SlideShare a Scribd company logo

CrowdCasts Monthly: You Have an Adversary Problem

CrowdStrike
CrowdStrike

You Have an Adversary Problem. Who's Targeting You and Why? Nation-States, Hacktivists, Industrial Spies, and Organized Criminal Groups are attacking your enterprise on a daily basis. Their goals range from espionage for technology advancement and disruption of critical infrastructure to for-profit theft of trade secrets and supporting a political agenda. You no longer have a malware problem, you have an adversary problem, and you must incorporate an intelligence-driven approach to your security strategy. During this CrowdCast, you will learn how to: Incorporate Actionable Intelligence into your existing enterprise security infrastructure Quickly understand the capabilities and artifacts of targeted attacked tradecraft Gain insight into the motivations and intentions of targeted attackers Make informed decisions based off of specific threat intelligence

TechnologyBusiness
1 of 35
Download to read offline
You Have an ADVERSARY PROBLEM. Who’s Targeting You and Why?
@CROWDSTRIKE | #CROWDCASTS AGENDA YOU HAVE AN ADVERSARY PROBLEM. 1.  INTELLIGENCE-DRIVEN SECURITY 2.  ADVERSARY CATEGORIZATION 3.  ADVERSARY GROUPS - OVERVIEW 4.  NOTABLE ACTIVITY – Q3 5.  NEW ACTORS 6.  ACTIONALIZING INTELLIGENCE 2013 CrowdStrike, Inc. All rights reserved. 2
@CROWDSTRIKE | #CROWDCASTS Today’s Speakers ADAM MEYERS | VP, INTELLIGENCE Recognized speaker, trainer, and intelligence expert with 15+ years of cyber security industry experience 10 years in the DIB supporting US GOV customers on topics ranging from wireless, pen testing, IR, and malware analysis @ADAM_CYBER 2013 Crowdstrike, Inc. All rights reserved. 3
@CROWDSTRIKE | #CROWDCASTS Today’s Speakers MATT DAHL | SENIOR ANALYST/ LEGAL COUNSEL Cyber threat analyst focused on targeted intrusion activity Focused on investigating indicators of compromise to identify specific adversary activity Legal liaison to the CrowdStrike Intelligence Team @CROWDSTRIKE 2013 Crowdstrike, Inc. All rights reserved. 4
@CROWDSTRIKE | #CROWDCASTS Adversaries are humans Targeted Attackers: WHO ARE THE ADVERSARIES? Motivation can range from disruption, theft, to even destruction They need to get in They will likely need to move laterally Spray and Pray (Prey): They don’t care who they target (sometimes what) The more they compromise the more they win Motivation can range from disruption, theft, to even destruction 2013 Crowdstrike, Inc. All rights reserved. 5
INTELLIGENCE-DRIVEN SECURITY 2013 CrowdStrike, Inc. All rights reserved. 6
@CROWDSTRIKE | #CROWDCASTS Adversary Categorization CATEGORIZATION| Adversary Groups 1 Tactics, Techniques, and Practices 2 Never assume relationships exist Between indicators 3 Recognize adversaries are constantly changing 4 But RECOGNIZE they are HUMAN CATEGORIZATION 2013 Crowdstrike, Inc. All rights reserved. 7
Intelligence: Adversary Groups @CROWDSTRIKE | #CROWDCASTS CHINA Anchor Panda Comment Panda Impersonating Panda Temper Panda Keyhole Panda Aurora Panda Stone Panda Vixen Panda Union Panda Poisonous Panda Pirate Panda Dagger Panda Violin Panda Putter Panda Test Panda Gibberish Panda Electric Panda Wet Panda Karma Panda Dynamite Panda Radio Panda Samurai Panda Toxic Panda Numbered Panda Pitty Panda Foxy Panda Deep Panda 2013 CrowdStrike, Inc. All rights reserved. 8
Intelligence @CROWDSTRIKE | #CROWDCASTS Adversary Groups IRAN Clever Kitten: Energy Companies Cutting Kitten: For Hire NORTH KOREA Silent Chollima: Energy Companies RUSSIA Energetic Bear: Oil and Gas Companies INDIA Viceroy Tiger Government, Legal, Financial, Media, Telecom 2013 CrowdStrike, Inc. All rights reserved. 9
Intelligence @CROWDSTRIKE | #CROWDCASTS Adversary Groups HACKTIVIST/ACTIVIST/ TERRORIST CRIMINAL Deadeye Jackal Commercial, Singing Spider Commercial, Financial Financial, Media, Social Networking Union Spider Manufacturing Ghost Jackal Commercial, Energy, Andromeda Spider Numerous Financial Corsair Jackal Commercial, Technology, Financial, Energy Extreme Jackal Military, Government 2013 CrowdStrike, Inc. All rights reserved. 10
@CROWDSTRIKE | #CROWDCASTS Notable Activity – Q3 NEW ADVERSARIES STONE PANDA | NIGHTSHADE PANDA | GOBLIN PANDA | CORSAIR JACKAL NOTABLE ACTIVITY DEADEYE JACKAL | NUMBERED PANDA | SILENT CHOLLIMA 2013 Crowdstrike, Inc. All rights reserved. 11
NEW ACTORS 2013 CrowdStrike, Inc. All rights reserved. 12
Intelligence: STONE PANDA OPERATIONAL WINDOW May 2010 to Present @CROWDSTRIKE | #CROWDCASTS TARGETING Healthcare Defense Aerospace OBJECTIVES Recon Lateral movement Data exfiltration Government TOOLS Poison Ivy RAT IEChecker/EvilGrab 2013 CrowdStrike, Inc. All rights reserved. 13
@CROWDSTRIKE | #CROWDCASTS Target Sectors: Healthcare, Defense, Aerospace, Government Delivery: Likely spearphishing WHO IS STONE PANDA? Malware: Poison Ivy and EvilGrab/ IEChecker Known Poison Ivy passwords: menuPass, happyyongzi, Thankss, Xgstone, keaidestone, and admin C2 Indicators: fbi.sexxxy.biz; u1.FartIT.com; jj.mysecondarydns.com; 54.241.13.219; 184.169.176.71; 114.80.96.8 2013 Crowdstrike, Inc. All rights reserved. 14
Intelligence: NIGHTSHADE PANDA OPERATIONAL WINDOW Feb 2008 to Present OBJECTIVES Recon Lateral movement Data exfiltration @CROWDSTRIKE | #CROWDCASTS TARGETING Media NGO/Int’l Relations Universities TOOLS Poison Ivy PlugX 2013 CrowdStrike, Inc. All rights reserved. 15
@CROWDSTRIKE | #CROWDCASTS Target Sectors: Media; NGO/Int’l Relations; Universities WHO IS NIGHTSHADE PANDA? Delivery: Likely spearphishing Malware: PlugX and Poison Ivy Known Poison Ivy passwords: synnia C2 Indicators: www.adv138mail.com; pu.flowershow.org; tech.network-sec.net; 184.105.178.83; 199.59.243.106; 112.137.162.151 2013 Crowdstrike, Inc. All rights reserved. 16
Intelligence: GOBLIN PANDA OPERATIONAL WINDOW July 2012 to July 2013 OBJECTIVES Recon Lateral movement Data exfiltration @CROWDSTRIKE | #CROWDCASTS TARGETING Aerospace Defense Energy Government Shipping TOOLS Technology Spearphishing using office doc ZeGhost specific mutexes 2013 CrowdStrike, Inc. All rights reserved. 17
@CROWDSTRIKE | #CROWDCASTS Target Sectors: Aerospace; Defense; Energy; Government; Shipping; Technology; Telecommunications WHO IS GOBLIN PANDA? Delivery: Spearphishing Malware: HttpTunnel (AV detection = Zegost) Mutexes: HttpTunnel@@ or Http@@@ C2 Indicators: vnpt.conimes.com; mofa.conimes.com; pvep.scvhosts.com; 112.175.79.55; 223.26.55.122; 198.100.97.245 2013 Crowdstrike, Inc. All rights reserved. 18
@CROWDSTRIKE | #CROWDCASTS Intelligence: CORSAIR JACKAL OPERATIONAL WINDOW February 2013 to May 2013 OBJECTIVES Information Disclosure TARGETING Energy Financial Government Shipping Telecom TOOLS Cross Site Scripting (XSS) 2013 CrowdStrike, Inc. All rights reserved. 19
@CROWDSTRIKE | #CROWDCASTS Timeline: CORSAIR JACKAL 2012 XTnR3v0LT colludes with Anonymous group XL3gi0n January 25, 2013 New members added January 22, 2013 XTnR3v0LT announce formation of TCA March 1 2013 Announced compromise of US financial February 2013 Announced participation in #opblacksummer July 29 2013 Ben Khlifa announces new personal page May 7, 2013 XTnR3v0LT arrested by Tunisian Authorities September 2, 2013 Tweets XSS vulnerability on Sourceforge 2013 CrowdStrike, Inc. All rights reserved. 20
@CROWDSTRIKE | #CROWDCASTS Target Sectors: Energy; Financial; Government; Shipping; Telecommunications WHO IS CORSAIR JACKAL? Primarily One Individual: Fahmi Ben Khlifa (XTnR3v0LT) Professed nationalistic motivations for malicious activity, but also white hat activity. Cross-site scripting attacks used to compromise databases at target organizations. 2013 Crowdstrike, Inc. All rights reserved. 21
NOTABLE ACTIVITY 2013 CrowdStrike, Inc. All rights reserved. 22
@CROWDSTRIKE | #CROWDCASTS Intelligence: DEADEYE JACKAL OPERATIONAL WINDOW TARGETING May 2011 to Present Financial Institution Media/News Social Network Platforms OBJECTIVES Propaganda Disinformation Disruption TOOLS Spearphishing Web Exploitation Facebook Spamming 2013 CrowdStrike, Inc. All rights reserved. 23
@CROWDSTRIKE | #CROWDCASTS Timeline: DEADEYE JACKAL August 26, 2011 May 5, 2011 SEA Mohammad Ahmad Fall 2011 – Spring 2013 Officially Formed Kabbani Killed Web Defacements Facebook Spamming September 2011 Harvard Defacement July 2013 3rd Party Provider Breaches February 2013 Twitter Account Takeovers August 2013 Domain Hijacking 2013 CrowdStrike, Inc. All rights reserved. 24
@CROWDSTRIKE | #CROWDCASTS Target Sectors: Financial Institutions; Media/News; Social Network Platforms WHO IS DEADEYE JACKAL? Delivery: Spearphishing Nationalistic, pro-Syrian regime motivations Defacement, account takeover, third-party provider attacks, credential collection 2013 Crowdstrike, Inc. All rights reserved. 25
Intelligence: NUMBERED PANDA OPERATIONAL WINDOW 2009 - Present OBJECTIVES Recon Lateral movement Data exfiltration @CROWDSTRIKE | #CROWDCASTS TARGETING Government Financial Telecom Technology Media TOOLS Spearphishing Dynamic Calculation 2013 CrowdStrike, Inc. All rights reserved. 26
@CROWDSTRIKE | #CROWDCASTS Target Sectors: Government; Financial; Telecommunications; Media WHO IS NUMBERED PANDA? Delivery: Spearphishing Malware: Ixeshe, Mswab, Gh0st, ShowNews, 3001 C2 Indicators: getfresh.dnsrd.com; serial.ddns.ms; gfans.onmypc.us; 23.19.122.202; 192.154.108.10; 192.154.111.200 2013 Crowdstrike, Inc. All rights reserved. 27
Intelligence: SILENT CHOLLIMA OPERATIONAL WINDOW 2007 to Present @CROWDSTRIKE | #CROWDCASTS TARGETING Multiple targets in ROK Global Targets of Opportunity OBJECTIVES Recon Criminal Monetization Lateral movement Data Destruction TOOLS Custom Malware 2013 CrowdStrike, Inc. All rights reserved. 28
@CROWDSTRIKE | #CROWDCASTS Target Sectors: Media WHO IS SILENT CHOLLIMA? Delivery: Spearphishing Malware: HTTP/IRC-based; Tdrop; Concealment Troy; LSG C2 indicators: www.designface.net; www.sdmp.kr; www.socrates.tw; 202.172.28.111; 63.115.31.15; 209.137.232.3 2013 Crowdstrike, Inc. All rights reserved. 29
@CROWDSTRIKE | #CROWDCASTS INTELLIGENCE-DRIVEN SECURITY INTELLIGENCE| Adversary-Centric 1 INTELLIGENCE Understand the adversaries targeting your Vertical | Company | Geo-Location | Customers 2 Build appropriate defenses to counter/detect these adversaries 3 Perform other security practices from an Adversary-centric perspective Pen Testing (Red Team) Security Operations Briefings Log Review 2013 Crowdstrike, Inc. All rights reserved. 30
@CROWDSTRIKE | #CROWDCASTS INTELLIGENCE-DRIVEN SECURITY INTELLIGENCE| Making it Actionable 1 ACTIONALIZING INTELLIGENCE Intelligence is difficult to consume Lots of information to keep straight New data constantly flowing in (possibly unvetted) 2 Security Operations need to change shis & people 3 Actionable Intelligence Pass down can’t possibly occur with all indicators 2013 Crowdstrike, Inc. All rights reserved. 31
@CROWDSTRIKE | #CROWDCASTS Adversary Microsite COMING SOON TRACK: Track current Adversaries against other Industry nomenclature OVERVIEW: Gain insight Into adversary – new groups Added weekly 2013 Crowdstrike, Inc. All rights reserved. 32
@CROWDSTRIKE | #CROWDCASTS RESOURCES Next up: Enterprise Activity Monitoring The Power to HUNT November 5th | 2PM ET/11AM PT Download a Sample Adversary Intelligence Report http://www.crowdstrike.com/ sites/default/files/deeppanda.pdf For additional information, CONTACT SALES@CROWDSTRIKE.COM *NEW* Videos Every Thursday | 1PM ET http://www.crowdstrike.com/crowdcasts/index.html 2013 Crowdstrike, Inc. All rights reserved. 33
Q&A Q&A @CROWDSTRIKE | #CROWDCASTS Please type all questions into the Q&A section of the GoToWebinar Control Panel If you have additional ?’s, contact us At crowdcasts@crowdstrike.com 2013 CrowdStrike, Inc. All rights reserved. 34
CrowdCasts Monthly: You Have an Adversary Problem

Recommended

Cyber espionage nation state-apt_attacks_on_the_rise
Cyber espionage nation state-apt_attacks_on_the_riseCyber espionage nation state-apt_attacks_on_the_rise
Cyber espionage nation state-apt_attacks_on_the_riseCyphort
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMITRE ATT&CK
 
THREAT GROUP CARDS: A THREAT ACTOR ENCYCLOPEDIA
THREAT GROUP CARDS: A THREAT ACTOR ENCYCLOPEDIATHREAT GROUP CARDS: A THREAT ACTOR ENCYCLOPEDIA
THREAT GROUP CARDS: A THREAT ACTOR ENCYCLOPEDIAETDAofficialRegist
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You AreKatie Nickels
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...MITRE ATT&CK
 
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CKATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CKMITRE ATT&CK
 
Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConJorge Orchilles
 

Recommended

Cyber espionage nation state-apt_attacks_on_the_rise
Cyber espionage nation state-apt_attacks_on_the_riseCyber espionage nation state-apt_attacks_on_the_rise
Cyber espionage nation state-apt_attacks_on_the_riseCyphort
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMITRE ATT&CK
 
THREAT GROUP CARDS: A THREAT ACTOR ENCYCLOPEDIA
THREAT GROUP CARDS: A THREAT ACTOR ENCYCLOPEDIATHREAT GROUP CARDS: A THREAT ACTOR ENCYCLOPEDIA
THREAT GROUP CARDS: A THREAT ACTOR ENCYCLOPEDIAETDAofficialRegist
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You AreKatie Nickels
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...MITRE ATT&CK
 
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CKATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CKMITRE ATT&CK
 
Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConJorge Orchilles
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!MITRE ATT&CK
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
 
Analysing Ransomware
Analysing RansomwareAnalysing Ransomware
Analysing RansomwareNapier University
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEJorge Orchilles
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamMITRE ATT&CK
 
Global Cyber Threat Intelligence
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat IntelligenceNTT Innovation Institute Inc.
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeAdam Barrera
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceZaiffiEhsan
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Chris Gates
 
The Cyber Threat Intelligence Matrix
The Cyber Threat Intelligence MatrixThe Cyber Threat Intelligence Matrix
The Cyber Threat Intelligence MatrixFrode Hommedal
 
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghCyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghOWASP Delhi
 
Threat Intelligence Workshop
Threat Intelligence WorkshopThreat Intelligence Workshop
Threat Intelligence WorkshopPriyanka Aash
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE - ATT&CKcon
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedSteve Lodin
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKMITRE ATT&CK
 
CrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing IntelligenceCrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing IntelligenceCrowdStrike
 
KASPERSKY SECURITY BULLETIN 2013
KASPERSKY SECURITY BULLETIN 2013KASPERSKY SECURITY BULLETIN 2013
KASPERSKY SECURITY BULLETIN 2013Kappa Data
 

More Related Content

What's hot

When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!MITRE ATT&CK
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEJorge Orchilles
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamMITRE ATT&CK
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeAdam Barrera
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceZaiffiEhsan
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Chris Gates
 
The Cyber Threat Intelligence Matrix
The Cyber Threat Intelligence MatrixThe Cyber Threat Intelligence Matrix
The Cyber Threat Intelligence MatrixFrode Hommedal
 
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghCyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghOWASP Delhi
 
Threat Intelligence Workshop
Threat Intelligence WorkshopThreat Intelligence Workshop
Threat Intelligence WorkshopPriyanka Aash
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE - ATT&CKcon
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedSteve Lodin
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKMITRE ATT&CK
 

What's hot (20)

When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down Intruders
 
Analysing Ransomware
Analysing RansomwareAnalysing Ransomware
Analysing Ransomware
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
 
Global Cyber Threat Intelligence
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat Intelligence
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrike
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
 
The Cyber Threat Intelligence Matrix
The Cyber Threat Intelligence MatrixThe Cyber Threat Intelligence Matrix
The Cyber Threat Intelligence Matrix
 
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghCyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
 
Threat Intelligence Workshop
Threat Intelligence WorkshopThreat Intelligence Workshop
Threat Intelligence Workshop
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
 
Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - Submitted
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
 

Similar to CrowdCasts Monthly: You Have an Adversary Problem

CrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing IntelligenceCrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing IntelligenceCrowdStrike
 
KASPERSKY SECURITY BULLETIN 2013
KASPERSKY SECURITY BULLETIN 2013KASPERSKY SECURITY BULLETIN 2013
KASPERSKY SECURITY BULLETIN 2013Kappa Data
 
CrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas AttackCrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas AttackCrowdStrike
 
wp-cyber-threats-to-the-mining-industry
wp-cyber-threats-to-the-mining-industrywp-cyber-threats-to-the-mining-industry
wp-cyber-threats-to-the-mining-industryNumaan Huq
 
Cybersecurity A Community Approach - 20151109
Cybersecurity A Community Approach - 20151109Cybersecurity A Community Approach - 20151109
Cybersecurity A Community Approach - 20151109Frank Backes
 
Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...
Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...
Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...Alisha Deboer
 
You Are the Target
You Are the TargetYou Are the Target
You Are the TargetEMC
 
RSA Monthly Online Fraud Report -- May 2013
RSA Monthly Online Fraud Report -- May 2013RSA Monthly Online Fraud Report -- May 2013
RSA Monthly Online Fraud Report -- May 2013EMC
 
Bear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence OperationsBear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence OperationsCrowdStrike
 
Proactive Counterespionage as a Part of Business Continuity and Resiliency
Proactive Counterespionage as a Part of Business Continuity and ResiliencyProactive Counterespionage as a Part of Business Continuity and Resiliency
Proactive Counterespionage as a Part of Business Continuity and ResiliencyDr. Lydia Kostopoulos
 
2019 11 terp_breuer_disclosure_master
2019 11 terp_breuer_disclosure_master2019 11 terp_breuer_disclosure_master
2019 11 terp_breuer_disclosure_masterbodaceacat
 
Data science unit introduction
Data science unit introductionData science unit introduction
Data science unit introductionGregg Barrett
 
Forrester no more chewy centers- the zero trust model
Forrester no more chewy centers- the zero trust modelForrester no more chewy centers- the zero trust model
Forrester no more chewy centers- the zero trust modelCristian Garcia G.
 
Is Your Organization in Crisis?
Is Your Organization in Crisis?Is Your Organization in Crisis?
Is Your Organization in Crisis?BlackBerry
 
Mistrust vs Misinformation: Fake News, AI and Privacy -- The Next Frontiers i...
Mistrust vs Misinformation: Fake News, AI and Privacy -- The Next Frontiers i...Mistrust vs Misinformation: Fake News, AI and Privacy -- The Next Frontiers i...
Mistrust vs Misinformation: Fake News, AI and Privacy -- The Next Frontiers i...Charles Mok
 
Russian and Worldwide Internet Security Trends 2015
Russian and Worldwide Internet Security Trends 2015Russian and Worldwide Internet Security Trends 2015
Russian and Worldwide Internet Security Trends 2015Qrator Labs
 
DDoS Cyber Attacks Against Global Markets | Prolexic
DDoS Cyber Attacks Against Global Markets | ProlexicDDoS Cyber Attacks Against Global Markets | Prolexic
DDoS Cyber Attacks Against Global Markets | ProlexicProlexic
 
ASIS NYC InT Presentation
ASIS NYC InT PresentationASIS NYC InT Presentation
ASIS NYC InT PresentationDaniel McGarvey
 

Similar to CrowdCasts Monthly: You Have an Adversary Problem (20)

CrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing IntelligenceCrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing Intelligence
 
KASPERSKY SECURITY BULLETIN 2013
KASPERSKY SECURITY BULLETIN 2013KASPERSKY SECURITY BULLETIN 2013
KASPERSKY SECURITY BULLETIN 2013
 
CrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas AttackCrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas Attack
 
wp-cyber-threats-to-the-mining-industry
wp-cyber-threats-to-the-mining-industrywp-cyber-threats-to-the-mining-industry
wp-cyber-threats-to-the-mining-industry
 
Cybersecurity A Community Approach - 20151109
Cybersecurity A Community Approach - 20151109Cybersecurity A Community Approach - 20151109
Cybersecurity A Community Approach - 20151109
 
Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...
Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...
Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...
 
You Are the Target
You Are the TargetYou Are the Target
You Are the Target
 
RSA Monthly Online Fraud Report -- May 2013
RSA Monthly Online Fraud Report -- May 2013RSA Monthly Online Fraud Report -- May 2013
RSA Monthly Online Fraud Report -- May 2013
 
Bear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence OperationsBear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence Operations
 
Proactive Counterespionage as a Part of Business Continuity and Resiliency
Proactive Counterespionage as a Part of Business Continuity and ResiliencyProactive Counterespionage as a Part of Business Continuity and Resiliency
Proactive Counterespionage as a Part of Business Continuity and Resiliency
 
COMMON GOOD DIGITAL FRAMEWORK
COMMON GOOD DIGITAL FRAMEWORKCOMMON GOOD DIGITAL FRAMEWORK
COMMON GOOD DIGITAL FRAMEWORK
 
2019 11 terp_breuer_disclosure_master
2019 11 terp_breuer_disclosure_master2019 11 terp_breuer_disclosure_master
2019 11 terp_breuer_disclosure_master
 
Data science unit introduction
Data science unit introductionData science unit introduction
Data science unit introduction
 
Forrester no more chewy centers- the zero trust model
Forrester no more chewy centers- the zero trust modelForrester no more chewy centers- the zero trust model
Forrester no more chewy centers- the zero trust model
 
Is Your Organization in Crisis?
Is Your Organization in Crisis?Is Your Organization in Crisis?
Is Your Organization in Crisis?
 
Mistrust vs Misinformation: Fake News, AI and Privacy -- The Next Frontiers i...
Mistrust vs Misinformation: Fake News, AI and Privacy -- The Next Frontiers i...Mistrust vs Misinformation: Fake News, AI and Privacy -- The Next Frontiers i...
Mistrust vs Misinformation: Fake News, AI and Privacy -- The Next Frontiers i...
 
Russian and Worldwide Internet Security Trends 2015
Russian and Worldwide Internet Security Trends 2015Russian and Worldwide Internet Security Trends 2015
Russian and Worldwide Internet Security Trends 2015
 
DDoS Cyber Attacks Against Global Markets | Prolexic
DDoS Cyber Attacks Against Global Markets | ProlexicDDoS Cyber Attacks Against Global Markets | Prolexic
DDoS Cyber Attacks Against Global Markets | Prolexic
 
ASIS NYC InT Presentation
ASIS NYC InT PresentationASIS NYC InT Presentation
ASIS NYC InT Presentation
 
Critical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the BoardroomCritical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the Boardroom
 

More from CrowdStrike

State of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers MindsetState of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers MindsetCrowdStrike
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemCrowdStrike
 
Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns CrowdStrike
 
An Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware OutbreakAn Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware OutbreakCrowdStrike
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingCrowdStrike
 
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORMDEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORMCrowdStrike
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeCrowdStrike
 
Cloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint SecurityCloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint SecurityCrowdStrike
 
You Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionYou Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionCrowdStrike
 
Battling Unknown Malware with Machine Learning
Battling Unknown Malware with Machine Learning Battling Unknown Malware with Machine Learning
Battling Unknown Malware with Machine Learning CrowdStrike
 
Java Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging JavaJava Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging JavaCrowdStrike
 
CrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the IndicatorCrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the IndicatorCrowdStrike
 
CrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the HashCrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the HashCrowdStrike
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyCrowdStrike
 
TOR... ALL THE THINGS
TOR... ALL THE THINGSTOR... ALL THE THINGS
TOR... ALL THE THINGSCrowdStrike
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper
End-to-End Analysis of a Domain Generating Algorithm Malware Family WhitepaperEnd-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper
End-to-End Analysis of a Domain Generating Algorithm Malware Family WhitepaperCrowdStrike
 
TOR... ALL THE THINGS Whitepaper
TOR... ALL THE THINGS WhitepaperTOR... ALL THE THINGS Whitepaper
TOR... ALL THE THINGS WhitepaperCrowdStrike
 
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsI/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsCrowdStrike
 

More from CrowdStrike (20)

State of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers MindsetState of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers Mindset
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
 
Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns
 
An Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware OutbreakAn Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware Outbreak
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
 
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORMDEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrike
 
Cloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint SecurityCloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint Security
 
You Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionYou Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And Detection
 
Battling Unknown Malware with Machine Learning
Battling Unknown Malware with Machine Learning Battling Unknown Malware with Machine Learning
Battling Unknown Malware with Machine Learning
 
Java Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging JavaJava Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging Java
 
Venom
Venom Venom
Venom
 
CrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the IndicatorCrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the Indicator
 
CrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the HashCrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the Hash
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware Family
 
TOR... ALL THE THINGS
TOR... ALL THE THINGSTOR... ALL THE THINGS
TOR... ALL THE THINGS
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper
End-to-End Analysis of a Domain Generating Algorithm Malware Family WhitepaperEnd-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper
End-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper
 
TOR... ALL THE THINGS Whitepaper
TOR... ALL THE THINGS WhitepaperTOR... ALL THE THINGS Whitepaper
TOR... ALL THE THINGS Whitepaper
 
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsI/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
 

Recently uploaded

A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 

Recently uploaded (20)

A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

CrowdCasts Monthly: You Have an Adversary Problem

  • 1. You Have an ADVERSARY PROBLEM. Who’s Targeting You and Why?
  • 2. @CROWDSTRIKE | #CROWDCASTS AGENDA YOU HAVE AN ADVERSARY PROBLEM. 1.  INTELLIGENCE-DRIVEN SECURITY 2.  ADVERSARY CATEGORIZATION 3.  ADVERSARY GROUPS - OVERVIEW 4.  NOTABLE ACTIVITY – Q3 5.  NEW ACTORS 6.  ACTIONALIZING INTELLIGENCE 2013 CrowdStrike, Inc. All rights reserved. 2
  • 3. @CROWDSTRIKE | #CROWDCASTS Today’s Speakers ADAM MEYERS | VP, INTELLIGENCE Recognized speaker, trainer, and intelligence expert with 15+ years of cyber security industry experience 10 years in the DIB supporting US GOV customers on topics ranging from wireless, pen testing, IR, and malware analysis @ADAM_CYBER 2013 Crowdstrike, Inc. All rights reserved. 3
  • 4. @CROWDSTRIKE | #CROWDCASTS Today’s Speakers MATT DAHL | SENIOR ANALYST/ LEGAL COUNSEL Cyber threat analyst focused on targeted intrusion activity Focused on investigating indicators of compromise to identify specific adversary activity Legal liaison to the CrowdStrike Intelligence Team @CROWDSTRIKE 2013 Crowdstrike, Inc. All rights reserved. 4
  • 5. @CROWDSTRIKE | #CROWDCASTS Adversaries are humans Targeted Attackers: WHO ARE THE ADVERSARIES? Motivation can range from disruption, theft, to even destruction They need to get in They will likely need to move laterally Spray and Pray (Prey): They don’t care who they target (sometimes what) The more they compromise the more they win Motivation can range from disruption, theft, to even destruction 2013 Crowdstrike, Inc. All rights reserved. 5
  • 7. @CROWDSTRIKE | #CROWDCASTS Adversary Categorization CATEGORIZATION| Adversary Groups 1 Tactics, Techniques, and Practices 2 Never assume relationships exist Between indicators 3 Recognize adversaries are constantly changing 4 But RECOGNIZE they are HUMAN CATEGORIZATION 2013 Crowdstrike, Inc. All rights reserved. 7
  • 8. Intelligence: Adversary Groups @CROWDSTRIKE | #CROWDCASTS CHINA Anchor Panda Comment Panda Impersonating Panda Temper Panda Keyhole Panda Aurora Panda Stone Panda Vixen Panda Union Panda Poisonous Panda Pirate Panda Dagger Panda Violin Panda Putter Panda Test Panda Gibberish Panda Electric Panda Wet Panda Karma Panda Dynamite Panda Radio Panda Samurai Panda Toxic Panda Numbered Panda Pitty Panda Foxy Panda Deep Panda 2013 CrowdStrike, Inc. All rights reserved. 8
  • 9. Intelligence @CROWDSTRIKE | #CROWDCASTS Adversary Groups IRAN Clever Kitten: Energy Companies Cutting Kitten: For Hire NORTH KOREA Silent Chollima: Energy Companies RUSSIA Energetic Bear: Oil and Gas Companies INDIA Viceroy Tiger Government, Legal, Financial, Media, Telecom 2013 CrowdStrike, Inc. All rights reserved. 9
  • 10. Intelligence @CROWDSTRIKE | #CROWDCASTS Adversary Groups HACKTIVIST/ACTIVIST/ TERRORIST CRIMINAL Deadeye Jackal Commercial, Singing Spider Commercial, Financial Financial, Media, Social Networking Union Spider Manufacturing Ghost Jackal Commercial, Energy, Andromeda Spider Numerous Financial Corsair Jackal Commercial, Technology, Financial, Energy Extreme Jackal Military, Government 2013 CrowdStrike, Inc. All rights reserved. 10
  • 11. @CROWDSTRIKE | #CROWDCASTS Notable Activity – Q3 NEW ADVERSARIES STONE PANDA | NIGHTSHADE PANDA | GOBLIN PANDA | CORSAIR JACKAL NOTABLE ACTIVITY DEADEYE JACKAL | NUMBERED PANDA | SILENT CHOLLIMA 2013 Crowdstrike, Inc. All rights reserved. 11
  • 12. NEW ACTORS 2013 CrowdStrike, Inc. All rights reserved. 12
  • 13. Intelligence: STONE PANDA OPERATIONAL WINDOW May 2010 to Present @CROWDSTRIKE | #CROWDCASTS TARGETING Healthcare Defense Aerospace OBJECTIVES Recon Lateral movement Data exfiltration Government TOOLS Poison Ivy RAT IEChecker/EvilGrab 2013 CrowdStrike, Inc. All rights reserved. 13
  • 14. @CROWDSTRIKE | #CROWDCASTS Target Sectors: Healthcare, Defense, Aerospace, Government Delivery: Likely spearphishing WHO IS STONE PANDA? Malware: Poison Ivy and EvilGrab/ IEChecker Known Poison Ivy passwords: menuPass, happyyongzi, Thankss, Xgstone, keaidestone, and admin C2 Indicators: fbi.sexxxy.biz; u1.FartIT.com; jj.mysecondarydns.com; 54.241.13.219; 184.169.176.71; 114.80.96.8 2013 Crowdstrike, Inc. All rights reserved. 14
  • 15. Intelligence: NIGHTSHADE PANDA OPERATIONAL WINDOW Feb 2008 to Present OBJECTIVES Recon Lateral movement Data exfiltration @CROWDSTRIKE | #CROWDCASTS TARGETING Media NGO/Int’l Relations Universities TOOLS Poison Ivy PlugX 2013 CrowdStrike, Inc. All rights reserved. 15
  • 16. @CROWDSTRIKE | #CROWDCASTS Target Sectors: Media; NGO/Int’l Relations; Universities WHO IS NIGHTSHADE PANDA? Delivery: Likely spearphishing Malware: PlugX and Poison Ivy Known Poison Ivy passwords: synnia C2 Indicators: www.adv138mail.com; pu.flowershow.org; tech.network-sec.net; 184.105.178.83; 199.59.243.106; 112.137.162.151 2013 Crowdstrike, Inc. All rights reserved. 16
  • 17. Intelligence: GOBLIN PANDA OPERATIONAL WINDOW July 2012 to July 2013 OBJECTIVES Recon Lateral movement Data exfiltration @CROWDSTRIKE | #CROWDCASTS TARGETING Aerospace Defense Energy Government Shipping TOOLS Technology Spearphishing using office doc ZeGhost specific mutexes 2013 CrowdStrike, Inc. All rights reserved. 17
  • 18. @CROWDSTRIKE | #CROWDCASTS Target Sectors: Aerospace; Defense; Energy; Government; Shipping; Technology; Telecommunications WHO IS GOBLIN PANDA? Delivery: Spearphishing Malware: HttpTunnel (AV detection = Zegost) Mutexes: HttpTunnel@@ or Http@@@ C2 Indicators: vnpt.conimes.com; mofa.conimes.com; pvep.scvhosts.com; 112.175.79.55; 223.26.55.122; 198.100.97.245 2013 Crowdstrike, Inc. All rights reserved. 18
  • 19. @CROWDSTRIKE | #CROWDCASTS Intelligence: CORSAIR JACKAL OPERATIONAL WINDOW February 2013 to May 2013 OBJECTIVES Information Disclosure TARGETING Energy Financial Government Shipping Telecom TOOLS Cross Site Scripting (XSS) 2013 CrowdStrike, Inc. All rights reserved. 19
  • 20. @CROWDSTRIKE | #CROWDCASTS Timeline: CORSAIR JACKAL 2012 XTnR3v0LT colludes with Anonymous group XL3gi0n January 25, 2013 New members added January 22, 2013 XTnR3v0LT announce formation of TCA March 1 2013 Announced compromise of US financial February 2013 Announced participation in #opblacksummer July 29 2013 Ben Khlifa announces new personal page May 7, 2013 XTnR3v0LT arrested by Tunisian Authorities September 2, 2013 Tweets XSS vulnerability on Sourceforge 2013 CrowdStrike, Inc. All rights reserved. 20
  • 21. @CROWDSTRIKE | #CROWDCASTS Target Sectors: Energy; Financial; Government; Shipping; Telecommunications WHO IS CORSAIR JACKAL? Primarily One Individual: Fahmi Ben Khlifa (XTnR3v0LT) Professed nationalistic motivations for malicious activity, but also white hat activity. Cross-site scripting attacks used to compromise databases at target organizations. 2013 Crowdstrike, Inc. All rights reserved. 21
  • 22. NOTABLE ACTIVITY 2013 CrowdStrike, Inc. All rights reserved. 22
  • 23. @CROWDSTRIKE | #CROWDCASTS Intelligence: DEADEYE JACKAL OPERATIONAL WINDOW TARGETING May 2011 to Present Financial Institution Media/News Social Network Platforms OBJECTIVES Propaganda Disinformation Disruption TOOLS Spearphishing Web Exploitation Facebook Spamming 2013 CrowdStrike, Inc. All rights reserved. 23
  • 24. @CROWDSTRIKE | #CROWDCASTS Timeline: DEADEYE JACKAL August 26, 2011 May 5, 2011 SEA Mohammad Ahmad Fall 2011 – Spring 2013 Officially Formed Kabbani Killed Web Defacements Facebook Spamming September 2011 Harvard Defacement July 2013 3rd Party Provider Breaches February 2013 Twitter Account Takeovers August 2013 Domain Hijacking 2013 CrowdStrike, Inc. All rights reserved. 24
  • 25. @CROWDSTRIKE | #CROWDCASTS Target Sectors: Financial Institutions; Media/News; Social Network Platforms WHO IS DEADEYE JACKAL? Delivery: Spearphishing Nationalistic, pro-Syrian regime motivations Defacement, account takeover, third-party provider attacks, credential collection 2013 Crowdstrike, Inc. All rights reserved. 25
  • 26. Intelligence: NUMBERED PANDA OPERATIONAL WINDOW 2009 - Present OBJECTIVES Recon Lateral movement Data exfiltration @CROWDSTRIKE | #CROWDCASTS TARGETING Government Financial Telecom Technology Media TOOLS Spearphishing Dynamic Calculation 2013 CrowdStrike, Inc. All rights reserved. 26
  • 27. @CROWDSTRIKE | #CROWDCASTS Target Sectors: Government; Financial; Telecommunications; Media WHO IS NUMBERED PANDA? Delivery: Spearphishing Malware: Ixeshe, Mswab, Gh0st, ShowNews, 3001 C2 Indicators: getfresh.dnsrd.com; serial.ddns.ms; gfans.onmypc.us; 23.19.122.202; 192.154.108.10; 192.154.111.200 2013 Crowdstrike, Inc. All rights reserved. 27
  • 28. Intelligence: SILENT CHOLLIMA OPERATIONAL WINDOW 2007 to Present @CROWDSTRIKE | #CROWDCASTS TARGETING Multiple targets in ROK Global Targets of Opportunity OBJECTIVES Recon Criminal Monetization Lateral movement Data Destruction TOOLS Custom Malware 2013 CrowdStrike, Inc. All rights reserved. 28
  • 29. @CROWDSTRIKE | #CROWDCASTS Target Sectors: Media WHO IS SILENT CHOLLIMA? Delivery: Spearphishing Malware: HTTP/IRC-based; Tdrop; Concealment Troy; LSG C2 indicators: www.designface.net; www.sdmp.kr; www.socrates.tw; 202.172.28.111; 63.115.31.15; 209.137.232.3 2013 Crowdstrike, Inc. All rights reserved. 29
  • 30. @CROWDSTRIKE | #CROWDCASTS INTELLIGENCE-DRIVEN SECURITY INTELLIGENCE| Adversary-Centric 1 INTELLIGENCE Understand the adversaries targeting your Vertical | Company | Geo-Location | Customers 2 Build appropriate defenses to counter/detect these adversaries 3 Perform other security practices from an Adversary-centric perspective Pen Testing (Red Team) Security Operations Briefings Log Review 2013 Crowdstrike, Inc. All rights reserved. 30
  • 31. @CROWDSTRIKE | #CROWDCASTS INTELLIGENCE-DRIVEN SECURITY INTELLIGENCE| Making it Actionable 1 ACTIONALIZING INTELLIGENCE Intelligence is difficult to consume Lots of information to keep straight New data constantly flowing in (possibly unvetted) 2 Security Operations need to change shis & people 3 Actionable Intelligence Pass down can’t possibly occur with all indicators 2013 Crowdstrike, Inc. All rights reserved. 31
  • 32. @CROWDSTRIKE | #CROWDCASTS Adversary Microsite COMING SOON TRACK: Track current Adversaries against other Industry nomenclature OVERVIEW: Gain insight Into adversary – new groups Added weekly 2013 Crowdstrike, Inc. All rights reserved. 32
  • 33. @CROWDSTRIKE | #CROWDCASTS RESOURCES Next up: Enterprise Activity Monitoring The Power to HUNT November 5th | 2PM ET/11AM PT Download a Sample Adversary Intelligence Report http://www.crowdstrike.com/ sites/default/files/deeppanda.pdf For additional information, CONTACT SALES@CROWDSTRIKE.COM *NEW* Videos Every Thursday | 1PM ET http://www.crowdstrike.com/crowdcasts/index.html 2013 Crowdstrike, Inc. All rights reserved. 33
  • 34. Q&A Q&A @CROWDSTRIKE | #CROWDCASTS Please type all questions into the Q&A section of the GoToWebinar Control Panel If you have additional ?’s, contact us At crowdcasts@crowdstrike.com 2013 CrowdStrike, Inc. All rights reserved. 34