Introducing Tanium Threat Response: A New Way To Ease The Pain Of EDR Investigations

Tanium Threat Response was developed to empower security teams to detect, investigate, and remediate incidents using a single platform. The Tanium platform eases the collaboration challenges faced by EDR and IT teams, providing an integrated view of the entire enterprise. Using the power of Tanium IOC Detect, Tanium Trace, and Tanium Incident Response, Tanium Threat...

An Integrated Workflow: Investigating and Remediating a Mass-Malware Infection

I recently had the opportunity to help a customer use Tanium to investigate and respond to an outbreak of the “Ponik” malware. Ponik is a downloader that can retrieve and install additional malware, as well as steal credentials, from an infected system. Though Ponik is an example of commodity mass-malware, it presented a good opportunity...

Hunting for Rogue PowerShell Profiles

During the earliest phases of an intrusion, attackers typically move to establish persistence on at least a subset of compromised systems. This might be to ensure that they can easily regain access to the victim environment, such as via a backdoor, or to keep other forms of malicious code running, such as a keystroke logger....

Back to the Basics: Detecting Malicious Windows Services with Tanium

“The theme I really want you to take away [from this presentation] is: if you really want to protect your network, you really have to know your network.” – TAO Chief, NSA, USENIX Enigma 2016. An essential part of “knowing your network” is tracking endpoint persistence mechanisms – the myriad of ways in which an operating...

Avoiding Incident Response Groundhog Day

Ever since I began my information security career, February 2nd has held a special place in my heart. When that date arrives I can’t help but think of the movie “Groundhog Day” with Bill Murray, and if you’ve spent any reasonable stretch of time doing incident response, then that reference has caused a grim smile to...

It’s Time to Get Serious About Ending Endpoint ‘Tool Bloat’

Have you managed to acquire a pile of security tools in your organization that sit unused? It’s a common issue and it’s one we see a lot in the endpoint security space. If all these products did what they said on the box or in their marketing collateral, it wouldn’t be nearly such a costly...

Don’t Get Hijacked! Searching for DLL Load Order Attacks with Tanium

DLL Hijacking, commonly referred to as load order or search order hijacking, is a well-documented malware persistence technique that continues to elude detection and pose a significant challenge for investigators. For anyone unfamiliar with this technique, have no fear! In this post we will discuss a brief background of load order hijacking and introduce a...

The Time to Change Federal Cybersecurity is Now

This week, Federal CIO Tony Scott is expected to release a public report on ideas submitted from industry, government and academia to the American Council for Technology and Industry Advisory Council (ACT-IAC), a public-private partnership, for how agencies can stay ahead of and recover from cyber attacks. The report is a milestone in the race...

In Conversation: Nasdaq’s Brad Peterson and Tanium’s Orion Hindawi on the Six Questions Every Board Must Ask Their InfoSec Leadership

When facing a massive data breach, a company’s status quo — and perhaps its very existence — can all be gone in a matter of seconds. Tanium co-founder & CTO Orion Hindawi and Brad Peterson, Executive Vice President and Chief Information Officer for Nasdaq, understand better than most that countless companies are teetering on the brink of a preventable...

Tanium Incident Response Updates: WMI, Scheduled Tasks and Enhanced File Search

On Friday, October 30, Tanium released an updated version of our Incident Response module. I’m excited about several of the new capabilities introduced by this point update, including the ability to hunt for malicious WMI event consumers, conduct at-scale analysis of scheduled tasks and search for files at rest within seconds. In this post, I’ll...