/occurences?FromDate={FromDate}&ToDate={ToDate}&Offset={Offset}&Limit={Limit}
- User
o api/user/loggedIn?FromDate={FromDate}&ToDate={ToDate}&Offset={Offset}&Limit={Limit}
- Vulnerability Assessment
o Missing Windows patches - api/va/patches/missing
o Existing Windows patches - api/va/patches/exsiting
o Unauthorized Applications - api/va/riskyApps
o Installed Software - api/va/installedSoftwares
o Applications patch - api/va/patchValidation
o Installed agents - api/va/Agents
Notices:
1. Currently – no documentation to the fields of the internal objects (LoggedInUserSummaryDTO,
SocketSummaryDTO, FileOccurenceModel, etc…)
2. The filter according to FromDate and ToDate is calculated this way:
FromDate <= last-seen < ToDate
3. Defaults
a. Offset – 0
b. Limit – 500
c. FromDate – no filter
d. ToDate – no filter
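A SIEM collector pulling from these endpoints has to page with Offset and Limit and respect the FromDate/ToDate window. The following is an added example written for this guide, not Cynet code or its official client. It assumes, beyond what is listed above, that each endpoint returns a JSON array of records, that a page shorter than Limit is the last page, that the date parameters are ISO 8601 strings, and that the server URL is https://server.example:6334; authentication is not described here and is left out. The transport is injected, so the demo runs offline against a fake server that applies the documented FromDate <= last-seen < ToDate filter and the documented defaults.

```python
"""Paging client for the SIEM data-extraction endpoints listed above.
Added example; not Cynet code. Assumptions: JSON-array responses,
ISO 8601 date strings, and 'page shorter than Limit' as end-of-data."""
import json
import urllib.parse
import urllib.request

DEFAULT_OFFSET, DEFAULT_LIMIT = 0, 500       # defaults stated in the guide

ENDPOINTS = {
    "sockets": "api/network/sockets",
    "domains": "api/network/domains",
    "file_occurrences": "api/file/occurences",
    "logged_in_users": "api/user/loggedIn",
}


def build_url(base, endpoint, from_date=None, to_date=None,
              offset=DEFAULT_OFFSET, limit=DEFAULT_LIMIT):
    """Assemble <base>/<endpoint>?FromDate=..&ToDate=..&Offset=..&Limit=..
    Omitting FromDate/ToDate means 'no filter', as the guide states."""
    params = {"Offset": offset, "Limit": limit}
    if from_date:
        params["FromDate"] = from_date
    if to_date:
        params["ToDate"] = to_date
    return f"{base.rstrip('/')}/{endpoint}?{urllib.parse.urlencode(params)}"


def http_get_json(url):
    """Real transport, not used by the offline demo. urlopen verifies the TLS
    certificate by default; for a self-signed console certificate, supply an
    ssl.SSLContext that trusts that specific certificate rather than disabling
    verification."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_records(base, endpoint, fetch, from_date=None, to_date=None, limit=DEFAULT_LIMIT):
    """Yield every record in the window, advancing Offset by Limit until a short page arrives."""
    offset = DEFAULT_OFFSET
    while True:
        page = fetch(build_url(base, endpoint, from_date, to_date, offset, limit))
        yield from page
        if len(page) < limit:
            return
        offset += limit


# Constructed sample data: seven socket records spread over three days.
SAMPLE_SOCKETS = [
    {"host": f"host{i:02d}", "last_seen": f"2024-05-{1 + i % 3:02d}T12:00:00",
     "remote": f"203.0.113.{i}"}
    for i in range(7)
]


def fake_server(url):
    """Offline stand-in for the Cynet server: applies FromDate <= last_seen < ToDate,
    then Offset/Limit, exactly as the Notices above describe."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    fd = q.get("FromDate", [None])[0]
    td = q.get("ToDate", [None])[0]
    rows = [r for r in SAMPLE_SOCKETS
            if (fd is None or fd <= r["last_seen"]) and (td is None or r["last_seen"] < td)]
    off = int(q.get("Offset", [str(DEFAULT_OFFSET)])[0])
    lim = int(q.get("Limit", [str(DEFAULT_LIMIT)])[0])
    return rows[off:off + lim]


def run_demo(limit=3):
    """Pull the sockets seen on 2024-05-01 and 2024-05-02 (ToDate is exclusive), 3 per page."""
    return list(iter_records("https://server.example:6334", ENDPOINTS["sockets"], fake_server,
                             from_date="2024-05-01T00:00:00", to_date="2024-05-03T00:00:00",
                             limit=limit))


if __name__ == "__main__":
    for rec in run_demo():
        print(rec)
```

Against a real server, pass `http_get_json` as the `fetch` argument instead of `fake_server`. Because ToDate is exclusive, a collector that runs on a schedule can use the previous run's ToDate as the next run's FromDate without double-counting or skipping records.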
MULTI-TENANCY
In a distributed architecture, Cynet servers can be configured in a Master/Slave configuration. In this architecture, there
will be one Master server, and there can be multiple Slave servers configured to communicate with the Master server.
For more information about configuration, see the Master & Slave Settings sections for configuration settings of both
Master and Slave servers.
Cynet provides a single console to view data from multiple locations. When logging into the Master server, the console
will by default display all data related to the Master server’s database. To view the console for configured Slave servers,
use the drop-down menu in the Menu Section next to the Logout button and select the appropriate Slave server.
This will reload the current console with all the data from the selected Slave server. Each Slave server will contain its
own settings, scan data, and alerts but will be available to be viewed from the Master server’s console.
MASTER/SLAVE NETWORK COMMUNICATION
The Master server needs access to the Slave server(s) database to retrieve all data related to the Slave server’s
scanned endpoints. This connection occurs on TCP port 3333. The Slave server communicates with the Master server
using the web console API via TCP port 8443*.
[Diagram: Cynet Master Server -> Cynet Slave Server database over TCP/3333; Cynet Slave Server -> Cynet Master
Server web console API over TCP/8443*]
NOTE The default web console listening port is TCP 8443, however this can be changed in the configuration settings. The
connection from a Slave server to the Master server should be on the configured web console port for the Master server.
CYNET BINARIES
The following are binaries used by Cynet 360 to scan endpoints. See the Cynet Server Services section for more
information about the executables and services that run on the Cynet server for analysis, detection, and remediation of
threats.
EXECUTABLES (WINDOWS)
The following executables are run from the C:\Windows\ directory.
▪ CynetEPS.exe – The Endpoint Scanner (EPS) process is deployed by the Cynet 360 server to Windows endpoints to be scanned. It deploys certain child processes (see below) and collects indicators from files, users, hosts, and network data for threat analysis. This process handles all communication between the endpoint and the Cynet server.
The following are child processes dynamically spawned by CynetEPS.exe
▪ CynetMS.exe – The Memory Scanner (MS) process scans memory usage by running processes for malicious activity.
▪ CynetAR.exe – The Auto Run (AR) process collects data regarding autorun entries, drivers, tasks, services, etc. for processes scheduled to run at boot (persistence).
▪ CynetGW.exe – The GUI Window (GW) process collects data regarding window activity for each process, to detect processes running in hidden windows.
▪ CynetSD64.exe – The Software Dev 64-Bit (SD64) process collects DLL dependencies for 64-bit processes running on the system. Since CynetEPS runs as a 32-bit process, the CynetSD64 process is necessary to collect this data from 64-bit processes.
▪ CynetLauncher.exe - The Launcher executable is a remote execution process which runs on endpoints to distribute the CynetEPS executable for scanning.
▪ CynetDS.exe – The Deep Scan executable runs on endpoints for forensic analysis of a specified process. CynetDS can only monitor one process per host at a time, but multiple hosts can have a deep scan running at the same time. See the Deep Scans section for more information.
▪ CynetRunner.exe – The Runner executable is deployed to endpoints when certain remediation actions are used. When “Run Command” or “Run File” actions are used, this process will handle the execution of the action, and collect the response output. The output can then be viewed in the console interface.
▪ CynetRunner64.exe – The 64-bit version of the CynetRunner.exe process (see above).
DAEMONS (LINUX & MAC)
The following daemons are run from the /opt/Cynet/ directory.
▪ CynetEPS – The Endpoint Scanner (EPS) daemon is deployed by the Cynet 360 server to Linux or Mac endpoints to be scanned. It collects indicators from files, users, hosts, and network data for threat analysis. This process handles all communication between the endpoint and the Cynet server.
CYNET SERVICES
The following are services used by Cynet 360 for various purposes. They are grouped into services that run on the
Cynet server and services that run on the scanned endpoints in the environment.
CYNET SERVER SERVICES
The services listed below are only found on the Cynet server for processing scan data from scanned endpoints. For more
information about Stopping/Starting procedures for these services, see the Stop/Start Cynet Server Services section of
this guide.
▪ CSHelper (cshelper.exe) – The CSHelper service acts as a watchdog service for the other Cynet services on the server. It will constantly check that all other Cynet services are running, and will automatically restart any that are not currently running. This service can also check if updates to the Cynet server version exist. If the system is configured for automatic updates, it will begin the update process and restart the Cynet services after the update has completed.
▪ Cynet (cynet.exe) – The Cynet service is the central Cynet service, which coordinates actions between all other Cynet services. It performs start-up checks, performs database updates or maintenance if necessary, performs threat analysis queries, heartbeats back to the Cynet VPC, performs threat intelligence queries, sends files to the sandbox for analysis, and performs remediation actions on endpoints (if actions are taken manually or through auto-remediation).
▪ CynetListener (cynetlistener.exe) – The CynetListener service is responsible for listening for raw scan data coming in from endpoints. This service will place this data in a temporary queue, where it will be processed by the CynetProtobufHandler service when available.
▪ CynetProtobufHandler (cynet.protobufprocessor.exe) – The CynetProtobufHandler service is responsible for processing raw scan data collected from endpoints by the server and processing the data so it can be stored in the appropriate database location.
▪ Redis (redis-server.exe) – The Redis service is a queue application responsible for the communication between the Cynet database and the frontend web interface. The queuing provides quick page loads when using the web interface, especially with actions which require complex queries to the database.
▪ [OPTIONAL] CynetSyslog (Cynet.Syslog.exe) – The CynetSyslog service can be configured to run a syslog listener. This service will accept incoming syslog messages through a configured port and archive them on the Cynet server. The Cynet server can also be configured to parse syslogs (see the Log Parser settings section of this guide).
ENDPOINT SERVICES (WINDOWS)
The service listed below is installed on any Windows host with the Light Agent installed.
▪ CynetLauncher – This service is created when the light agent is installed on a Windows host. This service will run the CynetLauncher.exe once at boot up, which invokes the CynetEPS process on the endpoint with the necessary command-line parameters.
ENDPOINT SERVICES (LINUX)
The service listed below is installed on any Linux host with the Light Agent installed.
▪ cyservice – This service is created when the light agent is installed on a Linux host. This service starts the CynetEPS daemon when the system boots. It is placed in the /etc/init.d/ directory.
ENDPOINT SERVICES (MAC)
The service listed below is installed on any Mac host with the Light Agent installed.
▪ com.cyneteps.service.plist – This service is created when the light agent is installed on a Mac host. This service starts the CynetEPS daemon when the system boots. It is placed in the /Library/LaunchDaemons/ directory.
NOTE The CynetLauncher service will not stay in the ‘Running’ state after it is run. To verify the light agent is running,
check the task manager and look for the CynetEPS process to be running. See the Validation section of the Windows
Light Agent Installation procedure for more details.
NOTE Check the Validation section of the Linux Light Agent Installation procedure for more details about checking the
status of this service.
NOTE Check the Validation section of the Mac Light Agent Installation procedure for more details about checking the
status of this service.
CYNETEPS COMMAND-LINE FLAGS
The CynetEPS process that runs on Windows endpoints contains a number of command-line flags that activate or
deactivate certain functionality of the Cynet scanner while it scans endpoints. The flags can be seen in the “Command
Line” column in the Windows Task Manager.
A typical CynetEPS execution with a full command-line of flags may look like this:
CynetEPS.exe 192.168.200.100 -port 443 -cpulimit 15 -scanid 52 -alwayson -driver
-donetworkcheck -adthransom -adtdokill -ualert -fh -fhdokill
NOTE The first command-line argument specifies the IP address of the Cynet server. It is a required argument for the
CynetEPS to run. There is no flag to define this argument.
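The following Python is an added example (not part of this guide and not Cynet's own tooling). It parses a CynetEPS command line as copied from the Task Manager “Command Line” column and reports settings that weaken the agent, using only what the flag table in this section documents: which flags take a value, the 60/40 -cpulimit split between CynetEPS and CynetMS, the 300-second -heartbeat default, -driver as the self-protection switch, -debugconfig writing scan data unencrypted, the troubleshooting-only flags, and the two flags Cynet does not recommend disabling. Flags the guide does not document (its own sample line uses -scanid, -alwayson and -adtdokill) are reported as unknown rather than interpreted. The finding codes and the second, weakened sample line are this example's own constructions.

```python
"""Added example (not from the Cynet guide, not Cynet tooling): parse a CynetEPS
command line and flag settings that weaken the agent. Only behaviour documented
in the guide's flag table is encoded; undocumented flags are reported, not
interpreted. Finding codes and WEAK_SAMPLE are this example's own."""
import ipaddress
import shlex
from typing import Any, Dict, List, Optional, Set, Tuple

# Flags that consume the next token as a value (per the guide's table).
VALUE_FLAGS = {"port", "secip", "secport", "cpulimit", "memsize", "heartbeat",
               "ps", "pps", "loglevel", "osharecycle", "adtdecoylimit"}
# Boolean flags documented in the guide.
BOOL_FLAGS = {"donetworkcheck", "nomemstr", "ualert", "driver", "driverblockraw",
              "driverkillraw", "driverloghandle", "debugconfig", "disableupdate",
              "showconsole", "savelog", "debugms", "savejson", "savezip", "fh",
              "fhdokill", "decoy", "adtdisable", "adthdokill", "adthransom",
              "adtnodecoy", "adtnoproccb", "fastscan", "fastscandokill"}
# Flags the guide says are "typically only used for troubleshooting".
TROUBLESHOOTING_ONLY = {"driverloghandle", "debugconfig", "disableupdate",
                        "showconsole", "savelog", "debugms", "savejson", "savezip"}
# Flags the guide says Cynet does NOT RECOMMEND (finding codes are this example's own).
NOT_RECOMMENDED = {"adtdisable": "ADT_DISABLED", "adtnodecoy": "ADT_DECOY_DISABLED"}
LOG_LEVELS = {"all": 1, "trace": 2, "debug": 3, "info": 4, "warn": 5,
              "error": 6, "fatal": 7, "off": 8}
HEARTBEAT_DEFAULT = 300  # seconds, per the guide


def _clean(token: str) -> str:
    # Text copied from a PDF may carry en dashes where the real command line has "-".
    return token.replace("\u2013", "-").replace("\u2014", "-").strip('"')


def _coerce(name: str, raw: str) -> Any:
    if name in ("secip", "ps"):
        return str(ipaddress.ip_address(raw))
    if name == "loglevel":
        level = LOG_LEVELS.get(raw.lower()) or int(raw)
        if not 1 <= level <= 8:
            raise ValueError(f"-loglevel must be 1..8, got {level}")
        return level
    return int(raw)


def parse_cmdline(cmdline: str) -> Dict[str, Any]:
    tokens = [_clean(t) for t in shlex.split(cmdline, posix=False)]
    if tokens and tokens[0].lower().endswith(".exe"):
        tokens = tokens[1:]  # executable path, if present
    if not tokens or tokens[0].startswith("-"):
        raise ValueError("server IP (first positional argument) is required")
    server = str(ipaddress.ip_address(tokens[0]))  # raises on a malformed address
    flags: Dict[str, Any] = {}
    unknown: List[str] = []
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            raise ValueError(f"unexpected positional argument {tok!r}")
        name = tok.lstrip("-").lower()
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        has_value = nxt is not None and not nxt.startswith("-")
        if name in VALUE_FLAGS:
            if not has_value:
                raise ValueError(f"-{name} requires a value")
            flags[name] = _coerce(name, nxt)
        elif name in BOOL_FLAGS:
            flags[name] = True
            has_value = False
        else:  # undocumented flag: keep a following non-flag token as its raw value
            unknown.append(name)
            flags[name] = nxt if has_value else True
        i += 2 if has_value else 1
    return {"server": server, "flags": flags, "unknown": sorted(unknown)}


def cpu_budget(parsed: Dict[str, Any]) -> Optional[Tuple[float, float]]:
    """Documented split: 60% of -cpulimit to CynetEPS, 40% to CynetMS."""
    limit = parsed["flags"].get("cpulimit")
    return None if limit is None else (round(limit * 0.6, 2), round(limit * 0.4, 2))


def effective_heartbeat(parsed: Dict[str, Any]) -> int:
    return parsed["flags"].get("heartbeat", HEARTBEAT_DEFAULT)


def audit(parsed: Dict[str, Any]) -> List[Dict[str, str]]:
    """Findings for settings the guide marks troubleshooting-only or not recommended,
    plus the absence of the self-protection driver."""
    f = parsed["flags"]
    out: List[Dict[str, str]] = []
    if "driver" not in f:
        out.append({"code": "NO_SELF_PROTECT",
                    "detail": "-driver absent: no self-protection driver, the EPS process can be killed"})
    if "debugconfig" in f:
        out.append({"code": "UNENCRYPTED_LOCAL_DATA",
                    "detail": "-debugconfig stores scan data unencrypted on the endpoint"})
    for name in sorted(TROUBLESHOOTING_ONLY & set(f)):
        out.append({"code": "TROUBLESHOOTING_FLAG", "detail": f"-{name} is troubleshooting-only"})
    for name, code in NOT_RECOMMENDED.items():
        if name in f:
            out.append({"code": code, "detail": f"-{name} is set; Cynet does not recommend it"})
    for name in parsed["unknown"]:
        out.append({"code": "UNKNOWN_FLAG", "detail": f"-{name} is not documented in the guide"})
    return out


def finding_codes(parsed: Dict[str, Any]) -> Set[str]:
    return {x["code"] for x in audit(parsed)}


# The guide's own sample line, with ASCII hyphens.
GUIDE_SAMPLE = ("CynetEPS.exe 192.168.200.100 -port 443 -cpulimit 15 -scanid 52 -alwayson -driver "
                "-donetworkcheck -adthransom -adtdokill -ualert -fh -fhdokill")
# Constructed weakened line for contrast (hypothetical, not from the guide).
WEAK_SAMPLE = (r'"C:\Windows\CynetEPS.exe" 10.0.0.5 -port 8443 -cpulimit 20 -debugconfig '
               "-disableupdate -adtdisable -adtnodecoy -savelog -loglevel debug")
```

On a Windows host the input string can be taken from `Get-CimInstance Win32_Process -Filter "Name='CynetEPS.exe'" | Select-Object -ExpandProperty CommandLine` in PowerShell, or from the Task Manager column the guide refers to. For the guide's sample line the only findings are the three undocumented flags; for the weakened line the audit reports the missing -driver, the unencrypted -debugconfig output, the troubleshooting-only flags, and both not-recommended ADT switches.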
The table in the following section contains a list of the command-line flags and values that are available to control the
functionality of the CynetEPS. These flags are set at the time of execution and are typically set by the Cynet server when
scanning endpoints. They may also be used to set the default configuration of the Light Agent during agent installation.
Consult Cynet support for any questions regarding these flags.
Flag Description
-port <port> This flag along with a port number defines the port the EPS will use when sending scan
data back to the Cynet server.
Example: -port 443
-secip <ip> This flag along with an IP address defines a secondary IP address for the EPS to send scan
data to. This IP address will only be used if the primary IP address (specified in the first
command-line argument) is unavailable.
Example: -secip 192.168.100.200
-secport <port> This flag along with a port number defines the port for the secondary IP address the EPS
will use when sending scan data back to the Cynet server.
Example: -secport 8443
-cpulimit <value> This flag along with a numeric value defines the maximum amount of CPU usage that the
CynetEPS and CynetMS are allowed to consume when scanning the host. 60% of this value
is allocated to the CynetEPS process, while the remaining 40% is allocated for the CynetMS
process.
Example: -cpulimit 15 (9% to CynetEPS, 6% to the CynetMS)
-memsize <value> This flag along with a numeric value defines the maximum amount of memory usage the
CynetEPS and CynetMS are allowed to consume when scanning the host (in Megabytes).
This limit is applied to the CynetEPS and CynetMS process respectively.
Example: -memsize 300
-heartbeat <value> This flag along with a numeric value defines the interval in which the CynetEPS will
heartbeat back to the Cynet server (in seconds). The default value is 300 (5 minutes).
Example: -heartbeat 15
-donetworkcheck This flag enables the CynetEPS to perform an internet connectivity check. This connectivity
is factored into the risk score analysis.
Example: -donetworkcheck
-nomemstr This flag disables memory string collection by the CynetEPS when analyzing processes on
endpoints during scanning.
Example: -nomemstr
-ps <ip> This flag along with the host’s IP address allows the EPS to bind to the NIC configured with
this IP address to detect network based attacks.
Example: -ps 192.168.1.10
-pps <value> This flag along with a numeric value defines the maximum number of network packets the
CynetEPS will analyze per second. If this limit is exceeded, the Network Monitor within the
CynetEPS will enter a sleep mode until it has completed analyzing all packets in the
current queue.
Example: -pps 10000
-ualert This flag enables the CynetEPS to display a pop-up on the endpoint desktop when an alert
is generated by Cynet to notify the user.
Example: -ualert
-driver This flag enables the CynetEPS to install a driver on the system for the self-protection
mode. This mode ensures that the EPS process cannot be killed on the host. It also
provides kernel level visibility.
Example: -driver
-driverblockraw This flag enables blocking any attempt to write to the MBR.
Example: -driverblockraw
-driverkillraw This flag enables automatic remediation for any attempt to write to the MBR. Any process
that was blocked from writing to the MBR will be killed.
Example: -driverkillraw
-driverloghandle This flag enables logging for process handles on scanned endpoints. This flag is typically
only used for troubleshooting.
Example: -driverloghandle
-debugconfig This flag stores all scan data in an unencrypted data file on the endpoint so it is human-
readable. This flag is typically only used for troubleshooting.
Example: -debugconfig
-disableupdate This flag disables the CynetEPS from automatically updating its arguments from the Cynet
server. This flag is typically only used for troubleshooting.
Example: -disableupdate
-showconsole This flag enables the CynetEPS to display all activity to a command prompt at execution.
This flag is typically only used for troubleshooting.
Example: -showconsole
-savelog
(-loglevel <value>)
This flag enables the CynetEPS to log all activity to a log file located at
C:\Windows\clog\CynetEPSLog.txt. Optionally, the -loglevel flag can be used in
conjunction to specify what types of events should be saved in the log. This flag is
typically only used for troubleshooting.
Log Levels:
1 - all
2 - trace
3 - debug
4 - info (default)
5 - warn
6 - error
7 - fatal
8 - off
Example: -savelog
Example: -savelog -loglevel all
Example: -savelog -loglevel 1
-debugms This flag enables the CynetMS to log all activity to a log file located at
C:\Windows\System32\CynetLoggerMS.txt or C:\Windows\CynetLoggerMS.txt (depending
on the working directory). This flag is typically only used for troubleshooting.
Example: -debugms
-savejson This flag enables the CynetEPS to create json files locally, which simulates data files sent
back to the Cynet server (called PCQ files). These json files are typically saved to
C:\Windows\system32\CynetEPSJson#.file. This flag is typically only used for
troubleshooting.
Example: -savejson
-savezip This flag enables the CynetEPS to save all PCQ files to a single zip file. This zip file is
typically saved to C:\windows\CynetEPSJson.zip. This flag is typically only used for
troubleshooting.
Example: -savezip
-osharecycle <value> This flag along with a numeric value defines the minimum amount of time the CynetEPS
will take to collect information from a remotely opened file (in minutes).
Example: -osharecycle 3
-fh This flag enables the Fuzzy Hashing detection mechanism. With the Fuzzy Hashing
technique, Cynet is able to mathematically calculate similarities in code to detect similar
variants of malware.
Example: -fh
-fhdokill This flag enables remediation based on threats detected using the Fuzzy Hashing
technique. Processes will automatically be killed when detected.
Example: -fhdokill
-decoy This flag enables the CynetEPS to monitor for brute force attempts on decoy files and
users that were deployed to the endpoint.
Example: -decoy
-adtdisable This flag disables the ADT (Advanced Detection Technology) heuristic engine on the
CynetEPS. This functionality is enabled by default on the CynetEPS unless this flag is set.
Cynet does NOT RECOMMEND disabling this feature, as it is an important mechanism for
threat detection.
Example: -adtdisable
-adthdokill This flag enables the CynetEPS to automatically kill processes determined to be malicious
by the ADT Heuristic Engine.
Example: -adthdokill
-adthransom This flag enables the CynetEPS Ransomware detection mechanism in the ADT Heuristic
Engine.
Example: -adthransom
-adtnodecoy This flag disables the decoy file feature for Ransomware detection in the ADT Heuristic
Engine. With this feature, hidden decoy files are deployed to specific locations on the
file system for Ransomware detection. Cynet does NOT RECOMMEND disabling this
feature, as it affects the ability to detect new variants of Ransomware.
Example: -adtnodecoy
-adtdecoylimit <value> This flag along with a numeric value defines the maximum disk space that can be used by
the ransomware heuristic decoy files (in Megabytes).
Example: -adtdecoylimit 100
-adtnoproccb This flag disables…
Example: -adtnoproccb
-fastscan This flag enables CynetEPS detection using external threat intelligence.
Example: -fastscan
-fastscandokill This flag enables the CynetEPS to automatically remediate threats detected using external
threat intelligence.
Example: -fastscandokill