An Integrated Workflow: Investigating and Remediating a Mass-Malware Infection

I recently had the opportunity to help a customer use Tanium to investigate and respond to an outbreak of the “Ponik” malware. Ponik is a downloader: it retrieves and installs additional malware on an infected system and also steals credentials from it. Though Ponik is an example of commodity mass-malware, it presented a good opportunity...

Hunting for Rogue PowerShell Profiles

During the earliest phases of an intrusion, attackers typically move to establish persistence on at least a subset of compromised systems. This might be to ensure that they can easily regain access to the victim environment, such as via a backdoor, or to keep other forms of malicious code running, such as a keystroke logger....
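One concrete form of the persistence described above is a rogue PowerShell profile: a script dropped into one of the standard profile locations so that it runs every time a PowerShell host starts. The following is an added example, not code from the original post or from Tanium; it enumerates the well-known profile paths for Windows PowerShell, PowerShell 7 (assumed installed under Program Files\PowerShell\7) and the ISE, across every user directory rather than just the current user, and flags contents matching an assumed, heuristic list of download-and-execute and obfuscation indicators.

```powershell
# Added example (not from the original post): enumerate the standard PowerShell
# profile locations on a Windows host and flag content that commonly indicates
# a rogue, persistence-establishing profile. Indicator strings are a heuristic
# starting list (an assumption), not a complete signature set.

# Machine-wide profiles (all users, all hosts) for Windows PowerShell and PowerShell 7+.
# The PowerShell 7 path assumes the default install location.
$machineProfiles = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\profile.ps1",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\Microsoft.PowerShellISE_profile.ps1",
    "$env:ProgramFiles\PowerShell\7\profile.ps1",
    "$env:ProgramFiles\PowerShell\7\Microsoft.PowerShell_profile.ps1"
)

# Per-user profiles: walk every user profile directory, not just $PROFILE for the
# current user, since an attacker may plant the profile under a different account.
$userProfiles = Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        foreach ($sub in 'WindowsPowerShell', 'PowerShell') {
            foreach ($name in 'profile.ps1', 'Microsoft.PowerShell_profile.ps1', 'Microsoft.PowerShellISE_profile.ps1') {
                Join-Path $_.FullName "Documents\$sub\$name"
            }
        }
    }

# Heuristic regex indicators (assumed list) of download-and-execute, encoded or hidden execution.
$indicators = @(
    'Invoke-Expression', '\bIEX\b', 'DownloadString', 'DownloadFile', 'Net\.WebClient',
    'Invoke-WebRequest', 'FromBase64String', '-EncodedCommand', '-enc\b', '-WindowStyle\s+Hidden',
    'Start-Process', 'Add-MpPreference'
)

$results = foreach ($path in ($machineProfiles + $userProfiles)) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $item    = Get-Item -LiteralPath $path
    $content = Get-Content -LiteralPath $path -Raw -ErrorAction SilentlyContinue
    $hits = @()
    foreach ($pattern in $indicators) {
        if ($content -match $pattern) { $hits += $pattern }
    }
    [pscustomobject]@{
        Path          = $path
        SizeBytes     = $item.Length
        LastWriteTime = $item.LastWriteTime   # a recent write on a profile is itself a lead
        Indicators    = ($hits -join ', ')
        Suspicious    = ($hits.Count -gt 0)
    }
}

# Any profile at all is worth a look (most hosts have none); suspicious ones are listed first.
$results | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Run it in an elevated session so that other users' Documents folders are readable. The absence of indicator hits does not clear a profile: review the full contents of every file the script lists, and compare the LastWriteTime against the intrusion timeline.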

Avoiding Incident Response Groundhog Day

Ever since I began my information security career, February 2nd has held a special place in my heart. When that date arrives I can’t help but think of the movie “Groundhog Day” with Bill Murray, and if you’ve spent any reasonable stretch of time doing incident response, then that reference has caused a grim smile to...

Rethinking the Investigation Phase of the Endpoint Security Lifecycle: A Closer Look at Tanium Trace

A frequently cited metric when examining the current state of incident detection and response is “dwell time.” Research consistently highlights a significant gap, often measured in months, between the time at which a compromise occurs and when the victim ultimately detects the intrusion. We can all agree this gap serves as a useful barometer for measuring the success...

Introducing Tanium Trace: Changing the Game for Incident Response

For more than a decade, I’ve focused on a combination of designing secure networks, testing security controls, and investigating complex breaches. In each of these roles, I struggled to find tools that provided the visibility and control of all endpoints required to better prevent, detect and resolve security incidents. That is why I was excited — and...