When Pandas Attack: How to detect, attribute, and respond to malware-free intrusions. What can you do to protect your networks when today’s advanced attackers are evading IOC-based detection? Learn how to find an attacker when there is no malware, no command and control, and no file-based artifacts.
WHEN PANDAS ATTACK
Dmitri Alperovitch - Chris Scott - Adam Meyers
HOW TO DETECT, ATTRIBUTE, AND RESPOND TO MALWARE-FREE INTRUSIONS
TODAY’S SPEAKERS
2014 CrowdStrike, Inc. All rights reserved. 2
@DMITRICYBER
@CROWDSTRIKE | #CROWDCASTS
DMITRI ALPEROVITCH | CO-FOUNDER & CTO Dmitri Alperovitch is the Co-Founder and CTO of CrowdStrike. A renowned computer security researcher, he is a thought leader on cybersecurity policy and state tradecraft. Prior to founding CrowdStrike, Dmitri was Vice President of Threat Research at McAfee, where he led the company’s global internet threat intelligence analysis and investigations. In 2010 and 2011, Alperovitch led the global team that investigated and brought to light the groundbreaking Operation Aurora, Night Dragon and Shady RAT cyberespionage intrusions, and gave those incidents their names.
@NETOPSGURU
CHRIS SCOTT | DIRECTOR, SERVICES Christopher Scott has over 15 years of Fortune 500/DoD/DIB business proficiency, including more than 7 years of targeted threat detection and prevention expertise. As a Director at CrowdStrike Services, Christopher supports a variety of engagements, including security reviews, incident response, data loss prevention, insider threat analysis, engineering of threat detection systems, and business continuity and disaster recovery processes. In addition, Christopher assists in building risk recognition systems and advancing the CrowdStrike Services practice.
@ADAM_CYBER
ADAM MEYERS | VP, INTELLIGENCE Adam Meyers has over a decade of experience in the information security industry. He has authored numerous papers that have appeared at peer-reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of Intelligence. In this role, Adam oversees all of CrowdStrike’s intelligence gathering and cyber-adversary monitoring activities. Adam’s Global Intelligence Team supports both the Product and Services divisions at CrowdStrike, and Adam manages these endeavors and expectations.
ADVANCED ATTACKERS EVADE IOC-BASED DETECTION
HOW CAN YOU FIND AN ATTACK WHEN THERE IS NO MALWARE, NO COMMAND AND CONTROL, AND NO FILE-BASED ARTIFACTS?
REAL-WORLD CASE STUDIES
LET’S DIVE IN… WHO’S BEHIND THE ATTACK?
UNCOVER THE ADVERSARY
CHINA
• Comment Panda: Commercial, Government, Non-profit
• Deep Panda: Financial, Technology, Non-profit
• Foxy Panda: Technology & Communications
• Anchor Panda: Government organizations, Defense & Aerospace, Industrial Engineering, NGOs
• Impersonating Panda: Financial Sector
• Karma Panda: Dissident groups
• Keyhole Panda: Electronics & Communications
• Poisonous Panda: Energy Technology, G20, NGOs, Dissident Groups
• Putter Panda: Governmental & Military
• Toxic Panda: Dissident Groups
• Union Panda: Industrial companies
• Vixen Panda: Government
IRAN
• Magic Kitten: Dissidents
• Cutting Kitten: Energy Companies
INDIA
• Viceroy Tiger: Government, Legal, Financial, Media, Telecom
RUSSIA
• Energetic Bear: Oil and Gas Companies
NORTH KOREA
• Silent Chollima: Government, Military, Financial
CRIMINAL
• Singing Spider: Commercial, Financial
• Union Spider: Manufacturing
• Andromeda Spider: Numerous
HACKTIVIST/TERRORIST
• Deadeye Jackal: Commercial, Financial, Media, Social Networking
• Ghost Jackal: Commercial, Energy, Financial
• Corsair Jackal: Commercial, Technology, Financial, Energy
• Extreme Jackal: Military, Government
PARACEL ISLANDS
Disputed Territory
• 16°40′N 112°20′E
• Claimed by:
  – Vietnam (Hoàng Sa Archipelago)
  – People's Republic of China (Xisha Islands)
  – Taiwan
• Originally occupied by the French in 1938, the islands were taken by Japan and then by China after World War II
• In 1974, armed conflict ended with the victorious PLA forces occupying the islands over the ARVN; unified Socialist Vietnam has since renewed its claims
HAIYANG SHIYOU 981
May 2, 2014
• Owned by: CNOOC Group
  – Displacement: 30,670 tons
  – Length: 114 meters
  – Beam: 90 meters
  – Speed: 8 knots
  – Crew: 160
• Mission: Evaluate potential for oil reserves
• In theater 2 May – 16 Jul
May/June
CHINESE INTRUSION ACTIVITY: Increasing activity as conflict escalates
CHINESE INTRUSION ACTIVITY: Increasing tensions and intrigue
HD981 OPERATIONS MAY - JULY
• 2 May: HD981 deployed near the Paracel Islands
• 26 May: Vietnamese fishing boat sinks after a confrontation with Chinese vessels
• June: tensions continue to rise as HD981 moves closer to the Paracel Islands and conducts drilling
• 16 July: HD981 leaves the Paracel Islands in advance of typhoon season and to ‘review data’ from drilling operations
ISLAMIC STATE OF IRAQ AND SYRIA (ISIS)
Mid June 2014
• Sunni extremists from ISIS begin their advance on the key Iraqi industrial city of Baiji
• 12 June: ISIS vehicles and personnel burn down the courthouse and police station and release prisoners from the jail
• 18 June: ISIS insurgents begin attacking the Baiji refinery, the largest in Iraq, which can refine over 300,000 barrels of oil per day
(Map: Baiji)
CHINA OIL AT RISK
(Chart: Top Oil Imports)
WHAT HAPPENED? THIS IS A STORY OF THE INCIDENT…
CASE STUDY: WEBSHELL ATTACK
• Suspicious Logins Detected within Environment
• Falcon Host Deployed to the Network with CSOC Monitoring
  – Deployment Time is now Hours, not Days
  – The Cloud Allows Rapid Deployment and Increased Visibility
    • Not Dependent on Hardware
    • No Infrastructure to Stand Up
• Visibility on Adversary Actions
  – Webshell Deployments and Usage
  – Usage of Sticky Keys
  – Usage of PowerShell with Custom Encryption
CASE STUDY: WEBSHELL ATTACK (continued)
• Watching the Adversary Change TTPs in Real Time
  – Uploading New Tools, Monitoring for Logons
• Security Teams Able to Respond within Minutes
  – Removal of Infected Machines
  – Memory Capture with Attacker Tools Running
• Reduction in Incident Response Timing
  – Remediate Quicker
  – Reduce the Need for Deep-Dive Forensics
  – Reduce the Cost of Incident Response
• Continued Visibility Going Forward
  – Detections Allowing Security Teams to Prevent Attacker Foothold
ADVERSARIES ADJUSTING TTPS
Changes to Persistence
• Moving from Workstations back to Servers
• Reducing Footprint
Forensic Evidence Reduction
• Utilizing Memory for Execution, Compression, Exfiltration
• Automated Cleanup Processes
Simplified Toolsets and Communication
• Webshells
  – Compiled on the Fly, Direct to Memory
  – Utilize SSL Certificates on Externally Accessible Sites
• Utilize Custom Encryption within Microsoft PowerShell
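The three malware-free TTPs the case study names (webshell usage, Sticky Keys, and PowerShell with custom encryption) leave a process-lineage trail even when there is no file IOC to sweep for. The following Python is an added example, not CrowdStrike code or Falcon Host logic: it assumes endpoint telemetry arrives as dicts with pid, image, parent and cmdline fields, the image names are lower-case basenames, and the sample events are constructed.

```python
import base64
import re

# Assumed telemetry shape (not from the deck): one dict per process start with
# 'pid', 'image', 'parent' and 'cmdline'; image names are lower-case basenames.
SHELLS = {"cmd.exe", "powershell.exe"}
WEB_WORKERS = {"w3wp.exe", "httpd.exe"}        # IIS / Apache worker processes
ACCESSIBILITY = {"sethc.exe", "utilman.exe"}   # Sticky Keys / Utility Manager helpers
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)

def webshell_rule(ev):
    """Web server worker spawning a shell: a webshell is executing commands."""
    if ev["parent"] in WEB_WORKERS and ev["image"] in SHELLS:
        return "webshell: %s -> %s" % (ev["parent"], ev["image"])
    return None

def sticky_keys_rule(ev):
    """Accessibility helper spawning a shell: the Sticky Keys backdoor is in use."""
    if ev["parent"] in ACCESSIBILITY and ev["image"] in SHELLS:
        return "sticky keys: %s -> %s" % (ev["parent"], ev["image"])
    return None

def encoded_powershell_rule(ev):
    """Decode -EncodedCommand payloads; anything a rule cannot decode (custom
    encryption) is kept verbatim, which is why command capture matters."""
    if ev["image"] != "powershell.exe":
        return None
    m = ENCODED.search(ev["cmdline"])
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le", "replace").strip()
    except ValueError:
        decoded = "<undecodable> " + ev["cmdline"]
    return "encoded powershell: " + decoded

RULES = (webshell_rule, sticky_keys_rule, encoded_powershell_rule)

def evaluate(events):
    """Return (pid, finding) for every event that matches a rule."""
    return [(ev["pid"], hit) for ev in events for rule in RULES if (hit := rule(ev))]

# Constructed sample telemetry, not a real capture.
SAMPLE_EVENTS = [
    {"pid": 101, "image": "cmd.exe", "parent": "w3wp.exe", "cmdline": "cmd.exe /c whoami"},
    {"pid": 102, "image": "cmd.exe", "parent": "sethc.exe", "cmdline": "cmd.exe"},
    {"pid": 103, "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -enc " + base64.b64encode("Get-Process".encode("utf-16-le")).decode()},
    {"pid": 104, "image": "notepad.exe", "parent": "explorer.exe", "cmdline": "notepad.exe"},
]
```

Each rule fires on the parent/child relationship at process start, so it works whether or not the webshell or script ever touches disk.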
SECURITY TEAMS MUST ADJUST
New Detection Methods
• Must be Real-Time or Near-Real-Time; Sweeping for IOCs is a Losing Proposition
• Must Detect Credential Theft as it Happens
• Must Capture Adversaries' Commands as Forensic Evidence is Being Reduced
Benefits of Detection Methods
• Able to Respond Quicker
• Reduce Exposure and Loss
• Allow Security Teams to Adjust to Adversary TTPs on the Fly
• Increase Costs to the Adversary
NOW WHAT? HOW DID WE DETECT AND ATTRIBUTE THIS MALWARE-FREE INTRUSION?
TECHNOLOGY COMPONENTS: FALCON HOST CORE COMPONENTS
FALCON HOST TECH OVERVIEW
• CLOUD-BASED APPLICATION
• HOST-BASED DETECTION SENSOR
• DETECT: STATEFUL EXECUTION INSPECTION
• RECORD: ENDPOINT ACTIVITY MONITORING
• INTELLIGENCE: ATTRIBUTION ENGINE
REAL-TIME STATEFUL EXECUTION INSPECTION
1. Email Received
2. Email Attachment Opened in Acrobat Reader
3. Process Silently Executed
4. Executable Saved in Windows/System32 Folder
5. Executable Modifies Windows Registry to Autostart
6. Executable Hides Itself From Task Manager
7. Executable Calls Out to the Internet
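As an added example (not Falcon Host's implementation), the following Python sketches the stateful idea behind the chain above: each observation on its own is weak evidence, and a process is flagged only once enough of the chain has accumulated under its pid, with no file hash involved. It assumes event dicts carrying 'type' and 'pid', invented weights and threshold, and constructed events; the hide-from-Task-Manager step is omitted because the slide gives no telemetry for it.

```python
from collections import defaultdict
# Assumed telemetry (not from the deck): dicts with 'type' and 'pid' plus per-type fields.
DOC_READERS = {"acrord32.exe", "winword.exe"}   # attachment viewers (chain step 2)
AUTOSTART_KEY = "\\currentversion\\run"         # registry autostart location (step 5)
WEIGHTS = {                                     # assumed: each behaviour alone is weak evidence
    "spawned_by_document_reader": 2,
    "wrote_to_system32": 2,
    "set_autostart_key": 3,
    "outbound_connection": 2,
}
ALERT_THRESHOLD = 7   # assumed: needs three or more behaviours, one of them the autostart key

class StatefulInspector:
    """Keeps per-process state so the behaviour chain, not a file IOC, triggers."""
    def __init__(self):
        self.state = defaultdict(dict)   # pid -> {behaviour: evidence}
        self.alerts = {}                 # pid -> (score, behaviours), latest state
    def observe(self, ev):
        pid, kind = ev["pid"], ev["type"]
        s = self.state[pid]
        if kind == "process_start" and ev["parent"].lower() in DOC_READERS:
            s["spawned_by_document_reader"] = ev["parent"]
        elif kind == "file_write" and "\\windows\\system32\\" in ev["path"].lower():
            s["wrote_to_system32"] = ev["path"]
        elif kind == "reg_set" and AUTOSTART_KEY in ev["key"].lower():
            s["set_autostart_key"] = ev["key"]
        elif kind == "net_connect":
            s["outbound_connection"] = ev["dst"]
        score = sum(WEIGHTS[b] for b in s)
        if score >= ALERT_THRESHOLD:
            self.alerts[pid] = (score, sorted(s))
        return score

def run(events):
    """Feed a stream through one inspector; return pid -> (score, behaviours) for alerts."""
    insp = StatefulInspector()
    for ev in events:
        insp.observe(ev)
    return insp.alerts

# Constructed stream: pid 200 follows the deck's chain, pid 300 is a benign installer.
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 200, "image": "update.exe", "parent": "AcroRd32.exe"},
    {"type": "file_write", "pid": 200, "path": "C:\\Windows\\System32\\helper.exe"},
    {"type": "reg_set", "pid": 200, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\helper"},
    {"type": "net_connect", "pid": 200, "dst": "203.0.113.10:443"},
    {"type": "process_start", "pid": 300, "image": "setup.exe", "parent": "msiexec.exe"},
    {"type": "file_write", "pid": 300, "path": "C:\\Windows\\System32\\drivers\\vendor.sys"},
    {"type": "reg_set", "pid": 300, "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\vendor"},
]
```

The installer writes to System32 and sets an autostart key too, but without the document-reader parent and the callout it stays below the threshold, which is the property that lets this style of detection survive an adversary who never drops a known file.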
LET’S TAKE A LOOK… ENDPOINT PROTECTION DEMO
Q&A
Please enter all questions in the Q&A panel of GoToWebinar
For information on the CrowdStrike Falcon Platform or CrowdStrike Services, contact [email protected]