MOVING FROM THE RIGHT OF BOOM IN CYBER SECURITY TO LEFT OF BOOM
CROWDSTRIKE SERVICES FORGE BRIEFING, MARCH 18, 2021
CONTENTS
§ INCIDENT RESPONSE FROM THE FRONT LINES
§ INTELLIGENCE-LED RAPID RECOVERY: A NEW APPROACH
§ THE SHIFT TO CONTINUOUS MONITORING & RESPONSE
§ TRANSFORMING ENDPOINT & WORKLOAD SECURITY
OUR SPEAKERS TODAY

Tim Parisi is a Director of Incident Response services at CrowdStrike. Tim has more than 15 years of experience leading incident response investigations and advising clients on how to secure their networks across the globe. Prior to joining CrowdStrike, Tim performed incident response consulting at Mandiant where he led investigations, red/blue team exercises and compromise assessments for small and large enterprises around the world. Before entering the private sector, Tim performed computer forensics and insider threat investigations for various U.S. Government agencies at ManTech and MITRE and has been an instructor teaching forensic analysis to private companies and law enforcement agencies.

Eric Bodkin is a Director of Endpoint Recovery services at CrowdStrike. Eric has more than 15 years of experience in incident response, forensic investigation, cybersecurity operations, endpoint recovery and remediation. Prior to joining CrowdStrike, Eric’s career focused heavily on OCO and DCO in support of U.S. Government and Military operations on the front lines as active duty Navy assigned to the National Security Agency, and as a subject matter expert equipping, enabling, and training Cyber Protection Teams (CPT) across all branches of the service.

John Beck is a Senior Federal and DOD Engineer at CrowdStrike. John has more than 21 years of experience in engineering cybersecurity solutions for Federal and Department of Defense agencies. Prior to joining CrowdStrike, John supported federal agencies during his previous tenures at Forcepoint and McAfee, and prior to that acted as Security Lead as a contractor for a Federal Law enforcement agency and a Federal agency responsible for diplomatic missions.
2021 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
INCIDENT RESPONSE FROM THE FRONT LINES
Tim Parisi Director, Incident Response Services
THE ADVERSARIES: 150+ active adversary groups tracked across the globe
CROWDSTRIKE FALCON PLATFORM
• 700+ BILLION SECURITY EVENTS PER DAY
• 140+ MILLION IOA DECISIONS PER SECOND
• 75,000+ BREACHES STOPPED PER YEAR
INVESTIGATION: IRANIAN BASED GROUP HIJACKS DNS
THREAT ACTOR: SEA TURTLE, HELIX KITTEN
THREAT STATUS: ACTIVE
MOTIVATION: STATE SPONSORED
ORIGINS: IRAN
MALWARE: TWOFACE, MIMIKATZ, RGDOOR, PLINK
• Iranian nexus adversary group
• TwoFace webshell placed on vulnerable IIS servers
• RGDoor Internet Information Server (IIS) backdoor
• Network reconnaissance using native Windows tools
• PowerShell and custom build of PLink SSH client to establish reverse shells
• Moved to AWS space from credentials harvested via Mimikatz in non-cloud infrastructure
• Goal was to re-route traffic to specific domains, largely unachievable due to fast detection and response
INVESTIGATION: LABYRINTH CHOLLIMA “WANTS TO CONNECT” ON LINKEDIN
THREAT ACTOR: LABYRINTH CHOLLIMA
THREAT STATUS: ACTIVE
MOTIVATION: Criminal, State-Sponsored
ORIGINS: North Korea
MALWARE: NedDnLoader
• North Korea based adversary group
• Used LinkedIn to send unsolicited and targeted recruiting message as initial phishing lure – did not target corporate email
• Lure instructed victim to access website only with Internet Explorer. Allowed attacker to exploit zero day exploit CVE-2020-0674
• Reconnaissance performed: net user, reg query, netstat, reg export terminal server clients
• Unsuccessful lateral movement attempts due to misspelling of credentials
• Reconnaissance activities detected; system contained
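The slide ends with the reconnaissance being detected and the host contained. The following is an added example, not part of the briefing and not CrowdStrike code, of the detection logic a defender would write for exactly that pattern: it scans process-creation events for a burst of the discovery commands named on the slide (net user, reg query, netstat, reg export) launched by one parent process on one host inside a short window. The event tuple layout, host names, PIDs, the five-minute window and the threshold of three distinct techniques are all assumptions; the events are constructed, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands the slide lists, keyed by image name and an argument pattern.
DISCOVERY_PATTERNS = [
    ("net.exe", re.compile(r"\buser\b", re.I), "account discovery (net user)"),
    ("reg.exe", re.compile(r"\bquery\b", re.I), "registry query (reg query)"),
    ("reg.exe", re.compile(r"\bexport\b", re.I), "registry export (reg export)"),
    ("netstat.exe", re.compile(r"."), "network connection discovery (netstat)"),
]

# Constructed process-creation events (assumed layout):
# (timestamp ISO-8601, host, parent pid, image, command line)
SAMPLE_EVENTS = [
    ("2021-03-18T10:02:11", "WS-0417", 4120, "iexplore.exe", "iexplore.exe https://example.invalid/careers"),
    ("2021-03-18T10:03:05", "WS-0417", 5208, "net.exe", "net user"),
    ("2021-03-18T10:03:20", "WS-0417", 5208, "reg.exe",
     "reg query \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\""),
    ("2021-03-18T10:03:41", "WS-0417", 5208, "netstat.exe", "netstat -ano"),
    ("2021-03-18T10:04:02", "WS-0417", 5208, "reg.exe",
     "reg export \"HKCU\\Software\\Microsoft\\Terminal Server Client\" C:\\Users\\Public\\ts.reg"),
    # Routine admin activity on another host: one command, then another hours later.
    ("2021-03-18T10:15:00", "WS-0099", 3300, "net.exe", "net user"),
    ("2021-03-18T14:15:00", "WS-0099", 3300, "netstat.exe", "netstat -an"),
]


def classify(image: str, cmdline: str):
    """Return the discovery technique label for an event, or None if it is not one."""
    for img, pattern, label in DISCOVERY_PATTERNS:
        if image.lower() == img and pattern.search(cmdline):
            return label
    return None


def detect_discovery_bursts(events, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    """Alert when one parent process on one host runs >= threshold distinct
    discovery techniques within `window`. A single command is normal admin
    behaviour; several different ones back to back from the same parent is the
    hands-on-keyboard reconnaissance the slide describes."""
    by_parent = defaultdict(list)
    for ts, host, ppid, image, cmdline in events:
        label = classify(image, cmdline)
        if label:
            by_parent[(host, ppid)].append((datetime.fromisoformat(ts), label))

    alerts = []
    for (host, ppid), hits in by_parent.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            distinct = {lbl for t, lbl in hits[i:] if t - start <= window}
            if len(distinct) >= threshold:
                alerts.append({
                    "host": host,
                    "parent_pid": ppid,
                    "first_seen": start.isoformat(),
                    "techniques": sorted(distinct),
                })
                break  # one alert per parent process is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_discovery_bursts(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the parent process rather than the user so that an interactive admin session and a process spawned by a lure are scored separately; the threshold and window are the knobs to tune against a baseline of the environment's own admin scripting.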
RANSOMWARE ATTACKS ARE ON THE RISE
• 10 million new virus signatures released every month
• Signature-based A/V only looks at one attribute of the file
• Polymorphic malware is able to easily bypass legacy A/V
• Companies can’t keep up with patching
• Adversaries lock down & control the environment with better tools
INVESTIGATION: CARBON SPIDER TURNS UP THE HEAT ON RANSOM DEMANDS
THREAT ACTOR: CARBON SPIDER
THREAT STATUS: ACTIVE
MOTIVATION: CRIMINAL
ORIGINS: RUSSIAN FEDERATION
MALWARE: DARKSIDE, HARPY, SEKUR
• Affiliation with Pinchy Spider and REvil Ransomware
• UPS themed phishing email attack
• Links to a compromised SharePoint site deploying Harpy and Sekur malware
• Exfiltrated over 1TB of data
• Demanding increasingly higher ransoms ($4M)
• Countdown timers for the release of sensitive data
• Calls to employees to create additional pressure to pay ransom note
• Created a Ransomware-as-a-Service affiliate program for Darkside
BIG GAME HUNTING: Notorious ransomware threat actors actively engaged in attacks
• Low volume, high return ransomware
• Ransom demands usually exceed $250,000 and often reach over $5,000,000
• Penetration testing tooling and tactics used for lateral movement
• Administrator accounts used to deploy ransomware directly
INDRIK SPIDER: BitPaymer Ransomware
WIZARD SPIDER: Ryuk Ransomware
PINCHY SPIDER: GandCrab Ransomware
CROWDSTRIKE ACCELERATED APPROACH

TRADITIONAL IR APPROACH
Timeline: BREACH → DISCOVERY → IR START → VISIBILITY → IR FINISH
THREATS (WEEKS / MONTHS)
• BREACH NETWORK
• ESCALATE PRIVILEGES
• ACHIEVE LATERAL MOVEMENT
• UNDETECTED (SILENT FAILURE)
Result: BREACHES GO UNDETECTED
DEPLOY (DAYS)
• SHIP SERVERS
• LOAD SOFTWARE
• FLY CONSULTANTS
Result: LONG DISCOVERY PROCESS
SCAN (WEEKS)
• RUN SYSTEM SCAN (SINGLE SNAPSHOT)
• ANALYZE RESULTS
• REPEAT UNTIL ACTIVITY IS SEEN
Result: SLOW START & REMEDIATION
REMEDIATE (MONTHS)
• PLUG HOLES AS THEY ARE FOUND
• REIMAGE MACHINES (“DISRUPT USERS”)
• RERUN SCANS TO LOOK FOR MORE ACTIVITY
• REPEAT UNTIL CONSULTANT FEELS THERE IS NO MORE ACTIVITY
Result: VERY COSTLY & DISRUPTIVE

CROWDSTRIKE ACCELERATED IR
GAIN VISIBILITY (MINS)
• DEPLOY CLOUD-BASED SENSORS
• IMMEDIATE THREAT INTEL
• PRESERVE FORENSICS
CONTAIN THREAT (HOURS)
• TRIAGE INCIDENTS
• ISOLATE HOSTS
RECOVER ENDPOINTS (DAYS)
• EJECT ADVERSARIES
• RECOVER ENDPOINTS
SECURE ENVIRONMENT (WEEKS)
• THREAT HUNTING
• FULL INCIDENT INVESTIGATION
Result: IMMEDIATE DISCOVERY, FAST START & REMEDIATION, QUICK & COST EFFECTIVE

CROWDSTRIKE VALUE
• Accelerate incident response
• Minimize downtime
• Reduce business interruption
• Greater visibility for better decision making
• Lower cost investigation and remediation
• Reduced adversary impact
WHAT MAKES CROWDSTRIKE STAND OUT? The Falcon Platform provides immediate visibility and threat actor information that informs our remediation efforts
FALCON INSIGHT + FALCON INTEL + SERVICES
TO GET YOU BACK TO NORMAL BUSINESS OPERATIONS FAST
QUESTIONS (Q&A)
INTELLIGENCE-LED RAPID RECOVERY: A NEW APPROACH
Eric Bodkin Director, Endpoint Recovery Services
COMMON ATTACK CHAIN
Initial Access                   | Lateral Movement        | Execution                   | Persistence                 | Impact
Account/RDP Brute Force          | WMI                     | Cobalt Strike               | Scheduled Tasks             | BitPaymer Ransomware
Internet Exposed Vulnerabilities | PSEXEC                  | Powershell Empire           | Persistent Service Creation | Ryuk Ransomware
Phishing / Social Engineering    | Remote Service Creation | TA-Specific Loaders/Trojans | GPO Configuration           | GandCrab Ransomware

MITRE ATT&CK PHASES (1–12): Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control, Impact
RECOVERY: CARBON SPIDER – CROWDSTRIKE EXTINGUISHES RANSOMWARE ATTACKS
THREAT ACTOR: CARBON SPIDER
THREAT STATUS: ACTIVE
MOTIVATION: CRIMINAL
ORIGINS: RUSSIAN FEDERATION
MALWARE: DARKSIDE, HARPY, SEKUR
• Visibility of full threat context within minutes of deploying the Falcon platform
• Active containment of infected hosts to stop further lateral movement and infection
• Real time response to kill malicious processes and delete infected files with speed & precision
• No system reimaging and no system reboots required
• No disruption to the end users and no business interruption
• Get back to business faster
TRADITIONAL RECOVERY APPROACH: “Tear down and rebuild everything”
Identify infection, isolate the threat
Assess options for recovering systems and data
Recover systems and data
Identify and mitigate initial exploit/access vectors
Eliminate active malware; Prevent reoccurrence
Discover and remediate attacker persistence
Remediate impacted users, accounts, and access points
Monitor for re-entry and evaluate effectiveness of remediation
TRADITIONAL RECOVERY: Incomplete and costly
INEFFECTIVE TECHNOLOGY
• LACK OF PREVENTION
• LACK OF VISIBILITY
• INEFFECTIVE ACTIONS
→ ATTACK REOCCURRENCE
→ BACK TO SQUARE ONE: INCREASED TIME, INCREASED COSTS
INCOMPLETE INSIGHTS
• UNINFORMED DECISIONS
• “WHAT GOT YOU HERE” ROOT PROBLEM UNADDRESSED
→ DOWNTIME AND INTERRUPTIONS
→ WASTE OF TIME AND RESOURCES, CRITICAL OPERATIONS
INTELLIGENCE-LED RAPID RECOVERY: Endpoint recovery with zero business interruption
TECHNOLOGY
▪ Deployment and configuration
▪ Attack prevention and visibility
▪ Active response capabilities
INTELLIGENCE
▪ Observed events + enriched data = actionable insights
▪ Threat Actor tracking and reporting
EXPERTISE
▪ TTP identification and analysis
▪ Been there, done that
▪ Hands-on remediation
ENDPOINT RECOVERY
▪ Rapid ▪ Effective ▪ Complete ▪ Zero downtime ▪ Zero interruptions
RECOVERY PROCESS: Begin active recovery of your environment quickly
CONTAINMENT & PREVENTION (< 24 HRS)
OBJECTIVE: Rapid delivery and configuration of Falcon in high prevention policies to stop the execution and lateral movement of active attacks
ACTIVE RECOVERY (72 – 96 HRS)
OBJECTIVE: Analyze Falcon Insights data to actively remediate (kill) memory resident malware, persistence, and other active attack components
MONITORING (30 DAYS)
OBJECTIVE: Prevent and monitor customer environment for re-emergence of previous incident, and detection and remediation of new incidents
REPORTING (END OF TERM)
OBJECTIVE: Service reporting, recovery actions, and remediation
ACTIVE RECOVERY: Remediate endpoints to remove active malware and persistence
ACTIVE RECOVERY (72 – 96 HRS)
At this point you’ve identified there is a previous / ongoing security incident that has impacted a single, small, or large number of endpoints in your environment.
• Investigate and analyze endpoint data to understand full scope of incident
• Fully remediate endpoints to remove active malware, persistence, and related artifacts
• Prevent/limit endpoint and user downtime and associated business interruptions
ACTIVE RESPONSE: Removing threats and persistence mechanisms with real time response
COLLECT INFO: Network, Processes, File System, Registry, Activities, Memory, OS Events
TAKE ACTION: Kill Process, Delete File, Blacklist File, Modify Registry, Network Quarantine, Custom Scripts
INTELLIGENCE-LED RAPID RECOVERY: RECOVERY Using Real Time Response
REAL TIME RESPONSE: A built-in Falcon capability that enables and empowers rapid endpoint analysis, recovery, and remediation
SOLUTION
• Access Real Time Response (RTR) via the Falcon Cloud UI from any location
• Direct endpoint access regardless of location
• Built-in commands, PowerShell scripting, playbook storage, upload and execution of additional tools
• Single system recovery or mass-system recovery via the API
OUTCOMES
• Enables rapid analysis and a complete investigation
• Surgical endpoint remediation on 1 or 10,000 systems
• Users keep working and so do critical systems
• No need for system re-image or replacement
• Zero interruption
INTELLIGENCE-LED RAPID RECOVERY: RECOVERY Surgically remove ransomware and other advanced persistent threats
REAL TIME RESPONSE
• Connect to hosts • Kill malicious processes • Delete infected files • Modify registry entries • Run recovery scripts
INTELLIGENCE-LED RAPID RECOVERY SUCCESSES
EMOTET / TRICKBOT
• 900 endpoints / 400+ infected with Emotet and TrickBot
• Falcon detected/prevented ~14k attacks in first 24 hours
• Complete remediation of all systems within 72 hours
• Zero recurring attacks
• Zero system images or downtime
• Prevented Ransomware outbreak
COINMINER
• 30k+ total endpoints / 15k+ infected with invasive coin miner
• Pro-active endpoint inoculation
• Mass remediation of infected endpoints within 1 week; restoring critical services
• Zero recurring attacks
• Zero system images or downtime
RANSOMWARE
• 1k+ endpoints with large % ransomed
• Removed related stale artifacts
• Identified unknown instances of persistence and fully remediated
• Identified vulnerable VPN server
• Zero recurring attacks
• Zero system images or downtime
• Prevented 2nd Ransomware attack
INTELLIGENCE-LED RAPID RECOVERY: Effective endpoint recovery
RECOVERY CHECKLIST:
• Did you detect and prevent all ongoing and active attack components?
• Did you identify and remediate persistence?
• Have you ensured full visibility and effective response actions across your environment?
• Did you identify and mitigate the initial attack vector?
• Are you monitoring for re-entry and prepared for next time?
QUESTIONS (Q&A)
THE SHIFT TO CONTINUOUS MONITORING & RESPONSE
SURVIVAL OF THE FASTEST
TO STAY AHEAD YOU MUST:
• DETECT IN 1min
• INVESTIGATE IN 10min
• RESPOND IN 60min
BREAKOUT TIME
MITRE ATT&CK PHASES (1–12): Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control, Impact
BUT…STOPPING RANSOMWARE Requires more than just technology
MANAGE: IMPLEMENT, CONFIGURE, TUNE
PREVENT: BLOCK THREATS
MONITOR: DETECT, PRIORITIZE, INVESTIGATE
RESPOND: CONTAIN, REMEDIATE
YOU NEED DEEP HUMAN EXPERTISE To stop today’s sophisticated ransomware attacks
IR & REMEDIATION TEAM: INCIDENT RESPONSE, INVESTIGATION, AND RECOVERY
THREAT INTEL TEAM: THREAT INTELLIGENCE & MACHINE LEARNING
OVERWATCH TEAM: 24/7 THREAT HUNTING
CROWDSTRIKE FALCON PLATFORM: ENDPOINT AND CLOUD WORKLOAD PROTECTION
CONTINUOUS MONITORING & RESPONSE CHANGES THE GAME
                      Industry Average *   FALCON COMPLETE: 24X7 CONTINUOUS MONITORING & RESPONSE
Time to Detect        120 Hours            1 Minute
Time to Investigate   11 Hours             6 Minutes
Time to Remediate     31 Hours             29 Minutes
* Source: CrowdStrike 2019 Global Security Attitude Survey
FALCON COMPLETE = FALCON DISCOVER (IT HYGIENE) + FALCON PREVENT (NEXT GEN AV) + FALCON INSIGHT (EDR) + FALCON OVERWATCH (24X7 THREAT HUNTING)
FALCON COMPLETE EXCEEDS THE 1:10:60 GOAL
FROM REACTIVE IR TO CONTINUOUS MONITORING & RESPONSE
• Become better equipped to stop incidents
• Enhance your level of cybersecurity maturity
• Respond more effectively when incidents do occur
• Achieve continuous monitoring and response
• Deliver the 1:10:60 goal
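To make the 1:10:60 goal measurable rather than a slogan, here is an added example (not part of the briefing, not CrowdStrike code) that scores incident timelines against it: each phase is timed from the previous milestone, matching how the deck reports time to detect, investigate and remediate as separate figures, and each is also compared with the industry averages quoted on the earlier slide. The timelines are constructed; the second one sits exactly on those industry averages. The breakout-time figure is an assumption supplied by the caller, since the deck names breakout time but gives no number.

```python
from dataclasses import dataclass
from datetime import datetime

# The 1:10:60 goal: detect within 1 minute, investigate within 10 minutes,
# respond (contain and remediate) within 60 minutes, each phase measured from
# the previous milestone.
GOAL_MINUTES = {"detect": 1.0, "investigate": 10.0, "respond": 60.0}

# Industry averages quoted on the deck (CrowdStrike 2019 Global Security
# Attitude Survey), converted from hours to minutes.
INDUSTRY_AVERAGE_MINUTES = {"detect": 120 * 60.0, "investigate": 11 * 60.0, "respond": 31 * 60.0}


@dataclass
class IncidentTimeline:
    name: str
    intrusion_start: datetime  # first malicious activity on the initial host
    detected: datetime         # alert raised on that activity
    investigated: datetime     # scope and root cause established
    responded: datetime        # host contained, malware and persistence removed


def phase_durations_minutes(t: IncidentTimeline) -> dict:
    """Minutes spent in each phase, each measured from the previous milestone."""
    def minutes(start: datetime, end: datetime) -> float:
        return (end - start).total_seconds() / 60.0
    return {
        "detect": minutes(t.intrusion_start, t.detected),
        "investigate": minutes(t.detected, t.investigated),
        "respond": minutes(t.investigated, t.responded),
    }


def evaluate(t: IncidentTimeline, breakout_minutes: float) -> dict:
    """Score one incident against 1:10:60 and against an assumed breakout time.

    breakout_minutes is the time the adversary is assumed to need to move
    laterally off the first host (caller-supplied assumption). Containment
    before breakout means the whole intrusion-to-response span fits inside it.
    """
    durations = phase_durations_minutes(t)
    phases = ("detect", "investigate", "respond")
    missed = [p for p in phases if durations[p] > GOAL_MINUTES[p]]
    intrusion_to_response = sum(durations.values())
    return {
        "name": t.name,
        "durations": durations,
        "missed_phases": missed,
        "meets_1_10_60": not missed,
        "contained_before_breakout": intrusion_to_response <= breakout_minutes,
        "faster_than_industry": {p: durations[p] < INDUSTRY_AVERAGE_MINUTES[p] for p in phases},
    }


# Constructed timelines (not real incidents). "legacy-av-only" is placed exactly
# on the industry averages: 5 days to detect, 11 h to investigate, 31 h to remediate.
SAMPLE_TIMELINES = [
    IncidentTimeline("monitored-endpoint",
                     datetime(2021, 3, 18, 9, 0, 0), datetime(2021, 3, 18, 9, 0, 45),
                     datetime(2021, 3, 18, 9, 7, 0), datetime(2021, 3, 18, 9, 40, 0)),
    IncidentTimeline("legacy-av-only",
                     datetime(2021, 3, 18, 9, 0, 0), datetime(2021, 3, 23, 9, 0, 0),
                     datetime(2021, 3, 23, 20, 0, 0), datetime(2021, 3, 25, 3, 0, 0)),
]


def report(breakout_minutes: float = 120.0) -> list:
    """Evaluate every sample timeline; 120 minutes is a placeholder breakout time."""
    return [evaluate(t, breakout_minutes) for t in SAMPLE_TIMELINES]


if __name__ == "__main__":
    for r in report():
        print(r["name"], "meets 1:10:60:", r["meets_1_10_60"], "missed:", r["missed_phases"])
```

Run over real incident records, the same three per-phase durations are what an IR programme should trend over time; the phase that misses most often is where to invest (sensor coverage for detect, analyst tooling for investigate, response automation for respond).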
QUESTIONS (Q&A)
TRANSFORMING ENDPOINT & CLOUD SECURITY
John Beck Senior Federal and DOD Engineer
CLOUD SECURITY CHALLENGES
CUSTOMER: Cloud Security Architect, SecOps, DevOps
DATA & APPS
INFRASTRUCTURE
CLOUD SERVICES PROVIDER
DYNAMIC MULTI-CLOUD: HARD TO KEEP UP
SHARED RESPONSIBILITY: UNCLEAR WHO IS RESPONSIBLE
COMPLEXITY: COMPLEX SECURITY
CLOUD RUNTIME THREATS
BREACHES ARE HAPPENING | ADVERSARIES’ INTEREST | TRADITIONAL AND NEW ATTACKS
ADVERSARIES HAVE THEIR HEADS IN THE CLOUD
“I use a lack of outbound restrictions and workload protection to exfiltrate your data”
“We target neglected cloud infrastructure slated for retirement that still contains sensitive data”
“We leverage common cloud services as a way to obfuscate malicious activity”
PROMINENT CLOUD ATTACKS
CAPITAL ONE: IAM ROLE WITH EXCESSIVE PERMISSIONS ALLOWING ROLE ACCESS TO UNENCRYPTED DATA. IMPACTING 106M CONSUMERS ACROSS US/CANADA, LEADING TO $80M PENALTY TO US BANK REGULATORS
IMPERVA: NETWORK MISCONFIGURATION EXPOSED HARDCODED API KEYS USED TO ACCESS DATABASE. DATABASE SNAPSHOT WITH CUSTOMER EMAILS, PASSWORDS, AND API KEYS EXPOSED
CENTURYLINK: NETWORK MISCONFIGURATION EXPOSED MONGODB WITH EXCESSIVE PERMISSIONS. 2.8M CUSTOMER RECORDS EXPOSED AND THE BREACH WENT UNDETECTED FOR 10 MONTHS
SOURCE: ACCURICS SUMMER 2020 REPORT – THE STATE OF DEVSECOPS
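Two of the three incidents above come down to a principal holding broader permissions than its job needed. As an added example, not part of the briefing and not CrowdStrike code, the linter below checks an IAM policy document for the least-privilege violations that produce that shape: wildcard actions, Allow statements that apply to every resource with no Condition, and NotAction grants. It is run over two constructed policies (not the breached organisations' real policies): one with the over-broad shape the Capital One slide describes, and a scoped equivalent that reads one bucket over TLS only. Bucket names, the key-prefix list and the finding format are assumptions.

```python
import json

# Constructed sample policies (assumed, not from the briefing or any real account).
OVERLY_PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        # Every S3 action on every bucket: one SSRF against the instance
        # metadata service would hand a caller the whole estate's data.
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        # Decrypt with any key, plus a second wildcard on top.
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:*"], "Resource": "*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-app-logs", "arn:aws:s3:::example-app-logs/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        },
        # A Deny can only narrow access and never produces a finding.
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts either a single string or a list for Action, Resource, Statement."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> list:
    """Return one finding dict per least-privilege violation in an Allow statement."""
    findings = []
    doc = json.loads(policy_json)
    for idx, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:
            findings.append({"statement": idx, "action": str(st["NotAction"]),
                             "issue": "NotAction grants every action not listed"})
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wildcard_resource = "*" in resources
        conditioned = "Condition" in st
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append({"statement": idx, "action": action,
                                 "issue": "wildcard action"})
            if wildcard_resource and not conditioned:
                findings.append({"statement": idx, "action": action,
                                 "issue": "applies to every resource with no Condition"})
    return findings


def is_least_privilege(policy_json: str) -> bool:
    """True when the linter raises nothing; a gate for a CI check on IaC templates."""
    return not lint_policy(policy_json)


if __name__ == "__main__":
    for name, policy in (("permissive", OVERLY_PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "least privilege:", is_least_privilege(policy))
        for f in lint_policy(policy):
            print("  statement", f["statement"], f["action"], "->", f["issue"])
```

Wired into the pipeline that deploys the role, the same check fails the build before the role ever exists; wired into a periodic scan of live roles, it is the inventory of "who can read everything" that the 10-month-undetected CenturyLink exposure shows nobody was keeping.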
CROWDSTRIKE FALCON CLOUD-NATIVE PLATFORM
FALCON ENDPOINT & WORKLOAD PROTECTION PLATFORM: THE FIRST CLOUD-NATIVE ENDPOINT AND WORKLOAD PROTECTION PLATFORM BUILT TO STOP BREACHES.
• 15+ PETABYTES OF SECURITY TELEMETRY DATA IN THE CLOUD
• 700B+ SECURITY EVENTS PROCESSED PER DAY
• 140M+ IOA DECISIONS MADE PER SECOND
• 75,000+ BREACHES STOPPED PER YEAR
• 150+ ADVERSARIES TRACKED ACROSS THE GLOBE
• SINGLE LIGHT-WEIGHT AGENT FOR ALL PLATFORMS (INCL. CLOUD, VMs, CONTAINERS)
• MARKET LEADING COMPREHENSIVE CYBERSECURITY SOLUTION
ONE PLATFORM FOR HYBRID CLOUD AND CONTAINERS
DATACENTER
SERVERS VIRTUAL MULTI-CLOUD CONTAINERS
A RAPIDLY GROWING ECOSYSTEM OF PARTNERSHIPS
Cloud & Network Security
Threat Intelligence
Security & IT Operations
…and many more
WHY CROWDSTRIKE?
DEEP CLOUD EXPERTISE: We built the world’s largest cybersecurity platform in the cloud, so we know what it takes to operate a secure cloud architecture
SUPERIOR THREAT INTEL: We use superior threat intelligence and threat hunting to quickly identify the most sophisticated types of threat activity
ADVANCED TECHNOLOGY: We built the market leading cloud-native endpoint and cloud protection platform
FAST & EFFICIENT SERVICE: We can deploy our solution within hours and gain immediate visibility to any threat activity in your cloud environment
LIVE DEMO: FALCON PLATFORM
QUESTIONS, CONTACT & ADDITIONAL RESOURCES
Q&A
For more information after this briefing please contact: shank.koundinya@crowdstrike.com, 240.205.2946
Additional resources:
https://www.crowdstrike.com/resources/white-papers/intelligence-led-rapid-recovery/
https://www.crowdstrike.com/resources/data-sheets/crowdstrike-brochure/
THANK YOU