All posts by Jeff Petters

What is an SMB Port + Ports 445 and 139 Explained

smb port hero image

The SMB protocol enables “inter-process communication,” which is the protocol that allows applications and services on networked computers to talk to each other – you might say SMB is one of the languages that computers use to talk to each other.

How Does The SMB Protocol Work?

In early versions of Windows, SMB ran on top of the NetBIOS network architecture. Microsoft changed SMB in Windows 2000 to operate on top of TCP and use a dedicated IP port. Current versions of Windows continue to use that same port.

Microsoft continues to make advancements to SMB for performance and security: SMB2 reduced the overall chattiness of the protocol, while SMB3 included performance enhancements for virtualized environments and support for strong end-to-end encryption.

SMB Protocol Dialects

Just like any language, computer programmers have created different SMB dialects use for different purposes. For example, Common Internet File System (CIFS) is a specific implementation of SMB that enables file sharing. Many people mistake CIFS as a different protocol than SMB, when in fact they use the same basic architecture.

Important SMB implementations include:

  • CIFS: CIFS is a common file sharing protocol used by Windows servers and compatible NAS devices.
  • Samba: Samba is an open-source implementation of Microsoft Active Directory that allows non-Windows machines to communicate with a Windows network.
  • NQ: NQ is another portable file sharing SMB implementation developed by Visuality Systems.
  • MoSMB: MoSMB is a proprietary SMB implementation by Ryussi Technologies.
  • Tuxera SMB: Tuxera is also a proprietary SMB implementation that runs in either kernel or user-space.
  • Likewise: Likewise is a multi-protocol, identity aware network file sharing protocol that was purchased by EMC in 2012.

What Are Ports 139 And 445?

SMB has always been a network file sharing protocol. As such, SMB requires network ports on a computer or server to enable communication to other systems. SMB uses either IP port 139 or 445.

  • Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network.
  • Port 445: Later versions of SMB (after Windows 2000) began to use port 445 on top of a TCP stack. Using TCP allows SMB to work over the internet.

smb port 139 and 445

How To Keep These Ports Secure

Leaving network ports open to enable applications to function is a security risk. So how do we manage to keep our networks secure and maintain application functionality and uptime? Here are some options to secure these two important and well-known ports.

  1. Enable a firewall or endpoint protection to protect these ports from attackers. Most solutions include a blacklist to prevent connections from known attackers IP addresses.
  2. Install a VPN to encrypt and protect network traffic.
  3. Implement VLANs to isolate internal network traffic.
  4. Use MAC address filtering to keep unknown systems from accessing the network. This tactic requires significant management to keep the list maintained.

how to keep ports 139 and 445 secure

In addition to the network specific protections above, you can implement a data centric security plan to protect your most important resource – the data that lives on your SMB file shares.

Understanding who has access to your sensitive data across your SMB shares is a monumental task. Varonis maps your data and access rights and discovers your sensitive data on your SMB shares. Monitoring your data is essential to detect attacks in progress and protect your data from breaches. Varonis can show you where data is at-risk on your SMB shares and monitor those shares for abnormal access and potential cyberattacks.  Get a 1:1 demo to see how Varonis monitors CIFS on NetApp, EMC, Windows, and Samba shares to keep your data safe.

Varonis Gets Lightning Fast with Solr

Varonis Gets Lightning Fast with Solr

Any security practitioner that has had to perform forensic analysis on a cybersecurity incident likely describes the process as “searching for a needle in a stack of needles.” Even Tony Stark’s magnet isn’t going to help. Anyone who has used a SIEM or any other monitoring system to figure out how gigabytes of data was stolen knows how difficult that task can be.

Varonis leverages Solr to optimize and streamline the process of analyzing data related to a cybersecurity incident. Solr makes the stack of needles smaller – enabling security teams to analyze incidents faster.


How is Varonis using Solr?

The Solr server is a repository for the most current Varonis log and alert data, making searches in the Varonis WebUI lightning fast. The Varonis WebUI presents the searches in a clean and customizable view that you can filter and narrow down to find the correct needle in that stack of needles.

New events and alerts are available in the Varonis WebUI immediately, and Solr indexes the data as it is received. The Varonis WebUI correlates and contextualizes the data into understandable and actionable alerts, which can combine seemingly unrelated events into a clear picture of a coordinated cyberattack.

The new Solr search engine starts providing data while the search is running. The search field has autocomplete, so you can see possible search parameters as you type, just like in Google. You can save searches, set your favorite filters or queries, and easily access them again in the future.

What are the Advantages of Solr?

Solr is an open-source search optimized database that is used throughout the software industry. With the new WebUI powered by Solr, customers are seeing faster alerts, easier forensic analysis, and quicker query return.

Some of the features of Solr that Varonis uses are:

  • Advanced Full-Text Search Capabilities: Solr uses the Lucene search engine to implement powerful and optimized searching and indexing
  • Optimized for High Volume Traffic: Solr has proven its capability to operate at extremely large scales all over the world
  • Easy Monitoring: Solr includes self-monitoring tools via Java Management Extensions (JMX) for system performance and uptime monitoring
  • Highly Scalable and Fault-Tolerant: Solr scales up and down easily depending on your loads and use cases. Rebalancing and fault tolerance are built into Solr out of the box
  • Near Real-Time Indexing: Solr can index and search at the same time

The Varonis WebUI is an awesome tool for advanced alerting and investigating cybersecurity incidents. The WebUI is fast and easy to navigate, but the real power is how Varonis analyzes the data and uses advanced threat models to paint an easy to understand picture of cybersecurity attacks.

See the new Varonis WebUI in a free 1:1 Demo – and experience how fast and easy responding to cybersecurity threats with Varonis can be.

What is Mimikatz: The Beginner’s Guide

what is mimikatz hero

Benjamin Delpy originally created Mimikatz as a proof of concept to show Microsoft that their authentication protocols were vulnerable to attack. Instead, he inadvertently created one of the most widely used and downloaded hacker tools of the past 20 years.

Rendition Infosec’s Jake Williams said, “Mimikatz has done more to advance security than than any other tool I can think of.” If you’re tasked with protecting Windows networks, it’s essential to keep up with the latest Mimikatz updates to understand the techniques hackers will use to infiltrate your networks – and stay one step ahead.

What is Mimikatz?

Mimikatz is an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks.

Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.

mimikatz definition

What Can Mimikatz Do?

Mimikatz originally demonstrated how to exploit a single vulnerability in the Windows authentication system. Now the tool demonstrates several different kinds of vulnerabilities. Mimikatz can perform credential-gathering techniques such as:

  • Pass-the-Hash: Windows used to store password data in an NTLM hash. Attackers use Mimikatz to pass that exact hash string to the target computer to login. Attackers don’t even need to crack the password, they just need to use the hash string as is. It’s the equivalent of finding the master key to a building on the floor. You need that one key to get into all the doors.
  • Pass-the-Ticket: Newer versions of windows store password data in a construct called a ticket.  Mimikatz provides functionality for a user to pass a kerberos ticket to another computer and login with that user’s ticket. It’s basically the same as pass-the-hash otherwise.
  • Over-Pass the Hash (Pass the Key): Yet another flavor of the pass-the-hash, but this technique passes a unique key to impersonate a user you can obtain from a domain controller.
  • Kerberos Golden Ticket: This is a pass-the-ticket attack, but it’s a specific ticket for a hidden account called KRBTGT, which is the account that encrypts all of the other tickets. A golden ticket gives you domain admin credentials to any computer on the network that doesn’t expire.
  • Kerberos Silver Ticket: Another pass-the-ticket, but a silver ticket takes advantage of a feature in Windows that makes it easy for you to use services on the network. Kerberos grants a user a TGS ticket, and a user can use that ticket to log into any services on the network. Microsoft doesn’t always check a TGS after it’s issued, so it’s easy to slip it past any safeguards.
  • Pass-the-Cache: Finally an attack that doesn’t take advantage of Windows! A pass-the-cache attack is generally the same as a pass-the-ticket, but this one uses the saved and encrypted login data on a Mac/UNIX/Linux system.

what can mimikatz do

Where to Download Mimikatz

You can download Mimikatz from Benjamin Delpy’s GitHub – he offers several options to download, from the executable to the source code. You will need to compile with Visual Studio 2010 or later.

How Do You Use Mimikatz

When you run Mimikatz with the executable, you get a Mimikatz console in interactive mode where you can run commands in real time.

Run Mimikatz as Administrator: Mimikatz needs to be “Run as Admin” to function completely, even if you are using an Administrator account.

Checking Version of Mimikatz

There are 2 versions of Mimikatz: 32bit and 64bit. Make sure you are running the correct version for your installation of Windows. Run the command ‘version’ from the Mimikatz prompt to get information about the Mimikatz executable, the Windows version, and if there are any Windows settings that will prevent Mimikatz from running correctly.

Extracting clear text passwords from memory

The sekursla module in Mimikatz lets you dump passwords from memory. To use the commands in the sekurlsa module, you must have Admin or SYSTEM permissions.

First, run the command:

mimikatz # privilege::debug

The output will show if you have appropriate permissions to continue.

Next, start the logging functions so you can refer back to your work.

mimikatz # log nameoflog.log

And finally, output all of the clear text passwords stored on this computer.

mimikatz # sekurlsa::logonpasswords

Using Other Mimikatz modules

The crypto module allows you to access the CryptoAPI in Windows which lets you list and export certificates and their private keys, even if they’re marked as non-exportable.

The kerberos module accesses the Kerberos API so you can play with that functionality by extracting and manipulating Kerberos tickets.

The service module allows you to start, stop, disable, etc. Windows services.

And lastly, the coffee command returns ascii art of coffee. Cause everyone needs coffee.

There is so much more to Mimikatz. If you are looking at penetration testing or you just want to dig into the Windows authentication internals, check out some of these other references and links:

Want to Mimikatz in action and learn how Varonis protects you from infiltration?  Join our free Live Cyber Attack Workshop and see our engineers execute a live cyberattack in our security lab.

What is an Active Directory Forest?

What is an Active Directory Forest?

An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, users, computers, and group policies.

“But wait?” you say. “I thought Active Directory was just one domain?”

A single Active Directory configuration can contain more than one domain, and we call the tier above domain the AD forest. Under each domain, you can have several trees, and it can be tough to see the forest for the trees

This additional top-level layer creates security challenges and increased potential for exploitation, but it can also mean greater isolation and autonomy when necessary: the trick is to understand AD forests and different strategies to protect them.

active directory forest diagram

How to Create a Forest Design?

Say you want to create a forest, or (and more likely) you have inherited a forest that you need to clean up. It’s common to see several different domains and GPOs in one or more forests that try to coexist due to earlier attempts at consolidation or acquisition.

First, determine if there are any organizational requirements that require a completely separate set of security policies. Frame the conversation with a focus on data security:

  • Are there over-arching policies you can set at the AD forest level?
  • Do you need additional domains with different security policies or segregated network connectivity?
  • Are there legal or application requirements that require separate domains in the forest?

Once you have the “autonomy and isolation” requirements documented, the design team can build the forest, domains, and GPOs according to each team or organization’s needs.

How Many Forests are Required?

In some cases, it might be necessary to create separate AD forests based on the autonomy or isolation requirements. Adding additional forests multiplies the complexity to manage the AD schema. There are some considerations to make if you decide to add another forest to your AD schema:

  • Can you achieve sufficient isolation without creating a second forest?
  • Do all of the stakeholders understand the ramifications of separate forests?
    • Management of 2 separate forests means you will have double the application servers and IT costs.
  • Do you have the resources to manage another forest?
    • A single IT team should not manage both AD forests. Security professionals recommend one (1) IT team per forest for segregation of duties.
    • Best practice is to migrate new or acquired domains into a single AD forest.

Single Forest vs Multi-Forest Active Directory Design

A single AD forest is a simpler solution long-term and generally considered best practice. It’s possible to create a secure environment without the additional overhead of a 2nd AD forest with multiple domains by leveraging GPOs, established data owners, and a least privilege model.

Multi-forests do provide an extra layer of security across the two domains, but at a significant increase to IT cost. Multi-forests do not make you more secure by default. You still need to configure GPOs and permissions appropriately for each AD forest.

Forest Design Models

types of active directory forest design models

There are three primary ways to design an AD forest: you can mix and match those designs to meet your organization’s security needs. Every Active Directory has at least one AD forest, and there are cases where multiple AD forests are required to meet business and security objectives. Here are a few different Forest Models. Each model has different advantages and disadvantage, and unique use cases.

Organizational Forest Model

In an organizational forest, user accounts and resources are stored and managed together. This is the standard configuration.

Characteristics of an organizational forest model:

  • Provides autonomy to users and resources in the forest
  • Isolates services and data from anyone outside the forest
  • Trust relationships between forests can allow access to some resources that live in outside forests

Resource Forest Model

A resource forest separates user accounts and resources into different forests. You would use this configuration to separate a manufacturing system or mission-critical system from the primary forest, so any problems with one forest allow the other to continue operation.

Characteristics of a Resource Forest Model:

  • Users live in the organizational forest
  • Resources live in one or more additional forests
  • Only alternative administrative user accounts live in the resource forests
  • Trusts enable resource sharing with the users
  • This model provides service isolation, so if one forest goes down the others will continue to operate as normal.

Restricted Access Forest Model

A restricted access forest totally isolates the users and resources in it from other forests. You would use this configuration to completely secure data and limit users to specific datasets.

Characteristics of a Restricted Access Forest Model:

  • No trusts exist to other forests
  • Users from other forests are not able to access resources in the restricted access forest
  • Users need a 2nd computer to access the restricted forest
  • Can be housed on a completely separate network if necessary

Active Directory Forests Best Practices

AD forests have been around since 2000, so there are many different theories about the best way to configure Active Directory and forests. Current best practices include:

  • When possible, consolidate to a single forest
  • Secure resources and data via GPO and apply a least privileged model
  • Use GPOs to further limit users ability to create new folders without following a set process. The least privileged permissions model.
  • Give your domain admins a 2nd admin account they use only when required per the change management process.
  • If you have multiple AD forests with trust relationships, consider consolidation.
  • If you need to create a restricted access forest, make sure it is truly restricted. As secure as we want the primary forest to be, a restricted access forest should be Castle Black. Put a 700’ wall around it and keep it there.

active directory forest best practices

If Active Directory holds the keys to the kingdom, the AD forest is the keyring for some of those keys: it’s important not only to secure Active Directory, but to understand how to configure and manage the AD forest in order to prevent data breaches and reduce security vulnerabilities.

Want to learn more about how to protect Active Directory – regardless of how many AD forests you have?  Learn about 5 FSMO Roles in Active Directory, and check out the difference between AD for Windows and Azure Active Directory.  Prefer an audio/visual experience instead?  We’ve got you covered: watch an on-demand webinar on 4 Tips to Secure Active Directory.


What is a Domain Controller, When is it Needed + Set Up

domain controller hero image

A domain controller is a server that responds to authentication requests and verifies users on computer networks. Domains are a hierarchical way of organizing users and computers that work together on the same network. The domain controller keeps all of that data organized and secured.

The domain controller (DC) is the box that holds the keys to the kingdom- Active Directory (AD). While attackers have all sorts of tricks to gain elevated access on networks, including attacking the DC itself, you can not only protect your DCs from attackers but actually use DCs to detect cyberattacks in progress.

What is The Main Function of a Domain Controller?

domain controller use

The primary responsibility of the DC is to authenticate and validate user access on the network. When users log into their domain, the DC checks their username, password, and other credentials to either allow or deny access for that user.

Microsoft Active Directory or Microsoft AzureAD are the most common examples, while Samba is the Linux based equivalent DC.

Why is a Domain Controller Important?

Domain controllers contain the data that determines and validates access to your network, including any group policies and all computer names. Everything an attacker could possibly need to cause massive damage to your data and network is on the DC, which makes a DC a primary target during a cyberattack.

Domain Controller vs. Active Directory


Active Directory is a type of domain, and a domain controller is an important server on that domain. Kind of like how there are many types of cars, and every car needs an engine to operate. Every domain has a domain controller, but not every domain is Active Directory.

Do I Need a Domain Controller?

In general, yes. Any business – no matter the size – that saves customer data on their network needs a domain controller to improve security of their network. There could be exceptions: some businesses, for instance, only use cloud based CRM and payment solutions. In those cases, the cloud service secures and protects customer data.

The key question you need to ask is “where does my customer data live and who can access it?”

The answer determines if you need a domain – and DC – to secure your data.

domain controller benefits and limitations

Benefits of Domain Controller

  • Centralized user management
  • Enables resource sharing for files and printers
  • Federated configuration for redundancy (FSMO)
  • Can be distributed and replicated across large networks
  • Encryption of user data
  • Can be hardened and locked-down for improved security

Limitations of Domain Controller

  • Target for cyberattack
  • Potential to be hacked
  • Users and OS must be maintained to be stable,  secure and up-to-date
  • Network is dependent on DC uptime
  • Hardware/software requirements

How to Set Up a Domain Controller + Best Practices

best practices for setting up a domain controller

  • Configure a stand-alone server for your domain controller.
    • If you are using Azure AD as your domain controller you can ignore this step.
    • If not, your DC should act exclusively as a DC.
  • Limit both physical and remote access to your DC as much as possible.
    • Consider local disk encryption (BitLocker)
    • Use GPOs to provide access to the SysAdmins in charge of administering Active Directory, and allow no other users to log in, either on the console or via Terminal Services.
  • Standardize your DC configuration for reuse

Setting up a secure and stable DC doesn’t not mean you are secure forever. Attackers will still try to hack into your DC to escalate privileges or enable lateral movement throughout your network. Varonis monitors AD for out-of-policy GPO changes, Kerberos attacks, privilege escalations, and more.

Want to see how it works? Get a personalized 1:1 demo to how Varonis protects DCs and Active Directory from cyberattacks.

What is Data Classification? Guidelines and Process

data classification title

In order to protect your sensitive data, you have to know what it is and where it lives.

Data Classification Defined

Data classification is the process of analyzing structured or unstructured data and organizing it into categories based on the file type and contents.

Data classification is a process of searching files for specific strings of data, like if you wanted to find all references to “Szechuan Sauce” on your network. Or if you needed to know where all HIPAA protected data lives on your network. Or if you want to prepare for data privacy regulations and need to identify any personally identifiable information (PII) on your data stores.

definition of data classification

Data classification is usually based on a file parser combined with a string analysis system. A file parser allows the data classification engine to read the contents of several different types of files. A string analysis system then matches data in the files to defined search parameters.

RegEx –short for regular expression – is one of the more common string analysis systems that defines specifics about search patterns. For example, if I wanted to find all VISA credit card numbers in my data, the RegEx would look like:

\b(?<![:$._’-])(4\d{3}[ -]\d{4}[ -]\d{4}[ -]\d{4}\b|4\d{12}(?:\d{3})?)\b

That sequence tells the RegEx system that we are looking for a pattern with a 4 digit number starting with the number 4 followed by a dash and a second 4 digit number and… you get the idea. Only a string of characters that matches the RegEx directly generates a positive result.

Although there are some parallels between the two, data classification is not the same as data indexing. Classification looks for identifiers based on patterns and returns a list of files and how many matches it found for each pattern. It doesn’t necessarily index those files. Indexing enables search, and you’ll need to search those matches to fulfill data subject access requests and right-to-be-forgotten requests.

Reasons for Data Classification

reasons to implement data classification

The Center for Internet Security (CIS)- which devotes an entire section to data classification protections – says data classification is important because “in several high-profile breaches over the past two years, attackers were able to gain access to sensitive data stored on the same servers with the same level of access as far less important data.”

Beyond data security concerns, there are several other reasons to implement a data classification process:

  • Identify sensitive files, intellectual property, and trade secrets
  • Secure (and lock down) critical data
  • Track regulated data to comply with regulations like HIPAA, PCI, or GDPR
  • Optimize search capabilities with data indexing
  • Discover statistically significant patterns or trends inside data
  • Optimize storage by identifying duplicate or stale data

Data Classification Process: 4 Steps

Data classification processes differ slightly depending on the objectives for the project. Any data classification project requires automation to process the astonishing amount of data that companies create every day. In general, there are some ubiquitous criteria required to create any data classification process:

  1. Define the objectives of the data classification process. What are you looking for? Why?
  2. Create workflows based on the selected classification tools. How does the classification process work? Is there a process in place to scan new data? Is there a process to create new classification criteria?
  3. Define the categories and classification criteria. What kinds of data should you search for? What process will you follow to validate the classification results?
  4. Define outcomes and usage of classified data. How are the results organized – and how do you plan to make business decisions based on those results?

Data Classification Tips

  • Use automated tools to process large volumes of data quickly
  • Leverage RegExes and Luhn: create custom classification patterns or implement software that does the heavy lifting for you
  • Validate your classification results: nobody likes a false positive.
  • Figure out how to best use your results and apply classification to everything from data security to business intelligence.

Data Classification FAQ

How does Varonis do Data Classification differently?

Varonis has over 400 pre-configured RegExes to discover all manners of PII, PHI, and GDPR data with a fully customizable classification engine you can configure for any business purposes. Varonis monitors over 60 file types out of the box (including documents, spreadsheets, and more), and identifies new data that needs to be re-scanned (without starting the whole thing over) to catch new and recently added sensitive files, including:

  • Personal information: credit card numbers, passport numbers, driver’s license numbers, social security numbers, IBAN, and more
  • Financial records
  • Security file types (.cer, crt, p7b, etc.)
  • Regulated data (GDPR, HIPAA, PII, PHI, PCI, Sarbanes Oxley, GLBA, etc.)

The Varonis Data Classification Engine can process ~100 GB of data in an hour (caveats about your own hardware and network capacity) and includes rigorous false positive checks that reduce the workload to analyze the classification results. Not every 16 character numeric string is a credit card number, for instance, and Varonis knows the difference.

What Comes After Data Classification?

Varonis brings context to that classification. Varonis not only identifies the data that you’re looking for, but shows you who can access to that data – and who is accessing that data. Once you identify and classify sensitive data, you can take action on it: apply labels, lock down permissions, monitor access, alert on suspicious activity, and meet compliance requirements like right-to-be-forgotten. The Varonis Data Classification Engine allows you to protect your most sensitive and important data from unwanted access, accidental data leaks, and security attacks.

See the Data Classification Engine in action with a 1:1 demo.

Windows PowerShell vs. CMD: What’s The Difference?

powershell vs cmd hero

Back in the day, booting the then-cutting-edge IBM 8086 from the floppy brought you to a green text screen with a cursor blinking at the familiar C:\> prompt. Hacking boot.ini and config.sys to get my games to run was my first introduction to programming.

Eventually that C:\> got replaced with a pretty GUI and boot from hard disk. That command prompt (CMD) still lived on for decades. Only recently did CMD get an upgrade, or replacement, with PowerShell, the shell application Microsoft introduced with Windows 7.

CMD served us well for a good long time, but PowerShell is like going straight from steam engines to autonomous battery powered cars.

Windows Command Prompt

Windows Command Prompt – also known as CMD – is the original shell for the Microsoft DOS operating system. CMD was the default shell until Windows 10 build 14791 when Microsoft made PowerShell the default option. CMD is one of the last remnants of the original MS-DOS operating system that Microsoft replaced

Windows PowerShell

powershell cmdlets positives

Windows PowerShell is the new Microsoft shell that combines the old CMD functionality with a new scripting/cmdlet instruction set with built-in system administration functionality. PowerShell cmdlets allow users and administrators to automate complicated tasks with reusable scripts. System administrators save significant time by automating administration tasks with PowerShell.

PowerShell vs. CMD

PowerShell vs. CMD is like comparing apples to kumquats. They are completely different, despite the illusion that the ‘dir’ command works the same way in both interfaces.

PowerShell uses cmdlets, which are self-contained programming objects that expose the underlying administration options inside of Windows. Before PowerShell, sysadmins navigated the GUI to find these options, and there was no way to reuse the workflow of clicking through the menus to change options on a large scale.

PowerShell uses pipes to chain together cmdlets and share input/output data the same way as other shells, like bash in linux. Pipes allow users to create complex scripts that pass parameters and data from one cmdlet to another. Users can create reusable scripts to automate or make mass changes with variable data – a list of servers, for example.

One of the (many) neat functions of PowerShell is the ability to create aliases for different cmdlets. Aliases allow a user to configure their own names for different cmdlets or scripts, which makes it more straightforward for a user to switch back and forth between different shells: ‘ls’ is a linux bash command that displays directory objects, like the ‘dir’ command. In PowerShell, both ‘ls’ and ‘dir’ are an alias for the cmdlet ‘Get-ChildItem.’

what powershell uses

When to Use PowerShell

For systems administrators and other IT functions, PowerShell is the way to go. There isn’t any command left in CMD that isn’t in PowerShell, and PowerShell includes cmdlets for any administration function you could need. Third-party software vendors are extending PowerShell with custom cmdlets, like the NetApp PowerShell Toolkit that manages Data ONTAP.

PowerShell knowledge can be a differentiator for employment or even a job requirement, so it’s a worthwhile skill to invest in.

To get started on your PowerShell journey, check out this tutorial for the basics – and learn how to automate Active Directory tasks with our free PowerShell course by Adam Bertram, a Microsoft PowerShell MVP (pro-tip: use the code ‘blog’).

Zero-Day Vulnerability Explained

Zero-Day Vulnerability Explained

A zero-day vulnerability is a software bug or exploit that hasn’t been patched. It’s like a hole in the bottom of your shoe that you haven’t noticed yet, but a curly-mustachioed villain has found it and is considering putting rusty nails on your gas pedal. Hackers can use these bugs and exploits to steal your data before you’re able to find and patch the weakness.

What are Vulnerabilities?

Vulnerabilities allow attackers to slip past your defenses and into your network, like the unpatched software that allowed the Equifax hack.

As security professionals, we regularly deal with all kinds of vulnerabilities like software bugs, hacks, and human vulnerabilities.

Software bugs – like the one that led to the Equifax data breach – are faults in the code that hackers can use to get through to your data. Software hacks use existing functionality as part of an attack: the Golden Ticket attack, for instance, is a privilege escalation hack that takes advantage of the way Microsoft Kerberos functions normally. Human vulnerabilities are exploited most frequently by social engineering attacks, which often abuse trust (or naiveté) to steal passwords or send money to African princes.

What Makes a Zero-Day Vulnerability?

attributes of zero day vulnerability attack

In short, urgency and immediacy make a zero-day vulnerability.

These are software bugs that developers have zero days to fix because by the time they’re identified, they are already massive security risks that could cause significant damage. Most of the time, zero-day bugs are not public knowledge and are patched before attackers can build an exploit kit to take advantage of the flaw.

As long as the zero-day vulnerability is not public, developers have time on their side. However, once the exploit becomes public knowledge, it becomes a race for developers to get a patch out before damage is done.

Many organizations offer bounties for discovering zero-day vulnerabilities in their software. Microsoft and Google offer cash rewards for reporting vulnerabilities to them directly, with some rewards north of $100k.

Zero-Day Exploit

A zero-day exploit is different from a zero-day vulnerability. Zero-day exploits do not have to be existing vulnerabilities: they could be a brand new malware of ransomware program. A zero-day exploit is a brand new kind of attack in progress that requires immediate remediation.

When a zero-day vulnerability isn’t discovered and patched before the attackers find the flaw, however, it becomes a zero-day exploit as well.

Zero-day exploits are difficult to detect and defend against: they are unknown until it’s too late, and their nature is under-researched. Signature-based security solutions can’t detect a zero-day exploit, and there are no software vulnerability patches immediately available. You need to react to zero-day exploits quickly to prevent widespread damage to the network or data theft.

How to Defend Against Zero-Day Attacks

You can create a secure network that is resilient against zero-day attacks. By monitoring data and comparing current activity to an established baseline, you can detect abnormalities caused by zero-day attacks. Every cyberattack – zero-day or otherwise – leaves digital footprints in both the data and on the network.

For example, a zero-day exploit that grants an attacker access to a user account will likely cause that user account act abnormally. The attacker might try to search the network for credit card numbers or password lists, or try to elevate the account to a Domain Admin. With Varonis, either of those activities will trigger one of several behavior-based threat models and flag it as suspicious activity. So what can you do to protect yourself against zero-day vulnerabilities?

how to defend against zero day attacks

  • Monitor your core data – including files, folders, emails, Active Directory, VPN, DNS, and Web Proxies – for behaviors that could indicate a zero-day cyberattack
  • Enforce a least-privilege model to prevent lateral movement and data exfiltration from a zero-day attack
  • Update software and security (including IPS and Endpoint) packages as soon as they are available to defend against known zero-day vulnerabilities
  • Back up critical systems and establish recovery and incident response plans
  • Enforce strict software and internet use policies and train users to identify phishing attacks and other security risks

That last point is key. Empower the team to report behaviors on their systems that are out of place – employees are often the last line of defense against a zero-day attack.

Zero-Day Attack Examples

Each year there are at least a dozen or so different zero-day vulnerabilities identified and patched by software vendors. One of the most infamous is the Strutshock vulnerability used in the Equifax data breach. Developers patched that vulnerability in March of 2017, but Equifax didn’t apply the update – making it a zero-day attack.

Other notable zero-day attacks:

Tips to Prevent Zero-Day Vulnerabilities

Protecting your network from zero-day attacks requires behavior-based data monitoring that helps protect against both known and unknown threats. Varonis establishes behavioral baselines to detect unusual behavior in unusual activity in your network, and alerts on suspicious activity so you can respond and stop the threat before it becomes a data breach. Signature-based systems won’t detect a zero-day exploit, but a data-centric solution can detect the digital footprints of a zero-day exploit attack in progress.

See how Varonis detects attacks with a free 1:1 demo – and discover the best practices to defend against zero-day attacks.

IDS vs. IPS: What is the Difference?

ids vs ips

Intrusion Detection Systems (IDS) analyze network traffic for signatures that match known cyberattacks. Intrusion Prevention Systems (IPS) also analyzes packets, but can also stop the packet from being delivered based on what kind of attacks it detects — helping stop the attack.

How Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) Work

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are both parts of the network infrastructure. IDS/IPS compare network packets to a cyberthreat database containing known signatures of cyberattacks — and flag any matching packets.

The main difference between them is that IDS is a monitoring system, while IPS is a control system.

IDS doesn’t alter the network packets in any way, whereas IPS prevents the packet from delivery based on the contents of the packet, much like how a firewall prevents traffic by IP address.

  • Intrusion Detection Systems (IDS): analyze and monitor network traffic for signs that indicate attackers are using a known cyberthreat to infiltrate or steal data from your network. IDS systems compare the current network activity to a known threat database to detect several kinds of behaviors like security policy violations, malware, and port scanners.
  • Intrusion Prevention Systems (IPS): live in the same area of the network as a firewall, between the outside world and the internal network. IPS proactively deny network traffic based on a security profile if that packet represents a known security threat.

Many IDS/IPS vendors have integrated newer IPS systems with firewalls to create a Unified Threat Management (UTM) technology that combines the functionality of those two similar systems into a single unit. Some systems provide both IDS and IPS functionality in one unit.

The Differences Between IDS and IPS

venn diagram on ids vs ips

Both IDS/IPS read network packets and compare the contents to a database of known threats. The primary difference between them is what happens next. IDS are detection and monitoring tools that don’t take action on their own. IPS is a control system that accepts or rejects a packet based on the ruleset.

IDS requires a human or another system to look at the results and determine what actions to take next, which could be a full time job depending on the amount of network traffic generated each day. IDS makes a better post-mortem forensics tool for the CSIRT to use as part of their security incident investigations.

The purpose of the IPS, on the other hand, is to catch dangerous packets and drop them before they reach their target. It’s more passive than an IDS, simply requiring that the database gets regularly updated with new threat data.

*Point of emphasis: IDS/IPS are only as effective as their cyberattack databases. Keep them updated and be prepared to make manual adjustments when a new attack breaks out in the wild and/or the attack signature isn’t in the database.

Why IDS and IPS are Critical for Cybersecurity

what ids and ips cover

Security teams face an ever-growing threat of data breaches and compliance fines while continuing to struggle with budget limitations and corporate politics. IDS/IPS technology covers specific and important jobs of a cybersecurity strategy:

  • Automation: IDS/IPS systems are largely hands-off, which makes them ideal candidates for use in the current security stack. IPS provides the peace of mind that the network is protected from known threats with limited resource requirements.
  • Compliance: Part of compliance often requires proving that you have invested in technologies and systems to protect data. Implementing an IDS/IPS solution checks off a box on the compliance sheet and addresses a number of the CIS Security controls. More importantly, the auditing data is a valuable part of compliance investigations.
  • Policy enforcement: IDS/IPS are configurable to help enforce internal security policies at the network level. For example, if you only support one VPN, you can use the IPS to block other VPN traffic.

Varonis DatAlert complements IDS/IPS: while network security is critical for protection from data breaches — and IDS/IPS solutions fill that role perfectly — Varonis monitors real-time activity on data, which is a critical layer to any cybersecurity strategy.

When a new ransomware attack breaks out the IDS/IPS might not have the signatures ready to prevent the attack at the network level. Varonis, however, not only includes signature-based ransomware detection, but also recognizes the characteristics and behavior of a ransomware attack — multiple files modified in a short time for example — and automatically triggers an alert to stop the attack before it spreads.

Want to see how it works? Get a 1:1 demo to see how Varonis complements your IDS/IPS for a strong cybersecurity strategy.

What is a Brute Force Attack?

Brute Force Attack

A brute force attack (also known as brute force cracking) is the cyberattack equivalent of trying every key on your key ring, and eventually finding the right one. 5% of confirmed data breach incidents in 2017 stemmed from brute force attacks.

Brute force attacks are simple and reliable. Attackers let a computer do the work – trying different combinations of usernames and passwords, for example – until they find one that works. Catching and neutralizing a brute force attack in progress is the best counter: once attackers have access to the network, they’re much harder to catch.

Types of Brute Force Attacks

The most basic brute force attack is a dictionary attack, where the attacker works through a dictionary of possible passwords and tries them all. Dictionary attacks start with some assumptions about common passwords to try to guess from the list in the dictionary. These attacks tend to be somewhat outdated, given newer and more effective techniques.

Recent computers manufactured within the last 10ish years can brute force crack an 8 character alphanumeric password – capitals and lowercase letters, numbers, and special characters – in about two hours. Computers are so fast that they can brute force decrypt a weak encryption hash in mere months. These kinds of brute force attacks are known as an exhaustive key search, where the computer tries every possible combination of every possible character to find the right combination.

Credential recycling is another type of brute force attack that reuses usernames and passwords from other data breaches to try to break into other systems.

The reverse brute-force attack uses a common password like “password,” and subsequently tries to brute force a username to go with that password. Since password is one of the most common password in 2017, this technique is more successful than you might think.

Motives Behind Brute Force Attacks

Cyber Kill Chain

Brute force attacks occur in the early stages of the cyber kill chain, typically during the reconnaissance and infiltration stages. Attackers need access or points of entry into their targets, and brute force techniques are a “set it and forget it” method of gaining that access. Once they have entry into the network, attackers can use brute force techniques to escalate their privileges or to run encryption downgrade attacks.

Attackers also use brute force attacks to look for hidden web pages. Hidden web pages are websites that live on the internet, but are not linked to other pages. A brute force attack tests different addresses to see if they return a valid webpage, and will seek out a page they can exploit. Things like a software vulnerability in the code they could use for infiltration – like the vulnerability used to infiltrate Equifax, or a webpage that contains a list of username and passwords exposed to the world.

There is little finesse involved in a brute force attack, so attackers can automate several attacks to run in parallel to expand their options of finding a positive – for them – result.

How to Defend Against Brute Force Attacks

How to Defend Against Brute Force Attacks

Brute force attacks need time to run. Some attacks can take weeks or even months to provide anything usable. Most of the defenses against brute force attacks involve increasing the time required for success beyond what is technically possible, but that is not the only defense.

  • Increase password length: More characters equal more time to brute force crack
  • Increase password complexity: More options for each character also increase the time to brute force crack
  • Limit login attempts: Brute force attacks increment a counter of failed login attempts on most directory services – a good defense against brute force attacks is to lock out users after a few failed attempts, thus nullifying a brute force attack in progress
  • Implement Captcha: Captcha is a common system to verify a human is a human on websites and can stop brute force attacks in progress
  • Use multi-factor authentication: Multi-factor authentication adds a second layer of security to each login attempt that requires human intervention which can stop a brute force attack from success

The proactive way to stop brute force attacks starts with monitoring. Varonis monitors Active Directory activity and VPN traffic to detect brute force attacks in progress. We’ve got threat models that monitor lockout behaviors (often a sign that there’s a brute force attack under way), threat models that detect potential credential stuffing, and more – all designed to detect and prevent brute force attacks before the attack escalates.

It’s better to detect an attack in progress and actively stop the attack than it is to hope your passwords are un-crackable. Once you detect and stop the attack, you can even blacklist IP addresses and prevent further attacks from the same computer.

Ready to get ahead of brute force attacks? Get a 1:1 demo to learn how Varonis detects attacks so you can stop attackers proactively.

What is ITAR Compliance? Definition and Regulations

ITAR Compliance

The International Traffic in Arms Regulations (ITAR) is the United States regulation that controls the manufacture, sale, and distribution of defense and space-related articles and services as defined in the United States Munitions List (USML).

Besides rocket launchers, torpedoes, and other military hardware, the list also restricts the plans, diagrams, photos, and other documentation used to build ITAR-controlled military gear. This is referred to by ITAR as “technical data”.

ITAR mandates that access to physical materials or technical data related to defense and military technologies is restricted to US citizens only. How can a company ensure that only US citizens have and then access that data on a network and are ITAR compliant? Limiting access to the physical materials is straightforward; limiting access to digital data is more complicated.

Who Needs To Follow ITAR Compliance?

who needs to be ITAR complaint?

Any company that handles, manufactures, designs, sells, or distributes items on the USML must be ITAR compliant. The State Department’s Directorate of Defense Trade Controls (DDTC) manages the list of companies who can deal in USML goods and services, and it is up to each company to establish policies to comply with ITAR regulations.

  • Wholesalers
  • Distributors
  • Computer Software/ Hardware vendors
  • Third-party suppliers
  • Contractors

Every company in the supply chain needs to be ITAR compliant. If company A sells a part to company B and then company B sells the same part to a foreign power, company A is also in violation of ITAR.

ITAR Regulations

ITAR regulations are simple: only U.S. citizens can access items on the USML list.

ITAR’s rules can present a challenge for many US companies. A US-based company with overseas operations is prohibited from sharing ITAR technical data with employees locally hired, unless they gain State Dept. authorization. The same principle applies when US companies work with non-US subcontractors.

The State Department can issue exemptions to that one rule, and there are existing exemptions established for specific purposes. There are certain countries that currently have standing agreements with the U.S. that apply to ITAR – Australia, Canada, and the U.K., for example.

The US government requires having in place and implementing a documented ITAR compliance program, which should include tracking, monitoring and auditing of technical data. With technical data, it’s also a good idea to tag each page with an ITAR notice or marker so employees don’t accidentally share controlled information with unauthorized users.

ITAR exists to track military and defense sensitive material and to keep that material out of the hands of U.S. enemies. Noncompliance can result in heavy fines along with significant brand and reputation damage — not to mention the potential loss of business to a compliant competitor.

Penalties for ITAR Compliance Violations

Penalties for ITAR Compliance Violations
The penalties for ITAR infractions are stiff:

  • Civil fines up to $500,000 per violation
  • Criminal fines of up to $1 million and/or 10 years imprisonment per violation

In April of 2018, the State Department fined FLIR Systems, Inc $30 million in civil penalties for transferring USML data to dual national employees. Part of the penalty requires that FLIR implement better compliance measures and hire an outside official to oversee their agreement with the State Department.

In 2007 ITT took at $100 million fine to the face for exporting night-vision technology illegally. ITT thought they could workaround the restrictions, the Government didn’t agree with their interpretation of the rules.

Types of Defense Articles

There are 21 categories of Defense Articles in the USML. A defense article is anything on this long and oddly specific list.

    1. Firearms, Close Assault Weapons and Combat Shotguns
    2. Guns and Armament
    3. Ammunition/Ordnance
    4. Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs and Mines
    5. Explosives and Energetic Materials, Propellants, Incendiary Agents and Their Constituents
    6. Surface Vessels of War and Special Naval Equipment
    7. Ground Vehicles
    8. Aircraft and Related Articles
    9. Military Training Equipment and Training
    10. Personal Protective Equipment
    11. Military Electronics
    12. Fire Control, Laser, Imaging and Guidance Equipment
    13. Materials and Miscellaneous Articles
    14. Toxicological Agents, Including Chemical Agents, Biological Agents and Associated Equipment
    15. Spacecraft and Related Articles
    16. Nuclear Weapons Related Articles
    17. Classified Articles, Technical Data and Defense Services Not Otherwise Enumerated
    18. Directed Energy Weapons
    19. Gas Turbine Engines and Associated Equipment
    20. Submersible Vessels and Related Articles
    21. Articles, Technical Data and Defense Services Not Otherwise Enumerated

How to Secure Your ITAR Data

Given the penalties associated with ITAR, it makes sense to protect the digital data with as many layers of security as possible. Because ITAR is a U.S. Federal regulation, their own guidance for data security is a great place to start. NIST SP 800-53 defines the standards and guidelines federal agencies must follow, and any company that manages ITAR regulated materials should use NIST SP 800-53 as a baseline for their own security standards.. Follow these basic principles to secure your ITAR data:

  • Discover and Classify Sensitive Data
    Locate and secure all sensitive data
    Classify data based on business policy
  • Map Data and Permissions
    Identify users, groups, folder and file permissions
    Determine who has access to what data
  • Manage Access Control
    Identify and deactivate stale users
    Manage user and group memberships
    Remove Global Access Groups
    Implement a least privilege model
  • Monitor Data, File Activity, and User Behavior
    Audit and report on file and event activity
    Monitor for insider threats, malware, misconfigurations and security breaches
    Detect security vulnerabilities and remediate

ITAR Compliance FAQs

  1. How can Varonis help me find all of my ITAR data?
    The Data Classification Engine identifies and classifies ITAR regulated data on your core data stores – both on-premise and in the cloud. With a pre-built library of more than 400 patterns for common laws and standards, you can identify ITAR data and even apply custom tags, flags, and notes to regulated data.
  2. Who can access this ITAR data?
    Varonis DatAdvantage crawls your file systems to analyze permissions to all of your data, including the ITAR data. Understanding who can access this data is step one to protecting the data from illegal access. With DatAdvantage, you can see this information graphically in a clean, user-friendly UI, or as an exportable report.
  3. How will I know if my ITAR data is accessed?
    Varonis DatAlert monitors and trigger alerts when data is accessed, including a folder of your ITAR data. You can detect, flag, and investigate any suspicious behavior or unusual activity on your ITAR data, and maintain a complete audit trail to help meet ITAR regulations.
  4. How can I manage access to ITAR data?
    The Automation Engine automatically repairs and maintains file system permissions – keeping ITAR data locked down, and helping achieve a least privilege model. Varonis DataPrivilege helps streamline access governance, automatically enforce security policies, and demonstrate compliance to government auditors.

Want to learn more about how to manage your ITAR data to meet compliance? Get a 1:1 demo with a security engineer to see how Varonis can help.