
talk in a bit. Awesome, thanks, appreciate it, and thank you to everyone for attending this. The basic premise of what I'm talking about today is some of the more advanced capabilities that we're observing the adversary leverage, and this goes beyond your classic criminal extortion ransomware and nation-state espionage. My goal in making this presentation was to create and give some ideas around some of the commonalities that we're seeing across a lot of the more advanced attacks, so that's what we're shooting for today. As a quick introduction, my name is Jason and I lead a team at CrowdStrike called the Strategic Threat Advisory Group. Basically what our team does is we help our customers understand adversarial threats to their environment. Prior to CrowdStrike I used to work for a Big Four consulting firm, where I built threat intelligence programs for Fortune 500 companies and government agencies, and prior to that I was in the US Army for approximately seven years as an intelligence officer at places like the NSA and Cyber Command. So enough about me, let's talk a little bit about the agenda. We'll be going over this thing called the adversary offensive operations model, and then we're going to give various examples from this operational model of the different things that we're seeing adversaries do, again not only from a criminal perspective, not only from a nation-state perspective, but really across the board.

When we think about who those adversaries are, they typically manifest across three motivation types: nation-state, e-crime and hacktivist. The basic difference between what we see is around motive. So for example a nation-state actor might be motivated by espionage, national security, economic well-being and geopolitics, whereas an e-crime adversary might be financially motivated and therefore engages in financially motivated attacks. Hacktivists are ideologically motivated and of course accordingly engage in ideologically motivated attacks. Normally you really only see nation-states and e-crime playing those bigger roles, but lately, especially with the outbreak of the Russia-Ukraine conflict, we have seen a lot more hacktivists on both sides of the equation. So very much so, all three actor types are a very prevalent part of today's modern threat.

So let's take a look at the overarching issue. We'll talk about why this is such a challenge: why do these different attacks and these more advanced procedures present such a challenge for us as defenders? One way to think of this is to think about how the threat landscape has evolved over time, and what you will find is that the more this landscape evolves, the faster it requires us to respond. If we go all the way back in the day to viruses and worms and the amount of time it took to respond, basically the adversary used to operate at a much slower rate. Then slowly but surely, as they leveraged these automated threats, they were able to quickly ramp up the speed of their attacks, not only by using these automated capabilities but by working together as business units. That's what we're seeing nowadays: a lot of these adversary groups are not just doing operations autonomously; rather, they're specializing in different areas and then partnering with other criminal entities and other espionage entities who specialize in areas that they're not good at, and by combining their efforts they're able to create a much more holistic, much more threatening issue. That's what leads us to where we're at today, where we're literally in a place where we have minutes to respond. And this isn't just a theory; this is the reality of what you're seeing.

What you are looking at on this slide is obviously the MITRE ATT&CK framework, but I'm going to introduce a term called the breakout time. The breakout time is a critical area that I think we need to pay attention to as we are dissecting this modern attack. Basically the breakout time is how long it takes the adversary, once they gain access, to move laterally, because once they gain access you still have a lot of opportunities to stop them, especially during that post-exploitation phase. But once they move laterally and once they're able to achieve a broader series of objectives, that's when we really get into trouble, and that's when you have this thing called the breakout time, because once they have that lateral movement it's much easier for them to achieve their objectives. So at CrowdStrike we created something called the 1-10-60 rule, and although this sounds good from a marketing standpoint ("oh yeah, 1-10-60"), this is actually the reality of what we are seeing and this is why we recommend it. That is one minute to detect, 10 minutes to investigate, 60 minutes to respond. And again, this is not a theory, this is a fact. One of the best well-known examples that we've seen of this is the breakout time of the modern e-crime adversary. I think one of the things that really illustrates this is just looking at the difference in breakout time between 2018 and where it was at in 2021. In 2018 what we were saying is that it took the average e-crime adversary 9 hours and 42 minutes to break out, which again is to move laterally, elevate privileges, really get that elevated level of access, whereas in 2021 it took those same adversary types one hour and 38 minutes. So again, think about this: they went from nine hours and 42 minutes three years ago down to one hour and 38 minutes within simply a three-year time span. That is a very intense rate of evolution, and if you take that and compare it against the 2021 infosec team remediation timeline, yeah, 162 hours is not gonna cut it. That's why we're having this conversation, that's why we're doing this today: because the adversary is moving at lightning-fast speeds, and our goal as intelligence and cyber security professionals is to not only understand how and why they're moving at these speeds but what we can do to stop them.

Another area that's really complicating things is the use of malware versus malware-free attacks. As you can see, in 2021, according to CrowdStrike collections, only 38 percent of what we saw was malware-based, the other 62 percent being malware-free. When I say malware-free, I mean living off the land, these hands-on-keyboard techniques: PowerShell, command line, PsExec, RDP brute forcing. There's lots of things that the adversary can do that do not require the use of signatures, and when they avoid using signatures and when they avoid using executables, that makes it much harder for you as a defender to actually find their activities, and that's why the adversary is adapting in the way that they do. So this gets me to my next slide, which
is the adversary offensive operations model. What I am encouraging my customers to do, to the greatest degree that they can, is to start conceiving of their adversary as a complex operation, not necessarily just as a piece of malware but rather a much more holistic operation, particularly across three phases. You will notice that every single adversary, whether they are of the espionage variety, the e-crime variety or even the hacktivist, will operate in this three-phased manner. Phase one is access operations: how are they going to get in? Are they going to use valid credentials, will it be supply chain, multi-factor authentication bypass, zero-day exploitation, and so on and so forth. Then once they're in, how are they going to move laterally, how are they going to remain stealthy, how are they going to use these hands-on-keyboard techniques in order to escalate privileges and adequately explore their environment, which of course sets them up for the third stage, which is objective execution. This is what we want to prevent the adversary from getting to. Of course we want to prevent ransomware in our environments; of course we want to prevent valuable data from being exfiltrated, whether it be by nation-states or e-crime actors. But again, that's why this is a three-phase model, because if we're putting all of our eggs in the prevention basket, well, the challenge is one day we are going to get surprised. So the goal is to not put all of our eggs in the prevention basket and to really think from an adversarial standpoint: what are the different areas across access, post-exploitation and objective execution where we as defenders can ideally preempt our adversary's actions?

So let's talk about that first phase, which is how the adversaries are getting in: access operations. I like to be very data-driven whenever I can, and you've probably been hearing a lot lately that identity is a big part of the problem: leaked identities, whether it's brute-forced credentials or access brokers or an improperly configured password or a lack of multi-factor authentication. You've probably heard a lot lately that identity is a large source of the problem, and I am here to say this not only qualitatively but quantitatively: yes, valid credentials, identity, is in fact the primary problem. What you are looking at is CrowdStrike intrusion telemetry from the year 2021. What we have done is we took every single technique that we detected across the MITRE ATT&CK framework and we superimposed it on a heat map. The heat map is very self-explanatory: white means we didn't see it, green means we saw it less, red means we saw it a lot. So what are we saying here? Well, certainly we're saying we saw a lot of use of valid accounts, which kind of makes sense when you think about what has happened over the last couple of years. Lots of things have happened, but two big things have happened that have fundamentally altered the cyber threat landscape. The first thing is COVID-19, and when you think about what COVID-19 did, well, it sent all of us home, and despite the fact that it sent us home, work didn't stop. We just logged in remotely: we used RDP, VPN, software as a service, infrastructure as a service, which brings me to my next point, these as-a-service type alliances, not only by large corporations but large government entities. So not only are many of us now working from home, but now we have this greatly expanded cloud attack surface, all of which favors an adversary who is seeking to exploit identities, because to get into any of these areas, especially if there's no multi-factor authentication, all you simply have to do is have a valid username and password, which can be achieved in many numbers of ways, and which of course is also a core part of how adversaries move laterally and find Active Directory in terms of your ransomware adversaries. So again, identity is a huge part of the problem, and like I said, I wanted to show this quantitatively, not just qualitatively.

Then the question is, well, if identity is the big part of the problem, then what are the methods, how are the adversaries actually doing this? Some of it's pretty basic: spam, phishing, a lot of the common stuff that we've always known about for a very long time continues to be a very prevalent way of getting in. What we have noticed lately is a lot more investment by adversaries in really thinking about what is the best way to phish, what are the best themes, what are the best campaigns, the best emails. I saw one, I think it was last week or the week before, that was done by the Indian government, and what they were doing was they were falsifying an official document relating to the Russia-Ukraine conflict and they passed that document over to a Pakistani target. Their intent in passing that over was to take advantage of the situation in Russia and Ukraine, create this very real-looking document, but then phish with it in order to gain that initial access. So that's what I mean when I say that the adversary is really thinking about what they're doing: they're thinking about what's going on in the world, they're thinking about the target they're going after, and they're tailoring everything to be highly
tactical and highly specified to the target that they're going after. Sometimes the adversary is just using brute force, and this is very, very common with some of these insecure cloud environments, especially these open Kubernetes clusters or temporary open image containers where cloud developers are opening temporary environments that yes, are defended by a username and password, but oftentimes a very hastily created username and password, or one that's not being properly enforced, which of course begs for the opportunity for the adversary to engage in these brute-forcing tactics. Another big one that we've seen is a significant elevation in access broker activity, an access broker being an individual that specializes in gaining and maintaining access into a target environment up until the point where they can sell that access. So an access broker is one of those examples of that specialization that I was talking about. Again, groups aren't trying to do everything themselves; they're specializing in one area or the other and then working together to form a more collaborative, more dangerous criminal enterprise.

Again, I love data, and going back to this data-driven approach, let's talk about access brokers. What you are looking at is the geographic extent of access broker targeting that we saw between January to March 2021 and January to March 2022, and what we're basically doing is comparing the beginning of this year to the beginning of last year. I think there's been some very notable shifts. The blue is 2021, the orange is 2022. The most obvious thing, and again I'm not a statistician, I'm not a math genius, but I can look at the graphs and be like, yep, that's a statistically bigger number: that's a 600 percent increase in Europe, that's a 200 percent increase in North America, a 300 percent increase in South America, so on and so forth. These are massive. It's not just a 50 or 60 percent increase; it's multiple hundreds of percentage points increase across the board, across the world. So that's the geographic perspective of access brokers, and unfortunately it's more of the same when it comes to the sector perspective: again, massive increases. Just look at academic, for example; I can't even count that high, that's like a thousand percent increase or something bigger than that. But again, really across the board: agriculture, automotive, energy, financial services, especially financial services. What this is really illustrating is that the technique is working. Whenever you see criminals do more of something, what that's indicating is, yeah, that thing that we're doing more of, it's working, so we're going to continue to do more of it. If you ever wonder why ransomware keeps getting worse, well, ransomware keeps getting worse because it's working amazingly and they're getting all sorts of ransom payments and all sorts of funds. It's the same thing with access broker activities: you will notice that the adversary will continue to favor techniques that work and help them progress across that adversary operational timeline. So again, access brokers, that's a huge one. I would certainly be focused on dark web monitoring and certainly monitoring for these keywords and these indications of how you can catch these access brokers. If you want more information on exactly how to do that dark web monitoring, feel free to reach out to your local intelligence professional; if you don't have one of those, talk to CrowdStrike or whoever else your vendors are. But in general I would certainly invest in your understanding of access brokers, but more importantly how to stop them.

Supply chain: no surprise. Last year, especially during the beginning of the year, we were dealing with the fallout of the SolarWinds event, and really the challenge here is the trusted-relationship nature of this. As we're doing business these days, it requires trust. We trust our software providers, our hardware providers, we trust our vendors, yet it is this same exact trust that is being manipulated by the adversary in order for them to gain access to our environments. In terms of what to do about this, this is a tough one, because we can't just not trust, but what we can do is trust but verify. I am going to provide you a three-part solution to a supply chain compromise attack, and by implementing this three-part solution you will be that much more defended against these types of attacks. Part one: collect intelligence on previous supply chain attacks. My logic is very simple: future supply chain attacks are likely to resemble previous supply chain attacks, and your knowledge of previous supply chain attacks will help you know what to look for in future supply chain attacks. Which begs the question, what do we look for? What I would contend the number one thing that you could possibly look for would be in the software realm, but specifically within the software realm I would contend that you are looking at the before and after of these software updates, and you are monitoring the performance of the application, specifically two things: how is the application communicating, and how is the application modifying files within my environment? Because if it's communicating and modifying files in a similar manner before the update as it is after the update, okay, you're probably good to go. But if it's suddenly communicating all sorts of data and then modifying files in very weird ways after the update, okay, maybe we want to investigate that one further, which leads me to my last method, which is threat hunting. So again, we need something to look at, right? We need to actually go at it, look at it and see what's going on. So again, this is a three-part solution: part one, intelligence on previous supply chain attacks; part two, log the updates and the performance of the software as it does updates; part three, threat hunt against those updates to seek out anomalies. That's one of the best things that you can do to mitigate those types of attacks.

Let's do another one, let's do a cloud one. What we're noticing here is that, particularly for your more sophisticated adversaries, they've excelled at gaining access to one area of the network but
then using different types of procedures and capabilities to bypass access into other areas. So in this specific example, what we observed was an adversary that CrowdStrike refers to as Cozy Bear. Cozy Bear is a Russian adversary that focuses on access enablement operations. Not only is this adversary heavily involved in the cloud, but they are also the same ones that perpetrated the SolarWinds attack. With this particular event, what we observed them do was gain access to a Microsoft 365 email environment. Once they gained access, and they did this through a cloud entry node, they were able to bypass multi-factor authentication policies on other accounts associated within this email enterprise, and then what they did was reuse the authentication cookies held within the credential store of the Chrome browser to again just bypass the MFA requirement. So here's what we're looking at: an adversary that got in by brute forcing in one area of a cloud environment; they then gained access to the multi-factor authentication policies of the Microsoft 365 environment, shut those down, and then allowed other secondary and tertiary access points in other areas. What this really speaks to is the need to treat cloud like it's your stuff, but somewhere else. Let me say that one again: the cloud is your stuff, but somewhere else, and just like you would protect your stuff if your stuff is somewhere else, whether it's infrastructure as a service, platform as a service or software as a service, we still need to protect it. Which gets me back to my identity point, because how are you accessing these software-as-a-service offerings, how are you accessing infrastructure as a service? My guess is you are logging in with an identity. I hope that identity has multi-factor authentication; I hope your cloud infrastructure is properly protected, because these are the things that our adversaries are taking advantage of. They're looking for the low-hanging fruit, they're taking advantage of the chaos, whether it's cloud compromise or identity-based compromise or zero-day vulnerability compromise, which is one that we didn't talk about. Our adversary is watching us, and they're looking at the rapidly expanding attack surface, and what they're doing is focusing their efforts in any areas where we're not paying attention or any areas where we seem overwhelmed, like the cloud, like with these different vulnerabilities that are popping up. That is where they're really applying their efforts, so our capacity to be aware of this and to preemptively issue measures that stop them is critical in order to combat that.

Let's move on to the next phase, which is the post-exploitation area. I think post-exploitation is important, because here's the thing: you're not always going to stop the adversary from getting in, and I think this is a reality that we need to be better at accepting. You are not going to stop every phishing attack, you are not going to stop every zero-day vulnerability attack, you are not going to stop every supply chain attack. There are a million initial access attacks that you are not going to stop, and when we come to this realization, when we say to ourselves, you know what, yeah, it is possible for them to get in, that leads to the next and most obvious question, which is: if they're going to get in, how am I going to stop them? Well, I think one area we're thinking through is, do we know what they're going to do when they get in? What I'm showing you is a series of techniques that have been observed by CrowdStrike's hunting capability called OverWatch. What we did was we looked at the most popular techniques being used by the adversary, the fileless ones specifically, and we're really focusing on those. When it comes to the use of these techniques for post-exploitation, we see the use of compromised credentials: oftentimes they'll gain access and use compromised credentials to move laterally, which again speaks to that identity-based solution. They're using PsExec in order to do a light, telnet kind of lateral movement into other areas throughout the network. Native binaries, that's a big one: oftentimes we'll see the adversary just manipulate native binaries, manipulate file shares, manipulate registry keys, and the reason they're doing this is, like I said earlier, they don't want to set off any red flags, they don't want to set off your signature-based defenses, so they're going to avoid that. PowerShell, that's a big one: hands-on-keyboard command line, using capabilities that can call down the effects that they want as opposed to having to use malware to achieve the effects. And then the last one being the abuse of legitimate network administration tools. Again, thematically, our adversaries want to take advantage of the environment in front of them; they want to live off the land, which is the term that CrowdStrike will often use to describe this. If they're going to live off the land, well, then we need capabilities that detect that living off the land, capabilities like next-generation AV and EDR, but more importantly threat hunting, because here's the thing, it's like I said earlier: you are not going to stop all of them from getting in, but surely we can put people on the ground and employ professionals who understand this environment to engage in these critical threat hunting activities that are designed to stop the adversary. By the way, when I say threat hunting, I mean the 24/7/365 variety, not the part-time one that you do when you want to from nine to five, but again the 24/7/365 variety. Why do I say 24/7/365? Well, that's how your adversary operates. Your adversary knows when your weekends are, they know when your holidays are; in fact their favorite thing to do is to attack you on your weekends and your holidays. If you want the best example of that, go back to the Kaseya ransomware attack that occurred last year: 1,800 different victims between the United States and Europe and other locations, all hit simultaneously, all over the Fourth of July weekend, a very, very intentional attack. For reasons such as that, that is why I recommend 24/7/365 threat hunting.

So again, just some more observations around what we're seeing from a living-off-the-land perspective. Here's a more recent update of the stuff we're seeing: again, a lot of these things where we're seeing them use native tools in the environment, ProcDump, PowerShell, Windows Management Instrumentation, PsExec, as well as some non-native tools that they're leveraging in order to move laterally and achieve those post-exploitation objectives. And while this is broad guidance around what the adversary is doing, this is why consuming intelligence around what they are specifically doing is important, because I can show you a slide all day long, but for you to take action on this slide
requires you to have a greater degree of specificity around what exactly to look for so what we're looking in this case is an example kind of like a hybrid example so in the last section i talked about how cozy bear was gaining access uh via cloud environments and then using that to open up additional initial access vectors what we're talking about here is something very similar but instead of using it to open up additional access vectors they're using it to facilitate lateral movement so the interesting thing is that the adversary can sometimes do the same thing but achieve two different objectives sometimes an initial access objective sometimes more of a post exploitation objective again it's one of
those things where you kind of have to have the awareness like the overarching awareness of how are they using it what is what is common for them in terms of how they use it and then your ability to actually detect it which is why i'm such a huge proponent of intelligence because intelligence is what helps you understand what has happened in the past again something i always tell my customers is the thing that's most likely to happen to you tomorrow is whatever happened to your buddy that looks like you yesterday so here's an example of you know native tooling and again this is uh i'm showing you several different views of the same thing and my purpose here in showing you
these different views is to give you the different perspectives of how the adversary might approach and treat your environment so specifically when it comes to post exploitation the goal is really to stop them in these phases here whether it's lateral movement defensive agent persistence and these are things that you're going to see the adversary do time and time again perhaps using slightly different mechanisms different commands different ttps and protocols but again with the overarching and the same purpose and especially when you can get to the point to where you are used to specific adversary types that's when you can really get to the realm of predictability because especially with your criminal actors and some of your nation state
actors it's not like they're going to reinvent the wheel every time they do these these things in fact they're going to kind of do whatever has worked in the past that's how they become efficient that's how they scale in the same way that we want to be efficient and scale the adversary also wants to be efficient in scale so that's why having that understanding of how they're likely to engage in these attacks is so critical to stopping them let's go into the last portion of the brief which is around objective execution so like this is the end state right we want to prevent the bad stuff from happening to us but remember what i said earlier to prevent the end state to
prevent all the bad stuff from happening to the end you kind of want to act to the left as well so what i always tell my customers is you know go go as far to the left as possible you know if you can stop them at sorry i know i'm flipping slides all crazy but if you can stop them from gaining access if you can't stop them from gaining access stop them from post exploitation and then only after you've exhausted that then yes we must prevent but again ideally we are moving to the left as far as we possibly can so let's talk about objective execution here and this is really you know quote unquote the bad stuff that's
happening right and i'm going to provide several different examples of this across several different current conflicts uh the first and probably most center to a lot of people's minds is what's going on in russia and ukraine and basically what it boils down to is russia is doing all sorts of stuff but you can kind of categorize all of it into three broad categories uh the first is information disruption which is exactly as it sounds it's ddos it's but it's not just ddos it's also like cutting telecommunication lines and doing some of those physical attacks too like i read something like it was like maybe two weeks ago or week ago there was some like communication lines cut in both
france and moldova the french one could potentially be vandalism uh the moldova one given the proximity to ukraine feels a little bit more like a russian-based attack but then again i do want a perfectly caveat that we do not have any existing information to suggest that it was for sure the russians but certainly from a motive standpoint the moldova one does stand out uh but yeah that's kind of what we want to think of when we think of information disruption it's like the ability the ability to deny access to certain types of cyber resources information destruction is another big one and this is manifesting in several different forms uh well really three different forms there's ransomware
there's wiper destruction, like data destruction, and then there's literally physical destruction. And the Russian adversary types that we are tracking are certainly capable of all three and have recently demonstrated all three, even during the course of this current conflict. It started off with ransomware and then it sort of evolved into more of these wipers and physically destructive attacks. But again, very much so, it is something that is happening. There is some concern of seeing kind of like a NotPetya 2.0 type thing happen, because some of the wipers have worm-like functionality built into them. I'm sure most of us are familiar with what that means, but for those of us who are not, basically when I say worm-like functionality I mean the ability to self-propagate, which is a feature that we've seen not only in this current course of attacks but also, of course, in previous Russian attacks like NotPetya.

And then lastly there's information operations, which again is exactly as it sounds: it is the ability to control information, not only internally with their own population but externally. So for example, in the internal world of Russia, they're living in a parallel universe where, trying to think of how to say this, basically I'll just kind of say it like this: they are working on controlling information to a very extreme degree. They're limiting social media, limiting official news, newscasting channels, distorting the message, and they're doing this not only internally to control their own population but also externally. They are directing these external campaigns, of course, towards Western governments like the United States and European governments, but also towards the Ukrainians themselves, towards Eastern European entities, a lot of it for the purpose of demoralizing, creating chaos, trying to cause internal infighting. So again, when we talk about this objective execution, this is what this last phase looks like: it's when you get all the way there. You've done all the initial access, you've done all the post-exploitation, and now you're achieving the objective, and again this is kind of what we want to stop the adversary from achieving.

Another one of the more notable areas where we've seen a risk is to different types of American power providers. We have recently received reporting from sensitive sources, aka honeypots and other types of capabilities that we don't talk too much about, that basically we are observing Russian-based actors targeting uninterruptible power supplies within different substations. In terms of why they would do this: they would do this for retaliatory purposes, they would do this for escalation purposes. And the way that they would do this is, one, through using default credentials, which might blow your mind, but yeah, there are a lot of default credentials, to where administrators are just kind of logging in remotely, bridging the air gap with default credentials, which sounds like pure madness, but yes, that is happening all the time. And they're also using high-profile vulnerabilities; these vulnerabilities are designed to achieve remote code execution. So again, I'm showing this example because I want to show what the full spectrum looks like. The initial access might be the vulnerability exploitation or the use of default credentials, and then as they're moving laterally they're trying to find out where these switches are, how do I actually affect, you know, this electrical power enterprise, right? Because it's one thing to gain access to the environment, but it's another thing to actually know where you're going within these OT environments to successfully shut down power. I do want to caveat that this was not a successful attack; rather, we are seeing these attempted compromise attempts. But again, I did want to show this example because it's a nice full-spectrum example of the realm of the possible.

So with this next one we're looking at, again, one of those full-spectrum examples. This one is a Chinese adversary set, where we're looking at an adversary that goes after pretty much East Asian entities, focusing on Taiwan, India, Thailand, Hong Kong, Nepal, and this one's really focused on using the full spectrum of their capabilities to engage in economic espionage. So with this one, what you're seeing is a variety of different types of capabilities that are designed to get them in. So you see them focusing on initial access, going after internet-facing appliances, deploying web shells. They then (oops, sorry, let's go back one) they then maintain that access through the opening of a persistent web shell. So again, the entry point would be these, you know, internet-facing appliances, these vulnerabilities, phishing in many cases. The lateral movement consists of understanding the environment and opening up a persistence capability that allows them to maintain that access, and then the objective execution is the collection of sensitive data, particularly economic data, that allows them to fulfill their target objectives. And as you can see with the types of data they're collecting: healthcare, telecommunications, media, energy, aerospace, military and government. So again, this is another full-spectrum example. I do think these full-spectrum examples are important because what they do is they allow us to understand from start to finish, you know, how are they getting in, how are they achieving post-exploitation, and then what are they doing once they get there. And again, the reason I really love this three-step model is that every single step is an opportunity for us as defenders to stop them, and the more that we understand the adversary as a function of these steps, and the more that we're able to calculate their steps and preempt those steps, the better our ability to proactively combat what they're doing. Because otherwise we're sort of just waiting for the prevention phase, which is like the opposite of what we want to do. We want to avoid waiting for the prevention phase and ideally get to a place where we can, you know, mitigate them in some of the earlier phases of the attack life cycle.

Here's another example of an adversary that has a full spectrum of capabilities to achieve their objectives. This is an adversary that we refer to as WIZARD SPIDER. You might better know them as the user of the Ryuk ransomware, Conti ransomware, TrickBot banking trojan. I think between those three terms I've probably connected to most of the people out there in terms of who this adversary is. But yeah, I like this example because they're what I call a full-spectrum criminal enterprise, and when I say full spectrum I mean like they do everything, which is actually very atypical of most criminals. Most criminals these days are kind of like specialists, kind of like what I was saying earlier: you've got your ransomware specialists and your access brokers and different people that are kind of doing different things, whereas this actor does it all, and they have a very large operation that they autonomously run. And there are several objective execution, several impact-related items here that are causing harm. So for example, the obvious ones are the Conti and the Ryuk ransomware; obviously we want to stop those. But they even have, you know, information collecting capabilities like Sidoh and Anchor framework, which are designed to collect data, which again is another form of objective execution. They have magnetic scraper, which is designed to collect credit card data, which again is another form of objective execution. So like I said, I like this adversary example because there's a lot of different means through which they can achieve their objectives, and this adversary, like many of the other types that we talked about today, is also capable of operating across the full spectrum of all three areas. So in terms of initial access and what that might look like, it might look like something like a phishing email where they use BazarLoader to gain that initial access, and then once they have that access they'll either engage in living off the land or perhaps they'll use TrickBot, their banking trojan, in order to, again, move laterally, find the domain controller, maximize their objectives. And then of course we talked about the objective execution capabilities that they possess, those being Anchor framework, Sidoh, magnetic scraper, Conti and Ryuk. So again, I like this example because it really goes across all three phases, and it helps us understand as defenders, okay, what are we going to really focus on, how do we kind of apply our efforts in the best way possible?

Which I guess, speaking of that, kind of leads me to my, you know, final... I'm going to get closer to kind of the finish here. And again, the premise of this is really to kind of focus on the adversary operations model, right? Like, how do advanced adversaries operate? How can I apply my resources, my scarce resources I might add, in ways that are going to be effective in stopping the adversary? The preview to what I will say is to think kind of like this, right: if the majority of what the adversary is doing is using valid accounts, well, that implies that we need to focus a lot on this identity piece. And another thing we're thinking through is even what we're seeing from over here, from the lateral movement perspective, remote services. So if I were to guess, and this isn't really much of a guess because I kind of know the answer on this one, in terms of how they're moving laterally within these remote services, I can almost guarantee you that most of the time, yeah, they're using identities. So the moral of the story here is, it seems like a large portion of the problem is identity-based, which means a large portion of the solution, and how we think about this, also needs to be identity-based.

Which brings me lastly to my call to action, and basically it goes something like this. You know, we need to be proactive in how we understand the adversary. If I could give you one thing today, I would urge you to stop perceiving of the adversary as this reactive thing, as a piece of malware. You're going to hear me say the word adversary over and over and over again, and you are always going to hear me, whenever you hear me brief, talk about the human element of the adversary. You are fighting an opponent. You are not fighting a machine, you are not fighting a botnet, you are not fighting a malware or malicious infrastructure. All of those things are merely weapons, merely tools being used by a human adversary to hold you at risk. And the more you treat that adversary like a real opponent, like a chess match, the more the answer becomes exceedingly obvious, because the exceedingly obvious answer that I'm sure we are all slowly coming to the conclusion of is that prevention in and of itself, waiting for the adversary to hold us at risk, waiting for them to attack us, is no longer going to be sufficient. Therefore we must think of the proactive disciplines and engage in those proactive disciplines, things like threat hunting. You heard me say earlier, 24/7/365. This is not a part-time job. Either you do it, we do it, another vendor does it, or somebody's going to do it, and if it's not one of us then it's going to be your adversary. So somebody does need to do this; the question is, do you want it to be you, your trusted vendors, or your adversary? It is going to happen one way or the other. We talked about identity protection; again, that's a big one, right? If 80% of the problem is identity-based, yeah, it's not going to solve everything, you've still got 20% left, but yeah, you know, let's take a giant problem-solving hammer and let's go smack that one and really kind of go after the identity portion of it.
Adversary profiling is one that is becoming very important to me, and the reason that I believe we need to engage in adversary profiling is as a function of prioritization. You as a cybersecurity shop are not capable of focusing on every single problem that exists. If you are focused on everything, if everything is a priority, well then in fact nothing is a priority. And what adversary profiling allows you to do, with intelligence, is it allows you to focus on who actually matters: who is likely to hold me at risk, who is capable of holding me at risk, who is likely to go after the critical assets that I am seeking to defend. And once you have that information, what it allows you to do is really narrow your focus. Your ability to narrow your focus allows you to narrow your problem-solving capability; it allows you to become much more tactical and much more concise in terms of exactly what you do, and for that reason I strongly recommend adversary profiling.

Cloud workload protection: you heard me say earlier, the cloud is your stuff, it is simply somewhere else. I'll say it again: the cloud is your stuff, it's just somewhere else. So in the same manner that you would protect your stuff in your house, well then yes, we should protect your stuff in other people's houses, other organizations' houses. And I know this house metaphor may not make sense, but moral of the story, yeah, your stuff's somewhere else. So the same prevention, the same visibility, the same hunting, the same identity and access management, the same vulnerability management, all the normal things that you would do apply to cloud environments. So I do urge us to think about that: how are you protecting your cloud environments, what is your plan to do that?

And then lastly there's intelligence monitoring. So you heard me talk earlier about access brokers and the threat of the dark web, and I know the dark web is like this big buzzword, but no, in real life there are access brokers who are actively listing companies right now. If you are not looking for your company being listed, well then what you're basically doing is you're kind of just waiting and hoping that they don't do it. Hope is not a method. So for that reason I do encourage you to have a monitoring capability. Again, whether you do it or someone else does it, whether you automate it, this isn't really a vendor thing, and I'm not trying to say which vendor should kind of do what, but in general, yeah, the same way I feel about monitoring is the same way I feel about hunting: somebody is going to do it. Either you're going to do it, we're going to do it, or your adversaries are going to do it. So somebody's going to do it, and it may well be us, and we may as well find them before something bad happens to us.

So again, those are my five recommendations. I will close this with one of my favorite little catchphrases, which is this: your ability to defeat advanced cyber threats rests almost entirely on your understanding of the problem. Here's what this really boils down to: if you know who the bad guy is, if you know what they're capable of, if you know what they're going to use, and if you know how they're going to use it, well then your chances of stopping them are astronomically higher than if you do not know any of those things. And I'll leave you with this. Imagine, if you will, that you are a general of a military and you are about to go to war, and imagine if, right before you went to that war, your top officer came and said to you, "Hey sir, hey ma'am, sorry, but I have no idea what you're about to face. I don't know how many tanks they have, I don't know how many aircraft they have, I don't even know how many troops they have or what they're going to do, so, you know, good luck tomorrow when you go to that battle." And as crazy as that example I gave sounds, that's how most of us operate. Most of us are operating in this place where we have no idea who the adversary is, and then we get surprised by breaches and we're like, "Oh wow, what happened?" Well, no, yeah, it kind of comes back to what I'm showing you on the screen: if you understand them and you know them in advance, then your ability to solve the problem is going to be much more enhanced. So that is all I've got. I did want to save about 15 minutes or so for questions. At this time I'll go ahead and stop presenting my screen, and then we'll go see if we have any questions from the crowd.
Hey Jason, nice talk. I'm just going to take a look here and see if we got another question and answer. And you see there's been a bunch of people talking the whole talk; there's been all kinds of people talking about things, how about TLPs. And I just want to see if we got any other Q&A over here. I don't see any actual questions in the Q&A, I'm just going to look through. Can you hear me? Yeah. I just want to check that I have that turned up. Let's turn my mic up some. Better now? Yeah, okay. So I know people have been talking non-stop over here, let's see here, so let's see if any of you guys got any more questions for Jason. Uh huh, let's see, lots of talk about TLP and lots of kudos. Exactly, thanks Jared. I thought that was a great talk, it's very interesting, thanks Jason. I don't know who does your slides, your artwork, but they need to get... the artwork's amazing too, man.

Yeah, our team actually builds it as well.

Yeah, I'm sure. Yeah, nice looking. Yeah, definitely. "How does CS search the dark web?" That's from Justin.

So we do it both using automated as well as manual capabilities. So the automated capability, think of it as like a scraper. So we have a list of websites, whether they're forums or malicious content hosting sites, or it could be like data leak sites, and we are constantly trying to scrape those. But sometimes we can't get in, right, because we have an automated capability but the adversary is interested in stopping that automated capability, which gets us to the human piece. We have a team, and basically this is a 25-person team, and their job is to gain and maintain access to these different locations. So if we cannot get in using automated means, then we will use a human, get that human in, and basically that human will do what it takes to maintain the access and then allow the automated mechanism to come back in and collect. So that's kind of the gist of what we do. It's kind of like a game of cat and mouse: we gain access, we lose access, we gain it again, and then we have to use a different persona to come back in. But that's kind of the general process.

Right, thanks Justin, I mean, sorry, thanks Jason, thanks for the question, Justin. Chris, just a quick comment: I'm not sure if we've been given permission to actually publish Jason's slides or not, and so I'll let you know. But yes, you're commenting about TLP:AMBER and his slides being marked that; I'm not sure if we've even been given permission to release.

Yeah, let me review, let me review with my marketing team. Yeah, I sort of put TLP:AMBER on all my stuff by default. I should probably stop doing that, but I guess the reason I do that, though, is so people don't inadvertently, like, publish my stuff. So yeah, let me check that. I don't think there's anything like two sentences person.

Yeah, we'll check with you before we publish anything. We definitely... several of our talks are not going to be published, and that's, you know, that's totally fine with us. Till the end. Thanks Chris for bringing it up. Got another question from Elite: do you see an increase in an industry sector that you find particularly interesting?

Kind of, to some degree, yes. I don't know if it's interesting per se, but I will give you an observation from what I'm seeing from the Russia-Ukraine conflict. There appear to be six sectors that in a government-on-government conflict tend to be kind of more at risk than others, and these sectors all have the thing in common that they are critical to a nation's warfighting capability. So obviously the government slash military is one of them, but financial has been another big one, telecommunications, energy, water and health. Those six, whether it be with the Russia-Ukraine conflict or even some of the stuff that's gotten a little heated with Iran before, as well as China as well, it's like those six over and over and over again seem to be very much so targeted during times of conflict. A lot of what CrowdStrike is releasing from like a sensitive source reporting standpoint is actually also talking about attacks against these specific sectors. So my best understanding of this is that basically those sectors contribute to a nation's warfighting effort. So like power, yeah; finance, if you can't give money to soldiers then they're not paid; water, telecommunications. It's like they're going after these core areas, if that makes sense. So I will say that is in terms of what we're seeing actually happen, and, you know, as we're relating to sector observations.

Great. Got another question for you here: in your experience, are some identity brokers more commonly targeted than others? Some sectors are more targeted than others?

So like an identity broker, I'm assuming we're talking about kind of like these access brokers, and what the access brokers are doing is they are stealing identity data and then selling it, but they're also stealing vulnerability data and selling that too. So basically they're selling the way in. It's not just identity; it is primarily identity, but it's not just identity. And in terms of more activity than others, I mean, certainly North America is always kind of pummeled. I do think it's very interesting, the... I don't know if I, well yeah, I showed it earlier, the 600% increase in European targeting. That threw me for a bit when I saw that, because I didn't expect it to increase by that much. Certain sectors are being pummeled more than others, but it looks opportunistic, to be blunt. Lots of academic, lots of healthcare, lots of manufacturing, lots of state and local government, certainly lots of entities that are less well able to defend themselves due to funding and tooling and whatnot. Those seem to be what's getting hit the most, but I don't think it's intentional in terms of like, yeah, we really want these; I think those are more a function of opportunity.

Great, good answer there, thanks. Let's see if we got any more questions here for you, Jason. One sec.
Okay, I don't see any other questions right now, so I'm going to, yeah, unless... going once, going twice. Well, thanks Jason, I really appreciate that. That was a really interesting talk actually, and I actually liked it lots, very much. Thank you very much for presenting today, and if you guys have any questions you can DM Jason or get a hold of CrowdStrike at their expo booth. They do have an expo booth; please go check them out there. This wasn't a CrowdStrike talk; this was a talk from Jason that Jason submitted individually, and was, yeah, we picked it out of our CFP submissions. So just so y'all know, I did call it a CrowdStrike talk, but it's not actually. He works for CrowdStrike, but it's a talk by Jason that we found very, very interesting. So thanks Jason again, and, yeah, we're going to take a couple minutes' break there and get our next person set up here for our next talk. Okay, have a good day, Jason.