Nächste SlideShare
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
- 1. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. WHO NEEDS MALWARE? UNDERSTANDING FILELESS ATTACKS AND HOW TO STOP THEM
- 2. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. 1 What are fileless attacks 2 How does a fileless attack work 3 Real world examples 4 Why traditional approaches don’t work 5 The CrowdStrike approach
- 3. POOL QUESTION HOW WOULD YOU RATE YOUR KNOWLEDGE OF FILELESS ATTACKS 1 TO 5 (1 = NONE. 5 = EXPERT) 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
- 4. WHAT IS A FILELESS ATTACK 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. An attack that does not require a malicious executable file to be written to disk
- 5. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. THE REALITY OF FILELESS ATTACKS Fileless techniques are not new More prevalent than Ransomware 24% vs. 21% 78% of organizations are concerned about fileless attacks Only 51% of breaches include malware - Source Verizon BDR 2017 Not all attacks are 100% fileless 80% of attacks use some fileless techniques - Source CrowdStrike Incident Response
- 6. FILELESS ATTACK TECHNIQUES 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
- 7. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. FILELESS TECHINQUES FILELESS INTRUSION TECHNIQUES OBSERVED BY THE FALCON PLATFORM § Spear phishing for credentials § Lateral movement using ‘living off the land’ tools (WMI, Unix commands, Powershell) § Registry persistence § Webshells
- 8. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. 1. Attacker identifies organization with vulnerable web application 2. Remote attacker uses SQL injection or other vulnerability to drop payload 3. Vulnerable webserver is compromised and becomes backdoor WEBSHELL ATTACKS
- 9. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. FILELESS TECHINQUES FILELESS INTRUSION TECHNIQUES OBSERVED BY THE FALCON PLATFORM § Spear phishing for credentials § Lateral movement using ‘living off the land’ tools (WMI, Unix commands, Powershell) § Registry persistence § Webshells § Powershell-based credential dumpers
- 10. G O A L T O O L S T E C H N I Q U E HOW A FILELESS ATTACK TAKES PLACE I N I T I A L C O M P R O M I S E 1 Remote access to a system using a web browser. Can be web scripting language E.g. China Chopper GAIN ACCESS WebShell C O M M A N D A N D C O N T R O L 2 Run system commands to find out where we are RECON Sysinfo, Whoami P R I V I L E G E E S C A L AT I O N 3 Run a PowerShell script such as Mimikatz to dump credentials DUMP CREDENTIALS PowerShell P E R S I S T E N C E 4 Modifies Registry to create a backdoor E.g. On screen keyboard or sticky keys MAINTAIN PERSISTENCE Registry E X F I LT R AT I O N 5 Uses system tools to gather data and China Chopper Webshell to exfiltrate data EXFILTRATE DATA VSSAdmin, Copy, NET use, Webshell
- 11. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. REAL WORLD EXAMPLES § Fileless Malwre: Kovter § Fileless Attack: Nation State
- 12. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. KOVTER § Click-fraud § Fileless after initial infection § Hides encrypted malicious modules in the registry § Hides other malicious modules in PowerShell scripts § Uses shortcut file (.lnk) to download PowerShell scripts. The script launches PowerShell to start a shellcode
- 13. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. NATION STATE ATTACK § Weaponization: Spoofed website § Delivery: Spear phishing § PowerShell modules connect to a remote server § Install/run MimiKatz § Lateral movement through stolen credentials
- 14. MOVING LATERALLY WITHOUT MALWARE 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. Attacker sets the bait with a fake website Extract credentials from initial victim Move laterally to other hosts
- 15. HOW TO PROTECT AGAINST FILELESS ATTACKS 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
- 16. HOW WOULD YOU RATE YOUR CURRENT LEVEL OF PROTECTION AGAINST FILELESS ATTACKS (1 = POOR – 5 = EXCELLENT) 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
- 17. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. EDUCATE 83%Rate traditional AV based signature efficacy good or excellent
- 18. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. WHY TRADITIONAL APPROACHES DON’T WORK No file to analyze No artifacts left behind Blind if prevention fails Uses legitimate applications No file to detonate Hands on keyboard
- 19. PROTECTS AGAINST ALL TYPES OF ATTACKS Protect against Known/ Unknown Malware/Malware Free Protect Against Zero-Day Attacks Endpoint Detection and Response Managed Threat Hunting BENEFITS FALCON ENDPOINT PROTECTION Machine Learning IOA Behavioral Blocking Block Known Bad Exploit Mitigation 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
- 20. PROCESS INJECTS A THREAD INTO SYSTEM PROCESS INJECTED THREAD READS CREDENTIALS FROM THE SYSTEM PROCESS MEMORY DUMPED CREDENTIALS ARE USED TO LOGIN INTO EXCHANGE SERVER MAILBOXES ARE EXPORTED OUT OF EXCHANGE INDICATORS OF ATTACK 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. PROCESS CONDUCTS RECONNAISSANCE PROCESS ELEVATES PRIVILEGES WEB SERVER EXECUTES A PROCESS
- 21. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. KEY TAKEAWAYS THE THREAT IS REAL TRADITIONAL AV IS NOT ENOUGH CURRENT DEFENSES DO NOT WORK NEED TO THINK BEYOND MALWARE AND FOCUS ON STOPPING THE BREACH
- 22. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. Questions? Please submit all questions in the Q&A chat right below the presentation slides Contact Us Additional Information Join Weekly Demos crowdstrike.com/productdemos Featured Asset: How Adversaries Use Fileless Attacks To Evade Your Security Link in Resource List Website: crowdstrike.com Email: info@crowdstrike.com Number: 1.888.512.8902 (US)
Als Erste(r) kommentieren