CrowdCasts Monthly: When Pandas Attack


Description

When Pandas Attack: How to detect, attribute, and respond to malware-free intrusions. What can you do to protect your networks when today’s advanced attackers are evading IOC-based detection? Learn how to find an attacker when there is no malware, no command and control, and no file-based artifacts.

Transcript of CrowdCasts Monthly: When Pandas Attack

Page 1: CrowdCasts Monthly: When Pandas Attack

WHEN PANDAS ATTACK

Dmitri Alperovitch - Chris Scott - Adam Meyers

HOW TO DETECT, ATTRIBUTE, AND RESPOND TO MALWARE-FREE INTRUSIONS

Page 2: CrowdCasts Monthly: When Pandas Attack

TODAY’S SPEAKERS

2014 CrowdStrike, Inc. All rights reserved. 2

@DMITRICYBER

@CROWDSTRIKE | #CROWDCASTS

DMITRI ALPEROVITCH | CO-FOUNDER & CTO Dmitri Alperovitch is the Co-Founder and CTO of CrowdStrike. A renowned computer security researcher, he is a thought leader on cybersecurity policy and state tradecraft. Prior to founding CrowdStrike, Dmitri was a Vice President of Threat Research at McAfee, where he led the company’s global internet threat intelligence analysis and investigations. In 2010 and 2011, Alperovitch led the global team that investigated and brought to light the groundbreaking Operation Aurora, Night Dragon and Shady RAT cyberespionage intrusions, and gave those incidents their names.

Page 3: CrowdCasts Monthly: When Pandas Attack

TODAY’S SPEAKERS

@NETOPSGURU

CHRIS SCOTT | DIRECTOR, SERVICES Christopher Scott has over 15 years of Fortune 500/DoD/DIB business proficiency, including more than 7 years of targeted threat detection and prevention expertise. As a Director at CrowdStrike Services, Christopher supports a variety of engagements, including security reviews, incident response, data loss prevention, insider threat analysis, engineering of threat detection systems, and business continuity and disaster recovery processes. In addition, Christopher assists in building risk recognition systems and advancing the CrowdStrike Services practice.

Page 4: CrowdCasts Monthly: When Pandas Attack

TODAY’S SPEAKERS


@ADAM_CYBER


ADAM MEYERS | VP, INTELLIGENCE Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of Intelligence. Within this role it is Adam’s responsibility to oversee all of CrowdStrike’s intelligence gathering and cyber-adversarial monitoring activities. Adam’s Global Intelligence Team supports both the Product and Services divisions at CrowdStrike and Adam manages these endeavors and expectations.

Page 5: CrowdCasts Monthly: When Pandas Attack


ADVANCED ATTACKERS EVADE IOC-BASED DETECTION HOW CAN YOU FIND AN ATTACK WHEN THERE IS NO MALWARE, NO COMMAND AND CONTROL, AND NO FILE-BASED ARTIFACTS?


Page 6: CrowdCasts Monthly: When Pandas Attack


REAL-WORLD CASE STUDIES

Page 7: CrowdCasts Monthly: When Pandas Attack


LET’S DIVE IN… WHO’S BEHIND THE ATTACK?


Page 8: CrowdCasts Monthly: When Pandas Attack


UNCOVER THE ADVERSARY

CHINA

• Comment Panda: Commercial, Government, Non-profit
• Deep Panda: Financial, Technology, Non-profit
• Foxy Panda: Technology & Communications
• Anchor Panda: Government organizations, Defense & Aerospace, Industrial Engineering, NGOs
• Impersonating Panda: Financial Sector
• Karma Panda: Dissident groups
• Keyhole Panda: Electronics & Communications
• Poisonous Panda: Energy Technology, G20, NGOs, Dissident Groups
• Putter Panda: Governmental & Military
• Toxic Panda: Dissident Groups
• Union Panda: Industrial companies
• Vixen Panda: Government

IRAN

• Magic Kitten: Dissidents
• Cutting Kitten: Energy Companies

INDIA

• Viceroy Tiger: Government, Legal, Financial, Media, Telecom

RUSSIA

• Energetic Bear: Oil and Gas Companies

NORTH KOREA

• Silent Chollima: Government, Military, Financial

CRIMINAL

• Singing Spider: Commercial, Financial
• Union Spider: Manufacturing
• Andromeda Spider: Numerous

HACKTIVIST/TERRORIST

• Deadeye Jackal: Commercial, Financial, Media, Social Networking
• Ghost Jackal: Commercial, Energy, Financial
• Corsair Jackal: Commercial, Technology, Financial, Energy
• Extreme Jackal: Military, Government

Page 9: CrowdCasts Monthly: When Pandas Attack

PARACEL ISLANDS

Disputed Territory

• 16°40′N 112°20′E
• Claimed by:
  – Vietnam (Hoàng Sa Archipelago)
  – People’s Republic of China (Xisha Islands)
  – Taiwan
• Originally occupied by the French in 1938, the islands were taken by Japan and then by China after World War II
• In 1974 armed conflict saw the occupation of the islands by victorious PLA forces over the ARVN. Unified Socialist Vietnam renewed its claims

Page 10: CrowdCasts Monthly: When Pandas Attack

HAIYANG SHIYOU 981

May 2, 2014

• Owned by: CNOOC Group
  – Displacement: 30,670 tons
  – Length: 114 meters
  – Beam: 90 meters
  – Speed: 8 knots
  – Crew: 160
• Mission: Evaluate potential for oil reserves
• In theater 2 May – 16 Jul

Page 11: CrowdCasts Monthly: When Pandas Attack

CHINESE INTRUSION ACTIVITY

May/June

Increasing activity as conflict escalates

Page 12: CrowdCasts Monthly: When Pandas Attack

HD981 OPERATIONS MAY - JULY

Increasing tensions and intrigue

• 2 May: HD981 deployed near the Paracel Islands
• 26 May: Vietnamese fishing boat sinks after a confrontation with Chinese vessels
• June: tensions continue to rise as HD981 moves closer to the Paracel Islands and conducts drilling
• 16 July: HD981 leaves the Paracel Islands in advance of typhoon season and to ‘review data’ from drilling operations

Page 13: CrowdCasts Monthly: When Pandas Attack

ISLAMIC STATE OF IRAQ AND SYRIA (ISIS)

Baiji

Mid June 2014

• Sunni extremists from ISIS begin an advance on the key Iraqi industrial city of Baiji
• 12 June: ISIS vehicles and personnel burn down the courthouse and police station, and release prisoners from the jail
• 18 June: ISIS insurgents begin attacking the Baiji refinery, the largest in Iraq, which has the capacity to refine over 300,000 barrels of oil per day

Page 14: CrowdCasts Monthly: When Pandas Attack

CHINA OIL AT RISK

Top Oil Imports (chart)

Page 15: CrowdCasts Monthly: When Pandas Attack


WHAT HAPPENED? THIS IS A STORY OF THE INCIDENT…


Page 16: CrowdCasts Monthly: When Pandas Attack

CASE STUDY: WEBSHELL ATTACK

• Suspicious Logins Detected within Environment
• Falcon Host Deployed to the Network with CSOC Monitoring
  – Deployment Time is now Hours not Days
  – The Cloud Allows Rapid Deployment and Increased Visibility
• Not Dependent on Hardware
• No Infrastructure to Stand Up
• Visibility on Adversary Actions
  – Webshell Deployments and Usage
  – Usage of Sticky Keys
  – Usage of PowerShell with Custom Encryption

Page 17: CrowdCasts Monthly: When Pandas Attack

CASE STUDY: WEBSHELL ATTACK

• Watching the Adversary Change TTPs in Real-time
  – Uploading New Tools, Monitoring for Logons
• Security Teams able to Respond within Minutes
  – Removal of Infected Machines
  – Memory Capture with Attacker Tools Running
• Reduction in Incident Response Timing
  – Remediate Quicker
  – Reduce the Need for Deep Dive Forensics
  – Reduce the Cost of Incident Response
• Continued Visibility Going Forward
  – Detections Allowing Security Teams to Prevent Attacker Foothold

Page 18: CrowdCasts Monthly: When Pandas Attack

ADVERSARIES ADJUSTING TTPS

Changes to Persistence
• Moving from Workstations back to Servers
• Reducing Footprint

Forensic Evidence Reduction
• Utilizing Memory for Execution, Compression, Exfiltration
• Automated Cleanup Processes

Simplified Toolsets and Communication
• Webshells: Compiled on the Fly, Direct to Memory
• Utilize SSL Certificates on Externally Accessible Sites
• Utilize Custom Encryption within Microsoft PowerShell

Page 19: CrowdCasts Monthly: When Pandas Attack


SECURITY TEAMS MUST ADJUST


New Detection Methods

•  Must be Realtime or Near-Realtime, Sweeping for IOCs is a Losing Proposition

•  Must Detect Credential Theft as it Happens

•  Must Capture Adversaries’ Commands as Forensic Evidence is Being Reduced

Benefits of Detection Methods

•  Able to Respond Quicker

•  Reduce Exposure and Loss

•  Allow Security Teams to Adjust to Adversary TTPs on the Fly

•  Increasing Costs to the Adversary
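Slides 16 through 19 name three adversary actions that left nothing to hash (webshell usage, Sticky Keys, PowerShell with custom encryption) and argue that detection has to key on behaviour as it happens rather than on IOCs swept for afterwards. The Python below, an added example and not CrowdStrike's or Falcon Host's code, expresses those three observations as process-lineage rules and runs them over constructed process-creation events; the ProcessEvent schema, host names, paths and command lines are assumptions. The encoded-PowerShell rule keys on the launch pattern, so a payload that does not decode (the page's "custom encryption" case) is still flagged rather than silently skipped.

```python
"""Lineage-based detections for the malware-free TTPs named in the case study.

Added illustration, not CrowdStrike or Falcon Host code. The ProcessEvent
schema, host names, paths and command lines below are constructed.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record as a host sensor might report it (constructed schema)."""
    host: str
    parent_image: str
    image: str
    command_line: str
    user: str


WEB_WORKERS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a long base64-looking blob.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{40,})", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_webshell(ev: ProcessEvent) -> Optional[str]:
    """A web server worker spawning an interactive shell: commands issued through a webshell.
    No file hash is involved, so a webshell compiled on the fly is caught like a known one."""
    if basename(ev.parent_image) in WEB_WORKERS and basename(ev.image) in SHELLS:
        return f"web worker {basename(ev.parent_image)} spawned {basename(ev.image)}"
    return None


def rule_sticky_keys(ev: ProcessEvent) -> Optional[str]:
    """The 'Sticky Keys' item on the slide (an accessibility-feature replacement) surfaces
    as a SYSTEM console whose parent is winlogon.exe; legitimate logons never look like this."""
    if (basename(ev.parent_image) == "winlogon.exe" and basename(ev.image) in SHELLS
            and ev.user.upper().endswith("SYSTEM")):
        return "SYSTEM shell spawned by winlogon.exe (accessibility-feature replacement)"
    return None


def rule_encoded_powershell(ev: ProcessEvent) -> Optional[str]:
    """PowerShell launched with an encoded payload. A custom-encrypted body will not decode
    as UTF-16 base64; the rule reports it anyway because the launch pattern is the signal."""
    if basename(ev.image) != "powershell.exe":
        return None
    match = ENCODED_ARG.search(ev.command_line)
    if not match:
        return None
    try:
        script = base64.b64decode(match.group(1)).decode("utf-16-le", errors="replace")
        return f"encoded PowerShell: {script.strip()}"
    except binascii.Error:
        return "encoded PowerShell with undecodable payload (custom encoding?)"


RULES: Dict[str, Callable[[ProcessEvent], Optional[str]]] = {
    "webshell": rule_webshell,
    "sticky_keys": rule_sticky_keys,
    "encoded_powershell": rule_encoded_powershell,
}


def detect(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Run every rule over every event; return (host, rule name, detail) per hit."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                hits.append((ev.host, name, detail))
    return hits


def _b64_utf16(text: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE, then base64)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample events: four matching the TTPs on the slides, two benign.
SAMPLE_EVENTS = [
    ProcessEvent("WEB01", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c dir", r"IIS APPPOOL\DefaultAppPool"),
    ProcessEvent("FS02", r"C:\Windows\System32\winlogon.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe", r"NT AUTHORITY\SYSTEM"),
    ProcessEvent("WS17", r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoP -W Hidden -Enc " + _b64_utf16("Write-Host 'constructed sample'"), r"CORP\alice"),
    ProcessEvent("WS17", r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -enc " + "A" * 41, r"CORP\alice"),
    ProcessEvent("WS17", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe", r"CORP\alice"),
    ProcessEvent("WS17", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs", r"NT AUTHORITY\SYSTEM"),
]

if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host:6} {rule:20} {detail}")
```

None of these rules needs an IOC feed: each fires on a parent/child relationship or a launch pattern that the sensor sees at execution time, which is what the slide means by realtime detection over sweeping.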

Page 20: CrowdCasts Monthly: When Pandas Attack


NOW WHAT? HOW DID WE DETECT AND ATTRIBUTE THIS MALWARE-FREE INTRUSION?


Page 21: CrowdCasts Monthly: When Pandas Attack

FALCON HOST TECH OVERVIEW

TECHNOLOGY COMPONENTS
• CLOUD-BASED APPLICATION
• HOST-BASED DETECTION SENSOR

FALCON HOST CORE COMPONENTS
• DETECT: STATEFUL EXECUTION INSPECTION
• RECORD: ENDPOINT ACTIVITY MONITORING
• INTELLIGENCE: ATTRIBUTION ENGINE

Page 22: CrowdCasts Monthly: When Pandas Attack

REAL-TIME STATEFUL EXECUTION INSPECTION

1. Email Received
2. Email Attachment Opened in Acrobat Reader
3. Process Silently Executed
4. Executable Saved in Windows/System32 Folder
5. Executable Hides Itself From Task Manager
6. Executable Modifies Windows Registry to Autostart
7. Executable Calls Out to the Internet
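The seven-step chain on this slide is the kind of sequence stateful execution inspection is meant to catch: no single step is an indicator, but a document reader opening a mail attachment whose descendants then write into System32, set a Run key and connect out is. The Python below, an added example rather than Falcon Host's own detection logic, keeps per-lineage state over a constructed event stream and alerts once a lineage has reached four of the five stages a sensor can observe directly (the executable hiding from Task Manager is not modelled as an event); the event schema, the attachment-cache path markers, the threshold and every path and address are assumptions. The same System32 write, Run-key change and connection performed by an installer outside an attachment-rooted lineage produce no alert, which is the point of carrying state across events.

```python
"""Stateful execution inspection over a constructed event stream.

Added illustration, not CrowdStrike or Falcon Host code. The event schema,
attachment-cache markers, stage names, alert threshold and all paths are
constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    kind: str          # "process_start" | "file_write" | "registry_set" | "network_connect"
    pid: int
    image: str         # image of the acting process
    ppid: int = 0      # parent pid (process_start only)
    target: str = ""   # opened document, written path, registry value or remote endpoint


READERS = {"acrord32.exe", "winword.exe", "excel.exe"}
# Constructed assumption: mail clients cache attachments under paths containing one of these.
ATTACHMENT_MARKERS = ("content.outlook", "\\temp\\attachments\\")
# Stages of the slide's chain that a sensor observes directly. Step 5 on the slide
# (the executable hiding from Task Manager) is omitted: it is not an event in this stream.
STAGES = ["attachment_opened", "child_process", "dropped_in_system32",
          "autostart_registry", "outbound_connection"]


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


class ExecutionInspector:
    """Tracks every lineage that starts with a document reader opening a mail attachment
    and records which stages of the chain that lineage has reached, in the order seen."""

    def __init__(self, alert_at: int = 4):
        self.alert_at = alert_at
        self.chain_of: Dict[int, int] = {}        # pid -> chain id (pid of the reader)
        self.stages: Dict[int, List[str]] = {}    # chain id -> stages seen, in order

    def _note(self, chain: int, stage: str) -> None:
        if stage not in self.stages[chain]:
            self.stages[chain].append(stage)

    def feed(self, ev: Event) -> None:
        if ev.kind == "process_start":
            if basename(ev.image) in READERS and any(m in ev.target.lower() for m in ATTACHMENT_MARKERS):
                self.chain_of[ev.pid] = ev.pid          # a new attachment-rooted lineage
                self.stages[ev.pid] = []
                self._note(ev.pid, "attachment_opened")
            elif ev.ppid in self.chain_of:              # children inherit the chain
                chain = self.chain_of[ev.ppid]
                self.chain_of[ev.pid] = chain
                self._note(chain, "child_process")
            return
        chain = self.chain_of.get(ev.pid)
        if chain is None:
            return   # the same action outside an attachment-rooted lineage carries no state
        if ev.kind == "file_write" and ev.target.lower().startswith("c:\\windows\\system32\\"):
            self._note(chain, "dropped_in_system32")
        elif ev.kind == "registry_set" and "\\currentversion\\run" in ev.target.lower():
            self._note(chain, "autostart_registry")
        elif ev.kind == "network_connect":
            self._note(chain, "outbound_connection")

    def alerts(self) -> Dict[int, List[str]]:
        """Chains that reached the threshold, with the stages observed so far."""
        return {c: list(s) for c, s in self.stages.items() if len(s) >= self.alert_at}


def inspect(events: List[Event], alert_at: int = 4) -> Dict[int, List[str]]:
    insp = ExecutionInspector(alert_at)
    for ev in events:
        insp.feed(ev)
    return insp.alerts()


# Constructed sample stream. Events 2..6 follow the slide's chain; 7..10 are an installer
# doing the same System32 write, Run-key set and connection with no attachment origin;
# event 11 is an attachment opened in Word that goes nowhere.
SAMPLE_EVENTS = [
    Event("process_start", 90, r"C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE", 1),
    Event("process_start", 100, r"C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe", 90,
          r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABCD1234\invoice.pdf"),
    Event("process_start", 200, r"C:\Users\alice\AppData\Local\Temp\upd.exe", 100),
    Event("file_write", 200, r"C:\Users\alice\AppData\Local\Temp\upd.exe", target=r"C:\Windows\System32\wupdsvc.exe"),
    Event("registry_set", 200, r"C:\Users\alice\AppData\Local\Temp\upd.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wupdsvc"),
    Event("network_connect", 200, r"C:\Users\alice\AppData\Local\Temp\upd.exe", target="203.0.113.5:443"),
    Event("process_start", 300, r"C:\Windows\System32\msiexec.exe", 1, "msiexec /i vendor.msi"),
    Event("file_write", 300, r"C:\Windows\System32\msiexec.exe", target=r"C:\Windows\System32\vendor.dll"),
    Event("registry_set", 300, r"C:\Windows\System32\msiexec.exe",
          target=r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\vendor"),
    Event("network_connect", 300, r"C:\Windows\System32\msiexec.exe", target="198.51.100.7:443"),
    Event("process_start", 400, r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE", 90,
          r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABCD1234\memo.docx"),
]

if __name__ == "__main__":
    for chain, stages in inspect(SAMPLE_EVENTS).items():
        print(f"chain rooted at pid {chain}: {' -> '.join(stages)}")
```

The threshold is a tuning knob: at four stages the alert fires when the Run key is set, before the executable has called out, which is the window the case study describes for responding within minutes; raising it to five trades earlier warning for fewer false positives.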

Page 23: CrowdCasts Monthly: When Pandas Attack


LET’S TAKE A LOOK…

ENDPOINT PROTECTION DEMO


Page 24: CrowdCasts Monthly: When Pandas Attack

Q&A

Please enter all questions in the Q&A panel of GoToWebinar

For information on the CrowdStrike Falcon Platform or CrowdStrike Services, contact [email protected]

Page 25: CrowdCasts Monthly: When Pandas Attack