EQUIFAX DISCLOSES MASSIVE DATA BREACH

Today, September 8, 2017, Equifax, one of the largest credit reporting agencies in the United States, disclosed that it suffered a massive data breach after its network was compromised by unknown attackers. According to Equifax’s press release, the attackers gained access to the personal data of almost 143 million Americans. The Social Security numbers, birth dates and addresses of nearly half the US population that were lost in this breach could be misused by criminals for years to come. Credit card numbers of US and non-US customers were also stolen. After Equifax announced the cyberattack, its shares dropped 13%.

Official information posted on the Equifax website states: “Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017.” The breach was disclosed only yesterday, meaning it took six weeks to detect the cyberattack.

Network security solutions like GREYCORTEX that identify anomalous behavior within your network are especially important in this situation. They let your IT team identify malware by its anomalous movement within the network and spot it as it replicates. GREYCORTEX MENDEL identifies such anomalous behavior, offers deep network visibility, and differentiates between human and machine behavior, so you can find infected devices within your network and protect your company’s data and reputation.

BEING “SMART” DOESN’T MAKE YOU SAFE

As you may have noticed, we have posted a lot on LinkedIn recently about new cyber attacks. The common thread is that these attacks are usually caused by not following best practices, by relying only on “legacy” security tools, or by the use of weak passwords.

Even with today’s most advanced security tools, it can all fail at the weakest link of the security chain – people. According to CSO Online, 56% of IT decision-makers say that targeted phishing attacks are their top security threat. This fear isn’t unfounded. Everyone can be conned, even con men. In many cases, it’s easier to get inside the network by exploiting that fact. The most commonly used methods of exploiting people are phishing and blackmail.

Phishing in its simplest form can be easily detected by ordinary people. Because it isn’t targeted, the recipient can simply ask, “why did I get this email when it has nothing to do with me?” In more advanced forms, like whaling (going for a big target, e.g. top management or the CEO) or spear phishing (targeted attacks against a certain group or individual), the attacker does the research and learns as much as possible about the victim, which can be done with a search on the Internet or by dumpster diving (think about what you throw away – are there any documents in it?). Once equipped with that knowledge, the attempts are far more effective.

Let’s examine this in a security context. In this example, paraphrased from Christopher Hadnagy’s book “Social Engineering: The Art of Human Hacking,” an overconfident CEO is the target. The CEO thought he couldn’t be hacked, mainly for two reasons: he doesn’t use much technology in his personal life, and he thought he was too smart to fall for phishing. It turns out he wasn’t that smart after all. In this example, the CEO expected an audit and had prepared himself for it. After scouring various sources of information, the attackers decided to use three facts: the name of his favorite baseball team, his favorite restaurant, and that he had donated to cancer research. One Friday evening, a phone call took place. The attacker approached the CEO with a plea for a small contribution to cancer research, adding that there would also be a contest for contributors – winners would get two tickets to a game of the CEO’s favorite baseball team (the caller remarking that baseball isn’t everyone’s cup of tea) and a voucher for one of three restaurants, including the CEO’s favorite. The CEO was willing to contribute, motivated by his desire to cure cancer and the chance of winning the tickets and voucher, so he gave the attacker his email address so that they could send him a PDF file. That file contained malicious code, and when the CEO opened it, the attacker gained access to his computer and everything within its reach.

Now his computer is compromised, and with it everything within the organization that his authority (and passwords) let him touch. So what can be done? The attacker is working from the CEO’s own computer, so access rights to sensitive files are not an obstacle, and the security team sees nothing unusual in the CEO accessing files throughout the company. Is there a way to tell that the “CEO” accessing sensitive data is not the real CEO? This is where NTA technology helps. The step that follows gaining access to the CEO’s accounts is exfiltrating data. Network traffic analysis identifies that the computer in question is transmitting data where it shouldn’t, and/or in volumes that it shouldn’t. The computer can then be quarantined, the CEO alerted, and the attacker caught.
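The two signals named above (data going where a host never sends it, and in volumes it never sends) are the core of a behavioural egress detector. The following is an added illustration written for this page, not GREYCORTEX or MENDEL code: it learns a per-host baseline of external destinations and outbound volume from a learning window, then reports the reasons a later flow deviates. The internal address ranges, the z-score threshold and the flow records are constructed assumptions.

```python
"""Egress baseline detector: per internal host, learn which external destinations it
normally talks to and how much it normally sends, then flag flows that break either norm.
Added illustration for this page (not GREYCORTEX code); the internal ranges, thresholds
and flow records below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address space of the example network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str        # host that sends the data
    dst: str        # destination address
    bytes_out: int  # bytes sent from src to dst


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def is_egress(flow):
    return is_internal(flow.src) and not is_internal(flow.dst)


class EgressBaseline:
    """Per-host model of normal outbound behaviour, built from a learning window."""

    def __init__(self, z_threshold=3.0, min_samples=5):
        self.z_threshold = z_threshold
        self.min_samples = min_samples
        self.known_dests = defaultdict(set)  # host -> external destinations seen
        self.volumes = defaultdict(list)     # host -> bytes_out of each egress flow

    def learn(self, flows):
        for f in flows:
            if is_egress(f):
                self.known_dests[f.src].add(f.dst)
                self.volumes[f.src].append(f.bytes_out)

    def reasons(self, flow):
        """Return the reasons a flow deviates from the host's baseline (empty list = normal)."""
        out = []
        if not is_egress(flow):
            return out  # internal-to-internal traffic is out of scope for this detector
        if flow.dst not in self.known_dests[flow.src]:
            out.append("new external destination")
        samples = self.volumes[flow.src]
        if len(samples) >= self.min_samples:
            mu, sigma = mean(samples), pstdev(samples)
            sigma = sigma or max(0.1 * mu, 1.0)  # guard against a perfectly flat baseline
            z = (flow.bytes_out - mu) / sigma
            if z > self.z_threshold:
                out.append(f"outbound volume {flow.bytes_out} bytes is {z:.1f} standard "
                           "deviations above the host's mean")
        return out


# Constructed learning data: the workstation uploads modest amounts to one external host.
LEARNING_FLOWS = [Flow("10.0.5.20", "203.0.113.10", b)
                  for b in (60000, 65000, 70000, 55000, 62000, 68000, 64000, 59000)]


def demo():
    """Score three constructed flows against the learned baseline."""
    model = EgressBaseline()
    model.learn(LEARNING_FLOWS)
    return {
        "normal": model.reasons(Flow("10.0.5.20", "203.0.113.10", 63000)),
        "internal": model.reasons(Flow("10.0.5.20", "10.0.7.8", 50_000_000)),
        "exfil": model.reasons(Flow("10.0.5.20", "198.51.100.77", 2_000_000_000)),
    }


if __name__ == "__main__":
    for label, reasons in demo().items():
        print(label, "->", reasons or ["normal"])
```

The point of the design is that nothing here depends on who the user is: the compromised CEO account looks legitimate to access control, but the host's traffic pattern does not match what that host did during the learning window, which is exactly the gap the section describes.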

But while phishing may be the attack that’s on the mind of management, IT teams understand that “legacy” security tools, like sandboxes, IDS, endpoint security or even firewalls, are no longer sufficient. Let’s look at why.

Modern malware has many methods of detecting if it has infiltrated a “real” environment, or in cases of targeted attacks, if it has hit the right target. When such malware determines that it could be exposed, it lies dormant. This means that if you check everything that enters your company using a sandbox, malicious software can still enter the network if it is sufficiently advanced.

Known threats are usually detected by known patterns or hashes used by endpoint security or IDS, which makes these tools ineffective against new or advanced threats. Some endpoint security tools use AI to recognize malicious behavior and are better equipped to fight new threats, but not every device can run endpoint security. Personal or “bring your own device” (BYOD) equipment is a good example – like a laptop that an employee brings from home and connects to the network – as is an IoT sensor on which endpoint software cannot be installed. These devices are connected, but not protected by endpoint security.

Firewalls are essential to any network’s security infrastructure. They stop communication that passes through them, meaning that in general they protect the company from threats coming from the external network. But what if the attack starts after a user accidentally opens a communication channel that lets the attacker get behind the firewall and inside the network? What if the threat was brought into the company by means other than the Internet and then tries to spread across the internal network?

While the technology differs in each of these attacks, they all have one thing in common – attackers who exploit a gap in the security. The best gap fillers currently available are NTA solutions like MENDEL from GREYCORTEX. MENDEL monitors all network traffic and analyzes changes in host behavior, detects policy violations, data leaks, and much more. Not every unauthorized entry can be prevented before it happens. Relying on legacy security tools means it can take months (some statistics cite nearly 200 days) to detect attackers as they move through the network. NTA solutions like MENDEL cut this time to between minutes and a few hours, often before actual damage occurs in the network or before the attacker even knows they’ve gained access.

The question is not if you will get hacked. The question is when you will get hacked. And when that happens, are you ready for it and can you stop it, or will you still rely solely on best practices, as the CEO did, or on “legacy” security tools?

MENDEL 3.3 RELEASED

April 16, 2019
GREYCORTEX has released the latest version of our MENDEL network traffic analysis solution. Version 3.3 has several important new features which improve detection and response for the network security team.
The biggest is that MENDEL’s detection and visibility capabilities are now available for SCADA/ICS environments. This new capability goes beyond the support for several protocols found in earlier versions of MENDEL and extends it into a whole new module, including the ability to visualize not just devices but time series in the IEC 61850 GOOSE, SNMP, and IEC104 protocols.
Not content with just SCADA features, we have added new reporting for managers and security analysts, detection and logging of TLS 1.3, and fingerprinting of encrypted traffic using JA3, as well as increased capabilities for multi-sensor configurations.
New features

  • New managerial and security analyst reports summarize network data and security threats
  • New module for processing and visualization of SCADA protocols, including new dashboards for visualizing time series in IEC 61850 GOOSE, SNMP, and IEC 104 protocols
  • Added support for parsing CC-link protocol
  • Added support for parsing Enip/CIP protocol
  • Added support for parsing Kerberos protocol
  • Added support for parsing TFTP protocol
  • Added support for parsing IKEv2 protocol
  • Added support for parsing FTP protocol including parsing FTP data streams
  • Added detection engine for SSL/TLS client fingerprints JA3
  • Added multi-disc installation of MENDEL
  • Added GUI localization into Polish and Korean
  • Introduced new light color scheme
  • Integration with firewalls from Check Point
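The JA3 fingerprinting listed above works without decrypting anything: it reads the fields of the TLS ClientHello that a client sends in the clear and hashes them. The block below is an added illustration written for this page, not MENDEL's detection engine or the original JA3 tooling. It builds a constructed ClientHello record (assumed sample, not a capture), then derives the JA3 string in the standard form (TLS version, cipher suites, extension types, supported groups, EC point formats, with GREASE values dropped) and its MD5 hash.

```python
"""Derive a JA3 fingerprint from a TLS ClientHello. Added illustration for this page,
not MENDEL's engine; the ClientHello below is constructed, not captured."""
import hashlib
import struct


def is_grease(v):
    # GREASE values (RFC 8701) look like 0x0a0a, 0x1a1a, ... : both bytes equal, low nibbles 0xa.
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def build_client_hello(ciphers, extensions):
    """Wrap a minimal ClientHello (legacy_version 0x0303, empty session id, null
    compression) in a TLS record. extensions is a list of (type, raw_data)."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (struct.pack("!H", 0x0303) + b"\x00" * 32 + b"\x00"
             + struct.pack("!H", 2 * len(ciphers))
             + b"".join(struct.pack("!H", c) for c in ciphers)
             + b"\x01\x00" + struct.pack("!H", len(ext_body)) + ext_body)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3_string(record):
    """Parse a TLS record carrying a ClientHello and return the JA3 string."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs = record[5:]
    p = 4  # skip handshake type (1) and length (3)
    version = struct.unpack_from("!H", hs, p)[0]
    p += 2 + 32  # version, then the 32-byte random
    p += 1 + hs[p]  # session id length byte plus session id
    cs_len = struct.unpack_from("!H", hs, p)[0]
    p += 2
    ciphers = [c for c in struct.unpack_from("!%dH" % (cs_len // 2), hs, p) if not is_grease(c)]
    p += cs_len
    p += 1 + hs[p]  # compression methods length byte plus methods
    ext_total = struct.unpack_from("!H", hs, p)[0]
    p += 2
    end = p + ext_total
    ext_types, groups, formats = [], [], []
    while p < end:
        etype, elen = struct.unpack_from("!HH", hs, p)
        p += 4
        data = hs[p:p + elen]
        p += elen
        if is_grease(etype):
            continue  # JA3 ignores GREASE extensions
        ext_types.append(etype)
        if etype == 10:  # supported_groups: 2-byte list length, then 2-byte group ids
            n = struct.unpack_from("!H", data, 0)[0] // 2
            groups = [g for g in struct.unpack_from("!%dH" % n, data, 2) if not is_grease(g)]
        elif etype == 11:  # ec_point_formats: 1-byte list length, then 1-byte formats
            formats = list(data[1:1 + data[0]])

    def dashed(values):
        return "-".join(str(v) for v in values)

    return ",".join([str(version), dashed(ciphers), dashed(ext_types), dashed(groups), dashed(formats)])


def ja3_hash(record):
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


# Constructed ClientHello: GREASE cipher and extension plus a GREASE group are present
# to show that they are excluded from the fingerprint.
SAMPLE = build_client_hello(
    ciphers=[0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F],
    extensions=[
        (0x0A0A, b""),                                      # GREASE extension
        (0, b"\x00\x0e\x00\x00\x0bexample.com"),            # server_name
        (10, b"\x00\x08\x1a\x1a\x00\x1d\x00\x17\x00\x18"),  # supported_groups (GREASE, x25519, P-256, P-384)
        (11, b"\x01\x00"),                                  # ec_point_formats (uncompressed)
        (13, b"\x00\x04\x04\x03\x08\x04"),                  # signature_algorithms
    ],
)

if __name__ == "__main__":
    print(ja3_string(SAMPLE))
    print(ja3_hash(SAMPLE))
```

A JA3 hash identifies the client software stack that produced the handshake rather than the server it talks to, which is why the same fingerprint recurring from hosts that otherwise have nothing in common is worth a look.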

Please note that the new reporting system will replace the old reports in the near future. If you use the old reports, don’t forget to configure the new ones.
Enhancements

  • Improved installer with enhanced user interface and new features
  • Improved dark color scheme
  • Redesigned severity color scheme
  • Reorganized main menu for better accessibility
  • Redesigned user dashboards for better user experience
  • Improved network capture module for better performance and less resource consumption
  • Improved network models for faster detection and reduced storage demands
  • Improved task planner and optimized parallel processing in the service, for better resource consumption and management and faster processing of multiple sensors on one collector
  • Improved detection and repair of unusual, incomplete, or swapped flows
  • Improved parsing of incomplete or unidirectional flows
  • Improved network capture default configuration for better capture on all configurations
  • Improved processing of Active Directory events for better calculation of logged users
  • Improved Mikrotik plugin
  • Added button to restore user dashboards to default
  • Improved creation of complex firewall rules in plugin
  • Improved HTTP proxy pairing for incomplete or invalid communication

Bug Fixes
In general, our development team focused on improving the user experience and reporting.
Contact your local GREYCORTEX partner to find out how you can put MENDEL v3.3 to work for you.

GREYCORTEX RELEASES MENDEL 3.0

March brings the most recent version of GREYCORTEX MENDEL; Version 3.0. As part of this release, MENDEL 3.0 brings several new features SOC administrators will love, as well as continued expansion for SCADA networks and upgraded hardware support.

Specifically, MENDEL now supports the latest DELL Rx40 hardware. Those in SCADA network environments will enjoy updates to the MENDEL IDS system. Version 3.0 also includes visibility for the NFS (Network File System) and IEC 60870-5-101/104 protocols. SOC users will note that dashboards have been adjusted to better accommodate multiple sensors, and that the overall capacity for sensors connected to one collector has been increased to 30. Finally, MENDEL’s capabilities have been expanded to include the ability to add your own blacklist file, as well as to export events to IBM QRadar SIEM via the LEEF format.
New Features

  • GREYCORTEX has added support for the latest Dell servers (Rx40) so users will now be able to use the latest hardware.
  • SCADA support continues, with updates to the MENDEL IDS engine to include visibility for the IEC 60870-5-101/104 protocols – bringing new security for professionals in the energy infrastructure sector.
  • SOC administrators will appreciate several new features in version 3.0, including new dashboard settings suitable for multiple sensors for better SOC visualization, the ability to add up to 30 sensors on one collector, and finally, the LEEF export format for events sent to IBM QRadar SIEM and the ability to upload users’ own blacklists as a .csv file.

Improvements
Several MENDEL features were improved. These included easier license extension, host identification, decryption performance, status monitoring, and data export.
Bug Fixes

In general, our development team focused on improving the user experience and reporting.

Please note that updating to version 3.0 requires appliance restart and may take up to one hour.

Contact your local GREYCORTEX partner to find out how you can put MENDEL v3.0 to work for you.

NEW VERSION 2.3 RELEASED

GREYCORTEX has launched version 2.3 of MENDEL Analyst. It adds standardized support for NetFlow and IPFIX, new ways of presenting data, several performance improvements and more.
New features

  • New tool in GUI “Network Analysis” – user defined aggregated statistics for better analysis of network traffic and security incidents
  • Standardized NetFlow with IPFIX fully supported
  • New user account administration page
  • Changelog page with history and enhanced updating using RPM packaging system

Improvements

  • Major performance improvements of signature-based detection engine
  • Improved DNS cache with TTL support for better hostname resolution
  • Improved algorithm for matching hosts with Active Directory users
  • GUI URLs entered before login are preserved after login
  • Improved export of charts
  • Enhanced system log management with filtering by time and a system component

REVIEW OF GREYCORTEX MENDEL

A USEFUL SECURITY PRODUCT THAT OFFERS A WIDE VARIETY OF INTERESTING POSSIBILITIES

GREYCORTEX MENDEL is a solution for detection, monitoring and analysis of advanced security incidents in network traffic. This solution is based on a combination of various types of detection technologies:

  • Intrusion Detection System (IDS), including Deep Packet Inspection (DPI)
  • Network Behavior Analysis (NBA); the analysis is based on the principles of artificial intelligence
  • Network Performance Monitoring (NPM) and Application Performance Monitoring (APM)
  • A tool for event correlation and risk assessment

During the initial design, the focus was on the custom Advanced Security Network Metric (ASNM), large-scale data mining based on artificial intelligence, and unique specialized algorithms providing detection of the full range of threats and anomalies. Immediate results can be obtained via an intuitive user interface and user-defined reports. GREYCORTEX also brings many other interesting options; for forensic purposes, for example, it provides a complete and detailed overview and history of network traffic and of the behavior of users, network hosts, applications and services.

DATA SOURCES

The main input is network data from a mirror port on a backbone switch or from a network tap. The NBA detectors also accept summarized data in the format of the custom ASNM metrics or as NetFlow v5/9 and IPFIX for IPv4 and IPv6. In addition to network traffic, the product can identify identity context using the company’s LDAP or Active Directory services; these can also be used for user management and authentication.
A detection signature dataset containing over 30,000 rules is obtained from external sources, as are IP address blacklists and their reputation (trustworthiness). These lists are updated hourly or daily. This gives the tool information about generally known malware, Command and Control (C&C) servers, sources of attacks, and known botnets. Moreover, it uses a list of known sources of spam, information about the Tor[1] network and proxy servers, and information about the ownership and geographic location of the communicating hosts and domains.

ASNM PROTOCOL

The ASNM protocol tracks over 70 attributes of each individual flow in the network. For each flow, it records the source and destination, duration, the size of the data portion and packet counters. MENDEL also derives information about the frequency spectrum and performance, such as Application Response Time (ART), Round Trip Time (RTT), jitter, and others.
The functions that detect anomalous and potentially undesirable behavior work similarly with the NetFlow protocol; however, thanks to ASNM, they are more detailed and therefore more effective. Another difference is the ability to identify consistent bidirectional flows in the network. For application detection, a custom application protocol recognition mechanism similar to the NBAR (Network-Based Application Recognition) standard used in Cisco devices is employed; it can recognize hundreds of protocols. DPI enables the extraction of metadata for almost 30 application protocols, even in tunneled traffic.
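To make the bidirectional-flow point concrete, the following added example (written for this page; it is not ASNM or MENDEL code) aggregates individual packets into flows keyed independently of direction, treats the side that sent the first packet as the initiator, and derives a few flow attributes of the kind the text lists: per-direction packet and byte counters, duration, and the time from the first request packet to the first reply, which is the raw material for response-time metrics. The attribute names and the sample packets are constructed assumptions.

```python
"""Packet-to-flow aggregation with bidirectional pairing. Added illustration for this
page (not ASNM/MENDEL code); attribute names and sample packets are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    size: int


@dataclass
class Flow:
    proto: str
    initiator: tuple  # (ip, port) that sent the first packet seen
    responder: tuple
    first_ts: float
    last_ts: float
    fwd_pkts: int = 0
    rev_pkts: int = 0
    fwd_bytes: int = 0
    rev_bytes: int = 0
    first_reply_ts: Optional[float] = None

    @property
    def duration(self):
        return self.last_ts - self.first_ts

    @property
    def bidirectional(self):
        return self.rev_pkts > 0

    @property
    def response_time(self):
        """Initiator's first packet to responder's first packet; None when nothing came back."""
        return None if self.first_reply_ts is None else self.first_reply_ts - self.first_ts


def flow_key(p):
    # Direction-independent key: protocol plus both endpoints in sorted order, so packets
    # travelling A->B and B->A land in the same flow.
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def aggregate(packets):
    """Fold packets (any order) into a list of bidirectional Flow records."""
    flows = {}
    for p in sorted(packets, key=lambda x: x.ts):
        key = flow_key(p)
        f = flows.get(key)
        if f is None:
            f = Flow(p.proto, (p.src, p.sport), (p.dst, p.dport), p.ts, p.ts)
            flows[key] = f
        f.last_ts = max(f.last_ts, p.ts)
        if (p.src, p.sport) == f.initiator:
            f.fwd_pkts += 1
            f.fwd_bytes += p.size
        else:
            f.rev_pkts += 1
            f.rev_bytes += p.size
            if f.first_reply_ts is None:
                f.first_reply_ts = p.ts
    return list(flows.values())


def find_flow(flows, ip, port):
    return next(f for f in flows if f.initiator == (ip, port))


# Constructed capture: one short HTTP exchange and one DNS query that never got an answer.
SAMPLE_PACKETS = [
    Packet(0.000, "10.0.0.5", 51000, "203.0.113.10", 80, "tcp", 74),
    Packet(0.020, "203.0.113.10", 80, "10.0.0.5", 51000, "tcp", 74),
    Packet(0.021, "10.0.0.5", 51000, "203.0.113.10", 80, "tcp", 500),
    Packet(0.080, "203.0.113.10", 80, "10.0.0.5", 51000, "tcp", 1400),
    Packet(0.081, "203.0.113.10", 80, "10.0.0.5", 51000, "tcp", 1400),
    Packet(0.090, "10.0.0.5", 51000, "203.0.113.10", 80, "tcp", 66),
    Packet(0.050, "10.0.0.5", 40000, "10.0.0.1", 53, "udp", 80),
]

if __name__ == "__main__":
    for f in aggregate(SAMPLE_PACKETS):
        print(f.proto, f.initiator, "->", f.responder, "fwd", f.fwd_pkts, f.fwd_bytes,
              "rev", f.rev_pkts, f.rev_bytes, "bidir", f.bidirectional, "rt", f.response_time)
```

Unidirectional flows (a request with no reply, as the DNS packet above) are kept rather than discarded; they carry their own signal, since scans and dead C&C beacons often look exactly like that.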

DETECTION MECHANISMS

Incident detection is based on two methods: signature-based detection (IDS) and anomaly detection (NBA) based on machine learning and artificial intelligence. The learning mechanism consists in detailed modelling of the whole network on various levels, from models of the entire network down to models of the individual services of individual hosts and devices.
The application continuously learns to distinguish the characteristics of anomalous flows from normal ones using probabilistic and statistical models, without needing to decode or decrypt the data. After installation into a network, it is necessary to let the application train itself in the new environment for at least a couple of hours. It gains complete knowledge after approximately one week.
The following algorithms of machine learning are based on the ASNM protocol:

  • Selection of relevant individual metrics
  • Bayesian analysis based on learned probability of events
  • GMM/EM (Gaussian Mixture Models/Expectation-Maximisation) probability models

Probability based (Bayesian) modelling provides almost 1,000 parameters divided for each flow of a host in a network or subnetwork and its services provided locally or remotely. A separate model is created for each service of the host, network device, services aggregated on the network, subnetwork mask, state and ASN (Autonomous System Number).

OUTPUTS

GREYCORTEX MENDEL enables the user to export the created events in various formats and send them via e-mail or to remote SIEM (Security Information and Event Management) servers for archiving or further processing. This makes it possible to generate alerts based on defined conditions and notifications about detected anomalies. In this way, it is possible to create user-configured reports containing text or graphic visualization of the detected events, network performance, applications and other data in the system. The messages can include a variety of adjustable elements, including tables and graphs, and can be exported to standard document formats such as DOCX or PDF.
The e-mail system supports connection to standard e-mail servers via SMTP and encrypted communication based on PGP (Pretty Good Privacy). The data exports can also be performed at preset intervals or upon detection of a particularly important event. The tool also supports export to SIEM systems using Syslog, CEF (Common Event Format) or IDEA (Intrusion Detection Extensible Alert). These messages can be pre-configured and filtered according to the requirements of the system integration.
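For the Syslog/CEF export path mentioned above, the following added example (written for this page, not MENDEL's exporter) shows what a correctly formed CEF record looks like, including the escaping that the header (`|` and `\`) and the extension values (`=`, `\`, newlines) require, wraps it in an RFC 5424 syslog line, and parses it back the way a receiving SIEM would. The vendor and product strings, the hostname and the event are constructed.

```python
"""CEF formatting, syslog framing and CEF parsing. Added illustration for this page,
not MENDEL's exporter; vendor/product strings, hostname and the event are constructed."""
import re


def _escape_header(value):
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(event, vendor="ExampleVendor", product="ExampleNTA", version="1.0"):
    """event: dict with signature_id, name, severity (0-10) and a fields dict of CEF keys."""
    header = "|".join(_escape_header(v) for v in
                      ["CEF:0", vendor, product, version,
                       event["signature_id"], event["name"], event["severity"]])
    extension = " ".join(f"{k}={_escape_extension(v)}" for k, v in event["fields"].items())
    return f"{header}|{extension}"


def to_syslog(cef, timestamp, hostname="nta-sensor-01", facility=16, severity=4):
    """RFC 5424 framing: PRI is facility*8+severity (16 = local0, 4 = warning)."""
    return f"<{facility * 8 + severity}>1 {timestamp} {hostname} nta - - - {cef}"


def _split_unescaped(s, sep, maxsplit):
    """Split on sep, honouring backslash escapes; escape pairs are kept intact."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur += s[i:i + 2]
            i += 2
        elif s[i] == sep and len(parts) < maxsplit:
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += s[i]
            i += 1
    parts.append(cur)
    return parts


def _unescape(s):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)


def parse_cef(line):
    """Parse a CEF line into a dict; extension values may contain spaces."""
    parts = _split_unescaped(line, "|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    keys = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
    out = {k: _unescape(v) for k, v in zip(keys, parts[:7])}
    out["version"] = out["version"][len("CEF:"):]
    # Each value runs lazily up to the next " key=" or end of line; escaped "=" does not end it.
    out["fields"] = {m.group(1): _unescape(m.group(2))
                     for m in re.finditer(r"(\w+)=((?:\\.|[^\\])*?)(?= \w+=|$)", parts[7])}
    return out


# Constructed event with a pipe in the name and an "=" in a message to exercise escaping.
EVENT = {
    "signature_id": "EXAMPLE-EXFIL-001",
    "name": "Possible data exfiltration | large upload",
    "severity": 8,
    "fields": {"src": "10.0.5.20", "dst": "198.51.100.77", "dpt": 443,
               "out": 2000000000, "msg": "ratio=3.2 over baseline"},
}

if __name__ == "__main__":
    line = to_cef(EVENT)
    print(to_syslog(line, "2017-09-08T10:00:00Z"))
    print(parse_cef(line))
```

The round trip matters in practice: an event name containing a pipe that is not escaped shifts every later header field by one on the SIEM side, and severity then lands in the extension.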
It is possible to detect:

  • RAT Trojan horses (Remote Access Trojan) including C&C system activities
  • Zero-day vulnerabilities and exploitation of services
  • Malware on mobile and embedded devices
  • Long-term APT attacks (Advanced Persistent Threats)
  • Data leaks with DNS, SSH, HTTP(S), etc.
  • Tunneled traffic
  • Protocol anomalies indicating a long-term port scanning and other attacker activities
  • Masquerade attacks (the attacker pretends to be someone else), dictionary attacks and brute force attacks
  • Spam detection
  • Preparation for data theft and exfiltration (e.g. by employees)
  • Automated data harvesting
  • Data theft (e.g. from web applications)
  • Phishing attacks
  • Violation of internal security rules and policies
  • Faulty network settings
  • Network and application performance issues
  • DoS and DDoS attacks
  • New or unknown devices, e.g., of the BYOD type (Bring Your Own Device)

Data fusion and correlation techniques enable the detection of a wide spectrum of threats and activities. These techniques analyze the most interesting information about a particular network obtained through various detection mechanisms. It is possible to find event correlations, eliminate false positives and perform risk estimates. The system is also compatible with systems for risk categorization such as CVSS (Common Vulnerability Scoring System) or NIST Critical Infrastructure Cybersecurity Framework, etc.

INSTALLATION PROCESS

The application is supplied as a hardware appliance or as an installation ISO file for a virtual hypervisor. Depending on the mode of deployment, the appliance is supplied with 2, 4 or 8 network interfaces, enabling the monitoring of the required number of source lines. The solution can be installed in a probe/collector configuration that enables monitoring of geographically remote networks, or as a cloud deployment.
We tested the version 2.2.0 of the product at Karel Engliš College (VŠKE). For testing purposes, we selected the virtual deployment on the base of a fully functional 30-day demo. To ensure that the application runs correctly, it is necessary that the server includes a processor with at least 8 virtual cores, 32 GB of RAM, disk capacity of 500 GB and two network interfaces; VM-ESXi virtualization system was used. The installation went smoothly, without any issues.
Tabs for the individual configuration areas are placed well; they enable a quick transition to the settings of monitored networks and policies (Policies tab), detection mechanisms (Detection tab), notifications and exports (Exports tab), and authentication mechanisms, users and their rights (Users tab). In the Network tab, there is a practical priority setting.

USE OF THE TOOL

At first glance, working with GREYCORTEX is very pleasant, mainly thanks to the elaborate filtering options and user-configurable overview dashboards. The possibility of quickly displaying the communication of each device and all its services was interesting to me. In particular, it is the security visibility and network transparency that the application brings. The overview of incidents detected at the level of detection patterns is ideally complemented by incidents identified by NBA methods.
In the Detection tab, it is possible to display the defined blacklists and false alarms, set the NBA detection mechanisms and policies for IDS rules, create the necessary correlation rules, and also capture and save network traffic matching a defined filter into PCAP format files.
The Export tab allows you to define exports; we at VŠKE use a SIEM, so the possibility of exporting data into it was interesting for us. However, we encountered an issue particularly relevant for schools: instead of one application we now need two, the SIEM and GREYCORTEX.

CONCLUDING REMARKS

What particularly excites me about this product is the possibility to analyze incidents (we have quite a few of them in the student subnetwork) both from the point of view of their progress in time and in the smallest details. I also appreciate the elaborate elimination of false alarms. The documentation fulfills the basic criteria, but I believe it would be convenient to add some examples of typical settings. The product is still being developed and I am curious about what next the producer will come up with.
Doc. Ing. Jaroslav Dočkal, CSc.
Graduate of VDU Martin and VAAZ, currently the vice-dean of science and creative development at Karel Engliš College. He gives lectures at Masaryk University and the University of Defence. He is also a lecturer at Cisco Academy, a tutor for HP and a member of the DSM magazine editorial board.

GREYCORTEX RELEASES MENDEL 2.9

GREYCORTEX is happy to announce the latest version of GREYCORTEX MENDEL, version 2.9.0. This version includes several important new features: the first is the Flow Exporter, which lets you export flows from MENDEL to your SIEM solution. The second is the ability to execute script commands on other devices, e.g. firewall systems, in order to block communications. L7 visibility for the SCADA protocols Modbus and DNP3 has also been added, as has the ability to audit commands executed over SSH connections.
New Features

  • Added a Flow Export feature, which allows you to export flows from MENDEL to your favorite SIEM tool. This allows you to have the same data detail of a much more expensive SIEM-specific flow export tool, at a fraction of the cost.
  • Added ability to execute and send scripts, e.g. to a firewall – which means you can identify and stop incoming malware at the firewall, without ever leaving MENDEL.
  • Added integrated Modbus and DNP3 SCADA protocol visibility. Think of it as MENDEL for the industrial control systems. GREYCORTEX takes its next steps into protecting not just “traditional” networks, but also SCADA systems as well with these protocols.
  • Added SSH auditing (turn on the SSH audit signature in status monitor signatures)
  • Added the possibility to filter by a group of entities (subnet, host, MAC, user), extending the filtering options with the comma “,” separator, e.g. src:172.16.9.20,172.16.9.21 & dst:1.2.3.4, which shows communication between source IPs 172.16.9.20 or 172.16.9.21 and destination IP 8.8.8.8. In a nutshell: much more efficient filtering is now yours. Identify communication not just from one source to one destination, but from several hosts to a single destination, so complicated attacks become clear.
  • MENDEL is powerful and detailed, but now it works just as well for the T1 Security Analyst. New installations and newly created users will see new default dashboards with Overview, Performance, and Security tabs included, for ease of use by everyone.
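The comma-and-ampersand filter syntax from the list above is small enough to interpret in a few lines. The following is an added illustration written for this page, not MENDEL's own filter engine: it parses expressions such as src:172.16.9.20,172.16.9.21 & dst:1.2.3.4 (comma-separated values within one key are ORed, clauses joined by & are ANDed) and applies them to flow records. The supported keys, the acceptance of CIDR notation for src and dst, and the sample flows are assumptions of this example.

```python
"""Minimal interpreter for a 'key:v1,v2 & key:v3' flow filter syntax. Added illustration
for this page, not MENDEL's filter engine; keys, CIDR support and flows are assumed."""
from ipaddress import ip_address, ip_network

# Assumed subset of entity types; the release note names subnet, host, mac and user.
SUPPORTED_KEYS = {"src", "dst", "user", "mac"}


def parse_filter(expr):
    """'src:a,b & dst:c' -> {'src': ['a', 'b'], 'dst': ['c']}.
    Clauses joined by '&' are ANDed; comma-separated values of one clause are ORed."""
    clauses = {}
    for clause in expr.split("&"):
        clause = clause.strip()
        if not clause:
            continue
        key, sep, values = clause.partition(":")
        key = key.strip().lower()
        if not sep or key not in SUPPORTED_KEYS:
            raise ValueError(f"unsupported clause: {clause!r}")
        clauses.setdefault(key, []).extend(v.strip() for v in values.split(",") if v.strip())
    return clauses


def _value_matches(key, value, pattern):
    if not value:
        return False
    if key in ("src", "dst"):
        # Address fields accept a single address or a CIDR range.
        if "/" in pattern:
            return ip_address(value) in ip_network(pattern, strict=False)
        return ip_address(value) == ip_address(pattern)
    return value.lower() == pattern.lower()


def matches(clauses, flow):
    """A flow matches when every clause has at least one matching value."""
    return all(any(_value_matches(k, flow.get(k, ""), p) for p in patterns)
               for k, patterns in clauses.items())


def apply_filter(expr, flows):
    clauses = parse_filter(expr)
    return [f for f in flows if matches(clauses, f)]


# Constructed flow records.
SAMPLE_FLOWS = [
    {"src": "172.16.9.20", "dst": "1.2.3.4", "user": "alice"},
    {"src": "172.16.9.21", "dst": "1.2.3.4", "user": "bob"},
    {"src": "172.16.9.22", "dst": "1.2.3.4", "user": "alice"},
    {"src": "172.16.9.20", "dst": "8.8.8.8", "user": "alice"},
]

if __name__ == "__main__":
    for expr in ("src:172.16.9.20,172.16.9.21 & dst:1.2.3.4", "src:172.16.9.0/24 & user:alice"):
        print(expr, "->", apply_filter(expr, SAMPLE_FLOWS))
```

Rejecting unknown keys instead of silently ignoring them is deliberate: a mistyped key in an investigation filter would otherwise widen the result set without any indication.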

Improvements
Several different features of MENDEL were improved. These included improvements to the installation and update process, optimization of flows, and detection features – including the ability to choose your favorite IDS ruleset, or better L7 application service recognition.
Bug Fixes
In general, our development team focused on repairing inconsistencies in user experience and connectivity.

GREYCORTEX MENDEL DETECTS BADRABBIT

GREYCORTEX is happy to report that MENDEL is able to detect the BadRabbit ransomware. This ransomware appeared in Eastern Europe (Russia, Ukraine) but has begun to spread across several countries, including South Korea, Poland, the Baltic states and other regions. It uses the NSA-derived exploit known as “EternalRomance” to enter networks and spreads over SMB.
MENDEL is able to detect this ransomware in two different ways:

  • MENDEL’s integrated ruleset includes a rule specifically detecting the BadRabbit ransomware.
  • Independent from this IDS rule, MENDEL’s advanced artificial intelligence and machine learning detects the ransomware’s anomalous port sweep activity.

This detection capability demonstrates that MENDEL can identify unknown threats before rules are created in rules-based security tools. MENDEL provides network security teams vital extra time to protect their networks.
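The second detection path above, the anomalous port sweep, needs no knowledge of BadRabbit at all: a single host that suddenly opens connections to many distinct hosts on the same port is the signal. The block below is an added illustration written for this page, not MENDEL's detector. It runs a sliding-window fan-out counter over constructed connection records and raises one alert per source when the number of distinct destinations on the watched port crosses a threshold; the port, window, threshold and records are assumptions.

```python
"""Sliding-window fan-out (port sweep) detector. Added illustration for this page, not
MENDEL's detector; port, window, threshold and the records are constructed assumptions."""
from collections import defaultdict, deque


def detect_port_sweeps(records, port=445, window=30.0, threshold=10):
    """records: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port), any order.
    Returns [(src_ip, timestamp, distinct_destinations)] at the moment each source
    first reaches `threshold` distinct destinations on `port` inside `window` seconds."""
    recent = defaultdict(deque)                       # src -> deque of (ts, dst) in window
    counts = defaultdict(lambda: defaultdict(int))    # src -> dst -> hits in window
    alerted, alerts = set(), []
    for ts, src, dst, dport in sorted(records):
        if dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        counts[src][dst] += 1
        # Expire entries that fell out of the window.
        while q and ts - q[0][0] > window:
            old_ts, old_dst = q.popleft()
            counts[src][old_dst] -= 1
            if counts[src][old_dst] == 0:
                del counts[src][old_dst]
        distinct = len(counts[src])
        if distinct >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts, distinct))
    return alerts


# Constructed connection log: one infected workstation walks 10.0.3.0/24 on TCP 445,
# while five ordinary clients each talk to the file server 10.0.0.2 (fan-in, not fan-out).
SAMPLE_RECORDS = (
    [(1000.0 + 0.3 * i, "10.0.3.15", f"10.0.3.{i + 1}", 445) for i in range(25)]
    + [(1001.0 + i, f"10.0.1.{i + 1}", "10.0.0.2", 445) for i in range(5)]
    + [(1002.0, "10.0.1.1", "10.0.0.3", 445), (1003.0, "10.0.1.1", "10.0.0.4", 80)]
)

if __name__ == "__main__":
    for src, ts, n in detect_port_sweeps(SAMPLE_RECORDS):
        print(f"{ts:.1f} port sweep from {src}: {n} distinct hosts on 445 within the window")
```

Counting distinct destinations per source rather than total connections is what keeps the busy file server's clients quiet: many sources to one destination is normal fan-in, one source to many destinations is the worm pattern.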

MENDEL 2.8 RELEASED

We are happy to announce the latest version of GREYCORTEX MENDEL. Version 2.8 includes three new important features: the first is the Event Collector. Released as part of v2.7 (a limited release), the Event Collector offers the opportunity to centrally monitor events from several remote GREYCORTEX MENDEL collectors. The second major new feature is the Correlation Engine. This tool correlates individual, less-serious events – which together may be indicative of attacks within the network, to more effectively alert security analysts. Finally, MENDEL 2.8 includes proxy pairing functionality which identifies source or destination addresses hidden by proxy servers, which will allow security analysts to better identify potential issues on the network and provide even greater visibility.
New Features

  • Added a beta version of the Correlation Engine, including seven tuned rules which further increase security (The feature may be turned on by going to Settings->System Components)
  • Added a proxy pairing feature to display source or destination addresses hidden by a proxy server

Improvements

  • Optimized the display of charts and tables in the Network module
  • Added information about the type of key exchange algorithms in HTTPS and TLS flows
  • Improved the calculation of flow metrics to show values valid for specific parts

Bug Fixes

  • Fixed issues with disabling deep packet inspection and enabling rules in IDS
  • Fixed an issue with updates to older installations
  • Fixed issues with MS-SQL protocol parsing at higher speeds
  • Fixed an issue with displaying current values on the Network Services tab
  • Fixed an issue with displaying multiple VLAN IDs in a single flow
  • Fixed issues with parsing SMB flows
  • Fixed issues with editing export definitions
  • Fixed an issue with pagination results in the Peers graph
  • Fixed issues with restarting services
  • Fixed an issue with filtering by protocol type
  • Fixed an issue with deleting user-defined filters
  • Fixed an issue with saving user-created or user-defined filters
  • Fixed an issue with displaying VLAN statistics in the Analysis module
  • Fixed an issue with exporting records in CEF and Syslog formats
  • Fixed an issue with long hostnames
  • Fixed issues with calculating the minimum and maximum duration of flows
  • Fixed link formatting in Exports
  • Fixed an issue with displaying ASN names in flows
  • Fixed an issue with displaying host information in the Analysis module
  • Fixed the calculation of RTT and ART metrics in long term flows with unfinished communication
  • Fixed an issue with the validation of row counts in Column Manager

MENDEL: SECURITY AND VISIBILITY IN NETWORK MANAGEMENT

Network management is a stressful proposition, comprising not only the administration of the network, but also maintaining its performance, provisioning devices, etc. With the number of devices in a network growing – due in part to IoT within the office and to BYOD devices which come and go frequently – and the risks of advanced persistent malware, the stress is only increasing.

Luckily, GREYCORTEX MENDEL helps reduce the stress of network administration. According to recent studies, 76% of IT Professionals cite lack of visibility as a challenge in addressing issues in their networks. MENDEL offers full network visibility, up to, and including the application layer, without profiling a specific subnet or host. This means that whenever a new device enters the network, or a subnet or host is moved, identifying vulnerabilities or reconnecting appropriate devices is easy to accomplish.

MENDEL also helps network administrators improve their security, especially against advanced threats hiding within a network. It is common to use firewalls and antivirus, but also SIEMs, IPS, sandboxes, etc., to protect a network. These solutions overlap to provide layered security, but each can be defeated.

Currently it takes 46 days to detect a network breach. MENDEL steps into these gaps by identifying anomalous network traffic activity, differentiating between human and machine activity, and integrating robust IDS rulesets to identify threats before they can do damage – often within hours. In some cases, like the recent WannaCry ransomware attack, MENDEL was able to identify the attack in a matter of minutes, well before it could start encrypting files.

MENDEL is based on machine learning and big data analysis. It installs in 30 minutes and can be configured in under two hours. It monitors networks using network traffic analysis without slowing traffic. Because deployment is painless, and network speed is preserved, a risk free 30 day trial is truly “risk free.” To find out more about MENDEL, or to see what may be hiding in your network from a 30 day trial, contact your local distributor or GREYCORTEX directly.