Maximizing Your Non-Persistent Agent’s Effectiveness

September 16, 2015

As we noted in our previous blog post about persistent agents, endpoint security and investigation can be a sticking point for many organizations. Particularly for those whose security posture is still evolving, persistent agents may be too time- and/or resource-intensive for an organization to maximize its effectiveness.

Still, the convenience of a persistent agent is that it doesn’t have to be manually installed every time you want to investigate an endpoint. That’s why with Cyber Triage 1.1, we’ve given you the option to perform a remote install — to push the agent to any endpoint whether it’s down the hall or across the world.

How Do We Do It?

Our approach with pushing collection agents is to rely on infrastructure that IT may already have configured, or that is relatively easy for them to configure. In Cyber Triage 1.1, we used PsExec, a tool from Microsoft that allows you to run commands on other systems without having to install special software on that target system.

We chose PsExec for three reasons:

  1. It works on all Windows platforms, from XP to Windows 10.
  2. Approaches using Windows Remote Management (WinRM) involved more dependencies and configuration. All PsExec needs is to have file sharing enabled.
  3. Most customers we spoke to told us that their corporate environments are configured to support PsExec.

While PsExec was not without its own challenges, we were able to work around them:

  • Because PsExec will copy only a single executable, we had to change our agent to have fewer dependencies. Ultimately, this turned out to improve the software itself in terms of minimizing the agent’s footprint on the target system.
  • PsExec’s license prevents us from being able to distribute PsExec as part of Cyber Triage. Cyber Triage users will need to download PsExec and configure Cyber Triage to use it, an easy step-by-step process.

Making Triage Simpler

Because we want Cyber Triage to be very easy to use, it includes its own diagnostics and validation of user-provided inputs to help diagnose problems that may occur when trying to connect to a remote system. Instead of generic error messages, we will perform additional tests to help focus on the problem. Most often, these problems result from an incorrectly configured target system or input of incorrect host name or passwords.

Cyber Triage also ensures that password hashes for administrative accounts are not pushed to the target system. Once an attacker gains access to a system, they often try to break accounts by dumping password hashes from accounts that have logged into that system. It’s best not to push domain-level administrator password hashes to endpoints, and Cyber Triage comes with this best practice already built into its system.

What’s Next for Cyber Triage

We’ll continue to refine Cyber Triage’s agent along with its UI. Our next releases will update these in the Cyber Triage standalone version that runs on a responder’s desktop or laptop. In parallel, we’re working on the client / server version with a REST API that will enable you to integrate Cyber Triage with SIEMs and other systems, perform bulk collections, and hunt for indicators.

Remote agent install offers the same convenience as a persistent agent without the infrastructure requirements. In Cyber Triage 1.1, this convenience extends to a reduced footprint and fewer potential security issues. To learn more and to get a trial version for yourself, contact us.

Simplify your incident response with Cyber Triage