OPERATIONALIZING THREAT INTELLIGENCE
Adam Meyers, Vice President Intelligence; CrowdStrike
Elia Zaitsev, Sales Engineer; CrowdStrike
USING ACTIONABLE THREAT INTELLIGENCE TO FOCUS SECURITY OPERATIONS
TODAY’S SPEAKERS
2014 CrowdStrike, Inc. All rights reserved.
ADAM MEYERS | VP, INTELLIGENCE
Recognized speaker, trainer, and intelligence expert with 15+ years of cyber security industry experience
10 years in the DIB (Defense Industrial Base) supporting US government customers on topics ranging from wireless and pen testing to IR and malware analysis
@ADAM_CYBER
@CROWDSTRIKE | #CROWDCASTS
ELIA ZAITSEV | SALES ENGINEER
7+ years of IT security industry experience providing sales support and technical implementation of enterprise security products
Currently supports sales of CrowdStrike's Falcon Platform, including endpoint threat detection & response, endpoint activity monitoring, and threat intelligence
#TWITTERHATER
IN THE NEWS
RELEASE OF PUBLIC INDICATORS AND INTELLIGENCE
Operation Aurora
APT 1
Babar
Uroburos
ACTIONABLE INTELLIGENCE
WHAT DO YOU DO WITH INDICATORS?
Enterprise security systems ship with basic out-of-the-box configurations
Detection content needs to be updated at line speed, as fast as new indicators arrive
There is no standard taxonomy for expressing threat intelligence, so every feed and every product describes the same indicator differently
How do you OPERATIONALIZE?
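The three gaps on the previous slide (stock configurations, detection that must keep pace with the feed, no shared taxonomy) are what an operationalization pipeline has to close. The following is an added Python example, not code from this deck or from CrowdStrike: it normalizes a mixed indicator feed into typed records that carry adversary attribution, drops indicators older than a chosen window, and runs the resulting index over log lines. The feed format (indicator,actor,first_seen), the actor names, the indicator values (TEST-NET addresses) and the log lines are all constructed for the example.

```python
"""Added example (not from the deck or from CrowdStrike): normalize a mixed
indicator feed into typed, attributed records, age out stale entries and run
the index over log lines. The feed format, actor names, indicators (TEST-NET
addresses) and log lines are all constructed for illustration."""
import re
from collections import Counter, namedtuple
from datetime import date, timedelta
from urllib.parse import urlparse

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{64})$", re.I)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,}$", re.I)

# value: refanged, lower-cased; kind: ipv4|domain|url|md5|sha256; actor rides with every hit
Indicator = namedtuple("Indicator", "value kind actor first_seen")

def classify(value: str) -> str:
    """Infer the type from the shape; unknown shapes raise rather than become detections."""
    if HASH_RE.match(value):
        return "sha256" if len(value) == 64 else "md5"
    if IPV4_RE.match(value):
        return "ipv4"
    if value.startswith(("http://", "https://")):
        return "url"
    if DOMAIN_RE.match(value):
        return "domain"
    raise ValueError(f"unrecognised indicator: {value!r}")

def parse_feed(text: str) -> list:
    """Assumed feed format: 'indicator,actor,YYYY-MM-DD' per line, '#' comments, defanged values."""
    out = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            raw, actor, seen = (f.strip() for f in line.split(","))
            value = raw.replace("[.]", ".").replace("hxxp", "http").lower()  # refang
            out.append(Indicator(value, classify(value), actor, date.fromisoformat(seen)))
    return out

def build_index(indicators, as_of: date, max_age_days: int) -> dict:
    """Exact-match table. Entries older than max_age_days are dropped (intel from a long-finished
    campaign is mostly noise); a URL also contributes its host, since logs rarely carry the full URL."""
    cutoff = as_of - timedelta(days=max_age_days)
    index = {}
    for ind in indicators:
        if ind.first_seen < cutoff:
            continue
        index[ind.value] = ind
        host = urlparse(ind.value).hostname if ind.kind == "url" else None
        if host:
            index.setdefault(host, Indicator(host, "domain", ind.actor, ind.first_seen))
    return index

def match_log_line(line: str, index: dict) -> list:
    """Indicators hit by one line; tokens split on whitespace, '=', ',' and quotes (key=value or free text)."""
    hits = []
    for token in re.split(r"[\s=,\"']+", line):
        t = token.lower().rstrip(".")
        if t in index:
            hits.append(index[t])
            continue
        parts = t.split(".")
        for i in range(1, len(parts) - 1):  # c2.evil.test -> evil.test, never the TLD alone
            parent = ".".join(parts[i:])
            if parent in index and index[parent].kind == "domain":
                hits.append(index[parent])
                break
    return hits

def actors_seen(results) -> Counter:
    """Hit count per adversary, so triage can start from who is actually in the logs."""
    return Counter(h.actor for _, hits in results for h in hits)

SAMPLE_FEED = """# constructed feed: indicator,actor,first_seen
203.0.113.7,EXAMPLE PANDA,2014-02-01
update.example-evil[.]com,EXAMPLE PANDA,2014-02-01
hxxp://cdn.example-evil[.]com/a.gif,EXAMPLE PANDA,2014-02-03
0123456789abcdef0123456789abcdef,EXAMPLE SPIDER,2014-01-20
198.51.100.250,OLD CAMPAIGN,2013-03-01
"""
SAMPLE_LOGS = [  # constructed proxy, DNS and AV lines
    "2014-02-11T10:22:31Z proxy src=10.0.0.5 dst=203.0.113.7 host=update.example-evil.com",
    "2014-02-11T10:23:05Z dns q=c2.update.example-evil.com a=203.0.113.7",
    "2014-02-11T10:40:12Z dns q=static.cdn.example-evil.com a=203.0.113.9",
    "2014-02-11T11:00:00Z av file=/tmp/a.gif md5=0123456789abcdef0123456789abcdef",
    "2014-02-11T11:05:00Z proxy src=10.0.0.7 dst=198.51.100.250 host=old.example.net",
]

def demo():
    """Index the constructed feed as of 2014-02-11 and scan the constructed logs."""
    index = build_index(parse_feed(SAMPLE_FEED), as_of=date(2014, 2, 11), max_age_days=180)
    results = [(l, h) for l in SAMPLE_LOGS if (h := match_log_line(l, index))]
    return index, results

if __name__ == "__main__":
    for line, hits in demo()[1]:
        print(line, "->", [(h.kind, h.value, h.actor) for h in hits])
```

Two design points carry the slide's argument. Every indicator is typed on the way in and anything of unknown shape is rejected, which is the local substitute for the missing taxonomy: a feed line that is not a hash, address, domain or URL never becomes a rule. The lookup is a plain dictionary, so adding a freshly published indicator is a one-line append and matching stays constant-time per token, which is what "updated at line speed" demands. The 180-day window and the derived-host entry are choices for this example, not part of the deck; the stale 198.51.100.250 entry in the feed is dropped and never fires on the last log line, while the URL indicator still catches a sibling host under cdn.example-evil.com.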
UNCOVER THE ADVERSARY
(the animal in each cryptonym encodes the adversary's country or category of origin)

CHINA
Comment Panda: Commercial, Government, Non-profit
Deep Panda: Financial, Technology, Non-profit
Foxy Panda: Technology & Communications
Anchor Panda: Government organizations, Defense & Aerospace, Industrial Engineering, NGOs
Impersonating Panda: Financial Sector
Karma Panda: Dissident groups
Keyhole Panda: Electronics & Communications
Poisonous Panda: Energy Technology, G20, NGOs, Dissident Groups
Putter Panda: Governmental & Military
Toxic Panda: Dissident Groups
Union Panda: Industrial companies
Vixen Panda: Government

IRAN
Magic Kitten: Dissidents
Cutting Kitten: Energy Companies

INDIA
Viceroy Tiger: Government, Legal, Financial, Media, Telecom

RUSSIA
Energetic Bear: Oil and Gas Companies

NORTH KOREA
Silent Chollima: Government, Military, Financial

CRIMINAL
Singing Spider: Commercial, Financial
Union Spider: Manufacturing
Andromeda Spider: Numerous

HACKTIVIST/TERRORIST
Deadeye Jackal: Commercial, Financial, Media, Social Networking
Ghost Jackal: Commercial, Energy, Financial
Corsair Jackal: Commercial, Technology, Financial, Energy
Extreme Jackal: Military, Government
GET TO KNOW THE ADVERSARY
Don't fear change
Not all behaviors change - good intel and pattern analysis can identify the new TTPs
Consume and operationalize threat intelligence quickly
Threat intelligence is of no help after an incident, or when consumed from a public release long after the campaign finished
INDICATIONS AND WARNINGS: Q1 ZERO DAYS (in chronological order)
17 JAN 2014: Spoofed GIFAS drive-by sites lead to a CVE-2014-0322 exploit
3 FEB 2014: CVE-2014-0497 exploit used to distribute Tapaoux malware
11 FEB 2014: AURORA PANDA uses the VFW website in strategic web compromise (SWC) activity leveraging CVE-2014-0322
14 FEB 2014: SWC campaign affecting NGO/think tank sites leverages CVE-2014-0502
24 MAR 2014: Microsoft identifies CVE-2014-1761 and its limited use in targeted attacks
CASE STUDY: CHINA TARGETING THE OIL SECTOR
STRATEGIC ASSESSMENT OF CHINA'S ENERGY SECTOR, STATE CONTROL & NATIONAL AGENDA, AND CHINA'S DOMESTIC OIL SECTOR
ENERGY SECTOR TARGETING
CHINA: Goblin Panda, Wet Panda, Vixen Panda, Violin Panda, Temper Panda, Poisonous Panda, Comment Panda, Anchor Panda
IRAN: Clever Kitten, Flying Kitten
INDIA: Viceroy Tiger
RUSSIA: Energetic Bear
ACTIVIST: Corsair Jackal, Ghost Jackal
CHINA'S ENERGY SECTOR
Second-largest oil consuming country in the world
Largest oil importer in the world
Investing in international oil assets
Declining domestic oil output
Reinvestment in China's domestic oil sector
CHINA'S ENERGY SECTOR: Total Energy Consumption
[Chart; legible shares only: Hydroelectric Power 6%, Natural Gas 4%, Other Renewables 1%, Nuclear <1%]
STATE CONTROL & NATIONAL AGENDA
383 Plan
863 Plan
Indigenous Innovation
Top Five National Oil Companies: CNPC/PetroChina, Sinopec, CNOOC, Sinochem Group, Zhuhai Zhen Rong Co.
DOMESTIC OIL SECTOR
PRESENT DAY
Mature Oil Basins
Drilling in the Western Provinces
Offshore Shallow-Water Drilling
FUTURE
Deep-Water Drilling
East and South China Seas
Territorial Disputes
TECHNOLOGICAL DEFICIENCIES
Exploration Technologies: 3D and 4D seismic imaging
Oil Spill Prevention Technologies: 2010 and 2011 oil spills in Bohai Bay
Deep-Water Oil Drilling Technologies: 300-3,000 meters deep
Resulting Cyber Espionage
INTELLIGENCE ASSESSMENT
CHINA'S MOTIVATIONS
Looming energy crisis
Declining domestic oil supply
Patent development is slow
Technological deficiencies
TARGETS
Exploration technology: 3D and 4D seismic
Oil spill prevention technology
Deep-water oil drilling technology
ASSESSMENT
Increasing cyber espionage
Increasing Chinese military presence in the East and South China Seas
Increasing corporate espionage to outbid others for international oil assets
ORGANIZATIONS WITH SUPERIOR INTELLIGENCE CAPABILITIES ARE FAR MORE SUCCESSFUL AT MITIGATING TARGETED ATTACKS
INCREASED SHARING OF INDICATORS AND INTELLIGENCE
Organizations have access to far more information than they have ever had before:
OSINT and managed threat intel feeds
Whitepapers
Malware repositories like VirusTotal, Contagio, and VirusShare
Presentations by researchers
The private sector is now capable of building government-level intel capabilities
AN ORGANIZATION'S SUCCESS WILL BE MEASURED BY THE ABILITY TO DETECT, RESPOND, AND MITIGATE THESE PATTERNS OF ATTACK
DEMOS
Data visualization
Packet capture
Log aggregation / SIEM
Threat intelligence
Q & A
For additional information, please contact crowdcasts@crowdstrike.com or intel@crowdstrike.com
CrowdCast Monthly: Operationalizing Intelligence