In today’s threat environment, adversaries are constantly profiling and attacking your corporate infrastructure to access and collect your intellectual property, proprietary data, and trade secrets. Now more than ever, threat intelligence is important for organizations that want to proactively defend against advanced threat actors.
While many organizations today collect massive amounts of threat intelligence, are they able to translate that information into an effective defense strategy?
View the slides now to learn about threat intelligence for operational purposes, including real-world demonstrations of how to consume intelligence and integrate it with existing security infrastructure.
Learn how to prioritize response by differentiating between commodity and targeted attacks and develop a defense that responds to specific methods used by advanced attackers.
1. OPERATIONALIZING THREAT INTELLIGENCE
Adam Meyers, Vice President Intelligence; CrowdStrike
Elia Zaitsev, Sales Engineer; CrowdStrike
USING ACTIONABLE THREAT INTELLIGENCE TO FOCUS
SECURITY OPERATIONS
2. TODAY’S SPEAKERS
2014 CrowdStrike, Inc. All rights reserved. 2
ADAM MEYERS | VP, INTELLIGENCE
Recognized speaker, trainer, and intelligence expert with 15+ years of cyber security industry experience
10 years in the DIB supporting US GOV customers on topics ranging from wireless, pen testing, IR, and malware analysis
@ADAM_CYBER
@CROWDSTRIKE | #CROWDCASTS
3. ELIA ZAITSEV | SALES ENGINEER
7+ years of IT security industry experience providing sales support and technical implementation of enterprise security products
Currently supports sales of CrowdStrike’s Falcon Platform, including endpoint threat detection & response, endpoint activity monitoring, and threat intelligence
#TWITTERHATER
5. RELEASE OF PUBLIC INDICATORS AND INTELLIGENCE
Operation Aurora
APT 1
Babar
Uroburos
6. ACTIONABLE INTELLIGENCE
WHAT DO YOU DO WITH INDICATORS?
Enterprise security systems have basic configurations out of the box
Detection needs to be updated at line speed
No standard taxonomy to express threat intelligence
8. UNCOVER THE ADVERSARY
CHINA:
Comment Panda: Commercial, Government, Non-profit
Deep Panda: Financial, Technology, Non-profit
Foxy Panda: Technology & Communications
Anchor Panda: Government organizations, Defense & Aerospace, Industrial Engineering, NGOs
Impersonating Panda: Financial Sector
Karma Panda: Dissident groups
Keyhole Panda: Electronics & Communications
Poisonous Panda: Energy Technology, G20, NGOs, Dissident Groups
Putter Panda: Governmental & Military
Toxic Panda: Dissident Groups
Union Panda: Industrial companies
Vixen Panda: Government
IRAN:
Magic Kitten: Dissidents
Cutting Kitten: Energy Companies
INDIA:
Viceroy Tiger: Government, Legal, Financial, Media, Telecom
RUSSIA:
Energetic Bear: Oil and Gas Companies
NORTH KOREA:
Silent Chollima: Government, Military, Financial
CRIMINAL:
Singing Spider: Commercial, Financial
Union Spider: Manufacturing
Andromeda Spider: Numerous
HACKTIVIST/TERRORIST:
Deadeye Jackal: Commercial, Financial, Media, Social Networking
Ghost Jackal: Commercial, Energy, Financial
Corsair Jackal: Commercial, Technology, Financial, Energy
Extreme Jackal: Military, Government
9. GET TO KNOW THE ADVERSARY
Don’t fear change: not all behaviors change, and good intel and pattern analysis can identify the new TTPs
Consume and operationalize threat intelligence quickly: threat intelligence is of no help after an incident, or when consumed from a public release long after the campaign finished
10. INDICATIONS AND WARNINGS: Q1 ZERO DAY
17 JAN 2014: Spoofed GIFAS drive-by sites lead to CVE-2014-0322 exploit
3 FEB 2014: CVE-2014-0497 exploit used to distribute Tapaoux malware
11 FEB 2014: AURORA PANDA uses VFW website in SWC activity leveraging CVE-2014-0322
14 FEB 2014: SWC campaign affecting NGO/think tank sites leverages CVE-2014-0502
24 MAR 2014: Microsoft identifies CVE-2014-1761 and its limited use in targeted attacks
11. CASE STUDY: CHINA TARGETING THE OIL SECTOR
STRATEGIC ASSESSMENT OF CHINA’S ENERGY SECTOR, STATE CONTROL & NATIONAL AGENDA, AND CHINA’S DOMESTIC OIL SECTOR
12. ENERGY SECTOR TARGETING
CHINA: Goblin Panda, Wet Panda, Vixen Panda, Violin Panda, Temper Panda, Poisonous Panda, Comment Panda, Anchor Panda
IRAN: Clever Kitten, Flying Kitten
INDIA: Viceroy Tiger
RUSSIA: Energetic Bear
ACTIVIST: Corsair Jackal, Ghost Jackal
13. CHINA’S ENERGY SECTOR
Second-largest oil consuming country in the world
Largest oil importer in the world
Investing in international oil assets
Declining domestic oil output
Reinvestment in China’s domestic oil sector
14. CHINA’S ENERGY SECTOR
Total Energy Consumption (chart; only these slices survived extraction)
Hydroelectric Power 6%
Natural Gas 4%
Nuclear <1%
Other Renewables 1%
15. STATE CONTROL & NATIONAL AGENDA
383 Plan
863 Plan
Indigenous Innovation
Top Five National Oil Companies: CNPC/PetroChina, Sinopec, CNOOC, Sinochem Group, Zhuhai Zhen Rong Co.
16. DOMESTIC OIL SECTOR
PRESENT DAY
Mature Oil Basins
Drilling in the Western Provinces
Offshore Shallow-Water Drilling
Deep-Water Drilling
East and South China Seas
Territorial Disputes
FUTURE
17. TECHNOLOGICAL DEFICIENCIES
Exploration Technologies: 3D and 4D seismic imaging
Oil Spill Prevention Technologies: 2010 and 2011 oil spills in Bohai Bay
Deep-Water Oil Drilling Technologies: 300-3,000 meters deep
Resulting Cyber Espionage
18. INTELLIGENCE ASSESSMENT
CHINA’S MOTIVATIONS:
Looming energy crisis
Declining domestic oil supply
Patent development is slow
Technological deficiencies
TARGETS:
Exploration technology: 3D and 4D seismic
Oil spill prevention technology
Deep-water oil drilling technology
ASSESSMENT:
Increasing cyber espionage
Increasing Chinese military presence in the East and South China Seas
Increasing corporate espionage to outbid others for international oil assets
19. ORGANIZATIONS WITH SUPERIOR INTELLIGENCE CAPABILITIES ARE FAR MORE SUCCESSFUL AT MITIGATING TARGETED ATTACKS
20. INCREASED SHARING OF INDICATORS AND INTELLIGENCE
Organizations have access to far more information than they have ever had before:
OSINT and managed intel threat feeds
Whitepapers
Malware dumps like VirusTotal, Contagio, and VirusShare
Presentations by researchers
The private sector is now capable of building government-level intel capabilities
21. AN ORGANIZATION’S SUCCESS WILL BE MEASURED BY THE ABILITY TO DETECT, RESPOND, AND MITIGATE THESE PATTERNS OF ATTACK
22. DEMOS
DATA VISUALIZATION
PACKET CAPTURE
LOG AGGREGATION / SIEM
THREAT INTELLIGENCE
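Slide 6 lists the obstacles (no standard taxonomy for indicators, detection that must be updated at line speed) and slide 22 names the systems the demos wire together (log aggregation / SIEM plus threat intelligence), but the deck does not show the plumbing. The Python script below is an added example, not code from the deck or from CrowdStrike. It normalizes a constructed indicator feed, ages out indicators last seen too long ago (slide 9's point that intel consumed long after a campaign is of little help), matches the remaining ones against constructed proxy, DNS and AV log lines, and tags each hit as targeted, commodity or hacktivist from the naming family the deck uses (Panda/Kitten/Tiger/Bear/Chollima for state-sponsored groups, Spider for criminal, Jackal for hacktivist) so that response can be prioritized. Every indicator value, host and log line is a constructed placeholder (RFC 5737 test addresses, reserved .invalid names, an all-zero hash); the adversary names come from the slides, but their pairing with these placeholder indicators is invented for the demo.

```python
"""Consume an indicator feed and match it against aggregated logs.

Added example (not code from the deck or from CrowdStrike).  Every
indicator value, host name and log line below is CONSTRUCTED for the demo:
RFC 5737 test addresses, reserved .invalid domains and an all-zero hash.
The adversary names come from the slides, but their pairing with these
placeholder indicators is invented here.
"""
import csv
import io
import ipaddress
import re
from datetime import date, timedelta

# Constructed feed.  Feeds arrive in many taxonomies, so the first step is
# to normalise whatever comes in to (type, value, adversary, last_seen).
FEED_CSV = """\
type,value,adversary,last_seen
ipv4,192.0.2.10,Comment Panda,2014-03-20
domain,update.c2-example.invalid,Deep Panda,2014-02-11
domain,cdn.loader-example.invalid,Andromeda Spider,2014-03-25
md5,00000000000000000000000000000000,Putter Panda,2013-06-01
ipv4,192.0.2.77,Andromeda Spider,2014-03-28
"""

# Constructed proxy / DNS / AV events, as a SIEM would hand them over.
LOG_LINES = [
    "2014-03-29T10:02:11Z proxy host=ws-017 dst=192.0.2.10 url=http://192.0.2.10/img/logo.gif",
    "2014-03-29T10:05:40Z dns host=ws-022 query=www.update.c2-example.invalid",
    "2014-03-29T10:07:02Z dns host=ws-022 query=example.invalid",
    "2014-03-29T11:13:55Z av host=ws-031 md5=00000000000000000000000000000000",
    "2014-03-29T11:20:03Z proxy host=ws-040 dst=192.0.2.77 url=http://cdn.loader-example.invalid/a.exe",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)

# The deck's naming families: Panda/Kitten/Tiger/Bear/Chollima are the
# state-sponsored (targeted) groups, Spider is criminal, Jackal is hacktivist.
TARGETED_FAMILIES = {"Panda", "Kitten", "Tiger", "Bear", "Chollima"}


def classify(adversary):
    """Return (category, priority) so targeted intrusions are triaged first."""
    family = adversary.split()[-1]
    if family in TARGETED_FAMILIES:
        return "targeted", "high"
    if family == "Spider":
        return "commodity", "medium"
    if family == "Jackal":
        return "hacktivist", "medium"
    return "unknown", "low"


def load_feed(csv_text, as_of, max_age_days=180):
    """Index fresh indicators by type; drop any last seen too long ago.

    An indicator consumed long after its campaign ended mostly generates
    noise, so it is aged out instead of loaded.
    """
    index = {"ipv4": {}, "domain": {}, "md5": {}}
    dropped = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if as_of - date.fromisoformat(row["last_seen"]) > timedelta(days=max_age_days):
            dropped.append(row["value"])
            continue
        value = row["value"].lower()
        if row["type"] == "ipv4":
            ipaddress.ip_address(value)  # reject malformed entries early
        index.setdefault(row["type"], {})[value] = row["adversary"]
    return index, dropped


def domain_hit(name, domain_index):
    """Exact match, or the closest listed parent (subdomains of a listed domain count)."""
    labels = name.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domain_index:
            return candidate
    return None


def match_logs(log_lines, index):
    """Scan each log line for indicator values and attribute every hit."""
    hits = []
    for line in log_lines:
        found = set()
        for ip in IPV4_RE.findall(line):
            if ip in index["ipv4"]:
                found.add(("ipv4", ip))
        for name in DOMAIN_RE.findall(line):
            parent = domain_hit(name, index["domain"])
            if parent:
                found.add(("domain", parent))
        for digest in MD5_RE.findall(line):
            if digest.lower() in index["md5"]:
                found.add(("md5", digest.lower()))
        for ioc_type, value in sorted(found):
            adversary = index[ioc_type][value]
            category, priority = classify(adversary)
            hits.append({"line": line, "type": ioc_type, "indicator": value,
                         "adversary": adversary, "category": category,
                         "priority": priority})
    return hits


if __name__ == "__main__":
    feed_index, aged_out = load_feed(FEED_CSV, as_of=date(2014, 4, 1))
    print("aged out:", aged_out)
    for hit in match_logs(LOG_LINES, feed_index):
        print(f"[{hit['priority']}] {hit['category']:10} {hit['adversary']:18} "
              f"{hit['type']}={hit['indicator']}  <- {hit['line'][:40]}")
```

Run as-is, the all-zero hash is aged out (last seen mid-2013), the parent domain `example.invalid` does not match a feed entry for one of its subdomains, and the remaining four hits come back with the two Panda-attributed events ahead of the two Andromeda Spider events. In a real deployment the feed parser is the part that changes per source, the age-out threshold is tuned per indicator type (hashes stay valid longer than IPs), and the hit records are what gets forwarded to the SIEM as alerts.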
23. Q & A
For additional information, please contact crowdcasts@crowdstrike.com or intel@crowdstrike.com