## PANDAS AND BEARS

Chris Scott, Director of Remediation, CrowdStrike Services
Wendi Whitmore, Global Partner, IBM Security Services

2016 CrowdStrike, Inc. All rights reserved.

-----

###### WENDI WHITMORE

Partner, IBM Security Services. Incident response and security breach investigations experience.

Previously: Vice President, CrowdStrike Services; Managing Director, Mandiant; Special Agent, Air Force Office of Special Investigations.

Connect: LinkedIn: Wendi Whitmore | Twitter: @WendiLou2 | wwhitmor@us.ibm.com

-----

###### CHRIS SCOTT

Director of Remediation, CrowdStrike Services. 18+ years conducting security assessment, incident response, insider threat analysis, and security architecture.

Prior to CrowdStrike: defended networks for the Defense Industrial Base.

Connect: LinkedIn: Christopher Scott | Twitter: @NetOpsGuru | chris@crowdstrike.com

-----

###### Adversary groups and the sectors they target

| Origin (as labeled on the slide) | Adversary | Targeted sectors |
|---|---|---|
| China | Comment Panda | Commercial, Government, Non-profit |
| China | Deep Panda | Financial, Technology, Non-profit |
| China | Foxy Panda | Technology & Communications |
| China | Anchor Panda | Government organizations, Defense & Aerospace, Industrial Engineering, NGOs |
| China | Impersonating Panda | Financial Sector |
| China | Karma Panda | Dissident groups |
| China | Keyhole Panda | Electronics & Communications |
| China | Poisonous Panda | Energy Technology, G20, NGOs, Dissident Groups |
| China | Putter Panda | Governmental & Military |
| China | Toxic Panda | Dissident Groups |
| China | Union Panda | Industrial companies |
| China | Vixen Panda | Government |
| Russia | Energetic Bear | Oil and Gas Companies |
| North Korea | Silent Chollima | Government, Military, Financial |
| Iran | Magic Kitten | Dissidents |
| Iran | Cutting Kitten | Energy Companies |
| India | Viceroy Tiger | Government, Legal, Financial, Media, Telecom |
| (not given) | Deadeye Jackal | Commercial, Financial, Media, Social Networking |
| (not given) | Ghost Jackal | Commercial, Energy, Financial |
| (not given) | Corsair Jackal | Commercial, Technology, Financial, Energy |
| (not given) | Singing Spider | Commercial, Financial |
| (not given) | Union Spider | Manufacturing |

-----

#### Incident response then and now: Long Long Ago, Not So Long Ago, Today (Automation!)

- Track attackers and actively hunt for them in real-time
- Search for indicators of attack
- Remove affected machine from network immediately
- Begin posturing for remediation on Day 1 of IR
- Collect data from one machine at a time
- Contain the adversary quickly
- Search for indicators of compromise
- Clean entire network before beginning to remediate
- Conduct forensics for months before

-----

#### TRACKING HUMAN ADVERSARIES REQUIRES NEW WAYS OF DETECTION

IOCs (Indicators of Compromise) vs IOAs (Indicators of Attack):

- IOCs: malware signatures, exploits, vulnerabilities, IP addresses
- IOAs: process flow, action vs malware, lateral movement

###### We need a shift in detection capabilities from Indicators of Compromise to Indicators of Attack

-----

#### GET TO KNOW THE ADVERSARY

#### Forces attackers to change behaviors
###### Not all behaviors change - good intel and pattern analysis can identify the new TTPs

#### Analysts need the ability to tailor intel and extract relevance via tools and skillsets
###### Understanding your adversaries helps you gain focus and understand what intel is relevant

-----

#### TTPs are now rapidly changing
###### Some things must still remain

#### What are adversaries adjusting to?
###### Better intelligence, hiding from forensics, better analysts, better technology

##### How many adversaries are attacking you?

-----

# BEAR vs PANDA: WHY ATTRIBUTION MATTERS

-----

###### Successful spear-phish in Jan 2015

Forensic analysis identifies lateral movement and malware created BEFORE the spear-phish. Two attacker profiles emerge:

| Toolset #1 | Toolset #2 |
|---|---|
| Complete set of tools for lateral movement copied to network and executed | Attackers identified as “living off the land” and largely using tools readily available on the system |
| Toolset attributed to China; use went back several years, but recently inactive | TTPs point to Russia; earliest activity occurred Jan 2015 |
| Sloppy coding | Professional and sanitized code |
| Compile time and debug info intact | Use of valid digital signatures |
| Chinese character set information present | Attempts to frustrate reverse engineering |
| Attribution: Eloquent Panda | Attribution: Cozy Bear |

-----
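An added example (not from the deck or its authors) of the timing-and-tradecraft check that the two-toolset case above depends on: recovered tools are clustered by the markers the slide lists (debug info, valid signature, anti-reverse-engineering, character set) and each cluster's earliest on-disk time is compared with the spear-phish date. Field names, file names and dates are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Artifact:
    name: str
    compiled: date          # PE compile timestamp
    debug_info: bool        # PDB path / debug directory left in the binary
    signed_valid: bool      # carries a valid code-signing signature
    charset_hint: str       # language/charset seen in resources or strings
    anti_re: bool           # packing, string encryption or similar anti-analysis
    created_on_host: date   # file creation time from the forensic image

def tradecraft_key(a):
    """Coarse fingerprint built from the markers the slide uses to split toolset #1 from #2."""
    return (a.debug_info, a.signed_valid, a.anti_re, a.charset_hint)

def cluster_toolsets(artifacts, initial_access):
    """Group artifacts by tradecraft fingerprint and, per group, flag whether any
    file was already on disk before the known initial-access event (the spear-phish).
    A cluster that predates initial access is the anomaly the takeaways slide asks for."""
    groups = defaultdict(list)
    for a in artifacts:
        groups[tradecraft_key(a)].append(a)
    report = []
    for key, items in groups.items():
        earliest = min(x.created_on_host for x in items)
        report.append({
            "fingerprint": key,
            "tools": sorted(x.name for x in items),
            "earliest_on_disk": earliest,
            "predates_initial_access": earliest < initial_access,
        })
    return sorted(report, key=lambda r: r["earliest_on_disk"])

# Constructed sample (assumed values): two toolsets mirroring the profiles above.
PHISH = date(2015, 1, 20)
ARTIFACTS = [
    Artifact("lat1.exe", date(2012, 3, 4), True, False, "zh", False, date(2015, 1, 21)),
    Artifact("lat2.exe", date(2013, 7, 9), True, False, "zh", False, date(2015, 1, 21)),
    Artifact("svc.dll", date(2014, 11, 2), False, True, "none", True, date(2014, 12, 15)),
    Artifact("ldr.exe", date(2014, 12, 1), False, True, "none", True, date(2014, 12, 16)),
]
```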
#### Multiple Adversaries?
###### Multiple Locations – Franchise Expansion
- Different POS Software and Vendors
- Different Support Vendors
- Different Concerns on Security

#### Hunting and Responding
- Understand the Environment
- Do You Have Access to the Endpoint? This is not a technical question ;-)
- Do You Have Tools to Respond?

-----

#### Multiple Adversaries?
- Plans to purchase
- What adversaries would be interested?
- Understand the negotiation plans

#### Hunting and Responding
- Do you have access in multiple environments? Law firm? Other company?
- Targeted hunting on people key to the M & A …and their assistants

GET TO KNOW THE ADVERSARY

-----

#### Why would you care?
- Understand who is targeting your intellectual property
- Plan to spend your security budget better
- Employ more effective containment and mitigation strategies
  - What areas of the kill chain is the adversary targeting?
  - Where is the weakness?

#### What would better help you identify?
- Context of the incident: M & A, Franchises, Development Plans
- Malware tools used
- Sequencing of commands
- Known C2 channels

-----

#### Why?
- Intellectual property leaving the building during the attack
- What makes you unique is quickly being taken
- Containment is not “Remediation”

#### How?
- Visibility, Visibility, Visibility
- Isolate in real time; new technologies allow for this
- Look at the IOAs: where in the attack cycle?
#### When?
- As soon as possible

-----

## THE TAKEAWAYS

- Not every adversary group is created equal. Groups have differing skills, resources, and capabilities.
- Do not fit data into your expectations – look for anomalies in your findings, focusing on timing, behavior, and tradecraft.
- The likelihood of being targeted by multiple adversaries is high. In this example, remediation had to include both actors simultaneously!

Intel-Driven Response

-----

#### All Adversaries
- Privileged Account Control
  - Think outside of the box on ways to do this
- Blacklisting known IOCs?
  - What is the effort vs the reward?
- Service Accounts
  - Can you reset them?
  - Who has the source code?
  - How long to fix it?

-----

#### Where is the adversary in the kill chain?
The earlier in the kill chain, the more options at your disposal.
- Visibility, Visibility, Visibility
- If you can find them at exploitation, installation, or command and control, you can stop them quickly
- If you understand the pattern of the attack you have additional options
  - Anticipate the next move
  - Use the intel you collected

-----
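The IOA-versus-IOC contrast from the detection slide, and the kill-chain point that a behaviour chain can be stopped before command and control, shown as added example code that is not from the deck or its authors: the same constructed process telemetry gives a hash blocklist nothing to match, because the actor lives off the land, but a behaviour rule over the sequence of actions catches it. Host names, users, hashes and the 30-minute window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str
    parent: str    # parent process image
    image: str     # process image
    cmdline: str
    sha256: str    # hash of the image on disk

# Constructed sample telemetry (not real data): every image is a legitimate
# OS or Office binary, so there is no implanted malware to hash.
T0 = datetime(2015, 1, 12, 9, 30)
EVENTS = [
    ProcEvent(T0, "ws01", "corp\\alice", "outlook.exe", "winword.exe",
              "winword.exe invoice.doc", "aa11"),
    ProcEvent(T0 + timedelta(seconds=40), "ws01", "corp\\alice", "winword.exe",
              "powershell.exe", "powershell.exe -w hidden -nop", "bb22"),
    ProcEvent(T0 + timedelta(minutes=6), "ws01", "corp\\alice", "powershell.exe",
              "net.exe", "net use \\\\fs01\\c$", "cc33"),
    ProcEvent(T0 + timedelta(minutes=7), "ws01", "corp\\alice", "powershell.exe",
              "wmic.exe", "wmic /node:fs01 process call create cmd.exe", "dd44"),
    ProcEvent(T0 + timedelta(hours=2), "ws02", "corp\\bob", "explorer.exe",
              "winword.exe", "winword.exe report.docx", "aa11"),
]

# IOC approach: match file hashes against a blocklist (constructed placeholder value).
KNOWN_BAD_SHA256 = {"0badf00d"}

def ioc_hits(events):
    """Hash-based detection: finds nothing when the tools are the system's own."""
    return [e for e in events if e.sha256 in KNOWN_BAD_SHA256]

# IOA approach: look at process flow and lateral movement, not at the binaries.
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
LATERAL = ("wmic /node:", "psexec", "sc \\\\", "net use \\\\")

def ioa_hits(events, window=timedelta(minutes=30)):
    """Flag the chain: an Office app spawns a shell, then the same user on the same
    host runs remote-execution tooling within `window`. Returns (host, user, events)."""
    hits = []
    for s in (e for e in events if e.parent in OFFICE and e.image in SHELLS):
        moves = [e for e in events
                 if e.host == s.host and e.user == s.user
                 and s.ts < e.ts <= s.ts + window
                 and any(m in e.cmdline.lower() for m in LATERAL)]
        if moves:
            hits.append((s.host, s.user, [s] + sorted(moves, key=lambda e: e.ts)))
    return hits
```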