Cynet 360 – User Guide
v3.7 | May 2020
Contents
4.3.5 Host System Overview View (IoT Discovery)
4.5.1 Investigating Domains and IP Addresses
5.1 Creating Alert Whitelist Profiles
5.1.1 Creating a Whitelist Profile from an Alert
5.1.2 Creating an Alert Whitelist Profile from the Whitelist Tab
5.2 Automatically Remediate Alerts
5.2.1 Creating Auto Remediation Rules
5.2.2 Editing Auto Remediation Rules
5.2.3 Deleting Auto Remediation Rules
6.2 Installing the CynetEPS Detection Engine
7.1 Performing Favorite Searches
7.7.1 Taking Actions on an Alert
7.7.6 Taking Remediation Actions
7.7.7 Auto-Remediation Actions
7.8.1 Activating Deception Users
7.8.2 Configuring Deception Users
7.9.1 Deception Office Documents
7.9.3 Deception ODBC Connection
7.9.5 Deception Stored Credentials
7.9.6 Activating Deception Files
7.9.7 Configuring Deception Files
7.9.8 Enabling Decoy Files in a Group
7.9.9 Adding a New Deception File
7.10.1 Activating the Deception Network
7.10.2 Configuring the Deception Network
8.1.1 Generating Alerts Reports
8.1.2 Generating Top Risks Report
8.1.3 Generating Vulnerabilities Assessment (VA) Reports
8.1.4 Generating Inventory Reports
9.1 Auditing Using the Cynet UI
9.2 Auditing using External Log Files
10.1 Integrating with Active Directory
10.1.1 Importing User Settings Data from Active Directory (AD)
10.1.2 Importing User Settings from a CSV File
10.1.4 Activate Chief Information Security Officer (CISO) Kit
10.3 Active Directory Authentication Settings
10.3.2 Setting the User Authentication Method
10.3.4 Configuring User SMS Confirmation Settings
10.4 Authenticating an Active Directory Group
10.5 Managing Multi-Factor Authentication (MFA)
10.5.1 Activating MFA for a User
10.5.2 Removing MFA for a User
10.6.1 Changing a User’s Password
11.1.1 Activating Deception Users
11.1.2 Configuring Deception Users
11.2.1 Deception Office Documents
11.2.3 Deception ODBC Connection
11.2.5 Deception Stored Credentials
11.2.6 Activating Deception Files
11.2.7 Configuring Deception Files
11.2.8 Enabling Decoy Files in a Group
11.2.9 Adding a New Decoy File
11.3.1 Activating the Deception Network
11.3.2 Configuring the Deception Network
12 Scanning On-Demand (Threat Hunting)
12.1.1 Enabling Threat Hunting
12.1.2 Configuring Threat Hunting Settings
14.2 Setting Up Cynet to Detect Threats
14.2.3 Configuring Scan Population Settings
14.2.4 Configuring Scan Schedule Settings
14.2.5 Setting Scan Frequency (Throttle Settings)
14.2.6 Excluding IP Addresses and Hosts from Scans
14.2.7 Excluding Analysis Policies from Scans
14.2.8 Excluding Domains from Scans
14.2.9 Configuring Network Traffic Analysis Settings
14.2.10 Configuring Log Parser Settings
14.2.11 Analytics Server Configurations
14.2.12 Monitoring Malicious Logins
14.3 Configuring Advanced Settings
14.3.1 Configuring Connection Settings
14.3.2 Configuring Privacy & Compliance Settings
14.3.3 Disabling Collection of Data
14.3.4 Configuring Cynet SOC Settings
14.3.5 Configuring Slave Server Settings
14.3.6 Configuring Console Settings
14.3.8 File Monitoring Settings
14.4.1 Dynamic Analysis Settings
14.5 Configuring Vulnerability Management Settings
14.5.1 Configuring Windows Patch Validation
14.5.2 Unauthorized Applications
14.5.3 Application Patch Validation
14.5.5 Configuring UBA Management
14.6 Customizing Auto-Remediation Actions
14.6.1 Configuring Remediation Settings
14.7 Custom Remediation Playbooks
14.7.1 Configuring the Custom Remediation Playbook
14.7.2 Applying the Custom Remediation Playbook
14.8 Viewing System Information
14.9.3 Configuring Alert Settings
14.9.4 Unscanned Host Alert Settings
14.9.5 Email Alert Filter Settings
Appendix C Multi-Tenant Architecture
D.1 Understanding Cynet Binaries
D.2.2 Endpoint Services (Windows)
D.2.3 Endpoint Services (Linux)
D.3 CynetEPS Command-Line Flags
The Cynet SOC and Support are available to customers for any issues, questions, or comments:
Phone (IL): +972-72-336-9736
Phone (US): +1-347-474-0048
Phone (EU): +44-203-290-9051
Support Email: [email protected]
CyOps Email: [email protected]
Total Environment Visibility
An organization’s attack surface is much wider than its endpoints. Cynet continuously monitors all User logins and logouts, internal and external traffic, and process execution on hosts. This provides real-time contextual visibility into the entire environment’s activities.
360° Prevention and Detection
Cynet continuously builds and integrates technologies to prevent and detect attack vectors that target Users, files, the network, and hosts: AV, NGAV, EDR, network analytics, UEBA, and deception. This builds a robust security protection stack across all attack stages.
Automated Remediation
Cynet provides the widest set available of remediation actions for compromised hosts and Users, malicious files, and network communication. Cynet is shipped with pre-built remediation tools, making it the only solution with the ability to automatically block attacks at multiple post-compromise stages, such as privilege escalation, credential theft, and lateral movement.
Context-Based Alert Operation
In the case of malicious activity without a matching pre-built remediation, Cynet provides the full User, file, network, and host context for rapid insight into an attack’s impact and scope. The resolving process concludes with manually applying a remediation action on the compromised entity, which can be saved as a policy to automate the response to future occurrences.
Easy Deployment and Maintenance
Cynet is based on a server-agent architecture. The server can be on-site, IaaS, or hybrid, according to customer preference. The agent can be either a dissolvable executable or a lightweight agent that rapidly deploys to up to 50,000 hosts in a single day.
CyOps 24×7 Security Expertise
Cynet complements its automated threat protection technology with integrated security services at no additional cost. CyOps is a 24/7 team of threat analysts and security researchers that proactively hunts for threats among Cynet’s customers, as well as responding to customer escalations and assisting with file analysis, incident response, and deep investigation.
Cynet 360 Basics
This section provides instructions on logging into the system and a description of the Cynet 360 User Interface (UI).
Logging into Cynet 360
To log into the Cynet 360 console, navigate to: https://*CYNET_SERVER*:8443.
*CYNET_SERVER* is the IP address or hostname of your Cynet 360 server. Navigating to this URL brings up the Cynet 360 login page.
To log in for the first time, use the following default credentials:
Username: Operator
Password: qwdftyjkop
Note
We recommend that you change the default Operator credentials after initial login and after creating additional User accounts.
You may receive the message “Your connection is not private”. The reason for this is that Cynet uses a self-signed certificate. To remove this message, install a CA-issued certificate on the Cynet IIS site. To ignore this message and proceed, click Advanced followed by Proceed to localhost.
Interface Layout
The Cynet 360 UI provides a simple layout for navigating the system. There are nine main sections. You can easily navigate the UI using the main navigation menu on the left side of the screen. The main sections of the UI are as shown in the following screenshot.
Section | Description |
---|---|
Dashboard | Provides an overview of Alerts, Scans, and Analysis. See “Dashboard”. |
Alerts | Shows all alerts generated by the system. See “Finding Alerts”. |
Forensic | Shows all data from files, Users, hosts, and the network. See “Understanding Forensics”. |
Actions | Shows all remediation actions taken and the results of these actions. See “Actions”. |
Scanner | Shows all scan results of hosts in the environment. See “Running Host Scans”. |
Reports | Shows all reports generated by the system. See “Generating Reports”. |
Map | Shows a map of all configured locations. See “Maps”. |
Audit | Shows all User actions performed with the system. See “Auditing Actions”. |
Settings | Enables Users to modify all system configuration settings. See “Settings”. |
In addition to the main navigation menu, some pages contain sub-menus which you can use to navigate to other pages within the section, as shown in the following screenshot.
At the top of each page of the UI, the following displays:
Current date and time
Current logged-in User
A link to logout of the system
If the Cynet server is configured for multi-tenancy (as in the Master-Slave architecture), a drop-down menu appears next to the current logged-in User. This menu provides access to the other Cynet servers currently configured to point to this Master server. See D.2.1 “Cynet Server Services”.
Dashboard
The Dashboard provides a high-level overview of the current security status of the environment. It displays the current number of open alerts, files that have been analyzed, and hosts that have been scanned. The Dashboard enables navigation to other areas of the UI based on this information. There are five main parts to the dashboard, as shown in the following screenshot.
A: Open Alerts
B: Threat Radar
C: Files
D: Alerts by Date
E: Hosts Scanned
A: Open Alerts
Open Alerts displays metrics for current open alerts of all severity levels and the numbers of Files, Users, Hosts, and amount of Network traffic associated with these open alerts. The colored ring around Total Alerts indicates the severity of the alerts.
To display the number of open alerts of a certain severity, place the cursor on a colored portion of the Total Alerts ring.
To navigate to the Files, Users, Hosts, or Network alerts pages, click the associated icon.
IMPORTANT!
Currently, system alerts do not display (for example, deception files).
B: Threat Radar
The central circular area displays the overall risk level (the Total Security Score), and the surrounding “radar” area indicates high-risk Files, Users, Hosts, and Network traffic.
The Total Security Score is calculated from the current risk levels of every File, User, Host, and Network object, as well as from any Open Alert.
Individual risk scores for objects are shown as circles in the radar area. Objects with open alerts display as solid red circles. To view more details about these alerts, click on these circles.
If the alert has a severity score of over 1000, a notification appears under the Cynet Radar.
To display the object name and the associated Alert, click an item in the radar area. To view the details of this object, click the details icon.
C: Files
The Files area displays metrics about files that have been scanned and analyzed by the system. The percentage of “whitelisted” files indicates the number of files that have been analyzed and deemed safe by security intelligence. The Cynet CyOps SOC determines if files are safe, based on metadata collected and behavioral analysis. The SOC reviews the remaining files.
D: Alerts by Date
Alerts by Date displays a graph of alerts generated over the past ten days. The graph is a timeline of alerts generated per day.
To see the number of alerts generated on a particular day, position the cursor over that day.
E: Hosts Scanned
Hosts Scanned displays metrics of recently-scanned Hosts. It shows statistics for the number of Hosts scanned in the past day, week, and month.
Working with Alerts—Basic
When Cynet 360 identifies a suspicious or dangerous activity, it generates an alert. Alerts are divided into the following categories:
All alerts
File alerts
User alerts
Network alerts
Host alerts
Analysts might want to investigate specific alerts recorded by the system to find out more information about them.
Finding Alerts
The Alerts page provides a customizable view of the alerts generated by the system. You can use individual filters to display specific alerts, and you can take actions on displayed alerts. This page contains the following information:
Section | Section Heading | Description |
---|---|---|
A | Alert Types Menu | Enables the filtering of alerts generated for Files, Users, Hosts, Network, or All Alerts. All Alerts is the default. It includes system alerts. |
B | Quick Search | Enables the quick filtering of displayed alerts using a keyword search. |
C | Alert Actions | Enables the export of displayed alerts to an Excel file and/or taking Remediation Action. See “Taking Remediation Actions”. |
D | Alerts Quick Filter Bar | Enables the quick filtering of alerts by Alert Name, Severity, Status, Host name, File name, User name, Network, or Alert Date. You can select all currently visible alerts and perform actions on multiple alerts. |
E | Load Entries | You can use the drop-down menu to display more or fewer alerts. The default is 25 alerts. |
F | Displayed Alerts | This section displays all alerts and relevant information about them according to the filter criteria set in the Alerts Filter Bar. To view details about the alert, click the details icon. |
G | Alert Status | The Alert status is displayed below the Alert name. You can change the status individually or in a group. |
H | Total Open Alerts | Displays the current number of open alerts and the distribution of File, Users, Network, and Host alerts. |
Understanding Alerts
To view more details on a displayed alert, click the details icon.
Additional information displays as shown below.
Section | Description |
---|---|
Description | Displays the endpoint that triggered the alert: hostname, IP address, OS version, CynetEPS version, and Configuration version. |
Recommendation | Displays Cynet SOC recommendations for remediation actions you can take, based on the type and severity of the alert. |
Process Tree | Displays the chain of processes whose execution triggered the alert. The tree displays the parent process (topmost) and its children, based on the process calling order (the parent leaf triggered the child leaf). The bottom-most process is the last process in the calling chain; this is the process that was detected as malicious by the Alert in focus. |
Comments | For tracking and analysis purposes, Analysts or the CISO can add comments based on the investigation and resolution of the alert. |
Path and Hash | Some alerts also indicate the file Path and Hash—to enrich the analysis and Incident Response with more metadata. |
Investigating Alerts
The Forensic page enables you to perform an in-depth investigation into an Alert. For more details on using Forensic features, see “Understanding Forensics”.
Searching for Alerts
Advanced Search enables you to customize a search for Files, Hosts, Users, and Network traffic based on any of the available metadata fields, or to change the displayed fields in the Inventory List on any Forensic page.
To begin an advanced search, or to edit the displayed file fields, click Advanced Search.
The following window displays:
Section | Section Heading | Description |
---|---|---|
A | Display Fields | Select or clear Display Fields to modify the Inventory. |
B | Search Fields | To specify search criteria, use Search Fields. |
C | Saved Searches | To save searches for future use, use Saved Searches. |
D | Saved Policies | To apply selected search criteria as an indicator that contributes to an object’s risk level in the future, save the search criteria to Saved Policies. Saved Policies can be configured to open an alert when the policy’s search criteria are matched. |
Display Fields
You can modify the Inventory List on the Forensic pages to display additional columns. To add or remove columns from the Inventory List, select or clear fields from the Display Fields menu.
After selecting the fields you want to view, the columns in the Inventory List automatically update.
Search Fields
Adding Search Field Parameters
To add a field to the Search Fields window:
In the Display Fields menu, click the add icon next to the field you want to add.
From the drop-down menu, select the appropriate logical Operator for each field added.
Enter search filters for each field.
To apply the search filters to the Inventory list, click Search.
To remove a field from the Search Fields window, click the remove icon next to the field.
Note
Fields not selected in the Display Fields menu can still be used in the Search Fields as search filters. Although these columns do not appear in the Inventory List, they are still applied to the search results.
Saved Searches
Search filters can be saved for future use in Saved Searches.
To save search filters:
Click Save Search.
Enter a name for the saved search.
Click OK.
The saved search appears in the Saved Searches menu.
To use the saved search, click the search name in Saved Searches. The Search Fields window populates with the search filters you saved.
To add your Saved Search to Favorite Searches, click the ☆.
To delete a Saved Search:
In Saved Searches, click X next to the Saved Search name.
Click OK.
The Saved Search is deleted.
Saved Policies
You can create Saved Policies to apply a custom risk level to objects based on collected indicators. You can also create Saved Policies to open an alert on objects relevant to the policy.
To create a Saved Policy:
Enter search filter criteria in Search Fields.
To save these filters as a policy, click Save Policy.
Enter a policy name.
Enter a policy risk number between 1 and 1000.
Select Open alert on policy match.
To reopen an alert for a new occurrence of an event based on your Saved Policy, select Reopen alert on new occurrence.
From the drop-down menu, select the alert severity.
Click OK.
The saved policy appears under Saved Policies. To apply the saved policy to a new search, click the policy name in Saved Policies. The Search Fields window populates with the filters in that saved policy.
To delete a Saved Policy, click X next to the Saved Policy name.
Objects that match the Saved Policy criteria appear in the object’s Details Page as a triggered indicator. The risk value you entered in Saved Policy is factored into the new risk level for the object.
If the saved policy was configured to open an alert on policy match, you receive the alert in the main alerts page.
The alert name is the policy name you selected.
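The Search Fields and Saved Policies behaviour described above (a logical operator per field, a policy risk number between 1 and 1000 that is factored into the object’s risk level, “Open alert on policy match”, “Reopen alert on new occurrence”, and an alert named after the policy) modelled as an added Python example. This is not Cynet’s code; the operator names, the AND semantics between fields, and the sample Files Inventory rows are assumptions.

```python
"""Toy model of Search Fields and Saved Policies (added example, not Cynet's code)."""
import operator
from dataclasses import dataclass

# Per-field logical operators. The names are assumptions; the guide only says an
# operator is picked from a drop-down for each field.
OPERATORS = {
    "equals": operator.eq,
    "not equals": operator.ne,
    "contains": lambda value, needle: str(needle).lower() in str(value).lower(),
    "greater than": operator.gt,
    "less than": operator.lt,
}

@dataclass(frozen=True)
class SearchField:
    name: str      # inventory column, e.g. "Company Name"
    op: str        # key into OPERATORS
    value: object  # filter value entered by the analyst

def matches(obj: dict, fields: list) -> bool:
    """True when every search field holds (AND semantics between fields, an assumption)."""
    return all(f.name in obj and OPERATORS[f.op](obj[f.name], f.value) for f in fields)

@dataclass
class SavedPolicy:
    name: str
    fields: list
    risk: int                               # policy risk number, 1..1000 per the guide
    open_alert: bool = False                # "Open alert on policy match"
    reopen_on_new_occurrence: bool = False  # "Reopen alert on new occurrence"
    severity: str = "Medium"                # alert severity chosen from the drop-down

    def __post_init__(self):
        if not 1 <= self.risk <= 1000:
            raise ValueError("policy risk must be between 1 and 1000")

@dataclass
class Alert:
    name: str          # the alert name is the policy name
    object_key: str
    severity: str
    status: str = "Open"
    occurrences: int = 1

class PolicyEngine:
    """Evaluates inventory objects against saved policies and tracks the alerts opened."""
    def __init__(self, policies: list):
        self.policies = policies
        self.alerts: dict = {}  # (policy name, object key) -> Alert

    def evaluate(self, obj: dict):
        """Return (risk added by matching policies, names of triggered indicators)."""
        risk, triggered = 0, []
        for policy in self.policies:
            if not matches(obj, policy.fields):
                continue
            triggered.append(policy.name)  # appears on the object's Details page
            risk += policy.risk            # factored into the object's risk level
            if policy.open_alert:
                self._raise_alert(policy, obj["key"])
        return risk, triggered

    def _raise_alert(self, policy: SavedPolicy, key: str) -> None:
        alert = self.alerts.get((policy.name, key))
        if alert is None:
            self.alerts[(policy.name, key)] = Alert(policy.name, key, policy.severity)
            return
        alert.occurrences += 1
        # A closed alert comes back only if the policy asked for reopening.
        if alert.status == "Closed" and policy.reopen_on_new_occurrence:
            alert.status = "Open"

    def close(self, policy_name: str, key: str) -> None:
        self.alerts[(policy_name, key)].status = "Closed"

# Constructed sample Files Inventory rows (not real data).
SAMPLE_FILES = [
    {"key": "file:1", "File Name": "updater.exe", "Company Name": "",
     "Antiviruses": 7, "Endpoints": 3},
    {"key": "file:2", "File Name": "notepad.exe",
     "Company Name": "Microsoft Corporation", "Antiviruses": 0, "Endpoints": 120},
]

# A policy an analyst might save: no publisher information and AV vendors already flag it.
UNSIGNED_FLAGGED = SavedPolicy(
    name="No publisher, flagged by AV",
    fields=[SearchField("Company Name", "equals", ""),
            SearchField("Antiviruses", "greater than", 0)],
    risk=400, open_alert=True, reopen_on_new_occurrence=True, severity="High",
)

def demo():
    """Evaluate the samples, close the alert, then let a new occurrence reopen it."""
    engine = PolicyEngine([UNSIGNED_FLAGGED])
    results = {f["key"]: engine.evaluate(f) for f in SAMPLE_FILES}
    engine.close(UNSIGNED_FLAGGED.name, "file:1")
    engine.evaluate(SAMPLE_FILES[0])  # the same file matches again
    return results, engine.alerts[(UNSIGNED_FLAGGED.name, "file:1")]
```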
Investigating File Alerts
The Forensic page Files tab provides visibility into all scanned files in the organization and enables you to obtain file-specific information. The default Files Inventory list contains the following parameters:
Parameter | Description |
---|---|
File Name | The name of the file. To access the File Details page, click the file name. |
Risk Level | The current risk level of the file. |
Company Name | The file publisher information. |
Endpoints | The number of endpoints where the file that triggered the alert resides. |
Antiviruses | The number of antivirus vendors that have signatures for this file. |
First Seen | The date and time when this file was first seen in the environment. |
Last Seen | The date and time when this file was last seen in the environment. |
You can select the columns to display in the Inventory List, as described in “Display Fields”.
File Details Page
The File Details page provides information collected by the system about the selected file. At the top of the File Details page, a timeline describes the lifecycle of the file, as shown in the following screenshot.
The file relationship screenshot displays how the file is related to other entities in the organization.
Section | Description |
---|---|
A | This section displays associated Hosts, Processes (parent or child), Users, or Network entities. To open the details page of an entity, click it. |
B | This section displays the File Name and the Risk Level. |
C | This section displays all detected Indicators for this file: High severity indicators display in Red. Medium severity indicators display in Gold. Low severity indicators display in Blue. Positive indicators display in Green. |
The lower section of the File Details page displays multiple tabs providing detailed information about this file, as shown in the following screenshot.
Note
Some tabs may not appear in the File Details page if there is no relevant data to be displayed for that category.
Section | Description |
---|---|
Details | Displays metadata about the file such as file size, path, publisher, and hashes. |
Alerts | Displays all alerts associated with this file. The relevant remediation action tools are associated with each alert. |
Occurrences | Displays all instances of the process on all hosts. Each row shows which host or hosts it ran on, and which User or Users ran the process. See “Occurrences”. |
Hosts | Displays the hosts which contain this file. |
Users | Displays all Users running this file. |
Static Analysis | Displays information collected during the static analysis of the file. |
Sockets | Displays the network traffic generated to and from this file. |
Domains | Displays the domains queried by this process to initiate network traffic. |
Process DLLs | Displays the DLL files loaded by this process. |
Dynamic Analysis | Displays the information collected and generated from a sandbox execution of the file in the Cynet SSE. |
Occurrences
The Occurrences tab displays each instance of a file throughout the environment. If a specific file was executed on two hosts, there would be two entries in the Occurrences tab.
To view additional information on each process occurrence, click +.
Each occurrence includes details about how the file ran during that instance, including the running User, command-line, and the path from which the file was run.
Static Analysis Results
To display Static Analysis results click the Static Analysis tab on the File Details Page.
The information in this section includes:
Section | Section Heading | Description |
---|---|---|
A | The Meta area | Displays metadata such as hashes, product name (for example, “Microsoft Windows Operating System” / version information / build information), product description, digital signature, timestamp, scattering, and fingerprinting (for example, “MS Visual C++ 8.0 DLL”). |
B | Strings in File | Displays all the text strings inside the file. |
C | The File Analysis area | Displays imported functions, as well as File Header Information. |
D | The File Headers Section | Displays file headers and Portable Executable (PE) sections with their respective hashes. PE section names typically include .text, .rdata, .data, .pdata, .rsrc, and .reloc. |
Investigating Host Alerts
The Forensic Page Hosts tab displays all scanned hosts in the organization and enables you to obtain host-specific information. The default Hosts Inventory list contains the following columns:
Column | Description |
---|---|
Host Name | The name of the host. To access the Host Details page, click the host name. |
Risk Level | This is the host’s current risk level. |
Last Scan | The date and time when this host was last scanned by the system. |
Host IP | The IP address of the endpoint. |
OS Version | The operating system of the endpoint. |
# Process | The number of processes detected that are running on the endpoint. |
# Logged Users | The number of Users logged in to the endpoint. |
# Connections | The number of network connections detected at the endpoint. |
You can select the columns to display in the Inventory List, as described in “Display Fields”.
Host Details Page
Click a host name to view its details. The Host Details page displays information collected by the system for the selected host. A timeline displays describing the lifecycle of the host.
The following host relationship screenshot displays how the host is related to other entities in the organization.
Section | Description |
---|---|
A | This section displays associated Files, Users, and Network entities. To access the details page of an entity, click on it. |
B | This section displays the Host Name and Risk Level. |
C | This section displays all detected Indicators for this host: High severity indicators display in Red. Medium severity indicators display in Gold. Low severity indicators display in Blue. Positive indicators display in Green. |
The lower section of the Host Details page displays multiple tabs providing detailed information about this host, as shown in the following screenshot.
Hosts Details
The following sections appear in Host Details:
Section | Description |
---|---|
Details | Displays metadata about the host such as host name, IP Address, Operating system, and software versions. |
Alerts | Displays all alerts associated with this host. |
Files | Displays all the files & processes executed on this host. |
Users | Displays all the Users who are configured on the host and some additional information regarding User logins. |
Traffic | Displays the Domains accessed by this host, as well as open network sockets, cached DNS requests, configured IP addresses, ARP table entries, and the NICs on the host. (The screenshot below displays the Host’s accessed Domains.) Socket information presents full details of the network activity on the protected asset (IP and Port). |
Vulnerability Assessment | Provides a view of the Host’s vulnerabilities: a list of missing Windows patches that should be installed on the Host (Windows Patches), and a list of the Unauthorized Applications installed on the Host (Unauthorized Applications). |
File Monitor | A complete list of the files currently monitored by Cynet on the Cynet-protected Hosts. |
System | Contains several lists of: security certificates, installed Operating System updates, Installed Software, and network shares on the Hosts. |
Note
Certain tabs might not appear in the Hosts Details page if there is no relevant data to be displayed for that category.
Hosts Map View
The Hosts Map view enables the Operator to view the organization’s network segments and endpoints in an interconnected map display.
To access the Host Map view, select Map from the Hosts drop-down menu in Forensic.
Hosts can appear in three different colors, where different colors represent the risk status of the host:
Red: High Risk
Blue: Low Risk
To collapse or expand an object, click it.
When you click a host, the host’s detailed information appears below the map.
As on the Forensic Hosts page, the tabs under the Hosts Map show the Forensic metadata of the host selected in the map (Details, Alerts, Files, Users, Traffic, System, Vulnerability Assessment, and File Monitor).
Host Windows Events
Windows Events collected from the host appear under Host Windows Events.
In the general view you can see the Event ID collected by Cynet as well as the Event Type (for example, in the screenshot below, Security Event 4624).
Expanding an event shows the full details of the collected event: the parsed event data, divided into metadata fields.
Once the data is parsed by the Cynet server, you can use the free text search to find all events that match specific keys.
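How a Security Event 4624 message body is broken into metadata fields and then searched by free text, as an added Python example. This is not Cynet’s parser and its real field names are not documented here; the event text below is constructed in the tab-indented layout Windows uses, not a captured event.

```python
"""Parse a Windows Security event 4624 message into metadata fields and search it.
Added example; Cynet's own parser and field names are not documented on the page."""

# Constructed sample in the tab-indented layout Windows uses for 4624 (not a captured event).
SAMPLE_4624 = """An account was successfully logged on.

Subject:
\tSecurity ID:\t\tS-1-5-18
\tAccount Name:\t\tWS01$
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x3E7

Logon Type:\t\t\t10

New Logon:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x5A1B2C

Network Information:
\tWorkstation Name:\tWS01
\tSource Network Address:\t10.20.30.40
\tSource Port:\t\t50231
"""


def parse_event_message(message: str) -> dict:
    """Turn the 'Section:' / indented 'Key:<tabs>Value' layout into {section: {key: value}}.
    Unindented keys that carry a value (e.g. 'Logon Type') are stored at the top level."""
    fields, section = {}, None
    for raw in message.splitlines():
        if not raw.strip():
            continue
        indented = raw[0] in " \t"
        line = raw.strip()
        if ":" not in line:
            fields.setdefault("Message", line)  # the free-text first line
            continue
        key, _, value = line.partition(":")    # split on the first colon only (IPv6-safe)
        key, value = key.strip(), value.strip()
        if not indented and not value:         # "Subject:" opens a new section
            section = key
            fields[section] = {}
        elif indented and section is not None:
            fields[section][key] = value
        else:                                  # top-level key with a value
            fields[key] = value
            section = None
    return fields


def flatten(fields: dict, prefix: str = ""):
    """Yield ('Section/Key', value) pairs so every parsed field is searchable."""
    for key, value in fields.items():
        if isinstance(value, dict):
            yield from flatten(value, f"{prefix}{key}/")
        else:
            yield f"{prefix}{key}", value


def search_events(events: list, query: str) -> list:
    """Free-text search over parsed events: every whitespace-separated query word must
    appear (case-insensitively) in the event's log name, Event ID, field paths or values."""
    words = query.lower().split()
    hits = []
    for event in events:
        haystack = " ".join(f"{path} {value}" for path, value in flatten(event["fields"]))
        haystack = f"{event['log']} {event['event_id']} {haystack}".lower()
        if all(word in haystack for word in words):
            hits.append(event)
    return hits


def build_events() -> list:
    """Two constructed 4624 events: a remote logon by jdoe and a console logon by asmith."""
    remote = parse_event_message(SAMPLE_4624)
    console_text = (SAMPLE_4624.replace("jdoe", "asmith")
                    .replace("10.20.30.40", "127.0.0.1")
                    .replace("Logon Type:\t\t\t10", "Logon Type:\t\t\t2"))
    console = parse_event_message(console_text)
    return [{"log": "Security", "event_id": 4624, "fields": remote},
            {"log": "Security", "event_id": 4624, "fields": console}]
```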
Host System Overview View (IoT Discovery)
The Hosts System Overview view enables the Operator to view the organization’s hosts that have communicated with IoT devices.
To access the Host System Overview view, in the Forensics Page, click the Hosts tab and select System Overview.
After clicking, the following table appears:
The following sections appear in System Overview Details:
Section | Description |
---|---|
Host | The Cynet-protected Endpoint or IoT device (= the device on which the Cynet EPS module is installed) |
MAC Address | Typically associated with a MAC Vendor |
IP | IP address of the Host |
First Seen | Select the start and end date for the investigated period |
Last Seen | Select the start and end date for the investigated period |
MAC Vendor | The Vendor of the Host (for example, HP or Xerox). This value is automatically updated when it is associated with the MAC Address. |
Comments | All comments about the Host entered by Operators. Note: If a Comment field is not displayed, there are no comments associated with this host. |
Investigating User Alerts
The Forensic page Users tab provides information on all scanned User accounts in the organization. You can also access User specific information.
The User Alert tab displays a list of all User accounts that have logged into Cynet-protected hosts, as well as their metadata.
The default Users Inventory list contains the following columns:
Column | Description |
---|---|
Name | Displays the name of a User account that logged into a Cynet-protected asset (a Cynet Host). To access the User Details Page, click the User’s Name. |
Risk | The risk column displays the current risk score, or risk level of the User account. |
Locked | Displays YES if the User account is currently locked out or NO if the User account is currently not locked out. To filter the results between locked out or not, or to see all the accounts, select an option from the drop-down menu. |
Disabled | Displays YES if the User account is currently disabled or NO if the User account is currently not disabled. To filter the results between disabled or not, or to see all the accounts, select an option from the drop-down menu. |
Running Files | Displays the number of files currently running on the User account. |
Password Age | Displays the age of the User account password in days. |
Last Login | The date and time of the last login to a Host from the User account. |
First Seen | The date and time when the User account was first seen in the environment. |
You can select the columns to display in the Inventory List, as described above in “Display Fields”.
User Details Page
The Forensic page User Details tab displays information collected by the system about the selected User. A timeline displays the recorded events of the User.
Click the + to display additional information about the objects.
The User Relationship screenshot displays how the User is related to other entities in the organization.
Section | Description |
---|---|
A | This section displays associated Files, Hosts, or Network entities. To access the details page of an entity, click it. |
B | This section displays the User Name and Risk Level |
C | This section displays all detected Indicators for this User: High severity indicators display in Red. Medium severity indicators display in Gold. Low severity indicators display in Blue. Positive indicators display in Green. |
The lower section of the page displays multiple tabs providing detailed information about this User, as shown in the screenshot.
Tab | Description |
---|---|
Details | Displays metadata about this User, such as: User name, last login date, number of files running with the User, and the number of endpoints the User logged into in the last day, week, and month. |
Alerts | Displays all alerts associated with this User. |
Files | Displays all the files being run by this User. |
Hosts | Displays all Hosts this User has logged into. |
Domains | Displays a list of domains that the User tried to access. |
Sockets | Displays the sockets accessed by this User. |
Logins | Displays a list of all logins by this User across all scanned hosts. |
File Monitor | Displays file monitoring data. Default view displays all (can be filtered based on action type, Execute, Created, Deleted, Access, and Rename). |
Note
Certain tabs might not appear in the Details page if there is no relevant data to be displayed for that category.
Investigating Domains
The Forensic page Domains tab provides visibility into all Domains resolved on Hosts in the Cynet-protected environment.
The default Domains Inventory list contains the following columns:
Column | Description |
---|---|
Domain | This is the resolved domain. For additional information, click on the specific domain name (see below more details). |
Risk Level | This is the Domain’s current risk level. |
Classification | Displays the Domain classification based on security intelligence. |
Date In | The date and time when the Domain was first resolved. |
Last Seen | The last time the Domain was resolved. |
URL Count | The number of URLs visited with this Domain. |
Host Count | The number of Hosts that have resolved this Domain. |
Remote IP Count | The number of remote IP addresses that resolve to this Domain. |
Source IP Count | The number of local IPs that have resolved this Domain. |
User Count | The number of Users that have resolved this domain. |
You can select the columns to display in the Inventory List, as described in “Display Fields”.
Investigating Domains and IP Addresses
The Domains/IP Address Details page displays information collected by the system regarding the selected Domain. A timeline displays the Domain’s recorded events.
The following Domain Relationship screenshot displays how the Domain is related to other entities in the organization.
Section | Description |
A | This section displays associated Files, Hosts, and User entities. To access the details page of an entity, click it. |
B | This section displays the Domain Name and Risk Level |
C | This section displays all detected Indicators for this Domain: High severity indicators display in Red. Medium severity indicators display in Gold. Low severity indicators display in Blue. Positive indicators display in Green. |
The lower section of the page displays multiple tabs providing detailed information about this Domain, as shown in the screenshot.
Tab | Description |
---|---|
Details | Displays details about the domain, including: the number of endpoints that have accessed this domain; the first/last time the domain was seen; Domain properties; Domain Overview; Security Intelligence. |
Alerts | Displays all alerts associated with this domain. |
Occurrences | Occurrences related to this domain (for example, IP address of the domain). |
Hosts | Displays the Host accounts that have requested the domain resolution. |
Users | Displays Users related to this domain. |
URLs | Displays each instance of a URL in this domain, as a remote IP address. |
Remote IPs to URLs | Displays the list of Remote IPs obtained by resolving the specific domain URL (equivalently, the list of remote IPs that Cynet hosts have connected to when requesting the specific URL/Domain). |
Investigating Sockets
The Forensic page Sockets tab provides visibility into all network Sockets created on Hosts in the environment.
The default Sockets Inventory list contains the following columns:
Column | Description |
---|---|
Host Name | The Host associated with the network traffic. To go to the Host Details page, click the Host Name. |
Risk Level | This is the network Socket’s current risk level. |
Local IP | This is the source IP address of the network traffic. To go to the Domain/IP Address Details page, click Local IP. |
Local Port | This is the source port of the network traffic. |
Remote IP | This is the destination IP address of the network traffic. To go to the Domain/IP Address details page, click Remote IP. |
Remote Port | This is the destination port of the network traffic. |
First Seen | This is the date and time when this network traffic was first seen by CynetEPS. |
Last Seen | This is the date and time when this network traffic was last seen by CynetEPS. |
You can select the columns to display in the Inventory List, as described in “Display Fields”.
Clicking the Host Name opens the Host Forensics details page for that Host, which gives the User a holistic view of the Host’s Users, Alerts, Files, Sockets, Domains, and Vulnerability Assessment.
To drill-down on the specific Host’s socket monitoring, click on the Host’s Local IP.
Socket Details View
Clicking the Host’s Local IP column in the Socket Alert view opens the Socket Forensics view, which displays detailed Socket information collected by the system regarding the selected Socket (the Local IP of the specific Host).
A timeline displays the Socket’s recorded events.
The following Socket relationship screenshot displays how the Socket is related to other entities in the organization (Users, Files, and Hosts). If the metadata allows it, Indicators are also provided (this is not the case in the following screenshot).
Section | Description |
A | This section displays associated Files, Hosts, and User entities. To access the details page of an entity, click it. |
B | This section displays the Socket (here, the Local IP) and its Risk Level. |
C | This section displays all detected Indicators for this Socket: High severity indicators display in Red. Medium severity indicators display in Gold. Low severity indicators display in Blue. Positive indicators display in Green. |
The lower section of the page displays multiple tabs providing detailed information about this Socket, as shown in the screenshot.
Tab | Description |
---|---|
Details | Displays details about the Socket, including: the Local IP of the Socket; the Remote IP of the Socket; the Port used by the Socket; the SHA256 of files exchanged over the Socket; whether the Remote IP is known or unknown, and local or external to the LAN; First and Last Seen. |
Files | Displays a list of the Files that have used the monitored Socket, with additional metadata (risk score incurred, NTFS owner, Running User, Host name, AV score, File type, File Status, Date In, and Last Seen). |
Hosts | Displays a list of the Host accounts that have used the Socket, with Host metadata (Risk score, Last scan date, Host IP, OS Version, number of running Processes, number of logged-in Users, and number of current connections). |
Users | Displays a list of the Users that have used the Socket, with the User’s account metadata (User Name, Risk level, Account Locked, Account Disabled, Running files (files run by this User), Password age, Last login, First date seen in the Network, and Last date seen). |
Finding and Managing Alerts
When an alert is generated, Cynet offers Operators options for Whitelisting or Remediation.
Creating Alert Whitelist Profiles
Cynet 360 enables you to list applications and parameters that are authorized to run in the User’s environment. Cynet does not generate alerts for anything that is whitelisted.
There are two ways to create alert whitelist profiles:
- From the Alert: Create whitelisting profiles directly from the displayed alert. This enables Operators to:
  - Name and populate whitelist profiles by extracting available data from the Alert
  - Filter the whitelisting options to match the alert type
  - Add the Whitelist to the Audit
- From the Whitelisting tab: Create whitelisting profiles manually from the Whitelisting tab. This enables Operators to create profiles before they appear in an alert.
Creating a Whitelist Profile from an Alert
To create a whitelist rule from an alert:
From the alert list on the Alert, Forensic, or Actions page, select the alert.
Click Action.
Select the Whitelisting tab.
In the Profile Name field, enter a descriptive name.
Under Whitelisted by, select the relevant options.
Under Whitelist for, select the relevant options.
Click Create Profile.
Creating an Alert Whitelist Profile from the Whitelist Tab
The Whitelisting tab on the Settings menu enables Operators to create rules to exclude arguments from the detection and remediation mechanism. Examples of these arguments are:
Files
Users
Hashes
IP Addresses
To configure a Whitelist Rule:
From the Settings page, select the Whitelisting tab.
Click Create.
Enter the profile name.
Select the alert to whitelist and the type of alert on which the exclusion will be based.
Note
When you create a rule, you exclude arguments across all Cynet agents on the network.
Enter the value according to the type of information selected.
Click +.
Cynet 360 implements the Whitelist Rule.
Optional: The Whitelist can also be configured based on a specific scan group or host.
Notes
Once the Whitelist rule is added, alerts matching the rule that was set are NOT displayed anymore.
“All Alerts” means that the Whitelist is applied to all alerts under “Applied on alert”.
Automatically Remediate Alerts
The Auto Remediation page enables the Operator to manage rules that let Cynet 360 automatically perform remediation actions when an alert is generated. You can configure these rules to match alerts based on a number of factors. Cynet 360 takes remediation action mitigating the threat.
There are two ways to create Auto Remediation rules, using the Actions menu (as described below) and using the Alerts menu. For instructions on how to do so using the Alerts menu, see the Zendesk article, “Recommended Auto Remediation Rules”.
To access the Auto Remediation page, click Actions>Auto Remediation.
Column | Description |
---|---|
Name | The name of the Auto Remediation rule. |
Description | The description of the Auto Remediation rule. |
Remediation | The remediation action taken when this rule is matched. To filter the information displayed, select an option from the drop-down menu. |
Priority | The order in which the Auto Remediation rules are processed. |
Date In | The date and time when the Auto Remediation rule was created. |
Is Enabled | Indicates whether the rule is enabled. The filter can show enabled rules, disabled rules, or all rules. |
Creating Auto Remediation Rules
To create a new Auto Remediation rule, click Create Rule.
The Auto Remediation rule creation menu opens.
Configuring General Parameters
You can configure the following general parameters:
Parameter | Description |
---|---|
Rule Name | Enter an alias for the rule. |
Description | Enter a description for the rule. |
Priority | Enter a number from 1 to 1000 (as in firewall rule ordering). The system uses it to decide which rule to execute when two Auto Remediation rules match the same alert; the lower the number, the higher the priority. |
Matching
You can create an auto-remediation rule matched to specific host groups.
The fields required for matching to host groups are as follows:
Parameter | Description |
---|---|
Alert Name | Enter a regular expression (RegExp) to match the name of the alert. This enables matching of multiple alerts with individual names according to a pattern. To match all alert names, use the regular expression (.*) |
Host Groups | To match hosts in generated alerts, select host groups from the drop-down menu. When the host in the alert is included in a selected host group, a match is found. To match to all Host Groups, select all the checkboxes. |
Alert Severity | Select the severity to use when matching generated alerts. When the severity of an alert matches one that you have selected, a match is found. |
Advanced Matching
You can also create auto-remediation rules that match specific Files, Users, Networks, and Hosts.
The fields required for Advanced Matching are as follows:
Parameter | Description |
---|---|
File | To increase the chances of matching this rule to a generated alert you can enter a specific File Hash or File Name. To match to any File in an alert, leave this field blank. |
User | To increase the chances of matching this rule to a generated alert you can enter a specific User Name. To match to any User in an alert, leave this field blank. |
Network | To increase the chances of matching this rule to a generated alert you can enter a specific IP address, Domain, or URL. To match to any Network criteria in an alert, leave this field blank. |
Hosts to Match
To increase the chances of matching this rule to a generated alert you can add a specific Host.
Adding a new Host match:
Click Hosts to Match.
Click Add New Match.
In the Group Name field, enter an alias for the Host match entry.
In the Hosts to Match field, enter a regular expression to match the Host Name.
- This enables matching of multiple Hosts with different names according to a pattern.
- To match all Host names, use the regular expression (.*).
In the Selected OS field, select an operating system from the drop-down menu to match on operating system.
- Operating systems in the list are taken from scanned Hosts.
- To match all operating systems, select *ALL* from the drop-down menu.
To edit an existing Host match entry:
Click Hosts to Match.
Click Edit Match.
Note
The Group Name field is not functional when editing an existing Host match entry.
In the Hosts to Match field, enter a regular expression to match the Host Name.
- This enables matching of multiple Hosts with individual names according to a pattern.
- To match all Host names, use the regular expression (.*).
In the Selected OS field, select an operating system from the drop-down menu to match on operating system.
- Operating systems in the list are taken from scanned Hosts.
- To match all operating systems, select *ALL* from the drop-down menu.
Actions
You can select the type of remediation you want to use. You can also decide what actions to take when a match is found.
Remediation Type
You can select the type of remediation from the drop-down menu.
The available options are:
File remediation
Host remediation
User remediation
Network remediation
Action
For each type of remediation selected, you can select an associated action from the drop-down menus.
The options for File Remediation Actions are:
Quarantine File
Delete File
Kill Process
MyRem
The options for Host Remediation Actions are:
Restart Machine
Shutdown Machine
Disable All Nics
Run Command
The option for User Remediation Action is:
Disable User
The options for Network Remediation Actions are:
Block Traffic
DNS Remediation
When you have made all the necessary configuration changes for the Auto Remediation Rule, click Save. The new rule appears in the Auto Remediation dashboard.
Cynet Recommendations for Creating Rules
For files:
For alerts that contain “Adware”, set a “Kill Process” rule, applied only to workstation scan groups
For alerts that contain “Worm”, set a rule to quarantine the file
For alerts that contain “Backdoor”, set a rule to quarantine the file
For networks:
For alerts that contain “Phishing site”, set a rule to “Block URL”
For alerts that contain “Malware Distribution” or “Compromised Website”, set a rule to “Block IP”
Note
Rules created for networks are applied to the local machine and not at the DNS level.
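To make the matching and precedence rules of this section concrete, here is an added example (not Cynet code, and not taken from this guide) that models the whitelist step from “Creating an Alert Whitelist Profile from the Whitelist Tab” together with Auto Remediation rule selection. It assumes that the Alert Name regular expression is matched anywhere in the alert name (so “(.*)” matches every alert, as stated above), that blank Advanced Matching fields match anything, and that the matching rule with the lowest Priority number wins. The sample rules encode the recommendations above; all rules, profiles and alerts are constructed.

```python
"""Whitelist-then-Auto-Remediation selection, modelling what this guide states.
Added illustration, not Cynet code: a whitelisted alert is suppressed; a rule
matches on alert-name regex (search semantics assumed, so "(.*)" matches all),
host group, severity and optional File/User/Network fields (blank = any); the
matching rule with the lowest Priority number wins. All data is constructed."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Alert:
    name: str
    severity: str
    host: str
    host_group: str
    file_hash: str = ""
    file_name: str = ""
    user: str = ""
    network: str = ""                 # IP address, domain or URL named in the alert


@dataclass
class WhitelistProfile:
    name: str
    kind: str                         # "hash", "file", "user" or "ip"
    value: str
    applied_on: str = "All Alerts"    # a specific alert name, or "All Alerts"
    scan_group: Optional[str] = None  # optional scope to one scan group (guide: "Optional")


@dataclass
class AutoRule:
    name: str
    priority: int                     # 1..1000, lower number = higher priority
    alert_name_regex: str
    host_groups: frozenset
    severities: frozenset
    action: str                       # e.g. "Kill Process", "Quarantine File", "Block URL"
    file: str = ""                    # Advanced Matching: hash or file name, blank = any
    user: str = ""
    network: str = ""


def is_whitelisted(alert: Alert, profiles) -> Optional[str]:
    """Name of the first profile that excludes this alert, or None."""
    alert_value = {"hash": alert.file_hash, "file": alert.file_name,
                   "user": alert.user, "ip": alert.network}
    for p in profiles:
        if p.applied_on not in ("All Alerts", alert.name):
            continue
        if p.scan_group is not None and p.scan_group != alert.host_group:
            continue
        if alert_value.get(p.kind, "").lower() == p.value.lower():
            return p.name
    return None


def rule_matches(rule: AutoRule, alert: Alert) -> bool:
    """General matching plus the optional Advanced Matching fields."""
    if not re.search(rule.alert_name_regex, alert.name):
        return False
    if alert.host_group not in rule.host_groups or alert.severity not in rule.severities:
        return False
    if rule.file and rule.file.lower() not in (alert.file_hash.lower(), alert.file_name.lower()):
        return False
    if rule.user and rule.user.lower() != alert.user.lower():
        return False
    if rule.network and rule.network.lower() != alert.network.lower():
        return False
    return True


def select_action(alert: Alert, profiles, rules):
    """Whitelist wins outright; otherwise the matching rule with the lowest Priority number."""
    profile = is_whitelisted(alert, profiles)
    if profile:
        return ("whitelisted", profile)
    matches = [r for r in rules if rule_matches(r, alert)]
    if not matches:
        return ("no rule", None)
    best = min(matches, key=lambda r: r.priority)
    return (best.action, best.name)


ALL_GROUPS = frozenset({"Workstations", "Servers"})
ALL_SEV = frozenset({"Low", "Medium", "High"})
# Constructed rules following the guide's recommendations: Adware -> Kill Process
# on workstation groups only; Worm/Backdoor -> quarantine; Phishing site -> Block URL.
SAMPLE_RULES = [
    AutoRule("Adware: kill process", 100, "Adware", frozenset({"Workstations"}), ALL_SEV, "Kill Process"),
    AutoRule("Worm: quarantine", 10, "Worm", ALL_GROUPS, ALL_SEV, "Quarantine File"),
    AutoRule("Backdoor: quarantine", 10, "Backdoor", ALL_GROUPS, ALL_SEV, "Quarantine File"),
    AutoRule("Phishing: block URL", 50, "Phishing site", ALL_GROUPS, ALL_SEV, "Block URL"),
    AutoRule("Any high: quarantine", 900, "(.*)", ALL_GROUPS, frozenset({"High"}), "Quarantine File"),
]
# Constructed whitelist profile for a known admin tool, identified by its hash.
SAMPLE_PROFILES = [WhitelistProfile("Known admin tool", "hash", "b" * 64)]
SAMPLE_ALERTS = {
    "adware_ws": Alert("Adware detected", "Medium", "WS-01", "Workstations", file_hash="a" * 64),
    "adware_srv": Alert("Adware detected", "Medium", "SRV-01", "Servers", file_hash="a" * 64),
    "backdoor": Alert("Backdoor found", "High", "SRV-02", "Servers", file_hash="c" * 64),
    "admin_tool": Alert("Backdoor found", "High", "WS-02", "Workstations", file_hash="b" * 64),
}
```

Running `select_action` over `SAMPLE_ALERTS` shows the points the section makes: the Adware alert on a workstation gets Kill Process, the same alert on a server matches no rule because the rule is scoped to the workstation group, the Backdoor alert matches both the Backdoor rule and the catch-all but the lower Priority number (10) wins, and the alert whose hash is whitelisted never reaches rule matching at all.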
Editing Auto Remediation Rules
To edit an Auto Remediation rule, click the Rule Name.
The Auto Remediation editing menu opens.
Edit the rule using the same procedure as in “Creating Auto Remediation Rules”.
Deleting Auto Remediation Rules
To delete an Auto Remediation rule, select the rule in the Auto Remediation rule list.
Click Delete.
To delete the rule, click Confirm Delete.
NextGen AV
Cynet 360 has traditionally focused on protecting your organization from new and advanced cyber threats. In this version of Cynet 360, the new antivirus module further reduces the attack surface in your environment by also protecting you from known malware. Everything is done under one system with no requirement for an additional external antivirus program.
Note
NextGen AV works with Windows 8 and above.
Activating NextGen AV
To activate NextGen AV:
- Make sure that Port 5443 TCP from the endpoint to the server is open.
- Install the latest version of the CynetEPS detection engine on the endpoints in your environment. For instructions, see section 6.2 “Installing the CynetEPS Detection Engine”.
- In Cynet 360, enable the Windows Defender antivirus engine. For instructions, see section 6.3 “Enabling Cynet 360”.
Installing the CynetEPS Detection Engine
Your Cynet support representative will provide the CynetEPS installation file. Install it on every endpoint in your environment.
Enabling Cynet 360 NGAV
To enable Cynet 360 antivirus:
- On the main menu, click Settings.
- In the Scan Groups tab, scroll down to the Antivirus section and select Antivirus.
- In the Antivirus Engines section, Cynet Antivirus Engines and Antivirus Real Time Engine must be selected. If more antivirus engines are listed, you can select them too.
Note: You must select at least one antivirus engine.
- (Optional) Select Windows Defender to enable Cynet to work with Windows Defender.
- Make sure that Windows Defender Real Time is selected.
- It is not necessary to select Keep Windows Defender Service Running.
- Select the requested Antivirus option:
  - Alert Only: enables alert mode only.
When an alert is triggered, the following dialog box opens:
  - Rename File: renames the .exe file to .Cynet so that the User knows that the file is malicious.
  - Delete File: deletes the file.
- Click Save.
Understanding Forensics
Performing Favorite Searches
The Forensic page is divided into five distinct sub-sections: Files, Hosts, Users, Domains, and Sockets. Each sub-section provides inventories for all data collected by Cynet 360. Each page of the Forensic section has the same basic layout:
Label | Parameter | Description |
---|---|---|
A | Sub Menu | Contains links to the inventories of all Files, Hosts, Users, Domains, and Network sockets observed by the system. |
B | Favorite Searches | Enables predefined searches to quickly search within the inventories. |
C | Advanced Search | Enables the Operator to search within inventories in any of the available metadata fields, or to change the displayed fields in the Inventory List. |
D | Actions | Enables the Operator to export inventories to Excel and/or to take Remediation Action. |
E | Quick Filter | Enables the Operator to quickly filter inventories by metadata and indicators such as file name, risk level, host name, and IP address. |
F | Inventory List | Lists every object that matches the filter criteria set in the Quick Filter Bar. To view more information and details about this object, click on the object name. |
G | Top Results | Shows objects with high risk levels and other risky items. |
File Favorite Searches
The Files page contains eight default favorite searches. The searches cannot be edited or deleted. They provide a quick and easy way to search for files based on the following parameters:
Parameter | Description |
---|---|
Internal Com | Files that have network communication to an internal IP address. |
External Com | Files that have network communication to an external IP address. |
Unique in Org | Files that are unique within your organization and exist only once. |
DLL | Files with the .dll extension. |
EXE | Files with the .exe extension. |
No GUI | Files that are running in a hidden window. |
Detected by Security Intel | Files that have been identified using Cynet’s security intelligence feeds. |
Start Up | Files that have made themselves persistent at the endpoint and execute when the computer starts up. |
Test | When performing an Advanced Search, Users can create their own search. Click the star to save this search. It is saved under Favorite Searches with the selected name (for example, Test). |
Host Favorite Searches
The Hosts page contains three default favorites that make it quick and easy to search for hosts. The default favorite searches cannot be edited or deleted.
Parameter | Description |
---|---|
High Risk | Hosts with a high-risk level. |
Internal Com | Hosts that have network communication to an internal IP address. |
External Com | Hosts that have network communication to an external IP address. |
User Favorite Searches
The Users page contains three default favorites that make it quick and easy to search for Users. The default favorite searches cannot be edited or deleted.
Parameter | Description |
---|---|
High Risk | User accounts with a high-risk level. |
Locked | User accounts that are locked out. |
Run Risky Files | User accounts running high risk files. |
Old Password Age | Indicates the last time the password was changed. |
Domain Favorite Searches
The Domains page contains two default favorites that make it quick and easy to search for domains. The default favorite searches cannot be edited or deleted. They provide a quick and easy way to search for domains based on:
Parameter | Description |
---|---|
High Risk | Domains with a high-risk level. |
Detected by Security Intel | Domains identified using Cynet’s security intelligence feeds. |
Socket Favorite Searches
The Socket page contains one default favorite that makes it quick and easy to search for sockets. The default favorite search cannot be edited or deleted.
Parameter | Description |
---|---|
High Risk | Network Sockets with a high-risk level. |
Taking Actions
This section contains information on all available actions in Cynet.
Actions can be run from the actual Alert, or from the top right of the Forensics and Alert pages.
Auto Remediation can be performed as well. For more information on Auto Custom Remediation, see “Auto Custom Remediation” below.
Taking Actions on an Alert
Alert actions can be used to change an alert status or to perform a remediation action on files, hosts, or Users.
To open the Alert Actions menu:
On the Alerts Dashboard, select one or more alerts.
Click the Actions button.
A menu opens indicating which alerts are currently selected.
You can:
A: Change the Alert Status to Open, Close, or Ignore
B: Add Comments. See “Add Comments”
C: Create a whitelist profile. See “Creating an Alert Whitelist Profile from the Whitelist Tab ”
D: Perform additional Analysis actions. See “Analysis Action”
E: Perform Remediation actions. See “Taking Remediation Actions”
F: Create a new Auto-Remediation rule based on the alert details. See “Configuring Remediation Settings”
Note
Only actionable tabs appear in the Action window, according to the selected alerts.
Domain Actions
The Actions icon enables the Operator to insert an IP/URL of an external address, then to perform a DNS remediation on that address for the entire organization.
Block Traffic
This action blocks specific traffic to and from the selected hosts.
DNS Remediation
This action redirects all traffic to the domain to a specified IP address. A new zone in the internal DNS server is created to resolve this domain to the specified IP address. Any Hosts that attempt to resolve the domain in the network are given the specified IP address from the internal DNS server. Traffic is prevented from reaching the actual domain’s IP address.
Hosts Actions
The Actions icon enables the Operator to run actions on all the Hosts in the organization.
The Actions feature enables the Operator to perform various types of actions on all the Hosts:
Run Command
This action executes the specified commands on all the Hosts. The output is captured and presented in the console. If the output has multiple lines, it is preserved in a text file format.
Run Script
This action enables a specified file to be run on all Hosts.
To run a script on all Hosts:
Select a file from the local computer.
Upload the file to the Cynet server.
The Cynet server deploys the file to the Hosts for execution.
Add Comments
This action inserts a comment to a single alert or to multiple selected alerts simultaneously.
To add a comment to a single or multiple alerts:
From the Alert page, select the alert or alerts.
Click Actions.
Click Add Comments.
In the Add Comment window, enter your comment.
Click Add.
Analysis Action
Operators can take analysis actions on files scanned by Cynet 360.
To take an analysis action, open the Actions menu and select an action from the Analysis tab.
The following Analysis Actions are available:
Analysis Action | Description |
---|---|
Send to SOC | Sends the selected file(s) to the Cynet SOC for deep inspection and analysis. |
Send to Analysis | Sends the selected file(s) to the Server Sent Events (SSE) Sandbox for analysis. This requires that the Cynet SSE sandbox is configured. |
Verify File | Verifies that the selected file(s) still exist(s) on the Host(s). |
Get Memory Strings | Performs a dump of the strings in memory allocated by the selected file(s). |
Pull File | Pulls the selected file occurrence from the Host. This action is performed by selecting a specific file occurrence. It requires targeting a specified Host. Once pulled, the sample is available for download from the File Actions page. The sample has its extension stripped and is renamed to the file’s SHA256 hash. This action is limited to files of 100 MB or less. |
Deep Scan | Begins a deep scan of the selected file occurrence on the Host. This action is performed by selecting a specific file occurrence. It requires a specified instance of a process on a Host. |
Deep Scans
Cynet uses Deep Scans of files to monitor a specific file on an endpoint. A Deep Scan monitors the behavior of a process for an extended period of time. This is a hybrid analysis combining normal scanning and sandboxing, where the deep scan analysis takes place on the endpoint. Deep Scans are initiated manually.
Initiating a Deep Scan
To initiate a Deep Scan of a file:
In Forensic, navigate to the Files Detail Page.
Click the Occurrences tab of the file to be scanned.
Note
Deep Scans can only be performed on one file per host at a time. After the deep scan has completed on the host, another deep scan can be performed on that host.
Only executable files can be added for Deep Scanning.
On the file’s Occurrence tab, select the file occurrence to be scanned.
Click Actions.
In the Actions menu, click Deep Scan.
Note
When you initiate a Deep Scan on a process occurrence, you are prompted to acknowledge that additional files (such as child processes) may be monitored as part of the scan.
Any currently-running deep scans on this host are terminated.
While the Deep Scan is running, you can view the current status of the scan. To view the current status of the Deep Scan, click the Deep Scans tab on the File Actions page.
When the Deep Scan is complete, the results can be viewed in the Deep Scan tab of the File Details Page of the specified file.
There are two options to view results: Advanced and Normal.
Advanced View shows additional information such as Hostname, Scope of the event or object, First Seen, and Last Seen timestamps.
Whitelisting Actions
The Whitelisting tab enables you to create whitelist profiles. Select alert activities such as files, processes, and commands, or the hosts, servers, and endpoints displayed in the Whitelisting tab to ensure that future alerts are disabled for the selection.
For more information, see “Creating an Alert Whitelist Profile from the Whitelist Tab ”.
Parameter | Description |
---|---|
Profile Name | User given name of the profile to whitelist |
Whitelist by | Lists the components of the alert by activities |
Whitelist for | Lists the components of the alert by affected recipients |
Taking Remediation Actions
You can take Remediation Actions on objects scanned by Cynet 360.
To take a Remediation Action:
Navigate to Forensic.
Select the file on which you want to take action.
Click Actions.
Select the Remediation tab.
Select the Remediation Action you want to perform.
The Remediation tab has a sub-menu that enables navigation between the Remediation Actions available in the system.
File Remediation Actions
Cynet can take Remediation Actions on files observed on endpoints in the environment. File Remediation Actions can be taken from any Actions menu. The results of a File Remediation Action are recorded in the File Actions page.
The following File Remediation Actions are available:
Remediation Action | Description |
---|---|
Delete File | Deletes the selected File from the Host. |
Quarantine File | Quarantines the selected file from the host. A list of Quarantined files can be found on the File Actions Page. |
Kill Process | Kills the selected process on the hosts. This action leaves the file intact, only killing the process loaded in memory. |
User Remediation Actions
Cynet can take Remediation Actions on Users observed in the environment. User Remediation Actions can be taken from any Actions menu. The results of a User Remediation Action are recorded in the User Actions page.
The following User Remediation Actions are available:
Remediation Action | Description |
---|---|
Enable User | Enables the selected User account if it was disabled. |
Disable User | Disables the selected domain or local User account. |
Host Remediation Actions
Cynet can take Remediation Actions on Hosts scanned in the environment. Host Remediation Actions can be taken from any Actions menu. The results of a Host Remediation Action are recorded in the Host Actions page.
The following Host Remediation Actions are available:
Remediation Action | Description |
---|---|
Scan | Rescans the selected Host. |
Shut Down | Shuts down the selected Host. |
Restart | Reboots the selected Host. |
Change IP | Changes the IP address of the Host. |
Disable All NICs | Disables the Network Interface Card (NIC) on the selected Host. Using this action prevents any further remote connections to the Host. |
Run Command | Executes the specified commands on the selected Host. The output is captured and presented in the console. When the output contains multiple lines, it is preserved in a text file format. |
Pull File | Pulls an existing file from the endpoint. |
Run Script | Uploads a script and runs it on the endpoint. |
Delete Service | Deletes the specified service on the selected Host. |
Disable Service | Disables the specified service on the selected Host. |
Delete Schedule Task | Deletes the specified scheduled task on the selected Host. |
Disable Schedule Task | Disables the specified scheduled task on the selected Host. |
Isolate | Isolates the endpoint for access only to the Cynet server and Active Directory Server. |
Un-Isolate | Removes the Host isolation by removing the communication filter. |
Domain Remediation Actions
Cynet can take Remediation Actions to block network connections observed in the environment for a specific domain. Domain Remediation Actions can be taken from the Actions menu. The results of a Domain Remediation Action are recorded in the Network Actions page.
The following Domain Remediation Actions are available:
Remediation Action | Description |
---|---|
Block Traffic | Blocks traffic to specified IP addresses and domains. IP addresses are blocked by modifying the route table on the selected Host. Traffic to these IPs loops back to the localhost IP address. Domains are blocked by creating an entry in the hosts file for the selected Host and the domain resolves to the localhost IP address. |
DNS Remediation | Redirects all traffic to the domain to a specified IP address. Cynet does this by creating a new zone in the internal DNS server to resolve this domain to the specified IP address. Any Hosts that attempt to resolve the domain in the network receive the specified IP address from the internal DNS server. Traffic is prevented from reaching the actual domain’s IP address. |
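The following added example (not Cynet code, and not taken from this guide) shows how an analyst could check that the host-level Block Traffic entries described in the table are present on an endpoint, or have been cleaned up afterwards. The concrete formats it uses are assumptions: a domain block as a “127.0.0.1 <domain>” line in the hosts file, and an IPv4 block as a Windows route ADD entry with 127.0.0.1 as the gateway; the guide states only that domains resolve to, and IP traffic loops back to, the localhost address. The hosts file content is constructed.

```python
"""Audit of host-level "Block Traffic" entries as this guide describes them.
Added illustration, not Cynet code. The guide says IP blocks are route-table
entries looping traffic back to localhost and domain blocks are hosts-file
entries resolving the domain to localhost; the exact formats used here (a
"127.0.0.1 <domain>" hosts line and a Windows "route ADD <ip> MASK
255.255.255.255 127.0.0.1" entry) are assumptions. The hosts text is constructed."""
import ipaddress

LOCALHOST = "127.0.0.1"


def parse_hosts(text: str) -> dict:
    """Map each hostname to its address for every active (non-comment) line."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def sinkholed_domains(text: str) -> list:
    """Domains the hosts file currently resolves to localhost, i.e. blocked ones.
    The loopback name itself is excluded so a stock hosts file reports nothing."""
    return sorted(n for n, a in parse_hosts(text).items()
                  if a == LOCALHOST and n != "localhost")


def is_ip(target: str) -> bool:
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def plan_block(targets) -> tuple:
    """Split a block list into hosts-file lines (domains) and route entries (IPv4)."""
    hosts_lines, route_cmds = [], []
    for t in targets:
        if not is_ip(t):
            hosts_lines.append(f"{LOCALHOST} {t.lower()}")
        elif ipaddress.ip_address(t).version == 4:
            route_cmds.append(f"route ADD {t} MASK 255.255.255.255 {LOCALHOST}")
        else:
            raise ValueError(f"{t}: the guide describes IPv4 loopback routes only")
    return hosts_lines, route_cmds


def missing_domain_blocks(hosts_text: str, targets) -> list:
    """Domains on the block list that the hosts file does not yet sink to localhost."""
    wanted = {t.lower() for t in targets if not is_ip(t)}
    return sorted(wanted - set(sinkholed_domains(hosts_text)))


# Constructed hosts file: one domain already blocked, one legitimate entry.
SAMPLE_HOSTS = """# hosts (constructed sample)
127.0.0.1 localhost
127.0.0.1 bad.example      # entry written by a Block Traffic action
10.0.0.5 intranet.example
"""
SAMPLE_TARGETS = ["bad.example", "Evil.example", "203.0.113.7"]
```

`missing_domain_blocks(SAMPLE_HOSTS, SAMPLE_TARGETS)` reports only `evil.example`, because `bad.example` is already sunk to localhost; `plan_block` produces the hosts line for the missing domain and the loopback route for the IP address. Because both entries live on the individual endpoint, they cover only that host, which is the distinction the table draws between Block Traffic and DNS Remediation, where the sinkhole zone on the internal DNS server answers every host that resolves the domain.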
Auto-Remediation Actions
Operators can associate Auto-Remediation Actions to be triggered on Alerts, or create an Auto-Remediation rule on-the-fly.
As detailed in the Automatically Remediate Alerts section, Auto-Remediation is applied only upon strict rule-matching, based on the Alert’s entities (Files, Users, Hosts, or Network).
As with the rules themselves, Auto-Remediation actions enable granular actions on the Alert’s aspects: Files, Users, Hosts, or Network.
To associate an Auto-Remediation Action to an Alert, or create an Auto-Remediation Action, through the Alerts View:
- Navigate to Alerts.
- Select the Alert on which you want to take action.
- Click Actions.
- Open the Auto-Remediation tab.
- To associate an existing Auto-Remediation Rule, select the pre-defined Auto-Remediation Rule you want to associate with the Alert (the Auto-Remediation action can be available as part of the “Chosen Alerts” top pane in the Alert expandable right-hand drawer).
- To create a new Auto-Remediation rule instead, use the bottom section of the Alert expandable right-hand drawer to set the rule that controls the Auto-Remediation Action to be triggered. For more details, refer to the Automatically Remediate Alerts section.
Actions Page
The Actions page has six subsections. These are Files, Hosts, Users, Network, Playbooks, and Auto Remediation. Each subsection lists actions taken by Cynet 360.
Each page of the Actions section has the same basic layout:
A: The Sub-Menu
The Submenu has tabs for the following interfaces:
- File Actions
- Host Actions
- User Actions
- Network Actions
- Playbook Actions
- Auto Remediation
B: Action Tabs
Some action pages, such as the File Actions page, have Action Tabs providing additional actions to take. These include:
- Analysis – See “Hosts Actions” and “Analysis Action”.
- Deep Scan – See “Deep Scans”.
- Deception Files Actions – See “Running Host Scans” and “Deceptions”.
Hosts Actions
The Actions icon enables the Operator to run actions on all the Hosts in the organization.
The Actions feature enables the Operator to perform the following types of actions on all the Hosts:
Run Command
This action executes the specified commands on all the Hosts. The output is captured and presented in the console. If the output has multiple lines, it is preserved as a text file.
Run Script
This action runs a specified file on all Hosts.
To run a script on all Hosts:
- Select a file from the local computer.
- Upload the file to the Cynet server.
The Cynet server deploys the file to the Hosts for execution.
Add Comments
This action adds a comment to a single alert or to multiple selected alerts simultaneously.
To add a comment to one or more alerts:
- From the Alert page, select the alert or alerts.
- Click Actions.
- Click Add Comments.
- In the Add Comment window, enter your comment.
- Click Add.
Running Host Scans
The Scanner page enables Operators to start and stop host scans and to view the status of host scans. They can perform ad hoc scans by clicking the Manual Scans tab.
The Scanner page also enables Operators to perform the following functions:
Section | Parameter | Description |
---|---|---|
A | Scanner Action Buttons | Enable Operators to perform scan-related actions: start or stop the Scanner service; clear all displayed scan history and make the scanner service rescan all Hosts immediately; export scan errors to an Excel file; export unscanned Hosts to an Excel file; disable or enable auto-refresh of the Scanned Endpoints table; refresh the Scanned Endpoints table with the latest scan data received from the endpoints. |
B | Quick Filter | Enables Operators to quickly filter scanned Hosts by IP/Host, Scan Group, Scan, Start Scan, End, Status, Status Distribution, or details. |
C | Today Scans | Displays the combined number of successfully scanned and failed scanned endpoints. |
D | Scanned Endpoints | Lists the attempted scans on endpoints by Cynet 360 according to the configuration settings in Scan Groups. See “Scan Groups”. |
E | Excel | Enables Operators to export the complete or filtered view of the scanner page. |
F | Actions | Enables Operators to restart a scan. |
Deceptions
Cynet 360 deploys deception entities (honeypots) in your network to lure attackers. When these entities are used, Cynet 360 detects this and raises an alert on the illicit activity.
Each Deception alert contains details about which type of deception was triggered, the attacker IP address, the victim IP address, the hostname, and the file name, if applicable.
The types of deceptions are:
- Deception Users: decoy Users and host names.
- Deception Files: decoy files.
- Deception Network: decoy hosts and endpoints on the network.
To enable these deceptions:
- Activate the deception types.
- Configure the deception types.
Deception Users
Activating Deception Users
To activate deception users and files:
- On the main menu, click Settings.
- In the Scan Groups tab, navigate to Deception Users.
- Click Enable Deception Users.
Configuring Deception Users
To configure deception Users:
- On the main menu, click Settings.
- Click Deceptions.
- Click the Users tab.
To create a new deception User:
- Click Create.
- Select the Scan Group.
- Enter a User Name.
- Enter a Host Name.
- Enter a User Type.
- Click Add.
To edit an existing Deception User, click Edit and change the required settings.
To remove an existing Deception User, click Remove.
Deception Files
Cynet 360 supports different types of deception files.
Deception Type | Description |
---|---|
Office Documents | Cynet deploys Excel, Word, and PowerPoint documents to the host in a newly created user directory. These files contain beacons. When they are opened, they communicate with the Cynet server and generate an alert. Cynet enables Users to create their own deception files. |
Remote Desktop Files | Cynet deploys RDP files with saved imitation credentials on the host. When this file is executed, it attempts to connect to the Cynet server with invalid credentials and generates an alert. |
ODBC | Cynet configures an Open Database Connectivity (ODBC) connection on the host which points to the Cynet server. When this connection is used, it generates an error and an alert. |
NetBIOS | Cynet can configure network shares on the host, which are monitored. When such a share is accessed, an alert is generated. |
Stored Credentials | Cynet implants invalid credential information in the Windows Credential Manager. If these credentials are obtained by an attacker and used for authentication elsewhere in the environment, an alert is generated. |
Text Files | Cynet deploys text files to the host with invalid credentials. These credentials disguise themselves as domain credentials or credentials to an internal web application. If either of these invalid credentials are used, an alert is generated. |
Deception Office Documents
Cynet creates a new user folder such as C:\Users\admin_c493d82, with a randomly generated account name.
Within this directory there are several deception Office documents, such as Word (.docx), Excel (.xlsx), and PowerPoint (.pptx) files. These files have attractive filenames to lure attackers and are placed throughout the new user directory.
When one of these files is opened with Microsoft Office, the beacon within the document attempts to communicate with the Cynet server as well as the Cynet-controlled Web domain ad-stats.com. This ensures that the Cynet SOC can identify when deception files are opened outside the corporate LAN environment.
Deception RDP Files
Cynet creates a saved RDP connection file in the same directory as described above. The RDP connection file contains invalid credentials. The file attempts an RDP connection to the Cynet server on port TCP 8484 and fails. When the RDP attempt is made, an alert is generated in the Cynet console.
Deception ODBC Connection
ODBC is an open standard API for accessing databases. ODBC statements are used to connect to various databases such as Access, dBase, DB2, Excel, and others. Cynet uses the Windows built-in programming support for ODBC by planting an ODBC connection to a non-existent database in the environment. When an attacker attempts to use this ODBC connection to connect to the invalid database, an alert is generated in the Cynet console.
Cynet implants the ODBC connection by deploying various registry keys to the Windows host. The implanted ODBC can also be found in Control Panel > System & Security > Administrative Tools > Data Sources (ODBC).
The implanted connection is listed as a SQL Server data source on the System DSN tab.
Deception Text Files
Cynet can deploy text files with invalid domain credentials within a newly created user directory. Cynet can also deploy text files with credentials for a non-existent internal application. If the domain credentials are used for authentication or if the URL is accessed, an alert is generated in the Cynet console.
Deception Stored Credentials
The Windows Credential Manager is the “digital locker” where Windows stores login credentials on the network. This data can be accessed by Windows or other applications that use the stored credentials. There are three main types of stored credentials in the Credential Manager:
Windows Credentials
Only used by Windows and its services. For example, saved credentials for a network shared folder.
Certificate-based Credentials
Used together with smart card authentication. This is usually configured in higher security networks with Active Directory configured for smart card authentication.
Generic Credentials
General saved credentials that are defined by applications used on the computer. For example, Office365 or Windows Live.
Credentials saved in the Credential Manager are commonly targeted by threat actors. Cynet 360 plants invalid username and password credentials in the Credentials Manager. When a threat actor uses these credentials to authenticate in the environment, an alert is generated.
Activating Deception Files
To activate deception files:
- On the main menu, click Settings.
- In the Scan Groups tab, navigate to Deception Files.
- Click Enable Deception Files.
Configuring Deception Files
To configure deception Files:
- On the main menu, click Settings.
- Click Deceptions.
- Click the Files tab.
From here you can:
- Add a new deception file
- Edit existing deception files
- Enable deception files in groups
Decoy File Listener Port
This is the listener port that decoy files use when beaconing back to the Cynet server. The protocol used is TCP.
Enabling Decoy Files in a Group
To enable a Deception File in a Group:
- Click the file name or its edit icon.
- Click the deploy icon.
- Select an option to deploy.
Adding a New Deception File
Users can create a new Decoy File from an existing Office file.
To Add a New Deception File:
- From the Settings > Deception tab, click Add New Decoy File.
- Select a file to use as the Decoy.
- Click Generate Test File.
- A test Decoy File is downloaded to the destination of your choice.
- Enter a file name.
- Select a group.
- Select file deployment locations.
When this file is accessed, Cynet generates an alert.
Deception Network
Cynet 360 deploys deception entities (honeypots) in your network to lure attackers. When these entities are used, Cynet 360 detects them and generates an alert on the illicit activity.
To enable this feature:
- Activate the Deception Network.
- Configure the Deception Network.
Activating the Deception Network
To activate the Deception Network:
- On the main menu, click Settings.
- Click the Scan Groups tab and navigate to Deception Network.
- Click Enable, then Save.
Configuring the Deception Network
To configure the Deception Network:
- On the main menu, click Settings.
- Click the Deception tab.
- Click the Network tab.
- In the Max Decoy Hosts Per Endpoint field, enter the maximum number of hosts for each endpoint. The default is 10.
- In the Select Group field, enter the scan group to configure.
- Add one or more decoys:
  - To manually add a single decoy, click Add.
  - To import multiple decoys from a CSV file, click Import.
  - To see how the CSV file must be set up, click Download CSV Example.
Note: You can add and import as many decoys as you want, but only the maximum number will be distributed on your network. The decoys to be uploaded are selected by Cynet 360 at random.
To delete a decoy, select it from the list and click Delete Selected Decoys.
To delete all decoys, click Delete All Decoys.
IMPORTANT: Any change to the list of decoys (adding, importing, or deleting) causes Cynet 360 to automatically select new decoys.
C: The Quick Filter Bar
The Quick Filter Bar enables the Operator to quickly filter actions by file name, host name, IP address, and actions taken.
D: The Actions Area
The Actions Area enables the Operator to export displayed action lists to an Excel file and to take additional remediation actions. See “Hosts Actions”, “Analysis Action” and “File Remediation Actions”.
E: The Actions List
This section provides a list of all actions taken on Files, Hosts, Users, and Network traffic.
File Actions Tab
The File Actions tab provides visibility of all actions taken on files in the environment. See “File Remediation Actions”. The File Actions list contains the following information:
Parameter | Description |
---|---|
File Name | The name of the File on which action was taken. |
Host Name | The name of the Host on which action was taken. |
Host IP | The IP address of the Host on which action was taken. |
Time | The time that the file action was initiated. |
Action Taken | The type of file action taken. |
Status | The result of the file action taken. |
Status Info | Additional information about the file action taken. |
Retries | Select the range of Retry numbers to filter by. |
Last Retry Time | Delimits the relevant Retry time frame to filter by. |
Note: The maximum number of retries is 48.
Analysis Actions Tab
The Analysis Actions tab provides information on all file analysis actions taken on files in the environment.
The Analysis list contains the following information:
Parameter | Description |
---|---|
File Path | The File name and the path of the File on which the action was taken. |
Host Name | The name of the Host on which action was taken. |
Hashes | The Hash of the file on which the analysis action was taken. |
Start Time | The time interval during which this action was started. |
Last Seen | The time interval during which that action was last seen. |
Static Result | The result of the static analysis on the file. |
Dynamic Result | The result of the dynamic analysis on the file. |
Deep Scans Tab
The Deep Scans tab provides information on all deep scan actions taken on files in the environment. See “Hosts Actions”, “Analysis Action” and “Deep Scans”.
The deep scan list contains the following information:
Parameter | Description |
---|---|
Scan ID | A unique identifier for the Deep Scan that was initiated. |
Host Name | The Host name on which the Deep Scan was initiated. |
File Name | The File name on which the Deep Scan was initiated. |
SHA256 | The Hash of the file on which the Deep Scan was initiated. |
Date In | The date and time of when the Deep Scan action was initiated. |
Last Heartbeat | The date and time of when the Deep Scanner last checked in with the Cynet server. |
Status | The last status update from the Deep Scanner. |
Scan Detail | Details about the deep scan such as duration (in minutes), percentage completed, and the number of actions monitored by the deep scanner. |
Decoy Files Actions
The Decoy File Actions tab provides information about all actions taken in relation to decoy or deception files deployed across the system.
Parameter | Description |
---|---|
Root Directory | The name of the Decoy File Root Directory |
Full Path | The full path of the Decoy File |
Type | The type of Decoy File |
Host Name | The Host Name where the Decoy File is located |
Action | The type of action taken |
Last Attempt Status | The status of the Last Attempt |
Last Attempt Error Code | The Error Code of the Last Attempt |
Last Attempt Error Details | The Operator-defined details |
Last Attempt Error Time | The time delimited period for the relevant Last Attempt |
Send to SOC Tab
The Send to SOC tab provides information about all the files that have been sent to the SOC for further analysis or action. The Sent to SOC table contains the following information:
Parameter | Description |
---|---|
File Path | The File name and the path of the File on which the action was taken. |
Host Name | The name of the Host on which action was taken. |
Hashes | The Hash of the file on which the analysis action was taken. |
Start Time | The time interval during which this action was started. |
End Time | The time interval during which that action was ended. |
Status | The status of the action taken. |
Host Actions
The Host Actions tab provides information on all actions taken on Hosts in the environment. The Host Actions list contains the following information:
Parameter | Description |
---|---|
Host Name | The Host name on which the Action was taken. |
Time | The time the Host action was initiated. |
Action Taken | The type of Host action taken. |
Status | The result of the Host action taken. |
Status Info | Information about the Host action taken. |
Extra Details | Additional Information about the Host action taken. |
Retries | Select the range of Retry numbers to filter by. |
Last Retry Time | Delimits the relevant Retry time frame to filter by. |
Users Actions
The Users Actions tab provides information on all actions taken on Users in the environment. The User Actions list contains the following information:
Parameter | Description |
---|---|
User Name | The User account on which the Action was taken. |
Host Name | The Host name on which the User Action was taken. |
Time | The time the User Action was initiated. |
Action Taken | The type of User Action taken. |
Status | The result of the User Action taken. |
Status Info | Information about the User Action taken. |
Retries | Select the range of Retry numbers to filter by. |
Last Retry Time | Delimits the relevant Retry time frame to filter by. |
Note: The maximum number of retries is 48.
Network Actions
The Network Actions tab provides visibility of all actions taken on network traffic in the environment. (See also “Taking Remediation Actions”.) The Network Actions list contains the following information:
Parameter | Description |
---|---|
Network Name | The Network object on which the Action was taken. |
Host Name | The Host name on which the Network Action was taken. |
Time | The time the Network Action was initiated. |
Action Taken | The type of Network Action taken. |
Status | The result of the Network Action taken. |
Status Info | Information about the Network Action taken. |
Retries | Select the range of Retry numbers to filter by. |
Last Retry Time | Delimits the relevant Retry time frame to filter by. |
Note: The maximum number of retries is 48.
Running Manual Scans
The Manual Scans page enables Operators to initiate a manual scan of a Host and to view the status of an initiated manual scan.
This applies only to Interval mode.
The Manual Scans Page has three main sections:
Section | Parameter | Description |
---|---|---|
A | Host Name / IP | Enter the Host Name or the IP address of a Host to be manually scanned. |
B | Quick Filter | Enables Operators to quickly filter manually-scanned hosts by Scan Date, IP/Hostname, Distribution Type, Scan Status, or Scan Details. |
C | Manual Scans List | Lists the endpoints that Cynet 360 attempted to scan using Manual Scans. |
IMPORTANT!
Manually-scanned hosts MUST be configured in a Scan Group in Settings. If the host is not part of a configured scan group either by hostname, IP address, IP Range, or Active Directory OU, the manual scan will fail. This is because Cynet 360 does not know which scan credentials or distribution type to use when scanning the host.
Managerial Tasks
Generating Reports
The Reports page enables Operators to generate reports on alerts and risks that are generated by the system.
The main parts of the Reports page are as follows:
Section | Parameter | Description |
---|---|---|
A | Report Types | Use this drop-down menu to select the report type. There are four types of Reports: Alerts Report, Top Risks Report, Vulnerability Assessment Report, and Inventory Report. |
B | Date Range | Select the Date Range for the report. |
C | Report Filters | You can filter Reports to show All objects, or only Files, Hosts, Users, or Network objects. |
D | Export Report | You can click the Adobe PDF icon to export the Report to PDF format. |
Generating Alerts Reports
The Alerts Report contains statistics on all alerts generated by the system within the specified date range. You can filter these reports to show alerts just for Files, Hosts, Users, or Networks.
The Alerts By Type graphic on the Reports page displays alerts by type over the given date range. Each object type is highlighted in a different color.
The Alerts By Status graphic displays the number of alerts based on their current status (open or closed). This graphic indicates the incidence of high, medium, and low severity alerts.
The radar area of the Report displays specific areas associated with these alerts in the given date range. All File, User, Host, and Network traffic generating these alerts is displayed.
To Generate an Alert Report
- From the scroll-down menu, select Alert Report.
- In the Date Range fields, enter the start and end date.
- Click Go.
- Click the PDF icon.
A PDF report is generated.
Generating Top Risks Report
The Top Risks Report displays reports for the Files, Hosts, Users, and Network traffic with the highest risk levels.
The 10 Most Risky Files graphic displays the riskiest objects based on the current Report filters you have selected.
The remaining part of this report displays the riskiest objects as well as some additional details.
To generate a Top Risk Report
- In the Date Range fields, enter the start and end date.
- From the scroll-down menu, select Top Risk Report.
- Click the PDF icon.
A PDF report is generated.
Generating Vulnerabilities Assessment (VA) Reports
VA Reports produce operational data generated by the system based on the VA configuration. There are four options for these reports:
- Missing KBs on Host (Microsoft OS patch)
- Agent Validation (Security policy compliancy)
- Application Patches Validation (3rd party application patch validation, for example, Java, Adobe)
- Unauthorized Applications
Each of the reports generates and downloads as a CSV file. You can send these reports to your IT team to resolve these issues.
To Generate a Vulnerability Assessment Report
- In the Date Range fields, enter the start and end date.
- From the scroll-down menu, select Vulnerability Assessment Report.
- From the list of Report Types displayed, select one of the four types:
  - Missing KBs on Host
  - Agent Validation
  - Application Patch Validation
  - Unauthorized Applications
A CSV file is generated.
Generating Inventory Reports
Inventory Reports produce operational data generated by the system based on the Cynet collection. This is part of the immediate visibility that Cynet provides. Typical Use Cases are:
- Creating and maintaining Configuration Management Database (CMDB)
- Understanding what is protected
- Finding old or non-supported OS
To generate an Inventory Report
- In the Date Range fields, enter the start and end date.
- From the scroll-down menu, select Inventory Report.
- Click Inventory Per Host.
A CSV file is generated.
Note: Disable your web browser’s pop-up blocker for the Cynet web interface. PDF reports are presented in a separate browser tab and might be blocked by the pop-up blocker.
Auditing Actions
The Audit Page provides a full audit trail for all User actions performed in the system. You can save the audit records in the database and in external files.
This section describes how to access and use the Audit trail using the following methods:
- Cynet UI
- External Log files
Auditing Using the Cynet UI
To navigate to the Audit page, click the Audit icon.
The Audit page displays all User actions being performed in the system.
The table displays the following information:
Parameter | Description |
---|---|
User Name | The name of the User who executed the action that generated the audit. |
Requester IP | The IP address of the host that generated the request. |
Event Description | Displays details about the action. Includes a short title of the action. Might include a JSON payload with additional details. |
Event Type | The type of the Event. |
Category | The category of the action in the system. |
Event Time | You can set the time frame for the events that you want to audit. You can enter the From date and the To date. |
You can select the number of entities to display per page. The default is 25.
To export the data to a spreadsheet, click the Excel icon.
Auditing using External Log Files
By default, all audit records are located at the following path: “C:\Cynet360\logs\audit”.
The audit files are cyclical: on every system restart, or for every 50 MB written, a new file is created with the following name format: “CF_<CREATE_HOUR>T<CREATE_MINUTE>T<CREATE_SECOND>_<YYYYMMDD>.txt”
The file is text-based and includes all audit records, one record per line, in the following format: “date hour Audit action:<action code>;UserName:<User>; category:<category>; details:<description+Json>”
This is shown in the following example:
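The guide’s own example record is a screenshot that is not reproduced here. As an added example, not Cynet’s code, the parser below reads audit files in the two formats described above, splits the details field into its description and JSON payload, and sets aside lines that do not match the record layout so they can be reviewed rather than silently dropped. The sample records, action codes, user names and categories are constructed.

```python
import json
import re
from collections import Counter
from datetime import datetime
from typing import Any, Dict, List, Optional, Tuple

# Record layout from the guide:
# "date hour Audit action:<action code>;UserName:<User>; category:<category>; details:<description+Json>"
RECORD_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+Audit action:(?P<action>[^;]*);\s*"
    r"UserName:(?P<user>[^;]*);\s*category:(?P<category>[^;]*);\s*details:(?P<details>.*)$"
)

# File name layout from the guide: CF_<CREATE_HOUR>T<CREATE_MINUTE>T<CREATE_SECOND>_<YYYYMMDD>.txt
FILENAME_RE = re.compile(r"^CF_(?P<h>\d{2})T(?P<m>\d{2})T(?P<s>\d{2})_(?P<ymd>\d{8})\.txt$")

# Constructed sample records: the action codes, users and categories are made up
# for illustration and are not values documented by the guide.
SAMPLE_AUDIT = """\
2020-05-12 09:14:03 Audit action:201;UserName:admin; category:Users; details:Created user {"user": "jdoe", "level": "Operator"}
2020-05-12 09:15:47 Audit action:305;UserName:jdoe; category:Remediation; details:Kill process {"host": "WS-0142", "pid": 4412}
2020-05-12 09:16:02 Audit action:110;UserName:jdoe; category:Login; details:User logged in
this line is not an audit record and is reported as unparsed
"""


def parse_audit_filename(name: str) -> Optional[datetime]:
    """Return the creation time encoded in an audit file name, or None if it does not match."""
    m = FILENAME_RE.match(name)
    if not m:
        return None
    return datetime.strptime(f"{m['ymd']} {m['h']}:{m['m']}:{m['s']}", "%Y%m%d %H:%M:%S")


def split_details(details: str) -> Tuple[str, Optional[Dict[str, Any]]]:
    """Split the details field into its free-text description and optional JSON payload.

    The payload is taken from the first '{' onward; if it is not valid JSON the
    whole field is kept as the description so nothing is lost.
    """
    start = details.find("{")
    if start == -1:
        return details.strip(), None
    try:
        payload = json.loads(details[start:])
    except json.JSONDecodeError:
        return details.strip(), None
    return details[:start].strip(), payload


def parse_audit_record(line: str) -> Optional[Dict[str, Any]]:
    """Parse one audit line into a dict, or return None if it does not match the layout."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    description, payload = split_details(m["details"])
    return {
        "timestamp": f"{m['date']} {m['time']}",  # kept as text: the guide fixes no date format
        "action": m["action"].strip(),
        "user": m["user"].strip(),
        "category": m["category"].strip(),
        "description": description,
        "payload": payload,
    }


def parse_audit_file(text: str) -> Tuple[List[Dict[str, Any]], List[str]]:
    """Parse a whole audit file; return (records, lines that did not parse)."""
    records: List[Dict[str, Any]] = []
    unparsed: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_audit_record(line)
        if rec is None:
            unparsed.append(line)
        else:
            records.append(rec)
    return records, unparsed


def count_by(records: List[Dict[str, Any]], key: str) -> Counter:
    """Count records per value of one field, e.g. per user or per category."""
    return Counter(r[key] for r in records)


if __name__ == "__main__":
    recs, bad = parse_audit_file(SAMPLE_AUDIT)
    print("by user:", dict(count_by(recs, "user")))
    print("by category:", dict(count_by(recs, "category")))
    print("unparsed lines:", len(bad))
```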
Managing Users
Manage Users from the Users page in the Settings menu. This page contains settings for User authentication to the Cynet console. You can add Users, delete Users, and you can edit User permissions. You can also change User passwords.
Integrating with Active Directory
The Active Directory Authentication section contains settings that determine the domains that the Cynet console uses for Active Directory authentication. In this section, you can manage the credentials that Cynet uses within each domain to validate Active Directory User authentication to the console.
To create a new set of credentials, in the Integrations tab, click Create.
The following dialog box opens:
Parameter | Description |
---|---|
Name | An alias for this set of credentials. |
Username | The User name of the account that is used to validate the credentials. |
Password | The password of the account that is used to validate the credentials. |
Domain | The domain in which the account exists. |
Note
The account used to validate the credentials does NOT need to be a domain administrator. It only needs to be a domain User.
To check if the Username and password are correct, click Validate Credentials.
To save these credentials, click Save.
The new credentials appear in the Manage Credentials section. To change existing credentials click Edit. To remove credentials click Delete.
When there is at least one set of credentials saved, you can enable Active Directory authentication on the Users settings tab.
Importing User Settings Data from Active Directory (AD)
You can configure Cynet to import User account attributes from Active Directory. To import User attributes from AD:
- From the Settings page, select the Configuration tab.
- Navigate to the Import Data Settings section.
- Select the first field from the scroll-down menu under User Name.
- (Optional) Click +.
- Select the second field.
- Repeat until all the required fields are listed.
- Name all the selected fields with the corresponding attributes.
- Click Save.
In the example below, each field is mapped to the corresponding attribute name in Active Directory. For example, the Role field is mapped to the ‘title’ attribute.
Note
Active Directory attribute names are case sensitive.
The User data you can import from AD includes:
Parameter | Description |
---|---|
User Name | The User’s account name. |
Mobile | The User’s mobile phone number. |
Office Phone | The User’s office phone number. |
Role | The User’s job title. |
Department | The department in which the User works. |
Notes
The server imports User data from Active Directory once every 24 hours.
You can view imported User data on the User Details Page.
Importing User Settings from a CSV File
You can configure Cynet to import User account attributes from a Comma Separated Values (CSV) file. The User data that you can import from a CSV file includes:
Parameter | Description |
---|---|
User Name | The User’s account name. |
Mobile | The User’s mobile phone number. |
Office Phone | The User’s office phone number. |
Role | The User’s job title. |
Department | The department in which the User works. |
To import User attributes from a CSV file,
- From the Settings page, select the Configuration tab.
- Navigate to the Import User Data From CSV File section.
- Select the first field from the scroll-down menu under User Name.
- (Optional) Click +.
- Select the second field.
- Repeat until all the required fields are listed.
- Give a number to each selected field. That number corresponds to the index of the data in the CSV file.
- Click Save.
- Click Choose File.
- Navigate to the location of the CSV file on your computer.
- Select the CSV file to upload.
- Click Upload CSV File.
The file is parsed according to the field mapping configured in the section above. You can view imported User data on the User Details Page.
In the example below, each field is mapped to the corresponding index of data within the CSV file. For example, the Role field is mapped to index #3 in the CSV file.
The CSV file to match this mapping includes User data like the one below, where the User name field is first, mobile number second, office number third, and so on.
Creating New Users
To create a new local User:
- From the Settings page, select the Users tab.
- Enter the User Name.
- Enter the Password.
- Select the User Level.
- Click Add.
The User Level options are:
Parameter | Description |
---|---|
Custom User | Enables Custom User permissions. You can use the “Custom User Access Permissions” drop-down menu to select which actions this User is enabled to perform. |
Operator | Enables Users to view all data, perform remediation actions, make configuration changes, and add, remove, and edit Users. |
Dashboard | Enables Users to access the Main Dashboard. Users cannot view data, perform remediation actions, or make any configuration changes. |
Custom User Access Permissions
When creating a new User, if Custom User is selected as the User Level, you must assign permissions to the new User.
To assign permissions to the new User:
- In the Manage Local Users area, click Edit Permissions.
- Click the drop-down arrow and select the actions the User is permitted to perform.
- Click Save.
Activate Chief Information Security Officer (CISO) Kit
The CISO Kit integrates Cynet 360 with a mobile application to enable CISOs to receive warnings from the Cynet 360 system.
The CISO Kit is compatible with iPhone, iPad, and Apple Watch devices. It is a dashboard application that is available for Cynet 360 v3.6.2 and above, for SaaS installations only.
For more information about how to operate the CISO Kit from portable devices, refer to Cynet CISO Kit User Guide.
Adding Users to Groups
Select the Domain from the drop-down menu.
You can configure Domains in the Active Directory section of the Integrations page.
Enter a User name from the selected domain.
Select the User Level.
Authenticated Users in this group are assigned to this User level.
To add the User to this group, click Add.
All Users in this group can authenticate to the console using the Active Directory credentials.
The new Users appear in the Enabled Identities section.
Enabled Identities
When a group or User has been mapped, it appears in the Enabled Identities section.
To remove an enabled identity, click Remove.
Active Directory Authentication Settings
The Active Directory Authentication section maps Users or Groups within Active Directory domains to User levels in the Cynet console for authentication.
Before these settings can be configured, you must configure two other settings:
Integrations
Configure a domain in the Active Directory section of the Integrations settings tab.
Authentication Mode
Enable an authentication mode in the Manage Authentication Users section of the Users tab.
When you have configured the Domain and an Authentication mode, the AD Authentication section becomes available.
Setting the User Authentication Method
You can use this setting to configure which authentication method is enabled for Users when logging into the Cynet console.
To Configure the User Authentication Method:
From the Settings page, select the Users tab.
Select the level of authentication.
Enable Local Authentication Only—Only local Users in the Cynet User database are authenticated.
Enable Active Directory Authentication Only—Only Active Directory Users are authenticated.
Enable Local & Active Directory Authentication—Users from both the Cynet User database and Active Directory are authenticated.
Notes
If an authentication method that uses Active Directory is enabled, the AD Authentication section of settings becomes available. These settings map Users and groups in Active Directory to User levels in the Cynet console for authentication.
You must also configure the Active Directory domain in the Integrations settings. This page points the Cynet console to the domain to validate Active Directory credentials.
Cynet recommends enabling Active Directory & Cynet Users authentication method so that the Operator account (or any other local account) can be used to log into the console in the event that Active Directory authentication is not possible.
Managing Cynet Users
You can add, edit, or delete Local Users. You can also change User passwords.
The Operator account is the default login for the Cynet console, and it cannot be deleted. Cynet recommends changing the password of the Operator account from the default password to something more complex and secure.
Configuring User SMS Confirmation Settings
This setting enables the SMS Confirmation functionality. When Cynet observes unusual User logins, it sends an SMS to the User’s mapped mobile number.
To enable SMS Confirmation, in the Configuration tab:
Select Enable SMS Confirmations.
Click Save.
Authenticating an Active Directory Group
To add an Active Directory group for Cynet console authentication, in the Users tab:
Select a Domain from the drop-down menu.
The domains are configured in the Active Directory section of the Integrations page.
Select the Active Directory Group to map.
All groups from AD are listed in this drop-down menu.
Select the User Level. Authenticated Users in this group are given this User level.
To add this group, click Add.
All Users in this group are able to authenticate to the console using the Active Directory credentials.
Added Groups appear in Enabled Identities.
Managing Multi-Factor Authentication (MFA)
IMPORTANT!
MFA is available for local Users only.
Activating MFA for a User
To activate and configure the MFA feature for individual Users:
From the Users tab, navigate to Authentication Settings.
Select Enable Local Authentication Only.
Navigate to Manage Local Users.
Next to the relevant User, click Manage MFA.
From the Manage MFA Device window, enter the User’s phone number. The required format is a + followed by the country code, followed by the number. For example, +000123456789.
Click Assign MFA.
The first time the User attempts to login after the MFA is assigned, the phone validation screen opens. Cynet 360 sends a code to the User’s phone by SMS. The User enters that PIN code here.
Note
The PIN code sent by SMS is only valid for three minutes. If required, the User can click Resend SMS to request a new valid code.
The User is redirected to a QR code validation screen. The User either scans the QR code with a Google or Microsoft authenticator app or enters the manual key string.
Subsequent logins will be verified with the code provided by the Google or Microsoft authenticator app.
To resync the MFA or update the phone number, follow the same steps.
Removing MFA for a User
Password Complexity
Passwords must include at least 3 of the following 4 groups:
Lower case letters (a-z)
Upper case letters (A-Z)
Numbers (0-9)
Symbols (!@#$%^&*)
Passwords must be between eight and twenty characters in length.
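A validator for the complexity policy above, added as an example and not Cynet's own code. It assumes the symbol group is exactly the set listed, and that characters outside the four groups (spaces, other punctuation) are neither counted nor rejected, since the policy does not forbid them.

```python
import string

SYMBOLS = set("!@#$%^&*")  # the symbol group listed in the policy above
MIN_LEN, MAX_LEN = 8, 20
MIN_GROUPS = 3


def check_password_complexity(password):
    """Return (ok, reasons) for the password policy described above.

    ok is True only when the length is 8..20 characters and at least three of
    the four character groups are present. reasons lists every failed rule so
    the user can be told exactly what to fix when prompted to re-enter.
    """
    reasons = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        reasons.append("length must be between %d and %d characters"
                       % (MIN_LEN, MAX_LEN))
    groups = {
        "lower case letters": any(c in string.ascii_lowercase for c in password),
        "upper case letters": any(c in string.ascii_uppercase for c in password),
        "numbers": any(c in string.digits for c in password),
        "symbols": any(c in SYMBOLS for c in password),
    }
    present = sum(groups.values())
    if present < MIN_GROUPS:
        missing = ", ".join(name for name, found in groups.items() if not found)
        reasons.append("only %d of %d character groups used; need at least %d (missing: %s)"
                       % (present, len(groups), MIN_GROUPS, missing))
    # Assumption: characters outside the four groups are ignored, not rejected.
    return (not reasons), reasons


if __name__ == "__main__":
    for candidate in ("Passw0rd", "password", "Ab1", "Cynet360!"):
        ok, why = check_password_complexity(candidate)
        print(candidate, "OK" if ok else "REJECTED: " + "; ".join(why))
```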
Changing a User’s Password
All Users can change their own passwords.
To change an account’s password, in the Manage Users tab:
Click Change Password.
Note
Passwords for Dashboard level Users can be changed by Operators. Operator-level account passwords cannot be changed by other Operators.
Enter your current password
Enter your new password.
Enter your new password to confirm.
Click Change.
If the new password does not meet the complexity requirements, you are prompted to re-enter a new password.
When Operators change another account’s password, the system prompts them to enter the new password twice. If the new password does not meet the complexity requirements, they must enter a new password.
Deleting a User
To delete a User from the Cynet console, click Delete User.
Note
The default Operator account cannot be deleted.
Deception
Cynet 360 deploys deception entities (honeypots) in your network to lure attackers. When these entities are used, Cynet 360 detects them and raises an alert on the illicit activity.
Each Deception alert contains details about which type of deception was triggered, the attacker IP address, the victim IP address, the hostname, and the file name, if applicable.
The types of deceptions are:
Deception Users
Decoy Users and host names
Deception Files
Decoy files
Deception Network
Decoy hosts and endpoints on the network
To enable these deceptions:
Activate the deception types.
Configure the deception types.
Deception Users
Activating Deception Users
To activate deception Users and files:
On the main menu, click .
In the Scan Groups tab, navigate to Deception Users.
Click Enable Deception Users.
Configuring Deception Users
To configure deception Users:
On the main menu, click .
Click Deceptions.
Click the Users tab.
To create a new deception User:
Click Create.
Select the Scan Group.
Enter a User Name.
Enter a Host Name.
Enter a User Type.
Click Add.
To edit an existing Deception User, click Edit and change the required settings.
To remove an existing Deception User, click Remove.
Deception Files
Cynet 360 supports different types of decoy files.
Decoy Type | Description |
---|---|
Office Documents | Cynet deploys Excel, Word, and PowerPoint documents to the host in a newly-created User directory. These files contain beacons. When they are opened, they communicate with the Cynet server and generate an alert. Cynet enables Users to create their own decoys. |
Remote Desktop Files | Cynet deploys Remote Desktop (RDP) files with saved imitation credentials on the host. When this file is executed, it attempts to connect to the Cynet server with invalid credentials and generates an alert. |
ODBC | Cynet configures an ODBC connection on the host, which points to the Cynet server. When this connection is used, it generates an error and an alert. |
NetBIOS | Cynet can configure network shares on the host, which are monitored. When the session is used, it generates an alert. |
Stored Credentials | Cynet implants invalid credential information in the Windows Credential Manager. If these credentials are obtained by an attacker and used for authentication elsewhere in the environment, an alert is generated. |
Text Files | Cynet deploys text files to the host with invalid credentials. These credentials disguise themselves as domain credentials or credentials to an internal Web application. If either of these invalid credentials is used, an alert is generated. |
Deception Office Documents
Cynet creates a new User folder such as C:\Users\admin_c493d82, with a randomly-generated account name.
Within this directory, there will be several deception Office documents such as Word (.docx), Excel (.xlsx), and PowerPoint (.pptx) files. These files have attractive filenames to lure attackers and are placed throughout the new User directory.
When one of these files is opened with Microsoft Office, the beacon within the document attempts to communicate with the Cynet server as well as the Cynet-controlled Web domain ad-stats.com. This ensures that the Cynet SOC can identify when deception files are opened outside the corporate LAN environment.
Deception RDP Files
Cynet creates a saved RDP connection file in the same directory as described above. The RDP connection file contains invalid credentials. The file attempts an RDP connection to the Cynet server on port TCP 8484 and fails. When the RDP attempt is made, an alert is generated in the Cynet console.
Deception ODBC Connection
ODBC (Open Database Connectivity) is an open standard API for accessing databases. ODBC statements are used to connect to various databases such as Access, dBase, DB2, and Excel. Cynet uses the Windows built-in programming support for ODBC by planting an ODBC connection to a non-existent database in the environment. When an attacker attempts to use this ODBC connection to connect to the invalid database, an alert is generated in the Cynet console.
Cynet implants the ODBC connection by deploying various registry keys to the Windows host. The implanted ODBC can also be found in Control Panel > System & Security > Administrative Tools > Data Sources (ODBC).
To list the implanted connection as an SQL Server, click the System DSN tab.
Deception Text Files
Cynet can deploy text files with invalid domain credentials within a newly created User directory. Cynet can also deploy text files with credentials for a non-existent internal application. If the domain credentials are used for authentication or if the URL is accessed, an alert is generated in the Cynet console.
Deception Stored Credentials
The Windows Credential Manager is the “digital locker” where Windows stores login credentials on the network. This data can be accessed by Windows or other applications that use the stored credentials. There are three main types of stored credentials in the Credential Manager:
Windows Credentials
Only used by Windows and its services. For example, saved credentials for a network shared folder.
Certificate-based Credentials
Used together with smart card authentication. This is usually configured in higher security networks with Active Directory configured for smart card authentication.
Generic Credentials
General saved credentials that are defined by applications used on the computer, for example, Office365 or Windows Live.
Credentials saved in the Credential Manager are commonly targeted by threat actors. Cynet 360 implants invalid Username and password credentials in the Credentials Manager. When a threat actor uses these credentials to authenticate in the environment, an alert is generated.
Activating Deception Files
To activate deception Users and files:
On the main menu, click .
In the Scan Groups tab, navigate to Deception Files.
Click Enable Deception Files.
Configuring Deception Files
To configure deception Files:
On the main menu, click .
Click Deceptions.
Click the Files tab.
From here you can:
Add a new decoy file
Edit existing decoy files
Enable decoy files in groups
Decoy Files Listener Port
This is the listener port that decoy files use when beaconing back to the Cynet server. The protocol used is TCP.
Enabling Decoy Files in a Group
To enable a Decoy File in a Group:
Click the file name or .
Click .
Select an option to deploy.
Adding a New Decoy File
Users can create a new Decoy File from an existing Office file.
To Add a New Decoy File:
From Settings>Deception tab, click Add New Decoy File.
Select a file to use as the Decoy.
Click Generate Test File.
A test Decoy File is downloaded to the destination of your choice.
Enter a file name.
Select a group.
Select file deployment locations.
When this file is accessed, Cynet generates an alert.
Deception Network
Cynet 360 deploys deception entities (honeypots) in your network to lure attackers. When these entities are used, Cynet 360 detects them and generates an alert on the illicit activity.
To enable this feature:
Activate the Deception Network.
Configure the Deception Network.
Activating the Deception Network
To activate the Deception Network:
On the main menu, click .
Click the Scan Groups tab and navigate to Deception Network.
Click Enable, then Save.
Configuring the Deception Network
To configure the Deception Network:
On the main menu, click .
Click the Deception tab.
Click the Network tab.
In the Max Decoy Hosts Per Endpoint field, enter the maximum number of hosts for each endpoint. The default is 10.
In the Select Group field, enter the scan group to configure.
Add a single or multiple decoy.
To manually add a single decoy, click Add
To import multiple decoys from a CSV file, click Import
To see how the CSV file must be set up, click Download CSV Example
Note
You can add and import as many decoys as you want, but only the maximum number is distributed on your network. The decoys to be uploaded are selected by Cynet 360 at random.
To delete a decoy, select it from the list and click Delete Selected Decoys.
To delete all decoys, click Delete All Decoys.
IMPORTANT!
Any change to the list of decoys (adding, importing, or deleting) causes Cynet 360 to automatically select new decoys.
When a file is accessed, Cynet triggers an alert.
Scanning On-Demand (Threat Hunting)
Cynet enables Operators to scan endpoints for threats. Operators can scan for threats on-demand, based on their awareness of Indicators of Compromise (IoCs).
To scan on demand:
Define the IoCs (file SHA256, file MD5, file name, full file path), and the extensions and folders to search.
Define the severity of the potential alert if a threat is found.
Cynet scans the endpoints. If a file that matches the IoC is found, an alert is generated.
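The matching logic of an on-demand scan as described in these steps, written here as an added example that is not Cynet's EPS code: IoCs of the four listed types, an extension filter, a directory filter, and a severity attached to each alert. Any single matching indicator raises an alert, as the note on Threat Hunting states; the directory tree it scans is constructed in a temporary folder so it runs stand-alone.

```python
import hashlib
import os
import tempfile

SEVERITIES = ("Informative", "Low", "Medium", "High", "Critical")
HASH_TYPES = ("md5", "sha256")


def file_hashes(path):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def hunt(iocs, directories, extensions, severity):
    """Walk the directories and return one alert per (file, matching IoC).

    iocs: list of (indication_type, value, description); the type is one of
    "sha256", "md5", "file_name" or "full_path". extensions: list of file
    extensions to examine (empty list means every file). Files are hashed
    only when a hash-type IoC is present, so name-only hunts stay cheap.
    """
    if severity not in SEVERITIES:
        raise ValueError("unknown severity %r" % severity)
    exts = {e.lower().lstrip(".") for e in extensions}
    lookup = {}  # (indication_type, normalized value) -> description
    for kind, value, description in iocs:
        norm = (os.path.normcase(os.path.abspath(value)) if kind == "full_path"
                else value.lower())
        lookup[(kind, norm)] = description
    need_hashes = any(kind in HASH_TYPES for kind, _ in lookup)
    alerts = []
    for base in directories:
        for root, _dirs, files in os.walk(base):
            for name in files:
                path = os.path.join(root, name)
                ext = os.path.splitext(name)[1].lstrip(".").lower()
                if exts and ext not in exts:
                    continue
                observed = [("file_name", name.lower()),
                            ("full_path", os.path.normcase(os.path.abspath(path)))]
                if need_hashes:
                    md5, sha256 = file_hashes(path)
                    observed += [("md5", md5), ("sha256", sha256)]
                for key in observed:
                    if key in lookup:  # a single matching indicator is enough
                        alerts.append({"path": path, "indication_type": key[0],
                                       "value": key[1], "description": lookup[key],
                                       "severity": severity})
    return alerts


def build_demo_tree():
    """Create a constructed directory tree in a temp folder; returns its path."""
    base = tempfile.mkdtemp(prefix="hunt_demo_")
    sub = os.path.join(base, "Downloads")
    os.makedirs(sub)
    with open(os.path.join(sub, "invoice.exe"), "wb") as fh:
        fh.write(b"constructed sample payload\n")
    with open(os.path.join(sub, "notes.txt"), "wb") as fh:
        fh.write(b"plain text, filtered out by extension\n")
    with open(os.path.join(base, "readme.exe"), "wb") as fh:
        fh.write(b"benign\n")
    return base


if __name__ == "__main__":
    base = build_demo_tree()
    sample = os.path.join(base, "Downloads", "invoice.exe")
    iocs = [("sha256", file_hashes(sample)[1], "known dropper hash"),
            ("file_name", "INVOICE.EXE", "suspicious file name")]
    for alert in hunt(iocs, [base], ["exe"], "High"):
        print(alert)
```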
Enabling Threat Hunting
To enable Threat Hunting:
On the Cynet Dashboard, navigate to Settings.
Click Scan Groups.
In the Threat Hunting section, select Enable Threat Hunting.
Enter a period of time (in minutes) for Cynet to check if there is a new search to perform.
To disable threat hunting, deselect Enable Threat Hunting.
Configuring Threat Hunting Settings
Operators can configure Threat Hunting settings based on their awareness of IoCs.
To configure Threat Hunting settings navigate to Settings > Threat Hunting.
Creating a List of IoCs to Search
From the Indication Type drop-down menu, select the Indication Type you want to search.
For each Alert Type, enter a Value and a Description of the Alert.
To add the new search indicator to the list, click .
The new search indicator appears in the list.
Note
Cynet generates an alert for any of the IoCs it finds. It is not necessary to find all of the IoCs simultaneously to generate an alert.
In the Filter By Extension section, insert a file extension to scan.
Click .
The file extension is added to the list.
To add more file extensions, repeat Steps 4 and 5 above.
In the Filter By Directory section, insert a Directory to scan.
Click .
The Directory is added to the list.
To add more Directories, repeat Steps 6 and 7 above.
From the Alert Severity drop-down menu, select the severity of the alert.
You can select a Severity level from Informative, Low, Medium, High, and Critical.
To stop a running scan and start a new scan, in the Suppressed Mode section, select Suppress. To wait for the current scan to stop, leave this checkbox cleared.
To save the changes you made, click Save Changes.
Threat Hunting starts on all endpoints.
To stop a current scan, click Stop Current.
To restart the current scan, click Restart Current.
All endpoints are scanned. If they were scanned previously, they will be rescanned.
To delete all the IoCs, click Clear Search Criteria.
Threat Hunting Results
When Cynet finds a threat based on the defined IoCs, it generates an alert and sends an email.
The alert appears in the Alerts page.
To see details of the Alert, click .
Using the Cynet SIEM API
The Cynet Security Information and Event Management (SIEM) API is a new API that enables SIEM systems to extract information from Cynet.
Sockets
Domain occurrences
File occurrences
User login
Vulnerability Assessment (NEW!)
Cynet APIs are documented in the product at https://localhost:6443/help.
Relevant API entries:
Sockets
api/network/sockets?FromDate={FromDate}&ToDate={ToDate}&Offset={Offset}&Limit={Limit}
Domains
api/network/domains?FromDate={FromDate}&ToDate={ToDate}&Offset={Offset}&Limit={Limit}
File Occurrences
api/file/occurences?FromDate={FromDate}&ToDate={ToDate}&Offset={Offset}&Limit={Limit}
User
api/User/loggedIn?FromDate={FromDate}&ToDate={ToDate}&Offset={Offset}&Limit={Limit}
Vulnerability Assessment
Missing Windows patches – api/va/patches/missing
Existing Windows patches – api/va/patches/existing
Unauthorized Applications – api/va/riskyApps
Installed software – api/va/installedSoftwares
Applications patch – api/va/patchValidation
Installed agents – api/va/Agents
Notes:
Currently, there is no documentation for the fields of the internal objects (LoggedInUserSummaryDTO, SocketSummaryDTO, and FileOccurrenceModel).
The filter according to FromDate and ToDate is calculated as follows:
FromDate <= last-seen < ToDate
Defaults
Offset – 0
Limit – 500
FromDate – no filter
ToDate – no filter
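A client for the endpoints listed above, added as an example and not Cynet's own SDK: it builds the query URLs with the documented defaults (Offset 0, Limit 500, no date filter unless given) and pages through an endpoint until a short page is returned. The base URL is the one the guide gives for the API help page; the ISO 8601 date format, the JSON-array response shape and the lastSeen field name are assumptions, and the fake server stands in for the console so the half-open FromDate/ToDate window can be checked offline.

```python
from datetime import datetime, timedelta
from urllib.parse import urlencode, urlparse, parse_qs

BASE_URL = "https://localhost:6443"  # host of the in-product API help page
DEFAULT_OFFSET = 0                    # documented default
DEFAULT_LIMIT = 500                   # documented default


def build_url(endpoint, from_date=None, to_date=None,
              offset=DEFAULT_OFFSET, limit=DEFAULT_LIMIT):
    """Query URL for one SIEM endpoint. Dates are sent as ISO 8601 (assumed)."""
    params = {"Offset": offset, "Limit": limit}
    if from_date is not None:
        params["FromDate"] = from_date.isoformat()
    if to_date is not None:
        params["ToDate"] = to_date.isoformat()
    return "%s/%s?%s" % (BASE_URL, endpoint, urlencode(params))


def fetch_all(fetch_page, endpoint, from_date=None, to_date=None,
              limit=DEFAULT_LIMIT):
    """Collect every record by advancing Offset by Limit until a short page.

    fetch_page(url) must return the list of records for that page (assumed
    response shape). An empty final page also terminates, which covers a
    result count that is an exact multiple of Limit.
    """
    offset, records = DEFAULT_OFFSET, []
    while True:
        page = fetch_page(build_url(endpoint, from_date, to_date, offset, limit))
        records.extend(page)
        if len(page) < limit:
            return records
        offset += limit


def in_window(last_seen, from_date, to_date):
    """The documented filter: FromDate <= last-seen < ToDate, each bound optional."""
    if from_date is not None and last_seen < from_date:
        return False
    if to_date is not None and last_seen >= to_date:
        return False
    return True


def make_fake_server(records):
    """Constructed stand-in for the console: applies the window, then Offset/Limit."""
    def fetch_page(url):
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        fd = datetime.fromisoformat(q["FromDate"]) if "FromDate" in q else None
        td = datetime.fromisoformat(q["ToDate"]) if "ToDate" in q else None
        hits = [r for r in records if in_window(r["lastSeen"], fd, td)]
        off, lim = int(q["Offset"]), int(q["Limit"])
        return hits[off:off + lim]
    return fetch_page


def demo_records(count, start=datetime(2020, 5, 1)):
    """Constructed socket records, one per hour from start."""
    return [{"id": i, "lastSeen": start + timedelta(hours=i)} for i in range(count)]


if __name__ == "__main__":
    server = make_fake_server(demo_records(1200))
    window = fetch_all(server, "api/network/sockets",
                       datetime(2020, 5, 1, 10), datetime(2020, 5, 2, 10))
    print(len(window), "records in window, ids", window[0]["id"], "..", window[-1]["id"])
```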
Setting Up Cynet
You can configure Cynet 360 to meet your organizational needs according to the requirements of your operating environment.
Settings
The Settings Page provides extensive system management and configuration capabilities for the Cynet 360 platform. The page has the following tabs:
Scan Groups
You can define a population of hosts to scan by configuring settings in the following main Scan Group sections:
Scan Settings
Scan Population
Scan Schedule Settings
Configuration
You can configure system settings including:
Analytics Server Configurations
Exclusion Settings
Network Traffic Analysis Settings
Log Parser Settings
VPN Log Parser Settings
Import User Data Settings
Import User Data from CSV File
User SMS Confirmation Settings
EPS Configuration
You can define custom memory analysis methods for the EPS.
Note
Cynet recommends that you contact your Cynet Technical Support representative before creating a memory analysis method.
Deception
You can create new or edit existing deception files and configure or update Network settings for the deception files.
Advanced
You can configure settings for advanced scanning, including:
Connection Settings
Privacy & Compliance Settings
Master & Slave Server Settings
Policy Exclusion Settings
Throttle Settings
Domain Whitelisting Settings
Remediation Settings
Decoy Settings
Console Settings
File Monitoring
Windows Event Settings
Note
The terms Decoy and Deception are interchangeable.
Users
You can configure settings for User accounts accessing the Cynet system. These include:
Authentication Settings
Add/Edit/Delete Users
Change Passwords
Active Directory Authentication Settings
Maps
You can configure IP ranges for your Cynet environments on a map.
Analysis
You can configure settings for analysis actions of the system.
Dynamic Analysis Settings
Deep Scan Settings
Alerts
You can configure settings for alerts generated. These include:
Email Settings
General Settings
Alert Settings
Unscanned Host Alert Settings
Email Alert Filter Settings
Integrations
You can specify Active Directory domains for User authentication.
Vulnerability Management
You can configure settings for the following cases:
Windows Patch Validation
Unauthorized Applications
Application Patch Validation
Agents Validation
User Behavior Analytics (UBA) Management
You can edit event triggers used to monitor User behavior.
Threat Hunting
You can configure settings for searches involving specific file information.
Whitelisting
You can configure settings to create whitelisted profiles and automatically exclude certain alert types.
Remediation
You can configure settings for Custom Remediation actions and Playbooks.
Cynet recommends that you contact your Cynet Support Technician before setting up custom remediation actions.
Windows Events
You can edit existing Windows Events configuration settings, or create new configurations defining which Windows events to monitor for the selected scan group.
System Info
You can view information regarding the Cynet system in two sections:
Main Info
System Health
Setting Up Cynet to Detect Threats
The first part of Cynet’s breach protection strategy is detecting threats. Cynet initiates threat detection using the following methods:
Setting Up Scan Groups
Operators can use the Scan Groups page to configure endpoint scanning. You can configure groups based on the endpoint type, IP subnet, or scanner mode. You can use a “default group” or you can create a new scan group.
To create a new Scan Group:
Click Create.
Enter Group Name and Group Description (these are optional).
Click Save to create the new group.
To edit the Group Information section, select the appropriate Scan Group from the drop-down menu.
To Remove a Scan Group:
Select the correct group for deletion from the drop-down menu.
Click Remove.
Scan Group Settings
You can use scan groups to separate scan settings between subnets, computer types, and departments. All scan settings are saved to the group and are specific to that group. Scan groups can contain separate credentials for scanning, scan scheduling, and distribution types.
Setting Up the Distribution Type
The Distribution Type setting enables the system to push the Cynet endpoint scanner (CynetEPS) to the endpoints.
Distribution Types include:
Auto
The Auto Distribution Type cycles through all the Distribution Types. If one Distribution Type fails, the system proceeds to the next type and attempts to scan the host. Cynet uses this setting in the following order:
Launcher
Scheduled Tasks
Remote Procedure Calls (RPC)
SSH
Launcher
The Cynet Launcher Distribution Type authenticates to the endpoints using the configured account credentials via CynetLauncher.exe. It transmits the CynetEPS via SMB to be executed.
To enable this Distribution Type, ensure that port 445 is open at the endpoint.
Scheduled Tasks
The Cynet server authenticates to the endpoints using the configured account credentials via MSRPC and transmits a task message to the endpoints to execute the CynetEPS.
To enable this Distribution Type, ensure that TCP port 135 is open at the endpoint.
SSH
The Cynet server authenticates to the endpoints using the configured account credentials via SSH. It transmits the CynetEPS and runs the daemon.
To enable this Distribution Type, ensure that TCP port 22 is open at the endpoint.
RPC
The Cynet server authenticates to the endpoints using the configured account credentials via PsExec and transmits the CynetEPS via SMB to be executed.
To enable this Distribution Type, ensure that TCP port 445 is open at the endpoint.
Manually Installed Agent
In this case the Cynet server does not distribute the EPS to the hosts. The installation is performed using a third-party system such as WSUS, SCCM, or BigFix.
To see Distribution Type settings, on the Scanner page, click Manual Scans.
Scan Group Information Settings
The Scan Account is the account used to authenticate to hosts when scanned. You can save multiple sets of credentials to be used on any scan group. Cynet hashes and encrypts all saved credentials in the Cynet database.
Note
Separate credentials are necessary for Windows, Linux, and MAC hosts. Hosts of each OS type must be placed in a separate scan group, with separate credentials for each scan group.
Selecting the Scanning Platform
You can select the relevant operating system from the drop-down menu.
All settings are adjusted based on this selection.
Note
You can only include one Operating System in a group.
To create a new scan account:
Select a Distribution Type (other than Manually Installed Agent) from the drop-down menu.
Click Create.
Enter an alias for this set of credentials.
The Service option uses the current credentials running on the server.
To use the Credentials option, enter a Username, password, and the domain (if an Active Directory account).
Note
If the credentials entered are a local Windows account or a local Linux account, you do not need to specify a domain.
To confirm that the credentials you entered are valid, click Validate Credentials. If the credentials validate successfully, a success indicator displays. If the validation fails, a failure indicator displays.
Note
“Validate Credentials” only works for Active Directory credentials. Local Windows accounts or local Linux accounts do not validate.
To save the credentials, click Save.
Creating Manually Installed Agents Groups
To create a group that contains a manually-installed agent:
Create a new Scan Group. See “Setting Up Scan Groups”.
In the Distribution Type section, select Manually Installed Agent.
Click Save.
This group now contains only agents that are manually installed.
Adding an Agent to a Manually-Installed Group
For specific details on how to work with Manually-Installed Agents, go to:
https://cynethelp.zendesk.com/hc/en-us/articles/360010559033-Cynet-360-Light-Agent-Manual-Installed-Agents-Windows-Linux-MAC
To pre-configure a host in the scan group population, go to:
https://cynethelp.zendesk.com/hc/en-us/articles/360015098014-Cynet-360-Configuration-Recommendations-First-Installation
To add a Manually-Installed Agent to a group:
Add the agent to the group population.
Use one of the suggested methods:
Host name
IP range
OU
Install the Agent using MSI.
The Agent is automatically associated to the group in which it was defined.
This feature supports Linux OS, provided the Distribution Platform parameter is set to Linux.
Changing a Group
You can delete a Host from one scan group and add it to another scan group.
You can also Export and Import the Host population.
Adding Agents to Groups Using CLI
To add a Manually-Installed Agent to a group as defined above, the argument “-group” is added to the EPS.
For more details on how to do this, go to:
and
https://cynethelp.zendesk.com/hc/en-us/articles/360006766914-Use-logon-script-to-install-Cynet-MSI
The new argument points to the name of the group to which the EPS belongs.
To use this parameter:
Add “-group” to the MSI command line arguments.
Insert the target group name.
When using the MSI installation method, the Cynet MSI might have additional command line parameters for the group name. If the group name exists, it assigns the host to the relevant group. Otherwise it assigns the host to the default MSI group.
Changing Group
To move an agent from one group to another group, uninstall the MSI.
Reinstall the MSI with the new group name as the argument.
Setting the Scan Mode
This setting enables the system to configure the Cynet endpoint scanner (CynetEPS) to run on hosts.
The methods include:
Interval
The CynetEPS deploys to the configured endpoints at the specified scan interval. The CynetEPS self-terminates on the endpoints at the end of the scan cycle.
Always On
The CynetEPS deploys to the configured endpoints immediately. The CynetEPS continues to run after the initial scan completes. This ensures that any new change or activity on the endpoints is collected and sent back to the Cynet server for analysis in real-time.
Light Agent
The CynetEPS deploys to the configured endpoints immediately. The CynetEPS continues to run after the initial scan completes and a service is created so that the CynetEPS starts when the endpoints reboot.
Scan Mode settings are marked on the Scanner pages in the Status column. Hosts scanned in the Interval mode show the scan progress. Hosts scanned in the Always On and Light Agent modes display their current status.
Available scan modes are dependent on the selected Distribution Type.
Setting Up the Active Directory Domain
You can specify the Active Directory domain to scan.
In the Active Directory section, enter the domain name and click Save.
Setting the CPU Average Consumption
This setting enables you to configure the maximum CPU usage CynetEPS uses when running on endpoints in this scan group.
In the CPU Average Consumption section, select an option from the drop-down menu.
Notes
15% is the recommended option.
If you select 5%, not all alert information is collected. That information is not retrievable.
Scan Interval
Scan Interval shows the time interval during which endpoints in this scan group are scanned. This time interval is set to 60 minutes.
Additional Settings
The following settings are rarely used. Some of them can only be configured by a Cynet Technical Support Specialist.
Some of the following settings are dependent on the distribution type or scan mode being used:
Network Attack Detection
Use this setting in Light Agent and Always On modes. It configures the CynetEPS to detect network-based attacks being performed on the host. The CynetEPS binds itself to the endpoint NIC to see all network traffic being performed on the host.
Internet Availability Check
You can configure the CynetEPS to check the endpoints for Internet connectivity. This setting weighs some threat indicators differently depending on their ability to connect directly to the Internet.
Memory Injection Remediation
You can configure the CynetEPS to automatically kill any process that performs a memory injection or an illegal usage of memory on a scanned host. It is most useful for immediate Ransomware mitigation.
Unscanned Group Alert
This setting generates an alert if most of the scan population of this group is not being scanned.
Advanced Detection Technology (ADT)
This setting turns on the Advanced Detection Technology (ADT) heuristic engine. The ADT engine enables the Cynet EPS to detect threats using behavioral analysis.
ADT—Behavioral Heuristic Remediation
This setting enables the behavioral heuristic remediation capabilities of the ADT.
ADT—Ransomware Heuristic Detection
This setting enables ransomware detection capabilities of the ADT engine in the Cynet EPS. It appears only in Always On and Light Agent modes. It is only available if you enable ADT.
ADT—Ransomware Heuristic Remediation
This setting enables the ransomware remediation capabilities of the ADT engine. It appears only when Ransomware Heuristic Detection is enabled. When Ransomware is detected using the ADT engine, it is automatically stopped.
ADT—Ransomware Heuristic Decoy Files
This setting enables ransomware detection through the use of hidden decoy files created on scanned endpoints. It appears only when Ransomware Heuristic Detection is enabled. These decoy files are different from the files described in “Deception Files”. These specific files are designed to detect modifications by ransomware.
ADT—Ransomware Heuristic Decoy Disk Space Limit
This setting limits the amount of disk space the Ransomware Heuristic Decoys can consume on an endpoint (in MB). It appears only when Ransomware Heuristic Decoys is enabled.
File Monitoring
You can monitor the following file events:
Create new
Access
Delete
Delete for rename
Renamed file
ADT—Fuzzy Hashing Detection
This setting enables the Cynet EPS to employ fuzzy hashing techniques to detect malware. The technique involves mathematically calculating similarities between files. The detection method enables the system to detect previously-unknown variants of malware through similar or shared code.
ADT—Fuzzy Hashing Remediation
This setting enables the remediation capabilities of the Fuzzy Hashing Detection mechanism. It appears only when Fuzzy Hashing Detection is enabled. When malware is detected using this method, it is automatically stopped.
Disable String Collection
This setting disables memory string collection by the EPS for all hosts in this scan group.
Memory Protection Mode
This setting enables the EPS to run in the kernel level. While in memory protection mode, the EPS gains visibility into kernel level threats and enables an anti-tampering mechanism, which prevents the EPS process from being terminated on the host.
Raw Disk Writing Prevention
This setting enables the EPS to prevent raw disk writing, such as writing to the MBR. It is available only when Memory Protection Mode is enabled.
Raw Disk Writing Process Termination
This setting enables the EPS to automatically terminate a process that attempts to perform a raw disk write. It appears only when Raw Disk Writing Prevention is enabled.
Memory Injection Prevention
This setting enables the EPS to pre-emptively terminate a process performing a memory injection at the kernel level. It appears only when Memory Protection Mode is enabled.
Local Alert Messages
This setting enables the EPS to display an alert on the host when a threat is detected.
Fast Scan Detection
This setting enables the EPS to send scan data from hosts to the Cynet server immediately for analysis. In normal operation, the EPS sends this data in increments to reduce network traffic congestion.
Fast Scan Remediation
This setting enables the EPS to automatically terminate any process that is detected as a threat using the fast scan detection method.
Windows Patch Validation
This setting enables the Windows Patch Validation function, as part of the Vulnerability Management feature. It enables monitoring and alerts when missing operating system patches are identified.
Unauthorized Applications
This setting enables the unauthorized applications validation function as part of the Vulnerability Management feature. It enables monitoring and alerts when unauthorized applications are identified.
Application Patch Validation
This setting enables the Application Patch Validation function as part of the Vulnerability Management feature. It enables monitoring and alerts when installed applications do not comply with the minimum configured version.
Agents Validation
This setting enables the Agent’s Validation function as part of the Vulnerability Management feature. It enables monitoring and alerts when a key application is not installed or is not running.
Vulnerability Assessment (VA) Indicator Period
Sets the time interval (in minutes) to search for new Vulnerability Assessment indicators.
Threat Hunting
When enabled, this setting supports searching on client endpoints by: SHA256, MD5, File Name, and Full File path.
Antivirus
When enabled, this setting detects malicious files on file execution events.
Antivirus Engines
You can select which Antivirus Engine is active on the endpoint’s scanner.
Antivirus Options
You can set Antivirus remediation options and enable antivirus file creation tracking.
Windows Events Monitoring
Enables Windows Event Monitoring.
Encryption Token
This setting is used to create a random encryption token to encrypt the password used for the Scan Account in this group. This ensures that the encrypted password token is unknown and stored passwords cannot be decrypted.
To ensure all configuration changes are saved, click Save.
Configuring Scan Population Settings
There are three ways to add endpoints to a scan group:
Individually via the hostname or IP address
IP address ranges
Active Directory by Organizational Units (OUs) or Security Groups (SGs)
Using the Host name or IP Address
You can add new endpoints to the scan group population by entering either an individual hostname such as “host1344”, or an IP address, such as 192.168.220.101.
To add the endpoint:
Click Endpoints.
Enter the Host Name or IP address.
Click Add.
Note
When entering a hostname, ensure that the Cynet server can resolve the hostname to an IP address to connect and scan the host.
Note
You can import a Host name from a file.
To open the Import Hosts window, click Import.
Select a file to upload.
Click Upload CSV File.
A confirmation message opens.
An example CSV file is shown below:
The list in the CSV file is imported to the Population List:
Note
When uploading the file make sure that the CSV file contains only the Hostname. Also, the whole list must be in one column with no empty spaces or Headings.
Using IP Ranges
You can add new endpoints to the scan group population by entering an IP address range or CIDR range. Cynet looks for all active hosts within the range and adds them to the list.
Examples of IP range formats are:
IP range with subnet suffix: 192.168.1.0/24
IP range: 192.168.1.0 – 192.168.1.255
To add the endpoints:
Click IP Ranges.
Enter the IP range.
Click Add.
Note
When you enter a valid IP Range or CIDR range, the number of addresses within that range is displayed.
The IP range is displayed in the Population List.
Using Active Directory
You can add new endpoints to the scan group population by entering the names of Active Directory OUs or SGs. Cynet polls the Active Directory domain specified in the Group Information settings and looks for all computer objects in this OU or SG.
To add an OU:
Click Active Directory.
Select OU.
Enter the OU name.
Click Add.
Methods for specifying and including or excluding OUs:
OU Type | Description |
---|---|
Add an entire AD OU Tree | * |
Add Specific OU | Servers |
Exclude Specific OU | Workstations. Excluded OUs are highlighted in red. |
Add nested OU | Workstations + Locations + Laptops |
Notes
You do not need to enter Distinguished Names (DNs) for OUs. Cynet performs a query in the tree structure for any OU that matches the name you enter.
If multiple OUs contain the same name but reside in different branches of the tree structure, use the Nested OU option (+ symbol) to specify the branch OU to be polled.
To manually poll Active Directory for the current list of computer objects in the specified OUs, and to refresh the endpoints list, click Sync, then Validate AD Connection.
Note
The Active Directory sync process might take a few minutes, depending on the number of OUs specified and the number of hosts that exist in the OUs. After the sync has completed, a ‘Synced Successfully’ message displays.
To add an SG:
Click Active Directory.
Select SG.
Enter the SG name.
Click Add.
Removing an Active Directory Listing
To remove a host, IP range, OU, or SG from the scan population, select the item and click Delete. Confirm the deletion.
Configuring Scan Schedule Settings
You can configure scan groups to be scanned according to a schedule. By default, all days and all times are enabled for scanning.
To disable scanning on a day of the week, clear that day’s checkbox.
To set time restrictions for scans, enter Start Time and End Time. Times are in 24-hour HH:MM format.
You can also configure a schedule for when scans must NOT be performed by clearing Scan Enabled.
To add a new scan schedule, configure the scan settings and click Add.
To disable the whole scan group:
Clear Scan enabled.
Click Update.
Cynet does not scan any hosts in this scan group.
Setting Scan Frequency (Throttle Settings)
You can use Scan Throttling settings to control the number of concurrent scans during scan cycles in order to scan environments more efficiently.
The following settings are available in the ADVANCED tab:
Max Concurrent Scanned Hosts
This is the maximum number of hosts the Cynet server can attempt to scan at any one time. This setting throttles the scanner and prevents flooding the network with scan attempts.
The default setting is 200 hosts.
Scanned Hosts Timeout
The timeout value for responses from the PsExec process when using the Remote Procedure Calls (RPC) distribution type.
The default setting is 80 seconds.
Concurrent Remediation Actions
Use this setting to specify the maximum number of remediation actions the server can attempt at any one time.
The default setting is 300 actions.
Excluding IP Addresses and Hosts from Scans
Individual IP addresses, IP address ranges, or Hostnames can be excluded from scanning, even if they are configured in a scan group.
To exclude them from being scanned:
In the CONFIGURATION tab, scroll down to EXCLUSION SETTINGS.
Enter an IP address or an IP address range into the text box.
Acceptable IP and IP Range formats are as follows:
Example | Format |
---|---|
Explicit IP address | 192.168.0.1 |
IP address range | 192.168.0.1-192.168.0.255 |
IP address with subnet prefix | 192.168.0.1/24 |
Hostname | johnsmith-lp |
To add the exclusion to the list, click Add.
Note
When a valid IP range or CIDR (Classless Inter-Domain Routing) range is entered, the number of addresses within that range is displayed.
To remove an IP address or IP address range from the exclusion list, select the item and click Delete.
Cynet confirms the deletion.
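The entry formats accepted by the scan population list (Using IP Ranges) and by the exclusion list above, as an added Python example that is not Cynet's own validation code: it classifies an entry and computes the address count the UI displays for a range or CIDR entry. It assumes IPv4 entries and accepts any RFC 1123 style name as a hostname.

```python
import ipaddress
import re

# RFC 1123 style label check (assumption: the guide only shows a bare name such
# as johnsmith-lp, so dotted names are accepted here as well).
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")


def parse_population_entry(entry):
    """Classify one population or exclusion entry in the four formats the guide
    accepts and return (kind, address_count).

    kind is 'ip', 'range', 'cidr' or 'hostname'; address_count is the number
    the UI displays for a range or CIDR entry (None for a hostname).
    Raises ValueError for an entry in none of the accepted formats."""
    text = entry.strip()
    if "/" in text:
        # 192.168.0.1/24: strict=False ignores the host bits, as a prefix does
        net = ipaddress.ip_network(text, strict=False)
        return "cidr", net.num_addresses
    if "-" in text:
        start, _, end = (p.strip() for p in text.partition("-"))
        try:
            first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        except ValueError:
            first = last = None  # not ip-ip, may still be a hostname
        if first is not None and last is not None:
            if first.version != last.version:
                raise ValueError(f"mixed address versions in range: {text}")
            if last < first:
                raise ValueError(f"range end precedes start: {text}")
            return "range", int(last) - int(first) + 1
    try:
        ipaddress.ip_address(text)
        return "ip", 1
    except ValueError:
        pass
    if _HOSTNAME_RE.match(text):
        return "hostname", None
    raise ValueError(f"not an IP, range, CIDR or hostname: {text}")


def total_addresses(entries):
    """Sum the address counts of a list of entries (a hostname counts as 1)."""
    total = 0
    for entry in entries:
        kind, count = parse_population_entry(entry)
        total += 1 if kind == "hostname" else count
    return total
```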
Excluding Analysis Policies from Scans
You can use Policy Exclusion Settings to exclude policies from running on specified hosts.
Note
Excluding policies from running on hosts might have an adverse effect on detection analysis. Policy exclusions must be discussed with a Cynet representative before any changes are made.
To exclude a policy from running on endpoints:
In the ADVANCED tab, scroll down to POLICY EXCLUSION SETTINGS.
Type a few characters of the Policy Title to exclude.
Cynet displays all matching Policy Titles.
Select the policy to exclude.
To select hosts to exclude, in the Wild Card field, enter a regular expression.
You can exclude multiple hosts from a policy by using regex.
Some examples are:
To exclude Hostname 123 from a policy, use Hostname123.
To exclude workstations that begin with the character W, use W*.
To add the host or wildcard exclusion for this policy, click Add.
When you have added the exclusion, a menu displays all exclusion entries. Each entry shows the policy name and the host/regex match. The policy is not factored into the risk level calculation for the hosts it matches.
To delete a policy exclusion, click Remove.
To edit a policy exclusion:
Click Edit.
You can now edit the wildcard field.
To apply the changes to the policy exclusion, click Save.
Excluding Domains from Scans
You can use Domain Whitelisting settings to filter out trusted domains from analysis.
To add a domain to the whitelist:
In the Advanced tab, scroll down to Domain Whitelisting Settings.
Enter the domain to be whitelisted.
Click Add Domain.
The domain is displayed in the list.
To edit an existing whitelisted domain entry:
Select the domain name.
Click Update.
To delete an existing whitelisted domain:
Select the domain name.
Click Remove.
Configuring Network Traffic Analysis Settings
You can configure Traffic Analysis settings (in Configuration) for the Network Interface Card (NIC) you want to use to analyze traffic from a SPAN port or a network tap port.
To configure Traffic Analysis settings:
In the Configuration tab, scroll down to Network Traffic Analysis Settings.
Select the NIC to be used for network traffic analysis.
Click Save Adapters.
Configuring Log Parser Settings
Log Parser Settings enables parsing and ingesting of log data from external sources such as a proxy server.
To configure a new set of logs to parse:
In the Configuration tab, scroll down to Log Parser Settings.
Click Create.
The Log Parser definition window displays.
In the Log Parser definition window, you can define how to parse proxy logs. The log entries consist of columns separated by one or more spaces.
Note
A column represents a field.
Optionally parsed fields are:
Source IP
The client IP address.
Destination IP
The Domain destination IP address.
User
The User identity for the requesting client.
Method
The method to obtain an object.
URL address
The requested URL.
Date
The time when the proxy server started to log the transaction. This happens at the end of a transaction lifecycle, after receiving the entire request and after sending the entire response to the HTTP client.
Host
The Hostname of the original requested URL.
Port
The Destination port.
Event Identifier
A unique number in each log that identifies it from all others.
Regex Separator
The character which separates fields of information in the log.
Fields Format Type
There are two types of field formats: By Name or By Offset. Parsing by name indicates parsing fields within the log according to the name of each field. Parsing by offset indicates parsing fields within the log according to each field’s column location.
Each log file has a different set of fields. Not all logs have the same fields. Each file provides its own parsing configuration.
Parser Modes of Operation
To extract a field from a log entry, the parser walks through a string formatted in the configuration table for the current log file and field. Each character in the formatted string indicates the next step the parser must take. The basic string format is an integer, indicating the location of the requested data in the column index. For example, the URL field string format could be “2” because the URL is in the third column of the log entry.
Formatting Rules
Columns are separated by one or more spaces unless they are in quotations.
The first column index is zero.
For an undefined field, use “100”.
To join two columns, use index1 + index2.
To remove a prefix, use index - prefixSize.
For example:
The column is User=Bella and we want to extract only Bella (assuming the User column is in second place, index 1).
Use string format = 1 - 5 (the prefix User= is five characters long).
For fields that are located in a different column in each row but have a fixed prefix, use ~ prefix.
For example: every URL includes the prefix request=, as in request=http://www.google.com.
URL format string = ~ request=. The parser searches each line for the column that starts with the given prefix and extracts the data from it.
Remark: There must be a space between each index, +, -, and ~ in the format string!
For example: ~ request - 7 + 8.
Example:
In the example below, the proxy log is being parsed to match the correct fields:
When the parser is defined, click Save.
Note
The Proxy Parser name must include the word “proxy” with an integer following it for identification.
To test a defined parser for correct formatting:
Select the parser from the drop-down menu.
Enter your sample log string in the text box.
To begin parsing your log string, click Verify Parser.
Check that the field names match up to the correct fields within the log string.
To go back to fix defined parsers, click Edit.
To remove a defined parser, click Delete.
Parser Mode of Operation—Using Name Indication
To extract a field from a log entry, the parser walks through a string formatted in the configuration table for the current log file and field. Each character in the formatted string indicates the next step the parser must take. The basic string format uses key indicators: the field name followed by the requested data. For example, the URL field http://www.gmail.com.
Example:
In the example below, the VPN log is being parsed to match the correct fields based on token names:
In the Log Parser definition window, enter a proxy parser name. Each field’s index displays in its corresponding field name.
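The offset-mode format rules (index, 100, +, -, ~ prefix) and the name-mode parsing described above, as an added Python example that is not Cynet's own parser. The proxy and VPN lines, field names and format strings are constructed, and name mode is assumed to mean name=value tokens split by the configured regex separator.

```python
import re

UNDEFINED_INDEX = 100  # the guide reserves "100" for a field the log does not carry


def split_columns(line):
    """Split a log entry into columns: one or more spaces separate columns,
    unless the text is enclosed in double quotes (the guide's column rule)."""
    cols = []
    for tok in re.findall(r'"[^"]*"|\S+', line):
        if len(tok) >= 2 and tok[0] == tok[-1] == '"':
            tok = tok[1:-1]
        cols.append(tok)
    return cols


def extract_by_offset(cols, fmt):
    """Evaluate one offset-mode format string, left to right, over the columns.

    Tokens must be space separated (the guide's remark):
      <index>         value of that 0-based column
      100             undefined field, returns None
      ~ <prefix>      value of the first column that starts with <prefix>
      ... - <n>       drop the first <n> characters of the value built so far
      ... + <operand> append another column (<index> or ~ <prefix>)
    Returns None when the line lacks the column or prefix the format expects."""
    tokens = fmt.split()
    value, i, expect_operand = "", 0, True
    while i < len(tokens):
        tok = tokens[i]
        if expect_operand:
            if tok == "~":
                if i + 1 >= len(tokens):
                    raise ValueError("~ must be followed by a prefix")
                prefix = tokens[i + 1]
                col = next((c for c in cols if c.startswith(prefix)), None)
                if col is None:
                    return None
                value += col
                i += 2
            else:
                idx = int(tok)
                if idx == UNDEFINED_INDEX or idx >= len(cols):
                    return None
                value += cols[idx]
                i += 1
            expect_operand = False
        elif tok == "+":
            expect_operand = True
            i += 1
        elif tok == "-":
            if i + 1 >= len(tokens):
                raise ValueError("- must be followed by a prefix size")
            value = value[int(tokens[i + 1]):]
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r} in format {fmt!r}")
    if expect_operand:
        raise ValueError(f"format {fmt!r} ends after an operator")
    return value


def parse_by_offset(line, formats):
    """Apply a {field name: format string} table to one log entry."""
    cols = split_columns(line)
    return {name: extract_by_offset(cols, fmt) for name, fmt in formats.items()}


def parse_by_name(line, separator, fields):
    """Name-mode parsing (assumption: tokens are name=value, split by the
    configured regex separator). Fields missing from the line map to None."""
    found = {}
    for tok in re.split(separator, line.strip()):
        name, eq, val = tok.partition("=")
        if eq:
            found.setdefault(name, val)
    return {f: found.get(f) for f in fields}


# Constructed sample proxy entry (not from the guide): timestamp, client IP,
# user, method, request=URL, quoted user agent, host, port.
PROXY_LINE = ('1589203815.117 192.168.10.25 user=jdoe GET '
              'request=http://www.example.com/index.html '
              '"Mozilla/5.0 (Windows NT 10.0)" www.example.com 80')

PROXY_FORMATS = {
    "Date": "0",
    "Source IP": "1",
    "User": "2 - 5",                  # strip the 5-character prefix "user="
    "Method": "3",
    "URL address": "~ request= - 8",  # locate the column by prefix, then strip it
    "Host": "6",
    "Port": "7",
    "Destination IP": "100",          # this log does not carry the field
    "Event Identifier": "0 + 1",      # join timestamp and client IP
}

# Constructed sample VPN entry for name mode.
VPN_LINE = "date=2020-05-12 time=08:15:02 user=jdoe srcip=203.0.113.7 action=tunnel-up"
```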
Analytics Server Configurations
As part of the File Monitoring feature, Cynet uses an analytics server based on ELK (Elasticsearch, Logstash, Kibana). This configuration enables the connection between the Cynet server and the analytics server.
To configure the Analytics Server:
Select the Configure Analytics Server checkbox.
Complete the displayed fields.
Note
The File Monitoring feature does not work without the analytics server.
Monitoring Malicious Logins
Cynet 360 enables you to receive alerts whenever a malicious login is detected.
You can create fake credentials of a deception User, which you can then use to monitor failed logins. When a failed login to a deception User is detected, an alert is generated.
See the Deception Users sections (Activating Deception Users and Configuring Deception Users) for information about creating and managing deception Users.
IMPORTANT!
Adding credentials to a real host creates fake User credential files on the host acting as decoys.
Configuring Advanced Settings
This section describes advanced configuration settings.
Configuring Connection Settings
In this section, you can specify the Cynet primary and secondary server IP addresses, as well as a proxy IP address.
To configure Connection Settings:
Navigate to the Advanced tab.
Fill out the IP address fields as follows:
Field | Description |
---|---|
Primary Cynet Server Address | Specify the primary IP address and port of the Cynet server. This address is used by the EPS to send scan data. |
Secondary Cynet Server Address | Specify the secondary IP address and port of the Cynet server. This address is used when the primary server is unavailable. This is an Optional field. |
Server Proxy Settings | If an Internet proxy is used, specify the proxy IP address and port for the Cynet server to synchronize with the Cynet Virtual Private Cloud (VPC). |
Configuring Privacy & Compliance Settings
You can use Privacy & Compliance settings to limit the amount of information collected from endpoints. You can also anonymize information to be sent to the Cynet SOC.
You can enable the following settings:
Setting | Description |
---|---|
Send Scan Errors to SIEM | Sends scan errors via syslog to the IP address configured in SIEM settings. |
Send Audit Records to SIEM | Enables the Cynet server to send audit messages via syslog to a configured SIEM. |
Unique File Analysis by SOC | Allows the system (Cynet SOC) to automatically send unique files to the SSE sandbox for analysis. |
Analyzed File Retention | Specify the number of days to keep analyzed file samples within the Cynet quarantine. The default is 30 days. |
Log File Retention | Specify the number of days to keep the Cynet system log files. The default is 7 days. |
External Data Privacy | Prevents actual Hostnames and Usernames from being sent to the Cynet SOC. Host or User IDs are sent instead. |
Internal Data Privacy | Restricts sensitive, private data from being shown in the UI. |
Disabling Collection of Data
These settings prevent the CynetEPS from collecting certain information when performing scans.
You can disable the following data:
Data | Description |
---|---|
ARP Table Data Collection | Disables the collection of ARP Table data by the EPS. |
Certificate Data Collection | Disables the collection of Certificate data by the EPS. |
DNS Cache Data Collection | Disables the collection of DNS Cache data by the EPS. |
Hosts File Data Collection | Disables the collection of Hosts File data by the EPS. |
Installed Software Data Collection | Disables the collection of Installed Software data by the EPS. |
IP Settings Data Collection | Disables the collection of IP settings data by the EPS. |
User Login Data Collection | Disables the collection of User login data by the EPS. |
Microsoft Updates Data Collection | Disables the collection of Microsoft Updates data by the EPS. |
Network Interface Data Collection | Disables the collection of Network Interface data by the EPS. |
Network Share Data Collection | Disables the collection of Network Share data by the EPS. |
Configuring Cynet SOC Settings
The following additional advanced settings enable Operators to configure how data is transferred to and from the Cynet SOC.
Field | Description |
---|---|
Cynet SOC File Analysis | Automatically sends files to the Cynet SOC for further analysis. |
Automatic Updates | Enables the Cynet server to download and install updates from the Cynet VPC. |
Command Line Sync | Disables the synchronization of command-line parameters sent by the EPS to the Cynet SOC. Cynet does not recommend that you disable this parameter. |
File Whitelisting | Enables whitelisting of known files by the Cynet SOC. |
Memory String Sync | Enables the synchronization of memory strings sent by the EPS to the Cynet SOC. Cynet does not recommend that you disable this parameter. |
Note
Cynet recommends leaving these settings, especially the Anonymization and Disable … Collection settings, with their default values to perform complete threat analysis on hosts. Limiting collected data can negatively impact Cynet’s threat detection.
Configuring Slave Server Settings
You can use the Slave server settings to configure a Cynet server as a Slave server in a distributed architecture.
To configure a Cynet Server as a Slave Server, in the Master and Slave Server Settings section:
Enter the Slave Machine Name.
Enter the Cynet Client ID.
Enter the Slave IP address.
Click Add.
Configuring Console Settings
You can use the UI session Console setting to configure how long a session in the Cynet console lasts before automatically logging out a User.
The Inactivity Logout Timeout can range from 1 minute to 525,600 minutes, or one year. The default setting is 20 minutes.
Windows Events
You can collect Windows events and send the data to FileService on the Cynet server. The server stores these events in an Elasticsearch database.
You can use Cynet 360 to search the events by:
ID
Event type
Host name
Note
For more information, see the Cynet Zendesk article “Cynet 360 Release Notes- Version 3.4.9”.
Configuring Cynet 360 to Collect Windows Events
To configure Cynet 360 to collect Windows events:
Enable the Windows events collection feature in Cynet 360:
On the main menu, click .
In the Scan Groups tab, scroll down to the Windows Events Monitoring section.
Select Enable Windows Events Monitoring.
Click Save.
Create a configuration to define which Windows events to monitor:
On the main menu, click .
In the Windows Events tab, click Create.
Create the new configuration and click Add.
View Windows events:
From the main menu, click .
On the top menu, click Hosts.
Select Windows Events.
Filter the results by:
Event ID
Event Type
Host Name
Source
Date Created
File Monitoring Settings
Cynet 360 enables you to monitor files more closely when:
Files are created
Files are renamed
Files are executed
These actions are saved in the Elasticsearch database, which can be easily queried for auditing purposes.
Note
File monitoring is only available for Windows, and only for Windows 7 and up.
Configuring File Monitoring
The following are the main steps to configure file monitoring in Cynet 360:
Enable file monitoring in Cynet 360.
Set the extensions to be monitored.
Connect to the analytics server.
The following sections describe each of these steps in more detail.
Enabling File Monitoring
To enable file monitoring in Cynet 360:
On the main menu, click .
In the Scan Groups tab, scroll down to the File Monitoring section.
Select Enable File Monitoring.
Click Save.
Setting File Monitoring Extensions
To specify the file extensions that you want to monitor for changes:
On the main menu, click .
In the Advanced tab, scroll down to the File Monitoring section.
Enter a file extension and click +.
Repeat this step for as many file extensions as you like.
Enter the time interval in minutes in which file monitor reports will be sent to the server.
Click Save.
Connecting to the Analytics Server
The analytics server is the Elasticsearch database which Cynet uses to store File Monitoring events.
To configure the analytics server:
On the main menu, click .
In the Configuration tab, select Configure Analytics Server.
Enter the connectivity settings for the analytics server.
To test the settings, click Test Connectivity.
Click Save.
Analysis
The Analysis page contains configuration settings for Cynet’s Smart Simulation Execution (SSE) sandbox. The SSE sandbox enables dynamic file analysis.
Dynamic Analysis Settings
The Cynet SSE dynamic analysis can be configured for either a local sandbox or a cloud-based sandbox. To enable the cloud-based sandbox:
Select Enable SSE Sandbox Analysis.
Select Enable Cloud Sandbox.
Click Save.
To enable a local Sandbox:
Select Enable SSE Sandbox Analysis.
Select Enable Local Sandbox.
Enter the Local Sandbox IP address.
Click Save.
Deep Scan Settings
You can configure the time intervals for the Deep Scan process. There are two available settings:
Deep Scan Update Interval
You can use this setting to configure how often the Cynet Deep Scanner (CynetDS.exe) sends data back to the Cynet server for analysis.
The minimum value is two minutes, and the default value is fifteen minutes.
Deep Scan Time Limit
You can use this setting to configure the time that the CynetDS runs on the endpoint to collect deep scan data. At the end of this time period, the CynetDS terminates.
The minimum value is fifteen minutes, and the default value is three hundred minutes.
After configuring the settings, click Save.
Alert Process Tree
Cynet 360 includes a new process tree visualization. If an alert is triggered on a file, you can see which processes were run, up to five levels down. This enables you to better understand which processes took place in an attack, what went wrong, and who was involved.
Example
Cynet 360 detected suspicious activity regarding an Excel file. When you look at the Alert Process Tree visualization, it becomes clear that the issue is the macro file, not the Excel file.
Viewing the Alert Process Tree
To view the Alert Process Tree for an alert:
From the main menu, click .
Locate the alert you want to investigate by:
Scrolling to the alert
Performing a search for the alert
Filtering the list of alerts by alert type
On the alert you want to investigate, click .
A detailed description of the alert is displayed and the Process Tree shows up to five levels of processes that were run, which triggered the alert.
The Process Tree shows the name of the processes, the order in which they were run, and the User(s) who ran the processes.
Configuring Vulnerability Management Settings
In the Vulnerability Management page, you can configure the following functions:
Windows Patch Validation
Unauthorized Applications
Application Patch Validation
Agents Validation
UBA Management
Configuring Windows Patch Validation:
The Cynet scanner queries the Windows Update subsystem at the endpoint and maps all the available Knowledge Bases (KBs) that are ready to be installed. When the EPS detects that there are KBs that have not been installed, it generates a medium level alert that includes the list of KBs that are not installed yet.
Operators can whitelist Windows KB updates, which are known to be missing or uninstalled. They can ensure that these updates do not generate an alert.
To add Windows KBs to the whitelist, type the name of the KB. Each KB displays on a new line.
Unauthorized Applications
The Cynet scanner queries the Windows Add/Remove programs subsystem at the endpoint. It compares the list received to the list of applications that are unauthorized to run on the endpoint. When the EPS detects that there are unauthorized applications installed at the endpoint, it generates a medium severity alert that includes the list of unauthorized applications installed at the endpoint.
Operators can add or remove applications from the unauthorized applications list. The list includes applications that Cynet’s R&D has classified as “Potentially” restricted.
To add an application to the unauthorized applications list, add the name of the application on a new line.
Note
Enter the name of the application exactly as it is displayed in “Add/Remove Programs” in Windows.
Application Patch Validation
The Cynet scanner queries the Windows Add/Remove programs subsystem at the endpoint and verifies that the latest patched version of the application is installed.
For example, if the organization’s security team defines that an Internet Explorer version below 11 is considered vulnerable, Cynet scans all the endpoints in the organization and generates a medium severity alert of all the endpoints containing an Internet Explorer version below version 11.
Operators can add or remove applications that must be installed with a minimum version.
Note
Enter the name of the application exactly as it is displayed in “Add/Remove Programs” in Windows.
Agents Validation
Operators can insert a list of third-party applications and processes, which are defined as crucial applications at the endpoint. The Cynet scanner queries the Windows task manager and Add/Remove programs to verify the following:
Is a third-party application installed?
Is a third-party application running?
Cynet scans all the endpoints in the organization and generates a medium severity alert which contains the list of endpoints that are not compliant:
Application is installed but not running
Application is not installed and not running
Operators can add or remove applications from the important third-party applications list.
When adding applications to the list:
Enter the name of the application as it is displayed in Windows “Add/Remove Programs”
Enter the process of the application as it displays in Windows Task Manager
Configuring UBA Management
Cynet 360 performs User and Entity Behavioral Analysis (UEBA) by collecting and analyzing User behavioral data. When unusual logins occur, Cynet can alert Users through the SMS Confirmation feature and request the User to confirm or decline the login. If the User declines the login, Cynet 360 generates an alert for unusual User behavior.
Cynet SMS verification messages are always sent from the phone number +1 (646) 846-8440 and are similar to the following examples:
The hyperlink within the message points to Cynet’s User verification site.
Configuring Users for UBA
To activate UBA, you must first configure a User with a mobile number. There are two methods to configure Users:
Selecting from Active Directory
Importing a CSV file
To configure the User from Active Directory:
From the Settings page, click the Configuration tab.
Scroll down to Import Users Data Settings.
Select the User.
In the drop-down menu, select Mobile.
In the Mobile field, check that a phone number is available or enter the User’s phone number.
Click Save.
To configure the User from a CSV file:
From the Settings page, click the Configuration tab.
Scroll down to Import Users data from CSV File.
In the User Name field, enter the first column in the CSV file you want to import. For example, to select the first column, enter 0.
In the drop-down menu, select Mobile.
In the Mobile field, enter the second column in the CSV file you want to import. For example, to select the second column, enter 1.
To select and upload the file, click Choose File, then click Upload CSV file.
To send an SMS alert to the User when suspected activity is detected, select the Enable SMS Confirmations checkbox.
Only when the User confirms in the SMS message that the activity is malicious is an alert opened in the system.
Managing UBA Policies
Set UBA policies to trigger events. At setup, the UBA Management tab contains the UBA Management pre-configured event triggers.
To manage UBA event triggers, click the UBA Management tab.
Configuring UBA Event Triggers
The UBA Management page enables you to:
Edit or update an existing UBA event trigger
Create a new UBA event trigger
To configure an existing UBA event trigger:
In the relevant event trigger field, click Edit.
From the Update Event window, you can modify pre-defined settings:
Name
Description
Query String
Keys
Question
Notification
Severity level
Time Interval in Minutes
Click Update.
To activate the event trigger, click Enable.
To create a new UBA event trigger:
CAUTION!
Event triggers are based on SQL queries. It is recommended that only advanced Users configure event triggers.
Click Create.
Populate the fields:
Enter the SQL query string for the event trigger.
The Keys field is populated from the data entered in the Query String field. Clear the checkboxes of any keys that must not be included in the notification message sent to the User.
In the Question field, enter the question that the User will see in the SMS.
To send a notification by SMS, select the SMS checkbox.
Set the severity level of the event trigger.
Set the time interval of the UBA event cycle.
Click Save.
Customizing Auto-Remediation Actions
This section describes the range of remediation actions the User can take.
Configuring Remediation Settings
On the Advanced page, the Remediation settings control how auto-remediation retries remediation actions that initially fail.
Remediation Retry Attempts
You can set the maximum number of times the system attempts a remediation action. The default is 48 retries.
Remediation Retry Interval
You can set the time interval between remediation retries in minutes. The default is 30 minutes.
Custom Remediation Playbooks
The Custom Remediation Playbook feature extends the Cynet 360 remediation capabilities by storing a collection of Custom Remediation Actions and running them sequentially or in parallel.
Playbooks can be used both in Remediation actions and in Auto-Remediation actions.
Each of these actions can run on the Cynet Server or on an EPS Endpoint, and can originate from a file, host, or User.
Configuring the Custom Remediation Playbook
Note
Before creating a Playbook, you must first create at least one Custom Remediation action.
To configure the Custom Remediation Playbook:
From the main menu, open the Remediation tab.
Click PLAYBOOKS.
To add a new Playbook, click Create.
Applying the Custom Remediation Playbook
To apply the Custom Remediation Playbook to a File or User:
From the main menu, open the Files or Users view.
Select an entity from the list.
Click Actions.
Choose whether to run the Playbook as part of a Remediation or an Auto-Remediation:
To run it as a Remediation action, on the Remediation top menu, click the Playbook action.
To run it as an Auto-Remediation action, on the top menu choose Auto Remediation, then, in the Auto-Remediation pane, associate the Playbook action with the Auto-Remediation Alert action.
Viewing System Information
The System Info page provides general information about the system, as well as information regarding the health of the system.
Main Info
The Main Info section contains information about the Cynet installation.
Cynet Version
The current version of Cynet 360.
Cynet Installation Directory
The path of the Cynet system installation.
Disk Space
The amount of used disk space in MB compared to the total amount of available disk space in MB.
All system drives are displayed, but Cynet only monitors the drive on which it is installed for low disk space.
System Health
The System Health section contains information regarding the following services:
Service | Description (healthy services are marked with a status icon) |
---|---|
Cynet Service | Displays the health status of the main Cynet service. |
DB – CynetDB Service | Displays the health status of the Cynet database service. |
Sync Cloud | Displays the health status of the connection to the Cynet VPC cloud. |
Monitor – CSHelper Service | Displays the health status of the Cynet Helper service, which monitors the Cynet service and the CynetDB service. |
Local Smart Simulation Execution | Displays the health status of the connection to the Cynet SSE sandbox. Shows the status for local and cloud sandbox connections. |
Last Antivirus Update | Displays the date and the time of the last Antivirus update. |
Configuring Alerts
On the Alerts page, you can configure settings for the following:
Email Settings
To configure the Email Settings, from the Settings page, select the Alerts tab and scroll down to the Email Settings section.
You can configure the following settings for email alerts:
Setting | Description |
---|---|
Email Alert Recipients | The email addresses that receive email alerts when the system generates an alert. Multiple emails are comma-separated. |
SMTP Server | The IP address of the organization’s SMTP server, which is used to transport alert emails when generated by the system. |
SMTP SSL | Enable if the SMTP server requires an SSL connection to be established for sending mail. |
Email Alert Sender | Controls the “From” field in email alerts generated by the system. |
General Settings
You can specify the SIEM server to which the Cynet server sends syslog messages. To define a SIEM server, enter an IP address and a port number. The default port is 514.
Note
If the SIEM Connectivity port is changed from the default (514), the Cynet services must be restarted on the server for the change to take effect.
Configuring Alert Settings
You can configure Alert Settings for the types of alerts to be enabled. Operators can exclude or filter out certain types of alerts.
Note
Cynet recommends that all alert types are enabled, so that every type of threat that is detected generates an alert.
To configure the Alert Settings, from the Settings page, select the Alerts tab and scroll down to the Alert Settings section.
You can enable the following Alert Settings:
Setting | Description |
---|---|
Port Scanning Alerts | Enables alerts to be generated for port scanning detection. Detections are only possible if “Network Attacks Detection” is enabled in the “Scan Groups” settings. |
Ransomware Alerts | Enables alerts to be generated for ransomware detection. |
ARP Poisoning Alerts | Enables alerts to be generated for ARP poisoning detection. |
Pass-the-Hash Alerts | Enables alerts to be generated for pass-the-hash detection. |
Critical Pass-the-Hash Alerts | Enables alerts to be generated for critical pass-the-hash detection. |
Show Mimikatz Alerts | Enables alerts to be generated for Mimikatz detection. |
Powershell Empire Alerts | Enables alerts to be generated for Powershell Empire detection. |
VSSAdmin Alerts | Enables alerts to be generated for VSSAdmin detection. |
DNS Tunneling Alerts | Enables alerts to be generated for DNS tunneling detection. Detection is only possible if “Network Attacks Detection” is enabled in the “Scan Groups” settings. |
ICMP Tunneling Alerts | Enables alerts to be generated for ICMP tunneling detection. Detection is only possible if “Network Attacks Detection” is enabled in the “Scan Groups” settings. |
SMB Scanning Alerts | Enables alerts to be generated for SMB scanning detection. Detection is only possible if “Network Attacks Detection” is enabled in the “Scan Groups” settings. |
Brute Force Alerts | Enables alerts to be generated for brute force attempt detection. |
Hacking Tool Alerts | Enables alerts to be generated for hacking tool detection. Detection is only possible if “Credential Decoy Detection” is enabled in the “Scan Groups” settings. |
Remote Access Tool Alerts | Enables alerts to be generated for remote access tool detection. |
Trojan Alerts | Enables alerts to be generated for trojan detection. |
HTTP Tunneling Alerts | Enables alerts to be generated for HTTP tunneling detection. Detection is only possible if “Network Attacks Detection” is enabled in “Scan Groups” settings. |
Unscanned Host Alert Settings
You can use these settings to generate alerts for specific hosts that Cynet is not scanning.
To add a host to the list:
Enter a few letters of a Hostname.
When the Hostname you want appears in the drop-down menu, select it from the menu.
Click Add.
To remove a host, select the host from the list and click Delete.
Email Alert Filter Settings
You can use the Email Alert Filter settings to set the minimum severity of alerts that are sent by email. By default, Cynet 360 sends alerts of all severity levels.
To configure the Email Alert Filter Settings:
From the Settings page, select the Alerts tab and navigate to the Email Alert Filter Settings section.
From the drop-down menu, select the minimum severity level to send:
Informative: Sends alerts of all severity levels to email recipients
Low: Sends only Low, Medium, High, and Critical severity alerts to email recipients
Medium: Sends only Medium, High, and Critical severity alerts to email recipients
High: Sends only High and Critical severity alerts to email recipients
Critical: Sends only Critical severity alerts to email recipients
Click Save.
File Monitoring
Cynet includes file monitoring capabilities that expand file-based forensic visibility from mainly executables to all file activity on the protected asset.
File monitoring provides visibility into the following actions:
• File Access
• File Deleted
• File Renamed
• File Executed
• File Created
Enabling file monitoring requires several steps:
- Configure the Cynet analytic server (shared with other advanced Cynet features).
- On the Scan Group Settings page, enable File Monitoring.
- Configure which file types to collect from the endpoints: on the Settings page, under the Advanced tab, in the File Monitoring section, configure the file extensions that Cynet monitors on disk.
Because of the volume of events file monitoring generates, monitoring all extensions is not advised: it places a heavy load on the Cynet EPS and can degrade performance on the end-customer machine.
Best practice recommendations are available in the dedicated file monitoring installation guide.
Once configured, the collected data is displayed in the Forensic tab, in the file monitoring dashboard under the Files pillar.
The dashboard offers filters at the top of the screen for the action type and for several key parameters such as Username or ProcessSHA256.
To query deeper into the collected data, use the free text search option, which runs queries against the raw event data.
Expanding a single file event with the + control shows all the collected data, parsed and indexed as key-value pairs.
Windows Event Monitoring
Cynet collects Windows event logs from Windows hosts using the Cynet EPS agent deployed on the protected asset. No events are collected by default; enabling collection requires several steps:
- Configure the Cynet analytic server (shared with other Cynet functions such as file monitoring; see Appendix A, step 1).
- On the Scan Group Settings page, enable Windows Event Monitoring.
- Configure which event types to collect from the endpoints: on the Settings page, the Windows Events section shows an overview of the events currently configured for collection. By default the list is empty.
In the example overview, event 4103 (PowerShell module logging) is collected from two scan groups and event 4104 (PowerShell script block logging) from a single group.
Use the Create button to add collection policies: the upper section specifies the log type and event ID, and the lower section collects custom fields for more advanced logs.
Once data is collected, drill into the Windows events in the Forensic dashboard, under the Hosts pillar, in the Windows Events section.
The main Windows event dashboard is unfiltered and shows all events collected in the environment. Use the top section to filter on key values such as Host, Event ID, and specific Event Types.
To query deeper into the collected data, use the free text search option, which runs queries against the raw event data.
Expanding a single event with the + control shows all the collected data, parsed and indexed as key-value pairs.
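Event IDs 4103 and 4104 are only written when PowerShell module logging and script block logging are enabled on the endpoint, so a collection policy for them can look healthy while collecting nothing. The following PowerShell script is an added example, not from the Cynet guide or product: it reads the two logging policy values from the registry and pulls the most recent 4103/4104 events from the Microsoft-Windows-PowerShell/Operational log, so you can confirm there is something for Cynet to collect before you create the policy. Run it locally on a host in the target scan group.

```powershell
# Added example; not part of Cynet 360. Run on an endpoint in the target scan group.
function Get-PowerShellLoggingState {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $log  = 'Microsoft-Windows-PowerShell/Operational'

    # Reads a policy DWORD; an absent key or value counts as disabled.
    function Test-PolicyEnabled([string] $SubKey, [string] $Value) {
        $item = Get-ItemProperty -Path (Join-Path $base $SubKey) -Name $Value -ErrorAction SilentlyContinue
        return ($null -ne $item -and $item.$Value -eq 1)
    }

    # Most recent occurrence of each event ID, if any.
    $recent = foreach ($id in 4103, 4104) {
        $ev = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $id } -MaxEvents 1 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            EventId = $id
            Found   = ($null -ne $ev)
            Last    = $(if ($ev) { @($ev)[0].TimeCreated })
        }
    }

    [pscustomobject]@{
        ModuleLoggingEnabled      = Test-PolicyEnabled 'ModuleLogging'      'EnableModuleLogging'
        ScriptBlockLoggingEnabled = Test-PolicyEnabled 'ScriptBlockLogging' 'EnableScriptBlockLogging'
        RecentEvents              = $recent
    }
}

# Extracts the script text from recent 4104 events, i.e. what a collection
# policy for 4104 would forward. In a 4104 event, Properties[2] is ScriptBlockText;
# Properties[0] and [1] are MessageNumber and MessageTotal for long scripts that
# were split across several events.
function Get-RecentScriptBlocks {
    param([int] $MaxEvents = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Host   = $_.MachineName
                Part   = '{0}/{1}' -f $_.Properties[0].Value, $_.Properties[1].Value
                Script = $_.Properties[2].Value
            }
        }
}

$state = Get-PowerShellLoggingState
$state | Format-List
if (-not $state.ModuleLoggingEnabled) {
    Write-Warning 'Module logging policy is not enabled; no 4103 events will be written. Enable "Turn on Module Logging" by policy before collecting 4103.'
}
if (-not $state.ScriptBlockLoggingEnabled) {
    Write-Warning 'Script block logging policy is not enabled; only blocks PowerShell itself flags as suspicious are logged as 4104. Enable "Turn on PowerShell Script Block Logging" before collecting 4104.'
}
Get-RecentScriptBlocks | Format-Table -Wrap
```

If `Found` is false for both IDs after the policies are enabled, open a new PowerShell session and run any cmdlet; the first 4103/4104 events appear immediately and the collection policy has something to pick up.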
Multi-Tenant Architecture
Cynet offers a multi-tenant architecture built for Managed Security Service Provider (MSSP) and large enterprise customers.
The multi-tenant architecture is delivered using multiple servers that host the Cynet application and database services. Several multi-tenant architectures are possible: some are built on a simple single server (a single-site approach), while others use components designed for scale, such as Docker-hosted site instances and additional Cynet components.
In both cases, each server instance is called a “site” and is managed by a server acting as the Global Manager.
This approach lets the Global Manager provide a single surface for all activities related to operating multiple sites.
Once the Global Manager server is configured and connected to all of the sites, a new set of capabilities appears in the UI. These enable navigation between the sites according to the User’s privileges, and the ability to view and take actions on the entire environment, such as specifying a central security policy or creating a new site.
Site Navigation
Navigation between the sites is the most basic control: it lets the User move between the servers that are managed by and connected to the Global Manager. For global Operators and Users with access to multiple sites, the default view is “ALL”, which provides full visibility and control (subject to the User’s access privileges) over all of the environments.
Selecting a single site navigates to that site’s dashboard, which has the same look and feel as a standalone server.
Global Views
The Global Manager also gives the User access to summarized alert and forensic data across all sites through its dashboards, each of which provides a different view of the environment.
Global Alert view
When the “All” site is selected, the Alerts tab in the Global Manager displays every alert triggered across all sites. Each alert is presented as it would be in a standalone site interface, with additional information about the originating site displayed on the right.
The User can view the overview details for quick reference, the alert’s site of origin and its general status in the global environment, and expand the alert to view all the relevant forensic metadata without drilling into the single-site interface.
Global Forensic View
The “All” forensic view gives the User an overview of all the forensic artifacts Cynet collects, divided into several pillars. Each entry carries enough metadata for a quick check across the environment; clicking a forensic object takes the User to the full forensic data inside the site.
Global Forensic Files
The Global Forensic Files view displays all the executable files running across the environment. The User can enter a specific file name or SHA256 and receive an immediate response if it is a file that ran in the environment. Clicking on a file or SHA256 takes the User directly to the site forensic page where the file was executed.
Global Forensic Hosts
The Global Forensic Hosts view provides a quick summary of all hosts across sites, and an easy way to find a specific asset from the basic key information associated with it.
Clicking on the asset drills down to the host forensic page of the specific site where the host resides.
Global Forensic Users
The Global Forensic Users view provides a quick overview of all Users that exist in the environment across sites. The common use case is to identify a User as part of an investigation, or quickly understand when the last login of a specific User took place.
Clicking a User takes you to the Users forensic area in the site where the User resides.
Global Forensic Domains
In the Global Forensic Domain view, the User can quickly identify remote domain access and identify how many Hosts or Users have access to specific domains.
Clicking on a domain takes the User to the Domain Forensic page inside the site where the domain was accessed.
Global Audit log
Auditing information is collected in the Global Manager server and all access is monitored across the sites. The activities performed are also logged, and this information can be exported to a SIEM platform or other third parties using Syslog.
Global User Configuration
Once Users are created, there are two levels of permission assigned to them.
- Site Access Rights
These specify to which sites the User has login access. A single site means that a User has a normal standalone experience using Cynet without any global dashboards. Having access to multiple sites enables a global dashboards view and site navigation.
- User Access Privilege
Each site access is mapped to a permission authorization level. A User may have custom permission or Operator rights to a single or multiple sites. The User privileges define the actions that a User can take and to which view capabilities they have access.
In multi-tenant environments there is an additional privilege level, Global Operator, which maps to full administration of the environment: a global Operator has full access to all of the sites. It also carries rights to Global Manager operations such as creating additional global Operators, creating new sites, and maintaining sites already managed by the Global Manager.
Once a User is created and mapped to permissions, modifying or adding permissions to a new site is performed via the User Permission matrix.
SIEM Integration
When SIEM integration is configured through a Global Manager, the Global Manager site itself can be integrated, giving the SIEM visibility into activities at the Global Manager level. In addition, the User can configure each site’s SIEM integration centrally from the same interface.
Global Site Security Configuration
The Global Manager provides central administration of all the sites, enabling the security policy to be set quickly for every site it manages. The User can establish a global policy that enforces a template across all of the sites, or modify the configuration per site via the Central Scan Group menu.
Selecting a feature from the list of Cynet capabilities presents the feature’s options as checkboxes that the User can enforce globally or per scan group on each site.
Each site connected to the Global Manager provides a list of all of its scan groups and their settings, kept up to date with the site’s current configuration. This lets the User view and configure the applied settings from a single dashboard.
This section describes the features of the Global Manager.
Global Operator
The permission level of a global Operator enables the User to manage site creation and perform other maintenance operations on the Global Manager level. On top of the administrative rights to the Global Manager server, a global Operator has full administrative access to all the sites managed by the Global Manager server.
Client Site Manager
Site Status
The Global Sites status displays the current connectivity of the Global Manager to every site in the environment, and acts as a basic health indicator for each site.
The client ID specified next to each site reflects the ID that this customer instance has with Cynet relating to the license activation process and contact ID for the CyOps SOC team.
Cloud Sync represents the health of the connection between the Cynet site server and the Cynet VPC back-office cloud.
This is a crucial connection: it is the pipeline for some of Cynet’s security capabilities, for threat intelligence, and for the Cynet SOC team’s remote assistance in monitoring alerts and assisting in investigation and incident response.
Create Site
Site creation in a global MSSP environment has two main options, depending on the infrastructure and architecture of the environment.
In a simple global environment, each new site is a standalone server (physical or virtual) that must be installed and configured as a standalone Cynet server before it is connected to the Global Manager.
In an advanced global environment, which includes the central management worker services and additional servers hosting the Hosts Server and Docker Server, sites are created as virtual services: Docker instances allow automated site creation using the auto deployment tool.
Users create new sites automatically with the auto deployment tool by specifying the contact details of the site owner or point of contact and a Client ID, which is provided by Cynet or acquired as part of an ongoing MSSP license agreement.
Auto-Deployed Sites Action
This displays the status of actions performed using the auto-site deployment tool. The following information is important for client deployment:
Token: This is the unique identifier agents use to connect to their server sites.
Action: Logs the action relevant to the site (such as creation, deletion).
Status: Presents the outcome of the performed action. Starts as pending and goes towards either success or failure.
*All actions have a default failure timeout and retry mechanism. For details, refer to the Global Manager Installation Guide.
Client Sites
Once a site is created, it appears under Client Sites with the server IP and the port bindings for both the API and the DB, which the Global Manager requires in order to connect to and manage the site.
Site deletion is performed using the Remove button.
Site renaming is performed using the Edit button.
Traffic Router
The Traffic Router is a Cynet proxy component that acts as a gateway between the protected Cynet assets and the Cynet server.
Traffic routers are used in several use cases:
- Single-site roaming device support (DMZ)
- Single-site isolated network
- Multi-site environments (MSSP)
Traffic routers have two modes of operation based on the required use case:
Static Mode
In Static Mode, the traffic router forwards all agent traffic to the configured next hop, the Cynet server.
This scenario is used to support roaming devices or sub-networks that are not directly connected to the Cynet Server.
Placing the traffic router in the DMZ with a publicly reachable address lets roaming assets connect to the traffic router, which forwards their traffic to the Cynet server transparently to the protected asset.
The DMZ approach limits the Cynet server’s exposure to external threats and improves the overall security architecture for protecting roaming devices.
Dynamic Mode
In multi-tenant environments, a traffic router is mandatory because it directs each connected agent to its own Cynet site server.
When configured as a dynamic traffic router, the connection to the Global Manager supplies the traffic router with the list of all active tokens and their site mappings, so it knows which sites are available. When an agent connects in this mode, its token is validated against an existing site and the traffic is then forwarded to that site’s Cynet server.
The Master server requires access to the Slave server’s database to retrieve all data related to the Slave server’s scanned endpoints. This connection is made on TCP port 3333. The Slave server communicates with the Master server through the web console API on TCP port 8443.
Note
The default web console listening port is TCP 8443, but it can be changed in the configuration settings. A Slave server must connect to the Master server on the Master’s configured web console port.
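The following PowerShell script is an added example, not from the Cynet guide or product, for checking the two TCP paths described above: from the Master to each Slave database on 3333, and from a Slave back to the Master web console port (8443 unless reconfigured). A second function confirms locally that something is actually listening on a port, which separates a firewall problem from a stopped service. The host names are placeholders assumed for the example.

```powershell
# Added example; not part of Cynet 360.
function Test-CynetSitePorts {
    param(
        [Parameter(Mandatory)] [string] $MasterHost,
        [string[]] $SlaveHosts = @(),
        [int] $DbPort  = 3333,    # Slave database port the Master connects to
        [int] $ApiPort = 8443,    # Master web console port the Slaves connect to
        [ValidateSet('Master', 'Slave')] [string] $RunningOn = 'Master'
    )

    # Build the list of (host, port) pairs that must be reachable from here.
    $targets = if ($RunningOn -eq 'Master') {
        foreach ($s in $SlaveHosts) {
            [pscustomobject]@{ Host = $s; Port = $DbPort; Path = 'Master -> Slave DB' }
        }
    } else {
        [pscustomobject]@{ Host = $MasterHost; Port = $ApiPort; Path = 'Slave -> Master API' }
    }

    foreach ($t in $targets) {
        # Test-NetConnection performs a real TCP handshake; a firewall drop shows
        # up as TcpTestSucceeded = $false after the timeout, not as an exception.
        $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Path      = $t.Path
            Target    = '{0}:{1}' -f $t.Host, $t.Port
            Reachable = $r.TcpTestSucceeded
            Resolved  = $r.RemoteAddress   # which address the name resolved to
        }
    }
}

# Run locally on a server to confirm a Cynet component is actually listening
# before blaming the network; reports the owning process.
function Get-CynetListener {
    param([Parameter(Mandatory)] [int] $Port)
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                Process      = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            }
        }
}

# Placeholder host names (assumed for the example).
# On the Master (Global Manager):
Test-CynetSitePorts -MasterHost 'gm.example.internal' -SlaveHosts 'site1.example.internal', 'site2.example.internal' |
    Format-Table -AutoSize
# On a Slave whose Master console was moved to 9443:
# Test-CynetSitePorts -MasterHost 'gm.example.internal' -RunningOn Slave -ApiPort 9443
# On the Slave itself, confirm the database port is listening:
# Get-CynetListener -Port 3333
```

A `Reachable` of false combined with `Get-CynetListener` showing a listener on the remote side points at the network path; no listener points at the Cynet service on that server.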
Cynet Binaries
The following are the binaries Cynet 360 uses to scan endpoints. See the “Cynet Server Services” section for information about the executables and services that run on the Cynet server for analysis, detection, and remediation of threats.
Executables (Windows)
The following executable is run from the C:\Windows\ directory:
CynetEPS.exe
The Endpoint Scanner (EPS) process is deployed by the Cynet 360 server to Windows endpoints to be scanned. It deploys certain child processes (see below) and collects indicators from files, Users, hosts, and network data for threat analysis. This process handles all communication between the endpoint and the Cynet server.
The following are child processes dynamically spawned by CynetEPS.exe:
CynetMS.exe – The Memory Scanner (MS) process scans memory usage by running processes for malicious activity.
CynetAR.exe – The Auto Run (AR) process collects data regarding autorun entries, drivers, tasks, and services for processes scheduled to run at boot (persistence).
CynetGW.exe – The GUI Window (GW) process collects data regarding Windows activity for each process, to detect processes running in hidden windows.
CynetSD64.exe – The Software Dev 64-Bit (SD64) process collects DLL dependencies for 64-bit processes running on the system. Since the CynetEPS is running as a 32-bit process, the CynetSD64 process is necessary to collect this data from 64-bit processes.
CynetLauncher.exe – The Launcher executable is a remote execution process that runs on endpoints to distribute the CynetEPS executable for scanning.
CynetDS.exe – The Deep Scan executable runs on endpoints for forensic analysis of a specified process. The CynetDS can only monitor one process per host at a time, but multiple hosts can have the deep scan running at the same time. See “Deep Scan Settings” for more information.
CynetRunner.exe – The Runner executable is deployed to endpoints when certain remediation actions are used. When “Run Command” or “Run File” actions are used, this process handles the execution of the action, and collects the response output. The output can then be viewed in the console interface.
CynetRunner64.exe – The 64-bit version of the CynetRunner.exe process (see above).
Daemons (Linux & Mac)
The following daemon is run from the /opt/Cynet/ directory:
CynetEPS
The Endpoint Scanner (EPS) daemon is deployed by the Cynet 360 server to Linux or Mac endpoints to be scanned. It collects indicators from files, Users, hosts, and network data for threat analysis. This process handles all communication between the endpoint and the Cynet server.
Cynet Services
The following are the services Cynet 360 uses for various purposes, grouped into services that run on the server and services that run on the scanned endpoints in the environment.
Cynet Server Services
The services listed below are found only on the Cynet server, where they process scan data from scanned endpoints.
CSHelper (cshelper.exe) – The CSHelper service acts as a watchdog service for the other Cynet services on the server. It constantly checks that all other Cynet services are running and automatically restarts any that are not currently running. This service can also check if updates to the Cynet server version exist. If the system is configured for automatic updates, it begins the update process and restarts the Cynet services after the update has completed.
Cynet (cynet.exe) – The Cynet service is the central Cynet service, which coordinates actions between all other Cynet services. It performs start-up checks, performs database updates or maintenance if necessary, performs threat analysis queries, heartbeats back to the Cynet VPC, performs threat intelligence queries, sends files to the sandbox for analysis, and performs remediation actions on endpoints (whether taken manually or through auto-remediation).
CynetListener (cynetlistener.exe) – The CynetListener service is responsible for listening for raw scan data coming in from endpoints. This service places this data in a temporary queue where it is processed by the CynetProtobufHandler service, when available.
CynetProtobufHandler (cynet.protobufprocessor.exe) – The CynetProtobufHandler service is responsible for processing raw scan data collected from endpoints by the server and processing the data so it can be stored in the appropriate database location.
Redis (redis-server.exe) – The Redis service is a queue application responsible for the communication between the Cynet database and the frontend Web interface. The queuing provides quick page loads when using the Web interface, especially with actions that require complex queries to the database.
[OPTIONAL] CynetSyslog (Cynet.Syslog.exe) – The CynetSyslog service can be configured to run a syslog listener. This service accepts incoming syslog messages through a configured port and archives them on the Cynet server. The Cynet server can also be configured to parse syslogs (see “Configuring Log Parser Settings”).
Light Agent Service (Windows)
The service listed below is installed on any Windows host with the Light Agent installed.
CynetLauncher
This service is created when the Light Agent is installed on a Windows host. It runs CynetLauncher.exe once at boot, which invokes the CynetEPS process on the endpoint with the necessary command-line parameters.
Note
The CynetLauncher service does not remain in the ‘Running’ state after it has run. To verify that the Light Agent is running, check Task Manager for the CynetEPS process.
Light Agent Service (Linux)
The service listed below is installed on any Linux host with the Light Agent installed.
Cyservice
This service is created when the light agent is installed on a Linux host. This service starts the CynetEPS daemon when the system boots. It is placed in the /etc/init.d/ directory.
Light Agent Service (Mac)
The service listed below is installed on any Mac host with the Light Agent installed.
com.cyneteps.service.plist
This service is created when the light agent is installed on a Mac host. This service starts the CynetEPS daemon when the system boots. It is placed in the /Library/LaunchDaemons/ directory.
CynetEPS Command-Line Flags
The CynetEPS process that runs on Windows endpoints accepts several command-line flags that activate or deactivate functionality of the Cynet scanner while it scans endpoints. The flags can be seen in the “Command Line” column in the Windows Task Manager.
A typical CynetEPS execution with a full command-line of flags can look like this:
CynetEPS.exe 192.168.200.100 -port 443 -cpulimit 15 -scanid 52 -alwayson -driver -donetworkcheck -adthransom -adtdokill -ualert -fh -fhdokill
Note
The first command-line argument specifies the IP address of the Cynet server. It is a required argument for the CynetEPS to run. There is no flag to define this argument.
The table in the following section contains a list of the command-line flags and values that are available to control the functionality of the CynetEPS. These flags are set at the time of execution and are typically set by the Cynet server when scanning endpoints. They may also be used to set the default configuration of the Light Agent during agent installation. Consult Cynet support for any questions regarding these flags.
Flag | Description |
---|---|
-port <port> | This flag, along with a port number, defines the port the EPS uses when sending scan data back to the Cynet server. Example: -port 443 |
-secip <ip> | This flag along with an IP address defines a secondary IP address for the EPS to send scan data to. This IP address is only used if the primary IP address (specified in the first command-line argument) is unavailable. Example: -secip 192.168.100.200 |
-secport <port> | This flag along with a port number defines the port for the secondary IP address the EPS uses when sending scan data back to the Cynet server. Example: -secport 8443 |
-cpulimit <value> | This flag along with a numeric value defines the maximum amount of CPU usage that the CynetEPS and CynetMS can consume when scanning the host. 60% of this value is allocated to the CynetEPS process, while the remaining 40% is allocated for the CynetMS process. Example: -cpulimit 15 (9% to CynetEPS, 6% to the CynetMS) |
-memsize <value> | This flag along with a numeric value defines the maximum amount of memory usage the CynetEPS and CynetMS can consume when scanning the host (in Megabytes). This limit is applied to the CynetEPS and CynetMS process respectively. Example: -memsize 300 |
-heartbeat <value> | This flag along with a numeric value defines the interval in which the CynetEPS heartbeats back to the Cynet server (in seconds). The default value is 300 (5 minutes). Example: -heartbeat 15 |
-donetworkcheck | This flag enables the CynetEPS to perform an Internet connectivity check. This connectivity is factored into the risk score analysis. Example: -donetworkcheck |
-nomemstr | This flag disables memory string collection by the CynetEPS when analyzing processes on endpoints during scanning. Example: -nomemstr |
-ps <ip> | This flag along with the host’s IP address enables the EPS to bind to the NIC configured with this IP address to detect network-based attacks. Example: -ps 192.168.1.10 |
-pps <value> | This flag along with a numeric value defines the maximum number of network packets the CynetEPS analyzes per second. If this limit is exceeded, the Network Monitor within the CynetEPS enters sleep mode until it has completed analyzing all packets in the current queue. Example: -pps 10000 |
-ualert | This flag enables the CynetEPS to display a pop-up on the endpoint desktop when an alert is generated by Cynet to notify the User. Example: -ualert |
-driver | This flag enables the CynetEPS to install a driver on the system for the self-protection mode. This mode ensures that the EPS process cannot be killed on the host. It also provides kernel level visibility. Example: -driver |
-driverblockraw | This flag enables blocking any attempt to write to the MBR. Example: -driverblockraw |
-driverkillraw | This flag enables automatic remediation for any attempt to write to the MBR. Any process that was blocked from writing to the MBR is killed. Example: -driverkillraw |
-driverloghandle | This flag enables logging for process handles on scanned endpoints. This flag is typically only used for troubleshooting. Example: -driverloghandle |
-debugconfig | This flag stores all scan data in an unencrypted data file on the endpoint, so it is human-readable. This flag is typically only used for troubleshooting. Example: -debugconfig |
-disableupdate | This flag disables the CynetEPS from automatically updating its arguments from the Cynet server. This flag is typically only used for troubleshooting. Example: -disableupdate |
-showconsole | This flag enables the CynetEPS to display all activity to a command prompt at execution. This flag is typically only used for troubleshooting. Example: -showconsole |
-savelog (-loglevel <value>) | This flag enables the CynetEPS to log all activity to a log file located at C:\Windows\clog\CynetEPSLog.txt. Optionally, the -loglevel flag can be used in conjunction to specify what types of events must be saved in the log. This flag is typically only used for troubleshooting. Log levels: all, trace, debug, info (default), warn, error, fatal, off. Examples: -savelog; -savelog -loglevel all; -savelog -loglevel 1 |
-debugms | This flag enables the CynetMS to log all activity to a log file located at C:\Windows\System32\CynetLoggerMS.txt or C:\Windows\CynetLoggerMS.txt (depending on the working directory). This flag is typically only used for troubleshooting. Example: -debugms |
-savejson | This flag enables the CynetEPS to create JSON files locally, which simulates data files sent back to the Cynet server (called PCQ files). These JSON files are typically saved to C:\Windows\system32\CynetEPSJson#.file. This flag is typically only used for troubleshooting. Example: -savejson |
-savezip | This flag enables the CynetEPS to save all PCQ files to a single ZIP file. This ZIP file is typically saved to C:\windows\CynetEPSJson.zip. This flag is typically only used for troubleshooting. Example: -savezip |
-osharecycle <value> | This flag, along with a numeric value, defines the minimum amount of time the CynetEPS takes to collect information from a remotely opened file (in minutes). Example: -osharecycle 3 |
-fh | This flag enables the Fuzzy Hashing detection mechanism. With the Fuzzy Hashing technique, Cynet can mathematically calculate similarities in code to detect similar variants of malware. Example: -fh |
-fhdokill | This flag enables remediation based on threats detected using the Fuzzy Hashing technique. Processes are automatically killed when detected. Example: -fhdokill |
-decoy | This flag enables the CynetEPS to monitor for brute force attempts on decoy files and Users that were deployed to the endpoint. Example: -decoy |
-adtdisable | This flag disables the ADT (Advanced Detection Technology) heuristic engine on the CynetEPS. This functionality is enabled by default on the CynetEPS unless this flag is set. Cynet does NOT RECOMMEND disabling this feature, as it is an important mechanism for threat detection. Example: -adtdisable |
-adthdokill | This flag enables the CynetEPS to automatically kill processes determined to be malicious by the ADT Heuristic Engine. Example: -adthdokill |
-adthransom | This flag enables the CynetEPS ransomware detection mechanism in the ADT Heuristic Engine. Example: -adthransom |
-adtnodecoy | This flag disables the decoy file feature for ransomware detection in the ADT Heuristic detection. With this feature, hidden decoy files are deployed to specific locations on the file system for ransomware detection. Cynet does NOT RECOMMEND disabling this feature, as it affects the ability to detect new variants of ransomware. Example: -adtnodecoy |
-adtdecoylimit <value> | This flag, along with a numeric value, defines the maximum disk space that can be used by the ransomware heuristic decoy files (in Megabytes). Example: -adtdecoylimit 100 |
-adtnoproccb | This flag disables… Example: -adtnoproccb |
-fastscan | This flag enables the CynetEPS external threat intelligence feature. Example: -fastscan |
-fastscandokill | This flag enables the CynetEPS to automatically remediate threats detected using external threat intelligence. Example: -fastscandokill |
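The flag table above can be turned into a small audit of an endpoint's CynetEPS command line: parse the required server IP and the documented flags, work out the 60/40 CPU split, and list troubleshooting-only or NOT RECOMMENDED flags that were left on. This is an added example, not Cynet's own tooling; the flag sets are copied from the table, -scanid and -alwayson come from the sample command line, and the command lines it runs on are constructed.

```python
import ipaddress
import shlex

# Flags that take a value, per the table; -scanid is taken from the sample command line.
VALUE_FLAGS = {"port", "secip", "secport", "cpulimit", "memsize", "heartbeat", "ps",
               "pps", "loglevel", "osharecycle", "adtdecoylimit", "scanid"}
# Flags the guide says are typically only used for troubleshooting.
TROUBLESHOOTING_FLAGS = {"driverloghandle", "debugconfig", "disableupdate",
                         "showconsole", "savelog", "debugms", "savejson", "savezip"}
# Flags the guide explicitly does NOT RECOMMEND setting.
NOT_RECOMMENDED_FLAGS = {"adtdisable", "adtnodecoy"}
# Constructed sample command line (not from a real deployment).
SAMPLE_CMDLINE = "CynetEPS.exe 192.168.200.100 -port 443 -cpulimit 15 -driver -adtdisable -debugconfig"

def parse_eps_cmdline(cmdline):
    """Return (server_ip, {flag: value or True}); raise ValueError on bad input."""
    argv = shlex.split(cmdline)
    if len(argv) < 2 or argv[1].startswith("-"):
        raise ValueError("first argument must be the Cynet server IP address")
    server_ip = str(ipaddress.ip_address(argv[1]))  # required positional, no flag
    flags, i = {}, 2
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("-"):
            raise ValueError(f"unexpected positional argument: {tok}")
        name = tok.lstrip("-").lower()
        if name in VALUE_FLAGS:
            if i + 1 >= len(argv) or argv[i + 1].startswith("-"):
                raise ValueError(f"-{name} requires a value")
            flags[name] = argv[i + 1]
            i += 2
        else:
            flags[name] = True
            i += 1
    return server_ip, flags

def audit_eps_cmdline(cmdline):
    """Summarise the effective configuration and list flags worth a second look."""
    server_ip, flags = parse_eps_cmdline(cmdline)
    report = {"server_ip": server_ip, "findings": []}
    if "cpulimit" in flags:  # 60% of the limit goes to CynetEPS, 40% to CynetMS
        limit = float(flags["cpulimit"])
        report["cpu_eps_percent"] = round(limit * 0.6, 2)
        report["cpu_ms_percent"] = round(limit * 0.4, 2)
    report["heartbeat_seconds"] = int(flags.get("heartbeat", 300))  # default is 300 s
    for name in sorted(flags):
        if name in NOT_RECOMMENDED_FLAGS:
            report["findings"].append(f"-{name}: disables a detection feature the guide recommends keeping on")
        elif name in TROUBLESHOOTING_FLAGS:
            report["findings"].append(f"-{name}: troubleshooting-only flag left enabled")
    return report
```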
The following terms and abbreviations are used throughout this document:
Term / Abbreviation | Definition |
---|---|
AV | Antivirus |
CISO | Chief Information Security Officer |
CMDB | Configuration Management Database |
CSV | Comma Separated Value |
DNS | Domain Name System |
EDR | Endpoint Detection and Response |
EPS | Endpoint Scanner |
IoC | Indicators of Compromise |
IP | Internet Protocol |
KB | Knowledge Base |
MFA | Multi-Factor Authentication |
NGAV | Next Generation Antivirus |
Object | A file, User, host, network, or socket |
ODBC | Open Database Connectivity |
OS | Operating System |
OU | Organizational Unit |
RDP | Remote Desktop Protocol |
RPC | Remote Procedure Calls |
SOC | Security Operations Center |
SIEM | Security Information and Event Management |
SSE | Server Sent Events |
SSH | Secure Shell |
UBA | User Behavior Analytics |
UEBA | User and Entity Behavior Analytics |
UI | User Interface |
URL | Uniform Resource Locator (Web address) |
VPC | Virtual Private Cloud |