CrowdCasts Monthly: When Pandas Attack

WHEN PANDAS ATTACK
HOW TO DETECT, ATTRIBUTE, AND RESPOND TO
MALWARE-FREE INTRUSIONS
Dmitri Alperovitch - Chris Scott - Adam Meyers

TODAY’S SPEAKERS
2014 CrowdStrike, Inc. All rights reserved. 2
@DMITRICYBER
@CROWDSTRIKE | #CROWDCASTS
DMITRI ALPEROVITCH | CO-FOUNDER & CTO
Dmitri Alperovitch is the Co-Founder and CTO of CrowdStrike. A
renowned computer security researcher, he is a thought-leader on cybersecurity
policies and state tradecraft. Prior to founding CrowdStrike, Dmitri was a Vice
President of Threat Research at McAFee, where he led the company’s global
internet threat intelligence analysis and investigations. In 2010 and 2011,
Alperovitch led the global team that investigated and brought to light Operation
Aurora, Night Dragon and Shady RAT groundbreaking cyberespionage intrusions,
and gave thoses incidents their names.

TODAY’S SPEAKERS
@NETOPSGURU
CHRIS SCOTT | DIRECTOR, SERVICES
Christoper Scott has over 15 years of Fortune 500/DoD/DIB
business proficiency, including more than 7 years of targeted threat detection
and prevention expertise. As a Director at CrowdStrike Services, Christopher
supports a variety of engagements that include: security reviews, incident
response, data loss prevention, insider threat analysis and engineering threat
detection systems, business continuity and disaster recovery processes. In
addition, Christopher assists in building risk recognition systems and advancing
the CrowdStrike Services practice.

TODAY’S SPEAKERS
@ADAM_CYBER
ADAM MEYERS | VP, INTELLIGENCE
Adam Meyers has over a decade of experience within the
information security industry. He has authored numerous papers that have
appeared at peer reviewed industry venues and has received awards for his
dedication to the field. At CrowdStrike, Adam serves as the VP of Intelligence.
Within this role it is Adam’s responsibility to oversee all of CrowdStrike’s
intelligence gathering and cyber-adversarial monitoring activities. Adam’s Global
Intelligence Team supports both the Product and Services divisions at CrowdStrike
and Adam manages these endeavors and expectations.

ADVANCED ATTACKERS EVADE
IOC-BASED DETECTION
HOW CAN YOU FIND AN ATTACK WHEN THERE
IS NO MALWARE, NO COMMAND AND CONTROL,
AND NO FILE-BASED ARTIFACTS?

REAL-WORLD CASE STUDIES

LET’S DIVE IN…
WHO’S BEHIND THE ATTACK?

UNCOVER THE ADVERSARY @CROWDSTRIKE | #CROWDCASTS
RUSSIA
Energetic Bear: Oil and Gas
Companies
HACTIVIST/TERRORIST
CHINA
Comment Panda: Commercial, Government, Non-profit
Deep Panda: Financial, Technology, Non-profit
Foxy Panda: Technology & Communications
Anchor Panda: Government organizations, Defense &
Aerospace, Industrial Engineering, NGOs
Impersonating Panda: Financial Sector
Karma Panda: Dissident groups
Keyhole Panda: Electronics & Communications
Poisonous Panda: Energy Technology, G20,
NGOs, Dissident Groups
Putter Panda: Governmental & Military
Toxic Panda: Dissident Groups
Union Panda: Industrial companies
Vixen Panda: Government
IRAN
INDIA
Viceroy Tiger: Government, Legal,
Financial, Media, Telecom
NORTH KOREA
Silent Chollima:
Government, Military,
Financial
Magic Kitten: Dissidents
Cutting Kitten: Energy Companies
CRIMINAL
Singing Spider: Commercial, Financial
Union Spider: Manufacturing
Andromeda Spider: Numerous
Deadeye Jackal: Commercial, Financial,
Media, Social Networking
Ghost Jackal: Commercial, Energy,
Financial
Corsair Jackal: Commercial, Technology,
Financial, Energy
Extreme Jackal: Military, Government

PARCEL ISLANDS
Disputed Territory
• 16°40′N 112°20′E
• Claimed by:
– Vietnam (Hoàng Sa Archipelago)
– Peoples Republic of China (Xisha Islands)
– Taiwan
• Originally occupied by French in 1938,
the islands were taken by Japan and
then China post World War II
• In 1974 armed conflict saw the
occupation of the islands by victorious
PLA forces over ARVN. Unified
Socialist Vietnam renewed claims

HAIYANG SHIYOU 981
May 2, 2014
• Owned by: CNOOC Group
– Displacement: 30,670 tons
– Length: 114 meters
– Beam: 90 meters
– Speed: 8 knots
– Crew: 160
• Mission: Evaluate potential for Oil
Reserves
• In theater 2 May – 16 Jul

CHINESE INTRUSION ACTIVITY
May/June
CHINESE INTRUSION ACTIVITY
Increasing activity as conflict escalates

Increasing tensions and intrigue
HD981 OPERATIONS MAY - JULY
2 May
HD981
deployed
near Parcel
Islands
26 May
Vietnamese
fishing boat
sinks after
confrontation
with Chinese
vessels
June tensions
continue to
rise as HD981
moves closer
to Parcel
Islands and
conducts
drilling
16 July
HD981 leaves
the Parcel
Islands in
advance of
typhoon
season and
to ‘review
data’ from
drilling
operations

Mid June 2014
• Sunni extremists from the ISIS begin
advance on key Iraqi industrial city Baiji
• 12 June, ISIS vehicles and personnel burn
down courthouse and police station, and
release prisoners from jail
• 18 June ISIS insurgents begin attacking Baiji
refinery the largest in Iraq, this has the
capability to refine over 300,000 barrels of oil
per day
ISLAMIC STATE OF IRAQ AND SYRIA (ISIS)
Baiji

Top Oil Imports
CHINA OIL AT RISK

WHAT HAPPENED?
THIS IS A STORY OF THE INCIDENT…

CASE STUDY: WEBSHELL ATTACK
• Suspicious Logins Detected within Environment
• Falcon Host Deployed to the Network with CSOC Monitoring
– Deployment Time is now Hours not Days
– The Cloud Allows Rapid Deployment and Increased Visibility
• Not Dependent on Hardware
• No Infrastructure to Standup
• Visibility on Adversary Actions
– Webshell Deployments and Usage
– Usage of Sticky Keys
– Usage of PowerShell with Custom Encryption

CASE STUDY: WEBSHELL ATTACK
• Watching the Adversary Change TTPs in Real-time
– Uploading New Tools, Monitoring for Logons
• Security Teams able to Respond within Minutes
– Removal of Infected Machines
– Memory Capture with Attacker Tools Running
• Reduction in Incident Response Timing
– Remediate Quicker
– Reduce the Need for Deep Dive Forensics
– Reduce the Cost of Incident Response
• Continued Visibility Going Forward
– Detections Allowing Security Teams to Prevent Attacker Foothold

ADVERSARIES
ADJUSTING TTPS
Changes to Persistence
• Moving from Workstations back to Servers
• Reducing Footprint
Forensic Evidence Reduction
• Utilizing Memory for Execution, Compression,
Exfiltration
• Automated Cleanup Processes
Simplified Toolsets and Communication
Webshells
• Compiled on the Fly, Direct to Memory
• Utilize SSL Certificates on External Accessible Sites
• Utilize Custom Encryption within Microsoft
PowerShell

SECURITY TEAMS
MUST ADJUST
New Detection Methods
• Must be Realtime or Near-Realtime, Sweeping for
IOCs is a Losing Proposition
• Must Detect Credential Theft as it Happens
• Must Capture Adversaries Commands as Forensics
are Being Reduced
Benefits of Detection Methods
• Able to Respond Quicker
• Reduce Exposure and Loss
• Allow Security Teams to Adjust to Adversary TTPs on
the Fly
• Increasing Costs to the Adversary

NOW WHAT?
HOW DID WE DETECT AND ATTRIBUTE
THIS MALWARE-FREE INTRUSION?

TECHNOLOGY COMPONENTS
FALCON HOST CORE COMPONENTS
FALCON HOST TECH OVERVIEW
CLOUD-BASED
APPLICATION
HOST-BASED
DETECTION SENSOR
DETECT:
STATEFUL EXECUTION INSPECTION
RECORD:
ENDPOINT ACTIVITY MONITORING
INTELLIGENCE: ATTRIBUTION ENGINE

REAL-TIME STATEFUL EXECUTION INSPECTION
Email
Received
Process Silently
Executed
Executable
Hides Itself From
Task Manager
Executable
Call Out to
the Internet
Email Attachment
Opened in
Acrobat Reader
Executable Saved in
Windows/System32
Folder
Executable
Modifies Windows
Registry to Autostart
1 2 3 4 5 6 7

LET’S TAKE A LOOK…
ENDPOINT PROTECTION
DEMO

Q&A @CROWDSTRIKE | #CROWDCASTS
Please enter all questions
in the Q&A panel of
GoToWebinar
For information on the CrowdStrike
Falcon Platform or CrowdStrike Services,
contact sales@crowdstrike.com
Q&A

CrowdCasts Monthly: When Pandas Attack

CrowdCasts Monthly: When Pandas Attack

More Related Content

What's hot (20)

Viewers also liked (19)

Similar to CrowdCasts Monthly: When Pandas Attack (20)

Recently uploaded (20)

CrowdCasts Monthly: When Pandas Attack