Drawing from CrowdStrike's work, Cayce Beames presents evolving cybersecurity threats, discusses her thoughts on why traditional security is failing and shares a bit on what this "next generation endpoint protection" is about.
Cayce has been working in technology for over 25 years. From IT systems administration to network engineering and Internet security, risk management and compliance auditing, Cayce has consulted with many global corporations and traveled extensively. Cayce is currently a governance, risk and compliance analyst at CrowdStrike and founder of the not-for-profit, public benefit, education-for-kids organization called "The Computer Club", where she works to inspire kids and adults to address their fear of the unknown and make something awesome with technology.
Evolving Cybersecurity Threats
1. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
CYBERSECURITY THREATS &
NEXT-GEN ENDPOINT
PROTECTION
2. Cayce Beames
• Sr Analyst, GRC at CrowdStrike
• 25 Years in IT and Security
• Really rather technical
• Co-founded a kids club to teach electronics, programming and robotics: www.thecomputerclub.org
3.
1 Cybersecurity Threats
2 Attack Vectors
3 Ransomware
4 Why Traditional Security is Failing
5 What is “Next Gen Endpoint Protection?”
6 Questions / Discussion
7. “Legitimate user credentials were used in most hacking related data breaches, with some 81% of them using weak, default, or stolen passwords”
2017 Verizon Data Breach Investigations Report (DBIR)
11. CYBERSECURITY THREATS - ADVERSARIES
• Adversaries are:
  • Better funded
  • More sophisticated
  • More patient
• Attacks are:
  • Well planned
  • Quietly executed
  • Often malware free
  • Encrypted
  • Cleaned up, leaving less evidence
12. NATION STATE ADVERSARY GROUPS
China: “PANDA”
Russia: “BEAR”
North Korea: “CHOLLIMA”
India: “TIGER”
Iran: “KITTEN”
13. ADVERSARY PROFILE: ROCKET KITTEN
OPERATIONAL WINDOW: April 2014 - Present
OBJECTIVES: Recon, Lateral movement, Data Theft
TARGETING: Aerospace, Defense, Government
TOOLS: Word Macros, Core Impact, Gmail C2, FireMalv credential stealer, MPK post-exploitation toolkit
14. OTHER ADVERSARY GROUPS
CRIMINAL: SINGING SPIDER, UNION SPIDER, ANDROMEDA SPIDER
HACKTIVIST / ACTIVIST / TERRORIST: DEADEYE JACKAL, GHOST JACKAL, CORSAIR JACKAL, EXTREME JACKAL, FRATERNAL JACKAL
15. ATTACK VECTORS
A look into a recent case
16. ATTACK: DEMOCRATIC NATIONAL COMMITTEE
• Suspected large-scale phishing campaign
• WMI, PowerShell and the known malware SeaDaddy were used. The malware is fully modular for command and control
• IOCs indicated a variation of a known adversary, Fancy Bear
• CrowdStrike observed malicious activity in real time (“hands on keyboard”)
• Data was exfiltrated prior to our investigation, but ShimCache showed clear targeting
• The DNC IT team reimaged infected systems and built new domain infrastructure
17. RANSOMWARE
• Propagates through an unpatched/unknown (“0-day”) vulnerability
• Steals credentials
• Propagates further with valid credentials and built-in (aka malware free) tools such as WMI and psexec
• Encrypts data or the master boot record
• Asks for the ransom to be paid in bitcoin
• Provides a multi-language call center for support
• May or may not decrypt your data, and may also destroy it
• If the contact email/domains are disabled, decryption keys may not be obtainable
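The propagation chain above (steal credentials, then move with WMI and psexec) and the “malware free” and “cleaned up” attack traits from the adversaries slide all leave traces in ordinary Windows telemetry. The detector below is an added example, not code from the CrowdStrike deck; it runs over constructed sample events whose field names follow Sysmon and the Windows System/Security logs (the Event schema itself is assumed), and flags a PsExec-style service install, a shell spawned by the WMI provider host, and a cleared Security log.

```python
# Added example (not from the CrowdStrike deck): minimal detection logic for the
# "malware-free" lateral movement and clean-up the slides describe, i.e. PsExec
# service installs, remote execution through WMI, and event-log clearing.
# The Event schema is constructed; field names follow Sysmon and Windows logs.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

@dataclass
class Event:
    source: str      # "sysmon", "system" or "security" (constructed schema)
    event_id: int
    host: str
    fields: Dict[str, str]

# Constructed sample telemetry: a PsExec service install, a shell spawned by the
# WMI provider host, a benign process start, and a Security log wipe.
SAMPLE_EVENTS = [
    Event("system", 7045, "ws01", {"ServiceName": "PSEXESVC",
                                   "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    Event("sysmon", 1, "ws02", {"Image": r"C:\Windows\System32\cmd.exe",
                                "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                                "CommandLine": "cmd.exe /c whoami"}),
    Event("sysmon", 1, "ws02", {"Image": r"C:\Windows\System32\notepad.exe",
                                "ParentImage": r"C:\Windows\explorer.exe",
                                "CommandLine": "notepad.exe"}),
    Event("security", 1102, "ws01", {"SubjectUserName": "svc_backup"}),
]
REMOTE_SHELLS = ("\\cmd.exe", "\\powershell.exe")

def classify(ev: Event) -> Optional[str]:
    """Return a finding label for one event, or None if no rule matches."""
    if ev.source == "system" and ev.event_id == 7045:
        # 7045 = new service installed; PsExec registers PSEXESVC on the target
        blob = (ev.fields.get("ServiceName", "") + ev.fields.get("ImagePath", "")).upper()
        if "PSEXESVC" in blob:
            return "psexec_service_install"
    if ev.source == "sysmon" and ev.event_id == 1:
        # Sysmon 1 = process creation; a remote Win32_Process.Create lands the
        # child under WmiPrvSE.exe, which rarely spawns shells legitimately
        parent = ev.fields.get("ParentImage", "").lower()
        child = ev.fields.get("Image", "").lower()
        if parent.endswith("\\wmiprvse.exe") and child.endswith(REMOTE_SHELLS):
            return "wmi_remote_exec"
    if ev.source == "security" and ev.event_id == 1102:
        return "security_log_cleared"  # 1102 = audit log cleared ("cleaned up")
    return None

def find_tradecraft(events: Iterable[Event]) -> List[Tuple[str, str]]:
    """Return (host, finding) pairs for every event that matches a rule."""
    return [(ev.host, label) for ev in events if (label := classify(ev))]
```

Calling find_tradecraft(SAMPLE_EVENTS) returns the three findings in event order; the benign notepad start produces none.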
19. UNDERTRAINED, UNDEREQUIPPED, UNDERSTAFFED, OVERWORKED
• Threats are more complex.
• Executives are not the security zealots that the security team is. Security is a steep learning curve for them.
• Employees and contractors are pushed harder.
• Every budget dollar is scrutinized
• Tools are poorly used or are the wrong ones. Drowning in data. 27% of breaches were reported by a 3rd party!
• Processes are poorly executed and poorly automated
• Training … How does your company train?
20. Comparative Analysis
WHY TRADITIONAL SECURITY IS FAILING
Adversary
• Well Funded
  • State vs Corporation
  • Organized Crime vs Individual
• More Sophisticated
  • Better Tooling
  • Better Trained
• More Patient
Organization Security Teams
• Funding is up, but to what benefit?
  • Is it making a difference?
• Not very sophisticated
  • Too much to do
  • Not enough time
  • Wrong, or poorly understood tools
  • Poorly trained
• Less patient, too much stress!
21. WISDOM FROM SUN TZU
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
22. Do you know if your endpoints are currently compromised by a sophisticated actor?
Are you protecting your remote users and compute environments against ransomware and other polymorphic threats?
Do your existing security tools stop malware-free breaches?
23. WHAT IS THIS “NEXT GENERATION ENDPOINT PROTECTION” BUSINESS?!
24. NEXT-GEN ENDPOINT PROTECTION
• The enterprise endpoint protection platform (EPP) is an integrated solution that has the following capabilities:
  • Anti-malware
  • Personal firewall
  • Port and device control
• EPP solutions will also often include:
  • Vulnerability assessment
  • Application control and application sandboxing
  • Enterprise mobility management (EMM)
  • Memory protection
  • Endpoint detection and response (EDR) technology (see "Market Guide for Endpoint Detection and Response Solutions")
  • Data protection such as full disk and file encryption
  • Endpoint data loss prevention (DLP)
25. Next-Generation Endpoint Protection: Cloud Delivered. Enriched by Threat Intelligence
MANAGED HUNTING
ENDPOINT DETECTION AND RESPONSE
NEXT-GEN ANTIVIRUS
30. NEXT-GEN AV BENEFITS
PREVENTS ALL TYPES OF ATTACKS
Protect against Known/Unknown Malware
Protect Against Zero-Day Attacks
Eliminate Ransomware
No Signature Updates
No User Impact: Less than 1% CPU overhead
Reduce re-imaging time and costs
BUSINESS VALUE
Machine Learning
IOA Behavioral Blocking
Block Known Bad
Exploit Mitigation
31. TELEMETRY: 170 Countries / 18B Events per day
CORRELATION: Real-time and Retrospective
CAPABILITIES: Detection / Prevention / Forensics
Creates a Behavioral IOA Timeline
FIND THE UNKNOWN UNKNOWNS
33. PREVENT AGAINST SILENT FAILURE
DVR FOR ENDPOINT
BUSINESS VALUE
5 Second Enterprise Search
No Hardware or Storage Costs
Full Spectrum Visibility
Reduced Time to Remediation
BENEFITS
ENDPOINT DETECTION AND RESPONSE
35. FINDING THE ADVERSARY So You Don’t Have To
BREACH PREVENTION SERVICES
Team of Hunters Working for You 24 x 7
BUSINESS VALUE
Force Multiplier
Community Immunity
BENEFITS
Reduce Alert Fatigue: Focus on What Matters!
Stop the “Mega” Breach
MANAGED HUNTING
36. FALCON ENDPOINT PROTECTION PLATFORM
Cloud Delivered
POWERED BY: CROWDSTRIKE THREAT GRAPH™
ENRICHED BY: CROWDSTRIKE INTELLIGENCE, CROWDSOURCED INTELLIGENCE, THIRD-PARTY INTELLIGENCE
SERVICES / API
FALCON OVERWATCH: Managed Hunting
FALCON HOST: Endpoint Protection
FALCON INTELLIGENCE: Threat Intelligence
37. SUGGESTED READING/VIEWING
• Gartner Magic Quadrant for Endpoint Protection Platforms 2017 (public web listing): http://branden.biz/wp-content/uploads/2017/03/Magic-Quadrant-for-Endpoint-Protection-Platforms-2017.pdf
• CrowdStrike Cyber Intrusion Services Casebook: https://www.crowdstrike.com/resources/reports/crowdstrike-cyber-intrusion-services-casebook-2016/
• CrowdStrike Global Threat Report: https://www.crowdstrike.com/resources/reports/2015-global-threat-report/
• FireEye M-Trends Report: https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html
• Verizon Data Breach Investigation Report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
• George Kurtz presenting at Evolve 2017: https://youtu.be/WtmX-a-cayQ
• Abusing WMI, BlackHat 2015, Matt Graeber: https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
38. THANK YOU
Please enjoy some refreshments
Cayce Beames
Cayce.Beames@crowdstrike.com
https://www.linkedin.com/in/caycebeames/
Editor's Notes
Better Funded: Nation state, organized crime and hacker collectives
More Sophisticated: Better trained, using more advanced technologies and developed tools taking advantage of undisclosed “zero day” vulnerabilities. Taking more data, not always what we would expect.
More Patient: Taking months to perform reconnaissance without detection
Well Planned: The time spent on reconnaissance, developing new tooling to exploit vulnerabilities,
Quietly Executed: Using techniques to avoid detection, including on-the-box system utilities and encryption.
Cleaned Up: Using secure delete, altering file times, clearing logs