Home  >  APT29  >  Results  >  BlackBerry Cylance  >  Configuration

BlackBerry Cylance Configuration

Product Versions

Cylance Enterprise with CylanceGUARD managed threat hunting.

  • Includes CylancePROTECT, CylanceOPTICS and CylanceGUARD
  • CylancePROTECT: 2.0.1540, CylanceOPTICS: 2.4.2100.1060


  • Machine learning driven detection and prevention of malware and PUPs
  • Memory Defense for fileless malware and exploit attack detection and prevention
  • Script Control for detection and prevention of malicious and unwanted scripts
  • Device Control for removable media protection
  • Application Control for locking down specified systems from any additional changes
  • CylanceGUARD for managed threat hunting and analysis
  • Mapping detection techniques to advanced attacks targeted against specific operating systems and MITRE ATT&CK
  • Comprehensive and highly extensible API for ease of automation and integration
  • Root Cause Analysis and contextual awareness leveraging “flight data recorder-like” visibility
  • Enterprise wide, distributed, instantaneous query capability using Cylance’s proprietary CEMENT protocol
  • Comprehensive forensic artifact tracking and contextual data integration such as:
    • PowerShell Tracing
    • WMI Attributes and Parameters
    • Enhanced PE Parsing
    • Win32 API and Kernel Audit messages
  • Fast Incident Response: Take incident response actions fast, quarantining, acquiring suspicious files, and/or isolating compromised endpoints from the network.
  • Automated Response: Customize automated response actions associated with rule sets to eliminate the dwell time between threat detection and incident response actions, examples include:
    • Logging off users
    • Deploy packages to collect additional data and/or forensic artifacts
    • Terminate processes and/or process trees

Vendor Configuration

All Windows, MITRE, CylanceGUARD and Machine Learning detection rules were enabled. Most customers will also need to implement exceptions within some rules depending on the configurations, applications and activity that is present on their systems being used in the environment. CylanceGUARD packages were configured for rapid threat hunting and advanced analysis.

All capabilities were configured as Alert or Monitor only as this was purely a test against the detection capabilities of the platform. No Automated responses or package playbooks were configured for this testing, aside from the GUARD and default packages.

Also, it should be noted that Cylance’s platform would have prevented the attacks that were conducted at many points within the kill chain. From quarantining binaries to preventing successful exploits and scripts from running, however the platform was configured to allow these attacks to occur.

During the re-test portion of the evaluation, Cylance created an additional 14 rules which are all available to the public as well as disabled truncation on PowerShell trace data to ensure full visibility of the PowerShell scripts was possible.