2015 Global Threat Report

2015 Global Threat Report

2015 GLOBAL THREAT REPORT INSIDE: ■ Targeted Intrusions ■ Criminal and Hacktivist Activity ■ 2016 Predictions PROVIDED BY THE CROWDSTRIKE INTELLIGENCE TEAM LETTER FROM THE CEO If there’s one thing that businesses, boards of directors and C-level execs can take from CrowdStrike’s 2015 Threat Report, it is that the paradigm has broadened beyond people, processes, and technology to now include integrated, crowdsourced, and enriched threat intelligence. Our Global Threat Report highlights that today’s threats, more than ever before, are driven by geopolitical and eco- nomic events around the world. The primary motivation behind global cyber activity has now shifted from disparate activities carried out by individuals, groups and criminal gangs pursuing short-term financial gain, to skilled adversaries driven by strategic global conflicts. The economic downturn and new Five Year Plan in China will continue to drive their state-sponsored cyber espionage activities. The situation in the Ukraine and falling oil prices will continue to fuel targeted intrusions from Russia. The conflict in the Middle East between Saudi Arabia and Iran over Yemen will continue to generate hacktivism from that region. CEOs and boards of directors who ignore or disregard the ramifications of global events such as these will pay for it in the loss of revenue, jobs, intellectual property, and shareholder value. This shift underscores the importance for an effective intelligence program about the motivations of your adversary. The mantra “people, processes and technology” is no longer enough for cyber se- curity. In today’s threat environment, it takes people, processes, technology AND intelligence. Intelligence is no longer a “nice-to-have.” It is a mandatory element of stopping breaches. How can you expect to win if you do not have a solid understanding of how your adversary operates, what their tendencies are, what their goals are, and what motivates them? Recognize why they would want to come after you and your company. If you don’t know the game plan of your adversary, you will fail to defend your corporation. It sounds like common sense, but it is something that is lost in the outdated discussion of people, processes and technology. Companies must have intelligence, either home-grown or provided by third-party sources who have the trained personnel to monitor, capture and analyze threat data effectively. Emphasizing intelligence has been a cornerstone for CrowdStrike’s approach to security since the foun- dation of the company five years ago: Providing cloud-based security powered by comprehensive, in-house threat intelligence. With our Falcon Platform and Threat Intelligence team, we have a unique bird’s-eye view by having our endpoint sensors deployed in more than 170 different countries, handling more than ten billion events per day, as well as providing incident response services in response to some of the largest breaches. The “brains” behind our Falcon Platform is our Threat Graph engine, which constantly collects and analyzes billions of events, both in real time and retrospectively. As a result, on a weekly basis, we are identifying and mitigating hundreds of breaches for which traditional defenses silently fail. The CrowdStrike team has put tremendous effort into capturing this real attack telemetry, analyzing it, distilling how adversaries operate, and more importantly, what motivates them. We hope our experiences and the lessons learned that are manifested in the 2015 Threat Report will provide companies a sampling of the intelligence they need to protect themselves in 2016 and beyond. George Kurtz. President, CEO & Co-Founder 2015 GLOBAL HACKTIVIST | 57-68 59 The Rise of Hacktivism in the Middle East THREAT 59 Iran-Related Groups 59 Parastoo, Remember EMAD, and SOBH Cyber Jihad REPORT 60 Yemen Cyber Army 61 Pro-/Anti-ISIS Activity 63 Intrusion Capabilities of ISIS 63 GEKKO JACKAL Demonstrates Resilience RUSSIA 23 and a Criminal Motivation in 2015 25 Resurgence of Russian Power CON- & Expansion of Intel Gathering LOOKING FORWARD TO 2016 | 69-91 28 The Fifth Domain - The Information Battlespace in Ukraine 69 Review of 2014 Predictions 29 CyberBerkut 71 Adversary Operational Security 30 BERSERK BEAR 71 Increased Targeting of Embedded Devices 71 China Will Continue Conducting Espionage NORTH KOREA 31 71 Joint Plan of Action as a Catalyst 31 North Korean Cyber Espionage in 2015 71 Cyber Spillover from Regional Conflict 33 Milmanbag 72 Point-of-Sale Attacks in the Wake of EMV 33 Hawup 72 Destructive and Disruptive Attacks 33 AIMRAT TENTS 35 72 R&D 73 x86 System and Firmware Security IRAN 35 74 State of the TLS Ecosystem 35 Iranian Control of Western Influence 74 Attacks and Incidents INTRODUCTION | 3-4 37 Black Spider and the 75 New Developments Arrests of Iranians 75 Changes to the Protocol TARGETED INTRUSION | 5-46 38 Supreme Leader Streamlines & 76 Container and Virtualization Security Obtains Further Control 76 Containers Over the Internet 77 Virtual Machines CHINA 5 39 Iran Prioritizes its National 78 Targeted Intrusion 07 PII Breaches Internet, Network Infrastructure, 78 China 10 Legal and Regulatory Challenges and Cyber Capabilities 78 Chinese Intentions in Cyberspace Posed by PII-Focused Targeted 42 ROCKET KITTEN 79 The Shifting Dynamics of China’s Cyber Operators Intrusion Operations 43 INDIA 80 China’s 13th Five-Year Plan 12 Hacking Team Campaigns 45 SOUTH AMERICA 12 Possible Timeline 81 Russia 13 Censorship, Corruption, and E-CRIME | 47-56 82 Iran China’s “Cyber Sovereignty” 88 North Korea 14 Rise of the MPS 88 Criminal 49 Trends in eCrime Activity - 2015 18 Corruption Crackdown and 88 Targeted Criminal Intrusion 51 Emergence of Extortion-Based Military Reorganization 88 Commodity Malware Criminal Operations 19 Island-Building in the South China Sea 89 Extortion 52 I ntelligence-Powered Social 21 TURBINE PANDA 89 Hacktivism Engineering Scams 89 Motivation 54 Blurring Lines Between 89 DDoS Criminal and Espionage Activity 31 92 Conclusion INTRODUCTION At CrowdStrike, a fundamental belief is that intelligence powers everything we do. It drives our next-generation endpoint protection, it fuels our incident response teams so they can resolve incidents faster, and it is consumed by our customers and their enterprise tools, allowing them to detect and stop attacks. well-known proverb captures the This year’s CrowdStrike Intelligence Global governments, and individuals deemed to be essence of intelligence: In the land Threat Report contains a wealth of intelligence dangerous to the aggressor. Electronic crime of the blind, the one-eyed man is regarding adversary behavior, capabilities, and (eCrime) is financially motivated activity by king. One who is better informed intentions. More importantly, it ties it back to threat actors targeting any number of victims thanA his adversaries will have the advantage. the events that influenced those activities. By ranging from individuals to corporations. Tar- Intelligence helps remove uncertainty from understanding the events that shape the beliefs geted eCrime is an issue that is emergent and decision making; businesses around the world and motivations of threat actors—regardless if covered in the report as well. Hacktivism can use various types of intelligence to ascertain they are criminal, nation-state, or hacktivist—it pop up at any time, for any reason, anywhere; what markets they should focus on, and how they is possible to comprehend what drove the hacktivist actors may be nationalists, social should enter those markets. Intelligence about adversaries to behave as they did, and perhaps activists, terrorist supporters, or pranksters. what personnel, which business units, or what to understand what this will mean for the future. products are being targeted by malicious threat The hope is that this report will provide a lens This report is organized differently from our actors can similarly aid in the decision-making by which the reader can begin to view the world previous Global Threat Reports. In years past, the process for the business. This transcends the through the eyes of the attacker and use that reports contained a review of notable activity security operations center and incident response information to stay ahead of the adversary—or followed by adversary-specific information, and measures. This information can help the business as some might say, “to the left of boom”. they culminated in a looking forward section. make more informed decisions, from the IT team, These reports were contiguous and meant to be the C-suite, and even the board of directors. CrowdStrike buckets more than 70 designated read from start to finish. This report is designed adversaries into three different motivations. to flow more like a magazine; there are feature Increasingly, organizations around the globe are These motivations—Targeted Intrusion, eCrime, reports on various topics, smaller pieces meant using threat intelligence to make their enterprises and Hacktivism—can be influenced by a wide to augment those topics, and profiles of select smarter and more resilient. These organizations range of external factors. Targeted intrusion adversaries. The basic structure covers the three use threat intelligence to stay ahead of the adver- is most frequently executed by nation-states adversary motivations tracked by CrowdStrike: sary. As more and more organizations begin to seeking to collect intelligence to facilitate Targeted Intrusion, eCrime, and Hacktivism. This utilize threat intelligence, the value in understand- public

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    15 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us