CrowdStrike CrowdCast: Is Ransomware Morphing Beyond the Ability of Standard Approaches to Stop It?

Posted on 11-Apr-2017

TRANSCRIPT

2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

RANSOMWARE

DAN BROWN

DETECTION ARCHITECT

Continuous Breach Prevention

MANAGED HUNTING

ENDPOINT DETECTION AND RESPONSE

NEXT-GEN ANTIVIRUS

Cloud Delivered

WHAT WE DO

What is Ransomware?

How Bad is it?

What can we do about it?

What will Tomorrow’s Ransomware Look Like?

RANSOMWARE: WHAT IS IT?

TREND

TYPES OF CYBER RANSOM ATTACKS

• IaaV: Infrastructure-as-a-Victim

• Data encrypting

• Scareware

FILE ENCRYPTING RANSOMWARE

A YEAR IN RANSOMWARE

Top Families

• Locky
• Cerber

Infection Trend

• Large increase in 2016 over 2015
• Currently lower volume than 2016

COMMON ACTIONS

Directory Traversal

• Local directories
• Mapped shares

File Encryption

• Victim files: whitelist vs. blacklist
• Encryption: strong vs. weak
• File access methods

Notification of Ransom

• Browser invoked with web page
• Text file created

FILE ENCRYPTION

File-based vs. File-less

• Use of known good (PowerShell, cmd.exe, JavaScript)
• NSIS installers

Narrow vs. Broad

• Targeted paths
• Victim file type

Crypto Libraries

• Custom libraries more stealthy
• System libraries stronger, more reliable

OTHER ACTIONS

Deleting Backups

• Volume Shadow Snapshots
• Accessible online backup deletion

Boot Config Data

• Disabling Windows recovery sequence
• Disabling Windows startup repair

Malicious Behaviors

• Data theft
• Password theft (e.g. RAA/Pony Stealer)
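The two "other actions" above (deleting Volume Shadow Snapshots and editing boot configuration data so Windows recovery and startup repair no longer run) are visible in process-creation telemetry, and they are a useful detection because a legitimate administrator seldom does both from the same parent in the same minute. The following is an added example, not CrowdStrike or Falcon code: the log format, field names, rule table and sample lines are constructed for illustration. It parses process-creation records, flags the command lines that perform those actions, and then groups findings by parent process so that a single parent driving more than one of them stands out from one-off administrative use.

```python
"""Flag backup-destroying and recovery-disabling command lines in a process log.

Added example, not CrowdStrike/Falcon code. The log format, field names and
sample lines are constructed; the rules encode the two behaviours the slide
names (shadow-copy deletion, boot configuration changes).
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# image name -> [(rule name, argument tokens that must all be present)]
RULES = {
    "vssadmin.exe": [("shadow_copy_deletion", {"delete", "shadows"})],
    "wmic.exe":     [("shadow_copy_deletion", {"shadowcopy", "delete"})],
    "bcdedit.exe":  [("recovery_disabled", {"recoveryenabled", "no"}),
                     ("startup_repair_disabled", {"bootstatuspolicy", "ignoreallfailures"})],
}

# Assumed log line shape: <timestamp> pid=<n> ppid=<n> parent=<path> cmd=<command line>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$")


def match_rules(cmd: str) -> List[str]:
    """Rule names whose image and required argument tokens all appear in cmd."""
    tokens = [t.strip('"').lower() for t in cmd.split()]
    if not tokens:
        return []
    image = tokens[0].rsplit("\\", 1)[-1]   # basename of the executable
    args = set(tokens[1:])
    return [name for name, needles in RULES.get(image, []) if needles <= args]


def scan_log(lines: List[str]) -> List[dict]:
    """One finding per (process, rule) pair found in the log."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the detector
        for rule in match_rules(m["cmd"]):
            findings.append({"pid": int(m["pid"]), "ppid": int(m["ppid"]),
                             "parent": m["parent"], "rule": rule, "cmd": m["cmd"]})
    return findings


def destruction_chains(findings: List[dict], min_rules: int = 2) -> Dict[int, Set[str]]:
    """Parents that drove >= min_rules distinct rules. A single vssadmin call may be
    an admin tidying up; one parent that deletes snapshots *and* disables recovery
    is the correlated pattern worth escalating."""
    by_parent: Dict[int, Set[str]] = defaultdict(set)
    for f in findings:
        by_parent[f["ppid"]].add(f["rule"])
    return {ppid: rules for ppid, rules in by_parent.items() if len(rules) >= min_rules}


# Constructed sample log (not captured from a real host). Parent path and pids are made up.
SAMPLE_LOG = r"""
2017-04-11T10:02:13Z pid=4312 ppid=4100 parent=C:\Users\alice\AppData\Local\Temp\payload.exe cmd="C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
2017-04-11T10:02:14Z pid=4318 ppid=4100 parent=C:\Users\alice\AppData\Local\Temp\payload.exe cmd="C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
2017-04-11T10:02:14Z pid=4320 ppid=4100 parent=C:\Users\alice\AppData\Local\Temp\payload.exe cmd="C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
2017-04-11T10:05:00Z pid=5001 ppid=4000 parent=C:\Windows\explorer.exe cmd="C:\Windows\System32\vssadmin.exe" list shadows
2017-04-11T10:06:00Z pid=5002 ppid=4001 parent=C:\Windows\System32\cmd.exe cmd="C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt
""".strip().splitlines()


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['rule']:<25} pid={f['pid']} parent={f['parent']}")
    print("correlated parents:", destruction_chains(found))
```

Only the first three lines match; `vssadmin list shadows` is harmless and is ignored. Grouping by parent is what turns three medium-confidence hits into one high-confidence alert, which is the same "more than one behavior" idea the IOA slides return to later.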

RANSOMWARE: HOW BAD IS IT?

RANSOMWARE TRENDS

NOTABLE ATTACKS IN PAST YEAR

§ SFC rail system

§ U.K. National Health Services

§ Indiana county gov

§ Apple ransom demand
  § "Turkish Crime Family"
  § Questionable credibility
  § Threatening to wipe data
  § Ostensible deadline of April 7

VOLUME BREAKDOWN

            1H/2016   2H/2016
Worldwide   Locky     Cerber
U.S.        Locky     Locky*

* Mostly new Locky variants: Zepto, Osiris, etc.

WHO?

Perpetrators

• ~75% developed by Eastern European criminal groups

Targets

• Europe and Asia more targeted
• U.S. relatively less targeted

HOW?

Locky

• Widespread Necurs botnet
• Dominated Locky dissemination in 2016
• Now disseminating "pump & dump" scheme email spam

Cerber

• RIG
• Magnitude
• PseudoDarkleech
• Neutrino

RECENT LULL

NSIS EVASION

§ New NSIS installer based ransomware

§ Scripting and “in memory” techniques

§ Intended to evade AV

§ IOA approach unaffected by obfuscation

RANSOMWARE: WHAT CAN WE DO ABOUT IT?

BACKUPS

§ A secure, robust backup strategy is the single most important factor

§ Ensure that backups are not susceptible to malicious encryption/deletion
  § Avoid using mapped drives, Windows shares, or similar mechanisms for backups

§ Offline and/or rolling

§ Backup restoration has its own cost

§ Previous Versions feature in Windows

IF YOU ARE ATTACKED

§ Ransom – to pay or not to pay?

§ Data recovery
  § Volume Shadow Snapshots (Previous Versions feature)

§ www.NoMoreRansom.org/decryption-tools.html

PARALLEL APPROACHES

Prevention

Next-Gen AV (NGAV)

• PE file-based
• Pre-execution
• PE files (exe, dll, ocx, …)
• Signatureless

Indicators of Attack (IOA)

• Behavioral
• PE files
• Exploitation
• Targeted TTP
• Fileless

BENEFITS OF PARALLEL APPROACH

§ Each approach has its own strengths:
  § NGAV: volume of coverage for known and some unknown malware

§ IOA: unknown malware by behavior and prevents malicious use of e.g. powershell

§ When only one approach identifies malware:
  § Opportunity to improve IOA coverage of a class of malware

§ Opportunity to train ML on new/unknown samples

§ “Virtuous cycles”

EXPLOIT MITIGATION

§ Heap Spray blocking

§ Force DEP enforcement

§ Force ASLR enforcement

§ Coming soon:
  § Null page blocking

§ Structured Exception Handling Overwrite Protection (SEHOP)

EXPLOIT IOA

§ Targeting a class of post-exploit actions in commonly exploited contexts

§ Browsers / plugins

§ Document handling applications

INDICATORS OF ATTACK

                        IOA             IOC
Information             Behaviors       Artifacts
Timeliness              Real time       After-the-fact
Preventability          Almost always   Seldom
Effort req'd to evade   High            Low
Relevance               Indefinite      Typically short

WHAT GOES INTO FALCON IOA

§ High performance, high-efficiency on-sensor correlation

§ Quality of event data

§ Rapid development and deployment

§ High quality cloud data supporting analysis

§ Tools supporting IOA analysis and development

EVENT STREAM PROCESSING (ESP)

§ Category of techniques used to efficiently process streams of data

§ Naïve approach:
  § Centralize all data required for correlation
  § Perform retrospective queries periodically over centralized data
  § Result: bottleneck

§ Slightly less naïve approach:
  § Centralize all data required for correlation
  § Event Stream Processing on centralized data
  § Result: slightly smaller bottleneck

§ Best approach*:
  § Perform correlation efficiently on endpoints when possible
  § Use cloud for correlation where necessary, e.g.: prevalence, first-seen, etc.
  § Result: highly efficient behavioral detection and prevention

* For more information, see: https://www.crowdstrike.com/blog/understanding-indicators-attack-ioas-power-event-stream-processing-crowdstrike-falcon/

WHAT MAKES A USEFUL IOA?

§ Identifies behaviors that are uniquely malicious

§ Identifies behaviors that can be blocked:
  § Credential theft

§ Backdoors

§ Post-exploit behaviors

§ Web shells

§ Document droppers

§ Process migration / hollowing

WHAT GOES INTO FALCON IOA

§ Quality of event data
  § Beyond procmon, filenames, command-lines, etc.

§ Code injection

§ Evidence of ROP

§ What process scheduled this task?

§ What process installed this service?

§ What process caused WMI to create a process?

§ What commands were executed from this shell?

Among many others …

WHAT GOES INTO FALCON IOA

§ Rapid development and deployment
  § Frictionless delivery of new IOAs from the cloud

§ Rapid low friction development and revision cycle

§ Analysis tools that make IOA development broadly accessible to analysts

§ Data, data, data…

DEVELOPING IOAS

§ Research areas:
  § Behavioral machine learning

  § New sources of event data
    § Network

§ Inter-process and intra-system communication

§ Script engines

§ Experimental pattern-matching graph query language

§ Behavioral fingerprinting

EXAMPLE: DROPPERS VS INSTALLERS

§ Question: Is this process an installer or a dropper?

§ IOA:
  1. Process A creates executable E
  2. Process A launches executable E → child process B
  3. Wait for exit of processes A and B

§ If process A exits first → Dropper

§ If process B exits first → Installer
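The three-step IOA above is a small state machine over process and file events, so it is worth seeing it run end to end. The following is an added example, not CrowdStrike or Falcon code: the event field names (`type`, `pid`, `ppid`, `image`, `path`) and both sample traces are assumptions made for illustration. It tracks each (process A, executable E) pair through the three steps and returns a verdict per executable, including `undetermined` when the trace ends before both exits are seen.

```python
"""Dropper-vs-installer IOA run over a constructed process/file event trace.

Added example; not CrowdStrike/Falcon code. Event field names and the sample
traces below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com")   # assumed "executable" definition


@dataclass
class Candidate:
    """One (process A, executable E) pair tracked through the three IOA steps."""
    writer_pid: int                                   # process A
    exe_path: str                                     # executable E created by A
    child_pid: Optional[int] = None                   # process B, launched from E by A
    exit_order: List[int] = field(default_factory=list)  # A/B pids in exit order


def classify(events: List[dict]) -> Dict[str, str]:
    """Return {executable path: 'dropper' | 'installer' | 'undetermined'}."""
    candidates: Dict[str, Candidate] = {}
    for ev in events:
        kind = ev["type"]
        if kind == "file_write" and ev["path"].lower().endswith(EXECUTABLE_EXT):
            # Step 1: process A creates executable E
            candidates[ev["path"].lower()] = Candidate(ev["pid"], ev["path"])
        elif kind == "process_start":
            cand = candidates.get(ev["image"].lower())
            # Step 2: A itself launches E, giving child process B (only the creator counts)
            if cand and cand.child_pid is None and ev["ppid"] == cand.writer_pid:
                cand.child_pid = ev["pid"]
        elif kind == "process_exit":
            # Step 3: once both A and B exist, remember which of them exits first
            for cand in candidates.values():
                if (cand.child_pid is not None
                        and ev["pid"] in (cand.writer_pid, cand.child_pid)
                        and ev["pid"] not in cand.exit_order):
                    cand.exit_order.append(ev["pid"])

    verdicts: Dict[str, str] = {}
    for cand in candidates.values():
        if cand.child_pid is None or not cand.exit_order:
            verdicts[cand.exe_path] = "undetermined"   # trace ended before a decision
        elif cand.exit_order[0] == cand.writer_pid:
            verdicts[cand.exe_path] = "dropper"        # A left as soon as B was running
        else:
            verdicts[cand.exe_path] = "installer"      # A waited for its helper B to finish
    return verdicts


# Constructed sample traces (not captured from a real host).
DROPPED_EXE = r"C:\Users\alice\AppData\Local\Temp\stage2.exe"
HELPER_EXE = r"C:\Program Files\ExampleApp\helper.exe"

DROPPER_TRACE = [
    {"type": "file_write", "pid": 100, "path": DROPPED_EXE},
    {"type": "process_start", "pid": 200, "ppid": 100, "image": DROPPED_EXE},
    {"type": "process_exit", "pid": 100},   # A exits first
    {"type": "process_exit", "pid": 200},
]

INSTALLER_TRACE = [
    {"type": "file_write", "pid": 300, "path": HELPER_EXE},
    {"type": "process_start", "pid": 400, "ppid": 300, "image": HELPER_EXE},
    {"type": "process_exit", "pid": 400},   # helper B exits first, setup A continues
    {"type": "process_exit", "pid": 300},
]

if __name__ == "__main__":
    print(classify(DROPPER_TRACE))     # {...stage2.exe: 'dropper'}
    print(classify(INSTALLER_TRACE))   # {...helper.exe: 'installer'}
```

Two details matter in practice and are simplified here: the example keys on OS pids, which are reused after exit, so a real sensor correlates on a unique per-process identifier instead; and the verdict is only "a dropper exists", which becomes a prevention decision only once correlated with what B goes on to do.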

RANSOMWARE IOA

§ What behavior is universal and unique to file-encrypting ransomware?

§ More than one behavior = IOA correlation

§ Filesystem scanning

§ Patterns of file access

§ File modification / Encryption

§ Ransomware note dropping
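The four behaviors listed above are each weak on their own (backup software scans and reads everything; a compressor writes high-entropy output), and the slide's point is that the IOA fires on their correlation, computed per process on the endpoint rather than after centralizing the data, as the Event Stream Processing slide earlier argues. The following is an added example, not CrowdStrike or Falcon code, that serves both of those passages: the event shapes (`dir_enum`, `file_read`, `file_write`, `file_rename`), the thresholds, the ransom-note filename pattern and both sample traces are assumptions made for illustration. It keeps a small per-process state, maps each behavior to a counter, and flags a process only when at least two behaviors are present.

```python
"""Ransomware IOA: correlate several weak file-system behaviours per process.

Added example, not CrowdStrike/Falcon code. Event shapes, thresholds, the
note-name pattern and both sample traces are assumptions for illustration.
"""
import math
import ntpath
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set

NOTE_NAME = re.compile(r"(readme|decrypt|recover|restore|how[_ -]?to).*\.(txt|html?)$", re.I)
MIN_DIRS_ENUMERATED = 3   # distinct directories listed by one process
MIN_FILES_TOUCHED = 5     # files rewritten in place or renamed to a new extension
MIN_ENTROPY = 7.0         # bits/byte; ciphertext sits near 8.0, documents well below
MIN_BEHAVIORS = 2         # "more than one behavior" before the IOA fires


def shannon_entropy(data: bytes) -> float:
    """Entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class ProcessState:
    """What the IOA remembers about one process; lives on the endpoint."""
    def __init__(self) -> None:
        self.dirs: Set[str] = set()                  # filesystem scanning
        self.read: Set[str] = set()
        self.read_then_written: Set[str] = set()     # pattern of file access
        self.high_entropy_overwrites = 0             # file modification / encryption
        self.ext_changes = 0
        self.note_dropped = False                    # ransom note dropping


class RansomwareIoa:
    def __init__(self) -> None:
        self.procs: Dict[int, ProcessState] = defaultdict(ProcessState)

    def feed(self, ev: dict) -> None:
        s, kind = self.procs[ev["pid"]], ev["type"]
        if kind == "dir_enum":
            s.dirs.add(ev["path"].lower())
        elif kind == "file_read":
            s.read.add(ev["path"].lower())
        elif kind == "file_write":
            path = ev["path"].lower()
            if NOTE_NAME.search(ntpath.basename(path)):
                s.note_dropped = True
            elif path in s.read:
                # In-place rewrite of a file this process read; high entropy means
                # the new content no longer looks like a document.
                s.read_then_written.add(path)
                if shannon_entropy(ev["data"]) >= MIN_ENTROPY:
                    s.high_entropy_overwrites += 1
        elif kind == "file_rename":
            if ntpath.splitext(ev["src"])[1].lower() != ntpath.splitext(ev["dst"])[1].lower():
                s.ext_changes += 1

    def behaviors(self, pid: int) -> List[str]:
        s, found = self.procs[pid], []
        if len(s.dirs) >= MIN_DIRS_ENUMERATED:
            found.append("filesystem_scan")
        if len(s.read_then_written) >= MIN_FILES_TOUCHED:
            found.append("read_modify_write_pattern")
        if s.high_entropy_overwrites >= MIN_FILES_TOUCHED or s.ext_changes >= MIN_FILES_TOUCHED:
            found.append("bulk_encryption")
        if s.note_dropped:
            found.append("ransom_note")
        return found


def detect(events: List[dict]) -> Dict[int, List[str]]:
    """Stream events through the IOA; return {pid: behaviours} for flagged processes."""
    ioa = RansomwareIoa()
    for ev in events:
        ioa.feed(ev)
    return {pid: ioa.behaviors(pid) for pid in ioa.procs
            if len(ioa.behaviors(pid)) >= MIN_BEHAVIORS}


# Constructed sample data (not captured from a real host).
CIPHERTEXT_LIKE = bytes(range(256)) * 8                  # entropy exactly 8.0
DOCUMENT_LIKE = b"Quarterly figures, see attached.\n" * 64
DOCS = [rf"C:\Users\alice\Documents\report{i}.docx" for i in range(5)]
DIRS = [r"C:\Users\alice\Documents", r"C:\Users\alice\Pictures", r"Z:\shared\finance"]


def constructed_ransomware_trace(pid: int = 4242) -> List[dict]:
    ev = [{"type": "dir_enum", "pid": pid, "path": d} for d in DIRS]
    for doc in DOCS:
        ev.append({"type": "file_read", "pid": pid, "path": doc})
        ev.append({"type": "file_write", "pid": pid, "path": doc, "data": CIPHERTEXT_LIKE})
        ev.append({"type": "file_rename", "pid": pid, "src": doc, "dst": doc + ".locked"})
    ev.append({"type": "file_write", "pid": pid, "data": b"(constructed note text)",
               "path": r"C:\Users\alice\Documents\README_DECRYPT.txt"})
    return ev


def constructed_backup_trace(pid: int = 5151) -> List[dict]:
    """A backup job also scans and reads everything, but copies files elsewhere."""
    ev = [{"type": "dir_enum", "pid": pid, "path": d} for d in DIRS]
    for doc in DOCS:
        ev.append({"type": "file_read", "pid": pid, "path": doc})
        ev.append({"type": "file_write", "pid": pid, "data": DOCUMENT_LIKE,
                   "path": r"D:\backup" + doc[2:]})
    return ev
```

The backup job shows only `filesystem_scan` and is left alone; the encrypting process shows all four behaviors. Requiring an in-place rewrite of a file the same process just read is what keeps a compressing or encrypting backup tool (which writes high-entropy data to a different location) below the threshold, and the note-name pattern and counts are the kind of values that are tuned against real event data rather than fixed once.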

FALCON CLOUD DATA

§ Falcon provides cloud data to CrowdStrike analysts and customers

§ Indexed data (Endpoint Activity Monitor)
  § Fast query results

§ Large, rich event data set

§ Graph database (ThreatGraph™)
  § Links related data

§ Substantial speed improvement compared to “join” style queries

§ Contains “linking” events that represent relationships beyond just process/child

RANSOMWARE: WHAT WILL TOMORROW'S RANSOMWARE LOOK LIKE?

RANSOMWARE’S FUTURE

§ Larger targets = larger payoff

§ One-time attacks

§ Infrastructure-as-a-Victim
  § SCADA / ICS / DCS
  § Public transportation
  § Connected cars
  § IoT

§ File encrypting ransomware
  § Unlikely to go away any time soon
  § Possibility of increases in other platforms such as Mac, Linux

Questions? Please submit all questions in the Q&A chat right below the presentation slides.

Contact Us

Additional Information

Join Weekly Demos

crowdstrike.com/productdemos

Upcoming CrowdCast Topics

Mac Prevention – April 12th

Proactive Hunting – April 26th

Website: crowdstrike.com
Email: info@crowdstrike.com
Number: 1.888.512.8902 (US)
