MOVING FROM THE RIGHT OF BOOM IN CYBER SECURITY TO LEFT OF BOOM

CROWDSTRIKE SERVICES FORGE BRIEFING, MARCH 18, 2021

CONTENTS
§ INCIDENT RESPONSE FROM THE FRONT LINES
§ INTELLIGENCE-LED RAPID RECOVERY: A NEW APPROACH
§ THE SHIFT TO CONTINUOUS MONITORING & RESPONSE
§ TRANSFORMING ENDPOINT & WORKLOAD SECURITY

2 OUR SPEAKERS TODAY

Tim Parisi is a Director of Incident Response services at CrowdStrike. Tim has more than 15 years of experience leading incident response investigations and advising clients on how to secure their networks across the globe. Prior to joining CrowdStrike, Tim performed incident response consulting at Mandiant, where he led investigations, red/blue team exercises and compromise assessments for small and large enterprises around the world. Before entering the private sector, Tim performed computer forensics and insider threat investigations for various U.S. Government agencies at ManTech and MITRE and has been an instructor teaching forensic analysis to private companies and law enforcement agencies.

Eric Bodkin is a Director of Endpoint Recovery services at CrowdStrike. Eric has more than 15 years of experience in incident response, forensic investigation, cybersecurity operations, endpoint recovery and remediation. Prior to joining CrowdStrike, Eric’s career focused heavily on OCO and DCO in support of U.S. Government and Military operations on the front lines as active duty Navy assigned to the National Security Agency, and as a subject matter expert equipping, enabling, and training Cyber Protection Teams (CPTs) across all branches of the service.

John Beck is a Senior Federal and DOD Engineer at CrowdStrike. John has more than 21 years of experience in engineering cybersecurity solutions for Federal and Department of Defense agencies. Prior to joining CrowdStrike, John supported federal agencies during his previous tenures at Forcepoint and McAfee, and prior to that acted as Security Lead as a contractor for a Federal Law enforcement agency and a Federal agency responsible for diplomatic missions.

3 2021 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. INCIDENT RESPONSE FROM THE FRONT LINES

Tim Parisi Director, Incident Response Services

4 THE ADVERSARIES 150+ active adversary groups tracked across the globe

CROWDSTRIKE FALCON PLATFORM
• 700+ BILLION SECURITY EVENTS PER DAY
• 140+ MILLION IOA DECISIONS PER SECOND
• 75,000+ BREACHES STOPPED PER YEAR

5 INVESTIGATION: IRANIAN BASED GROUP HIJACKS DNS

THREAT ACTOR: SEA TURTLE / HELIX KITTEN
THREAT STATUS: ACTIVE
MOTIVATION: STATE SPONSORED
ORIGINS: IRAN
MALWARE: TWOFACE, MIMIKATZ, RGDOOR, PLINK

• Iranian nexus adversary group
• TwoFace webshell placed on vulnerable IIS servers
• RGDoor Internet Information Server (IIS) backdoor
• Network reconnaissance using native Windows tools
• PowerShell and custom build of PLink SSH client to establish reverse shells
• Moved to AWS space from credentials harvested via Mimikatz in non-cloud infrastructure
• Goal was to re-route traffic to specific domains, largely unachievable due to fast detection and response

6 INVESTIGATION: LABYRINTH CHOLLIMA “WANTS TO CONNECT” ON LINKEDIN

THREAT ACTOR: LABYRINTH CHOLLIMA
THREAT STATUS: ACTIVE
MOTIVATION: Criminal, State-Sponsored
ORIGINS: North Korea
MALWARE: NedDnLoader

• North Korea based adversary group
• Used LinkedIn to send unsolicited and targeted recruiting message as initial lure – did not target corporate email
• Lure instructed victim to access website only with Internet Explorer, which allowed the attacker to exploit the zero-day CVE-2020-0674
• Reconnaissance performed: net user, reg query, netstat, reg export of terminal server clients
• Unsuccessful lateral movement attempts due to misspelling of credentials
• Reconnaissance activities detected; system contained

7 ATTACKS ARE ON THE RISE

• 10 million new virus signatures released every month

• Signature-based A/V only looks at one attribute of the file

• Polymorphic malware is able to easily bypass legacy A/V

• Companies can’t keep up with patching

• Adversaries lock down & control the environment with better tools

8 INVESTIGATION: CARBON SPIDER TURNS UP THE HEAT ON RANSOM DEMANDS

THREAT ACTOR: CARBON SPIDER
THREAT STATUS: ACTIVE
MOTIVATION: CRIMINAL
ORIGINS: RUSSIAN FEDERATION
MALWARE: DARKSIDE, HARPY, SEKUR

• Affiliation with Pinchy Spider and REvil Ransomware
• UPS themed phishing email attack
• Links to a compromised SharePoint site deploying Harpy and Sekur malware
• Exfiltrated over 1TB of data
• Demanding increasingly higher ransoms ($4M)
• Countdown timers for the release of sensitive data
• Calls to employees to create additional pressure to pay the ransom
• Created a Ransomware-as-a-Service affiliate program for Darkside

9 BIG GAME HUNTING Notorious ransomware threat actors actively engaged in attacks

• Low volume, high return ransomware

• Ransom demands usually exceed $250,000 and often reach over $5,000,000

• Penetration testing tooling and tactics used for lateral movement

• Administrator accounts used to deploy ransomware directly

INDRIK SPIDER – BitPaymer Ransomware | WIZARD SPIDER – Ryuk Ransomware | PINCHY SPIDER – GandCrab Ransomware

10 CROWDSTRIKE ACCELERATED APPROACH

TRADITIONAL IR APPROACH (timeline: BREACH → DISCOVERY → IR START → VISIBILITY → IR FINISH)

THREATS (WEEKS / MONTHS): • BREACH NETWORK • ESCALATE PRIVILEGES • ACHIEVE LATERAL MOVEMENT • UNDETECTED (SILENT FAILURE)
DEPLOY (DAYS): • SHIP SERVERS • LOAD SOFTWARE • FLY CONSULTANTS
SCAN (WEEKS): • RUN SYSTEM SCAN (SINGLE SNAPSHOT) • ANALYZE RESULTS • REPEAT UNTIL ACTIVITY IS SEEN
REMEDIATE (MONTHS): • PLUG HOLES AS THEY ARE FOUND • REIMAGE MACHINES (“DISRUPT USERS”) • RERUN SCANS TO LOOK FOR MORE ACTIVITY • REPEAT UNTIL CONSULTANT FEELS THERE IS NO MORE ACTIVITY

Result: BREACHES GO UNDETECTED | LONG DISCOVERY PROCESS | SLOW START & REMEDIATION | VERY COSTLY & DISRUPTIVE

CROWDSTRIKE ACCELERATED IR

GAIN VISIBILITY (MINS): • DEPLOY CLOUD-BASED SENSORS • IMMEDIATE THREAT INTEL • PRESERVE FORENSICS
CONTAIN THREAT (HOURS): • TRIAGE INCIDENTS • ISOLATE HOSTS
RECOVER ENDPOINTS (DAYS): • EJECT ADVERSARIES • RECOVER ENDPOINTS
SECURE ENVIRONMENT (WEEKS): • THREAT HUNTING • FULL INCIDENT INVESTIGATION

Result: IMMEDIATE DISCOVERY | FAST START & REMEDIATION | QUICK & COST EFFECTIVE

CROWDSTRIKE VALUE
• Accelerate incident response
• Minimize downtime
• Reduce business interruption
• Greater visibility for better decision making
• Lower cost investigation and remediation
• Reduced adversary impact

11 WHAT MAKES CROWDSTRIKE STAND OUT? The Falcon Platform provides immediate visibility and threat actor information that informs our remediation efforts

FALCON INSIGHT | FALCON INTEL | SERVICES

TO GET YOU BACK TO NORMAL BUSINESS OPERATIONS FAST

12 QUESTIONS Q&A

13 INTELLIGENCE-LED RAPID RECOVERY: A NEW APPROACH

Eric Bodkin Director, Endpoint Recovery Services

14 COMMON ATTACK CHAIN

Initial Access: • Account/RDP Brute Force • Internet Exposed Vulnerabilities • Phishing / Social Engineering
Lateral Movement: • WMI • PSEXEC • Remote Service Creation
Execution: • Cobalt Strike • PowerShell Empire • TA-Specific Loaders/Trojans
Persistence: • Scheduled Tasks • Persistent Service Creation • GPO Configuration
Impact: • BitPaymer Ransomware • Ryuk Ransomware • GandCrab Ransomware

MITRE ATT&CK PHASES (1–12): Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control, Impact
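The chain on this slide (RDP brute force, then a PsExec service install, then scheduled-task persistence) is what a detection engineer looks for across several event types on one host. The following is an added example, not CrowdStrike code: it classifies constructed Windows event records using the slide's own phase labels and then groups findings per host, so a host that touches more than one phase stands out. Field names are assumptions; the event IDs are the standard Windows ones.

```python
"""Map constructed Windows event records onto the attack chain on this slide.

Added example, not CrowdStrike code. Records are constructed stand-ins for
Security/System log entries; field names are assumptions, event IDs are the
standard Windows ones (4625 failed logon, 4624 logon, 7045 service installed,
4698 scheduled task created)."""
from collections import Counter, defaultdict

RDP = 10  # logon type 10 = RemoteInteractive (RDP)
BRUTE_FORCE_THRESHOLD = 5  # assumption: failures from one source before we care

# Constructed sample records, in time order. Not real telemetry.
SAMPLE_EVENTS = (
    [{"host": "fs01", "id": 4625, "user": "admin", "src": "203.0.113.7", "logon_type": RDP}
     for _ in range(6)]
    + [{"host": "fs01", "id": 4624, "user": "admin", "src": "203.0.113.7", "logon_type": RDP},
       {"host": "fs01", "id": 7045, "service": "PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe"},
       {"host": "fs01", "id": 4698, "task": r"\Updater", "command": "powershell.exe -w hidden"},
       {"host": "ws22", "id": 4624, "user": "jdoe", "src": "10.0.0.5", "logon_type": 2}]
)

PHASE_ORDER = ["Initial Access", "Lateral Movement", "Execution", "Persistence", "Impact"]


def classify(events):
    """Return (host, phase, technique, detail) findings using the slide's labels."""
    findings = []
    failures = Counter()  # (host, source ip) -> failed RDP logons seen so far
    for e in events:
        key = (e["host"], e.get("src"))
        if e["id"] == 4625 and e.get("logon_type") == RDP:
            failures[key] += 1
        elif e["id"] == 4624 and e.get("logon_type") == RDP and failures[key] >= BRUTE_FORCE_THRESHOLD:
            # Success after a burst of failures from the same source = brute force paid off
            findings.append((e["host"], "Initial Access", "Account/RDP Brute Force",
                             f"{failures[key]} failures then success from {e['src']}"))
        elif e["id"] == 7045:
            # PsExec installs a transient service named PSEXESVC on the target;
            # any other newly installed service is treated as a persistence candidate.
            if e["service"].upper().startswith("PSEXESVC"):
                findings.append((e["host"], "Lateral Movement", "PSEXEC", e["image"]))
            else:
                findings.append((e["host"], "Persistence", "Persistent Service Creation", e["image"]))
        elif e["id"] == 4698:
            findings.append((e["host"], "Persistence", "Scheduled Tasks", e["task"]))
    return findings


def chain_by_host(findings):
    """Group findings per host in the slide's phase order; a host touching several
    phases is a much stronger signal than any single alert."""
    phases = defaultdict(set)
    for host, phase, _technique, _detail in findings:
        phases[host].add(phase)
    return {h: [p for p in PHASE_ORDER if p in ps] for h, ps in phases.items()}
```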

15 RECOVERY: CARBON SPIDER CROWDSTRIKE EXTINGUISHES RANSOMWARE ATTACKS

THREAT ACTOR: CARBON SPIDER
THREAT STATUS: ACTIVE
MOTIVATION: CRIMINAL
ORIGINS: RUSSIAN FEDERATION
MALWARE: DARKSIDE, HARPY, SEKUR

• Visibility of full threat context within minutes of deploying the Falcon platform
• Active containment of infected hosts to stop further lateral movement and infection
• Real time response to kill malicious processes and delete infected files with speed & precision
• No system reimaging and no system reboots required
• No disruption to the end users and no business interruption
• Get back to business faster

16 TRADITIONAL RECOVERY APPROACH “Tear down and rebuild everything”

Identify infection, isolate the threat

Assess options for recovering systems and data

Recover systems and data

Identify and mitigate initial exploit/access vectors

Eliminate active malware; Prevent reoccurrence

Discover and remediate attacker persistence

Remediate impacted users, accounts, and access points

Monitor for re-entry and evaluate effectiveness of remediation

17 TRADITIONAL RECOVERY Incomplete and costly

INEFFECTIVE TECHNOLOGY: LACK OF PREVENTION, LACK OF VISIBILITY → ATTACK RECURRENCE → BACK TO SQUARE ONE, INCREASED TIME AND INCREASED COSTS
INCOMPLETE INSIGHTS: UNINFORMED DECISIONS, INEFFECTIVE ACTIONS, “WHAT GOT YOU HERE” ROOT PROBLEM UNADDRESSED → DOWNTIME AND INTERRUPTIONS → WASTE OF TIME, RESOURCES AND CRITICAL OPERATIONS

18 INTELLIGENCE-LED RAPID RECOVERY Endpoint recovery with zero business interruption

TECHNOLOGY: ▪ Deployment and configuration ▪ Attack prevention and visibility ▪ Active response capabilities
INTELLIGENCE: ▪ Observed events + enriched data = actionable insights ▪ Threat Actor tracking and reporting
EXPERTISE: ▪ TTP identification and analysis ▪ Been there, done that ▪ Hands-on remediation

ENDPOINT RECOVERY: ▪ Rapid ▪ Effective ▪ Complete ▪ Zero downtime ▪ Zero interruptions

19 RECOVERY PROCESS Begin active recovery of your environment quickly

CONTAINMENT & PREVENTION (< 24 HRS) – OBJECTIVE: Rapid delivery and configuration of Falcon in high prevention policies to stop the execution and lateral movement of active attacks
ACTIVE RECOVERY (72 – 96 HRS) – OBJECTIVE: Analyze Falcon Insights data to actively remediate (kill) memory resident malware, persistence, and other active attack components
MONITORING (30 DAYS) – OBJECTIVE: Prevent and monitor customer environment for re-emergence of previous incident, and detection and remediation of new incidents
REPORTING (END OF TERM) – OBJECTIVE: Service reporting, recovery actions, and remediation

20 ACTIVE RECOVERY Remediate endpoints to remove active malware and persistence

ACTIVE RECOVERY (72 – 96 HRS)

At this point you’ve identified there is a previous / ongoing security incident that has impacted a single, small, or large number of endpoints in your environment.

• Investigate and analyze endpoint data to understand full scope of incident

• Fully remediate endpoints to remove active malware, persistence, and related artifacts

• Prevent/limit endpoint and user downtime and associated business interruptions

21 ACTIVE RESPONSE Removing threats and persistence mechanisms with real time response

COLLECT INFO: Network Activities | Processes | File System | Registry | Memory | OS Events

TAKE ACTION: Kill Process | Delete File | Blacklist File | Modify Registry | Network Quarantine | Custom Scripts

22 INTELLIGENCE-LED RAPID RECOVERY Using Real Time Response

REAL TIME RESPONSE: A built-in Falcon capability that enables and empowers rapid endpoint analysis, recovery, and remediation

SOLUTION
• Access Real Time Response (RTR) via the Falcon Cloud UI from any location
• Direct endpoint access regardless of location
• Built-in commands, PowerShell scripting, playbook storage, upload and execution of additional tools
• Single system recovery or mass-system recovery via the API

OUTCOMES
• Enables rapid analysis and a complete investigation
• Surgical endpoint remediation on 1 or 10,000 systems
• Users keep working and so do critical systems
• No need for system re-image or replacement
• Zero interruption

23 INTELLIGENCE-LED RAPID RECOVERY Surgically remove ransomware and other advanced persistent threats

REAL TIME RESPONSE

• Connect to hosts • Kill malicious processes • Delete infected files • Modify registry entries • Run recovery scripts

24 INTELLIGENCE-LED RAPID RECOVERY SUCCESSES

EMOTET / TRICKBOT
• 900 endpoints / 400+ infected with Emotet and TrickBot
• Falcon detected/prevented ~14k attacks in first 24 hours
• Complete remediation of all systems within 72 hours
• Zero recurring attacks
• Zero system images or downtime
• Prevented Ransomware outbreak

COINMINER
• 30k+ total endpoints / 15k+ infected with invasive coin miner
• Pro-active endpoint inoculation
• Mass remediation of infected endpoints within 1 week; restoring critical services
• Zero recurring attacks
• Zero system images or downtime

RANSOMWARE
• 1k+ endpoints with large % ransomed
• Removed related stale artifacts
• Identified unknown instances of persistence and fully remediated
• Identified vulnerable VPN server
• Zero recurring attacks
• Zero system images or downtime
• Prevented 2nd Ransomware attack

25 INTELLIGENCE-LED RAPID RECOVERY Effective endpoint recovery

RECOVERY CHECKLIST:
• Did you detect and prevent all ongoing and active attack components?
• Did you identify and remediate persistence?
• Have you ensured full visibility and effective response actions across your environment?
• Did you identify and mitigate the initial attack vector?
• Are you monitoring for re-entry and prepared for next time?

26 QUESTIONS Q&A

27 THE SHIFT TO CONTINUOUS MONITORING & RESPONSE

28 SURVIVAL OF THE FASTEST

TO STAY AHEAD OF BREAKOUT TIME YOU MUST: DETECT IN 1min | INVESTIGATE IN 10min | RESPOND IN 60min

MITRE ATT&CK PHASES (1–12): Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control, Impact

29 BUT…STOPPING RANSOMWARE Requires more than just technology

MANAGE: IMPLEMENT, CONFIGURE, TUNE
PREVENT: BLOCK THREATS
MONITOR: DETECT, PRIORITIZE, INVESTIGATE
RESPOND: CONTAIN, REMEDIATE

30 YOU NEED DEEP HUMAN EXPERTISE To stop today’s sophisticated ransomware attacks

IR & REMEDIATION TEAM: INCIDENT RESPONSE, INVESTIGATION, AND RECOVERY
THREAT INTEL TEAM: THREAT INTELLIGENCE & MACHINE LEARNING
OVERWATCH TEAM: 24/7 THREAT HUNTING

CROWDSTRIKE FALCON PLATFORM

ENDPOINT AND CLOUD WORKLOAD PROTECTION

31 CONTINUOUS MONITORING & RESPONSE CHANGES THE GAME

FALCON COMPLETE: 24X7 CONTINUOUS MONITORING & RESPONSE

                      Industry Average *   Falcon Complete
Time to Detect        120 Hours            1 Minute
Time to Investigate   11 Hours             6 Minutes
Time to Remediate     31 Hours             29 Minutes

* Source: CrowdStrike 2019 Global Security Attitude Survey

FALCON DISCOVER (IT HYGIENE) | FALCON PREVENT (NEXT GEN AV) | FALCON INSIGHT (EDR) | FALCON OVERWATCH (24X7 THREAT HUNTING)

FALCON COMPLETE EXCEEDS THE 1:10:60 GOAL

32 FROM REACTIVE IR TO CONTINUOUS MONITORING & RESPONSE

• Become better equipped to stop incidents
• Enhance your level of cybersecurity maturity
• Respond more effectively when incidents do occur
• Achieve continuous monitoring and response
• Deliver the 1:10:60 goal

33 QUESTIONS Q&A

34 TRANSFORMING ENDPOINT & CLOUD SECURITY

John Beck Senior Federal and DOD Engineer

35 CLOUD SECURITY CHALLENGES

CUSTOMER (Cloud Security Architect | SecOps | DevOps): DATA & APPS, INFRASTRUCTURE
CLOUD SERVICES PROVIDER

COMPLEXITY:
DYNAMIC – HARD TO KEEP UP
MULTI-CLOUD – COMPLEX SECURITY
SHARED RESPONSIBILITY – UNCLEAR WHO IS RESPONSIBLE

36 CLOUD RUNTIME THREATS

BREACHES ARE HAPPENING | ADVERSARIES’ INTEREST | TRADITIONAL AND NEW ATTACKS

37 ADVERSARIES HAVE THEIR HEADS IN THE CLOUD

“I use a lack of outbound restrictions and workload protection to exfiltrate your data”
“We target neglected cloud infrastructure slated for retirement that still contains sensitive data”
“We leverage common cloud services as a way to obfuscate malicious activity”

38 PROMINENT CLOUD ATTACKS

CAPITAL ONE: IAM ROLE WITH EXCESSIVE PERMISSIONS ALLOWING ROLE ACCESS TO UNENCRYPTED DATA. IMPACTING 106M CONSUMERS ACROSS US/CANADA, LEADING TO $80M PENALTY TO US BANK REGULATORS.

IMPERVA: NETWORK MISCONFIGURATION EXPOSED HARDCODED API KEYS USED TO ACCESS DATABASE WITH EXCESSIVE PERMISSIONS. DATABASE SNAPSHOT WITH CUSTOMER EMAILS, PASSWORDS, AND API KEYS EXPOSED.

CENTURYLINK: NETWORK MISCONFIGURATION EXPOSED MONGODB. 2.8M CUSTOMER RECORDS EXPOSED AND THE BREACH WENT UNDETECTED FOR 10 MONTHS.

SOURCE: ACCURICS SUMMER 2020 REPORT – THE STATE OF DEVSECOPS
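The three breach classes on this slide (an IAM role with excessive permissions, hardcoded API keys, and a database port open to the internet) are all checkable from configuration before any runtime telemetry exists. The following is an added example, not CrowdStrike tooling: a small set of checks over a constructed AWS-style IAM policy, a constructed ingress rule list and a constructed config fragment, with an overly broad policy beside a least-privilege one. The key in the config is a placeholder in the AWS access-key-id shape, not a real credential.

```python
"""Checks for the three cloud misconfiguration classes on this slide: IAM
policies with excessive permissions, hardcoded API keys, and database ports
exposed to public address ranges. Added example, not CrowdStrike tooling; every
policy, rule and config string below is constructed for illustration."""
import ipaddress
import json
import re

# Constructed IAM policy documents (AWS policy JSON), not from any real account.
OVERLY_BROAD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"], "Resource": "*"}]})
LEAST_PRIVILEGE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::app-uploads/*"}]})

# Constructed security-group style ingress rules: (protocol, port, source cidr).
INGRESS = [("tcp", 443, "0.0.0.0/0"), ("tcp", 27017, "0.0.0.0/0"),
           ("tcp", 5432, "10.20.0.0/16")]
DB_PORTS = {27017: "MongoDB", 5432: "PostgreSQL", 3306: "MySQL", 6379: "Redis"}
PRIVATE = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed config fragment; the key is a placeholder in the access-key-id shape.
CONFIG = "region = us-east-1\naws_access_key_id = AKIAEXAMPLEEXAMPLE00\nbucket = app-uploads\n"
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def excessive_statements(policy_json):
    """Return (action, resource) pairs from Allow statements that use a wildcard
    action, a wildcard resource, or any iam: action (a path to self-escalation)."""
    hits = []
    for st in _as_list(json.loads(policy_json)["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st["Action"]):
            for resource in _as_list(st["Resource"]):
                wildcard = action == "*" or action.endswith(":*") or resource == "*"
                if wildcard or action.lower().startswith("iam:"):
                    hits.append((action, resource))
    return hits


def exposed_db_rules(rules):
    """Return (service, port, cidr) for database ports whose source range is not
    entirely inside an RFC 1918 block, i.e. reachable from the internet."""
    exposed = []
    for _proto, port, cidr in rules:
        net = ipaddress.ip_network(cidr)
        if port in DB_PORTS and not any(net.subnet_of(p) for p in PRIVATE):
            exposed.append((DB_PORTS[port], port, cidr))
    return exposed


def hardcoded_keys(text):
    """Return access-key-id shaped tokens found in configuration text."""
    return AWS_KEY_ID.findall(text)
```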

39 CROWDSTRIKE FALCON CLOUD-NATIVE PLATFORM

FALCON ENDPOINT & WORKLOAD PROTECTION PLATFORM: THE FIRST CLOUD-NATIVE ENDPOINT AND WORKLOAD PROTECTION PLATFORM BUILT TO STOP BREACHES.
• 15+ PETABYTES OF SECURITY TELEMETRY DATA IN THE CLOUD
• 700B+ SECURITY EVENTS PROCESSED PER DAY
• 140M+ IOA DECISIONS MADE PER SECOND
• 75,000+ BREACHES STOPPED PER YEAR
• 150+ ADVERSARIES TRACKED ACROSS THE GLOBE

• SINGLE LIGHT-WEIGHT AGENT FOR ALL PLATFORMS (INCL. CLOUD, VMs, CONTAINERS)
• MARKET LEADING COMPREHENSIVE CYBERSECURITY SOLUTION

40 ONE PLATFORM FOR HYBRID CLOUD AND CONTAINERS

DATACENTER | SERVERS | VIRTUAL | MULTI-CLOUD | CONTAINERS

41 A RAPIDLY GROWING ECOSYSTEM OF PARTNERSHIPS

Cloud & Network Security

Threat Intelligence

Security & IT Operations

…and many more

42 WHY CROWDSTRIKE?

DEEP CLOUD EXPERTISE We built the world’s largest cybersecurity platform in the cloud, so we know what it takes to operate a secure cloud architecture

SUPERIOR THREAT INTEL We use superior threat intelligence and threat hunting to quickly identify the most sophisticated types of threat activity

ADVANCED TECHNOLOGY We built the market leading cloud-native endpoint and cloud protection platform

FAST & EFFICIENT SERVICE We can deploy our solution within hours and gain immediate visibility to any threat activity in your cloud environment

43 LIVE DEMO: FALCON PLATFORM

44 QUESTIONS, CONTACT & ADDITIONAL RESOURCES

Q&A

For more information after this briefing please contact: shank.koundinya@.com 240.205.2946

Additional resources:
https://www.crowdstrike.com/resources/white-papers/intelligence-led-rapid-recovery/
https://www.crowdstrike.com/resources/data-sheets/crowdstrike-brochure/

45 THANK YOU