4th Annual Information Security Conference for the Financial Sector
ARTIFICIAL INTELLIGENCE AND MACHINE LEARNING, HOW IT CAN HELP YOU WITH THE LATEST THREATS
JOHN TITMUS, DIRECTOR & STRATEGY ADVISOR - CROWDSTRIKE
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

John Titmus - In security for over 16 years, with strategic security knowledge gained in both global industry and government agencies.
- Director and Strategy Advisor at CrowdStrike
- Provides strategic advice as a trusted advisor
- Helps prevent organisations from being breached

CURRENT LANDSCAPE
WE SEE 2 INTRUSIONS EVERY HOUR… 24 hours a day, 7 days a week! Around 1440 intrusions a month!
SUCCESS FOR CYBER ESPIONAGE AGREEMENTS
CHINESE TARGETED INTRUSION OPERATIONS
- Sept 2015: agreement reached between China and the US; the UK, Germany and members of the G20 agree to stop malicious cyber operations for commercial gain.
- We have tracked a reduced level of targeted intrusion activity by China-based actors against the private sector in the G20.
- "Traditional espionage" targets that did not violate the 2015 agreement were unaffected by this reduction.
- Greater reliance on contractors in China's offensive cyber ecosystem.

WHICH ONE IS THE ORIGINAL?
China's newest warplane, the J‐20 stealth fighter / US military's F‐22 Raptor
THE TRICKLE DOWN EFFECT

WANNACRY RANSOMWARE

The Move to Malware-Free Attacks
VOODOO BEAR
- Avoid detection by antivirus, IDS, next-gen firewalls, etc.
- Avoid exploiting vulnerabilities or installing malware
- Look like a typical IT admin
- Leverage legitimate processes
- More stealthy, more effective
ECRIME GOES CORPORATE

RECENT ECRIME TRENDS
- Ransomware and ETERNALBLUE impact the eCrime ecosystem
- Spambots lead in malware distribution over exploit kits
- CrowdStrike supports takedown of the Kelihos botnet
- CVE-2017-0199 exploit spreads rapidly

MARKET PRICING
- Ransomware as a Service: $20-$100 (USD)
  - Dragon ~$20
  - Brickr ~$80
  - Jigsaw ~$90
- Trojan prices: $15-$5,000
  - Ovidiy = $15
  - Z = $50-$100 (depends on options)
  - KINS = $5,000
- Exploit kits: several thousand dollars/month
- BPS: hundreds of dollars/month
ADVERSARY WORLD MAP
- IRAN: Charming Kitten, Magic Kitten, Cutting Kitten, Rocket Kitten
- RUSSIA: Berserk Bear, Fancy Bear, Boulder Bear, Team Bear, Cozy Bear, Venomous Bear, Energetic Bear, Voodoo Bear
- CHINA: Anchor Panda, Numbered Panda, Aurora Panda, Override Panda, Comment Panda, Pale Panda, Dagger Panda, Pirate Panda, Deep Panda, Pitty Panda, Dizzy Panda, Putter Panda, Dynamite Panda, Predator Panda, Eloquent Panda, Emissary Panda, Radio Panda, Foxy Panda, Sabre Panda, Gibberish Panda, Samurai Panda, Goblin Panda, Spicy Panda, Gothic Panda, Stalker Panda, Hammer Panda, Stone Panda, Hurricane Panda, Temper Panda, Impersonating Panda, Toxic Panda, Turbine Panda, Karma Panda, Union Panda, Keyhole Panda, Violin Panda, Lotus Panda, Vixen Panda, Maverick Panda, Wet Panda, Nightshade Panda, Wicked Panda
- PAKISTAN: Mythic Leopard
- NORTH KOREA: Silent Chollima
- INDIA: Viceroy Tiger
- CRIMINAL: Boson Spider, Carbon Spider, Hound Spider, Indrik Spider, Magnetic Spider, Mimic Spider, Pizzo Spider, Shark Spider, Static Spider, Wicked Spider, Wold Spider, Zombie Spider
- ACTIVIST: Curious Jackal, Deadeye Jackal, Extreme Jackal, Gekko Jackal, Ghost Jackal, Shifty Jackal

DATA AS A WEAPON
What's already happened has happened
CHANGING THE GAME IN CYBERSECURITY

HOW DO WE KNOW THIS?
[Bar chart: billions per day, CrowdStrike (events) compared with WhatsApp (messages), Apple (messages), SnapChat (video views), Facebook (likes) and Twitter (tweets); y-axis 0-60 billions/day]
- Peak events per second: >1.04M
- Average events per second: >593K
- Data processed per day: >50 TB
- Events per day: >58.7B
- Stored in TG: 1.79 PB
- Stored in Apollo/Hadoop: 3.57 PB
2 GAME CHANGERS: GRAPH AND ARTIFICIAL INTELLIGENCE
- PROCESS EXECUTES
- PROCESS DELETES BACKUPS
- PROCESS CALLS ENCRYPTION ROUTINE
- PROCESS ENUMERATES FILE SYSTEM
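The four behaviours on this slide are an indicator of attack (IOA): none of them is malicious on its own, and the detection comes from seeing them chained on one process graph. The Python below is an added example, not code from the deck or from CrowdStrike's platform. It builds a process graph from a constructed telemetry stream, attributes a child's backup deletion to the parent that spawned it, and flags a process whose behaviours contain the whole chain. The event schema, field names, hash blocklist and the chain order (execute, enumerate, encrypt, delete backups) are assumptions. For contrast it also runs a hash-based IOC sweep over the same events, which finds nothing because the sample has never been seen before; that is the "IOAs over IOCs" point the takeaways make at the end of the deck.

```python
"""Indicator-of-attack (IOA) detection over a process behaviour graph.

Added illustration: the event schema, field names, hash list and chain
order are assumptions, not CrowdStrike's telemetry or detection logic.
"""
from collections import defaultdict

# Constructed sample telemetry, oldest first. pid 200 is an unknown binary
# that behaves like ransomware; pid 300 is a backup tool that legitimately
# rotates shadow copies and must not be flagged.
SAMPLE_EVENTS = [
    {"t": 1, "type": "process_start", "pid": 100, "ppid": 1,
     "image": "explorer.exe", "sha256": "a1"},
    {"t": 2, "type": "process_start", "pid": 200, "ppid": 100,
     "image": "invoice_viewer.exe", "sha256": "never_seen_before"},
    {"t": 3, "type": "file_enum", "pid": 200, "path": "C:\\Users\\alice\\Documents"},
    {"t": 4, "type": "api_call", "pid": 200, "api": "CryptEncrypt"},
    {"t": 5, "type": "process_start", "pid": 201, "ppid": 200, "image": "vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet", "sha256": "b2"},
    {"t": 6, "type": "process_start", "pid": 300, "ppid": 100,
     "image": "backup_tool.exe", "sha256": "c3"},
    {"t": 7, "type": "process_start", "pid": 301, "ppid": 300, "image": "vssadmin.exe",
     "cmdline": "vssadmin delete shadows /for=D: /oldest", "sha256": "b2"},
]

# IOC sweep input: hashes of samples seen in earlier incidents (constructed).
KNOWN_BAD_HASHES = {"deadbeef"}

# The four behaviours from the slide; the order is an assumption.
IOA_CHAIN = ["executes", "enumerates_filesystem",
             "calls_encryption_routine", "deletes_backups"]

ENCRYPT_APIS = {"CryptEncrypt", "BCryptEncrypt"}


def classify(event):
    """Map one raw event to a behaviour name from IOA_CHAIN, or None."""
    if event["type"] == "process_start":
        cmd = event.get("cmdline", "").lower()
        if event["image"].lower() == "vssadmin.exe" and "delete shadows" in cmd:
            return "deletes_backups"
        return "executes"
    if event["type"] == "file_enum":
        return "enumerates_filesystem"
    if event["type"] == "api_call" and event["api"] in ENCRYPT_APIS:
        return "calls_encryption_routine"
    return None


def build_graph(events):
    """Return (parent pid map, pid->image map, pid->ordered behaviour list)."""
    parent, images, behaviours = {}, {}, defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        if e["type"] == "process_start":
            parent[e["pid"]] = e["ppid"]
            images[e["pid"]] = e["image"]
        b = classify(e)
        if b is None:
            continue
        # A child's backup deletion is an action of the process that spawned
        # it, so the graph edge carries the behaviour up to the parent.
        owner = e["ppid"] if b == "deletes_backups" else e["pid"]
        behaviours[owner].append(b)
    return parent, images, behaviours


def matches_chain(seq, chain=IOA_CHAIN):
    """True if every step of `chain` occurs in `seq`, in that order."""
    it = iter(seq)
    return all(any(b == step for b in it) for step in chain)


def lineage(pid, parent, images):
    """Image names from the root of the process tree down to `pid`."""
    chain = []
    while pid in images:
        chain.append(images[pid])
        pid = parent.get(pid)
    return chain[::-1]


def ioc_sweep(events, bad_hashes=KNOWN_BAD_HASHES):
    """Classic IOC check: which processes ran a binary on the hash blocklist?"""
    return sorted({e["pid"] for e in events if e.get("sha256") in bad_hashes})


def ioa_hunt(events):
    """Which processes exhibit the whole chain? Returns pid -> lineage."""
    parent, images, behaviours = build_graph(events)
    return {pid: lineage(pid, parent, images)
            for pid, seq in behaviours.items() if matches_chain(seq)}


if __name__ == "__main__":
    print("IOC sweep hits:", ioc_sweep(SAMPLE_EVENTS))  # []  (hash never seen)
    print("IOA hunt hits:", ioa_hunt(SAMPLE_EVENTS))    # {200: ['explorer.exe', 'invoice_viewer.exe']}
```

The backup tool (pid 300) also spawns `vssadmin delete shadows` but never enumerates user documents or calls an encryption API, so requiring the full chain rather than any single step is what keeps the false-positive rate down; the returned lineage gives the analyst the context (`explorer.exe` launched the viewer) needed to act on the alert.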
The Future of Security Is Graph

IS THE BANK BEING ROBBED?
- Person walks around the outside of the bank – checking entry/exit
- Person enters the bank
- Person operates stealthily – disguises themselves
- Person evades/disables the cameras
- Person opens the vault
- Person carries money out from the vault
- Person leaves the bank with the money
- Person gets into car and drives off

THE THIRD WAVE OF AI
THE POWER OF AI IS PREDICTIVE
NEXT STEPS: PUTTING THE PIECES TOGETHER

YOUR VIEW OF THE WORLD MAY SEEM CHAOS FREE
REALITY CAN BE DECEIVING

CYBER THREAT INTELLIGENCE IS CRUCIAL IN HELPING STOP BREACHES
[Diagram: threat-intelligence pipeline with three columns, EXTERNAL FEEDS, PROCESS and PEOPLE, fed from both external and internal sources]
- External feeds: 3rd party feed 1, 3rd party feed 2, VT, open source feeds, social media sources, APIs, others ...
- Process: IDS (Snort / Suricata), YARA, logs, Common Event Format, malware detection, packet capture, proxy, SIEM, data visualization tools, plus many more
- Internal feeds
- People
YOUR TEAMS NEED TO ANSWER THE QUESTION
• Does ‘X’ affect our environment?
• What is the RISK to us?
• What is the IMPACT?
• What ACTION needs to be taken?
• Could our BRAND RECOVER from this incident…
CONFIDENTLY AND ACCURATELY
• Provide ACTIONABLE information
• CONTEXT
• RISK to the business
• EVIDENCE
• APPROPRIATE PROCESS
• TIMELINE
ALL SECTORS ARE VULNERABLE TO CYBER ATTACKS
- Identified attack vectors have included spear phishing for credential theft and computer network exploitation, physical insertion of surveillance hardware, and others.
- In both the espionage and the criminal spaces, various sectors are assessed to be uniquely exposed on two technical fronts: hardware and software.
- IoT devices, controllers, terminals etc. are potentially vulnerable to physical or remote attack across the supply chain.
- Systems dependency - a single point of failure in most situations.

THE TAKEAWAYS

USE (REAL) INTELLIGENCE
- Not every adversary group is created equal. Groups have differing skills, resources, and capabilities.

INTEL‐DRIVEN RESPONSE
- Must be real-time or near real-time, focused on IOAs.

GOOD PROCESS
- Sweeping just for IOCs is a losing proposition.
- Hunt – based on your intelligence
- Visibility – DVR for the endpoint
- Information, not data mountains

TECHNOLOGY
- Use forward-looking technology and don't operate in the rear-view mirror
- Integrated layers of defense

FUNDING
- CEOs and boards tend to fund projects where attribution is clear.
- Use intelligence to create an actionable programme