Cynet360 User Guide · Hosts Map View ... size and prior skill. Natively-built protection across...

CYNET 360 USER GUIDE


Table of Contents

INTRODUCTION ........ 4
  ABOUT CYNET ........ 4
  NATIVELY-BUILT PROTECTION ACROSS ALL ATTACK SURFACES ........ 4
  MAIN CAPABILITIES ........ 5
CONSOLE INTERFACE ........ 6
  LOGGING INTO CYNET 360 ........ 6
  INTERFACE LAYOUT ........ 7
DASHBOARD ........ 9
ALERTS ........ 13
  ALERT DETAILS ........ 14
  ALERT ACTIONS ........ 15
  ALERT STATUS ........ 16
FORENSIC ........ 17
  ADVANCED SEARCH ........ 18
    Display Fields ........ 19
    Search Fields ........ 19
    Saved Searches ........ 20
    Saved Policies ........ 21
  FILES ........ 24
    File Favorite Searches ........ 24
    File Details Page ........ 25
    Occurrences ........ 27
    Static Analysis Results ........ 28
  HOSTS ........ 29
    Host Favorite Searches ........ 29
    Host Details Page ........ 30
    Hosts Map View ........ 31
    Hosts Actions ........ 33
    Hosts Details ........ 34
  USERS ........ 35
    User Favorite Searches ........ 35
    User Details Page ........ 36
  DOMAINS ........ 38
    Domain Favorite Searches ........ 38
    Domain/IP Address Details Page ........ 39
    Domain Actions ........ 40
  SOCKETS ........ 41
    Socket Favorite Searches ........ 41
ACTIONS ........ 42
  FILE ACTIONS ........ 43
  HOST ACTIONS ........ 44
  USER ACTIONS ........ 45
  NETWORK ACTIONS ........ 45
  AUTO REMEDIATION ........ 46
SCANNER ........ 53
  MANUAL SCANS ........ 55
REPORTS ........ 56
  ALERTS REPORT ........ 56
  TOP RISKS REPORT ........ 58
  VULNERABILITIES ASSESSMENT REPORT ........ 59
  INVENTORY REPORT ........ 60
  EXPORTING REPORTS ........ 61
MAPS ........ 63
AUDIT ........ 64
SETTINGS ........ 66
  SCAN GROUPS ........ 67
  CONFIGURATION ........ 83
  EPS CONFIGURATION ........ 98
  DECOY FILES ........ 100
  THREAT HUNTING ........ 105
    TH results ........ 106
  ADVANCED ........ 107
  USERS ........ 114
  MAPS ........ 121
  ANALYSIS ........ 122
  ALERTS ........ 124
  INTEGRATIONS ........ 127
  VULNERABILITY MANAGEMENT ........ 129
  UBA MANAGEMENT ........ 131
  THREAT HUNTING ........ 134
  WHITELISTING ........ 136
  SYSTEM INFO ........ 137
FEATURES & FUNCTIONALITY ........ 138
  ANALYSIS ACTIONS ........ 138
  REMEDIATION ACTIONS ........ 141
APPENDIX: SYSTEM COMPONENTS ........ 145
  INTEGRATION WITH SIEM – NEW API FOR EXTRACTING DATA FROM CYNET ........ 145
  MULTI-TENANCY ........ 146
  CYNET BINARIES ........ 147
  CYNET SERVICES ........ 148
  CYNETEPS COMMAND-LINE FLAGS ........ 150


INTRODUCTION

About Cynet

Cynet was founded by an elite group of seasoned security entrepreneurs, researchers and SOC practitioners to build a single, autonomous platform centralizing all aspects of breach protection. Cynet couples unmatched prevention, detection and response capabilities with extreme ease of operation, providing protection for all an organization’s needs, regardless of their security team’s size and prior skill.

Natively-built protection across all attack surfaces

Cynet is a security platform that protects organizations from breaches by automated discovery and mitigation of all threat vectors across all attack stages.

Cynet is the first solution that protects the entire environment, by correlating users, files, network traffic and host activities with a complete set of threat prevention and detection tools, joined by pre-set and custom auto-remediation policies for post-compromise activity.

By unifying all aspects of breach protection in a single interface, Cynet eliminates the need for multi-product security stacks, and the dependency on high-level security skills.

Cynet CyOps 24/7 Security Team & The Support Team

The Cynet SOC and Support are available to customers for any issues, questions or comments:

Phone (IL): +972-72-336-9736

Phone (US): +1-347-474-0048

Phone (EU): +44-203-290-9051

Support Email: [email protected]

CyOps Email: [email protected]


Main Capabilities

Total Environment Visibility: An organization’s attack surface is much wider than its endpoints. Cynet continuously monitors all user logins and logouts, internal and external traffic, and process execution on hosts to provide real-time contextual visibility into the entire environment’s activities.

360° Prevention and Detection: Cynet continuously builds and natively integrates the full scope of technologies to prevent and detect attack vectors that target users, files, the network and hosts: AV, NGAV, EDR, network analytics, UEBA and deception, building a robust security protection stack across all attack stages.

Automated Remediation: Cynet provides the widest set available of remediation actions for compromised hosts and users, malicious files and network communication. Cynet is shipped with pre-built remediations, making it the only solution with the ability to automatically block attacks at multiple post-compromise stages such as privilege escalation, credential theft, lateral movement and others.

Context Based Alert Operation: In the case of malicious activity without a matching pre-built remediation, Cynet provides the full user, file, network and host context for rapid insight into the attack’s impact and scope. The resolving process concludes with manually applying a remediation action on the compromised entity, which can be saved as a policy to automate response in future occurrences.

Easy Deployment & Maintenance: Cynet is based on a server-agent architecture. The server can be either on-prem, IaaS or hybrid, per customer preference, and the endpoint side is either a dissolvable executable or a lightweight agent that rapidly deploys to 50Ks of hosts in a single day.

CyOps 24X7 Security Expertise: Cynet complements its automated threat protection technology with integrated security services at no additional cost. CyOps is a 24/7 team of threat analysts and security researchers that proactively hunts for threats among Cynet’s customers, as well as responding to customer escalations and assisting with file analysis, incident response and deep investigation.


CONSOLE INTERFACE

Cynet 360 utilizes a web-based graphic user interface over an HTTPS encrypted connection. The following guide describes each section of the web interface in detail.

LOGGING INTO CYNET 360

In most installations, the URL to log into the Cynet 360 console will be:

▪ https://*CYNET_SERVER*:8443

Where *CYNET_SERVER* is the IP address or hostname of your Cynet 360 server. Navigating to this URL will bring up the Cynet 360 login page.

Log in with the default credentials:

▪ Username: operator

▪ Password: qwdftyjkop

NOTE It is highly recommended by Cynet to change the default operator credentials after initial login and creation of additional user accounts in the Users settings section.

NOTE If you receive the message “Your connection is not private”, this is because Cynet is currently using a self-signed certificate. To remove this message, install a CA-issued certificate on the Cynet IIS site. To ignore the message and proceed, click Advanced at the bottom left and then click Proceed to localhost.


INTERFACE LAYOUT

The Cynet 360 interface is designed to provide a simple layout for navigation of the system. There are six main sections of the console interface, which can be easily navigated using the main navigation menu on the left side. The main sections include:

▪ Dashboard – Overview of the alerts, scans, and analysis (See also the Dashboard section)

▪ Alerts – Lists all alerts generated by the system (See also the Alerts section)

▪ Forensic – Lists all data from files, users, hosts, and network (See also the Forensic section)

▪ Actions – Lists all remediation actions taken and results (See also the Actions section)

▪ Scanner – Lists all scan results of hosts in the environment (See also the Scanner section)

▪ Reports – Lists all of the reports generated by the system (See also the Reports section)

▪ Maps – Contains a map of all locations configured (See also the Maps section)

▪ Audit – Lists all user actions performed in the system (See also the Audit section)

▪ Settings – Contains all system configuration settings (See also the Settings section)

[Figure: main navigation menu with the entries Dashboard, Alerts, Forensic, Actions, Scanner, Reports, Maps and Settings]


In addition to the main navigation menu, some sections may contain sub-menus, which can be used to navigate to other pages within the section.

Additionally, at the top of every page of the console the current date and time is displayed, as well as the currently logged-in user. To the right of the logged-in user is a link to log out of the system.

If the Cynet server is configured for multi-tenancy (see also the Multi-Tenancy section), a drop-down menu will appear next to the currently logged-in user. This drop-down menu provides navigational access to the other Cynet servers currently configured to point to this Master server.


DASHBOARD

The Dashboard provides a high-level overview of the current security status of the environment. It utilizes various graphics to display the current number of open alerts, files that have been analyzed and hosts that have been scanned, and allows pivoting to various other areas of the console based on this information. There are 4 main graphics on the dashboard, which are described in more detail in the next section of the guide:

A. Open Alerts – Metrics about current open alerts. The number of files, users, hosts, and network traffic items associated with these open alerts are displayed to the right.

B. Threat Radar – Overall risk level (center) and high-risk objects (files, users, hosts, and network traffic). Individual risk scores for objects will be displayed as dots on the radar. Objects with open alerts will be shown as solid dots, and can be clicked on to view details.

C. Files Analyzed – Metrics about files that have been analyzed by the system to date. The percentage of “whitelisted” files indicates the number of files which have been analyzed and deemed safe through security intelligence. The remaining percentage will be reviewed by the Cynet CyOps SOC.

D. Alerts By Date – Graph of alerts generated over the past 10 days.

E. Hosts Scanned – Metrics on hosts that have been scanned recently.

Each section of the dashboard is explained in greater detail below.

[Figure: dashboard layout showing panels A to E]


OPEN ALERTS

The Open Alerts graphic, located at the left side of the dashboard, provides the number of current open alerts of all severity levels. The colored ring around the Total Alerts indicates the severities of the alerts. To the right, the number of Files, Users, Hosts, and Network objects associated with these alerts is displayed.

Hovering the cursor over the Total Alerts ring will display how many open alerts there are of each severity. Click on the object symbols to pivot to the Alerts page filtered to File Alerts, User Alerts, Network Alerts, or Host Alerts.

The Alerts by Date section provides a graphical timeline of generated alerts per day. Hovering over the graph will display the number of alerts generated on each day.


THREAT RADAR

The Threat Radar contains the current Total Security Score in the center. This value is calculated from the current Risk Levels of every File, User, Host, and Network object in the environment, as well as any Open Alerts. All active threats in the environment appear as blips on the Threat Radar.

Clicking on items highlighted within the Threat Radar will display the object name and the associated Alert. To view the details of this object, click the blue arrow.


FILES ANALYZED

The Files Analyzed section, located at the top right side of the Main Dashboard, provides the number of files that have been scanned and analyzed by the system. It also contains the percentage of Whitelisted files, which have been determined to be safe based on their collected metadata and behavioral analysis compared against Cynet’s Security Threat Intelligence.

HOSTS SCANNED

The Hosts Scanned section, located at the bottom right side of the Main Dashboard, provides statistics for the number of hosts that have been scanned in the past day, week, and month.


ALERTS

The Alerts page provides a customizable view of the alerts generated by the system. Various filters can be used to display specific alerts, and actions can be taken on displayed alerts. The page contains the following sections:

A. The Alert Types Menu allows users to filter alerts generated for Files, Users, Hosts, Network, or All Alerts (default).

B. The Quick Search allows users to quickly filter displayed alerts by a keyword search.

C. The Alert Actions section allows users to export displayed alerts to an Excel (.xlsx) file and/or take a Remediation Action. (See also the Alert Actions section)

D. The Alerts Quick Filter Bar allows users to quickly filter alerts by Alert Name, Severity, Status, Host name, File name, User name, Network, or Alert Date. From here all currently visible alerts can also be selected to perform an action on multiple alerts.

E. The Load Entries drop-down menu can be used to show more or fewer alerts on the Alerts Dashboard. The system displays 25 alerts by default.

F. The Displayed Alerts section shows all alerts according to the filter criteria set in the Alerts Filter Bar above. Relevant information about the alert is displayed. To view details about the alert, click the arrows on each alert. (See also the Alert Details section)

G. The Alert Status is displayed below the alert name. Alert statuses can be changed individually or in a group. (See also the Alert Status section)

H. The Total Open Alerts graphic displays the current number of open alerts and the distribution of alert types (files, users, network, or hosts).

[Figure: Alerts page layout showing areas A to H]


ALERT DETAILS

To view more details for displayed alerts, click on the “more” button at the bottom of the alert. This will open a window below the alert with details about the alert.

Additional information displayed in the alert details includes:

▪ Description – A detailed description of the alert and additional details such as related processes and hashes, associated users, Windows events, etc.

▪ Recommendation – The remediation actions recommended by the Cynet SOC based on the type and severity of the alert.

▪ Related Objects – All correlated files, users, hosts, and network traffic for this alert will be shown in this section.

▪ Comments – Analysts can add comments based on the alert investigation and resolution.

▪ Some alerts will also include the file Path and Hash.


ALERT ACTIONS

Alert actions can be used to change an alert status or to perform a remediation action on files, hosts, or users. On the Overall Alerts Dashboard, select one or more alerts to perform an action on and then click the Actions button to open the Alert Actions menu.

This menu will notify you of the alerts that are currently selected, and provide you with the ability to:

A. Change the Alert Status to Open, Close, or Ignore (See also the Alert Status section)

B. Perform additional Analysis actions (See also the Analysis Actions section)

C. Perform Remediation actions (See also the Remediation Actions section)

D. Create a new Auto-Remediation rule based on the alert details (See also the Auto Remediation section)

[Figure: Alert Actions menu showing items A to D]


ALERT STATUS

The Alert Status can be set based on the current stage of the alert lifecycle. The following statuses are available for alerts:

▪ Open – Alert is new and requires investigation and remediation actions.

▪ Ignore – Alert is to be ignored because it is expected, known, or non-malicious activity. Ignoring an alert will prevent similar alerts from being triggered in the future.

▪ Close – Alert has been investigated and should be closed and archived. New activity or behaviors that match previously closed alerts will trigger new alerts to be opened.

An alert’s status can be changed using the Quick Status Change menu (shown below) on the Overall Alerts Dashboard or using the Alert Actions menu (see the Alert Actions section above).
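The practical difference between Ignore and Close is what happens the next time the same activity is observed, and that is easy to get wrong in triage. The following Python model is an added illustration of the lifecycle described above; it is not Cynet’s code, and it assumes (the guide does not say) that “similar alerts” are matched on the pair of alert name and host name. The alert names and host names in it are constructed sample values.

```python
"""Illustrative model of the Open / Ignore / Close alert lifecycle.

Added example, not Cynet's code. Assumption (not stated by the guide): "similar
alerts" are matched on the pair (alert name, host name). Alert and host names
used below are constructed sample values.
"""
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    OPEN = "Open"      # new, needs investigation and remediation
    IGNORE = "Ignore"  # expected/known activity; suppress similar alerts in future
    CLOSE = "Close"    # investigated and archived; matching activity raises a new alert


@dataclass
class Alert:
    alert_id: int
    name: str
    host: str
    status: Status = Status.OPEN
    comments: list = field(default_factory=list)

    @property
    def key(self):
        # Assumed definition of "similar": same alert name on the same host.
        return (self.name, self.host)


class AlertTracker:
    """Tracks alerts and applies the status semantics described in the guide."""

    def __init__(self):
        self.alerts = {}           # alert_id -> Alert
        self.ignored_keys = set()  # keys covered by an Ignore decision
        self.suppressed = []       # activity dropped because of an Ignore decision
        self._next_id = 1

    def ingest(self, name, host):
        """Raise an alert for observed activity unless an Ignore decision covers it.

        Returns the new Alert, or None when the activity was suppressed.
        """
        key = (name, host)
        if key in self.ignored_keys:
            self.suppressed.append(key)
            return None
        alert = Alert(self._next_id, name, host)
        self._next_id += 1
        self.alerts[alert.alert_id] = alert
        return alert

    def set_status(self, alert_ids, status, comment=None):
        """Quick Status Change / Alert Actions: apply one status to one or more alerts."""
        for alert_id in alert_ids:
            alert = self.alerts[alert_id]
            alert.status = status
            if comment:
                alert.comments.append(comment)
            if status is Status.IGNORE:
                self.ignored_keys.add(alert.key)
            else:
                # Moving an ignored alert back to Open or Close lifts the suppression
                # (assumed behaviour; the guide only describes Ignore and Close).
                self.ignored_keys.discard(alert.key)

    def by_status(self, status):
        return [a for a in self.alerts.values() if a.status is status]


def demo():
    """Walk the lifecycle on constructed activity and return a summary dict."""
    t = AlertTracker()
    a1 = t.ingest("Decoy file accessed", "HOST-01")   # constructed sample alert
    a2 = t.ingest("Unusual logon time", "HOST-02")    # constructed sample alert

    # Analyst confirms the HOST-01 activity is an expected backup job: Ignore it.
    t.set_status([a1.alert_id], Status.IGNORE, "Scheduled backup touches decoys")
    again = t.ingest("Decoy file accessed", "HOST-01")   # suppressed, returns None

    # The HOST-02 alert is investigated and closed; the same activity later
    # raises a fresh Open alert instead of being suppressed.
    t.set_status([a2.alert_id], Status.CLOSE)
    a3 = t.ingest("Unusual logon time", "HOST-02")

    return {
        "suppressed_after_ignore": again is None,
        "reopened_after_close": a3 is not None and a3.status is Status.OPEN,
        "open": [a.alert_id for a in t.by_status(Status.OPEN)],
        "suppressed_count": len(t.suppressed),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is that Ignore is a standing decision, not a one-off: every later match on the assumed key is silently dropped, so the Ignore status should be reserved for activity that has actually been verified as benign, while Close keeps future detections flowing.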


FORENSIC The Forensic page is broken up into five distinct sub-sections: Files, Hosts, Users, Domains, and Sockets. Each sub-

section provides inventories for all data collected by Cynet 360. Every page of the Forensic section has the same basic

layout:

A. The Sub-Menu contains links to the inventories of all Files, Hosts, Users, Domains, and Network sockets

observed by the system.

B. The Favorite Searches bar provides predefined searches to quickly search within the inventories. (See also the

Advanced Search section)

C. The Advanced Search bar provides the ability to search within the inventories on any of the available metadata fields, or to change the displayed fields in the Inventory List area. (See also the Advanced Search section)

D. The Actions area provides the ability to export inventories to an Excel (.xlsx) file and/or take a Remediation

Action. (See the Analysis Actions & Remediation Actions sections)

E. The Quick Filter Bar provides the ability to quickly filter inventories by metadata and indicators such as file

name, risk level, host name, IP address, etc.

F. The Inventory List area lists every object that matches the filter criteria set in the Quick Filter Bar. To view more

information and details about this object, click on the object name to view the details page. (See also the File

Details, Host Details, User Details, and Domain/IP Address Details pages)

G. The Top Results graphics show the objects with the highest risk levels and other risky items.



ADVANCED SEARCH

The Advanced Search feature provides the ability to search for files, hosts, users, and network traffic based on any of the available metadata fields, or to change the displayed fields in the Inventory List on any Forensic page. To begin an advanced search or edit the displayed fields, click on the Advanced Search bar.

This will open the Advanced Search window.

A. From here the columns/fields in the Inventory List can be modified by checking/unchecking the Display Fields.

B. Use the Search Fields window to specify the search criteria.

C. Searches can be saved to the Saved Searches to be used again in the future.

D. Search criteria can also be saved to the Saved Policies to be applied as an indicator that contributes to the

object’s risk level.

Saved Policies can also be configured to open an alert once the policy’s search criteria are matched.

See the following sections for more detail about the Display Fields, Search Fields, Saved Searches, and Saved Policies

areas.



DISPLAY FIELDS

The Inventory List on any Forensic page can be modified to display columns beyond those shown by default. To add or remove columns from the Inventory List, check or uncheck fields in the Display Fields menu.

Once the desired fields to view have been selected, the columns in the Inventory List will automatically update with the

selected display fields.

SEARCH FIELDS

To perform a search for objects using non-displayed fields, click the “+” magnifying glass icon in the Display Fields menu

to add that field to the Search Fields window.

To remove a field from the Search Fields window, click the “-” magnifying glass icon.


For each field added to the Search Fields window, select the appropriate logical operator from the drop-down (e.g. “Starts with”, “Ends with”, “Contains”, “Smaller than”, etc.), then enter the value to match in the text box next to it.

Click Search to apply the search filters to the Inventory List.

SAVED SEARCHES

Search filters can be kept as Saved Searches for future use by entering the search filter criteria and then clicking the Save

Search button.

The system will prompt for a name of the saved search. Enter a name, and click Ok to save.

NOTE Fields not checked in the Display Fields menu can still be used as search filters in the Search Fields window. These columns will not appear in the Inventory List, but the filters will still be applied to the search results.


The saved search will then appear in the Saved Searches section to the right. Once saved, simply click on the search

name and the Search Fields window will populate with the search filters in that saved search.

Add your Saved Search to the Favorite Searches bar by clicking the ☆ symbol.

To delete a Saved Search, click the X symbol to the right of the Saved Search name.

SAVED POLICIES

Saved Policies can be created in order to apply a custom risk level to objects based on collected indicators. In addition,

saved policies can also be created in order to open an alert on objects relevant to the policy. Similar to the Saved Search,

search filter criteria can be entered into the Search Fields. Then click the Save Policy button to save these filters as a

policy.


The system will prompt for a name of the saved policy, a risk number value to be factored into the object’s risk level, and a checkbox that will enable Cynet to open an alert once the search criteria are matched.

• Enter a name

• Enter a policy risk number (1-1000)

• Select the checkbox “Open alert on policy match”

• Select the alert severity from the drop-down menu.

• Click Ok to save.

The saved policy will then appear in the Saved Policies section to the right. Once saved, simply click on the policy name

and the Search Fields window will populate with the filters in that saved policy.

To delete a Saved Policy, click the X symbol to the right of the Saved Policy name.


Objects that match the Saved Policy criteria will show the policy on the object’s Details Page as a triggered indicator, and the risk number value entered in the Saved Policy will be factored into the object’s new risk level.

If the saved policy was configured to open an alert upon search criteria match, you will receive the alert in the main

alerts page.

The alert name will be the policy name you configured.


FILES

The Files page provides visibility of all scanned files in the organization and the ability to obtain file-specific information.

The Files Inventory list by default contains the following columns:

▪ File Name – The name of the file. This link takes you to the File Details Page.

▪ Risk Level – The file’s current risk level

▪ Company Name – The file publisher information

▪ Endpoints – The number of endpoints this file exists on

▪ AntiViruses – The number of AV vendors which have signatures for this file

▪ First Seen – The date and timestamp when this file was first seen in the environment.

▪ Last Seen – The date and timestamp when this file was last seen in the environment.

Inventory List columns can be altered using the Advanced Search by changing which fields are displayed.

FILE FAVORITE SEARCHES

The Files page contains eight default favorite searches. These default favorite searches cannot be edited or deleted.

They provide a quick and easy way to search for files based on:

▪ Internal Com – Files which have network communication to an internal IP address(es).

▪ External Com – Files which have network communication to an external IP address(es).

▪ Unique in Org – Files which are unique within your organization and exist only once.

▪ DLL – Files with the .dll extension.

▪ EXE – Files with the .exe extension.

▪ NO GUI – Files that are running in a hidden window.

▪ Detected by Security Intel – Files identified using Cynet’s security intelligence feeds.

▪ Start Up – Files which have made themselves persistent on the endpoint and will execute when the computer

starts up.
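The Saved Policies workflow above (filters entered in the Search Fields window, a risk number of 1-1000, an optional alert named after the policy) and the default favorite searches on the Files page can both be modelled as filters evaluated over a file inventory. The following Python is an added example, not Cynet’s code and not a description of how Cynet 360 evaluates policies internally: the file records are constructed sample data, the filters are combined with AND, the risk number is simply added to the object’s risk level, “Equals” is an operator the page does not list, and “internal” is taken to mean the RFC 1918 ranges. It shows what a policy match changes on an object, which alerts would be opened, and which sample files each favorite returns.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Any, Callable, Dict, List, Tuple

# Operators from the Search Fields drop-down ("Starts with", "Ends with",
# "Contains", "Smaller than", ...). "Equals" is an assumed addition, used
# below to match an empty Company Name.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "Starts with": lambda v, x: str(v).lower().startswith(str(x).lower()),
    "Ends with": lambda v, x: str(v).lower().endswith(str(x).lower()),
    "Contains": lambda v, x: str(x).lower() in str(v).lower(),
    "Smaller than": lambda v, x: v < x,
    "Equals": lambda v, x: v == x,
}

# One Search Fields entry: (field, operator, value).
Filter = Tuple[str, str, Any]

# "Internal" is not defined on the page; RFC 1918 ranges are assumed here.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


@dataclass
class FileRecord:
    """Subset of the Files inventory columns plus what the favorites need."""
    file_name: str
    company_name: str                     # "" = no publisher information
    endpoints: int                        # endpoints the file exists on
    remote_ips: List[str] = field(default_factory=list)  # peers it talked to
    startup: bool = False                 # persisted to run at boot
    risk_level: int = 0
    indicators: List[str] = field(default_factory=list)


def matches(rec: FileRecord, filters: List[Filter]) -> bool:
    # All filters must hold (AND is an assumption; the page does not say).
    return all(OPERATORS[op](getattr(rec, fld), val) for fld, op, val in filters)


def search(inventory: List[FileRecord], filters: List[Filter]) -> List[FileRecord]:
    return [rec for rec in inventory if matches(rec, filters)]


@dataclass
class SavedPolicy:
    name: str
    filters: List[Filter]
    risk_number: int                 # 1-1000, as the Save Policy dialog requires
    open_alert: bool = False         # the "Open alert on policy match" checkbox
    alert_severity: str = "Medium"

    def __post_init__(self) -> None:
        if not 1 <= self.risk_number <= 1000:
            raise ValueError("policy risk number must be between 1 and 1000")


def apply_policy(inventory: List[FileRecord], policy: SavedPolicy) -> List[dict]:
    """Record the policy as a triggered indicator on each match, factor the
    risk number into the risk level (plain addition, an assumption) and return
    the alerts that would be opened, each named after the policy."""
    alerts = []
    for rec in search(inventory, policy.filters):
        rec.indicators.append(policy.name)
        rec.risk_level += policy.risk_number
        if policy.open_alert:
            alerts.append({"name": policy.name, "severity": policy.alert_severity,
                           "file": rec.file_name})
    return alerts


# Files page default favorites as predicates over a record ("NO GUI" and
# "Detected by Security Intel" need data this record does not carry).
FAVORITES: Dict[str, Callable[[FileRecord], bool]] = {
    "Internal Com": lambda r: any(is_internal(ip) for ip in r.remote_ips),
    "External Com": lambda r: any(not is_internal(ip) for ip in r.remote_ips),
    "Unique in Org": lambda r: r.endpoints == 1,
    "DLL": lambda r: r.file_name.lower().endswith(".dll"),
    "EXE": lambda r: r.file_name.lower().endswith(".exe"),
    "Start Up": lambda r: r.startup,
}


def run_favorite(inventory: List[FileRecord], name: str) -> List[str]:
    return [r.file_name for r in inventory if FAVORITES[name](r)]


def sample_inventory() -> List[FileRecord]:
    """Constructed sample data; the external address is a documentation range."""
    return [
        FileRecord("updater.exe", "", 1, remote_ips=["203.0.113.10"]),
        FileRecord("svchost.exe", "Microsoft Corporation", 120, remote_ips=["10.0.0.5"]),
        FileRecord("helper.dll", "", 2),
        FileRecord("tool.exe", "", 2, startup=True),
    ]
```

Running a policy such as “Unsigned EXE on few hosts” with the filters (file_name, Ends with, .exe), (company_name, Equals, “”) and (endpoints, Smaller than, 3) against sample_inventory() marks updater.exe and tool.exe, raises each one’s risk level by the policy’s risk number, and yields one alert per match carrying the policy name and severity; svchost.exe and helper.dll are untouched.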


FILE DETAILS PAGE

The File Details page includes all the information collected by the system regarding the selected file. At the top of the

details page will be a timeline describing the lifecycle of the file.

The file relationship diagram displays how the file is related to other entities in the organization.

A. The center will contain the File Name and Risk Level.

B. To the left will be all associated Hosts, Processes (parent or child), Users, or Network entities. Clicking on an

associated entity will drill into the details page of that entity.

C. To the right will be all detected Indicators for this file.

▪ High severity indicators are denoted in Red

▪ Medium severity indicators are denoted in Gold

▪ Low severity indicators are denoted in Blue

▪ Positive indicators are denoted in Green



The bottom of the file details page contains multiple tabs with detailed information about this file.

▪ The Details tab contains metadata about the file such as file size, path, publisher, hashes, and other data.

▪ The Alerts tab contains all alerts associated with this file. Each tab also offers the remediation action tools relevant to it.

▪ The Occurrences tab contains all instances of the process on all hosts. Each line shows the host it ran on and the user it ran as. (See also the Occurrences section)

▪ The Hosts tab contains the hosts which this file is present on.

▪ The Users tab contains all the users running this file.

▪ The Sockets tab contains the network traffic generated to/from this file.

▪ The Domains tab contains the domains which were queried by this process to initiate network traffic.

▪ The Process DLLs tab contains the DLL files loaded by the currently viewed process.

▪ The Static Analysis tab contains the information collected during static analysis of the file.

▪ The Dynamic Analysis tab contains the information collected and generated from a sandbox execution of the file in the Cynet SSE.

NOTE Certain tabs may not appear in the details page because there is no relevant data to be displayed for that data

category.


OCCURRENCES

The Occurrences tab displays each instance of a file throughout the environment. For example, if a specific file was

executed on two hosts, there would be two entries in the occurrence tab.

Each process occurrence can be expanded using the + symbol to view additional information.

Each occurrence will include details about how the file ran during that instance, including the running user, command-

line, path the file was run from, etc.


STATIC ANALYSIS RESULTS

Static Analysis results are displayed on the Static Analysis tab of the File Details Page. The analysis section includes:

A. The Meta area includes metadata such as hashes, product name (e.g. “Microsoft Windows Operating System”), version and build information, product description, digital signature, timestamp, scattering, and compiler fingerprinting (e.g. “MS Visual C++ 8.0 DLL”).

B. The Strings in File area provides a view of the text strings inside the file.

C. The File Analysis area lists imported functions, as well as File Header information.

D. The File Headers/Sections area lists the file’s headers and Portable Executable (PE) sections with their respective hashes. PE section names typically include .text, .rdata, .data, .pdata, .rsrc, .reloc, and more.
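As an added example of what the Static Analysis tab’s Strings and Headers/Sections areas are built from, the following Python (not Cynet’s code, and not its analysis engine) walks the MZ header, the PE signature, the COFF header and the section table with the standard library, hashes each section’s raw bytes and pulls printable strings. It runs against a minimal PE image that the example constructs itself (a stub that is not loadable); import-table extraction is left out because it needs the optional header’s data directories, which the stub does not carry.

```python
from __future__ import annotations
import hashlib
import re
import struct
from typing import Dict, List, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_pe_sections(data: bytes) -> dict:
    """MZ header -> e_lfanew -> PE signature -> COFF header -> section table;
    each section's raw bytes are hashed, as the Headers/Sections area shows."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, n_sections, _ts, _symtab, _nsyms, opt_size, _flags = \
        struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size        # section headers follow the optional header
    sections = []
    for i in range(n_sections):
        (name, _vsize, vaddr, raw_size, raw_ptr, _rel, _lines, _nrel, _nlines,
         chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:
            raise ValueError(f"section {i} points past the end of the file")
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
            "sha256": sha256_hex(raw),
        })
    return {"machine": machine, "sections": sections}


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs of at least min_len bytes (the Strings in File view)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def build_sample_pe(sections: Dict[str, Tuple[bytes, int]]) -> bytes:
    """Constructed, non-loadable PE image: DOS header with e_lfanew, PE
    signature, a COFF header declaring no optional header, one 40-byte header
    per section, then the raw section data. Just enough for the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x0022)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    headers, body, vaddr = b"", b"", 0x1000
    for name, (content, chars) in sections.items():
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               len(content), vaddr, len(content), raw_ptr,
                               0, 0, 0, 0, chars)
        body += content
        raw_ptr += len(content)
        vaddr += 0x1000
    return dos + b"PE\0\0" + coff + headers + body


# Constructed sections: four bytes of x86-64 code and a short read-only string.
SAMPLE_SECTIONS = {
    ".text": (b"\x48\x31\xc0\xc3", IMAGE_SCN_MEM_EXECUTE),   # xor rax, rax; ret
    ".rdata": (b"hello from rdata\0", 0),
}


if __name__ == "__main__":
    image = build_sample_pe(SAMPLE_SECTIONS)
    for sec in parse_pe_sections(image)["sections"]:
        print(sec["name"], sec["raw_size"], sec["executable"], sec["sha256"])
    print(extract_strings(image))
```

Per-section hashes are what make the Headers/Sections view useful for triage: two samples whose file hashes differ but whose .text section hashes match are very likely the same code with different resources or overlays, which a whole-file hash alone does not reveal.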



HOSTS

The Hosts page provides visibility of all scanned hosts in the organization and the ability to obtain host-specific

information. The Hosts Inventory list by default contains the following columns:

▪ Host Name – The name of the host. This link takes you to the Host Details Page.

▪ Risk Level – The host’s current risk level

▪ Last Scan – The date and timestamp when this host was last scanned by the system.

▪ Host IP – The IP address of the endpoint.

▪ OS Version – The operating system of the endpoint.

▪ # Process – The number of processes detected running on the endpoint.

▪ # Logged Users – The number of users logged into the endpoint.

▪ # Connections - The number of network connections detected on the endpoint.

Inventory List columns can be altered using the Advanced Search by changing which fields are displayed.

HOST FAVORITE SEARCHES

The Hosts page contains three default favorite searches. These default favorite searches cannot be edited or deleted.

They provide a quick and easy way to search for hosts based on:

▪ High Risk – Hosts with a high risk level

▪ Internal Com – Hosts which have network communication to an internal IP address(es).

▪ External Com – Hosts which have network communication to an external IP address(es).


HOST DETAILS PAGE

The Host Details page includes all the information collected by the system regarding the selected host. At the top of the

details page will be a timeline describing the lifecycle of the host.

The host relationship diagram displays how the host is related to other entities in the organization.

A. The center will contain the Host Name and Risk Level.

B. To the left will be all associated Files, Users, or Network entities. Clicking on an associated entity will drill into

the details page of that entity.

C. To the right will be all detected Indicators for this host.

▪ High severity indicators are denoted in Red

▪ Medium severity indicators are denoted in Gold

▪ Low severity indicators are denoted in Blue

▪ Positive indicators are denoted in Green



HOSTS MAP VIEW

The Hosts map view enables the operator to view the organization’s network segments and endpoints in an interconnected map display.

The Hosts map view is accessed via the ‘Hosts’ tab in the Forensic section: mark the checkbox next to ‘Map’.

After selecting the checkbox, the dashboard will change its presentation to the Map view.

The hosts may appear in three different colors, where each color represents the risk status of the host:

Red: High Risk

Yellow: Medium Risk

Blue: Low Risk.


Each object is clickable and will collapse or expand when selected. For example, after clicking on a host, the selected host’s detailed information will appear underneath the map.

In addition, another display layer is available, called ‘Deceptive View’. This view allows the operator to see exactly on which endpoints the Decoy files are deployed. To toggle between the views, mark the ‘Deceptive view’ checkbox in the top left corner.


HOSTS ACTIONS

The “Actions” icon enables the operator to run actions on all of the hosts in the organization (that is, the hosts currently being scanned by Cynet) with a single click.

After clicking on the “Actions” icon, a pop-up menu will open to the right side of the icon.

The actions feature provides the operator the ability to perform two types of actions on all of the hosts:

1) Run Command - This action will execute the specified commands on the selected host(s); the output will be captured and presented in the console. If the output contains multiple lines, it will be preserved in a text file format.

2) Run File - This action will allow a specified file to be run on the selected host(s). First, select a file from the local computer, then upload the file to the Cynet server. The Cynet server will then deploy the file to the host(s) to be executed.

Both actions execute operator-supplied code on every targeted host, so access to them should be restricted to the operators who need it.


HOSTS DETAILS

The bottom of the host details page contains multiple tabs with detailed information about this host.

▪ The Details tab contains metadata about the host such as host name, IP Address, Operating system, software

versions, and other data.

▪ The Alerts tab contains all alerts associated with this host.

▪ The Files tab contains all the files scanned on the host.

▪ The Users tab contains all the users logged into the host, and the locally configured user accounts.

▪ The Deception tab contains a list of all of the Decoy files which are deployed on the endpoint.

▪ The Traffic tab contains the open network sockets, cached DNS requests, configured IP addresses, ARP table entries, and NICs on the host.

▪ The System tab contains a list of security certificates, Operating System Updates installed, Installed Software,

and network shares on the host.

NOTE Certain tabs may not appear in the details page because there is no relevant data in the database to be displayed.


USERS

The Users page provides visibility of all scanned user accounts in the organization and the ability to obtain user-specific

information. The Users Inventory list by default contains the following columns:

▪ User Name – The name of the user account. This link takes you to the User Details Page.

▪ Risk Level – The user account’s current risk level

▪ Locked – Displays if the user account is currently locked out or not.

▪ Disabled – Displays if the user account is currently Disabled or not.

▪ Running Files – The number of files the user account is currently running.

▪ Password Age – The password age of the user account (in days old).

▪ Last Login – The date and timestamp when the user account last logged into a host.

▪ First Seen – The date and timestamp when the user account was first seen in the environment.

Inventory List columns can be altered using the Advanced Search by changing which fields are displayed.

USER FAVORITE SEARCHES

The Users page contains three default favorite searches. These default favorite searches cannot be edited or deleted.

They provide a quick and easy way to search for users based on:

▪ High Risk – User accounts with a high risk level

▪ Locked – User accounts which are locked out.

▪ Run Risky Files – User accounts running high risk files.


USER DETAILS PAGE

The User Details page includes all the information collected by the system regarding the selected user. At the top of the

details page will be a timeline describing the recorded events of the user.

The user relationship diagram displays how the user is related to other entities in the organization.

A. The center will contain the User Name and Risk Level.

B. To the left will be all associated Files, Hosts, or Network entities. Clicking on an associated entity will drill into

the details page of that entity.

C. To the right will be all detected Indicators for this user.

▪ High severity indicators are denoted in Red

▪ Medium severity indicators are denoted in Gold

▪ Low severity indicators are denoted in Blue

▪ Positive indicators are denoted in Green



The bottom of the user details page contains multiple tabs with detailed information about this user.

▪ The Details tab contains metadata about this user such as user name, Last login date, # of Files Running by

user, and the number of machines logged into by the user in the last day, week, month, etc.

▪ The Alerts tab contains all alerts associated with this user.

▪ The Files tab contains all the files being run by this user.

▪ The Hosts tab contains all the hosts this user has logged into.

▪ The Domains tab contains a list of domains that have been requested for resolution by this user.

▪ The Logins tab contains a list of all logins by this user across all scanned hosts.

NOTE Certain tabs may not appear in the details page because there is no relevant data in the database to be displayed.


DOMAINS

The Domains page provides visibility of all domains resolved on hosts in the environment. The Domains Inventory list by

default contains the following columns:

▪ Domain – The domain resolved. This link takes you to the Domain/IP Address Details Page.

▪ Risk Level – The domain’s current risk level.

▪ Classification – Displays the domain classification based on security intelligence.

▪ Date In – The date and timestamp when the domain was first resolved.

▪ Last Seen – The date and timestamp when the domain was last resolved.

▪ URL Count – The number of URLs visited with this domain.

▪ Host Count – The number of hosts that have resolved this domain.

▪ Remote IP Count – The number of remote IP addresses this domain has resolved to.

▪ Source IP Count – The number of local IPs that have resolved this domain.

▪ User Count – The number of users which have resolved this domain.

Inventory List columns can be altered using the Advanced Search by changing which fields are displayed.

DOMAIN FAVORITE SEARCHES

The Domains page contains two default favorite searches. These default favorite searches cannot be edited or deleted.

They provide a quick and easy way to search for domains based on:

▪ High Risk – Domains with a high risk level

▪ Detected by Security Intel – Domains identified using Cynet’s security intelligence feeds.


DOMAIN/IP ADDRESS DETAILS PAGE

The Domain/IP Address Details page includes all the information collected by the system regarding the selected domain or IP address. At the top of the details page will be a timeline describing the recorded events for the domain.

The domain relationship diagram displays how the domain is related to other entities in the organization.

A. The center will contain the Domain Name and Risk Level.

B. To the left will be all associated Files, Hosts, or Users. Clicking on an associated entity will drill into the details

page of that entity.

C. To the right will be all detected Indicators for this domain.

▪ High severity indicators are denoted in Red

▪ Medium severity indicators are denoted in Gold

▪ Low severity indicators are denoted in Blue

▪ Positive indicators are denoted in Green



DOMAIN ACTIONS

The “Actions” icon enables the operator to enter the IP/URL of an external address and perform a DNS remediation on that address for the entire organization.

DNS Remediation – This action will redirect all traffic to the domain to a specified IP address. This is done by creating a new zone in the internal DNS server that resolves the domain to the specified IP address. Any host in the network that attempts to resolve the domain will be given the specified IP address by the internal DNS server, preventing traffic from reaching the domain’s real IP address. Because the override lives on the internal DNS server, it only applies to hosts that resolve through that server: a host configured with an external resolver, or one still holding a cached answer for the domain, is not redirected until it queries the internal server again.
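To make the mechanism and its limits concrete, the following Python is an added example, not Cynet’s code: a small resolver with override zones that models the internal DNS server described above, plus a check that lists hosts whose configured DNS servers are not all internal and which a remediation zone therefore cannot protect. The host names, server addresses, the upstream answers and the assumption that an override zone also answers subdomains (as a wildcard record would) are all constructed for the example; the page only states that the domain itself is redirected.

```python
from __future__ import annotations
from ipaddress import ip_address
from typing import Dict, List, Optional, Set

# Internal DNS servers (assumed for the example).
INTERNAL_DNS_SERVERS: Set[str] = {"10.0.0.53", "10.0.1.53"}

# Constructed: DNS servers configured on each host's NICs (the sort of data
# the Host Details "Traffic" tab lists).
HOST_DNS_CONFIG: Dict[str, List[str]] = {
    "WS-0101": ["10.0.0.53"],
    "WS-0102": ["10.0.0.53", "10.0.1.53"],
    "LAPTOP-07": ["8.8.8.8"],              # hard-coded public resolver
    "SRV-DB01": ["10.0.0.53", "1.1.1.1"],  # public resolver as secondary
}

# Constructed upstream answers standing in for the real Internet
# (documentation address ranges only).
UPSTREAM: Dict[str, str] = {
    "evil.example": "198.51.100.7",
    "www.evil.example": "198.51.100.7",
    "cdn.good.example": "192.0.2.22",
}


def upstream_resolve(name: str) -> Optional[str]:
    return UPSTREAM.get(name)


class InternalDns:
    """Resolver that consults its override zones before forwarding upstream."""

    def __init__(self) -> None:
        self.zones: Dict[str, str] = {}

    def add_remediation_zone(self, domain: str, sinkhole_ip: str) -> None:
        # The operator chooses the sinkhole address; at least make sure it is one.
        ip_address(sinkhole_ip)
        self.zones[domain.lower().rstrip(".")] = sinkhole_ip

    def resolve(self, name: str) -> Optional[str]:
        name = name.lower().rstrip(".")
        # Assumption: the override zone answers subdomains too, as it would
        # with a wildcard record; walk from the full name up to the apex.
        labels = name.split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            if zone in self.zones:
                return self.zones[zone]
        return upstream_resolve(name)


def resolve_as_host(host: str, name: str, dns: InternalDns) -> Optional[str]:
    """What a host gets back, assuming it queries its first configured server."""
    first = HOST_DNS_CONFIG[host][0]
    return dns.resolve(name) if first in INTERNAL_DNS_SERVERS else upstream_resolve(name)


def uncovered_hosts(config: Dict[str, List[str]], internal: Set[str]) -> List[str]:
    """Hosts with any DNS server outside the internal set: an override zone on
    the internal server cannot stop them from reaching the real address."""
    return sorted(h for h, servers in config.items() if not set(servers) <= internal)


if __name__ == "__main__":
    dns = InternalDns()
    dns.add_remediation_zone("evil.example", "10.0.0.254")
    for host in HOST_DNS_CONFIG:
        print(host, resolve_as_host(host, "www.evil.example", dns))
    print("not covered:", uncovered_hosts(HOST_DNS_CONFIG, INTERNAL_DNS_SERVERS))
```

With the sample configuration, WS-0101 and WS-0102 receive the sinkhole address for www.evil.example while LAPTOP-07 still reaches the real one, and SRV-DB01 is flagged even though its first server is internal, because a failover to its public secondary would bypass the override. Running this kind of check against the DNS settings collected on the Traffic tab tells you where a DNS remediation needs a host-level action to back it up.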


SOCKETS

The Sockets page provides visibility of all network sockets created on hosts in the environment. The Sockets Inventory

list by default contains the following columns:

▪ Hostname – The host associated with the network traffic. This link takes you to the Host Details Page.

▪ Risk Level – The network socket’s current risk level.

▪ Local IP – The source IP address of the network traffic. This link takes you to the Domain/IP Address Details

Page.

▪ Local Port – The source port of the network traffic.

▪ Remote IP – The destination IP address of the network traffic. This link takes you to the Domain/IP Address

Details Page.

▪ Remote Port – The destination port of the network traffic.

▪ First Seen – The date and timestamp of when this network traffic was first seen.

▪ Last Seen – The date and timestamp of when this network traffic was last seen.

Inventory List columns can be altered using the Advanced Search by changing which fields are displayed.

SOCKET FAVORITE SEARCHES

The Sockets page contains one default favorite search. This default favorite search cannot be edited or deleted. It provides a quick and easy way to search for network sockets based on:

▪ High Risk – Network sockets with a high-risk level.


ACTIONS

The Actions page is broken up into five distinct sub-sections: Files, Hosts, Users, Network, and Auto Remediation. Each sub-section provides lists of actions taken by Cynet 360. Every page of the Actions section has the same basic layout:

A. The Sub-Menu, contains links to the pages:

▪ File Actions – Actions taken on files (See also File Actions section)

▪ Host Actions – Actions taken on hosts (See also Host Actions section)

▪ User Actions – Actions taken on user accounts (See also User Actions section)

▪ Network Actions – Actions taken on network traffic (See also Network Actions section)

▪ Auto Remediation – Auto Remediation rules (See also Auto Remediation section)

B. Some action pages (such as the File Actions page) contain Action Tabs, which provide additional actions that

can be taken. These include:

▪ Analysis – Analysis actions taken on files (See also Analysis Actions section)

▪ Deep Scan – Deep Scan actions taken on files (See also Deep Scan section)

C. The Quick Filter Bar provides the ability to quickly filter action lists by file name, host name, IP address, action taken, etc.

D. The Actions area provides the ability to export displayed action lists to an Excel (.xlsx) file and/or take additional

remediation actions. (See also the Analysis Actions & Remediation Actions sections)

E. The Actions List provides a list of all actions taken on files, hosts, users, and network traffic.



FILE ACTIONS

The File Actions page provides visibility of all actions taken on files in the environment. (See also the Remediation

Actions section). The File Actions list contains the following information:

▪ File Name – The file the action was taken on. This link will take you to the File Details Page.

▪ Host Name – The host the action was taken on. This link will take you to the Hosts Detail Page.

▪ Host IP – The IP address of the host the action was taken on. This link will take you to the Host Details Page.

▪ Time – The time the file action was initiated.

▪ Action Taken – The type of file action taken.

▪ Status – The result of the file action taken.

▪ Status Info – Additional information about the file action taken.

ANALYSIS

The Analysis page provides visibility of all file analysis actions taken on files in the environment. (See also the Analysis

Actions section). The Analysis list contains the following information:

▪ File Name – The file and path the file action was taken on. This link will take you to the File Details Page of that

file.

▪ Analysis Time – The date and timestamp of when the analysis action was initiated.

▪ Hashes – The hash of the file the analysis action was taken on. This link will take you to the File Details Page of

that file.

▪ Static Result – The result of static analysis on the file. This link will take you to Static Analysis tab of the File

Details Page of that file.

▪ Analysis Time - The date and timestamp of when the analysis action was completed.

▪ Dynamic Result - The result of dynamic analysis on the file. This link will take you to Dynamic Analysis tab of the

File Details Page of that file.


DEEP SCAN

The Deep Scan page provides visibility of all file deep scan actions taken on files in the environment. (See also the

Analysis Actions and Deep Scans sections) The deep scan list contains the following information:

▪ Scan ID – A unique identifier for an initiated deep scan.

▪ Host Name – The host that the deep scan was initiated on. This link will take you to the Host Details Page of

that host.

▪ File Name – The file name the deep scan action was taken on.

▪ SHA256 – The hash of the file the deep scan action was taken on. This link will take you to the File Details Page

of that file.

▪ Date In – The date and timestamp of when the deep scan action was initiated.

▪ Last Heartbeat – The date and timestamp of when the deep scanner last checked in with the Cynet server.

▪ Status – The last status update from the deep scanner

▪ Scan Detail – Details about the deep scan such as duration (in minutes), percentage completed, and the

number of actions monitored by the deep scanner.

HOST ACTIONS

The Host Actions page provides visibility of all actions taken on hosts in the environment. (See also the Remediation

Actions section). The Host Actions list contains the following information:

▪ Host Name – The host the action was taken on. This link will take you to the Host Details Page of that host.

▪ Time – The time the host action was initiated.

▪ Action Taken – The type of host action taken.

▪ Status – The result of the host action taken.

▪ Status Info – Information about the host action taken.

▪ Extra Details – Additional information about the host action taken.

USER ACTIONS

The User Actions page provides visibility of all actions taken on users in the environment (see also the Remediation Actions section). The User Actions list contains the following information:

▪ User Name – The user account the action was taken on. This link will take you to the User Details Page of that user account.

▪ Host Name – The host the user action was taken on (only for local user accounts).

▪ Time – The time the user action was initiated.

▪ Action Taken – The type of user action taken.

▪ Status – The result of the user action taken.

▪ Status Info – Information about the user action taken.

NETWORK ACTIONS

The Network Actions page provides visibility of all actions taken on network traffic in the environment (see also the Remediation Actions section). The Network Actions list contains the following information:

▪ Network Name – The network object the action was taken on. This link will take you to either the Domain Details Page or the IP Address Details Page.

▪ Host Name – The host the network action was taken on (only for local user accounts).

▪ Time – The time the network action was initiated.

▪ Action Taken – The type of network action taken.

▪ Status – The result of the network action taken.

▪ Status Info – Information about the network action taken.

AUTO REMEDIATION

The Auto Remediation page provides the ability to manage rules which allow Cynet 360 to automatically perform a remediation action when an alert is generated. These auto remediation rules can be configured to match alerts based on a number of factors, and take a remediation action to mitigate the threat. The Auto Remediation list contains the following information:

▪ Name – The provided name of the auto-remediation rule.

▪ Description – The provided description of the auto-remediation rule.

▪ Remediation – The remediation action that is taken when this rule is matched.

▪ Priority – The order in which auto-remediation rules will be processed.

▪ Date In – The date and timestamp when the auto-remediation rule was created.

CREATE AUTO REMEDIATION RULES

To create a new Auto Remediation rule, click the Add New Rule button in the top-right corner of the Auto Remediation page.

This will open the Auto Remediation creation menu on the right side of the page.

GENERAL CONFIGURATION

▪ Rule Name – Enter an alias for the rule.

▪ Description – Enter a description for the rule.

▪ Priority – Enter a number used by the system to identify which rule will be executed in the case where two auto remediation rules match a generated alert. The lower the number, the higher the priority (i.e., if an alert matches a rule with priority 1 and another with priority 5, the priority 1 rule’s remediation action will be executed).

MATCHING

▪ Alert Name – Enter a regular expression (REGEX) to match on the name of the alert. This allows for matching of multiple alerts with different names according to a pattern.

To match on all alert names, use the regular expression ( .* ).

▪ Host Groups – Select the host groups that should be used to match hosts in generated alerts. If the host in the alert is part of the selected host group(s), this criterion is met.

To match on all Host Groups, use the Select All option.

▪ Alert Severity – Select the severities that should be used when matching generated alerts. If the alert’s severity matches one of the selected severities, this criterion is met.

To match on all severities, use the Select All option.

ADVANCED MATCHING

▪ File – Enter a specific File Hash or File Name when matching this rule to a generated alert.

Leave this field empty to match on any file in an alert.

▪ User – Enter a specific User Name when matching this rule to a generated alert.

Leave this field empty to match on any user in an alert.

▪ Network – Enter a specific IP address, Domain, or URL when matching to an alert.

Leave this field empty to match on any network criteria in an alert.

▪ Hosts to Match – Enter specific host(s) when matching this rule to a generated alert. To add a new host match, click the Add New Match button, or click the Edit Match button to edit an existing host match entry.

Leave this field on the ALL selection to match on all hosts.

▪ Add New Match & Edit Match – When adding a new host match or editing an existing match criterion:

  ▪ Group Name – An alias for the host match entry.

  ▪ Hosts to Match – Enter a regular expression to match on the hostname. This allows for matching of multiple hosts with different names according to a pattern.

  To match on all host names, use the regular expression ( .* ).

  ▪ Selected OS – Select the operating system to match on from the drop-down menu. Operating systems in the list are pulled from scanned hosts.

  To match on all operating systems, use the Select All option.

ACTION

▪ Remediation Type – Select the type of remediation from the drop-down menu.

▪ Action – Select the action associated with the type of remediation from the drop-down menu.

Remediation Types and Actions available (see also the Remediation Actions section):

▪ File Remediation Actions

  ▪ Kill Process
  ▪ Quarantine File
  ▪ Delete File

▪ Host Remediation Actions

  ▪ Restart Machine
  ▪ Shutdown Machine
  ▪ Disable All NICs
  ▪ Run Command

▪ User Remediation Actions

  ▪ Disable User

▪ Network Remediation Actions

  ▪ Block Traffic

Once all configurations have been made for the Auto Remediation rule, click the Save button to save all changes. New rules will appear in the Auto Remediation dashboard.
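As an added illustration (not Cynet’s code), the following Python models the rule-matching semantics described in the Matching, Advanced Matching, Hosts to Match and Priority sections: an Alert Name regex where ( .* ) matches all, host-group and severity selections where Select All matches anything, advanced fields where an empty value matches any file, user or network object, a hostname regex, and lowest-number-wins priority. All field names, rules and alerts are constructed for the example and are not the product’s own API.

```python
"""Model of Cynet 360 auto remediation rule matching (added example, not Cynet's code).

Field names, sample rules and sample alerts are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Alert:
    name: str
    host: str
    host_groups: set[str]
    severity: str                    # "High", "Medium" or "Low"
    file_hash: Optional[str] = None
    user: Optional[str] = None
    network: Optional[str] = None


@dataclass
class Rule:
    name: str
    priority: int                    # lower number = higher priority
    remediation: str                 # "<Remediation Type> / <Action>"
    alert_name_regex: str = ".*"     # REGEX on the alert name; ".*" = all names
    host_groups: Optional[set[str]] = None   # None = Select All
    severities: Optional[set[str]] = None    # None = Select All
    file: Optional[str] = None       # empty = any file
    user: Optional[str] = None       # empty = any user
    network: Optional[str] = None    # empty = any network object
    host_regex: Optional[str] = None # Hosts to Match; None = ALL


def rule_matches(rule: Rule, alert: Alert) -> bool:
    """True when every configured criterion of the rule is met by the alert."""
    if not re.search(rule.alert_name_regex, alert.name):
        return False
    # Host Groups: met if the alert's host belongs to any selected group.
    if rule.host_groups is not None and not (rule.host_groups & alert.host_groups):
        return False
    if rule.severities is not None and alert.severity not in rule.severities:
        return False
    # Advanced matching: an empty field matches anything.
    if rule.file and rule.file != alert.file_hash:
        return False
    if rule.user and rule.user != alert.user:
        return False
    if rule.network and rule.network != alert.network:
        return False
    if rule.host_regex and not re.search(rule.host_regex, alert.host):
        return False
    return True


def select_rule(rules: list[Rule], alert: Alert) -> Optional[Rule]:
    """Among matching rules, the one with the lowest priority number is executed."""
    candidates = [r for r in rules if rule_matches(r, alert)]
    return min(candidates, key=lambda r: r.priority) if candidates else None


# Constructed sample rules (not from the product).
RULES = [
    Rule("catch-all-high", priority=5, remediation="Host Remediation / Disable All NICs",
         severities={"High"}),
    Rule("ransom-kill", priority=1, remediation="File Remediation / Kill Process",
         alert_name_regex="(?i)ransom", host_groups={"Workstations"}, host_regex=r"^WS-"),
    Rule("finance-user", priority=3, remediation="User Remediation / Disable User",
         severities={"High", "Medium"}, user="j.doe"),
]


def demo() -> dict[str, Optional[str]]:
    """Run constructed sample alerts through RULES; maps alert name -> remediation."""
    alerts = [
        Alert("Ransomware behaviour detected", "WS-017", {"Workstations"}, "High"),
        Alert("Suspicious login", "SRV-02", {"Servers"}, "Medium", user="j.doe"),
        Alert("Port scan", "SRV-03", {"Servers"}, "Low"),
    ]
    result = {}
    for a in alerts:
        chosen = select_rule(RULES, a)
        result[a.name] = chosen.remediation if chosen else None
    return result


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name!r:40} -> {action}")
```

The first alert matches both the priority 5 catch-all and the priority 1 ransomware rule, and the priority 1 rule’s action is the one selected.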

EDIT AUTO REMEDIATION RULES

To edit an Auto Remediation rule, click on the Auto Remediation rule name.

This will open the Auto Remediation editing menu on the right side of the page.

Then edit the rule according to the same steps as the Create Auto Remediation Rules section.

DELETE AUTO REMEDIATION RULES

To delete an Auto Remediation rule, select the rule to delete in the Auto Remediation rule list.

Then click the Delete button in the top-right corner of the Auto Remediation page.

The system will prompt you to confirm the Auto Remediation rule deletion. To complete the deletion, click the Confirm Delete button.

SCANNER

The Scanner page provides a simple interface to start and stop host scans and view the status of host scans. Ad-hoc scans can be performed on the Manual Scans page.

A. Scanner Action Buttons – Enable scan-related actions such as:

▪ Start/Stop Scanner – Starts or stops the scanner service.

▪ Restart Scans – Clears all displayed scan history and initiates the scanner service to rescan all hosts immediately.

▪ Export Scan-Errors – Exports scan errors to an Excel (.xlsx) report.

▪ Export Never Scanned Endpoints – Exports unscanned hosts to an Excel (.xlsx) report.

▪ Disable\Enable Auto Refresh – Disables or enables the auto refresh of the Scanned Endpoints table data.

▪ Reload Table Data – Refreshes the Scanned Endpoints table with the latest scan data received from endpoints.

B. Quick Filter – Allows users to quickly filter scanned hosts by Host Name/IP, Scan Start (date and timestamp), Scan End (date and timestamp), Scan Status, Status Details, scan Distribution Type, or details (see also the Group Information section for more about Distribution Types).

C. Today Scans – Displays today’s counts of successful and failed endpoint scans.

D. Scanned Endpoints – Lists the endpoints that Cynet 360 attempted to scan according to the configuration settings in the Scan Groups (see also the Scan Groups section).

E. Excel – Allows users to export the complete or filtered view of the Scanner page.

F. Actions – After selecting the checkbox of one or more endpoints and clicking the Actions icon, the user is presented with three scanner actions to run on the endpoints:

▪ Restart Scans – Stops the Cynet scanner process on the endpoints and reinitiates the scanner service to rescan all hosts immediately.

▪ Stop Scans – Stops the Cynet scanner process on the endpoints.

▪ Remove Scanner – Stops the Cynet scanner process on the endpoints and removes all Cynet files and folders from the endpoint.

MANUAL SCANS

The Manual Scans page allows users to initiate a manual scan of a host and view the status of an initiated manual scan.

A. Manual Scans – Enter the hostname or IP address of a host to be manually scanned and click the Scan Host button.

B. Quick Filter – Allows users to quickly filter manually scanned hosts by Scan Date, IP/Hostname, Distribution Type, Scan Status, or Scan Details.

C. Manual Scans List – Lists the endpoints that Cynet 360 attempted to scan using a manual scan.

NOTE Manually scanned hosts MUST be configured in a Scan Group in the Settings. If the host is not part of a configured scan group, either by hostname, IP address, IP range, or Active Directory OU, the manual scan will fail. This is because Cynet 360 does not know which scan credentials or distribution type to use when scanning the host.

REPORTS

The Reports page provides reporting capabilities on alerts and risks generated by the system.

A. Report Types – Use this drop-down menu to select the report type. There are two types:

▪ Alerts Report

▪ Top Risks Report

B. Date Range – Reports can be filtered to show items within a date range. Select the desired range and then click Go to apply it and view items within the date range.

C. Report Filters – Reports can be filtered to show all objects, or only files, hosts, users, or network objects.

D. Export Report – The Adobe PDF icon can be clicked to export the visible report to .pdf format.

ALERTS REPORT

The Alerts Report contains statistics on all alerts generated by the system within the specified date range. These reports can be filtered to display alerts for only files, hosts, users, or network objects.

The first graphic on the Alerts Report displays alerts by type over the given date range. Each object type is highlighted with a different color.

The second graphic displays the number of alerts by their current status (open/closed). This graphic will also highlight how many high, medium, and low severity alerts there were.

The bottom half of the Alerts Report contains the specific areas associated with these alerts in the given date range. Each file, user, host, and network traffic object that is part of these alerts will be displayed in the radar graphic.

TOP RISKS REPORT

The Top Risks Report contains reports for the files, hosts, users, and network traffic with the highest risk levels.

The first graphic displays the riskiest objects according to the current report filter (see Report Filters above). These can include the top 10 riskiest files, hosts, users, and network traffic objects.

The bottom half of this report lists these objects and some additional details for each.

VULNERABILITIES ASSESSMENT REPORT

The VA Report contains operational data generated by the system based on the VA configuration. These reports are divided into:

• Missing KBs on host (Microsoft OS patches)

• Agent Validation (security policy compliance)

• Application Patches Validation (3rd-party application patch validation, e.g. Java, Adobe, etc.)

• Unauthorized Applications

Each of these reports generates and downloads a CSV file with all the data; that data can be sent to the IT team in order to fix the issues.

INVENTORY REPORT

The Inventory Report contains operational data generated by the system based on the Cynet collection. This is part of the immediate visibility that Cynet provides, and it can help with many use cases such as:

• Creating and maintaining a CMDB

• Understanding which assets are protected

• Finding old or unsupported operating systems

• Etc.

EXPORTING REPORTS

Reports can be exported by using the Adobe PDF icon in the top-right corner of the page. The images below are examples of exported reports.

NOTE Be sure to disable your web browser’s pop-up blocker for the Cynet web interface. PDF reports are presented in a separate browser tab, and may be blocked by the pop-up blocker.

MAPS

The Maps page provides a geographical or topological representation of open alerts. See the Maps section of the Settings page to configure map locations.

The configured locations on the Maps page will appear as a green or red dot. High or Critical alerts will turn the green dot into a red dot. The red dot will increase in size based on the number of alerts generated from that particular location. Zoom into the map to see the configured regions.

AUDIT

The Audit Panel provides a full audit trail for all user actions in the system.

◼ The Cynet platform provides a full audit trail for any user actions performed in the system.

◼ The audit records are saved in the database and in external files.

◼ This document describes how to access and use the audit trail via the following methods:
  o Cynet UI
  o External log files

Audit using Cynet UI – Clicking on the Audit icon will navigate the user to the audit screen. The page lists all user actions being performed in the system.

◼ The Audit Table is visible, with the following attributes per audit record:
  o User Name – user that executed the action generating the audit record
  o Info – details about the action, including a short title of the action (e.g. “Authentication Mode Changed”), and a JSON payload containing extra details about the action (if one exists)
  o Action – name of the action executed
  o Category – category of the action in the system (Account\Settings\Remediation)
  o Action Time – time that the action was executed

◼ Filter\Sort area
  o Allows sorting according to any field
  o Allows filtering by any field (free text for text attributes, a list of predefined values for list attributes, from-to for date attributes)

◼ Paging
  o Defines how many entries will be loaded per page (default – 25)

◼ Export
  o All the data can be exported to a spreadsheet by clicking on the icon.

Audit using log files – By default, all audit records are located in the following path: “C:\Cynet360\logs\audit”.

◼ The audit files are cyclical. For every system restart, or every 50MB, a new file will be created in the following format: “CF_<CREATE_HOUR>T<CREATE_MINUTE>T<CREATE_SECOND>_<YYYYMMDD>.txt”

◼ The file is text-based and includes all audit records. Each record appears on a new line: “date hour Audit action:<action code>;userName:<user>; category:<category>; details:<description+Json>”

◼ See the following example:

====[-- Logging Start --]====
04/17/2018 06:57:10 Audit action:Login; category:Account; details:user operator logged in;
04/17/2018 06:58:30 Audit user:operator; action:SaveGroupInformation; category:Settings; details:scan group information saved, group info:{account name:EP-Admin, distribution type:CynetLauncher, scan mode:AlwaysOn, CPU limit:15, scan interval:60, scan history:3, Is guest user enabled:false, live file on:false, user EPS remediation:false, network attack detections:true, set network share:false, send only data increments:true, internet avialibility tests:false, Use decoy files:true, Allow credentials decoy:false, Alert if not scanned:false, Enable ETW:false, Etw RansomKill:false, Etw Ransom Kill:false, Etw Decoys:false, Ssdeep:false, Adt:true, Disable strings collection:false, Use driver:false, Driver block raw:false, Driver kill raw:false, Driver log Handle:false, Driver block Handle:false, UAlert:false, Etw Decoys Limit:100, Msi Update:false, Enable Update:true, Allow fuzzy remediation:false, FastScanDoKill:false, VAWindowsPatches:false, VA Risky Apps:false, VA Outdated Apps:false, VA Running Apps:false, VA Period Minutes:1440, TH Period Minutes:30, TH Enabled:false, AntiVirus Enable:false, AntiVirus Do Kill:false};;
04/17/2018 06:59:16 Audit user:operator; action:SaveAdvancedSettings; category:Settings; details:advanced settings saved, settings:{SettingsConnectivity:{ListenIP:169.254.250.12, ListenPort:443, SecondaryListenIP:null, SecondaryListenPort:null, ProxyConnectivity:{IP:null, Port:8080}}, SettingsPrivacy:{SendAlertsToSIEM:false, AnalyzeUniqueFiles:true, DaysToKeepAnalyzedFiles:30, DaysToKeepLogFiles:7, AnonymizeHostnames:false, AnonymizeUsers:false, AnonymizeUsersInternal:false, DisplayUserPhoto:false, PhotoAttributeInAD:null, IgnoreARP:false, IgnoreCertificate:false, IgnoreDNSCache:false, IgnoreHostsFileInformation:false, IgnoreInstalledSoftware:false, IgnoreIpSettings:false, IgnoreUserInformation:false, IgnoreMsUpdatesInformation:false, IgnoreNetworkInterfaceInformation:false, IgnoreNetworkHostSharesInformation:false, AllowSocFileAnalysis:true, AutomaticSystemUpgrade:true, DisableSyncOfCmdLineParamsToCloud:false, EnableFilesWhiteListing:true, IsSendMemoryStringsToCloud:true}, MasterSlave:{IsMasterServer:false, IsMaster:true, CurrentyLoggedClient:null, MasterDetails:{IP:null, Port:8443}, SlaveDetails:null}, DomainsWhiteListing:null, ScanThrottling:{RealScanMaxThreads:200, RPCTimeout:80, RPCPsExecTimeout:30, RemediationMaxThreads:300}, RemediationConfiguration:{MaxRetries:48, RetryInterval:30}, DecoyFilesListeningPort:8484, PoliciesExcludes:null, Signatures:null, UiTimeoutMinutes:20};;
04/17/2018 06:59:56 Audit user:operator; action:AddScannedEndpoint; category:Settings; details:scanned endpoint added, details:{ScannedEndpointType:HOST, Item:169.254.250.12};;
04/17/2018 07:00:02 Audit user:operator; action:DeleteScannedEndpoint; category:Settings; details:delete scanned endpoint:{Name:Main, ScannedEndpointType:HOST, Items:[192.168.3.4]};;
04/17/2018 07:05:04 Audit user:operator; action:AddUser; category:Settings; details:Add user with details:{UserName:guest, Level:DASHBOARD};;
04/17/2018 07:05:24 Audit user:operator; action:AddUser; category:Settings; details:Add user with details:{UserName:guest, Level:DASHBOARD};;
04/17/2018 07:05:52 Audit user:operator; action:AddUser; category:Settings; details:Add user with details:{UserName:Shai, Level:DASHBOARD};;
04/17/2018 07:05:59 Audit user:operator; action:AddUser; category:Settings; details:Add user with details:{UserName:Shai, Level:DASHBOARD};;
04/17/2018 07:06:53 Audit user:operator; action:SetAuthenticationMode; category:Settings; details:Authentication mode changed : Enable only Active directory Authentication;
04/17/2018 07:07:45 Audit user:operator; action:SetAuthenticationMode; category:Settings; details:Authentication mode changed : Enable only local Active directory;
04/17/2018 07:09:28 Audit user:operator; action:AddNewMapRange; category:Settings; details:new map range added, details:{name:IL Office, x coordinate:5270.0, y coordinate:-7437.0, from ip:169.254.224.1, to ip:169.254.224.254, hc key:il};;
04/17/2018 07:34:31 Audit user:operator; action:DeleteScannedEndpoint; category:Settings; details:delete scanned endpoint:{Name:Main, ScannedEndpointType:HOST, Items:[169.254.250.12]};;
04/17/2018 07:34:42 Audit user:operator; action:AddScannedEndpoint; category:Settings; details:scanned endpoint added, details:{ScannedEndpointType:HOST, Item:169.254.224.138};;
====[-- Logging Terminate --]====
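The following Python is an added example (not Cynet’s code) that parses audit records in the format documented above, so the external log files can be reviewed or forwarded without the UI. It assumes only what the guide shows: the “date hour Audit key:value; …” record layout, the CF_ file-name pattern, and that the user field may appear as either “user” or “userName” and may be absent (as in the Login record); the sample lines are copied from the example file above, and the watched-action list is the example’s own choice.

```python
"""Parser for Cynet 360 audit log records (added example, not Cynet's code).

Records are split on ';' only outside braces/brackets because the details
payload is JSON-like and records end in ";;"; key order and names vary
between records, so fields are collected by name rather than by position.
"""
from __future__ import annotations

import re
from datetime import datetime
from typing import Optional

# "MM/DD/YYYY HH:MM:SS Audit <key:value; key:value; ...>"
RECORD_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) Audit (.*)$")
# Audit file names: CF_<CREATE_HOUR>T<CREATE_MINUTE>T<CREATE_SECOND>_<YYYYMMDD>.txt
FILENAME_RE = re.compile(r"^CF_(\d{2})T(\d{2})T(\d{2})_(\d{8})\.txt$")


def split_top_level(payload: str) -> list[str]:
    """Split on ';' only when not nested inside {...} or [...]."""
    parts, depth, cur = [], 0, []
    for ch in payload:
        if ch in "{[":
            depth += 1
        elif ch in "}]":
            depth -= 1
        if ch == ";" and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_record(line: str) -> Optional[dict]:
    """Return {'time','user','action','category','details'} or None for banner lines."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None  # e.g. "====[-- Logging Start --]===="
    rec = {"time": datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"),
           "user": None, "action": None, "category": None, "details": ""}
    for part in split_top_level(m.group(2)):
        key, _, value = part.partition(":")   # first ':' only; details keep theirs
        key = key.strip().lower()
        if key == "username":                 # documented name for the user field
            key = "user"
        if key in rec:
            rec[key] = value.strip()
    return rec


def parse_audit_text(text: str) -> list[dict]:
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]


def audit_file_timestamp(name: str) -> Optional[datetime]:
    """Creation time encoded in a rotated audit file's name, for ordering files."""
    m = FILENAME_RE.match(name)
    if not m:
        return None
    hh, mm, ss, ymd = m.groups()
    return datetime.strptime(f"{ymd} {hh}:{mm}:{ss}", "%Y%m%d %H:%M:%S")


# Settings changes a reviewer would want to see in the audit trail (example's choice).
WATCHED_ACTIONS = {"SetAuthenticationMode", "AddUser", "SaveAdvancedSettings"}


def review_changes(records: list[dict]) -> list[tuple[str, Optional[str], str]]:
    """(time, user, action) for every watched settings change, in file order."""
    return [(r["time"].isoformat(sep=" "), r["user"], r["action"])
            for r in records if r["action"] in WATCHED_ACTIONS]


# Lines copied from the guide's example file.
SAMPLE = """====[-- Logging Start --]====
04/17/2018 06:57:10 Audit action:Login; category:Account; details:user operator logged in;
04/17/2018 07:05:04 Audit user:operator; action:AddUser; category:Settings; details:Add user with details:{UserName:guest, Level:DASHBOARD};;
04/17/2018 07:06:53 Audit user:operator; action:SetAuthenticationMode; category:Settings; details:Authentication mode changed : Enable only Active directory Authentication;
04/17/2018 07:34:31 Audit user:operator; action:DeleteScannedEndpoint; category:Settings; details:delete scanned endpoint:{Name:Main, ScannedEndpointType:HOST, Items:[169.254.250.12]};;
====[-- Logging Terminate --]====
"""

if __name__ == "__main__":
    for when, who, what in review_changes(parse_audit_text(SAMPLE)):
        print(when, who, what)
```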

SETTINGS

The Settings Panel provides extensive system management and configuration capabilities for the Cynet 360 platform. The panel is divided into the following tabs:

▪ Scan Groups – Settings for scan groups with separate scan settings, and includes:

  ▪ Scan Groups
  ▪ Group Information
  ▪ Scan Population
  ▪ Scan Scheduling

▪ Configuration – Settings for miscellaneous system configurations, and includes:

  ▪ Excluded IP Ranges
  ▪ Traffic Analysis
  ▪ Log Parser
  ▪ VPN Parser
  ▪ Import User Data from AD
  ▪ Import User Data from CSV File
  ▪ User SMS Notifications

▪ EPS Configuration – Settings for configuration of the CynetEPS and memory forensic analysis.

▪ Advanced – Settings for advanced scanning configuration, and includes:

  ▪ Connectivity
  ▪ Privacy & Compliance
  ▪ Master & Slave
  ▪ Policy Exclusions
  ▪ Scan Throttling
  ▪ Domain Whitelisting
  ▪ Remediation Settings
  ▪ Decoy File Settings
  ▪ UI Session Time Settings

▪ Users – Settings for the user accounts that access the Cynet system.

  ▪ Add/Edit/Delete Users
  ▪ Change Password

▪ Maps – Settings for the Maps page of the system.

▪ Analysis – Settings for analysis actions of the system.

  ▪ Smart Simulation Execution (SSE) sandbox
  ▪ Deep Scan

▪ Alerts – Settings for the configuration of alerts generated by the system.

  ▪ General Settings
  ▪ Immediate Alert Notification Settings
  ▪ Host No-Scan Alert Settings
  ▪ Alert Severity Configuration Settings

▪ Integrations – Settings for integration with other systems, such as Active Directory.

▪ Vulnerability Management – Settings for the Vulnerability Management feature.

▪ UBA Management – Settings for the UBA Management feature.

▪ Threat Hunting – Settings for the Threat Hunting feature.

▪ System Info – Information regarding the Cynet system.

  ▪ Main Info
  ▪ System Health

SCAN GROUPS

The Scan Groups page is used to configure how to scan endpoints. Different groups can be configured based on the endpoint type, IP subnet, or scanner mode. By default, there is a “default group” which can be used, or a new scan group can be created.

SCAN GROUP SETTINGS

Scan groups can be used to separate scanning settings between different areas of the organization such as subnets, computer types, departments, etc. All scan settings are saved to the group and are specific to that group. Scan groups can contain separate credentials for scanning, scan scheduling, distribution types, etc.

To create a new Scan Group:

A. Click the Create button.

B. Enter a Group Name and Group Description (optional) in the text boxes.

C. Click the Save button to create the new group.

Then make sure to select the appropriate Scan Group from the drop-down menu before editing the Group Information section.

To remove a Scan Group, select the correct group for deletion from the drop-down menu, then click the Delete Group button.

GROUP INFORMATION SETTINGS

The Scan Account is the account used to authenticate to hosts when they are scanned. Multiple sets of credentials can be saved in the system to be used on any scan group. All saved credentials are hashed and encrypted within the Cynet database.

For more information about configuring user account(s) to be used as a scan account (for Windows Domain & Local, Linux Local, and Mac Local), please see the Configuring Scan Accounts appendix of this guide.

Choosing the scanning platform:

▪ Choose the relevant operating system from the list.

▪ After choosing the platform, all the settings will be adjusted based on the selection.

To create a new scan account:

▪ Click the Create button.

NOTE Separate credentials are necessary for Windows, Linux and Mac hosts. Hosts of each OS type should be placed in a separate scan group, with separate credentials for each scan group.

NOTE Any group can include only one kind of operating platform.

▪ There will then be a prompt to enter an alias for this set of credentials.

▪ The Service option will use the credentials currently running the Cynet service on the server.

▪ The Credentials option requires entering a username, the password, and the domain (if an Active Directory account).

The Validate Credentials option will attempt to confirm that the entered credentials are valid by connecting to the domain controller. If the credentials are validated successfully, a success icon will appear; failed credentials will show a failure icon.

Then click the Save button to save the entered credentials.

NOTE If the credentials entered are a local Windows account or a local Linux account, a domain does not need to be specified.

NOTE The Validate Credentials functionality will only work for Active Directory credentials. Local Windows accounts or local Linux accounts will not validate.

The Distribution Type is the way the system will push the Cynet endpoint scanner (CynetEPS) to the endpoints. Distribution Types include:

▪ Auto – The Auto distribution type cycles through the other distribution types. If one distribution type fails, the system will proceed to the next type and attempt to scan the host. The order of types this setting will use is: Cynet Launcher, RPC-SMB One Way, and then RPC Task.

▪ Launcher – The Cynet Launcher type will authenticate to the endpoint(s) using the configured account credentials via CynetLauncher.exe and transmit the CynetEPS via SMB to be executed. This distribution type requires port 445 to be open on the endpoint(s).

▪ Scheduled Tasks – The Cynet server will authenticate to the endpoint(s) using the configured account credentials via MSRPC and transmit a task message to the endpoints to execute the CynetEPS. This distribution type requires TCP port 135 to be open on the endpoint(s).

▪ SSH – The Cynet server will authenticate to the endpoint(s) using the configured account credentials via SSH, transmit the CynetEPS, and run the daemon. This distribution type requires TCP port 22 to be open on the endpoint(s).

▪ RPC – The Cynet server will authenticate to the endpoint(s) using the configured account credentials via PsExec and transmit the CynetEPS via SMB to be executed. This distribution type requires TCP port 445 to be open on the endpoint(s).

▪ Manually Installed Agent – The Cynet server won’t perform the dispatching; the installation will be done using a 3rd-party system such as WSUS, SCCM, BigFix, etc.

Distribution Type settings are marked on the Scanner page in the Distribution Type column.

DEFINING MANUALLY INSTALLED AGENTS GROUP

In order to use this feature, a new distribution type is introduced to the scan groups: "Manually Installed Agents".

To create a group that contains manually installed agents:

1. Create a new scan group.

2. Go to Settings → Scan Groups → Distribution Type.

3. Choose "Manually Installed Agents".

4. From now on, this group will contain only agents that were manually installed.

ADDING AGENT TO MANUALLY INSTALLED GROUP

1. Pre-configure the host in the scan group population.

2. In order to add a Manually Installed Agent to a group as defined above:

  a. Add the agent to the group population (using one of the supported methods: host name, IP range, or OU).

  b. Install the agent using the MSI.

  c. The agent will be automatically associated with the group it was defined in.

3. This feature is also supported for Linux machines.

4. Make sure that the "Distribution Platform" parameter of the scan group is set to "Linux".

Changing group

1. Via the UI, delete the host from one scan group and add it to the other.

2. It’s also possible to Export and Import the host population.

ADDING AGENTS TO GROUPS USING CLI

Sending the "-group" argument to the EPS

In order to add a Manually Installed Agent to a group as defined above, the EPS accepts a new argument, "-group".

The argument names the group that the EPS should belong to.

To use this parameter:

1. Add "-group" to the MSI command line arguments, followed by the target group name.

2. When installing with the MSI, the Cynet MSI accepts this additional command line parameter for the group name. If

the group name exists, the host is assigned to that group; otherwise the host is assigned to the default MSI

group.

Changing group

1. To move an agent from one group to another, simply uninstall the MSI.

2. Install it again with the new group name as the argument.

The Scan Mode setting is the manner in which the system configures the Cynet endpoint scanner (CynetEPS) to run

on hosts. Scan Modes include:

▪ Interval – The CynetEPS will be deployed (see Distribution Type below) to the configured endpoint(s) at the

specified scan interval. The CynetEPS will self-terminate on the endpoints at the end of the scan cycle.

▪ AlwaysOn – The CynetEPS will be deployed (see Distribution Type below) to the configured endpoint(s)

immediately. The CynetEPS will continue to run after the initial scan has completed. This will ensure any new

change or activity on the endpoint(s) are collected and sent back to the Cynet server in real-time for analysis.

▪ Light Agent – The CynetEPS will be deployed (see Distribution Type below) to the configured endpoint(s)

immediately. The CynetEPS will continue to run after the initial scan has completed and a service will be created

so the CynetEPS starts when the endpoint(s) reboot.


Scan Mode settings are marked on the Scanner pages in the Status column. Hosts scanned in the Interval mode will show

the scan progress. Hosts scanned in the AlwaysOn and Light Agent modes will display their current status.

▪ Active Directory Domain - The domain which will be scanned. This setting is used to pull computers in the Scan

Population configuration section below.

▪ CPU Average Consumption - The maximum CPU usage the CynetEPS executable will use when running on

endpoints in this scan group.

▪ Scan Interval - The time interval which endpoints in this scan group will be scanned in Interval mode. If using

the AlwaysOn mode, this setting represents the duration interval the system will wait to redeploy to an

endpoint that has not checked in.

▪ Scan Results History – This setting configures the number of scan results that are kept in the Scanner page

history for each endpoint.

Some of the following settings vary depending on the distribution type or scan mode being used:

▪ EPS Remediation (appears only with Light Agent mode) – This setting is used in the Light Agent mode, and will

configure the CynetEPS to perform remediation actions rather than remediation actions being taken by the

Cynet service on the server.

▪ Network Attacks Detection (appears only with Light Agent & AlwaysOn modes) – This setting configures the

CynetEPS to detect network-based attacks being performed on the host. The CynetEPS binds itself to the

endpoint NIC to see all network traffic being performed on the host.

▪ EPS Network share (only necessary for Task Scheduler distribution type) - This setting is used for Scheduled

Task distribution types so the endpoints can pull the CynetEPS from a read-only network share on the Cynet

server.

▪ EPS Delta Changes (appears only with Interval mode) - This setting will configure the CynetEPS to send only

new or modified metadata to the server, limiting the amount of data sent over the network.


▪ Internet Availability Check – This setting will configure the CynetEPS to check the endpoint(s) for internet

connectivity. This setting weights some threat indicators differently based on the ability to connect directly to

the internet.

▪ Memory Injection Remediation – This setting will allow the CynetEPS to automatically kill any process that

performs a memory injection or an illegal usage of memory on a scanned host. (Most useful for immediate

Ransomware mitigation).

▪ Decoy Files (available only with Light Agent & AlwaysOn modes) – This setting will create decoy files on the

scanned host(s). Cynet 360 will deploy deception files with beaconing functionality which will generate an alert

when accessed. See also the Decoys section.

▪ Credential Decoy Detection (appears only when Use Decoy Files is enabled) – This setting deploys imitation

credentials to various parts of the host for deception purposes. When these credentials are used or accessed,

the system will generate an alert. The Use Decoy Files settings must be enabled in order to enable the

Credentials Decoy. See also the Decoys section.

▪ Unscanned Group Alert – This setting will generate an alert if most of the scan population of this group is not

being scanned.


▪ Advanced Detection Technology – This setting enables the Advanced Detection Technology (ADT) heuristic

engine. The ADT engine will allow the Cynet EPS to detect threats using behavioral analysis.

▪ ADT – Behavioral Heuristic Remediation – This setting enables the behavioral heuristic remediation capabilities

of the ADT.

▪ ADT - Ransomware Heuristic Detection (appears only in AlwaysOn and Light Agent mode) – This setting

enables the ransomware detection capabilities of the ADT engine in the Cynet EPS.

▪ ADT - Ransomware Heuristic Remediation (appears only when Ransomware Heuristic Detection is enabled) –

This setting enables the ransomware remediation capabilities of the ADT engine. When ransomware is detected

using the ADT engine, it will automatically be stopped.

▪ ADT - Ransomware Heuristic Decoys (appears only when Ransomware Heuristic Detection is enabled) – This

setting enables ransomware detection through the use of hidden decoy files created on scanned endpoints.

These decoy files are separate files from the Decoys functionality of the system. These specific files are

designed to detect modifications by ransomware.

▪ ADT - Ransomware Heuristic Decoy Disk Space Limit (appears only when Ransomware Heuristic Decoys is enabled)

– This setting limits the amount of disk space the Ransomware Heuristic Decoys can consume on an endpoint

(in MB).

NOTE In order to audit some of the credential decoys, the built-in guest account needs to be enabled on the Cynet

server. This is OPTIONAL based on your organization’s security policies and is only used for auditing. The credential

decoys will still function as intended.


▪ ADT – Fuzzy Hashing Detection – This setting enables the Cynet EPS to use fuzzy hashing techniques to detect

malware. This technique mathematically calculates similarities between files. This detection method

allows the system to detect previously unknown variants of malware through similar or shared code between

malware samples.

▪ ADT - Fuzzy Hashing Remediation (appears only when Fuzzy Hashing Detection is enabled) – This setting

enables remediation capabilities of the Fuzzy Hashing detection mechanism. When malware is detected using

this method, it will automatically be stopped.

▪ Disable String Collection – This setting disables memory string collection by the EPS for all hosts in this scan

group.

▪ Memory Protection Mode – This setting enables the EPS to run at the kernel level. While in memory protection

mode, the EPS gains visibility into kernel-level threats and enables an anti-tampering mechanism, which

prevents the EPS process from being terminated on the host.

▪ Raw Disk Writing Prevention (appears only when Memory Protection Mode is enabled) – This setting enables

the EPS to prevent raw disk writing, such as writing to the MBR.

▪ Raw Disk Writing Process Termination (appears only when Raw Disk Writing Prevention is enabled) – This

setting enables the EPS to automatically terminate a process that attempts to perform a raw disk write.

▪ Memory Injection Prevention (appears only when Memory Protection Mode is enabled) – This setting enables

the EPS to pre-emptively terminate a process performing a memory injection at the kernel level.


▪ EPS Alert Messages – This setting enables the EPS to display an alert message on the host when a threat is

detected.

▪ EPS Fast Scan Detection – This setting enables the EPS to send scan data from hosts to the Cynet server

immediately for analysis. In normal operation, the EPS sends this data in increments to reduce network traffic

congestion.

▪ EPS Fast Scan Remediation – This setting enables the EPS to automatically terminate any process that is

detected as a threat using the fast scan detection method.

▪ Enable Windows Patch Validation – This setting enables the Windows patch validation function, part of the

Vulnerability Management feature.

▪ Enable Unauthorized Applications Validation – This setting enables the unauthorized applications validation

function, part of the Vulnerability Management feature.

▪ Enable Application Patch Validation – This setting enables the application patch validation function, part of

the Vulnerability Management feature.

▪ Enable Agents Validation – This setting enables the agent validation function, part of the Vulnerability

Management feature.

▪ Encryption Token – This setting generates a random encryption token that is used to encrypt the password of

the Scan Account in this group, so that the stored password is not recoverable without the token.

Click the Save button to ensure all configuration changes are saved.


SCAN POPULATION SETTINGS

There are three ways to add endpoints to a scan group: individually via hostname/IP address, IP address ranges, or

Active Directory OUs.

▪ Endpoints – New endpoints can be added to the scan group population by entering either an individual

hostname or IP address.

✓ Example: Explicit hostname host1344

✓ Example: Explicit IP Address 192.168.220.101

▪ Import from File

o Clicking Import opens the following dialog window.

o Once the file is chosen and uploaded, the system shows a confirmation message.

NOTE When entering a hostname, ensure the Cynet server is able to resolve the hostname to an IP address to connect

and scan the host.


o Example CSV file:

o The list from the CSV is imported into the population list:


▪ IP Ranges – New endpoints can be added to the scan group population by entering an IP address range or CIDR

range. The system will look for all active hosts within the range and add them to the list.

✓ Example: IP Range w/ subnet suffix 192.168.1.0/24

✓ Example: IP Range 192.168.1.0-192.168.1.255

▪ Active Directory – New endpoints can be added to the scan group population by entering the names of Active

Directory OUs. The system will poll the active directory domain specified in the Group Information setting and

look for all computer objects in this OU.

✓ Example: Entire AD OU Tree .*

✓ Example: Add specific OU Servers

✓ Example: Exclude specific OU !Workstations

✓ Example: Nested OU Workstations+LocationA+Laptops

NOTE When a valid IP Range or CIDR range is entered, the number of addresses within that range will appear to the

right of the Add button.

NOTE Distinguished Names (DNs) for OUs do not need to be entered. The system will perform a query in the tree

structure for any OU that matches the entered name.

NOTE If multiple OUs contain the same name but reside in different branches of the tree structure, use the Nested OU

option (+ symbol) to specify the branch OU that should be polled.

NOTE When uploading a file, make sure that the CSV file contains only hostnames, all in the same column, with no empty

lines or title row.


To exclude an OU from being polled, prefix the OU name with the “!” character. Excluded OUs will be highlighted in red.

Click the Sync button to manually poll Active Directory for the current list of computer objects in the specified OUs and

refresh the endpoints list.

To remove a host, IP range, or OU from the scan population, select the item and click the Delete button. The system will

prompt you to confirm the deletion.

NOTE The Active Directory sync may take a few minutes, depending on the number of OUs specified and the number of

hosts that exist in the OUs. Once the sync has completed, there should be a ‘Synced Successfully’ message.
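The population entries described above (IP ranges, CIDR ranges, OU expressions and the hostname CSV) can be sanity-checked before they are added to a group. The script below is an added example, not Cynet code: it counts the addresses an IP Range entry covers (the number the UI shows next to the Add button), decides which computer DNs a list of OU entries selects, and validates a hostname CSV against the rules in the note above. The OU matching rules (any OU of that name anywhere in the tree, "!" excludes, "+" names a nested branch, ".*" is the whole tree) are my reading of the guide, not Cynet's actual query; the DN and CSV contents are constructed samples.

```python
"""Scan population helpers: address counts for IP Range entries, OU entry
matching against computer DNs, and a check of a hostname CSV before import.

Added example, not Cynet code. The OU matching rules below are my reading of
the guide (any OU of that name; '!' excludes; '+' names a nested branch;
'.*' is the whole tree), not a reproduction of Cynet's directory query."""
import ipaddress
import re


def count_addresses(entry):
    """Addresses covered by '192.168.1.0/24', '192.168.1.0-192.168.1.255' or
    a single IP. Raises ValueError for anything that is not an IP entry."""
    entry = entry.strip()
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False).num_addresses
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end precedes start: {entry}")
        return int(hi) - int(lo) + 1
    ipaddress.ip_address(entry)  # explicit single address
    return 1


def ou_path(dn):
    """Top-down OU names of a DN, e.g. ['Workstations', 'LocationA', 'Laptops']."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]   # split on unescaped commas
    ous = [r[3:] for r in rdns if r.upper().startswith("OU=")]
    return list(reversed(ous))  # a DN lists the leaf first; we want root first


def _contains_branch(path, branch):
    """True if 'branch' occurs as a contiguous top-down run inside 'path'."""
    n = len(branch)
    return any(path[i:i + n] == branch for i in range(len(path) - n + 1))


def in_population(ou_entries, dn):
    """Decide whether the computer with this DN is selected by the OU entries.
    Assumed semantics: '.*' selects everything, 'Name' selects computers under
    any OU called Name, 'A+B+C' selects the branch A/B/C, '!Name' excludes and
    an exclusion always wins over an inclusion."""
    path = ou_path(dn)
    included = False
    for entry in ou_entries:
        entry = entry.strip()
        if not entry:
            continue
        if entry == ".*":
            included = True
            continue
        exclude = entry.startswith("!")
        branch = entry.lstrip("!").split("+")
        if _contains_branch(path, branch):
            if exclude:
                return False
            included = True
    return included


def check_hostname_csv(text):
    """Validate the hostname CSV from the note above: one hostname per line,
    a single column, no title row, no empty lines. Returns (hosts, problems)."""
    hosts, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            problems.append(f"line {lineno}: empty line")
        elif "," in line:
            problems.append(f"line {lineno}: more than one column")
        elif not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9.-]*", line):
            problems.append(f"line {lineno}: not a hostname: {line!r}")
        else:
            hosts.append(line)
    if hosts and hosts[0].lower() in ("hostname", "host", "name"):
        problems.append("line 1: looks like a title row")
    return hosts, problems
```

Because an exclusion wins unconditionally in this reading, a group defined as ".*" plus "!Workstations" never scans a laptop under Workstations even if "Laptops" is also listed; if that is not the intent, list the branch explicitly and drop the exclusion.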


SCAN SCHEDULE SETTINGS

Scan groups can be configured to be scanned according to a schedule. By default, all days and all times are enabled for

scanning.

A. To disable scanning on a day of the week remove the check from the checkbox.

B. To set time restrictions for scans, enter the Start and End times. Times are in HH:MM format (24-hour format).

C. Alternatively, the times when scans should NOT be performed can be configured by removing the check from

the Scan Enabled check box of that schedule entry.

D. To add a new scan schedule, click the Add button and configure the scan settings.

NOTE To disable the whole scan group, uncheck the “scan enabled” checkbox and then click Update. This will ensure

that the system does not scan any hosts in this scan group.

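The schedule settings above (a checkbox per day of the week, Start and End times in 24-hour HH:MM, and the group-wide Scan Enabled switch) are easy to get wrong for windows that span midnight. The script below is an added example, not Cynet code: it evaluates such a schedule for a given timestamp. The guide does not say how Cynet treats an End time earlier than the Start time; here such a window is assumed to cross midnight, and the sample schedule is constructed.

```python
"""Evaluate a scan schedule of the kind described above: per-day checkboxes
and Start/End times in 24-hour HH:MM. Added example, not Cynet code. The
guide does not say how Cynet treats a window whose End is earlier than its
Start; here such a window is assumed to cross midnight (e.g. 22:00-06:00)."""
from datetime import datetime, time

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")  # datetime.weekday() order


def parse_hhmm(text):
    """'22:30' -> time(22, 30); rejects anything that is not 24-hour HH:MM."""
    hours, minutes = text.strip().split(":")
    hours, minutes = int(hours), int(minutes)
    if not (0 <= hours <= 23 and 0 <= minutes <= 59):
        raise ValueError(f"not a 24-hour HH:MM time: {text!r}")
    return time(hours, minutes)


def in_window(now, start, end):
    """True if clock time 'now' lies in [start, end). When end < start the
    window is taken to wrap past midnight (assumption, see module docstring)."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def scan_allowed(schedule, at):
    """schedule = {'enabled': bool, 'days': set of DAYS, 'windows': [('HH:MM', 'HH:MM'), ...]}.
    A missing 'days' means every day; an empty 'windows' list means all times
    of the enabled days, which is the guide's default."""
    if not schedule.get("enabled", True):  # unchecked 'scan enabled' = whole group off
        return False
    if DAYS[at.weekday()] not in schedule.get("days", set(DAYS)):
        return False
    windows = schedule.get("windows") or []
    if not windows:
        return True
    clock = at.time()
    return any(in_window(clock, parse_hhmm(s), parse_hhmm(e)) for s, e in windows)


def allowed_at(schedule, iso_timestamp):
    """Convenience wrapper taking an ISO timestamp such as '2024-03-04T23:15'."""
    return scan_allowed(schedule, datetime.fromisoformat(iso_timestamp))


# Constructed sample schedule: scan only on weeknights, 22:00 to 06:00.
NIGHT_SHIFT = {
    "enabled": True,
    "days": {"Mon", "Tue", "Wed", "Thu", "Fri"},
    "windows": [("22:00", "06:00")],
}
```

Note the design choice: the day checkbox is applied to the calendar day the clock time falls in, so a Friday 22:00-06:00 window stops at midnight unless Saturday is also enabled. Verify which convention the console actually uses before relying on overnight windows.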


CONFIGURATION

The Configuration page contains settings such as Analytics Server, Excluded IP Ranges, Log & VPN Parser, and Traffic

Analysis settings.

ANALYTICS SERVER CONFIGURATIONS

As part of the File Monitoring feature, Cynet requires an analytics server (based on ELK); this configuration sets up the

connection between the Cynet server and the analytics server. Once the "Configure analytics server" checkbox is checked,

fill in the following fields.

EXCLUSION SETTINGS

Individual IP addresses, IP address ranges or hostnames can be excluded from scanning, regardless of whether they are

configured in a scan group. To exclude them from being scanned:

Enter an IP, IP range or hostname into the text box. Acceptable formats are as follows:

▪ Example – Explicit IP Address: 192.168.0.1

▪ Example – IP Address Range: 192.168.0.1-192.168.0.255

▪ Example – IP Address w/ subnet prefix: 192.168.0.1/24

▪ Example – Hostname: Shai-LG-Laptop

Click the Add button to add the exclusion to the list.

NOTE The File Monitoring feature cannot work without an analytics server.


To remove an IP address or IP range from the exclusion list, select the item and click the Delete button. The system will

prompt you to confirm the deletion.

NETWORK TRAFFIC ANALYSIS SETTINGS

The Traffic Analysis settings allow configuration of which network interface card (NIC) to use for analyzing traffic from a

SPAN port or network tap port.

1. Select the NIC to be used for network traffic analysis.

2. Click Save Adapters to save the configuration settings.

NOTE When a valid IP Range or CIDR range is entered, the number of addresses within that range will appear to the

right of the Add button.


LOG PARSER SETTINGS

The Log Parser settings allows for parsing and ingesting log data from external sources such as a proxy server. To

configure a new set of logs to parse:

Click the Create button. This will open the Log Parser definition Window.

In the Log Parser definition window, you can define how to parse proxy logs. Any log entry consists of columns

separated by one or more spaces (a column represents a field).

Optionally parsed fields:

▪ Source IP - The IP address of the requesting instance, i.e. the client IP address.

▪ Destination IP – The destination IP address of the requested domain.

▪ User - The user identity of the requesting client.

▪ Request method - The request method used to obtain an object.

▪ URL - This column contains the URL requested.

▪ Date - The time when the proxy server started to log the transaction, which normally happens at the end of the

transaction lifecycle, after the entire request was received from, and the entire response sent to, the HTTP

client.

▪ Host - Hostname from the original URL requested.

▪ Port – Destination port.

▪ Event Identifier - A unique number in every log that identifies it from all others.

▪ Regex Separator – The character(s) which separate fields of information in the log.

▪ Fields Format Type – There are two types of field format: By Name or By Offset. Parsing by name extracts

fields from the log according to each field's name. Parsing by offset extracts fields from the log according to

each field's column location.

Every log file has a different set of fields, and not all logs have the same fields. Therefore each file has its own

parsing configuration.

Parser mode of operation:

In order to extract a field from a log entry, the parser walks through a string, formatted in the configuration table for the

current log file and field. Each character in the formatted string indicates the next step the parser should take. The basic

string format is an integer, indicating the column index where the requested data is. For example, the URL field string

format may be "2" because the URL is in the third column of the log entry.

Formatting rules:

▪ Columns are separated by one or more spaces unless they are enclosed in quotation marks.

▪ The first column index is zero.

▪ For an undefined field, set "100".

▪ Concatenating two columns: index1 + index2

▪ Removing a prefix: index - prefixSize. For example, if the column reads user=Bella and only Bella is wanted

(assuming the user is in the second column), the User string format is 1 - 5.

▪ For fields that sit in a different column in each row but carry a fixed prefix: ~ prefix. For example, if every URL

includes the prefix request= (as in request=http://www.google.com), the URL format string is ~ request= and the

parser searches each line for the column that starts with that prefix and extracts the data from it.

▪ Remark: there must be a space between each index, +, - and ~ in the string format. For example: ~ request - 7 + 8.

Example: In the example below, the following proxy log line is parsed to match the correct fields. In the Log Parser

definition window, a proxy parser name is entered and each field's column index is entered next to its corresponding

field name. Once the parser is defined, click Save.

Sample log line:

20161208 748 192.168.0.227 200 user 80 GET http://dm.com/default.jpg 209.85.153.118 image/jpeg4

Column indices (zero-based): 0 = 20161208, 1 = 748, 2 = 192.168.0.227, 3 = 200, 4 = user, 5 = 80, 6 = GET,

7 = http://dm.com/default.jpg, 8 = 209.85.153.118, 9 = image/jpeg4
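The formatting rules above can be exercised outside the console before a parser is saved. The script below is an added example, not Cynet's parser: it splits a log entry into columns the way the rules describe (spaces separate columns unless quoted) and evaluates a field's format string (integer index, "100" for undefined, "+", "- n", "~ prefix") against the sample proxy line from this page. Where the guide is silent the behaviour is an assumption, marked in the comments: "~ prefix" returns the whole matching column so that "- n" can strip the prefix, and a column index beyond the end of the line yields an empty (None) field rather than an error. The same offset rules apply to the VPN parser later in this chapter.

```python
"""Offset-mode field extraction following the formatting rules above
(zero-based column index, '100' for undefined, 'a + b' to join columns,
'i - n' to drop a prefix of n characters, '~ prefix' to locate a column by
its prefix). Added example, not Cynet's parser: where the guide is silent
(what '~' returns, what a missing column yields) the behaviour here is my
assumption and is marked as such in the comments."""
import re

UNDEFINED = "100"
# A column is a run of non-space text; a quoted stretch inside it may hold spaces.
COLUMN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def split_columns(line):
    """Columns separated by one or more spaces unless inside quotation marks."""
    cols = COLUMN_RE.findall(line)
    # drop the quotes from a column that is entirely quoted, e.g. "Hong Kong"
    return [c[1:-1] if len(c) >= 2 and c[0] == c[-1] == '"' else c for c in cols]


def extract(fmt, columns):
    """Apply one field's format string to the columns of a log entry.
    Returns None for an undefined field or a column that does not exist."""
    tokens = fmt.split()  # rule: every index, +, -, ~ is separated by a space
    if not tokens or tokens == [UNDEFINED]:
        return None
    value, i, op = None, 0, "+"  # the first term is appended to an empty value
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("+", "-"):
            op, i = tok, i + 1
            continue
        if tok == "~":  # '~ prefix': the column whose text starts with prefix
            prefix = tokens[i + 1]
            term = next((c for c in columns if c.startswith(prefix)), None)
            i += 2
        elif tok.isdigit() and op == "-":
            term = int(tok)  # 'i - n': n is a character count, not a column index
            i += 1
        elif tok.isdigit():
            idx = int(tok)
            term = columns[idx] if idx < len(columns) else None  # assumption: missing -> None
            i += 1
        else:
            raise ValueError(f"bad token {tok!r} in format {fmt!r}")
        if term is None:
            return None
        if op == "-":
            value = (value or "")[term:]  # assumption: '-' drops that many leading characters
        else:
            value = (value or "") + term  # '+' joins columns with no separator
        op = "+"
    return value


def parse_entry(line, field_formats):
    """Map every configured field to its value for one log line."""
    cols = split_columns(line)
    return {name: extract(fmt, cols) for name, fmt in field_formats.items()}


# The proxy log line from the guide and a format table matching its columns.
SAMPLE_LINE = ("20161208 748 192.168.0.227 200 user 80 GET "
               "http://dm.com/default.jpg 209.85.153.118 image/jpeg4")
PROXY_FORMATS = {
    "Date": "0",
    "Source IP": "2",
    "User": "4",
    "Port": "5",
    "Request method": "6",
    "URL": "7",
    "Destination IP": "8",
    "Host": "~ http:// - 7",     # locate by prefix, then strip the 7-character scheme
    "Event Identifier": UNDEFINED,
}
```

Run parse_entry(SAMPLE_LINE, PROXY_FORMATS) and compare the result with what the Verify Parser button shows; if the two disagree on a field, the format string is ambiguous under the rules and is worth simplifying before the parser is used on a live log directory.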


To test a defined parser to ensure it is formatted correctly:

1. Ensure the correct parser is selected from the drop-down menu

2. Enter your sample log string in the text box

3. Click the Verify Parser button to begin parsing your log string

4. Check that the field names match up to the correct fields within the log string

▪ If necessary, you can go back to fix defined parsers by clicking the Edit Parser button.

▪ To remove a defined parser, click the Delete button.

Parser mode of operation – using Name Indication:

In order to extract a field from a log entry, the parser walks through a string, formatted in the configuration table for the

current log file and field. Each character in the formatted string indicates the next step the parser should take. In name

mode the basic string format is a key indication: the field name (key) followed by the requested data. For example, the

URL field is located by the key url in a token such as url:http://www.gmail.com;

NOTE The Proxy Parser name must be formatted correctly, and include the word "proxy" followed by an integer to

identify it.



Example: In the example below, the following VPN log is parsed to match the correct fields based on token names. In

the Log Parser definition window, a parser name is entered, and each field's token name is entered next to its

corresponding field name.

<189>date=2018-08-09 time=09:51:08 devname="Cynet-FW" devid="FG100ETK18000005" logid="0000000013" type="traffic"
subtype="forward" level="notice" vd="root" eventtime=1533797468 srcip=192.168.1.35 srcname="Cynet-Office-LAB" srcport=51235
srcintf="port16" srcintfrole="lan" dstip=52.114.7.36 dstport=443 dstintf="wan1" dstintfrole="wan"
poluuid="12d62dd6-8f3a-51e8-499b-f7ba3b95e538" sessionid=24606457 proto=6 action=https://github.com/rreer/ert policyid=1
policytype="policy" service="HTTPS" dstcountry="Hong Kong" srccountry="Reserved" trandisp="snat" transip=213.57.20.194
transport=51235 appid=41469 app="Microsoft.Portal" appcat="Collaboration" apprisk="elevated" applist="default" duration=2
sentbyte=3512 rcvdbyte=4130 sentpkt=9 rcvdpkt=7 utmaction="allow" countapp=1 devtype="Windows PC"
devcategory="Windows Device" osname="Windows 10 / 2016" mastersrcmac="9c:5c:8e:86:c5:80" srcmac="9c:5c:8e:86:c5:80" srcserver=0
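The name-mode entry above is the kind of key=value log that a small tokenizer can check before the parser is saved in the console. The script below is an added example, not Cynet's parser: it strips the syslog <PRI> prefix, splits the line into key=value tokens on a configurable separator while keeping quoted values (such as "Hong Kong" or "Windows 10 / 2016") intact, and maps the Cynet field names to the token names entered in the Log Parser window. The token-name mapping and the shortened copy of the sample line are constructed for the example; treating the separator as a regular expression is my reading of the "Regex Separator" field, and the <PRI> handling is an addition.

```python
"""Name-mode (token) field extraction for key=value logs like the entry above.
Added example, not Cynet's parser. The Regex Separator is treated as a regular
expression between tokens (my reading of that field), and the leading syslog
<PRI> is split off before tokenizing (my addition)."""
import re

PRI_RE = re.compile(r"^<(\d{1,3})>")


def strip_pri(line):
    """Split off a leading syslog <PRI>; returns (facility, severity, rest).
    Without a PRI, facility and severity are None and the line is unchanged."""
    m = PRI_RE.match(line)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    return pri // 8, pri % 8, line[m.end():].lstrip()


def tokenize(line, separator=r"\s+"):
    """Split the line into key=value tokens on 'separator' (a regex), treating
    "quoted" stretches as opaque so values like "Hong Kong" survive. Tokens
    without '=' (for example a bare 'VPN:' word) are ignored."""
    token_re = re.compile(rf'(?:"[^"]*"|(?!{separator})[^"])+')
    fields = {}
    for tok in token_re.findall(line):
        if "=" not in tok:
            continue
        key, _, value = tok.partition("=")  # split on the first '=' only
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]             # drop the surrounding quotes
        fields[key.strip()] = value
    return fields


def parse_entry(line, field_tokens, separator=r"\s+"):
    """field_tokens maps a Cynet field name to the log key entered for it in
    the Log Parser window. Keys absent from the line yield None; the syslog
    facility/severity pair is returned under '_pri'."""
    facility, severity, body = strip_pri(line)
    fields = tokenize(body, separator)
    result = {name: fields.get(key) for name, key in field_tokens.items()}
    result["_pri"] = (facility, severity)
    return result


# Shortened copy of the sample line from this page (constructed for the example).
SAMPLE = ('<189>date=2018-08-09 time=09:51:08 devname="Cynet-FW" '
          'devid="FG100ETK18000005" logid="0000000013" type="traffic" level="notice" '
          'srcip=192.168.1.35 srcname="Cynet-Office-LAB" srcport=51235 '
          'dstip=52.114.7.36 dstport=443 sessionid=24606457 proto=6 '
          'service="HTTPS" dstcountry="Hong Kong" srccountry="Reserved" '
          'devtype="Windows PC" osname="Windows 10 / 2016" srcmac="9c:5c:8e:86:c5:80"')

# Hypothetical token names as they would be typed into the Log Parser window.
FIELD_TOKENS = {
    "Source IP": "srcip",
    "Destination IP": "dstip",
    "Host": "srcname",
    "Port": "dstport",
    "Date": "date",
    "Event Identifier": "sessionid",
    "User": "user",  # a traffic log carries no user key, so this yields None
}
```

A field that comes back None for every line of a sample file almost always means the key name was mistyped in the window or the device does not emit it for that log type; check the device's field list rather than assuming the parser is broken.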


To test a defined parser to ensure it is formatted correctly:

1. Ensure the correct parser is selected from the drop-down menu.

2. Enter your sample log string in the text box.

3. Click the Verify Parser button to begin parsing your log string.

4. Check that the field names match up to the correct fields within the log string.

▪ If necessary, you can go back to fix defined parsers by clicking the Edit Parser button.

▪ To remove a defined parser, click the Delete button.

Once the parser settings are configured, configure the log file path location.

For more information on defining parsers, click the Help button, or contact Cynet support.



VPN PARSER SETTINGS

The VPN Parser settings allows for parsing and ingesting log data from VPN sources. To configure a new set of logs to

parse:

Click the Create button. This will open the Log Parser definition window.

In the Log Parser definition window, you can define how to parse VPN logs. Any log entry consists of columns

separated by one or more spaces (a column represents a field).

Optionally parsed fields:

▪ Source IP - The IP address of the requesting instance, i.e. the client IP address.

▪ Destination IP – The destination IP address.

▪ User Name - The user identity of the requesting client.

▪ Login Time - The time when the VPN session was initiated.

▪ Host Name - Hostname from the original URL requested.

▪ OS Information – Details about the operating system used to initiate the VPN session.

▪ Event Identifier - A unique number in every log that identifies it from all others.

▪ Regex Separator – The character(s) which separate fields of information in the log.

▪ Fields Format Type – There are two types of field format: By Name or By Offset. Parsing by name extracts

fields from the log according to each field's name. Parsing by offset extracts fields from the log according to

each field's column location.


Every log file has a different set of fields, and not all logs have the same fields. Therefore each file has its own

parsing configuration.

Parser mode of operation – using Offset:

In order to extract a field from a log entry, the parser walks through a string, formatted in the configuration table for the

current log file and field. Each character in the formatted string indicates the next step the parser should take. The basic

string format is an integer, indicating the column index where the requested data is. For example, the URL field string

format may be “2” because the URL is in the third column of the log entry.

Example: In the example below, the following VPN log line is parsed to match the correct fields. In the Log Parser

definition window, a VPN parser name is entered and each field's column index is entered next to its corresponding

field name.

Sample log line:

<134> VPN: 2008-08-21 08:01:22 connect2a [192.168.1.2] jsmith Primary authentication successful for host-test2 from 10.2.6.152

Column indices (zero-based): 0 = <134>, 1 = VPN:, 2 = 2008-08-21, 3 = 08:01:22, 4 = connect2a, 5 = [192.168.1.2],

6 = jsmith, 7 = Primary, 8 = authentication, 9 = successful, 10 = for, 11 = host-test2, 12 = from, 13 = 10.2.6.152


To test a defined parser to ensure it is formatted correctly:

1. Ensure the correct parser is selected from the drop-down menu.

2. Enter your sample log string in the text box.

3. Click the Verify Parser button to begin parsing your log string.

4. Check that the field names match up to the correct fields within the log string.

▪ If necessary, you can go back to fix defined parsers by clicking the Edit Parser button.

▪ To remove a defined parser, click the Delete button.

Once the parser settings are configured, configure the log file path location.

For more information on defining parsers, click the Help button, or contact Cynet support.



COLLECTING LOGS USING SYSLOG:

Cynet can be configured to collect data using a syslog listener. To do so, perform the following steps:

1. Open the Cynet server and navigate to: Cynet360\app\CynetSyslog

2. Edit Cynet.Syslog.exe.config:

a. Configure the IP (should be the local host)

b. Configure the syslog port (should use 514)

c. Configure the output folder and naming convention


3. After configuring, save and run the Cynet.Syslog.exe file.

4. You should now see the events arriving on the command line screen and the log files being created.

5. Once the log file is being created, you can configure the log parser and set the syslog output folder as the log file directory for importing the files.

NOTE As a best practice, we suggest separating different syslog sources onto different listeners by configuring different

ports. That makes the data much simpler to parse.


IMPORT USER DATA SETTINGS

Cynet can be configured to import user account attributes from Active Directory. These settings map the field of

information to the AD attribute name. User data that can be imported from AD includes:

▪ User Name – User's account name.

▪ Mobile – User's mobile phone number (used for SMS verification below).

▪ Office Phone – User's office phone number.

▪ Role – User's job title.

▪ Department – User's department in the organization.

In the example below, each field is being mapped to the corresponding attribute name in Active Directory. For example,

the Role field is being mapped to the ‘title’ attribute.

Click Save to save the mapping settings. The server will then import user data from Active Directory once every 24 hours.

Imported user data can be viewed on the User Details Page.

NOTE Active Directory attribute names are case sensitive.


IMPORT USER DATA FROM CSV FILE

Cynet can be configured to import user account attributes from a comma-separated values (CSV) file. These settings map

each field of information to its field index in the CSV file. User data that can be imported from a CSV file includes:

▪ User Name – User's account name.

▪ Mobile – User's mobile phone number (used for SMS verification below).

▪ Office Phone – User's office phone number.

▪ Role – User's job title.

▪ Department – User's department in the organization.

In the example below, each field is being mapped to the corresponding index of data within the csv file. For example, the

Role field is being mapped to index #3 in the csv file.

The csv file to match this mapping would include user data like the one below where the user name field is first, mobile

number second, office number third, etc.

To upload this csv file, click the Choose File button and navigate to the location of the csv file on your computer. Once

selected, click Open.

Click Upload CSV File to upload the file. This file will be parsed according to the field mapping configured in the section

above. Imported user data can be viewed on the User Details Page.


USER SMS CONFIRMATIONS SETTINGS

This setting enables the SMS Confirmation functionality. When the Cynet system observes an unusual user login, it sends

an SMS to the user's mapped mobile number (user data is mapped via Active Directory or a CSV file; see those settings in

the sections above). For more information about this functionality, see the User SMS Confirmation section.

To enable SMS Confirmation, click the checkbox and then click Save.


EPS CONFIGURATION

The EPS configuration page contains advanced configuration settings for memory-based analysis by the Cynet Endpoint Scanner (EPS).

MEMORY STRINGS SETTINGS

The Memory Strings settings are used to configure the Cynet EPS to search for specific strings within the memory contents on endpoints. This functionality can be used to find customized indicators of compromise within the memory contents of any process running on endpoints.

To create a new Memory String search, click on Add Memory String. The following are the fields available when creating a new memory signature.

GENERAL SETTINGS

▪ Name – Provide an alias for the signature pattern rule.
▪ Patterns – In this section, add the hex values of the string found for the signature, as they appear in the memory page. The additional boxes allow adding more strings that are not directly connected to the first string, on the condition that all of the following are true:
  ▪ They have the same privileges on the base address and location address.
  ▪ They are of the same type.
  ▪ The base address of the second signature must be equal in size to that of the first signature.
  ▪ The location address size of the second signature must be equal to the location address size of the first signature.
  ▪ If one of the strings is located at the base address, then the other strings must also be located at the base address, and vice versa.
  ▪ If none of the strings are located at the base address, then they can be located at any address within the spool.
▪ Scan Type – The type of activity the signature will be matched against in memory: New Page, New Process, Existing Page, or All [of the above] types.
▪ Get Strings – Enables the EPS to collect the memory strings for signature matching. This should always be enabled for matching to work.
▪ Action – The action the EPS will take when it matches the specified signature pattern.

CHECK PAGE DATA SETTINGS

▪ CMD – This setting determines whether the EPS matches on all of the signature patterns together (AllOff) or on any one of the signature patterns (AnyOff).

▪ Should run on Cynet Server? – This setting can be used to include or exclude the Cynet server from this signature matching.

NOTE The EPS Configuration settings are used to configure advanced methods of detecting malware artifacts within memory. These settings should only be configured with the assistance of Cynet engineers.


FILTER BY PAGE METADATA SETTINGS

▪ State (HEX) – Match on the meminfo.State value.
▪ Type (HEX) – Match on the meminfo.Type value.
▪ Protect (HEX) – Match on the meminfo.Protect value.
▪ Is page in image base? – Match on the existence of the isimagebase() function.
▪ Allocation protect (HEX) – Match on the meminfo.AllocationProtect value.
▪ Base address – Match on whether or not the base address equals the allocation base (i.e. meminfo.BaseAddress = meminfo.AllocationBase).
▪ Region Size – Match on the meminfo.RegionSize value lying between the low and high values.
▪ File names action type – Configures whether the EPS matches by specific file name(s) or on any file name. If set to “Ignore”, the EPS ignores matching by file name(s). If set to “Scan Only”, the EPS matches only on the specified file names.
▪ File Names – Match by file name(s). File names can be ignored with the setting above. Multiple file names are separated by a semicolon “;”.
▪ Alert name – Provide a name for alerts generated by this signature.
▪ Alert Severity – Provide a severity for alerts generated by this signature.
▪ Alert Type – Provide a type for alerts generated by this signature.
▪ Open Automatic alert – Automatically open the alert without validation from the Cynet SOC.
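The Patterns, CMD and Filter By Page Metadata settings above combine into a single decision per memory region: the region's metadata must pass every configured filter, and its contents must contain all (AllOff) or any (AnyOff) of the hex patterns. The following is an added model of that decision written for this page, not Cynet's EPS code; the region fields are named after the meminfo.* values the guide lists, the Windows constants (MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READWRITE, PAGE_READONLY) are the documented MEMORY_BASIC_INFORMATION values, and the sample region and its contents are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows MEMORY_BASIC_INFORMATION constants, used only for the constructed sample.
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
PAGE_EXECUTE_READWRITE = 0x40
PAGE_READONLY = 0x02


@dataclass
class MemRegion:
    """Metadata for one memory region; field names follow the meminfo.* names in the guide."""
    BaseAddress: int
    AllocationBase: int
    AllocationProtect: int
    RegionSize: int
    State: int
    Protect: int
    Type: int
    mapped_file: Optional[str]  # backing file name, if the region maps one
    data: bytes                 # region contents (constructed here)


@dataclass
class MemorySignature:
    name: str
    patterns: List[bytes]
    cmd: str = "AllOff"                  # "AllOff" (every pattern) or "AnyOff" (any pattern), spelled as in the guide
    state: Optional[int] = None
    type_: Optional[int] = None
    protect: Optional[int] = None
    allocation_protect: Optional[int] = None
    base_is_allocation_base: Optional[bool] = None
    region_size: Optional[Tuple[int, int]] = None  # (low, high), inclusive
    file_names_action: str = "Ignore"    # "Ignore" or "Scan Only"
    file_names: str = ""                 # semicolon-separated list


def parse_patterns(hex_strings):
    """Decode hex strings as typed into the Patterns boxes into byte sequences."""
    return [bytes.fromhex(h.replace(" ", "")) for h in hex_strings]


def metadata_matches(sig, region):
    """Apply the Filter By Page Metadata settings; an unset (None) filter always passes."""
    exact = [(sig.state, region.State), (sig.type_, region.Type),
             (sig.protect, region.Protect), (sig.allocation_protect, region.AllocationProtect)]
    if any(want is not None and want != have for want, have in exact):
        return False
    if sig.base_is_allocation_base is not None:
        if (region.BaseAddress == region.AllocationBase) != sig.base_is_allocation_base:
            return False
    if sig.region_size is not None:
        low, high = sig.region_size
        if not low <= region.RegionSize <= high:
            return False
    if sig.file_names_action == "Scan Only":
        wanted = {n.strip().lower() for n in sig.file_names.split(";") if n.strip()}
        if (region.mapped_file or "").lower() not in wanted:
            return False
    return True


def content_matches(sig, region):
    """CMD semantics: AllOff requires every pattern, AnyOff requires at least one."""
    hits = [pattern in region.data for pattern in sig.patterns]
    return all(hits) if sig.cmd == "AllOff" else any(hits)


def evaluate(sig, region):
    """A region triggers the signature only when both the metadata filters and the content match."""
    return metadata_matches(sig, region) and content_matches(sig, region)


# Constructed sample: one committed, private, RWX region containing two marker strings.
SAMPLE_REGION = MemRegion(
    BaseAddress=0x7FF600010000, AllocationBase=0x7FF600010000,
    AllocationProtect=PAGE_EXECUTE_READWRITE, RegionSize=0x3000,
    State=MEM_COMMIT, Protect=PAGE_EXECUTE_READWRITE, Type=MEM_PRIVATE,
    mapped_file=None,
    data=b"\x00" * 32 + bytes.fromhex("4D5A9000") + b"padding" + bytes.fromhex("DEADBEEF"),
)


def run_examples(region=SAMPLE_REGION):
    """Evaluate a few signature variants against the sample; returns {name: matched}."""
    both = parse_patterns(["4D 5A 90 00", "DE AD BE EF"])
    one_missing = parse_patterns(["4D 5A 90 00", "CA FE BA BE"])
    variants = [
        MemorySignature("rwx-private-all", both, "AllOff", state=MEM_COMMIT,
                        protect=PAGE_EXECUTE_READWRITE, base_is_allocation_base=True,
                        region_size=(0x1000, 0x10000)),
        MemorySignature("all-with-missing-pattern", one_missing, "AllOff"),
        MemorySignature("any-with-missing-pattern", one_missing, "AnyOff"),
        MemorySignature("readonly-only", both, "AllOff", protect=PAGE_READONLY),
        MemorySignature("named-file-only", both, "AllOff",
                        file_names_action="Scan Only", file_names="a.dll;b.dll"),
    ]
    return {sig.name: evaluate(sig, region) for sig in variants}
```

The variants show why the metadata filters matter: the same two byte patterns match or do not match depending only on whether the Protect filter, the base-address condition or the Scan Only file list admits the region, which is how a signature is kept from firing on every process that happens to contain a common byte sequence.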


DECOY FILES

Decoy files are a defense mechanism employed by Cynet 360 using honeypot tactics. Cynet 360 is able to deploy various deception entities on scanned hosts, which are used to lure attackers. When these entities are used, Cynet 360 detects the use and alerts on the illicit activity. See the Group Information Settings section of this document for the Decoy configuration settings. The two settings that need to be enabled are Use Decoy Files and Allow Credential Decoys.

There are multiple forms in which Cynet deploys its deception capabilities. The following list is a high-level explanation of each deception type; see the sub-sections for each type for details:

▪ Office Documents – Cynet will deploy Excel, Word, and PowerPoint documents to the host in a newly created user directory. These files contain beacons, which communicate back to the Cynet server when the file is opened and generate an alert. The Cynet platform also allows users to create their own decoys.

▪ Remote Desktop Files – Cynet will deploy RDP files with saved imitation credentials on the host. When this file is executed, it will attempt to connect to the Cynet server with invalid credentials and generate an alert.

▪ ODBC – Cynet will configure an ODBC connection on the host, which points to the Cynet server. When this ODBC connection is used, it will generate an error and an alert.

▪ NetBIOS – Cynet will configure network shares on the host, which are monitored. When the session is used, it will generate an alert.

▪ Stored Credentials – Cynet will implant invalid credential information in the Windows Credential Manager. If these credentials are obtained by an attacker and used for authentication elsewhere in the environment, it will generate an alert.

▪ Text files – Cynet will deploy text files to the host with invalid credentials. These credentials disguise themselves as domain credentials or credentials to an internal web application. If either of these invalid credentials are used, it will generate an alert.

Every Decoy alert will contain details about which type of decoy was triggered, the attacker IP address, the victim IP address, the hostname and the file name (if applicable).


DECOY OFFICE DOCUMENTS

Cynet will create a new user folder such as C:\Users\admin_c493d82, with a randomly generated account name.

Within this directory, there will be several decoy Office documents such as Word (.docx), Excel (.xlsx), and PowerPoint (.pptx) files. These files have attractive filenames to lure attackers and are placed throughout the new user directory.

When one of these files is opened with Microsoft Office, the beacon within the document will attempt to communicate back to the Cynet server as well as to the Cynet-controlled web domain ad-stats.com. This ensures that the Cynet SOC can identify decoy files being opened outside the corporate LAN environment.

DECOY RDP FILES

Cynet will create a saved RDP connection file in the same directory as described above. This RDP connection file contains invalid credentials saved within it. The file will attempt an RDP connection to the Cynet server on port TCP 8484 and will fail. Once the RDP attempt is made, the alert will be generated within the Cynet console.


DECOY ODBC CONNECTION

ODBC (Open Database Connectivity) is an open standard API for accessing databases. ODBC statements are used to connect to various databases such as Access, dBase, DB2, Excel, and others. Cynet uses the Windows built-in programming support for ODBC by planting an ODBC connection to a non-existent database in the environment. When an attacker attempts to use this ODBC connection to connect to the invalid database, an alert will be generated in the Cynet console.

Cynet implants the ODBC connection by deploying various registry keys to the Windows host. The planted ODBC connection can also be found in Control Panel > System & Security > Administrative Tools > Data Sources (ODBC).

Then click the System DSN tab and the planted connection will be listed as an SQL Server.

DECOY TEXT FILES

Within the newly created user directory, Cynet will deploy text files with invalid domain credentials, as well as credentials for a non-existent internal application. If the domain credentials are used for authentication or if the URL is accessed, an alert will be generated in the Cynet console.


DECOY STORED CREDENTIALS

The Windows Credential Manager is the “digital locker” where Windows stores login credentials for the network. This data can be accessed by Windows or by other applications that can use the stored credentials. There are three main types of stored credentials in the Credential Manager:

▪ Windows Credentials – Only used by Windows and its services. For example, saved credentials for a network shared folder.

▪ Certificate-based Credentials – Used together with smart card authentication. This is usually configured in higher-security networks with Active Directory configured for smart card authentication.

▪ Generic Credentials – General saved credentials that are defined by applications used on the computer. For example, Office365 or Windows Live.

The credentials saved in the Credential Manager are commonly targeted by threat actors. Cynet 360 will plant invalid username and password credentials in the Credential Manager. When a threat actor uses these credentials to authenticate in the environment, an alert will be generated.

DECOY FILES MANAGEMENT

In the Decoy Files tab, Cynet users can manage all decoy files, including the following actions:


▪ Decoy File Deployment Setting – Once a decoy file is chosen, the user can customize where to deploy it and for which groups.

▪ Add New Decoy File – Allows creating a new decoy file from an existing Office file. Clicking Add New Decoy File opens the following dialog box:

o Choose the file to use for the decoy.
o Fill in the decoy name; it is used for management and also appears in the alert details.
o Click Generate Test File to download a test file.
o Click + and choose the groups and file deployment locations.

Once someone accesses the file, the Cynet platform will detect it and trigger an alert.


THREAT HUNTING

Threat Hunting allows the customer to scan the endpoints, on demand, for threats according to IOCs.

Process:

- The end user defines the IOCs (file SHA256, file MD5, file name, file full path), and the extensions and folders to search in.

- The end user defines the severity of the alert that would be raised in case a threat is found.

- The system scans the endpoints, and if a file that matches an IOC is found, it generates an alert.

CONFIGURATION \ SETTINGS

ENABLE\DISABLE TH

- Settings -> Scan groups

- Choose the relevant group

- Check\Uncheck – “Enable Threat Hunting”

- If checked – “Threat Hunting Period” – define the time interval [in minutes] at which to check whether there is a new search to perform

CONFIGURE TH SETTINGS

In order to configure the Threat Hunting, go to:

Settings -> THREAT HUNTING

- “Create/Remove search indicator by type” – lets you create the list of IOCs to search.

o For each IOC – select the type, the value, and the description of the alert that would be raised.

o Make sure to press the “+” button to add the new entry to the list.

o Notice – the system will alert on any of the IOCs that are found (there is no need for ALL of the IOCs to be present together).

- Filter By Extension – insert a list of file extensions that should be scanned (make sure to press the “+” button to add each new entry to the list).

- Filter By Directory – insert a list of folders to scan (make sure to press the “+” button to add each new entry to the list).

- Alert Severity – severity of the alert that would be raised in case a threat is found.

- Suppressed Mode – whether to stop the current scan (if one exists) and immediately start the new scan, or to wait for the current scan to finish.

- Save Changes – saves the changes and starts the threat hunting process on all endpoints.

- Stop current – any endpoint that has not yet started to scan will not scan.

- Restart current – all endpoints will execute the scan (regardless of whether they have already executed it).

- Clear Search Criteria – deletes all the IOCs.
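The threat hunting process and settings described above (IOC types, any-of matching, extension and directory filters, alert severity) can be expressed as a small scanner. The following is an added example written for this page, not Cynet's own threat hunting code; the Indicator and HuntConfig types, the field names and the sample files it writes into a temporary directory are all constructed for illustration. It generalizes the guide's description slightly by hashing each file at most once per algorithm, however many hash indicators are configured.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Indicator:
    ioc_type: str       # one of the guide's types: "sha256", "md5", "file_name", "full_path"
    value: str
    description: str    # becomes the alert description


@dataclass
class HuntConfig:
    indicators: List[Indicator]
    extensions: List[str]   # Filter By Extension, e.g. [".exe"]; empty list = no extension filter
    directories: List[str]  # Filter By Directory
    severity: str           # Alert Severity


def hash_file(path, algorithm):
    """Stream the file through hashlib so large files do not need to fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def match_indicators(path, indicators):
    """Return every indicator the file satisfies (any-of semantics, as the guide notes)."""
    hits = []
    digests: Dict[str, str] = {}  # hash each file at most once per algorithm
    for ioc in indicators:
        if ioc.ioc_type == "file_name":
            matched = os.path.basename(path).lower() == ioc.value.lower()
        elif ioc.ioc_type == "full_path":
            matched = os.path.normcase(os.path.abspath(path)) == os.path.normcase(os.path.abspath(ioc.value))
        elif ioc.ioc_type in ("sha256", "md5"):
            if ioc.ioc_type not in digests:
                digests[ioc.ioc_type] = hash_file(path, ioc.ioc_type)
            matched = digests[ioc.ioc_type] == ioc.value.lower()
        else:
            matched = False
        if matched:
            hits.append(ioc)
    return hits


def hunt(config):
    """Walk the configured directories and raise one alert per (file, indicator) hit."""
    alerts = []
    extensions = tuple(ext.lower() for ext in config.extensions)
    for root in config.directories:
        for dirpath, _subdirs, filenames in os.walk(root):
            for name in filenames:
                if extensions and not name.lower().endswith(extensions):
                    continue
                path = os.path.join(dirpath, name)
                for ioc in match_indicators(path, config.indicators):
                    alerts.append({"path": path, "severity": config.severity,
                                   "ioc_type": ioc.ioc_type, "description": ioc.description})
    return alerts


def demo():
    """Constructed scenario: two files with identical content, only one with a scanned extension."""
    content = b"constructed sample content, not malware"
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("tool.exe", "notes.txt"):
            with open(os.path.join(tmp, name), "wb") as handle:
                handle.write(content)
        config = HuntConfig(
            indicators=[
                Indicator("sha256", hashlib.sha256(content).hexdigest(), "known sample hash"),
                Indicator("file_name", "TOOL.EXE", "suspicious tool name"),
            ],
            extensions=[".exe"],
            directories=[tmp],
            severity="High",
        )
        return hunt(config)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The demo produces two High alerts for tool.exe (one per matching IOC) and none for notes.txt even though its hash matches, which is the point to keep in mind when choosing the extension filter: it narrows the scan, and anything outside it is not examined at all.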


TH RESULTS

If a threat is found according to the defined IOCs, an alert will be presented and an email will be sent.

The alert is presented in the “Alerts” page. The details of the alert:


ADVANCED

The Advanced page contains advanced configuration settings for Cynet such as Connectivity, Deep Scan, Privacy & Compliance, Master/Slave, Policy Exclusions and Scan Throttling settings.

CONNECTIVITY SETTINGS

▪ Primary Cynet Server IP & Port – The IP address and port number endpoints will send scan results to.
▪ Secondary Cynet Server IP & Port (Optional) – The secondary IP address and port number endpoints will send scan results to if the primary IP address fails to accept scan data. This is typically a failover Cynet server or a Cynet server with an external IP address.
▪ Server Proxy Settings – If an internet proxy is used, enter the proxy IP address and port number to allow the Cynet server to sync to the Cynet cloud.

PRIVACY & COMPLIANCE SETTINGS

The Privacy & Compliance settings are used to limit the amount of information collected from endpoints and to anonymize information sent to the Cynet SOC.

▪ Send Scan Errors to SIEM – This setting will send scan errors via syslog to the IP address configured in the SIEM settings. (See also General Settings for SIEM configuration.)
▪ Unique File Analysis by SOC – This setting will allow the system to automatically send unique files to the SSE sandbox for analysis.
▪ Analyzed File Retention – This setting will limit the number of days a file analyzed by the SSE sandbox will be kept.
▪ Log File Retention – This setting will limit log files to those generated in the past X days.
▪ Data Anonymization – These settings will prevent hostnames and usernames from being sent to the Cynet SOC when performing security intelligence lookups. A host or user ID will be sent to the Cynet SOC instead of real hostnames or usernames.


▪ Disable … Collection – These settings will prevent the CynetEPS from collecting this information when performing scans. Fields available for ignoring are:

✓ ARP Table entries
✓ Certificates
✓ DNS Cache
✓ Host file information
✓ Installed Software
✓ IP Settings
✓ User data
✓ MS Updates
✓ Network interfaces
✓ Network Shares

▪ Cynet SOC File Analysis – This setting will automatically send files to the Cynet SOC if further analysis is necessary.

▪ Automatic Updates – This setting allows the system to download critical update files from the Cynet virtual private cloud connection.

▪ Command Line Sync – This setting disables the sync of command-line parameters of processes to the Cynet SOC.

▪ File Whitelisting – This setting enables whitelisting of known files by the Cynet SOC.

▪ Memory String Sync – This setting disables the sync of memory strings to the Cynet SOC.

NOTE Cynet recommends leaving these settings, especially the Anonymization and Disable … Collection settings, at their default values to perform complete threat analysis on hosts. Limiting collected data can negatively impact Cynet’s threat detection.


MASTER & SLAVE SERVER SETTINGS

The Master and Slave server settings are used to configure a Cynet server as either a primary or a relay server in a distributed architecture.

Configure Master Server

▪ Ensure the Master setting is selected (default setting).
▪ In the Slave IP List settings, enter a Name for the slave server, the Client ID (provided by Cynet representatives), and the IP address of the slave server.
▪ Then click Add to register the entered IP address as a slave server.
▪ Slave servers will appear in a list alongside the server name, client ID, and IP address. To remove any servers, click the Delete button.
▪ Click Save at the bottom of the page to save these settings.

Configure Slave Server

▪ Ensure the Slave setting is selected.
▪ Enter the IP address and port of the master server (default port is TCP 8443).
▪ Click Save at the bottom of the page to save these settings.


POLICY EXCLUSION SETTINGS

The policy exclusion settings are used to exclude policies from running on specified host(s). This functionality provides support for Cynet policies to be ignored locally.

To exclude a policy from running on endpoint(s):

▪ Enter the Policy Title to be excluded. After typing a few characters, the system will display all policies that match. Then Select the desired policy to exclude.

▪ Enter in the Wild Card field a regular expression to choose which host(s) should be excluded. Multiple hosts can be excluded from a policy by using regex.

✓ Example: Hostname123 – to exclude Hostname123 from this policy.
✓ Example: W.* – for workstations whose name begins with the W character.

▪ Then click Add to add the host/wildcard exclusion for this policy.
▪ Once the exclusion has been added, a menu will appear with all exclusion entries. Entries are listed with the policy name and the host/regex match. For these hosts, this policy will not be factored into the risk level calculation.

NOTE Excluding policies from running on hosts could have an adverse effect on detection analysis. Policy exclusions should be discussed with a Cynet representative before any changes are made.


▪ To delete a policy exclusion, click the Remove button.
▪ To edit a policy exclusion, click the Edit button and the wildcard field will become editable. Once the changes are made, click Save to apply the changes to the policy exclusion.
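Because the Wild Card field takes a regular expression, the breadth of an exclusion depends on how the expression is anchored. The following added example (not Cynet's code; the guide does not state how the field is matched internally) assumes the pattern must match the whole hostname and that hostnames compare case-insensitively, as Windows treats them. Under those assumptions both guide examples behave as described, and the report shows how much wider W.* becomes if it were matched as an unanchored substring instead.

```python
import re

# Assumptions (not stated in the guide): the Wild Card field is matched against
# the whole hostname, and hostnames compare case-insensitively, as Windows
# treats them.  Both guide examples ("Hostname123", "W.*") behave as described
# under these rules.


def host_excluded(hostname, wildcards):
    """True if any exclusion pattern matches the entire hostname."""
    return any(re.fullmatch(pattern, hostname, re.IGNORECASE) for pattern in wildcards)


def exclusion_report(hostnames, wildcards):
    """Compare anchored (whole-name) matching with unanchored substring search.

    The unanchored list shows how much wider an exclusion becomes when a
    pattern such as W.* is allowed to match anywhere in the name: every host
    containing a W would stop factoring the policy into its risk level.
    """
    anchored = [h for h in hostnames if host_excluded(h, wildcards)]
    unanchored = [h for h in hostnames
                  if any(re.search(p, h, re.IGNORECASE) for p in wildcards)]
    return {"anchored": anchored, "unanchored": unanchored}


# Constructed sample inventory; the two patterns are the guide's own examples.
SAMPLE_HOSTS = ["Hostname123", "Hostname1234", "WKS-001", "desktop-w1", "SRV-DB-01"]
GUIDE_WILDCARDS = ["Hostname123", "W.*"]

if __name__ == "__main__":
    for mode, hosts in exclusion_report(SAMPLE_HOSTS, GUIDE_WILDCARDS).items():
        print("%-10s excluded: %s" % (mode, ", ".join(hosts)))
```

Reviewing the anchored list against the host inventory before clicking Add is a quick way to confirm an exclusion covers only the hosts intended; a literal hostname such as Hostname123 should appear alone, not alongside Hostname1234.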

THROTTLE SETTINGS

The Scan Throttling settings are used to control the number of concurrent scans during scan cycles, so that environments are scanned more efficiently.

▪ Max Concurrent Scanned Hosts – Maximum number of hosts the Cynet server will attempt to scan at any one time. This setting throttles the scanner from flooding the network with scan attempts.

▪ Total Scanned Hosts Timeout – Time out value for attempted RPC connections to endpoints. If this timeout is exceeded, endpoints are considered unreachable.

▪ Sync Response Timeout – Time out value for response from the PsExec process when using the RPC distribution type.

▪ Concurrent Remediation Actions - This setting is used to specify the maximum number of remediation actions the server will attempt at any one time.


DOMAIN WHITELISTING SETTINGS

The Domain Whitelisting settings are used to filter out trusted domains from analysis.

To add a domain to the whitelist:

▪ Enter the domain to be whitelisted.
▪ Click the Add Domain button. The domain should then appear in the list below.

To edit an existing whitelisted domain entry:

▪ Select the domain name. This will make the entry editable.
▪ Once the changes have been made, click the Update button.

To delete an existing whitelisted domain, select the domain name and click the Remove button.

REMEDIATION SETTINGS

The Remediation settings are used to configure the auto-remediation system to retry remediation actions if they initially fail.

▪ Remediation Retry Attempts – sets the maximum number of times the system will re-attempt a remediation action. The default is 48 retries.

▪ Remediation Retry Interval – sets the time interval between remediation retries (in minutes). The default is 30 minutes.


DECOY SETTINGS

The Decoy Files setting is used to configure how decoy files interact with the Cynet system.

▪ Decoy Files Listener Port – The listener port that decoy files will use when beaconing back to the Cynet server (the protocol used is TCP).

For more information about Decoy Files, see the Decoys section of this document, which explains the types of decoys that are deployed and how they are triggered.

CONSOLE SETTINGS

The UI Session Timeout setting is used to configure how long a session in the Cynet console will last before it automatically logs out a user.

▪ UI Session time - The value (in minutes) the system will allow before automatically logging a user out of the system. Values can range from 1 minute to 525,600 minutes (1 year). The default value is 20 minutes.

FILE MONITORING

The File Monitoring settings allow customizing the file extensions and the time interval for monitoring.

▪ Extensions – Add file extensions which will be monitored for changes; each value starts with ‘.’ followed by the file extension.

▪ Polling Interval – Control the time interval for reporting the data to the Cynet server.


USERS

The Users page contains the settings for user authentication to the Cynet console. From these settings, users can be added or deleted, or their permissions edited. User passwords can also be changed on this page.

AUTHENTICATION SETTINGS

▪ Select Authentication Mode – This setting configures which authentication mode will be enabled for users when logging into the Cynet console. Options are:

▪ Enable Local Authentication Only – Only local users in the Cynet user database will be authenticated.

▪ Enable Active Directory Authentication Only – Only Active Directory users will be authenticated.

▪ Enable Local & Active Directory Authentication – Users from both the Cynet user database and Active Directory will be authenticated.

▪ Manage Cynet Users – In this section, local users can be added, edited, or deleted. The following sections include instructions on how to perform these actions for local user accounts:

▪ Add New User

▪ Edit User Permissions

▪ Delete User

▪ Change Password

NOTE If an authentication mode that uses Active Directory is enabled, the Active Directory Authentication section of settings will become available. These settings map users/groups in Active Directory to user levels in the Cynet console for authentication.

NOTE You must also configure your Active Directory domain in the Integrations settings. This page points the Cynet console to the domain to validate Active Directory credentials.

NOTE Cynet recommends enabling the Active Directory & Cynet Users authentication mode, so that the operator (or any other local account) can still be used to log into the console in the event that Active Directory authentication is not possible.

NOTE The operator account is the default login for the Cynet console, and it cannot be deleted. Cynet recommends changing the password of the operator account from the default password to something more complex and secure.


ADD NEW USER

To add a new user to access the Cynet console:

▪ Enter a User name, Password, and User Level (see above for user level privileges).

When assigning user permissions, there are three levels of user access:

▪ Custom User – This user level provides custom user permissions. Use the Custom User Access Permissions drop-down menu to select which actions this user is allowed to perform.

▪ Operator – This user level provides the ability to view all data, perform remediation actions, make configuration changes, and add/remove/edit users.

▪ Dashboard – This user level provides the ability to access only to the Main dashboard, and cannot view data, perform remediation actions, or make any configuration changes.

▪ Click Add to add the new user.

EDIT USER PERMISSIONS

To edit a user’s access to the Cynet console:

▪ Click the Edit Permission button next to the user name.

NOTE If the “Custom” user level is selected, be sure to use the Custom User Access Permissions drop-down menu to assign proper permissions to the user.


▪ A window will appear with the Custom User Access Permissions drop-down menu. Select or deselect the permissions appropriate for the user account.

▪ Click Save to apply the changes.

DELETE USER

To delete a user from the Cynet console:

▪ Click the Delete User button.

NOTE Operator level users are not editable because they already have full access permission. To change a user’s user level, the user must first be deleted and then recreated with the appropriate user level.

NOTE The default Operator account cannot be deleted.


CHANGE PASSWORD

All Cynet users can change their own passwords. To change an account’s password:

▪ Click the Change Password button.

If changing your own password: the system will prompt you to enter your current password, and your new password twice. Then click Change to apply the password change. If the new password does not meet the complexity requirements (see below), you will be prompted to re-enter both the current and new password.

If changing another account’s password: the system will prompt you to enter the new password twice. If the new password does not meet the complexity requirements (see below), you will be prompted to re-enter the new password.

NOTE Passwords for Dashboard level users can be changed by operators. Operator level account passwords cannot be changed by other Operators.


Password Complexity - Passwords must include at least 3 of the following 4 groups:

▪ Lower case letters (a-z)
▪ Upper case letters (A-Z)
▪ Numbers (0-9)
▪ Symbols (!@#$%^&*)

Password length should be between 8 and 20 characters.
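The complexity rule above (at least 3 of the 4 groups, 8 to 20 characters) can be checked before a password is submitted to the console. This is an added example, not Cynet's own validation code; it assumes that characters outside the four listed groups (for instance a space or a hyphen) do not count toward any group, which the guide does not specify, and the candidate strings in it are constructed.

```python
import string

# Character groups as listed in the guide.  Assumption: characters outside
# these four groups (e.g. a space or hyphen) do not count toward any group.
GROUPS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set("!@#$%^&*"),
}
MIN_LENGTH, MAX_LENGTH = 8, 20
REQUIRED_GROUPS = 3


def groups_used(password):
    """Return the set of group names the password draws characters from."""
    return {name for name, chars in GROUPS.items() if any(ch in chars for ch in password)}


def password_problems(password):
    """Return the list of complexity rules the password violates (empty list = acceptable)."""
    problems = []
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        problems.append("length must be between %d and %d characters" % (MIN_LENGTH, MAX_LENGTH))
    used = groups_used(password)
    if len(used) < REQUIRED_GROUPS:
        problems.append("must use at least %d of the 4 character groups, found %d"
                        % (REQUIRED_GROUPS, len(used)))
    return problems


if __name__ == "__main__":
    # Constructed candidates, not real passwords.
    for candidate in ["Operator2024!", "operator", "Ab1", "correct-horse-battery"]:
        print(repr(candidate), password_problems(candidate) or "ok")
```

Note that a long passphrase built from lower-case words fails both rules here, while a short mixed string passes the group rule and fails only on length; the checker reports every violated rule so the user can fix all of them in one attempt.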

ACTIVE DIRECTORY AUTHENTICATION SETTINGS

The Active Directory Authentication section maps users or groups within Active Directory domains to user levels in the Cynet console for authentication.

Before these settings can be configured two other settings must be configured first:

1. Integrations – Configure a domain in the Active Directory section of the Integrations settings tab.

2. Authentication Mode – Enable an authentication mode in the Manage Authentication Users section of the Users settings tab.

Once those two configuration settings are fulfilled, this section will become available.

ADD GROUP

To add an Active Directory group for Cynet console authentication:

▪ Select the Domain from the drop-down menu. (These domains are configured in the Active Directory section of the Integrations page.)

▪ Next, select the Active Directory Group to map. All groups from AD will be pulled and listed in this drop-down menu.


▪ Next, select the User Level. Authenticated users in this group will be given this user level.

▪ Lastly, click Add to add this group. All users in this group will be able to authenticate to the console using their Active Directory credentials.

Groups added will appear in the Enabled Identities section below.

ADD USER

▪ Select the Domain from the drop-down menu. (These domains are configured in the Active Directory section of the Integrations page.)

▪ Next, enter a User name from the selected domain.


▪ Next, select the User Level. The authenticated user will be given this user level.

▪ Lastly, click Add to add this user. The user will be able to authenticate to the console using their Active Directory credentials.

Users added will appear in the Enabled Identities section below.

ENABLED IDENTITIES

Once a group or user has been mapped, it will appear in the Enabled Identities section.

To remove an enabled identity, click the Remove button next to it.


MAPS

The Maps page contains configuration settings for the Map section of the console. With these settings, map regions/locations can be added, removed, or edited.

To add or edit a region, click on an area of the map (zoom into the map using the zoom-in buttons or the mouse wheel).

The Edit Coordinate window will appear for a new or existing region. In this window, you can enter the region name and the IP address range for that location.

Then click the Save Changes button to complete the region configuration.

To delete an existing region, click the Delete button in the Edit Coordinate window.


ANALYSIS

The Analysis page contains configuration settings for Cynet’s Smart Simulation Execution (SSE) sandbox, which provides the system with dynamic analysis of a process.

DYNAMIC ANALYSIS SETTINGS

The Cynet SSE dynamic analysis can be configured with either an on-premise server or a cloud-based instance. The settings below show how to configure each.

Cloud Sandbox Configuration

1. Click the Enable Sandbox checkbox.
2. Click the Cloud Dynamic Analysis checkbox.
3. Click the Save button to save changes.

On Premise Sandbox Configuration

1. Click the Enable Sandbox checkbox.
2. Click the Local SSE IP Address checkbox.
3. Enter the IP address of the SSE sandbox server.
4. Click the Save button to save changes.


DEEP SCAN SETTINGS

These settings configure the time intervals for the Deep Scan process. See the Deep Scans section for more information about starting a Deep Scan.

▪ Update Interval – This timer is used to configure how often the Cynet Deep Scanner (CynetDS.exe) sends collected data back to the Cynet server for analysis.

▪ Time Limit – This timer is used to configure how long the CynetDS will run on the endpoint to collect deep scan data. At the end of this timer, the CynetDS will terminate.

NOTE Minimum value for the Update Interval is 2 minutes, and the minimum value for the Time Limit is 15 minutes.


ALERTS

The Alerts page contains configuration settings for alerts generated by the system and how they are handled.

EMAIL SETTINGS

▪ Email Alert Recipients – The email addresses that should receive email alerts when the system generates an alert. Multiple emails should be comma separated.

▪ SMTP Server – The IP address of the organization’s SMTP server, which will be used to transport alert emails when generated by the system.

▪ SMTP SSL – This setting can be enabled if the SMTP server requires an SSL connection to be established for sending mail.

▪ Email Alert Sender – This setting controls the “from” field in email alerts generated by the system.

NOTE If the SIEM Connectivity settings are changed to a port other than the default (port 514), the Cynet services must be restarted on the server in order for the changes to be applied.


GENERAL SETTINGS

▪ SIEM Server – The IP address of the organization’s SIEM system, which should receive syslog messages from the system.

▪ Minimum Alert Severity Display Filter – This setting limits the alerts displayed on the dashboard based on their severity. By default, alerts of all severities are displayed.

ALERT SETTINGS

The Immediate Alert Notification Settings are used to configure which alert types are enabled. This setting exists in case customers want to exclude or filter out certain types of alerts.

NOTE Cynet recommends having all alert types enabled to ensure all types of threats are being detected and alerted on.


UNSCANNED HOST ALERT SETTINGS

These settings are used to generate alerts for specific hosts that are not being scanned by Cynet.

To add hosts to alert on failed scans, enter a Hostname then click Add.

To remove a host, select the host from the hosts list, and click Delete.

EMAIL ALERT FILTER SETTINGS

The Alert Severity Configuration settings are used to configure the minimum severity of alerts that will be sent out by email. By default, Cynet 360 will send all alerts (Informative and above); however, the system can be configured to send only alerts of a certain severity and above.


INTEGRATIONS

The Integrations page contains configuration settings for integration with other systems, such as Active Directory.

ACTIVE DIRECTORY

The Active Directory section contains settings on which domains the Cynet console will use for Active Directory authentication (see also the Users settings tab). From here, you can manage the credentials that will be used within each domain to validate Active Directory credentials used during authentication to the console.

To create a new set of credentials, click the Create button in the top right-hand corner.

In the pop-up window, the following fields must be filled out:

▪ Name – An alias for this set of credentials

▪ Username – The user name of the account that will be used to validate credentials

▪ Password – The password of the account that will be used to validate credentials

▪ Domain – The domain the account exists in.

NOTE The account used to validate credentials does NOT need to be a domain admin. It only needs to be a domain user.


Click the Validate Credentials button to check that the username and password that were entered are correct.

Then click Save to save these credentials.

Once saved, the entered credentials will appear under the Manage Credentials section. Existing credentials can be changed by clicking the Edit button or removed by clicking the Delete button.

Once there is at least one set of credentials saved, Active Directory authentication can be enabled on the Users settings tab.


VULNERABILITY MANAGEMENT

The Vulnerability Management page contains the configuration of the functions which are a part of the Vulnerability Management feature.

▪ Windows Patch Validation:

• In this function, the Cynet scanner queries the Windows Update subsystem on the endpoint and maps all the available KBs ready to be installed. Once the EPS detects that there are KBs which haven’t been installed, it will generate a medium level alert which will include the list of KBs that are not installed yet.

• In the “Windows Patch Validation” configuration section, the operator is able to whitelist Windows KB updates which are known to be missing or uninstalled, so that they will not generate an alert.

• In order to add a Windows KB to the whitelist, type the name of the KB, one KB per line.

▪ Unauthorized Applications:

• In this function, the Cynet scanner queries the Windows Add\Remove programs subsystem on the endpoint, and compares the list received to the list of applications which are unauthorized to run on the endpoint. Once the EPS detects that there are unauthorized applications installed on the endpoint, it will generate a medium severity alert which will include the list of the unauthorized applications installed on the endpoint.

• In the “Unauthorized Applications” configuration section, the operator is able to add\remove applications from the unauthorized applications list. The list is already populated with applications which Cynet’s R&D classified as “Potentially” restricted.

• In order to add an application to the unauthorized applications list, create a new line with the name of the application exactly how it is configured in the add\remove programs subsystem of Windows.


▪ Application Patch Validation:

• In this function, the Cynet scanner queries the Windows Add\Remove programs subsystem on the endpoint and verifies whether the installed applications on the endpoint are at the latest patched version. For example, if the security team of the organization defined that any Internet Explorer version under 11 is considered vulnerable, Cynet will scan all of the endpoints in the organization and generate a medium severity alert for all the endpoints which contain an Internet Explorer version under 11.

• In the “Application Patch Validation” configuration section, the operator is able to add\remove applications which are required to be installed with a minimum version. The name of the application should be written as it is displayed in “Add\Remove Programs” in Windows.

▪ Agents Validation:

• In this function, the operator is able to insert a list of 3rd party applications and processes which were defined as crucial applications on the endpoint. The Cynet scanner queries the Windows Task Manager and Add\Remove programs in order to verify the following:

I. If a 3rd party application is installed

II. If a 3rd party application is running.

• Cynet will scan all the endpoints in the organization and generate a medium severity alert which will contain the list of endpoints that are not compliant:

I. Application is installed but not running

II. Application is not installed and not running.

• In the “Agents Validation” configuration section, the operator is able to add\remove applications from the necessary 3rd party applications list.

I. The name of the application should be written as it is displayed in Windows “Add\Remove Programs”.

II. The process of the application should be written as it is displayed in Windows Task Manager.
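The four checks described above, as an added example that is not Cynet's own code: an offline model of missing-KB, unauthorized-application, minimum-version and agent validation over a constructed endpoint inventory. The data classes, field names, KB numbers and application names are this example's assumptions; the alert conditions and the medium severity follow the guide.

```python
"""Added example, not Cynet's own code: an offline model of the four
Vulnerability Management checks (missing KBs, unauthorized applications,
minimum application versions, required agents). Sample data is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class VaConfig:
    """Operator settings, one attribute per configuration section (assumed layout)."""
    kb_whitelist: Set[str] = field(default_factory=set)            # KBs allowed to stay missing
    unauthorized_apps: Set[str] = field(default_factory=set)       # Add/Remove Programs names
    min_versions: Dict[str, str] = field(default_factory=dict)     # app name -> minimum version
    required_agents: Dict[str, str] = field(default_factory=dict)  # app name -> process name


@dataclass
class EndpointInventory:
    """What the endpoint scanner collects for these checks (constructed sample data)."""
    hostname: str
    pending_kbs: Set[str]            # KBs Windows Update reports as ready but not installed
    installed_apps: Dict[str, str]   # Add/Remove Programs display name -> version string
    running_processes: Set[str]      # Task Manager process names


def parse_version(text: str) -> Tuple[int, ...]:
    """'11.0.9600.1' -> (11, 0, 9600, 1); non-numeric pieces compare as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def evaluate(inv: EndpointInventory, cfg: VaConfig) -> List[dict]:
    """Return one medium-severity alert per failed check, in the guide's order."""
    alerts: List[dict] = []

    # Windows Patch Validation: pending KBs, minus the whitelisted ones.
    missing = sorted(inv.pending_kbs - cfg.kb_whitelist)
    if missing:
        alerts.append({"check": "missing_patches", "severity": "medium", "items": missing})

    # Unauthorized Applications: exact display-name match, as the guide requires.
    unauthorized = sorted(set(inv.installed_apps) & cfg.unauthorized_apps)
    if unauthorized:
        alerts.append({"check": "unauthorized_apps", "severity": "medium", "items": unauthorized})

    # Application Patch Validation: installed apps below their minimum version.
    outdated = sorted(
        f"{name} {ver} < {cfg.min_versions[name]}"
        for name, ver in inv.installed_apps.items()
        if name in cfg.min_versions
        and parse_version(ver) < parse_version(cfg.min_versions[name])
    )
    if outdated:
        alerts.append({"check": "outdated_apps", "severity": "medium", "items": outdated})

    # Agents Validation: required apps that are not both installed and running.
    non_compliant = []
    for app, proc in sorted(cfg.required_agents.items()):
        installed = app in inv.installed_apps
        running = proc in inv.running_processes
        if installed and running:
            continue
        state = "installed but not running" if installed else "not installed and not running"
        non_compliant.append(f"{app}: {state}")
    if non_compliant:
        alerts.append({"check": "agents", "severity": "medium", "items": non_compliant})

    return alerts


def demo() -> List[dict]:
    """Run the checks over a constructed endpoint so the output can be inspected."""
    cfg = VaConfig(
        kb_whitelist={"KB1111111"},                      # constructed KB numbers
        unauthorized_apps={"Example P2P Client"},
        min_versions={"Internet Explorer": "11.0"},      # the guide's own example
        required_agents={"Acme Backup Agent": "acmebackup.exe", "Acme AV": "acmeav.exe"},
    )
    inv = EndpointInventory(
        hostname="WS-042",
        pending_kbs={"KB1111111", "KB2222222"},
        installed_apps={"Internet Explorer": "10.0.9200", "Example P2P Client": "3.5", "Acme AV": "7.1"},
        running_processes={"explorer.exe"},
    )
    return evaluate(inv, cfg)


if __name__ == "__main__":
    for alert in demo():
        print(alert["check"], alert["severity"], alert["items"])
```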


UBA MANAGEMENT

The UBA Management page contains the configuration of the functions which are a part of the UBA Management feature.

▪ Configure UBA policy:

• Allows a policy to be disabled or enabled.

• Edit Policy: define the policy action, the alert severity, and the policy query.


▪ Create New Policy

• In this function, Cynet allows the user to create their own policy. In the current version, policy creation is based on SQL queries, so it is intended only for advanced and mature users.

Once a UBA policy is triggered and its configured action is SMS, the system will send an SMS confirmation to the user:

▪ User SMS Confirmation

• Cynet 360 is engineered to perform user and entity behavioral analysis (UEBA) by collecting user behavioral data and processing this data through machine learning algorithms. As part of this learning process, Cynet can prompt users in the environment when unusual logins occur through the SMS Confirmation feature.

• When an unusual login occurs, the Cynet system will send an SMS text message to the user’s mobile phone number and prompt for a login verification. This verification allows the user to approve or disapprove the login. The Cynet 360 system will then use this response to determine if an alert for unusual user behavior should be generated.


The Cynet system will import users’ mobile phone information from Active Directory or through a parsed CSV file. See the Import User Data from AD or Import User Data from CSV file settings. Cynet SMS verification messages will always come from the following phone number: +1 (646) 846-8440.

The example above shows a typical SMS Confirmation message from Cynet when an unusual login has occurred. The hyperlink within the message will send users to Cynet’s user verification site.

The example to the right shows the verification site, where users can respond to the unusual login. Responses will be sent to your Cynet server, where they can be analyzed and included in the user behavior analysis.


THREAT HUNTING

Threat Hunting allows the customer to scan the endpoints, on demand, for threats according to IOCs at rest.

Process:

- End user defines the IOCs (file SHA256, file MD5, file name, file full path), the extensions and folders to search in

- End user defines the severity of the alert that would be raised in case a threat was found

- The system scans the endpoints, and if a file that matches the IOC is found, it generates an alert

ENABLE\DISABLE TH

- Settings -> Scan groups

- Choose the relevant group

- Check\Uncheck – “Enable Threat Hunting”

- If checked – “Threat Hunting Period” – define the time interval [in minutes] to check if there is a new search to perform

CONFIGURE TH SETTINGS

In order to configure the Threat Hunting, go to:

Settings -> THREAT HUNTING

- “Create/Remove search indicator by type” – lets you create the list of IOCs to search.

o For each IOC – select the type, the value, and the description of the alert that would be raised

o Make sure to press the “+” button to add a new entry to the list

o Notice – the system would alert for any of the IOCs that were found (there is no need for ALL of the IOCs to match together)

- Filter By Extension – insert a list of file extensions that should be scanned (make sure to press the “+” button to add a new entry to the list)

- Filter By Directory – insert a list of folders to scan (make sure to press the “+” button to add a new entry to the list)

- Alert Severity - severity of the alert that would be raised in case a threat was found

- Suppressed Mode – whether to stop the current scan (if one exists) and immediately start the new scan, or wait for the current scan to finish

- Save Changes – saves the changes, and starts the threat hunting process on all endpoints

- Stop current – any endpoint that has not started to scan yet will not scan

- Restart current – every endpoint will execute the scan (regardless of whether it has already executed it or not)

- Clear Search Criteria – delete all the IOCs
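The search described above, as an added example that is not Cynet's own code: a local model of the Threat Hunting scan over a constructed directory tree. The IOC types (SHA256, MD5, file name, full path), the extension and directory filters, the alert severity and the any-match rule follow the guide; the helper names, the IOC record layout and the sample files are this example's assumptions.

```python
"""Added example, not Cynet's own code: a local model of the Threat Hunting
search. Any single matching indicator raises the alert; the extension and
directory filters decide which files are looked at. Sample files are constructed."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

HASH_TYPES = {"sha256", "md5"}


def file_hashes(path: Path) -> Dict[str, str]:
    """Hash the file in chunks so large files do not have to fit in memory."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            sha.update(chunk)
            md5.update(chunk)
    return {"sha256": sha.hexdigest(), "md5": md5.hexdigest()}


def hunt(iocs: List[dict], directories: Iterable, extensions: Iterable[str],
         severity: str) -> List[dict]:
    """Scan the filtered directories; one alert per file that matches ANY indicator."""
    ext_filter = {e.lower().lstrip(".") for e in extensions}   # empty set = no extension filter
    need_hashes = any(i["type"] in HASH_TYPES for i in iocs)   # hash only when a hash IOC exists
    alerts = []
    for root in directories:
        for path in sorted(Path(root).rglob("*")):
            if not path.is_file():
                continue
            if ext_filter and path.suffix.lstrip(".").lower() not in ext_filter:
                continue
            observed = {"file_name": path.name.lower(), "full_path": str(path.resolve()).lower()}
            if need_hashes:
                observed.update(file_hashes(path))
            # Case-insensitive comparison; hex digests are already lower case.
            matched = [i for i in iocs if observed.get(i["type"]) == i["value"].lower()]
            if matched:  # any one indicator is enough to raise the alert
                alerts.append({"file_name": path.name, "host_path": str(path),
                               "severity": severity,
                               "matched": [(i["type"], i["description"]) for i in matched]})
    return alerts


def demo() -> List[dict]:
    """Build a throwaway directory tree with constructed files and hunt through it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "bin").mkdir()
        sample = b"constructed sample content, not malware\n"
        (root / "docs" / "invoice.pdf").write_bytes(sample)            # hash IOC, in scope
        (root / "docs" / "dropper.dll").write_bytes(b"other bytes\n")  # name IOC, in scope
        (root / "bin" / "dropper.dll").write_bytes(b"other bytes\n")   # name IOC, folder not scanned
        (root / "docs" / "notes.txt").write_bytes(sample)              # hash IOC, extension filtered out
        iocs = [  # constructed indicator list, one entry per "+" press in the console
            {"type": "sha256", "value": hashlib.sha256(sample).hexdigest(),
             "description": "known bad hash"},
            {"type": "file_name", "value": "DROPPER.DLL", "description": "suspicious loader name"},
            {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "description": "empty file"},
        ]
        return hunt(iocs, [root / "docs"], [".pdf", "dll"], "High")


if __name__ == "__main__":
    for alert in demo():
        print(alert["severity"], alert["host_path"], alert["matched"])
```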


TH RESULTS

If a threat was found, according to the defined IOCs, an alert would be presented, and an email would be sent.

The alert would be presented in the “Alerts” page. The details of the alert:


WHITELISTING

The Whitelisting tab on the Settings menu offers the ability to create rules that exclude objects from the detection and remediation mechanism. Those objects can be files, users, hashes, IP addresses, etc., and they will be excluded across all Cynet agents on the network.

In order to apply a whitelist rule, it is required to select a related alert, a Type and a value.


SYSTEM INFO

The System Info page provides information about the health of the system and version.

MAIN INFO

The Main Info section contains information about this Cynet installation.

▪ Cynet Version – Running version of Cynet 360.

▪ Cynet Directory – Path of the Cynet system installation.

▪ Disk Space – The amount of used disk space (MB) / amount of total disk space (MB). All system drives will be displayed; however, Cynet will monitor only the disk it is installed on for low disk space.

SYSTEM HEALTH

The System Health section contains information regarding the system services, cloud sync, and SSE connection.

▪ Cynet Service – Displays the health status of the main Cynet service.

▪ DB – CynetDB Service – Displays the health status of the Cynet database service.

▪ Sync Cloud – Displays the health status of the connection to the Cynet VPC cloud.

▪ Monitor – CSHelper Service – Displays the health status of the Cynet Helper service, which monitors the Cynet service and CynetDB service.

▪ Smart Simulation Execution (SSE) – Displays the health status of the connection to the Cynet SSE sandbox (shows status for on premise and cloud sandbox connections).

▪ Guest Account is Active – Displays the status of the Guest account on the Cynet server (see also the Decoy Files Settings section for more information).


FEATURES & FUNCTIONALITY

The Cynet 360 platform offers a number of features and functionality it employs on top of the core threat detection engine. Some of these features include analysis, remediation, forensic, deception, and user verification functionality.

ANALYSIS ACTIONS

Files scanned by Cynet 360 can have analysis actions taken on them. To take an analysis action, open any Actions menu and select an action from the Analysis tab.

▪ Send to SOC – This action will send the selected file(s) to the Cynet SOC for deep inspection and analysis by Cynet’s team of security experts.

▪ Send to Analysis - This action will send the selected file(s) to the SSE Sandbox for analysis. This requires the Cynet SSE sandbox to be configured.

▪ Verify File - This action will verify that the selected file(s) still exists on the host(s).

▪ Get Memory Strings - This action will perform a dump of the strings within memory allocated by the selected file(s).

▪ Pull File – This action will pull the selected file occurrence from the host. This action is only available by selecting a specific file occurrence, because it requires targeting a specified host to pull the process from. Once pulled, the sample will be available for download from the File Actions page. The sample will have the extension stripped, and will be renamed to the file’s SHA256 hash. This action is limited to files 100MB or less in size.

▪ Deep Scan (only appears for file Occurrences) – This action will begin a deep scan of the selected file occurrence on the host. This action is only available by selecting a specific file occurrence, because it requires targeting a specified instance of a process on a host. For more see the Deep Scans section below.


DEEP SCANS

Cynet uses Deep Scans to monitor a specific file on an endpoint and observe the behavior of its process for an extended period of time. This is a hybrid analysis between normal scanning and sandboxing, in which the deep scan analysis takes place on the endpoint.

To initiate a Deep Scan of a file navigate to the Files Detail Page, and the Occurrences tab of the file to be deep scanned.

Deep Scans must be initiated manually.

1. On the file’s Occurrences tab, check the file occurrence to be scanned.
2. Click the Actions button to the right.
3. In the Actions menu, select the Deep Scan option.

When the Deep Scan is running, check on the Deep Scans tab on the File Actions page to view the current status.

NOTE Deep Scans can only be performed on one file per host at a time. Once the deep scan has completed on the host, another deep scan can be performed on that host.

NOTE When you initiate a Deep Scan on a process occurrence, you will be prompted to acknowledge that additional files (such as child processes) may be monitored as part of the scan. Any currently running deep scans on this host will be terminated.


Once the Deep Scan has completed, results can be viewed in the Deep Scan tab of the File Details Page of the specified file. There are two options to view results: Advanced or Normal.

Advanced View will show additional information over the Normal view about the actions observed by the Deep Scan, such as Hostname, Scope of the event/object, First Seen, and Last Seen timestamps.


REMEDIATION ACTIONS

Objects scanned by Cynet 360 can have remediation actions taken on them. To take a remediation action, open any Actions menu and select an action from the Remediation tab.

ACTIONS MENU BUTTONS

The Remediation tab also has a sub-menu which allows for navigation between the various types of remediation actions available within the system:

▪ File Actions

▪ User Actions

▪ Host Actions

▪ Network Actions


FILE ACTIONS

Cynet can take an action on files observed on endpoints in the environment. File actions can be taken from any Actions menu. Results of a file action will be recorded in the File Actions page.

▪ Delete File – This action will delete the selected file(s) from the host(s).

▪ Quarantine File - This action will quarantine the selected file(s) from the host(s). A list of quarantined files can be found on the File Actions Page of the console.

▪ Un-Quarantine File – This action will un-quarantine the selected file(s) from the host(s). This action is only available on the File Actions page, because it can only be performed on a file that has been quarantined already.

▪ Kill Process - This action will kill the selected process(es) on the hosts(s). This action leaves the file intact, only killing the process loaded in memory.

USER ACTIONS

Cynet can take an action on users observed in the environment. User actions can be taken from any Actions menu. Results of a user action will be recorded in the User Actions page.

▪ Disable User - This action will disable the selected user account (domain or local accounts).

▪ Enable User - This action will enable the selected user account if it has been disabled.


HOST ACTIONS

Cynet can take an action on hosts scanned in the environment. Host actions can be taken from any Actions menu. Results of a host action will be recorded in the Host Actions page.

▪ Scan Host - This action will re-scan the selected host(s) once.

▪ Shut Down Host - This action will shut down the selected host(s).

▪ Restart Host - This action will reboot the selected host(s).

▪ Change IP - This action will change the IP address of the host(s).

▪ Disable All NICs - This action will disable the NICs on the selected host(s). Using this action will prevent any further remote connections to the host(s).

▪ Run Command - This action will execute the specified commands on the selected host(s), and the output will be captured and presented in the console. If the output contains multiple lines, it will be preserved in a text file format.

▪ Run File - This action will allow a specified file to be run on the selected host(s). First, select a file from the local computer, then upload the file to the Cynet server. The Cynet server will then deploy the file to the host(s) to be executed.

▪ Delete Service - This action will delete the specified service on the selected host(s).

▪ Disable Service - This action will disable the specified service on the selected host(s).

▪ Delete Scheduled Task - This action will delete the specified scheduled task on the selected host(s).

▪ Disable Scheduled Task - This action will disable the specified scheduled task on the selected host(s).

▪ Isolate - This action will isolate the host(s) by filtering any incoming\outgoing communication from\to the host except the Cynet server and permitted IPs (can be configured).

▪ UnIsolate - This action will un-isolate the host(s) by removing the communication filter.


NETWORK ACTIONS

Cynet can take an action to block network connections observed in the environment. Network actions can be taken from any Actions menu. Results of a network action will be recorded in the Network Actions page.

▪ Block Traffic – This action will block traffic to specified IP addresses and domains. IP addresses will be blocked by modifying the route table on the selected host(s) so that traffic to those IPs loops back to the localhost IP address. Domains are blocked by creating an entry in the hosts file on the selected host(s) so that the domain resolves to the localhost IP address.

▪ DNS Remediation – This action will redirect all traffic to the domain to a specified IP address. This is done by creating a new zone in the internal DNS server to resolve this domain to the specified IP address. Any hosts that attempt to resolve the domain in the network will be given the specified IP address from the internal DNS server, preventing traffic from reaching the actual domain’s IP address.


APPENDIX: SYSTEM COMPONENTS INTEGRATION WITH SIEM – NEW API FOR EXTRACTING DATA FROM CYNET

New API to allow SIEM systems to extract information from Cynet:

- Sockets

- Domain occurrences

- File occurrences

- User login

- Vulnerability Assessment (NEW!)

Our APIs are documented in the product at the following link – https://<server-name>:6334/help. Relevant API entries:

- Sockets

o api/network/sockets?FromDate={FromDate}&ToDate={ToDate}&Offset={Offset}&Limit={Limit}

- Domains

o api/network/domains?FromDate={FromDate}&ToDate={ToDate}&Offset={Offset}&Limit={Limit}

- File occurrences

o api/file/occurences?FromDate={FromDate}&ToDate={ToDate}&Offset={Offset}&Limit={Limit}

- User

o api/user/loggedIn?FromDate={FromDate}&ToDate={ToDate}&Offset={Offset}&Limit={Limit}

- Vulnerability Assessment

o Missing Windows patches - api/va/patches/missing

o Existing Windows patches - api/va/patches/exsiting

o Unauthorized Applications - api/va/riskyApps

o Installed Software - api/va/installedSoftwares

o Applications patch - api/va/patchValidation

o Installed agents - api/va/Agents

Notices:

1. Currently – no documentation for the fields of the internal objects (LoggedInUserSummaryDTO, SocketSummaryDTO, FileOccurenceModel, etc…)

2. The filter according to FromDate and ToDate is calculated this way:

FromDate <= last-seen < ToDate

3. Defaults

a. Offset – 0

b. Limit – 500

c. FromDate – no filter

d. ToDate – no filter
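A paging client for the extraction API above, as an added example that is not Cynet's own code. The endpoint paths, the FromDate/ToDate/Offset/Limit parameters, the defaults (Offset 0, Limit 500) and the rule FromDate <= last-seen < ToDate come from this appendix; the base URL, the ISO 8601 date format, the record field names and the injected fetch function (which is also where authentication, not described here, would go) are assumptions, and the server is a constructed in-memory stand-in so the example runs offline.

```python
"""Added example, not Cynet's own code: page through one SIEM extraction
endpoint with Offset/Limit and the documented date window. The fake server
below is a constructed stand-in that applies the same rules in memory."""
from datetime import datetime, timedelta
from typing import Callable, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

DEFAULT_OFFSET = 0     # documented default
DEFAULT_LIMIT = 500    # documented default
Fetch = Callable[[str], List[dict]]   # takes a URL, returns the decoded JSON page


def build_url(base: str, path: str, from_date: Optional[datetime] = None,
              to_date: Optional[datetime] = None, offset: int = DEFAULT_OFFSET,
              limit: int = DEFAULT_LIMIT) -> str:
    """Compose one request URL; an omitted date means 'no filter', as documented.
    ISO 8601 for the date values is an assumption of this example."""
    params = {"Offset": offset, "Limit": limit}
    if from_date is not None:
        params["FromDate"] = from_date.isoformat()
    if to_date is not None:
        params["ToDate"] = to_date.isoformat()
    return f"{base}/{path}?{urlencode(params)}"


def iterate_records(fetch: Fetch, base: str, path: str,
                    from_date: Optional[datetime] = None,
                    to_date: Optional[datetime] = None,
                    limit: int = DEFAULT_LIMIT) -> Iterator[dict]:
    """Walk every page of one endpoint; a short (or empty) page is the last one."""
    offset = DEFAULT_OFFSET
    while True:
        page = fetch(build_url(base, path, from_date, to_date, offset, limit))
        yield from page
        if len(page) < limit:
            return
        offset += limit


def make_fake_server(records: List[dict]) -> Fetch:
    """Constructed stand-in for the Cynet server: applies the documented window
    FromDate <= last_seen < ToDate, then the Offset/Limit slice."""
    def fetch(url: str) -> List[dict]:
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        offset = int(q.get("Offset", DEFAULT_OFFSET))
        limit = int(q.get("Limit", DEFAULT_LIMIT))
        from_date = datetime.fromisoformat(q["FromDate"]) if "FromDate" in q else None
        to_date = datetime.fromisoformat(q["ToDate"]) if "ToDate" in q else None
        selected = [r for r in records
                    if (from_date is None or from_date <= r["last_seen"])
                    and (to_date is None or r["last_seen"] < to_date)]
        return selected[offset:offset + limit]
    return fetch


def demo(limit: int = 3) -> dict:
    """Pull one week of socket records from a constructed 12-day data set and
    report which record ids came back and how many requests it took."""
    start = datetime(2020, 1, 1)
    records = [{"id": i, "last_seen": start + timedelta(days=i)} for i in range(12)]
    calls: List[str] = []
    server = make_fake_server(records)

    def counting_fetch(url: str) -> List[dict]:   # wraps the fake server to count requests
        calls.append(url)
        return server(url)

    got = list(iterate_records(counting_fetch, "https://cynet.example:6334",
                               "api/network/sockets",
                               from_date=start + timedelta(days=2),   # 2020-01-03, inclusive
                               to_date=start + timedelta(days=9),     # 2020-01-10, exclusive
                               limit=limit))
    return {"ids": [r["id"] for r in got], "requests": len(calls)}


if __name__ == "__main__":
    print(demo())
```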


MULTI-TENANCY

In a distributed architecture, Cynet servers can be configured in a Master/Slave configuration. In this architecture, there will be one Master server, and there can be multiple Slave servers configured to communicate with the Master server. For more information about configuration, see the Master & Slave Settings sections for configuration settings of both Master and Slave servers.

Cynet provides a single console to view data from multiple locations. When logging into the Master server, the console will by default display all data related to the Master server’s database. To view the console for configured Slave servers, use the drop-down menu in the Menu Section next to the Logout button and select the appropriate Slave server. This will reload the current console with all the data from the selected Slave server. Each Slave server will contain its own settings, scan data, and alerts but will be available to be viewed from the Master server’s console.

MASTER/SLAVE NETWORK COMMUNICATION

The Master server will need access to the Slave server(s) database to retrieve all data related to the Slave server’s scanned endpoints. This connection occurs on TCP port 3333. The Slave server will communicate with the Master server using an API in the web console via TCP port 8443*.

[Diagram: Cynet Master Server and Cynet Slave Server connected over TCP/3333 and TCP/8443*]

NOTE The default web console listening port is TCP 8443, however this can be changed in the configuration settings. The connection from a Slave server to the Master server should be on the configured web console port for the Master server.


CYNET BINARIES

The following are binaries used by Cynet 360 to scan endpoints. See the Cynet Server Services section for more information about the executables and services that run on the Cynet server for analysis, detection, and remediation of threats.

EXECUTABLES (WINDOWS)

The following executables are run from the C:\Windows\ directory.

▪ CynetEPS.exe – The Endpoint Scanner (EPS) process is deployed by the Cynet 360 server to Windows endpoints to be scanned. It deploys certain child processes (see below) and collects indicators from files, users, hosts, and network data for threat analysis. This process handles all communication between the endpoint and the Cynet server.

The following are child processes dynamically spawned by CynetEPS.exe

▪ CynetMS.exe – The Memory Scanner (MS) process scans memory usage by running processes for malicious activity.

▪ CynetAR.exe – The Auto Run (AR) process collects data regarding autorun entries, drivers, tasks, services, etc. for processes scheduled to run at boot (persistence).

▪ CynetGW.exe – The GUI Window (GW) process collects data regarding window activity for each process, to detect processes running in hidden windows.

▪ CynetSD64.exe – The Software Dev 64-Bit (SD64) process collects DLL dependencies for 64-bit processes running on the system. Since the CynetEPS is running as a 32-bit process, the CynetSD64 process is necessary to collect this data from 64-bit processes.

▪ CynetLauncher.exe - The Launcher executable is a remote execution process which runs on endpoints to distribute the CynetEPS executable for scanning.

▪ CynetDS.exe – The Deep Scan executable runs on endpoints for forensic analysis of a specified process. CynetDS can monitor only one process per host at a time, but multiple hosts can have a deep scan running at the same time. See the Deep Scans section for more information.

▪ CynetRunner.exe – The Runner executable is deployed to endpoints when certain remediation actions are used. When “Run Command” or “Run File” actions are used, this process will handle the execution of the action, and collect the response output. The output can then be viewed in the console interface.

▪ CynetRunner64.exe – The 64-bit version of the CynetRunner.exe process (see above).

DAEMONS (LINUX & MAC)

The following daemons are run from the /opt/Cynet/ directory.

▪ CynetEPS – The Endpoint Scanner (EPS) daemon is deployed by the Cynet 360 server to Linux or Mac endpoints to be scanned. It collects indicators from files, users, hosts, and network data for threat analysis. This process handles all communication between the endpoint and the Cynet server.


CYNET SERVICES

The following are services used by Cynet 360 for various purposes. Services are listed as services which run on the server, and services that run on the scanned endpoints in the environment.

CYNET SERVER SERVICES

The services listed below are only found on the Cynet server for processing scan data from scanned endpoints. For more information about Stopping/Starting procedures for these services, see the Stop/Start Cynet Server Services section of this guide.

▪ CSHelper (cshelper.exe) – The CSHelper service acts as a watchdog service for the other Cynet services on the server. It will constantly check that all other Cynet services are running, and will automatically restart any that are not currently running. This service can also check if updates to the Cynet server version exist. If the system is configured for automatic updates, it will begin the update process and restart the Cynet services after the update has completed.

▪ Cynet (cynet.exe) – The Cynet service is the central service, which coordinates actions between all other Cynet services. It performs start-up checks, performs database updates or maintenance when necessary, runs threat analysis queries, heartbeats back to the Cynet VPC, runs threat intelligence queries, sends files to the sandbox for analysis, and performs remediation actions on endpoints (whether taken manually or through auto-remediation).

▪ CynetListener (cynetlistener.exe) – The CynetListener service is responsible for listening for raw scan data coming in from endpoints. This service will place this data in a temporary queue, where it will be processed by the CynetProtobufHandler service when available.

▪ CynetProtobufHandler (cynet.protobufprocessor.exe) – The CynetProtobufHandler service processes the raw scan data received from endpoints (queued by CynetListener) so it can be stored in the appropriate database location.

▪ Redis (redis-server.exe) – Redis is an in-memory data store used as a queue between the Cynet database and the frontend web interface. The queuing keeps page loads fast, especially for actions that require complex database queries.

▪ [OPTIONAL] CynetSyslog (Cynet.Syslog.exe) – The CynetSyslog service can be configured to run a syslog listener. This service will accept incoming syslog messages through a configured port and archive them on the Cynet server. The Cynet server can also be configured to parse syslogs (see the Log Parser settings section of this guide).


ENDPOINT SERVICES (WINDOWS)

The service listed below is installed on any Windows host with the Light Agent installed.

▪ CynetLauncher – This service is created when the light agent is installed on a Windows host. It runs CynetLauncher.exe once at boot, which invokes the CynetEPS process on the endpoint with the necessary command-line parameters.

ENDPOINT SERVICES (LINUX)

The service listed below is installed on any Linux host with the Light Agent installed.

▪ cyservice – This service is created when the light agent is installed on a Linux host. This service starts the CynetEPS daemon when the system boots. It is placed in the /etc/init.d/ directory.

ENDPOINT SERVICES (MAC)

The service listed below is installed on any Mac host with the Light Agent installed.

▪ com.cyneteps.service.plist – This launchd daemon is created when the light agent is installed on a Mac host. It starts the CynetEPS daemon when the system boots and is placed in the /Library/LaunchDaemons/ directory.

NOTE The CynetLauncher service does not stay in the ‘Running’ state after it runs. To verify that the light agent is running, open Task Manager and check that the CynetEPS process is running. See the Validation section of the Windows Light Agent Installation procedure for more details.

NOTE See the Validation section of the Linux Light Agent Installation procedure for details on checking the status of the cyservice service.

NOTE See the Validation section of the Mac Light Agent Installation procedure for details on checking the status of the com.cyneteps.service.plist daemon.


CYNETEPS COMMAND-LINE FLAGS

The CynetEPS process that runs on Windows endpoints accepts a number of command-line flags that activate or deactivate functionality of the Cynet scanner while it scans endpoints. The flags can be seen in the “Command Line” column of the Windows Task Manager.

A typical CynetEPS execution with a full command-line of flags may look like this:

CynetEPS.exe 192.168.200.100 -port 443 -cpulimit 15 -scanid 52 -alwayson -driver -donetworkcheck -adthransom -adtdokill -ualert -fh -fhdokill

NOTE The first command-line argument is the IP address of the Cynet server. It is required for CynetEPS to run, and it is passed without a flag.


The following describes the command-line flags and values that control the functionality of CynetEPS. These flags are set at execution time and are typically set by the Cynet server when scanning endpoints. They may also be used to set the default configuration of the Light Agent during agent installation. Consult Cynet support for any questions regarding these flags.

▪ -port <port> – Defines the port the EPS uses when sending scan data back to the Cynet server. Example: -port 443

▪ -secip <ip> – Defines a secondary IP address for the EPS to send scan data to. This address is only used if the primary IP address (the first command-line argument) is unavailable. Example: -secip 192.168.100.200

▪ -secport <port> – Defines the port used with the secondary IP address when sending scan data back to the Cynet server. Example: -secport 8443

▪ -cpulimit <value> – Defines the maximum CPU usage (in percent) that CynetEPS and CynetMS together may consume while scanning the host. 60% of this value is allocated to the CynetEPS process and the remaining 40% to the CynetMS process. Example: -cpulimit 15 (9% to CynetEPS, 6% to CynetMS)

▪ -memsize <value> – Defines the maximum memory (in megabytes) that CynetEPS and CynetMS may consume while scanning the host. The limit is applied to each of the two processes. Example: -memsize 300

▪ -heartbeat <value> – Defines the interval (in seconds) at which CynetEPS heartbeats back to the Cynet server. The default value is 300 (5 minutes). Example: -heartbeat 15

▪ -donetworkcheck – Enables an internet connectivity check by CynetEPS. The result is factored into the risk score analysis. Example: -donetworkcheck

▪ -nomemstr – Disables memory string collection by CynetEPS when analyzing processes on endpoints during scanning. Example: -nomemstr

▪ -ps <ip> – Binds the EPS to the NIC configured with the given host IP address in order to detect network-based attacks. Example: -ps 192.168.1.10

▪ -pps <value> – Defines the maximum number of network packets CynetEPS analyzes per second. If this limit is exceeded, the Network Monitor within CynetEPS sleeps until it has finished analyzing all packets in the current queue. Example: -pps 10000

▪ -ualert – Enables a desktop pop-up on the endpoint to notify the user when Cynet generates an alert. Example: -ualert

▪ -driver – Installs the Cynet driver on the system for self-protection mode, which ensures that the EPS process cannot be killed on the host. It also provides kernel-level visibility. Example: -driver

▪ -driverblockraw – Blocks any attempt to write to the MBR. Example: -driverblockraw

▪ -driverkillraw – Enables automatic remediation for attempts to write to the MBR: any process that was blocked from writing to the MBR is killed. Example: -driverkillraw

▪ -driverloghandle – Enables logging of process handles on scanned endpoints. Typically used only for troubleshooting. Example: -driverloghandle

▪ -debugconfig – Stores all scan data in an unencrypted, human-readable data file on the endpoint. Typically used only for troubleshooting; because the file is unencrypted, remove the flag and the file once troubleshooting is finished. Example: -debugconfig

▪ -disableupdate – Prevents CynetEPS from automatically updating its arguments from the Cynet server. Typically used only for troubleshooting. Example: -disableupdate

▪ -showconsole – Displays all CynetEPS activity in a command prompt at execution. Typically used only for troubleshooting. Example: -showconsole

▪ -savelog (-loglevel <value>) – Logs all CynetEPS activity to a log file at C:\Windows\clog\CynetEPSLog.txt. Optionally, -loglevel can be used in conjunction to specify which types of events are written to the log; the level can be given by name or by number. Typically used only for troubleshooting.

Log Levels:

1 - all

2 - trace

3 - debug

4 - info (default)

5 - warn

6 - error

7 - fatal

8 - off

Example: -savelog

Example: -savelog -loglevel all

Example: -savelog -loglevel 1

▪ -debugms – Logs all CynetMS activity to a log file at C:\Windows\System32\CynetLoggerMS.txt or C:\Windows\CynetLoggerMS.txt (depending on the working directory). Typically used only for troubleshooting. Example: -debugms

▪ -savejson – Creates JSON files locally that mirror the data files sent back to the Cynet server (called PCQ files). These files are typically saved as C:\Windows\system32\CynetEPSJson#.file. Typically used only for troubleshooting. Example: -savejson

▪ -savezip – Saves all PCQ files to a single zip file, typically C:\Windows\CynetEPSJson.zip. Typically used only for troubleshooting. Example: -savezip

▪ -osharecycle <value> – Defines the minimum time (in minutes) that CynetEPS takes to collect information on a remotely opened file. Example: -osharecycle 3

▪ -fh – Enables the Fuzzy Hashing detection mechanism, which mathematically calculates similarities in code to detect variants of known malware. Example: -fh

▪ -fhdokill – Enables remediation for threats detected by Fuzzy Hashing: detected processes are killed automatically. Example: -fhdokill

▪ -decoy – Enables CynetEPS to monitor for brute force attempts against decoy files and users deployed to the endpoint. Example: -decoy

▪ -adtdisable – Disables the ADT (Advanced Detection Technology) heuristic engine in CynetEPS, which is enabled by default. Cynet does NOT RECOMMEND disabling this feature, as it is an important threat detection mechanism. Example: -adtdisable

▪ -adthdokill – Enables CynetEPS to automatically kill processes the ADT Heuristic Engine determines to be malicious. Example: -adthdokill

▪ -adthransom – Enables the Ransomware detection mechanism in the ADT Heuristic Engine. Example: -adthransom

▪ -adtnodecoy – Disables the decoy file feature of ADT Ransomware detection. With this feature, hidden decoy files are deployed to specific locations on the file system to detect Ransomware. Cynet does NOT RECOMMEND disabling this feature, as it affects the ability to detect new Ransomware variants. Example: -adtnodecoy

▪ -adtdecoylimit <value> – Defines the maximum disk space (in megabytes) that the ransomware heuristic decoy files may use. Example: -adtdecoylimit 100

▪ -adtnoproccb – This flag disables… Example: -adtnoproccb

▪ -fastscan – Enables the CynetEPS external threat intelligence check. Example: -fastscan

▪ -fastscandokill – Enables CynetEPS to automatically remediate threats detected using external threat intelligence. Example: -fastscandokill
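As an added example (this editor's code, not Cynet's), the following Python module parses a CynetEPS command line of the form shown earlier in this section and checks it for the points a reviewer of an agent deployment would look at: troubleshooting-only flags left enabled, features Cynet says not to disable, auto-kill flags whose detection flag is absent, -loglevel without -savelog, and flags the list above does not document. It assumes only the grammar the guide gives (server IP first and without a flag, whitespace-separated arguments with no quoting, the flags in VALUE_FLAGS taking one value); -scanid and -alwayson are taken from the example command line rather than the flag list, and the check rules and messages are the editor's own. Fed the guide's example command line, it reports -adtdokill as not in the list and names -adthdokill as the closest documented flag.

```python
"""Parse and sanity-check a CynetEPS command line (added example, not Cynet code).

Assumed grammar, taken only from the guide: the Cynet server IP is the first
argument after CynetEPS.exe (required, no flag), every other argument is a flag
beginning with '-', and the flags in VALUE_FLAGS take one value. The audit()
rules and messages are this editor's suggestions, not Cynet's.
"""
import difflib
import ipaddress
# Flags that take a value (from the flag list; -scanid appears only in the example).
VALUE_FLAGS = {"port", "secip", "secport", "cpulimit", "memsize", "heartbeat",
               "ps", "pps", "loglevel", "osharecycle", "adtdecoylimit", "scanid"}
# Boolean flags from the list, plus -alwayson, which appears only in the example.
BOOL_FLAGS = {"donetworkcheck", "nomemstr", "ualert", "driver", "driverblockraw",
              "driverkillraw", "driverloghandle", "debugconfig", "disableupdate",
              "showconsole", "savelog", "debugms", "savejson", "savezip", "fh",
              "fhdokill", "decoy", "adtdisable", "adthdokill", "adthransom",
              "adtnodecoy", "adtnoproccb", "fastscan", "fastscandokill", "alwayson"}
KNOWN_FLAGS = VALUE_FLAGS | BOOL_FLAGS
LOG_LEVELS = {"all": 1, "trace": 2, "debug": 3, "info": 4,
              "warn": 5, "error": 6, "fatal": 7, "off": 8}
# Flags the guide marks "typically only used for troubleshooting", the two features
# Cynet says NOT to disable, and each auto-kill flag with the detection it acts on.
TROUBLESHOOTING = {"driverloghandle", "debugconfig", "disableupdate", "showconsole",
                   "savelog", "debugms", "savejson", "savezip"}
NOT_RECOMMENDED = {"adtdisable", "adtnodecoy"}
KILL_NEEDS = {"fhdokill": "fh", "fastscandokill": "fastscan"}


def parse_eps_cmdline(cmdline):
    """Return {'exe', 'server', 'flags', 'unknown'} for one CynetEPS command line."""
    # Command lines copied from the PDF guide carry en/em dashes instead of '-'.
    argv = cmdline.replace("\u2013", "-").replace("\u2014", "-").split()
    if len(argv) < 2 or argv[1].startswith("-"):
        raise ValueError("the Cynet server IP must directly follow CynetEPS.exe")
    server = str(ipaddress.ip_address(argv[1]))  # ValueError if not an IP literal
    flags, unknown, i = {}, [], 2
    while i < len(argv):
        if not argv[i].startswith("-"):
            raise ValueError(f"unexpected bare argument {argv[i]!r}")
        name = argv[i].lstrip("-").lower()
        value_follows = i + 1 < len(argv) and not argv[i + 1].startswith("-")
        if name in VALUE_FLAGS and not value_follows:
            raise ValueError(f"-{name} requires a value")
        if name not in KNOWN_FLAGS:
            unknown.append(name)  # keep going; an unknown flag may carry a value
        takes_value = name in VALUE_FLAGS or (name not in KNOWN_FLAGS and value_follows)
        flags[name] = argv[i + 1] if takes_value else True
        i += 2 if takes_value else 1
    return {"exe": argv[0], "server": server, "flags": flags, "unknown": unknown}


def cpu_split(cpulimit):
    """Split -cpulimit as the guide describes: 60% to CynetEPS, 40% to CynetMS."""
    limit = float(cpulimit)
    if not 0 < limit <= 100:
        raise ValueError(f"-cpulimit {cpulimit} is not a percentage")
    return round(limit * 0.6, 2), round(limit * 0.4, 2)


def normalize_loglevel(value):
    """Accept a -loglevel name ('all') or number ('1') and return the number."""
    text = str(value).strip().lower()
    if text in LOG_LEVELS:
        return LOG_LEVELS[text]
    if text.isdigit() and int(text) in LOG_LEVELS.values():
        return int(text)
    raise ValueError(f"-loglevel {value!r} is not one of {sorted(LOG_LEVELS)} or 1-8")


def audit(parsed):
    """Return findings for an agent command line (an empty list means clean)."""
    present, findings = set(parsed["flags"]), []
    for name in parsed["unknown"]:
        hint = difflib.get_close_matches(name, sorted(KNOWN_FLAGS), n=1, cutoff=0.8)
        findings.append(f"unknown flag -{name}"
                        + (f" (closest documented flag: -{hint[0]})" if hint else ""))
    for name in sorted(TROUBLESHOOTING & present):
        findings.append(f"-{name} is troubleshooting-only; remove it from production agents")
    for name in sorted(NOT_RECOMMENDED & present):
        findings.append(f"-{name} disables a feature Cynet recommends keeping enabled")
    for kill, detect in KILL_NEEDS.items():
        if kill in present and detect not in present:
            findings.append(f"-{kill} has no effect without -{detect}")
    if "adtdisable" in present and present & {"adthransom", "adthdokill"}:
        findings.append("-adtdisable turns off ADT, so -adthransom/-adthdokill cannot act")
    if "loglevel" in present and "savelog" not in present:
        findings.append("-loglevel only takes effect together with -savelog")
    return findings


# Constructed input: the guide's example command line as it pastes from the PDF.
GUIDE_EXAMPLE = ("CynetEPS.exe 192.168.200.100 \u2013port 443 \u2013cpulimit 15 \u2013scanid 52 "
                 "\u2013alwayson \u2013driver -donetworkcheck \u2013adthransom \u2013adtdokill "
                 "\u2013ualert \u2013fh -fhdokill")
if __name__ == "__main__":
    parsed = parse_eps_cmdline(GUIDE_EXAMPLE)
    print(parsed["server"], cpu_split(parsed["flags"]["cpulimit"]), audit(parsed))
```

On a Windows host the live command line can be read with Get-CimInstance Win32_Process -Filter "Name='CynetEPS.exe'" and its CommandLine property passed to parse_eps_cmdline(); the parser also normalises the en dashes that appear when the example above is copied from the PDF, so the guide's own example can be pasted in unchanged.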