An Inside Look At The WannaCry Ransomware Outbreak
•
2 likes•1,766 views
Gain in-depth information on the massive WannaCry ransomware attack On Friday, May 12, the WannaCry ransomware variant swept the globe. In a short period of time, WannaCry (also known as Wanna Decryptor and WannaCryptor) infected over 230,000 systems in 150 countries. It was a particularly effective piece of malware because it not only encrypted data and held it for ransom, but it also spread like wildfire to other systems. Entire organizations found themselves looking at a ransom note on their screens and wondering what to do next. As the situation continues to unfold, please join us as Adam Myers, VP of Threat Intelligence at CrowdStrike, presents an in-depth look at the WannaCry ransomware. Register for this webcast to learn: -A complete technical understanding of the WannaCry threat -What analysts were seeing on the day of the WannaCry outbreak -How to prevent WannaCry infections and protect against ransomware going forward
Report
Share
Report
Share
Download to read offline
Recommended
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
Learn how to prevent & detect even the most complex “file-less” ransomware exploits
Ransomware continues to evolve as perpetrators develop new exploits with consequences that can be dramatic and immediate. The purveyors of ransomware continue to prosper with adversaries developing new strains such as Zepto and Cerber that are proving to be more challenging than ever. Other exploits can alter programmable logic controller (PLC) parameters and adversely impact mechanical systems. Clearly, new defense approaches are needed because organizations can no longer rely on backups and conventional security solutions to protect them. Join CrowdStrike Senior Security Architect Dan Brown as he offers details on these sophisticated new ransomware threats, and reveals recent innovations designed to offer better protection – including new indicator of attack (IOA) behavioral analysis methodologies that can detect and prevent even the most complex “file-less” ransomware exploits.
Attend this CrowdCast where Dan will discuss:
--The challenges of defending against dangerous new variants, such as Zepto and Cerber
--Real-world examples of ransomware in action and the sophisticated tactics being used by a variety of adversaries
--How the CrowdStrike Falcon cloud-delivered platform can defend your organization against new super strains of ransomware that use sophisticated malware-free tactics
Wannacry | Technical Insight and Lessons Learned
This presentation is an overview of the Ransomware Wannacry. The slides talk about the techniques used and the lessons learned.
How to Replace Your Legacy Antivirus Solution with CrowdStrike
The Time Has Come To Replace Your Antivirus Solution
After decades of frustration and failure, the security industry is ready to replace legacy antivirus systems with more effective solutions. As breaches continue to make headlines, we are left to wonder if anything can really stop modern threats. The answer is yes, but it requires us to approach the problem in a new way. Instead of continually adding functionality and complexity to legacy security architectures, we need a complete reset. This is exactly what CrowdStrike offers with its cloud-delivered endpoint protection platform.
The key to this new approach is going beyond malware to understanding and address cyber threats at every stage of the kill chain. CrowdStrike does this by combining next-gen antivirus, endpoint detection and response (EDR), and a managed threat hunting service – all cloud-delivered with a single lightweight agent.
In this CrowdCast, Dan Larson, Sr. Director of Technical Marketing, will discuss:
- The typical challenges with legacy antivirus implementations and how we solve them
- How CrowdStrike offers a greater level of protection, especially against modern threats
- How cloud-delivered endpoint protection reduces operational burden
- How to migrate from legacy antivirus to CrowdStrike Falcon
Link to on-demand webcast: https://www.crowdstrike.com/resources/crowdcasts/time-come-replace-antivirus-solution/
Cyber Security Extortion: Defending Against Digital Shakedowns
Real world lessons from CrowdStrike Services experts investigating complex cyber extortion attacks
The criminal act of theft is as old as civilization itself, but in the cyber realm new ways to steal your organization's data or profit by holding it hostage, continue to evolve. With each advancement in security technology, adversaries work tirelessly on new techniques to bypass your defenses. This webcast, "Cyber Extortion: Digital Shakedowns and How to Stop Them" examines the evolution of cyber extortion techniques, including the latest "datanapping" exploits. Whether it's an attack on a major movie studio, a massive healthcare system, or a global entertainment platform, recent extortion attempts demonstrate how critical it is to understand today's threat landscape so you can ensure that your organization mounts the best defense possible.
Download this presentation to learn what security experts from the cyber defense frontlines are discussing. Learn about:
•The range of extortion techniques being used today, including commonalities and differences in approaches
•Commodity type ransomware/datanapping vs. hands-on attacks — how are they alike and what are their differences?
•Potential outcomes of paying vs. not paying when attempting to recover data after an attack
•Real world examples of successful attacks and those that were thwarted or mitigated
•Strategies for keeping your organization from being targeted and what to do if you become the victim of a cyber shakedown
ATT&CK Updates- Defensive ATT&CK
Lex Crumpton leads MITRE's defensive ATT&CK efforts. In 2021, they added data sources and detections for monitoring processes interacting with LSASS.exe and detecting credential dumping tools. In 2022, they plan to add more detections and develop the Cyber Analytic Repository to share analytic knowledge. Crumpton invites attendees to learn more about defensive ATT&CK on their website and contact them directly with any other questions.
Cómo la gestión de privilegios puede blindar su negocio contra ransomware y o...
Los ciberdelincuentes han demostrado que siguen encontrando lagunas para llevar a cabo sus ataques de ransomware. Y uno de los recursos clave de que necesitan para tener éxito es el privilegio. Eliminar el privilegio de la ecuación es parte fundamental de la estrategia para proteger a las empresas de ataques que pueden causar daños masivos.
Cyber Threat Hunting Workshop
Slide presentation for Cyber Threat Hunting Workshop at International Telecommunication Union (ITU) Global Cyber Drill 2020 Event.
Ransomware
This presentation is about Ransomware. It tells you about how ransomware creates problem and how it can be removed. It also describes different types of Ransomware.
Recommended
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
Learn how to prevent & detect even the most complex “file-less” ransomware exploits
Ransomware continues to evolve as perpetrators develop new exploits with consequences that can be dramatic and immediate. The purveyors of ransomware continue to prosper with adversaries developing new strains such as Zepto and Cerber that are proving to be more challenging than ever. Other exploits can alter programmable logic controller (PLC) parameters and adversely impact mechanical systems. Clearly, new defense approaches are needed because organizations can no longer rely on backups and conventional security solutions to protect them. Join CrowdStrike Senior Security Architect Dan Brown as he offers details on these sophisticated new ransomware threats, and reveals recent innovations designed to offer better protection – including new indicator of attack (IOA) behavioral analysis methodologies that can detect and prevent even the most complex “file-less” ransomware exploits.
Attend this CrowdCast where Dan will discuss:
--The challenges of defending against dangerous new variants, such as Zepto and Cerber
--Real-world examples of ransomware in action and the sophisticated tactics being used by a variety of adversaries
--How the CrowdStrike Falcon cloud-delivered platform can defend your organization against new super strains of ransomware that use sophisticated malware-free tactics
Wannacry | Technical Insight and Lessons Learned
This presentation is an overview of the Ransomware Wannacry. The slides talk about the techniques used and the lessons learned.
How to Replace Your Legacy Antivirus Solution with CrowdStrike
The Time Has Come To Replace Your Antivirus Solution
After decades of frustration and failure, the security industry is ready to replace legacy antivirus systems with more effective solutions. As breaches continue to make headlines, we are left to wonder if anything can really stop modern threats. The answer is yes, but it requires us to approach the problem in a new way. Instead of continually adding functionality and complexity to legacy security architectures, we need a complete reset. This is exactly what CrowdStrike offers with its cloud-delivered endpoint protection platform.
The key to this new approach is going beyond malware to understanding and address cyber threats at every stage of the kill chain. CrowdStrike does this by combining next-gen antivirus, endpoint detection and response (EDR), and a managed threat hunting service – all cloud-delivered with a single lightweight agent.
In this CrowdCast, Dan Larson, Sr. Director of Technical Marketing, will discuss:
- The typical challenges with legacy antivirus implementations and how we solve them
- How CrowdStrike offers a greater level of protection, especially against modern threats
- How cloud-delivered endpoint protection reduces operational burden
- How to migrate from legacy antivirus to CrowdStrike Falcon
Link to on-demand webcast: https://www.crowdstrike.com/resources/crowdcasts/time-come-replace-antivirus-solution/
Cyber Security Extortion: Defending Against Digital Shakedowns
Real world lessons from CrowdStrike Services experts investigating complex cyber extortion attacks
The criminal act of theft is as old as civilization itself, but in the cyber realm new ways to steal your organization's data or profit by holding it hostage, continue to evolve. With each advancement in security technology, adversaries work tirelessly on new techniques to bypass your defenses. This webcast, "Cyber Extortion: Digital Shakedowns and How to Stop Them" examines the evolution of cyber extortion techniques, including the latest "datanapping" exploits. Whether it's an attack on a major movie studio, a massive healthcare system, or a global entertainment platform, recent extortion attempts demonstrate how critical it is to understand today's threat landscape so you can ensure that your organization mounts the best defense possible.
Download this presentation to learn what security experts from the cyber defense frontlines are discussing. Learn about:
•The range of extortion techniques being used today, including commonalities and differences in approaches
•Commodity type ransomware/datanapping vs. hands-on attacks — how are they alike and what are their differences?
•Potential outcomes of paying vs. not paying when attempting to recover data after an attack
•Real world examples of successful attacks and those that were thwarted or mitigated
•Strategies for keeping your organization from being targeted and what to do if you become the victim of a cyber shakedown
ATT&CK Updates- Defensive ATT&CK
Lex Crumpton leads MITRE's defensive ATT&CK efforts. In 2021, they added data sources and detections for monitoring processes interacting with LSASS.exe and detecting credential dumping tools. In 2022, they plan to add more detections and develop the Cyber Analytic Repository to share analytic knowledge. Crumpton invites attendees to learn more about defensive ATT&CK on their website and contact them directly with any other questions.
Cómo la gestión de privilegios puede blindar su negocio contra ransomware y o...
Los ciberdelincuentes han demostrado que siguen encontrando lagunas para llevar a cabo sus ataques de ransomware. Y uno de los recursos clave de que necesitan para tener éxito es el privilegio. Eliminar el privilegio de la ecuación es parte fundamental de la estrategia para proteger a las empresas de ataques que pueden causar daños masivos.
Cyber Threat Hunting Workshop
Slide presentation for Cyber Threat Hunting Workshop at International Telecommunication Union (ITU) Global Cyber Drill 2020 Event.
Ransomware
This presentation is about Ransomware. It tells you about how ransomware creates problem and how it can be removed. It also describes different types of Ransomware.
Introduction to penetration testing
Introduction to penetration testing
Summary
What’s Pen-testing ?
Why Perform Pen-testing ?
Pen-testing Methodology.
Real world to Pen-testing
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
From ATT&CKcon 3.0
By Haylee Mills, Splunk
Having ATT&CK to identify threats, prioritize data sources, and improve security posture has been a huge step forward for our industry, but how do we actualize those insights for better detection and alerting? By shifting to observations of behavior over one-to-one direct alerts, noisy datasets become valuable treasure troves with ATT&CK metadata. Additionally, we can begin to look at detection and threat hunting on behavior instead of users or systems. In this presentation, Haylee will discuss the shift in mindset and the nuts and bolts of detections that leverage this metadata in Splunk, but the concept can be applied with custom tools to any valuable security dataset.
WannaCry ransomware outbreak - what you need to know
The WannaCry ransomware outbreak shook the world when it occured in May 2017.
This slidedeck looks at the attack, how it was carried out, and its success rate. It also attempts to figure out who was likely to have been behind this devastating cyber attack.
For more information on this outbreak, take a look at these additional resources:
What you need to know about the WannaCry Ransomware: https://www.symantec.com/connect/blogs/wannacry-3
WannaCry: Ransomware attacks show strong links to Lazarus group: https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group
Can files locked by WannaCry be decrypted: A technical analysis: https://medium.com/threat-intel/wannacry-ransomware-decryption-821c7e3f0a2b
Time is Money… and More.- Nuestras Capacidades Regionales de Detección y Resp...
La exposición a ciber-riesgos crece a gran velocidad y, con cada vez más frecuencia, vemos que adversarios muy sofisticados amenazan a las organizaciones en toda LATAM! Descubra cómo hacerles frente con el apoyo de nuestros servicios especializados de CyberSOC y Respuesta a Incidentes (CSIRT).
You Can't Stop The Breach Without Prevention And Detection
The document discusses the need for a balanced approach to endpoint security that includes both prevention and detection. It argues that relying solely on prevention is not sufficient, as attacks will always get through, requiring detection capabilities to identify breaches. Likewise, detection alone is insufficient, as preventing attacks upfront reduces workload. The document outlines the key components needed to properly unify next-generation antivirus and endpoint detection and response, including complete visibility of endpoint activity, large-scale analysis capacity, and the ability to derive insights and indicators of attack from collected data. An integrated approach is advocated that allows prevention and detection to strengthen one another.
Social engineering
Social engineering is a form of hacking that exploits human trust and helpfulness. It is done through impersonation, phone calls, email, or in-person interactions to obtain sensitive information. Anyone can be a target if the social engineer can build rapport and trust. Common techniques include pretending to need technical help, claiming to be from the same organization, or creating a sense of urgency or fear in the target. Education and strict security policies are needed to combat social engineering threats.
ATT&CK Updates- Campaigns
The document introduces the concept of "campaigns" in ATT&CK, which are groupings of intrusion activity tied to a specific adversary, time period, and targets. It notes that campaigns are intended to provide additional context on the evolution of malicious cyber operations and changes in adversary behavior over time. The document outlines the proposed components of campaigns in ATT&CK v12, which include descriptive information, techniques and software used, sectors targeted, and links to relevant adversary groups. It provides examples of existing operations and newly proposed campaigns that would be converted or added to ATT&CK in v12.
WannaCry Ransomware
This presentation lets you understand about the biggest cyber-attack extortion in the history of the internet. It contains all details of what, how and whys of WannaCry Ransomware.
What is Penetration Testing?
This presentation describes penetration testing with a Who, What, Where, When, and How approach. In the presentation, you may discover the common pitfalls of a bad penetration test and you could identify a better one. You should be able to recognize and differentiate both looking at the methods (attitude) and result.
OPSEC for OMBUDSMEN
The document discusses operational security (OPSEC) best practices for social media. It provides tips for identifying critical information exposed on social media, understanding what enemies could learn about you and your family online, and developing countermeasures. The document emphasizes that information shared online is at risk of being made public and used against individuals by enemies. It recommends only sharing information that would be told directly to enemies and assuming any online information could become public.
Cyber Threat Intelligence - It's not just about the feeds
The document discusses cyber threat intelligence and how it can support defensive cyber operations. It defines cyber threat intelligence and outlines different data source types that can be used, including internal incident data and external threat intelligence. It describes the Lockheed Martin Cyber Kill Chain and Diamond Models for structuring threat information and identifying gaps. Actionable threat intelligence requires both internal and external data across the cyber kill chain phases to generate useful context. Threat intelligence can help with incident response, penetration testing, and establishing an intelligence-led defensive posture focused on the most relevant threats.
Ethical Hacking PPT (CEH)
The document discusses Certified Ethical Hacking (CEH). It defines CEH as a course focused on offensive network security techniques. It contrasts ethical hacking with malicious hacking, noting ethical hacking involves identifying vulnerabilities with permission to help strengthen security. It outlines the hacking process and differences between white hat, black hat, and grey hat hackers. Finally, it provides tips for system protection and advantages of ethical hacking over traditional security approaches.
Endpoint Detection & Response - FireEye
This document summarizes a presentation given by Ranjit Sawant of FireEye. The presentation covered the following key points:
1) Attackers are increasingly leveraging COVID-19 themes in cyber attacks, with malicious emails related to COVID-19 increasing fourfold in March 2020. However, these emails still represent a small percentage of overall malicious emails detected.
2) FireEye Endpoint Security provides capabilities to detect and respond to advanced threats, going beyond just malware to track indicators of compromise, behavior, and attacker techniques across the attack lifecycle.
3) The presentation included a war story example of how FireEye Endpoint Security was used to investigate and respond to a sophisticated nation-state attacker targeting an Asian bank.
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
How adversaries use fileless attacks to evade your security and what you can do about it
Standard security solutions have continued to improve in their ability to detect and block malware and cyberattacks. This has forced cybercriminals to employ stealthier methods of evading legacy security to achieve success, including launching fileless attacks, where no executable file is written to disk. Download this presentation provided by CrowdStrike security experts to learn why so many of today’s adversaries are abandoning yesterday’s malware and relying on an evolving array of fileless exploits.
You’ll learn how fileless attacks are conceived and executed and why they are successfully evading the standard security measures employed by most organizations. You’ll also receive guidance on the best practices for defending your organization against these stealthy, damaging attacks.
The following presentation includes:
--How a fileless attack is executed — see how an end-to-end attack unfolds
--Why fileless attacks are having so much success evading legacy security solutions
--How you can protect your organization from being victimized by a fileless attack, including the security technologies and policies that are most effective
Ransomware: Wannacry
I presented this slides in the "Privacy Protection" subject, teached by Prof. Josep Domingo-Ferrer in the Master in Computer Security Engineering and Artificial Intelligence.
Introduction to MITRE ATT&CK
Presentation talks about introduction to MITRE ATT&CK Framework, different use cases, pitfalls to take care about.. Talk was delivered @Null Bangalore and @OWASP Bangalore chapter on 15th February 2019.
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
From ATT&CKcon 3.0
By Jason Wood and Justin Swisher, CrowdStrike
When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypothesis, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that are focusing primarily on the data that is currently being collected to drive the success of a hunt program.
This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.
Threat Hunting
The document is a presentation on threat hunting with Splunk. It discusses threat hunting basics, data sources for threat hunting, knowing your endpoint, and using the cyber kill chain framework. It outlines an agenda that includes a hands-on walkthrough of an attack scenario using Splunk's core capabilities. It also discusses advanced threat hunting techniques and tools, enterprise security walkthroughs, and applying machine learning and data science to security.
Threat Modelling - It's not just for developers
The document discusses threat modeling and describes how to build threat intelligence from first principles when threat data is lacking. It provides background on the author and outlines a plan to discuss protecting networks through specific examples, understanding customers, preparing for conferences, and managing technical debt. Detection techniques and their corresponding ATT&CK techniques are also mapped out.
Evolving Cybersecurity Threats
Drawing from CrowdStrike's work, Cayce Beames will present evolving cybersecurity threats, discussed her thoughts on why traditional security is failing and shared a bit on what this "next generation endpoint protection" is about.
Cayce has been working in technology for over 25 years. From IT Systems Administration to Network Engineering and Internet Security, Risk Management and Compliance Auditing, Cayce has consulted with many Global corporations and traveled extensively. Cayce is currently a governance, risk and compliance analyst at CrowdStrike and founder of the not for profit, public benefit, education for kids organization called "The Computer Club" where she works to inspire kids and adults to address their fear of the unknown and make something awesome with technology.
Cloud-Enabled: The Future of Endpoint Security
As the cost and complexity of deploying and maintaining on-premises security continues to rise, many endpoint security providers have embraced the cloud as the ideal way to deliver their solutions. Yet, incorporating cloud services into legacy architectures limits their ability to fully engage the tremendous power the cloud offers.
CrowdStrike Falcon recognized the value of cloud-delivery from the beginning, developing architecture built from the ground up to take full advantage of the cloud. CrowdStrike’s cloud-powered endpoint security not only ensures rapid deployment and infinite scalability, it increases your security posture by enabling real-time advanced threat protection across even the largest, distributed enterprises.
In this CrowdCast, Jackie Castelli, Sr. Product Manager will discuss:
•The advantages of endpoint protection purpose-built for the cloud – why it allows you to take full advantage of the cloud’s power
•The common concerns organizations face when evaluating cloud-based endpoint security - can privacy and control be assured?
•Real-world examples demonstrating the unique advantages offered by CrowdStrike Falcon’s innovative cloud-powered platform
More Related Content
What's hot
Introduction to penetration testing
Introduction to penetration testing
Summary
What’s Pen-testing ?
Why Perform Pen-testing ?
Pen-testing Methodology.
Real world to Pen-testing
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
From ATT&CKcon 3.0
By Haylee Mills, Splunk
Having ATT&CK to identify threats, prioritize data sources, and improve security posture has been a huge step forward for our industry, but how do we actualize those insights for better detection and alerting? By shifting to observations of behavior over one-to-one direct alerts, noisy datasets become valuable treasure troves with ATT&CK metadata. Additionally, we can begin to look at detection and threat hunting on behavior instead of users or systems. In this presentation, Haylee will discuss the shift in mindset and the nuts and bolts of detections that leverage this metadata in Splunk, but the concept can be applied with custom tools to any valuable security dataset.
WannaCry ransomware outbreak - what you need to know
The WannaCry ransomware outbreak shook the world when it occured in May 2017.
This slidedeck looks at the attack, how it was carried out, and its success rate. It also attempts to figure out who was likely to have been behind this devastating cyber attack.
For more information on this outbreak, take a look at these additional resources:
What you need to know about the WannaCry Ransomware: https://www.symantec.com/connect/blogs/wannacry-3
WannaCry: Ransomware attacks show strong links to Lazarus group: https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group
Can files locked by WannaCry be decrypted: A technical analysis: https://medium.com/threat-intel/wannacry-ransomware-decryption-821c7e3f0a2b
Time is Money… and More.- Nuestras Capacidades Regionales de Detección y Resp...
La exposición a ciber-riesgos crece a gran velocidad y, con cada vez más frecuencia, vemos que adversarios muy sofisticados amenazan a las organizaciones en toda LATAM! Descubra cómo hacerles frente con el apoyo de nuestros servicios especializados de CyberSOC y Respuesta a Incidentes (CSIRT).
You Can't Stop The Breach Without Prevention And Detection
The document discusses the need for a balanced approach to endpoint security that includes both prevention and detection. It argues that relying solely on prevention is not sufficient, as attacks will always get through, requiring detection capabilities to identify breaches. Likewise, detection alone is insufficient, as preventing attacks upfront reduces workload. The document outlines the key components needed to properly unify next-generation antivirus and endpoint detection and response, including complete visibility of endpoint activity, large-scale analysis capacity, and the ability to derive insights and indicators of attack from collected data. An integrated approach is advocated that allows prevention and detection to strengthen one another.
Social engineering
Social engineering is a form of hacking that exploits human trust and helpfulness. It is done through impersonation, phone calls, email, or in-person interactions to obtain sensitive information. Anyone can be a target if the social engineer can build rapport and trust. Common techniques include pretending to need technical help, claiming to be from the same organization, or creating a sense of urgency or fear in the target. Education and strict security policies are needed to combat social engineering threats.
ATT&CK Updates- Campaigns
The document introduces the concept of "campaigns" in ATT&CK, which are groupings of intrusion activity tied to a specific adversary, time period, and targets. It notes that campaigns are intended to provide additional context on the evolution of malicious cyber operations and changes in adversary behavior over time. The document outlines the proposed components of campaigns in ATT&CK v12, which include descriptive information, techniques and software used, sectors targeted, and links to relevant adversary groups. It provides examples of existing operations and newly proposed campaigns that would be converted or added to ATT&CK in v12.
WannaCry Ransomware
This presentation lets you understand about the biggest cyber-attack extortion in the history of the internet. It contains all details of what, how and whys of WannaCry Ransomware.
What is Penetration Testing?
This presentation describes penetration testing with a Who, What, Where, When, and How approach. In the presentation, you may discover the common pitfalls of a bad penetration test and you could identify a better one. You should be able to recognize and differentiate both looking at the methods (attitude) and result.
OPSEC for OMBUDSMEN
The document discusses operational security (OPSEC) best practices for social media. It provides tips for identifying critical information exposed on social media, understanding what enemies could learn about you and your family online, and developing countermeasures. The document emphasizes that information shared online is at risk of being made public and used against individuals by enemies. It recommends only sharing information that would be told directly to enemies and assuming any online information could become public.
Cyber Threat Intelligence - It's not just about the feeds
The document discusses cyber threat intelligence and how it can support defensive cyber operations. It defines cyber threat intelligence and outlines different data source types that can be used, including internal incident data and external threat intelligence. It describes the Lockheed Martin Cyber Kill Chain and Diamond Models for structuring threat information and identifying gaps. Actionable threat intelligence requires both internal and external data across the cyber kill chain phases to generate useful context. Threat intelligence can help with incident response, penetration testing, and establishing an intelligence-led defensive posture focused on the most relevant threats.
Ethical Hacking PPT (CEH)
The document discusses Certified Ethical Hacking (CEH). It defines CEH as a course focused on offensive network security techniques. It contrasts ethical hacking with malicious hacking, noting ethical hacking involves identifying vulnerabilities with permission to help strengthen security. It outlines the hacking process and differences between white hat, black hat, and grey hat hackers. Finally, it provides tips for system protection and advantages of ethical hacking over traditional security approaches.
Endpoint Detection & Response - FireEye
This document summarizes a presentation given by Ranjit Sawant of FireEye. The presentation covered the following key points:
1) Attackers are increasingly leveraging COVID-19 themes in cyber attacks, with malicious emails related to COVID-19 increasing fourfold in March 2020. However, these emails still represent a small percentage of overall malicious emails detected.
2) FireEye Endpoint Security provides capabilities to detect and respond to advanced threats, going beyond just malware to track indicators of compromise, behavior, and attacker techniques across the attack lifecycle.
3) The presentation included a war story example of how FireEye Endpoint Security was used to investigate and respond to a sophisticated nation-state attacker targeting an Asian bank.
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
How adversaries use fileless attacks to evade your security and what you can do about it
Standard security solutions have continued to improve in their ability to detect and block malware and cyberattacks. This has forced cybercriminals to employ stealthier methods of evading legacy security to achieve success, including launching fileless attacks, where no executable file is written to disk. Download this presentation provided by CrowdStrike security experts to learn why so many of today’s adversaries are abandoning yesterday’s malware and relying on an evolving array of fileless exploits.
You’ll learn how fileless attacks are conceived and executed and why they are successfully evading the standard security measures employed by most organizations. You’ll also receive guidance on the best practices for defending your organization against these stealthy, damaging attacks.
The following presentation includes:
--How a fileless attack is executed — see how an end-to-end attack unfolds
--Why fileless attacks are having so much success evading legacy security solutions
--How you can protect your organization from being victimized by a fileless attack, including the security technologies and policies that are most effective
Ransomware: Wannacry
I presented this slides in the "Privacy Protection" subject, teached by Prof. Josep Domingo-Ferrer in the Master in Computer Security Engineering and Artificial Intelligence.
Introduction to MITRE ATT&CK
Presentation talks about introduction to MITRE ATT&CK Framework, different use cases, pitfalls to take care about.. Talk was delivered @Null Bangalore and @OWASP Bangalore chapter on 15th February 2019.
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
From ATT&CKcon 3.0
By Jason Wood and Justin Swisher, CrowdStrike
When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypothesis, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that are focusing primarily on the data that is currently being collected to drive the success of a hunt program.
This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.
Threat Hunting
The document is a presentation on threat hunting with Splunk. It discusses threat hunting basics, data sources for threat hunting, knowing your endpoint, and using the cyber kill chain framework. It outlines an agenda that includes a hands-on walkthrough of an attack scenario using Splunk's core capabilities. It also discusses advanced threat hunting techniques and tools, enterprise security walkthroughs, and applying machine learning and data science to security.
Threat Modelling - It's not just for developers
The document discusses threat modeling and describes how to build threat intelligence from first principles when threat data is lacking. It provides background on the author and outlines a plan to discuss protecting networks through specific examples, understanding customers, preparing for conferences, and managing technical debt. Detection techniques and their corresponding ATT&CK techniques are also mapped out.
What's hot (20)
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
WannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to know
Time is Money… and More.- Nuestras Capacidades Regionales de Detección y Resp...
Time is Money… and More.- Nuestras Capacidades Regionales de Detección y Resp...
You Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And Detection
Cyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feeds
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
Similar to An Inside Look At The WannaCry Ransomware Outbreak
Evolving Cybersecurity Threats
Drawing from CrowdStrike's work, Cayce Beames will present evolving cybersecurity threats, discussed her thoughts on why traditional security is failing and shared a bit on what this "next generation endpoint protection" is about.
Cayce has been working in technology for over 25 years. From IT Systems Administration to Network Engineering and Internet Security, Risk Management and Compliance Auditing, Cayce has consulted with many Global corporations and traveled extensively. Cayce is currently a governance, risk and compliance analyst at CrowdStrike and founder of the not for profit, public benefit, education for kids organization called "The Computer Club" where she works to inspire kids and adults to address their fear of the unknown and make something awesome with technology.
Cloud-Enabled: The Future of Endpoint Security
As the cost and complexity of deploying and maintaining on-premises security continues to rise, many endpoint security providers have embraced the cloud as the ideal way to deliver their solutions. Yet, incorporating cloud services into legacy architectures limits their ability to fully engage the tremendous power the cloud offers.
CrowdStrike Falcon recognized the value of cloud-delivery from the beginning, developing architecture built from the ground up to take full advantage of the cloud. CrowdStrike’s cloud-powered endpoint security not only ensures rapid deployment and infinite scalability, it increases your security posture by enabling real-time advanced threat protection across even the largest, distributed enterprises.
In this CrowdCast, Jackie Castelli, Sr. Product Manager will discuss:
•The advantages of endpoint protection purpose-built for the cloud – why it allows you to take full advantage of the cloud’s power
•The common concerns organizations face when evaluating cloud-based endpoint security - can privacy and control be assured?
•Real-world examples demonstrating the unique advantages offered by CrowdStrike Falcon’s innovative cloud-powered platform
How to Replace Your Legacy Antivirus Solution with CrowdStrike
This document summarizes CrowdStrike's endpoint security product Falcon and argues that it provides more effective protection than legacy antivirus solutions. It notes that antivirus has an efficacy rate of only 45% against modern threats and is ineffective at stopping sophisticated attacks. CrowdStrike's Falcon uses techniques like machine learning, IOAs, and threat intelligence to prevent a wider range of attacks while having a smaller system footprint than antivirus. It also provides detection capabilities like endpoint detection and response to eliminate attack dwell time. The document aims to convince readers to replace their legacy antivirus with CrowdStrike's Falcon.
3 Reasons You Need Proactive Protection Against Malware
3 Reasons You Need Proactive Protection Against Malware
Triangulum - Ransomware Evolved - Why your backups arent good enough
A close look at how leveraging backup and recovery principals with Infrascale can help organizations beat ransomware attacks. Very cool technology which also augments DR/BC preparedness.
Nominum 2016 Fall Data Revelations Security Report
The document provides an analysis of cybersecurity threats based on examining over 100 billion DNS queries per day over a 6 month period. Some key findings include:
- Malicious DNS queries and domains tripled over the period, driven by increased botnet activity, particularly from the Necurs botnet.
- Approximately 5 million new domains are generated daily, with 75% receiving only 1 query, indicating they are likely generated maliciously by domain generation algorithms (DGAs) for command and control of botnets and malware.
- The "Razzie Awards" are given to the worst cyberthreats of 2016, with the Necurs botnet receiving the "Botnet Award" as one of the world
Nominum Data Science Security Report, Fall 2016
Nominum’s “Data Revelations” analyzes some of the biggest cyberthreats impacting organizations and individuals today, including ransomware, DDoS, mobile malware and IoT-based attacks. Since DNS is the launch point for over 90% of cyberattacks, it offers a superior vantage point from which to examine, understand, thwart and proactively prevent threats. By applying machine learning, artificial intelligence, natural language processing and neural networks, Nominum Data Science is able to predict and prevent some of the most sophisticated and dangerous cyberthreats to ever hit the internet.
Ransomware all locked up book
Ransomware is a type of malware that encrypts files on an infected device and demands ransom payment to decrypt the files. It works by preying on human emotions like fear of losing important files. For cybercriminals, ransomware is a lucrative business that earned over $24 million from just 2,453 attacks in 2015. There are three main types - encryption ransomware, master boot record ransomware, and lockscreen ransomware. Ransomware poses a big threat to both individuals and businesses alike, though some myths persist that it only targets one group over another. The document discusses whether to pay ransoms or not.
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
CrowdStrike Falcon with next-gen AV protects your Mac-based organization
If your organization has moved to a Mac-based platform, or are considering it, you may be aware that threats targeting Mac devices are on the rise. A new webcast from CrowdStrike, "Defending Against Threats Targeting the Mac Platform" discusses how the increase in Mac adoptions has given rise to a new class of targeted threats and explains why standard security solutions can't protect you.
In this CrowdCast, Peter Ingebrigtsen, as discussed why more companies are switching to the Mac platform, the new threats targeting Macs, and what you can do to better protect your organization.
Download the slides to learn:
Why more IT departments are switching to the Mac platform
How new threats targeting Macs are able to bypass standard security measures
How CrowdStrike's next-gen AV employs machine learning and behavioral analytics to defend against threats aimed at the Mac platform
On-Demand CrowdCast Link: https://www.crowdstrike.com/resources/crowdcasts/defending-threats-targeting-mac-platform/
Crypto trap for social media 9.4.2016
TrapX CryptoTrap™ helps enterprises detect and defeat ransomware. The CryptoTrap deception technology deceives attackers and lure them away from an organization’s valuable assets.
Combating Insider Threats – Protecting Your Agency from the Inside Out
When Edward Snowden leaked classified information to the mainstream media, it brought the dangers posed by insider threats to the forefront of public consciousness, and not without reason. Today’s agencies are drowning in fears surrounding sophisticated cyber-attacks but perhaps the most concerning type of attack out there – the insider threat. According to Forrester, abuse by malicious insiders makes up 25% of data breaches. Learn about the best practices and technologies you should be implementing now to avoid becoming the next victim of a high-profile attack.
- Become aware of the different types of insider threats, including their motives and methods of attack
- Understand why conventional security tools like firewalls, antivirus and IDS/IPS are powerless in the face of the insider threat
- Gain clarity on the various technologies, policies and best practices that should be put in place to help detect and thwart insider threats
- Discover how network logs, particularly NetFlow, can be used to cost-effectively monitor for suspicious insider behaviors that could indicate an attack
- Know about emerging attack methods such as muleware that could further escalate insider threats in the coming years
Debunked: 5 Myths About Zero Trust Security
In 2018, Zero Trust Security gained popularity due to its simplicity and effectiveness. Yet despite a rise in awareness, many organizations still don’t know where to start or are slow to adopt a Zero Trust approach.
The result? Breaches affected as many as 66% of companies just last year. And as hackers become more sophisticated and resourceful, the number of breaches will continue to rise.
Unless organizations adopt Zero Trust Security. In 2019, take some time to assess your company’s risk factors and learn how to implement Zero Trust Security in your organization.
Ransomware: 2016's Greatest Malware Threat
Ransomware has troubled many individuals and companies and it has been called the greatest malware threat of 2016. Learn how it works and how to protect yourself.
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Targeted ransomware attacks have grown significantly in recent years, targeting organizations specifically. These attacks spread to pre-selected organizations through methods like spear phishing and exploiting vulnerabilities. They encrypt files on multiple computers within an organization, demanding high ransom amounts from the few victims affected. The document discusses the growth of targeted ransomware gangs since 2017 and recommends defenses like backing up data, securing remote access points, and using PowerShell monitoring to help detect these threats.
Supersized Security Threats – Can You Stop 2016 from Repeating?
2016 was a year in which everything was bigger – bigger breaches, larger attacks, and bigger repercussions. Whether it was the evolution of DDoS attacks into the record-shattering Mirai botnet that disrupted large portions of the internet or insidious commercial banking Trojans available for sale as ready-made malware kits, the tone of cyberattacks darkened in 2016 while illuminating one key fact: many companies are not applying basic security fundamentals to their IT environments.
Attend this webinar to learn:
The top-level security trends from 2016, and what it could mean for 2017, including the political and intellectual property concerns stemming from large-scale data leaks
Why classic attack vectors continue to be a weapon of choice for those seeking to disrupt operations and steal data
Why a lower attack rate for the average security client may not be good news
What steps your organization can take to protect against these attacks
Moving Sucks. Making Secure Cloud Migration Painless
This document discusses considerations for securely migrating to the cloud. It notes that cloud migration can provide benefits like scalability, flexibility and reduced costs, but also introduces security challenges due to shared responsibility models. It emphasizes that the largest threat is unknown risks and that customers are responsible for 95% of cloud security failures. The document provides advice on planning migrations, addressing shared security responsibilities, and ensuring cloud security practices like logging, monitoring and access control. It promotes the services of Armor for managing cloud security risks and migrations.
Ransomware - Friend or Foe
The document discusses ransomware, including its definition, evolution, types, targets, top strains of 2016, trends of 2016-2017, a case study, and advice on protecting yourself. Ransomware is a type of malware that encrypts files on an infected device and demands ransom for the decryption key. The top ransomware strains of 2016 included Locky, TeslaCrypt, and HDDCryptor. Trends show ransomware growing significantly and targeting more organizations and individuals. Effective backups and awareness are key to protecting yourself.
Lessons learned from 2017 cybersecurity incidents, 2018 and beyond
This document discusses lessons learned from major cybersecurity incidents in 2017 and preparations for 2018. It begins with a review of major cyber attacks in 2017, including WannaCry, NotPetya, and data breaches at Equifax and Uber. It then discusses how these incidents could have been prevented through measures like patching systems, using up-to-date antivirus software, and implementing two-factor authentication. The document concludes by recommending best practices for operators to prevent future attacks, such as regular patching, disabling outdated protocols, and implementing awareness programs and security governance processes.
Analytical Driven Security - Chip Copper
This document discusses security challenges in an increasingly connected world and Brocade's approach to addressing them. It makes three key points:
1) Static security measures alone are no longer sufficient due to rising complexity, connectivity and evolving threats. Dynamic, data-driven security is needed.
2) Brocade is developing a platform approach to enable network-based security innovation through virtualization, software-defined networking, analytics and machine learning.
3) Brocade's strategy involves combining static security best practices with a "data fabric" and machine learning techniques to enable predictive, adaptive security behaviors like anomaly detection and threat prevention.
Zscaler ThreatLabz dissects the latest SSL security attacks
The occurrence of SSL-based threats are continuing to rise. Hackers are getting more and more creative in how they deliver threats, which creates new inspection challenges. Attend this webcast to discuss the latest attack trends, and best practices you can employ within your Zscaler installation to bolster your security.
Similar to An Inside Look At The WannaCry Ransomware Outbreak (20)
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrike
3 Reasons You Need Proactive Protection Against Malware
3 Reasons You Need Proactive Protection Against Malware
Triangulum - Ransomware Evolved - Why your backups arent good enough
Triangulum - Ransomware Evolved - Why your backups arent good enough
Nominum 2016 Fall Data Revelations Security Report
Nominum 2016 Fall Data Revelations Security Report
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside Out
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Supersized Security Threats – Can You Stop 2016 from Repeating?
Supersized Security Threats – Can You Stop 2016 from Repeating?
Moving Sucks. Making Secure Cloud Migration Painless
Moving Sucks. Making Secure Cloud Migration Painless
Lessons learned from 2017 cybersecurity incidents, 2018 and beyond
Lessons learned from 2017 cybersecurity incidents, 2018 and beyond
Zscaler ThreatLabz dissects the latest SSL security attacks
Zscaler ThreatLabz dissects the latest SSL security attacks
More from CrowdStrike
State of Endpoint Security: The Buyers Mindset
Where is endpoint security headed? How do your priorities and capabilities compare to those of your peers?
As the battle against breaches rages on, many enterprises are focused on revamping their endpoint security strategy – from enhancing efficacy to reducing complexity and agent bloat. A new webcast, “State of the Endpoint: The Buyer Mindset,” discusses the current state of endpoint security and offers insights from an all-star panel of thought leaders, including Internationally recognized cybersecurity leader and CrowdStrike Co-founder Dmitri Alperovitch, VP of Product Marketing Dan Larson, and other experts as they discuss today’s most important security issues. Join them as they explore the findings from a new research report, “Trends in Endpoint Security: A State of Constant Change,” a study conducted by ESG and commissioned by CrowdStrike and other technology vendors. The panel will provide their impressions of the data in the survey and how the viewpoints revealed mesh with current technology trends, offering insights that can help inform your security strategy going forward.
Join this webcast to learn:
-The current state of Antivirus (AV) including how many organizations are choosing to change vendors and why
-Best of breed vs. comprehensive suites – which approach do your peers prefer and what are the advantages and challenges of each?
-How solutions are affecting endpoints and your IT Security peers, including the increase in agents installed and the impact of increased complexity
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Falcon OverWatch Experts Hunt 24/7 To Stop Incidents Before They Become Breaches
Is your IT security team suffering from alert fatigue? For many organizations, chasing down every security alert can tax an already overburdened IT department, often resulting in a breach that might have been avoided. Adding to this challenge is an increase in sophisticated threats that strike so fast and frequently, traditional methods of investigation and response can’t offer adequate protection.
A new webcast from CrowdStrike, “Proactive Threat Hunting: Game-Changing Endpoint Protection Above and Beyond Alerting,” discusses why so many organizations are vulnerable to unseen threats and alert fatigue, and why having an approach that is both reactive and proactive is key. You’ll also learn about Falcon OverWatch™, CrowdStrike’s proactive threat hunting service that investigates and responds to threats immediately, dramatically increasing your ability to react before a damaging breach occurs.
Download the webcast slides to learn:
--How constantly reacting to alerts prevents you from getting ahead of the potentially damaging threats designed to bypass standard endpoint security
--Why an approach that includes proactive threat hunting, sometimes called Managed Detection and Response, is key to increasing protection against new and advanced threats
--How CrowdStrike Falcon OverWatch can provide 24/7 managed threat hunting, augmenting your security efforts with a team of cyber intrusion detection analysts and investigators who proactively identify and prioritize incidents before they become damaging breaches
Bear Hunting: History and Attribution of Russian Intelligence Operations
Learn about the history of Russian intelligence influence operations and the cyber actors implementing them today.
In June 2016, CrowdStrike exposed unprecedented efforts by Russian intelligence services to interfere in the U.S. election via the hacking and subsequent leaking of information from political organizations and individuals. Election manipulation was not a new activity for the Russians - they have engaged in these influence operations consistently for the better part of the last two decades inside and outside of Russia.
In this CrowdCast, CrowdStrike experts Adam Meyers, VP of Intelligence, and Dmitri Alperovitch, Co-Founder & CTO, will provide a detailed overview of the history of Russian intelligence influence operations going back decades and provide a deep dive overview of various BEAR (including FANCY BEAR AND COZY BEAR) intrusion sets and their tactics, techniques and procedures (TTPs). They will also discuss the considerable attribution evidence that CrowdStrike has collected from a variety of investigations into their operations and lay out the case for the Russian government connection to these hacks.
Battling Unknown Malware with Machine Learning
The document discusses how machine learning can be used to battle unknown malware. It provides examples of using machine learning techniques like feature selection, dimensionality reduction, and classification on military personnel data and malware samples. While machine learning is effective against most malware, it is not enough on its own as many attacks do not use malware. A comprehensive prevention approach is needed to address the full spectrum of threats.
Java Journal & Pyresso: A Python-Based Framework for Debugging Java
Despite the multitude of Java decompilers available, we often have the need to debug or trace malicious or obfuscated Java bytecode. Existing Java debuggers and tracers are mostly targeted towards Java developers, are closed-source, and are not meant to handle malicious or obfuscated targets. We present a new open-source cross-platform framework for debugging Java, written completely in Python, designed specifically for reverse engineering. We also present a Java method call tracer as a sample Python application that utilizes this framework.
Venom
Dive into to the fascinating journey of this year’s VENOM vulnerability discovery. Learn how hypervisors work and where researchers should look for critical vulnerabilities. Find out how the VENOM vulnerability was found and why it went unnoticed for so many years. At Ruxcon 2016, Jason Geffner discussed the challenges of a coordinated vendor disclosure process.
CrowdCasts Monthly: When Pandas Attack
This document summarizes a CrowdStrike webinar on detecting advanced malware-free intrusions. It describes three speakers from CrowdStrike - Dmitri Alperovitch, Chris Scott, and Adam Meyers. The webinar then discusses how adversaries like China and various state-sponsored and criminal groups are adapting their tactics to evade detection, and how security teams must also adapt detection methods to focus on real-time monitoring rather than indicators of compromise. The webinar includes a case study of detecting a webshell attack in near real-time using CrowdStrike Falcon Host and concludes with a demonstration of its endpoint protection capabilities.
CrowdCast Monthly: Operationalizing Intelligence
In today’s threat environment, adversaries are constantly profiling and attacking your corporate infrastructure to access and collect your intellectual property, proprietary data, and trade secrets. Now, more than ever, Threat Intelligence is increasingly important for organizations who want to proactively defend against advanced threat actors.
While many organizations today are collecting massive amount of threat intelligence, are they able to translate the information into an effective defense strategy?
View the slides now to learn about threat intelligence for operational purposes, including real-world demonstrations of how to consume intelligence and integrate it with existing security infrastructure.
Learn how to prioritize response by differentiating between commodity and targeted attacks and develop a defense that responds to specific methods used by advanced attackers.
CrowdCasts Monthly: Going Beyond the Indicator
Learn more about CrowdStrike Services. Request a free consultation on Proactive Response and Incident Response offerings: response.crowdstrike.com/services/
CrowdCasts Monthly: You Have an Adversary Problem
You Have an Adversary Problem. Who's Targeting You and Why?
Nation-States, Hacktivists, Industrial Spies, and Organized Criminal Groups are attacking your enterprise on a daily basis. Their goals range from espionage for technology advancement and disruption of critical infrastructure to for-profit theft of trade secrets and supporting a political agenda. You no longer have a malware problem, you have an adversary problem, and you must incorporate an intelligence-driven approach to your security strategy.
During this CrowdCast, you will learn how to:
Incorporate Actionable Intelligence into your existing enterprise security infrastructure
Quickly understand the capabilities and artifacts of targeted attacked tradecraft
Gain insight into the motivations and intentions of targeted attackers
Make informed decisions based off of specific threat intelligence
CrowdCasts Monthly: Mitigating Pass the Hash
Sixteen years later and Pass the Hash (PtH) is still one of the most common techniques a targeted attacker can use to compromise a network. There have been many blogs, webinars, and papers covering different PtH mitigation strategies. With all the information about this particular security vulnerability, networks are still continuously attacked and infiltrated using this technique. It is time to look at the problem from a holistic approach and apply the communities' collective intelligence to make this process one of the most difficult for a targeted attacker to use.
End-to-End Analysis of a Domain Generating Algorithm Malware Family
This document summarizes the analysis of a domain generating algorithm (DGA) malware family. Key points include:
- The malware uses inline code obfuscation and encrypted strings to hide its functionality and communication domains. Researchers were able to deobfuscate the code and decrypt the strings to analyze the malware.
- Clues in decrypted strings suggest the malware author is Romani, including references to Romani singers in template strings.
- The malware generates domain names by concatenating two randomly selected words from a dictionary and appending ".net". This allows it to generate many domain variations to communicate with its command and control servers.
- The DGA algorithm uses a 15-bit seed value derived from the
TOR... ALL THE THINGS
The global Tor network and its routing protocols provide an excellent framework for online anonymity. However, the selection of Tor-friendly software for Windows is sub-par at best.
Want to anonymously browse the web? You’re stuck with Firefox, and don’t even think about trying to anonymously use Flash. Want to dynamically analyze malware without letting the C2 server know your home IP address? You’re outta luck. Want to anonymously use any program that doesn’t natively support SOCKS or HTTP proxying? Not gonna happen.
While some solutions currently exist for generically rerouting traffic through Tor, these solutions either don’t support Windows, or can be circumvented by malware, or require an additional network gateway device.
Missed the live session at Black Hat USA 2013? Check out the slides from Jason Geffner's standing room only presentation! Jason released a free new CrowdStrike community tool to securely, anonymously, and transparently route all TCP/IP and DNS traffic through Tor, regardless of the client software, and without relying on VPNs or additional hardware or virtual machines.
End-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper
The document provides an overview of domain generating algorithms (DGAs) used by malware to dynamically determine remote server addresses and evade detection. It details the analysis performed on a malware family submitted to CrowdStrike, including deobfuscating the binary, analyzing its DGA and network functionality, sinkholing domains, and investigating the malware author. The family has been active for at least six years and infects thousands of devices.
TOR... ALL THE THINGS Whitepaper
This document introduces Tortilla, software designed to allow security researchers to safely and anonymously interact with hostile servers and actors online. It discusses how traditional malware research was more passive, but now requires actively monitoring adversary infrastructure. The Tor network and Tor Browser Bundle are described as existing solutions for anonymity, but they have limitations like only supporting the Firefox browser and not plugins. Tortilla aims to address these issues by providing a more robust anonymity solution.
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
This document discusses a technique for regaining control of a disk in the presence of a bootkit by leveraging the crash dump stack in Windows. It provides background on the crash dump stack and how it differs from the normal I/O path. It then describes how identifying and calling the crash dump port and miniport drivers allows sending I/O requests outside of the normal path to bypass bootkit filters and read/write directly to disk. The document concludes with an overview of how this technique can be demonstrated against the TDL4 bootkit.
Hacking Exposed Live: Mobile Targeted Threats
The document introduces CrowdStrike speakers George Kurtz, Georg Wicherski, and Alex Radocea. It then discusses the evolution of threats from commercial remote access tools (RATs) to targeted RATs and advanced threats. Examples of commercial RATs like FlexiSPY and targeted RATs like LuckyCat are analyzed. The feasibility of developing exploits and native Android RATs is also explored.
Be Social. Use CrowdRE.
CrowdRE is an IDA Pro plugin that enables collaborative reverse engineering by allowing analysts to share and synchronize analysis results for malware samples. It uses a version control-like system to manage annotations on functions and types, and features fuzzy matching to import relevant annotations from other analysts who have worked on similar code. The tool aims to improve efficiency of malware analysis by facilitating distributed and collaborative work between reverse engineers.
More from CrowdStrike (18)
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Bear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence Operations
Java Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging Java
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper
End-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
Recently uploaded
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
A tale of scale & speed: How the US Navy is enabling software delivery from l...
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Video Streaming: Then, Now, and in the Future
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
UiPath Test Automation using UiPath Test Suite series, part 6
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Communications Mining Series - Zero to Hero - Session 1
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Climate Impact of Software Testing at Nordic Testing Days
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Microsoft - Power Platform_G.Aspiotis.pdf
Revolutionizing Application Development
with AI-powered low-code, presentation by George Aspiotis, Sr. Partner Development Manager, Microsoft
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
ここ3000字までしか入らないけどタイトルの方がたくさん文字入ると思います。
Full-RAG: A modern architecture for hyper-personalization
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar
Artificial Intelligence for XMLDevelopment
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
National Security Agency - NSA mobile device best practices
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
20240609 QFM020 Irresponsible AI Reading List May 2024
Everything I found interesting about the irresponsible use of machine intelligence in May 2024
Recently uploaded (20)
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
An Inside Look At The WannaCry Ransomware Outbreak
- 1. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. AN INSIDE LOOK AT THE WANNACRY RANSOMWARE OUTBREAK ADAM MEYERS – VICE PRESIDENT, INTELLIGENCE CHRIS WITTER – SR. DIRECTOR, HUNTING OPERATIONS
- 2. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. Threat Intelligence Report on WannaCry WannaCry: The Analyst Perspective Stopping WannaCry Q&A
- 3. ADAM MEYERS § VP, Intelligence CrowdStrike § Security Researcher § Former DIB Contractor A LITTLE ABOUT ME:
- 4. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. WE STOP BREACHES Next Generation Endpoint Intelligence Services
- 5. 2016: THE YEAR OF RANSOMWARE 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. § Over 175 new ransomware families introduced in 2016 § Method of choice for developing and new criminal operators § Growing popularity within the criminal community § FBI reports a 300% increase of ransomware cases compared to 2015
- 6. MAJOR RANSOMWARE FAMILIES 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. SamasEarly 2016 Continues…CerberMarch 2016 CryptXXXApril 2016 October 2016 CryptoWall April 2016June 2014 TeslaCryptEarly 2015 May 2016 LockyJanuary 2016 CryptFile2March 2016 Petya/Mischa/GoldeneyeMarch 2016 TorrentLocker Continues…Early 2014 Continues… Continues… Continues… Continues… Continues…
- 7. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. WANNACRYSelf propagating ransomware leveraging ShadowBrokers exploit package § Trade Craft § AES-128 § Targets 177 file types for encryption § DNS Kill Switch § SMB exploit (MS-17010) § Complex Architecture § Unpacked 8 files plus directory with Ransom messages in various languages § Resource name XIA, a password- protected ZIP (WNcry@2ol7) § TOR C2 (contains Tor Package) § RSA 2048-bit key PKI § Multiple Bitcoin Addresses used for receipt of payment
- 8. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. Wannacry Development Timeline Continuous Development 9 February 2017 WannaCry Variant #1 12 May 2017 WannaCry Variant #3 28 April 2017 WannaCry Variant #2 14 April 2017 “Lost in Translation” ShadowBrokers Release 14 March 2017 Microsoft issues numerous patches including MS- 17010 29 April 2017 Initial ETERNAL BLUE exploitation 13 May 2017 Modified WannaCry redistributed
- 9. Christopher Witter § Senior Manager Falcon OverWatch § 15 years DFIR experience. A LITTLE ABOUT ME:
- 10. FALCON OVERWATCH DATA & PROCESS FLOW CUSTOMER ENDPOINTS CONTINUOUS ENDPOINT DATA 1 FALCON UI • Detection details • EAM investigation • Intelligence/Actors 2 OVERWATCH ANALYTICS PLATFORM • Falcon data streams • Hunting triggers • Advanced analytics • Business logic 3 • Strategic analysis • Atomic + Behavioral + Anomaly detection • Rapid intrusion triage and scoping OVERWATCH HUNTERS 4 • Notification of intrusions/breaches • Expert operators <--> Support channel 5 CROWDSTRIKE CLOUD Patented Threat Graph ™
- 11. 2015 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. WHAT DO WE KNOW? § 4/14 The Shadow Brokers dump more goodness into the public domain both exploits and utilities, particularly SMB related.
- 12. 2015 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. 4/18 FIRST OBSERVED
- 13. 2015 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. ITEMS OF DISTINCTION § (5) Cases all identical in nature § Externally facing assets § LSASS Password Dumping detections § All shared an identical DLL written during the attack § No post exploit Action on Objectives § (3) Commands all run in succession § Net group /domain § Net group ”domain admins” /domain § Nltest /domain_trust
- 14. 2015 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. 5/12 -> WANNACRY
- 15. STOPPING RANSOMWARE THE CROWDSTRIKE APPROACH 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
- 16. Machine Learning • Prevents the execution of the WannaCry executable • Our ML model in VirusTotal from January identified an early WannaCry variant on Feb 20 • That same ML model blocked the WannaCry that struck on May 12
- 18. WHAT HAPPENS IF YOU MISS? 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
- 19. Suspicious Process Blocking • If ML misses, we still catch WannaCry when Windows task scheduler tries to run it • This IOA is generic and can identify and block almost any malicious process
- 21. RANSOMWARE IOA
- 22. Ransomware IOA Blocking • I can’t show you an IOA block for WannaCry because it never made it this far
- 23. 2015 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. DEMONSTRATION § WannaCry infection and propagation § Stop with machine learning § Stop variant while offline § What happens if ML misses? § Stop propagation § Visibility into everything
- 26. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. Questions? Please submit all questions in the Q&A chat right below the presentation slides Contact Us Additional Information Join Weekly Demos crowdstrike.com/productdemos Featured Asset: Falcon Test Drive Link in Resource List Website: crowdstrike.com Email: info@crowdstrike.com Number: 1.888.512.8902 (US)