The Latest At Insight Engines

Posted by Scott Wright on April 18, 2019

News and Press:

Tidying Expert Marie Kondo: Cybersecurity Guru?

Taking notes from Netflix smash hit “Tidying up With Marie Kondo”, Kurtis Franklin Jr. of Dark Reading interviews Insight Engines CEO Grant Wernick on taking the same approach of cleaning your room to cleaning your data.

“The more time I spend in the cybersecurity world, the more I see people just keep data — not insights” – Grant Wernick

Insight Engines Webinar: May 22nd

Join us for an informational webinar on How to use Natural Language Processing on Palo Alto Networks data. Where we will dive deep into PAN endpoint data and how to use Insight Engines to get the maximum visibility and value from them.

Sign up for the webinar here

Security Insights Weekly: Snippet

April 12th, 2019

The TRITON intrusion is shrouded in mystery. There has been some public discussion surrounding the TRITON framework and its impact at the target site, yet little to no information has been shared on the tactics, techniques, and procedures (TTPs) related to the intrusion lifecycle, or how the attack made it deep enough to impact the industrial processes.


The TRITON framework itself and the intrusion tools the actor used were built and deployed by humans, all of whom had observable human strategies, preferences, and conventions for the custom tooling of the intrusion operation. It is our goal to discuss these adversary methods and highlight exactly how the developer(s), operator(s) and others involved used custom tools in the intrusion.

If you suspect something fishy in your environment, turn the tides with the queries below:

[Recon Phase]

Which hosts have RDP traffic with failed patch updates in the past 30 days?

[Delivery Phase]

Show me hosts with files with hash "47f9cc543905a69a423f9110ae7deffb", 
hash "ee477fdee8b6ad4fe778a6fa4058f9aa", or hash 
"aca94bb7bdfb735f267f083e28f4db37" in the past 30 days

[Installation Phase]

Do any systems have new files named "*.acm", "*.ax", "*.cpl", "*.dll", 
"*.drv", "*.efi", "*.exe", "*.mui", "*.ocx", "*.scr", "*.sys", "*.tsp" 
from the past 30 days?

[Command & Control Phase]

Which hosts have external network traffic using port 43 or port 4444 
or port 8531 or port 50501 in the past 30 days?
Show me hosts with new registry entries and traffic to website 
"uk2[.]net" in the past 30 days
Are there hosts with ssh traffic on non-standard ports from the 
past 30 days?


Sign up for the Security Insights Weekly Newsletter.