Drawing from CrowdStrike's work, Cayce Beames presents evolving cybersecurity threats, discusses her thoughts on why traditional security is failing, and shares a bit about what this "next generation endpoint protection" is about.
Cayce has been working in technology for over 25 years. From IT systems administration to network engineering and internet security, risk management and compliance auditing, Cayce has consulted with many global corporations and traveled extensively. Cayce is currently a governance, risk and compliance analyst at CrowdStrike and founder of "The Computer Club", a not-for-profit, public-benefit education organization for kids, where she works to inspire kids and adults to address their fear of the unknown and make something awesome with technology.
Evolving Cybersecurity Threats
1. CYBERSECURITY THREATS & NEXT-GEN ENDPOINT PROTECTION
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
2. Cayce Beames
Sr Analyst, GRC at CrowdStrike
25 Years in IT and Security
Really rather technical
Co-founded a kids club to teach electronics, programming and robotics: www.thecomputerclub.org
3. 1 Cybersecurity Threats
2 Attack Vectors
3 Ransomware
4 Why Traditional Security is Failing
5 What is “Next Gen Endpoint Protection?”
6 Questions / Discussion
7. “Legitimate user credentials were used in most hacking related data breaches, with some 81% of them using weak, default, or stolen passwords”
2017 Verizon Data Breach Investigations Report (DBIR)
11. CYBERSECURITY THREATS - ADVERSARIES
Adversaries are: better funded, more sophisticated, more patient.
Attacks are: well planned, quietly executed, often malware free, encrypted, cleaned up, leaving less evidence.
12. NATION STATE ADVERSARY GROUPS
CHINA: ‘PANDA’
RUSSIA: ‘BEAR’
NORTH KOREA: ‘CHOLLIMA’
INDIA: ‘TIGER’
IRAN: ‘KITTEN’
13. ADVERSARY PROFILE: ROCKET KITTEN
OPERATIONAL WINDOW: April 2014 - Present
OBJECTIVES: Recon, Lateral movement, Data Theft
TARGETING: Aerospace, Defense, Government
TOOLS: Word Macros, Core Impact, Gmail C2, FireMalv credential stealer, MPK post-exploitation toolkit
14. OTHER ADVERSARY GROUPS
CRIMINAL (‘SPIDER’): SINGING SPIDER, UNION SPIDER, ANDROMEDA SPIDER
HACKTIVIST / ACTIVIST / TERRORIST (‘JACKAL’): DEADEYE JACKAL, GHOST JACKAL, CORSAIR JACKAL, EXTREME JACKAL, FRATERNAL JACKAL
15. ATTACK VECTORS: A look into a recent case
16. ATTACK: DEMOCRATIC NATIONAL COMMITTEE
Suspected large-scale phishing campaign.
WMI, PowerShell and the known malware SeaDaddy were used; the malware is fully modular for command and control.
IOCs indicated a variation of a known adversary, Fancy Bear.
CrowdStrike observed malicious activity in real time (“hands on keyboard”).
Data was exfiltrated prior to our investigation, but ShimCache showed clear targeting.
DNC IT team reimages infected systems and builds new domain infrastructure.
17. RANSOMWARE
Propagates through an unpatched/unknown (“0-day”) vulnerability
Steals credentials
Propagates further with valid credentials and built-in (aka malware-free) tools such as WMI and psexec
Encrypts data or the master boot record
Asks for the ransom to be submitted in bitcoin
Provides a multi-language call center for support
May or may not decrypt your data, and may destroy your data as well
If email/domains are disabled, decryption keys may not be obtained
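The "malware-free" propagation described on this slide (valid credentials plus WMI and psexec) and the log clearing mentioned in the speaker notes leave traces in ordinary Windows logs. As an added example that is not part of the original talk or of CrowdStrike's products, the following Python runs a few detection heuristics over constructed, simplified event records: PsExec's default service name PSEXESVC in a 7045 service-install event, a child process spawned by WmiPrvSE.exe in a 4688 process-creation event, a 1102 audit-log-cleared event, and one account logging on over the network to many hosts. Field names, the sample values and the fan-out threshold are assumptions.

```python
"""Heuristics for credential-reuse lateral movement (WMI / PsExec) and log
clearing. Input records are constructed, simplified Windows log events, not
real telemetry; field names are assumptions chosen for readability."""
from collections import defaultdict

# Constructed sample events: one account (svc_backup) fans out from 10.0.0.5
# to three workstations, installs PSEXESVC on ws02, spawns cmd.exe via WMI on
# ws03, clears the audit log on ws03; ws04 is benign control data.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 4624, "logon_type": 3, "user": "corp\\svc_backup", "src_ip": "10.0.0.5"},
    {"host": "ws02", "event_id": 4624, "logon_type": 3, "user": "corp\\svc_backup", "src_ip": "10.0.0.5"},
    {"host": "ws03", "event_id": 4624, "logon_type": 3, "user": "corp\\svc_backup", "src_ip": "10.0.0.5"},
    {"host": "ws02", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "ws03", "event_id": 4688, "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "new_process": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "ws03", "event_id": 1102, "user": "corp\\svc_backup"},
    {"host": "ws04", "event_id": 4688, "parent_image": "C:\\Windows\\explorer.exe",
     "new_process": "C:\\Windows\\System32\\notepad.exe"},
]


def detect_lateral_movement(events, fanout_threshold=3):
    """Return a list of (host, rule, detail) findings for the given events."""
    findings = []
    hosts_by_account = defaultdict(set)  # network (type 3) logons per account
    for e in events:
        eid = e["event_id"]
        if eid == 7045 and e.get("service_name", "").upper() == "PSEXESVC":
            # System log 7045: a service was installed; PSEXESVC is PsExec's default name
            findings.append((e["host"], "psexec_service_install", e["image_path"]))
        elif eid == 4688 and e.get("parent_image", "").lower().endswith("\\wbem\\wmiprvse.exe"):
            # Remote Win32_Process.Create shows up as a child of the WMI provider host
            findings.append((e["host"], "wmi_remote_process", e["new_process"]))
        elif eid == 1102:
            # Security log 1102: the audit log was cleared (cleanup activity)
            findings.append((e["host"], "audit_log_cleared", e.get("user", "?")))
        elif eid == 4624 and e.get("logon_type") == 3:
            hosts_by_account[e["user"]].add(e["host"])
    # One credential reaching many hosts over the network is the propagation pattern itself
    for user, hosts in hosts_by_account.items():
        if len(hosts) >= fanout_threshold:
            findings.append(("*", "network_logon_fanout", f"{user} -> {sorted(hosts)}"))
    return findings


if __name__ == "__main__":
    for host, rule, detail in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"{host:5} {rule:24} {detail}")
```

Individually each rule is noisy (administrators use PsExec and WMI too); the value is in correlating them per host and account, which is the timeline an EDR tool builds from the same telemetry.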
19. UNDERTRAINED, UNDEREQUIPPED, UNDERSTAFFED, OVERWORKED
Threats are more complex.
Executives are not the security zealots that the security team is. Security is a steep learning curve for them.
Employees and contractors are pushed harder.
Every budget dollar is scrutinized.
Tools are poorly used or are the wrong ones. Drowning in data. 27% of breaches were reported by a 3rd party!
Processes are poorly executed and poorly automated.
Training … How does your company train?
20. Comparative Analysis
WHY TRADITIONAL SECURITY IS FAILING
Adversary:
Well Funded (State vs Corporation; Organized Crime vs Individual)
More Sophisticated (Better Tooling; Better Trained)
More Patient
Organization Security Teams:
Funding is up, but to what benefit? Is it making a difference?
Not very sophisticated
Too much to do; not enough time
Wrong, or poorly understood tools
Poorly trained
Less patient, too much stress!
21. WISDOM FROM SUN TZU
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
22. Do you know if your endpoints are currently compromised by a sophisticated actor?
Are you protecting your remote users and compute environments against ransomware and other polymorphic threats?
Do your existing security tools stop malware-free breaches?
23. WHAT IS THIS “NEXT GENERATION ENDPOINT PROTECTION” BUSINESS?!
24. NEXT-GEN ENDPOINT PROTECTION
The enterprise endpoint protection platform (EPP) is an integrated solution that has the following capabilities:
Anti-malware
Personal firewall
Port and device control
EPP solutions will also often include:
Vulnerability assessment
Application control and application sandboxing
Enterprise mobility management (EMM)
Memory protection
Endpoint detection and response (EDR) technology (see "Market Guide for Endpoint Detection and Response Solutions")
Data protection such as full disk and file encryption
Endpoint data loss prevention (DLP)
25. Next-Generation Endpoint Protection: Cloud Delivered. Enriched by Threat Intelligence.
MANAGED HUNTING
ENDPOINT DETECTION AND RESPONSE
NEXT-GEN ANTIVIRUS
30. NEXT-GEN AV BENEFITS
PREVENTS ALL TYPES OF ATTACKS
Protect against Known/Unknown Malware
Protect Against Zero-Day Attacks
Eliminate Ransomware
No Signature Updates
No User Impact: Less than 1% CPU overhead
Reduce re-imaging time and costs
BUSINESS VALUE
Machine Learning
IOA Behavioral Blocking
Block Known Bad
Exploit Mitigation
31. TELEMETRY: 170 Countries / 18B Events per day
CORRELATION: Real-time and Retrospective
CAPABILITIES: Detection / Prevention / Forensics
Creates a Behavioral IOA Timeline
FIND THE UNKNOWN UNKNOWNS
33. ENDPOINT DETECTION AND RESPONSE
PREVENT AGAINST SILENT FAILURE
DVR FOR ENDPOINT
BUSINESS VALUE
5 Second Enterprise Search
No Hardware or Storage Costs
Full Spectrum Visibility
Reduced Time to Remediation
BENEFITS
35. MANAGED HUNTING
FINDING THE ADVERSARY So You Don’t Have To
BREACH PREVENTION SERVICES
Team of Hunters Working for You 24 x 7
BUSINESS VALUE
Force Multiplier
Community Immunity
BENEFITS
Reduce Alert Fatigue: Focus on What Matters!
Stop the “Mega” Breach
36. FALCON ENDPOINT PROTECTION PLATFORM
Cloud Delivered
POWERED BY: CROWDSTRIKE THREAT GRAPH™
API
ENRICHED BY: CROWDSTRIKE INTELLIGENCE, CROWDSOURCED INTELLIGENCE, THIRD-PARTY INTELLIGENCE
SERVICES:
FALCON OVERWATCH: Managed Hunting
FALCON HOST: Endpoint Protection
FALCON INTELLIGENCE: Threat Intelligence
37. SUGGESTED READING/VIEWING
Gartner Magic Quadrant for Endpoint Protection Platforms 2017 (public web listing)
http://branden.biz/wp-content/uploads/2017/03/Magic-Quadrant-for-Endpoint-Protection-Platforms-2017.pdf
CrowdStrike Cyber Intrusion Services Casebook
https://www.crowdstrike.com/resources/reports/crowdstrike-cyber-intrusion-services-casebook-2016/
CrowdStrike Global Threat Report
https://www.crowdstrike.com/resources/reports/2015-global-threat-report/
FireEye M-Trends Report
https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html
Verizon Data Breach Investigation Report
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
George Kurtz presenting at Evolve 2017
https://youtu.be/WtmX-a-cayQ
Abusing WMI, BlackHat 2015, Matt Graeber
https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
38. THANK YOU
Please enjoy some refreshments
Cayce Beames
Cayce.Beames@crowdstrike.com
https://www.linkedin.com/in/caycebeames/
Editor's Notes
Better Funded: Nation state, organized crime and hacker collectives
More Sophisticated: Better trained, using more advanced technologies and developed tools taking advantage of undisclosed “zero day” vulnerabilities. Taking more data, not always what we would expect.
More Patient: Taking months to perform reconnaissance without detection
Well Planned: The time spent on reconnaissance, developing new tooling to exploit vulnerabilities,
Quietly Executed: Using techniques to avoid detection, including on-the-box system utilities and encryption.
Cleaned Up: Using secure delete, altering file times, clearing logs