2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
TAKING DWELL-TIME OUT OF INCIDENT RESPONSE
AGENDA:
1 INTRODUCTION
2 CURRENT INCIDENT RESPONSE TRENDS
3 CROWDSTRIKE’S INVESTIGATIVE METHODOLOGY
4 IR CASE OVERVIEW AND SEQUENCE OF EVENTS
6 DETECTING ATTACKERS BEFORE THEY GET BACK IN
7 KEY TAKEAWAYS
8 Q&A
WE STOP BREACHES
RYAN JAFARKHANI
PRINCIPAL CONSULTANT
6+ YEARS SPECIALIZED EXPERIENCE IN:
• Host & Network Forensics
• Malware Analysis/Reverse Engineering
• Intel/Attribution
HAS WORKED 70+ INVESTIGATIONS IN:
• State Sponsored
• Financial Crime
• Insider Threats
PRIOR TO CROWDSTRIKE:
ERIC OPDYKE
CONSULTANT
6+ YEARS SPECIALIZED EXPERIENCE IN:
• Host & Network Forensics
• Malware Analysis/Reverse Engineering
• Penetration Testing
• State sponsored attacks
PRIOR TO CROWDSTRIKE:
MOST COMMON BREACH TYPES:
• Intellectual Property (IP) Theft
• Monetary Theft
• Web Server Compromise
• Data Destruction
• Credential Theft
MOST COMMON INITIAL ATTACK VECTORS:
• Distributed Denial of Service (DDoS)
• Web Server Vulnerabilities
• Web Application Vulnerabilities
• Misconfigured DMZ Servers
• Spear Phishing
• Third-party Trust Relationships
• Strategic Web Compromise
• Weak Authentication Mechanisms
• Malicious Insider Threats
• SQL Injection
INCIDENT RESPONSE TRENDS
1: MULTIPLE ATTACKERS. In 25% of CrowdStrike’s engagements, we identified multiple distinct adversaries in the client environment.
2: REINFECTION ATTEMPTS. On average, adversaries engage in reinfection attempts within two days of comprehensive remediation efforts.
3: SELF-DETECTION RATES IMPROVING. CrowdStrike has seen a marked increase in the number of organizations self-detecting breaches, far above what has been previously reported.
4: CREDENTIALS A CRITICAL TARGET. Regardless of adversary or motivation, the most common goal of attackers is to secure domain and enterprise credentials.
5: COMPROMISED ACCOUNTS HOARDED. Unlike large-scale attacks of the past, adversaries no longer need to compromise hundreds of accounts to accomplish their objectives.
6: VARIATION IN DURATION. The review of CrowdStrike investigations found wide variation in the duration of investigations.
TRADITIONAL IR = SLOW RESPONSE
Customers wait for a remediation plan before any actual remediation work occurs.
[Timeline graphic: Breach, Discovery, IR Start, Visibility, IR Finished, Remediate; elapsed intervals labelled Months, Months, Many Days, Weeks]
INCIDENT RESPONSE SERVICES
By providing the client an immediate and comprehensive view into attacker activity, we stop breaches fast.
• Identify how attackers have been or are accessing the client’s environment
• Mitigate attackers’ existing access with appropriate methods
• Determine methods to track future actions and block future access
END GOAL: Get customers back to normal business operations quickly
INVESTIGATIVE METHODOLOGY
The power of Falcon Host and Falcon Intelligence provides immediate visibility and threat actor information that informs our remediation efforts – and gets our clients back to business FAST.
[Diagram: Services, Falcon Intel, Falcon Host]
IR CASE: BACKGROUND
• Client: Research and Technology defense contractor
• FBI notified the client of breach February 2015
• Data theft occurred over Christmas 2014
• Two foreign IP addresses were involved
• CrowdStrike Services engaged, responded and was on-site within 24 hours
OVERALL ENGAGEMENT GOALS
• GAIN VISIBILITY by deploying technical tools to 200 hosts
• ANSWER: Who? What? Where? When? How?
MAIN TOOLS USED DURING ENGAGEMENT:
- Falcon Host: provides real-time visibility and answers “What’s happening now?”
- Falcon Forensic Collector: provides the rear view and answers “What happened in the past?”
- Network monitoring technology deployed to the main egress points
IR CASE: INFRASTRUCTURE WEAKNESSES
• No central logging for any log sources
• Local users had administrative privileges
• Shared local administrator account enabled
• Service accounts with Domain Admin privileges
• Flat network (DMZ can access corporate network)
THESE ARE TYPICAL INFRASTRUCTURE WEAKNESSES CROWDSTRIKE SERVICES ENCOUNTERS
REARVIEW INSIGHTS WITH FALCON FORENSICS
• Services team utilized Falcon Forensics Collector (FFC): a Windows console application designed to gather system information for incident response engagements
• Collects information such as drivers, directory listings, hashes, registry entries, event log entries and much more
• Supports full disk forensics and established the attacker’s past activities
• Enables the Services team to provide the client with instantaneous evidence of attacker activity
IR CASE TIMELINE OF EVENTS
OCT. 13, 2011 - FIRST ATTACKER ACTIVITY: RAN REMOTE EXECUTION UTILITY ON CLIENT’S SERVER
JAN. 15, 2014 - SECOND ATTACKER ACTIVITY: RAN REMOTE SCANNER ON CLIENT SERVER
JULY 14, 2014 - ATTACKER LEVERAGED CREDENTIAL THEFT UTILITIES AND REMOTE ACCESS CAPABILITIES. GOAL: ACCESS INFORMATION WITHIN THE CLIENT'S ENVIRONMENT AND ALSO GAIN FUTURE ACCESS.
JULY 24, 2014 - INITIAL DATA THEFT BEGINS
■ Falcon Forensics identified data theft that started and continued to Feb. 2015
■ Attacker utilized C# Chopper Web Shell components on OWA servers.
■ From July to Nov. 2014, the attacker periodically dumped credentials on the client's domain controller and cached credentials on other hosts in the environment.
IR CASE TIMELINE OF EVENTS – CONTINUED
DEC. 25-29, 2014 - SECOND DATA THEFT OCCURS: RAN REMOTE EXECUTION UTILITY ON CLIENT’S SERVER
FEB. 7, 2015 - FBI NOTIFIES CLIENT OF ATTACK THAT OCCURRED DEC. 25
FEB. 9, 2015 - CROWDSTRIKE IR ENGAGEMENT BEGINS
FEB. 17, 2015 - ATTACKER LEVERAGED THE WEB SHELL ON CLIENT WEB SERVER TO CONDUCT RECONNAISSANCE AND ACCESSED SEVERAL SERVER DIRECTORIES AND FILES
FEB. 17-24, 2015 - FORENSICS AND REMEDIATION PERIOD: ATTACKER EJECTED FROM CLIENT’S ENVIRONMENT
100 HOURS TO REMEDIATION
IR CASE ATTACK IMPACT
THE DAMAGE? Theft of more than 500 GB of proprietary data
EARLIEST EVIDENCE OF ATTACKER ACTIVITY: October 2011
ATTACKER TTPs AND THEIR IMPACT:
• Leveraged web shells as primary backdoor
• Used Administrator and Service accounts
• Attacker leveraged TeamViewer and Remote Desktop to move laterally
• 41 pieces of malware and utilities
• 49 compromised accounts
• 14 compromised and/or accessed systems
FALCON HOST DETECTS AND KEEPS THE ATTACKER OUT
• After remediation, the attacker returned to the environment, which is common
• But detecting a returning attacker and reacting quickly is not common
• From the initial email alert Falcon Host generated, it took the client less than 45 minutes to react and pull the affected systems
• Client permanently decommissioned the systems
• We haven’t heard a peep since
CLIENT RECOMMENDATIONS TO PREVENT FUTURE BREACHES
• Client should continue to focus on detection
• Review the logs that are available
• Utilize effective host-based and network-based visibility tools to monitor for activity
• Goals: identify future activity quickly and take remediation actions based on detection
REMEDIATION-FOCUSED IR = FAST RECOVERY
We start immediately to mitigate damage and remove attackers.
[Timeline graphic: Breach & Discovery, IR Start, Visibility (Falcon Host), IR Finished, Remediate; elapsed intervals labelled Hours, Hours, Days/Weeks]
KEY TAKEAWAYS
• Expert IR practitioners can leverage your security investments and the latest technology
• Choose an IR team that partners with clients to ensure effective engagements
• Effective IR staff prepare you for the future by transferring knowledge to the client’s IT staff
• Documentation should be clear and recommendations should be actionable
WE STOP BREACHES
CROWDSTRIKE TOTAL VALUE
[Diagram: Endpoint Protection, Managed Hunting, Response Services, Threat Intelligence; built on People, Process, Technology, Intelligence; Our Customers]
An IR engagement provides clients an immediate and comprehensive view into attacker activity:
1 Who is the adversary?
2 Can you help eject him?
3 How should we reduce risk of future attacks?
YOUR NEXT STEP: COMPROMISE ASSESSMENT
Are there signs of current or past targeted attack?
Q & A
www.crowdstrike.com

More Related Content

What's hot

Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns
CrowdStrike
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike
 
State of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers MindsetState of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers Mindset
CrowdStrike
 
NTXISSACSC4 - The Art of Evading Anti-Virus
NTXISSACSC4 - The Art of Evading Anti-VirusNTXISSACSC4 - The Art of Evading Anti-Virus
NTXISSACSC4 - The Art of Evading Anti-Virus
North Texas Chapter of the ISSA
 
NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception
NTXISSACSC4 - Detecting and Catching the Bad Guys Using DeceptionNTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception
NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception
North Texas Chapter of the ISSA
 

What's hot (20)

You Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionYou Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And Detection
 
CrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the HashCrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the Hash
 
Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
 
CrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas AttackCrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas Attack
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
 
CrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the IndicatorCrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the Indicator
 
State of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers MindsetState of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers Mindset
 
What Happens Before the Kill Chain
What Happens Before the Kill Chain What Happens Before the Kill Chain
What Happens Before the Kill Chain
 
Hacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted ThreatsHacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted Threats
 
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
 
Battling Unknown Malware with Machine Learning
Battling Unknown Malware with Machine Learning Battling Unknown Malware with Machine Learning
Battling Unknown Malware with Machine Learning
 
"Is your browser secure? Breaking cryptography in PKI based systems, opening ...
"Is your browser secure? Breaking cryptography in PKI based systems, opening ..."Is your browser secure? Breaking cryptography in PKI based systems, opening ...
"Is your browser secure? Breaking cryptography in PKI based systems, opening ...
 
An Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware OutbreakAn Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware Outbreak
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
 
NTXISSACSC4 - Red, Amber, Green Status: The Human Dashboard
NTXISSACSC4 - Red, Amber, Green Status: The Human DashboardNTXISSACSC4 - Red, Amber, Green Status: The Human Dashboard
NTXISSACSC4 - Red, Amber, Green Status: The Human Dashboard
 
Bear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence OperationsBear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence Operations
 
NTXISSACSC4 - The Art of Evading Anti-Virus
NTXISSACSC4 - The Art of Evading Anti-VirusNTXISSACSC4 - The Art of Evading Anti-Virus
NTXISSACSC4 - The Art of Evading Anti-Virus
 
CrowdCasts Monthly: You Have an Adversary Problem
CrowdCasts Monthly: You Have an Adversary ProblemCrowdCasts Monthly: You Have an Adversary Problem
CrowdCasts Monthly: You Have an Adversary Problem
 
NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception
NTXISSACSC4 - Detecting and Catching the Bad Guys Using DeceptionNTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception
NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception
 

Similar to CrowdStrike Webinar: Taking Dwell-Time Out of Incident Response

Similar to CrowdStrike Webinar: Taking Dwell-Time Out of Incident Response (20)

#ALSummit: Live Cyber Hack Demonstration
#ALSummit: Live Cyber Hack Demonstration#ALSummit: Live Cyber Hack Demonstration
#ALSummit: Live Cyber Hack Demonstration
 
5 Ways to Protect Your Healthcare Organization from a Ransomware Attack - HIM...
5 Ways to Protect Your Healthcare Organization from a Ransomware Attack - HIM...5 Ways to Protect Your Healthcare Organization from a Ransomware Attack - HIM...
5 Ways to Protect Your Healthcare Organization from a Ransomware Attack - HIM...
 
Sammanfattning av 2014 Trustwave Global Security Report
Sammanfattning av 2014 Trustwave Global Security Report Sammanfattning av 2014 Trustwave Global Security Report
Sammanfattning av 2014 Trustwave Global Security Report
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside Out
 
Dual Detection Engines - Using Layered Security to Battle Cybercrime
Dual Detection Engines - Using Layered Security to Battle CybercrimeDual Detection Engines - Using Layered Security to Battle Cybercrime
Dual Detection Engines - Using Layered Security to Battle Cybercrime
 
Michael andersson - att ligga steget före in en allt mer hotfylld värld BC14
Michael andersson - att ligga steget före in en allt mer hotfylld värld BC14Michael andersson - att ligga steget före in en allt mer hotfylld värld BC14
Michael andersson - att ligga steget före in en allt mer hotfylld värld BC14
 
Webinar: Is There A Blind Spot In Your Cyberthreat Vision?
Webinar: Is There A Blind Spot In Your Cyberthreat Vision?Webinar: Is There A Blind Spot In Your Cyberthreat Vision?
Webinar: Is There A Blind Spot In Your Cyberthreat Vision?
 
SplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral AnalyticsSplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral Analytics
 
Webinar: Why evasive zero day attacks are killing traditional sandboxing
Webinar: Why evasive zero day attacks are killing traditional sandboxingWebinar: Why evasive zero day attacks are killing traditional sandboxing
Webinar: Why evasive zero day attacks are killing traditional sandboxing
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionReducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
 
Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security
 
Diagnosis SOC-Atrophy: What To Do When Your SOC Is Sick
Diagnosis SOC-Atrophy: What To Do  When Your SOC Is SickDiagnosis SOC-Atrophy: What To Do  When Your SOC Is Sick
Diagnosis SOC-Atrophy: What To Do When Your SOC Is Sick
 
Scalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver PresentationScalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver Presentation
 
WHOIS Database for Incident Response & Handling
WHOIS Database for Incident Response & HandlingWHOIS Database for Incident Response & Handling
WHOIS Database for Incident Response & Handling
 
Managed Vulnerability Scan
Managed Vulnerability ScanManaged Vulnerability Scan
Managed Vulnerability Scan
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
 
Scalar Security Roadshow - Calgary Presentation
Scalar Security Roadshow - Calgary PresentationScalar Security Roadshow - Calgary Presentation
Scalar Security Roadshow - Calgary Presentation
 
Ethical hacking interview questions and answers
Ethical hacking interview questions and answersEthical hacking interview questions and answers
Ethical hacking interview questions and answers
 
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkMapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

CrowdStrike Webinar: Taking Dwell-Time Out of Incident Response

  • 1. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. TAKING DWELL-TIME OUT OF INCIDENT RESPONSE
  • 2. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. 1 INTRODUCTION AGENDA: IR CASE OVERVIEW AND SEQUENCE OF EVENTS4 6 DETECTING ATTACKERS BEFORE THEY GET BACK IN 2 CURRENT INCIDENT RESPONSE TRENDS 3 CROWDSTRIKE’S INVESTIGATIVE METHODOLGY 7 KEY TAKEAWAYS 8 Q&A
  • 4. RYAN JAFARKHANI PRINCIPAL CONSULTANT 2016 CROWDSTRIKE INC. ALL RIGHTS RESERVED. • Host & Network Forensics • Malware Analysis/Reverse Engineering • Intel/Attribution HAS WORKED 70+ INVESTIGATIONS IN: • State Sponsored • Financial Crime • Insider Threats 6+ YEARS SPECIALIZED EXPERIENCE IN: PRIOR TO CROWDSTRIKE:
  • 5. ERIC OPDYKE CONSULTANT 2016 CROWDSTRIKE INC. ALL RIGHTS RESERVED. • Host & Network Forensics • Malware Analysis/Reverse Engineering • Penetration Testing • State sponsored attacks SPECIALIZED EXPERIENCE IN: 6+ YEARS PRIOR TO CROWDSTRIKE:
  • 6. 2015 CrowdStrike, Inc. All rights reserved. 6 MOST COMMON BREACH TYPES:  Intellectual Property (IP) Theft  Monetary Theft  Web Server Compromise  Data Destruction  Credential Theft MOST COMMON INITIAL ATTACK VECTORS:  Distributed Denial of Service (DDoS)  Web Server Vulnerabilities  Web Application Vulnerabilities  Misconfigured DMZ Servers  Spear Phishing  Third-party Trust Relationships  Strategic Web Compromise  Weak Authentication Mechanisms  Malicious Insider Threats  SQL Injection 2016 CROWDSTRIKE INC. ALL RIGHTS RESERVED.
  • 7. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. 1: MULTIPLE ATTACKER S In 25% of CrowdStrike’s engagements, we identified multiple distinct adversaries in the client environment. 2: REINFECTION ATTEMPTS On average, adversaries engage in reinfection attempts within two days of comprehensive remediation efforts. 3: SELF DETECTION RATES IMPROVING CrowdStrike has seen a marked increase in the number of organizations self- detecting breaches, far above what has been previously reported. 4: CREDENTIALS A CRITICAL TARGET Regardless of adversary or motivation, the most common goal of attackers is to secure domain and enterprise credentials. 5: COMPROMISED ACCOUNTS HOARDED Unlike large-scale attacks of the past, adversaries no longer need to compromise hundreds of accounts to accomplish their objectives. 6: VARIATION IN DURATION The review of CrowdStrike investigations found wide variation in the duration of investigations. INCIDENT RESPONSE TRENDS
  • 8. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. TRADITIONAL IR = SLOW RESPONSE Customers wait for a remediation plan before any actual remediation work occurs MONTHS MONTHS MANY DAYS WEEKS BREACH DISCOVERY IR START VISIBILITY IR FINISHED REMEDIATE
  • 9. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. INCIDENT RESPONSE SERVICES By providing the client an immediate and comprehensive view into attacker activity, we stop breaches fast. Identify how attackers have been or are accessing the client’s environment Mitigate attackers existing access with appropriate methods Determine methods to track future actions and block future access END GOAL Get customers back to normal business operations quickly
  • 10. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. INVESTIGATIVE METHODOLOGY The power of Falcon Host and Falcon Intelligence provides immediate visibility and threat actor information that informs our remediation efforts – and gets our clients back to business FAST. SERVICES FALCON INTEL FALCON HOST
  • 11. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. IR CASE: BACKGROUND  Client: Research and Technology defense contractor  FBI notified the client of breach February 2015  Data theft occurred over Christmas 2014  Two foreign IP addresses were involved  CrowdStrike Services engaged and responded and on-site within 24 hours
  • 12. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. OVERALL ENGAGEMENT GOALS  GAIN VISIBILITY by deploying technical tools to 200 hosts  ANSWER: Who? What? Where? When? How? - Falcon Host: provides real-time visibility and answers: “What’s happening now?” - Falcon Forensic Collector: provides rear-views, answers: “What happened in the past?” - Deploy network monitoring technology to main egress points MAIN TOOLS USED DURING ENGAGEMENT:
  • 13. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. IR CASE: INFRASTRUCTURE WEAKNESSES  No central logging for any log sources  Local users had administrative privileges  Shared local administrator account enabled  Service accounts with Domain Admin privileges  Flat network (DMZ can access corporate network) THESE ARE TYPICAL INFRASTRUCTURE WEAKNESS CROWDSTRIKE SERVICES ENCOUNTERS
  • 14. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. REARVIEW INSIGHTS WITH FALCON FORENSICS  Services team utilized Falcon Forensics Collector (FFC): Windows console application designed to gather system information for incident response engagements  Collects information such as: drivers, dirlistings, hashes, registry entries, event log entries and much more  Support full disk forensics and established attacker’s past activities  Enables Services team to provide client with instantaneous evidence of attacker activity
  • 15. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. OCT. 13, 2011 - FIRST ATTACKER ACTIVITY: RAN REMOTE EXECUTION UTILITY ON CLIENT’S SERVER IR CASE TIMELINE OF EVENTS JULY 24, 2014: INITIAL DATA THEFT BEGINS ■ Falcon Forensics identified data theft that started and continued to Feb. 2015 ■ Attacker utilized C# Chopper Web Shell components on OWA servers. ■ From July to Nov. 2014, the attacker periodically dumped credentials on the client's domain controller and cached credentials on other hosts in the environment. JULY 14, 2014 - ATTACKER LEVERAGED CREDENTIAL THEFT UTILITIES AND REMOTE ACCESS CAPABILITIES GOAL: ACCESS INFORMATION WITHIN THE CLIENT'S ENVIRONMENT AND ALSO GAIN FUTURE ACCESS. JAN. 15, 2014 – SECOND ATTACKER ACTIVITY: RAN REMOTE SCANNER ON CLIENT SERVER
  • 16. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. FEB. 17, 2015 ATTACKER LEVERAGED THE WEB SHELL ON CLIENT WEB SERVER TO CONDUCT RECONNAISSANCE AND ACCESSED SEVERAL SERVER DIRECTORIES AND FILES IR CASE TIMELINE OF EVENTS – CONTINUED DEC. 25-29 – SECOND DATA THEFT OCCURS: RAN REMOTE EXECUTION UTILITY ON CLIENT’S SERVER FEB. 7, 2015 – FBI NOTIFIES CLIENT OF ATTACK THAT OCCURRED DEC. 25 FEB. 9, 2015 – CROWDSTRIKE IR ENGAGEMENT BEGINS FEB. 17-24: FORENSICS AND REMEDIATION PERIOD: ATTACKER EJECTED FROM CLIENT’S ENVIRONMENT HOURS TO REMEDIATION 100
  • 17. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. IR CASE ATTACK IMPACT Theft of more than 500 GB of proprietary data THE DAMAGE? October 2011 EARLIEST EVIDENCE OF ATTACKER ACTIVITY:  Leveraged web shells as primary backdoor  Used Administrator and Service accounts  Attacker leveraged TeamViewer and Remote Desktop to move laterally  41 pieces of malware and utilities  49 compromised accounts  14 compromised and/or accessed systems ATTACKER TTPs AND THEIR IMPACT:
  • 18. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. FALCON HOST DETECTS AND KEEPS THE ATTACKER OUT
    - After remediation, the attacker returned to the environment, which is common
    - But detecting a returning attacker and reacting quickly is not common
    - From the initial email alert Falcon Host generated, it took the client less than 45 minutes to react and pull the affected systems
    - Client permanently decommissioned the systems
    - We haven’t heard a peep since
  • 19. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. CLIENT RECOMMENDATIONS TO PREVENT FUTURE BREACHES
    - Client should continue to focus on detection
    - Review the logs available
    - Utilize effective host-based and network-based visibility tools to monitor for activity
    - Goals: identify future activity quickly and take remediation actions based on detection
  • 20. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. REMEDIATION-FOCUSED IR = FAST RECOVERY. We start immediately to mitigate damage and remove attackers. [Timeline graphic; recoverable labels: BREACH & DISCOVERY, IR START, REMEDIATE, IR FINISHED; scale markers HOURS and DAYS/WEEKS; FALCON HOST, VISIBILITY, HOURS]
  • 21. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. KEY TAKEAWAYS
    - Expert IR practitioners can leverage your security investments and the latest technology
    - Choose an IR team that partners with clients to ensure effective engagements
    - Effective IR staff prepare you for the future by transferring knowledge to the client’s IT staff
    - Documentation should be clear and recommendations should be actionable
  • 22. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. WE STOP BREACHES. CROWDSTRIKE TOTAL VALUE: ENDPOINT PROTECTION, MANAGED HUNTING, RESPONSE SERVICES, THREAT INTELLIGENCE. [Graphic labels: PEOPLE, PROCESS, TECHNOLOGY, INTELLIGENCE; OUR CUSTOMERS]
  • 23. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. YOUR NEXT STEP: COMPROMISE ASSESSMENT. An IR engagement provides clients an immediate and comprehensive view into attacker activity: 1. Are there signs of current or past targeted attack? 2. Who is the adversary? Can you help eject him? 3. How should we reduce the risk of future attacks?
  • 24. Q & A
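Slide 14 lists the artifacts a collector gathers (directory listings, hashes, and so on) and says those artifacts are what lets the team show a client evidence of past attacker activity. The following is an added example, not CrowdStrike's Falcon Forensics Collector and not code from the deck: a minimal Python triage manifest that records size, modification time and SHA-256 for every file under a root, plus a diff that surfaces files that appeared or changed between two collections. The web-root layout, file names and contents are constructed for the demo.

```python
"""Added example (not Falcon Forensics Collector): a file-system triage manifest
covering the 'directory listings' and 'hashes' artifacts, with a diff between
two collections to surface new or altered files."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """Stream-hash a file so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect_manifest(root):
    """Walk ``root`` and record size, mtime (UTC ISO-8601) and SHA-256 per file.
    Keys are root-relative, '/'-separated paths so manifests from different
    hosts or collection runs compare cleanly."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                st = os.stat(full)
                digest = sha256_of(full)
            except OSError as exc:  # locked or unreadable: record it, do not abort the run
                manifest[rel] = {"error": str(exc)}
                continue
            manifest[rel] = {
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": digest,
            }
    return manifest


def diff_manifests(baseline, current):
    """Files that are new, changed (different hash) or gone since ``baseline``."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(
        p for p in current
        if p in baseline and current[p].get("sha256") != baseline[p].get("sha256")
    )
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed scenario: baseline a web root, then drop a new .aspx page and
    alter a config file, exactly the kind of change a reviewer wants surfaced."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "owa", "auth"))
        with open(os.path.join(root, "owa", "auth", "logon.aspx"), "w") as f:
            f.write("<%-- constructed: legitimate page --%>")
        with open(os.path.join(root, "web.config"), "w") as f:
            f.write("<configuration/>")
        baseline = collect_manifest(root)
        # Changes made after the baseline collection (constructed names).
        with open(os.path.join(root, "owa", "auth", "constructed_page.aspx"), "w") as f:
            f.write("<%-- constructed: page that was not there before --%>")
        with open(os.path.join(root, "web.config"), "w") as f:
            f.write("<configuration><!-- changed --></configuration>")
        return diff_manifests(baseline, collect_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the diff reports one added file (the new .aspx) and one modified file (web.config). In practice the baseline would come from a known-good image or an earlier collection, and the manifest's mtimes feed straight into a timeline alongside event log entries.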
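Slides 15 and 19 together make a point worth seeing in code: the attacker's primary backdoor was a web shell on the OWA servers, and the closing recommendation is to review the logs already available. The following is an added example, not CrowdStrike's code and not from the deck: a Python review of IIS W3C-format log lines that flags repeated POST requests to script paths a web server is not known to serve, the traffic pattern a web shell produces. The allowlist of known endpoints and the log lines are constructed for the example; a real deployment would build the allowlist from the server's actual application inventory.

```python
"""Added example (not CrowdStrike's code): heuristic review of IIS W3C logs for
web-shell-like traffic. Logic: a POST to an .aspx/.ashx/.asmx/.asp resource that
is not a known endpoint, repeated from the same client, deserves a look."""
from collections import defaultdict

# Constructed allowlist of script paths legitimately POSTed to on this hypothetical OWA host.
KNOWN_POST_ENDPOINTS = {
    "/owa/auth.owa",
    "/owa/auth/logon.aspx",
    "/ews/exchange.asmx",
}
SCRIPT_SUFFIXES = (".aspx", ".ashx", ".asmx", ".asp")


def parse_iis_w3c(text):
    """Yield one dict per request, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def suspicious_script_posts(text, min_hits=3):
    """Group POSTs to unknown script paths by (client IP, path); return those
    seen at least ``min_hits`` times, with the timestamps of each request."""
    hits = defaultdict(list)
    for rec in parse_iis_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if rec.get("cs-method") != "POST" or not stem.endswith(SCRIPT_SUFFIXES):
            continue
        if stem in KNOWN_POST_ENDPOINTS:
            continue
        hits[(rec.get("c-ip"), stem)].append(f"{rec['date']} {rec['time']}")
    return {key: times for key, times in hits.items() if len(times) >= min_hits}


# Constructed sample log: ordinary OWA logons plus repeated off-hours POSTs to a
# page that is not in the allowlist (all addresses are documentation ranges).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2015-02-10 08:01:12 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 Mozilla/5.0 302 45
2015-02-10 08:01:30 10.0.0.5 GET /owa/ - 443 user1 203.0.113.10 Mozilla/5.0 200 120
2015-02-10 08:02:01 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.11 Mozilla/5.0 200 30
2015-02-10 02:14:05 10.0.0.5 POST /owa/auth/constructed.aspx - 443 - 198.51.100.7 Mozilla/4.0 200 15
2015-02-10 02:14:09 10.0.0.5 POST /owa/auth/constructed.aspx - 443 - 198.51.100.7 Mozilla/4.0 200 22
2015-02-10 02:14:40 10.0.0.5 POST /owa/auth/constructed.aspx - 443 - 198.51.100.7 Mozilla/4.0 200 1402
2015-02-10 09:00:00 10.0.0.5 POST /ews/exchange.asmx - 443 user2 203.0.113.12 Outlook/15 200 60
"""

if __name__ == "__main__":
    for (client, path), times in suspicious_script_posts(SAMPLE_LOG).items():
        print(f"{client} -> {path}: {len(times)} POSTs, first {times[0]}, last {times[-1]}")
```

Against the sample the only hit is the repeated POSTs to the unlisted page. The allowlist is the important design choice: without it, every legitimate form post looks the same as shell traffic; with it, the review reduces to "script paths that should not be taking POSTs", which is also the list a responder would want to hash and diff against a known-good web root.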

Editor's Notes

  1. Today’s attackers are more brazen and patient than ever – often masquerading as legitimate users while they search the victim’s environment for their most prized data. And the longer these attackers remain undetected, the greater the cost to the business, be that your reputation or loss of IP. Therefore, organizations must detect and respond to incidents as quickly, efficiently and accurately as possible. Join us March 15th as we provide unique insights into how one F500 organization successfully responded to a sustained and sophisticated breach. You’ll hear from the incident responders and digital forensics experts who actually worked the case, and learn the cutting-edge techniques that were used. We will cover topics such as: typical infrastructure weaknesses prevalent in organizations today; how attackers exploit IT infrastructure weaknesses; the prevalence of attacker attempts to re-enter environments, even after full remediation; and how state-of-the-art digital detection and forensics tools like Falcon Host & Falcon Forensics speed remediation by providing immediate visibility AND a rear-view mirror look at past activities.
  2. Typical infrastructure weaknesses prevalent in organizations today; how attackers exploit IT infrastructure weaknesses; the prevalence of attacker attempts to re-enter environments, even after full remediation; how state-of-the-art digital detection and forensics tools like Falcon Host & Falcon Forensics speed remediation by providing immediate visibility AND a rear-view mirror look at past activities.
  3. The CrowdStrike Services team offers the full spectrum of proactive and response services to help customers respond tactically to cybersecurity incidents as well as continually mature and strategically evolve their overall security posture.
  4. Chopper is a feature-rich web shell that gives attackers the ability to manipulate files and databases; it also provides remote command shell access. Q for CS team: how much into the weeds do we want to go to describe attacker methods (i.e. use of the Chopper web shell to exploit an OWA/Exchange server weakness; would we need to point out that Microsoft has since fixed this vulnerability?)
  6. REMIND THE AUDIENCE THAT THE CASE WE JUST STUDIED TOOK 100 HOURS TOTAL FOR FORENSICS AND REMEDIATION. Falcon Intelligence aids Services by providing current IOCs, IOAs and adversary-specific profiles: our team knows what to look for BEFORE an engagement starts. Falcon Host provides immediate visibility to see what attackers are doing. Net result? Remediation efforts are completed in days and weeks, not months. HOWEVER, OUR SERVICES TEAM IS TECHNOLOGY AGNOSTIC: if you have made an investment in another endpoint detection & response tool, our team can make use of it. This is about helping you, the client, remediate the situation.
  7. CrowdStrike Total Value
  8. Next step: establish the status of your environment with a compromise assessment. We will assess your environment for threats that may already have established a presence in your network. We will seek to answer these questions: • Is there currently targeted attack activity affecting your operations? • What can you do to reduce the risk of a targeted attack? • How can you deter and prevent attacks that target your environment and confidential customer information? Of all our proactive services, this is perhaps the most important: perhaps you had a CA six months ago. Great, but do you know what your environment status is now?
  9. Thank you for attending today’s CrowdCast on taking the dwell time out of an incident response engagement. As I mentioned when we started, we’d leave about 10-15 minutes for questions, so if you haven’t already go ahead and post your questions in the Zoom chat window. We’ll do our best to answer as many of these as we can.
  10. So that wraps up this CrowdCast today! Thanks to Eric and Ryan from the CrowdStrike Services team for their valuable time and insights on working quickly to get one of our customers back to business. Visit the URL displayed to learn more. We will send a follow-up email with more information on our Compromise Assessment offering to help you bolster your organization’s security posture.