40 John Titmus-Crowdstrike.Pdf

4th Annual Information Security Conference for the Financial Sector

ARTIFICIAL INTELLIGENCE AND MACHINE LEARNING, HOW IT CAN HELP YOU WITH THE LATEST THREATS

JOHN TITMUS, DIRECTOR & STRATEGY ADVISOR - CROWDSTRIKE

- Director and Strategy Advisor at CrowdStrike

- Provides strategic advise as a trusted advisor

- Helps prevents organisations from being breached WE SEE 2 INTRUSIONS EVERY HOUR… 24 hours a day, 7 days a week! Around 1440 Intrusions a month! CURRENT LANDSCAPE

. We have tracked reduced level of targeted intrusion activity by China- CHINESE TARGETED based actors against private sector in INTRUSION G20 . “Traditional espionage” targets that did OPERATIONS not violate the 2015 agreement were unaffected by this reduction.

China's newest warplane, the J‐20 stealth fighter US military's F‐22 Raptor

Attacks VOODOO BEAR

- Avoid detection by antivirus, IDS, next-gen firewalls, etc. - Avoid exploiting vulnerabilities or installing malware - Look like a typical IT admin - Leverage legitimate processes - More stealthy, more effective

- Ransomware and ETERNALBLUE impact eCrime ecosystem - SPAMBots lead in malware distribution over exploit kits - CrowdStrike supports takedown of Kelihos botnet - CVE-2017-0199 exploit spreads rapidly

- Ransomware as a Service: $20-$100 (USD) - Dragon ~$20 - Brickr ~$80 - Jigsaw ~$90

- Trojan prices: $15-$5,000 - Ovidiy = 15$ - Z = $50-$100 (depends on options) - KINS = $5,000

- Exploit Kits: - Several thousand dollars/month

- BPS: - Hundreds of dollars /month

IRAN CHINA Charming Kitten Magic Kitten RUSSIA Cutting Kitten Rocket Kitten Berserk Bear Fancy Bear Anchor Panda Numbered Panda Aurora Panda Override Panda Boulder Bear Team Bear Comment Panda Pale Panda Cozy Bear Venomous Bear Dagger Panda Pirate Panda PAKISTAN Energetic Bear Voodoo Bear Deep Panda Pitty Panda Dizzy Panda Putter Panda Mythic Leopard Dynamite Panda Predator Panda Eloquent Panda Putter Panda Emissary Panda Radio Panda NORTH KOREA Foxy Panda Sabre Panda CRIMINAL Gibberish Panda Samurai Panda Silent Chollima Goblin Panda Spicy Panda Boson Spider Gothic Panda Stalker Panda Carbon Spider Hammer Panda Stone Panda Hound Spider ACTIVIST Hurricane Panda Temper Panda Indrik Spider Curious Jackal Impersonating Toxic Panda Magnetic Spider Panda Turbine Panda Mimic Spider Deadeye Jackal Karma Panda Union Panda Pizzo Spider Extreme Jackal Keyhole Panda Violin Panda Shark Spider INDIA Lotus Panda Vixen Panda Static Spider Gekko Jackal Viceroy Tiger Maverick Panda Wet Panda Wicked Spider Ghost Jackal Nightshade Panda Wicked Panda Wold Spider Zombie Spider Shifty Jackal DATA AS A WEAPON What’s already happened has happened

Billions/Day Peak Events Average Events 60 Per Second Per Second >1.04M >593K 50 40 Data Processed Per Day Events Per Day 30 >50 TB >58.7B 20 10 Stored in Stored in TG Apollo/Hadoop 0 CrowdStrike WhatsApp Apple SnapChat Facebook Twitter 1.79 PB 3.57 PB (Events) (Messages) (Messages) (Video (Likes) (Tweets) Views)

PROCESS DELETES BACKUPS

PROCESS CALLS ENCRYPTION ROUTINE

PROCESS ENUMERATES FILE SYSTEM

PERSON PERSON OPENS THE PERSON PERSON WALKS OPERATES VAULT LEAVES THE AROUND THE OUTSIDE STEALTHILY BANK WITH OF THE BANK – DISGUISES THE MONEY CHECKING ENTRY/EXIT THEMSELVES

PERSON GETS INTO CAR AND PERSON DRIVES OFF ENTERS PERSON THE BANK EVADES/DISABLE PERSON CARRIES S THE CAMERAS MONEY OUT FROM THE VAULT THE THIRD WAVE OF AI THE POWER OF AI IS PREDICTIVE

REALITY CAN BE DECEIVING

EXTERNAL FEEDS PROCESS PEOPLE

IDS SNORT / LOGS SURICATA YARA COMMON EVENT MALWARE PACKET FORMAT DETECTION CAPTURE

rd DATA 3 PARTY 3rd PARTY VT VISUALIZATION TOOLS FEED 1 FEED 2 PROXY PLUS SIEM MANY

OPEN SOCIAL OTHERS SOURCE APIs MEDIA ... FEEDS SOURCES INTERNAL FEEDS

• Does ‘X’ effect our environment?

• What is the RISK to us?

• What is the IMPACT?

• What ACTION needs to be taken?

• Could our BRAND RECOVER from this incident…

• Provide ACTIONABLE information

• CONTEXT

• RISK to the business

• EVIDENCE

• APPROPRIATE PROCESS

• TIMELINE

2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. . Identified attack vectors have included spear phishing for credentials theft and computer network exploitation, physical insertion of surveillance hardware, and others.

. In both the espionage and the criminal spaces, various sectors are assessed to be ALL SECTORS ARE uniquely exposed on two technical fronts: hardware and software. VULNERABLE TO . IoT devices, controller, terminals etc. CYBER ATTACKS potentially vulnerable to physical or remote attack across the supply chain.

. Systems dependency - single point of failure SUCCESS FOR CYBER in most situations. ESPIONAGE AGREEMENTS 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. USE (REAL) INTELLIGENCE THE TAKEAWAYS Not every adversary group is created equal. Intel‐Driven Response Groups have differing skills, resources, and capabilities. Must be real-time or near real-time focused on IOAs

GOOD PROCESS Sweeping just for IOCs is a losing proposition. Hunt – based on your intelligence Visibility – DVR for the endpoint Information not data mountains

TECHNOLOGY Use forward looking technology and don’t operate in the rear view mirror Integrated layers of defense

FUNDING CEO and Boards tend to fund projects where attribution is clear. Use intelligence to create an actionable programe