No Notpetya, No Badrabbit, and No Wannacry
2019 GLOBAL THREAT REPORT: ADVERSARY TRADECRAFT AND THE IMPORTANCE OF SPEED
NO NOTPETYA, NO BADRABBIT, AND NO WANNACRY! DID ANYTHING HAPPEN IN CYBER LAST YEAR?

WHAT IS THE GLOBAL THREAT REPORT?
A yearly report generated from a year's worth of data from CrowdStrike's Intelligence, Services and Falcon OverWatch teams and from CrowdStrike's cloud platform, ThreatGraph. CrowdStrike's three reports:
- CrowdStrike Services Cyber Intrusion Casebook: insights from reactive incident response engagements involving CrowdStrike Services.
- Falcon OverWatch Report: insights gained from proactive threat hunting conducted in customer environments where Falcon is deployed.
- CrowdStrike Global Threat Report: global cyberthreat intelligence and insights from the Falcon platform and OverWatch.

CROWDSTRIKE'S POWERFUL REPORTS ARE ENABLED BY POWERFUL INSIGHTS
- 3.8M peak events per second
- 3.0M average events per second
- 240 billion events a day

SO... DID ANYTHING HAPPEN IN 2018? WE HAD:
- No NotPetya
- No WannaCry
- No BadRabbit

2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

SO... WHAT DID HAPPEN IN 2018?

2019 GLOBAL THREAT REPORT: ADVERSARY TRADECRAFT AND THE IMPORTANCE OF SPEED, page 16

BEYOND MALWARE
The 2018 CrowdStrike telemetry did not show a distinct shift in the balance between malware and malware-free threats compared to 2017. CrowdStrike analysis continues to identify malware as a dominant method used by various types of attackers for initial infiltration. The ultimate methods and objectives of malware can range from deploying basic bots for use in denial-of-service campaigns, to more directed objectives such as collecting cryptocurrencies through unauthorized mining. Other more nefarious malware, such as the TrickBot banking Trojan, is used to steal login credentials to banking sites. Figure 3 compares malware and malware-free attacks from the 2018 CrowdStrike telemetry.

The attack types are defined as follows:
- Malware attacks: These are simple use cases where a malicious file is written to disk and Falcon detects the attempt to run that file, then identifies and/or blocks it.
- Malware-free attacks: CrowdStrike defines malware-free attacks as those in which the initial tactic did not result in a file or file fragment being written to disk. Examples of this include attacks where code executes from memory or where stolen credentials are leveraged for remote logins using known tools.

Figure 3. Global Malware vs. Malware-Free Attacks: Malware 60%, Malware-Free 40%.

IN 2018 CROWDSTRIKE DID NOT SEE A DISTINCT CHANGE IN THE USE OF MALWARE VERSUS MALWARE-FREE ATTACKS, WHEN COMPARED TO THE YEAR EARLIER.

MALWARE-FREE ATTACKS BY INDUSTRY
Notable shifts in 2018 versus 2017: The media industry jumped to the top of the charts, with approximately 80 percent malware-free attacks, versus approximately 64 percent in 2017. In addition, the technology, academic and energy sectors all saw dramatic increases in malware-free attacks in 2018.

Figure 4. Malware-free vs. Malware Attacks by Industry. Horizontal bar chart, 0 to 100 percent, two series (Malware-Free and Malware). Industries in the figure's order, top to bottom: Media, Technology, Academic, Energy, Healthcare, Entertainment, Retail, Hospitality, Manufacturing, Aviation, Automotive, Professional Services, Telecommunications, Government, Financial, Insurance, Pharmaceutical, Oil & Gas, Conglomerate.

Figure 4 illustrates the percentage of malware versus malware-free attacks by industry sector. Industries at the top of this list — including media, technology and academic — tend to be more heavily targeted by malware-free threats and will benefit from aggressively strengthening their defenses to address these more sophisticated, modern attacks.

ATT&CK TECHNIQUES & TRENDS
ADVERSARIES HAVE A HUGE TOOLKIT TO ENSURE SUCCESSFUL ATTACKS

REGIONAL ATT&CK TECHNIQUE TRENDS
CrowdStrike observed significant variations in the attacks seen in different regions around the globe (Figure 5). The team believes this is important, because understanding the techniques most likely to be employed in attacks against your organization can help you prioritize investments in prevention and detection resources.

Figure 7. Prevalence of Attack Technique by Region (2). Four regional panels: North America; Latin America; Europe, Middle East & Africa; Indo-Pacific. Technique labels appearing on the panels: Malware, Other, Data from Local System, Regsvr32, Indicator of Compromise, Process Injection, PowerShell, Hidden Files & Directories, Masquerading, Accessibility Features, Command-Line Interface, Credential Dumping, Registry Run Keys / Start Folder, Account Discovery, Scripting, Sensor-based ML.

2. Includes MITRE ATT&CK techniques as well as supplementary CrowdStrike Falcon techniques. Based on primary reported technique only.

CROWDSTRIKE OBSERVED HIGH USAGE OF SCRIPTING TECHNIQUES USED BY THREAT ACTORS WHEN TARGETING ORGANISATIONS WITHIN EUROPE, THE MIDDLE EAST AND AFRICA.

DID SOMEONE SAY NATION-STATE?

//IRAN: THE KITTEN
- HELIX KITTEN: target Bahrain, Saudi Arabia; op-tempo medium-high
- FLASH KITTEN: target MENA; op-tempo medium-low
- STATIC KITTEN: target Eastern Europe, MENA, Pakistan, India; op-tempo medium
- MAGIC KITTEN: target dissidents; op-tempo unknown
- CHARMING KITTEN: target strategic web compromise; op-tempo low

//NORTH KOREA (DPRK): THE CHOLLIMA
Timeline of financial sector attacks, 2017 to 2018. Entries name banks in Nigeria (suspected), a bank in India, Banco de Chile, City Union Bank (India), a financial services company in the Caribbean and Bancomext (Mexico); several entries are linked to STARDUST CHOLLIMA (suspected). Dates legible on the slide: December 2017, May 2018, September 2018, fall 2018 and late fall 2018.