Stealth is the operative word among successful bad guys, digital or otherwise. According to Verizon’s 2015 Data Breach Investigations Report, the best ways to be stealthy when penetrating a network is to steal or build an authenticated user’s credentials — more or less become an authorized insider. The authors of this white paper from CrowdStrike (PDF) agree:
“Insider detection has always been one of the hardest problems to solve in cyber security because the attacker, by definition, looks like someone who is supposed to be inside your network and doing things that are largely legitimate and expected. Thus, if the adversaries can emulate this behavior, they achieve their objective of stealth.”
Stealth continues to be the operative word for the ever-creative bad guys who, again according to the Verizon report and the CrowdStrike white paper, no longer use malware to breach their victim’s network perimeter in order to obtain authenticated user credentials.
“Malware, even if it’s unknown to AV, is still very noisy,” explains the CrowdStrike paper. “The presence of unknown and previously unseen binaries running in your environment; making file and registry changes to your system; and calling out to the network are all things that can be observed and trigger eventual suspicion on the part of a proactive SOC (security operations center) analyst or incident responder.”
An example of a malware-free attack
The authors of the CrowdStrike white paper state, “Theft of data can be accomplished without the use of malware by purely leveraging common and legitimate Windows administrative tools WMI or Powershell scripts.”
In the paper, the authors explain how one type of malware-free attack unfolds.
- Web server compromise: The intrusion begins with a compromise of an external-facing web server, often a Windows IIS server using SQL injection or a WebDAV exploit.
- Web shell installed: Next, attackers install a web shell on the server, with China Chopper being the most common choice.
- Windows credential theft: Using the web shell, adversaries then upload a credential theft tool to steal Windows passwords and hashes.
- Lateral movement: Once credentials are acquired, adversaries recon the network using WMI commands or RDP sessions.
- Sticky keys trick: Bad guys use this method to obtain and maintain malware-free persistence on the victim’s network.
- Data exfiltration: Once data of interest is located, it is usually encrypted to evade Data-Loss Prevention applications, and sent to the attackers’ command and control server using standard FTP commands.
What is CrowdStrike?
CrowdStrike, founded in 2011, is a provider of endpoint protection, threat intelligence, and pre- and post-incident response services. CrowdStrike as a Service, the company’s signature offering, is a subscription-based Software as a Service platform designed to fulfill the company’s mission: “To Keep the Bad Guys Out of Your Network.”
The two major components of CrowdStrike as a Service are:
- Falcon Host: A small (10 MB) sensor, with enough intelligence to detect and take preventative action as needed, is installed on every endpoint. Sensors transmit relevant data to CrowdStrike’s Advanced Threat Intelligence Cloud for analysis by personnel who are looking specifically for common events across the entire sensor network.
- CrowdStrike Security Operations Center (CSOC): This consists of CrowdStrike intrusion response experts who proactively hunt for adversaries and attacks 24/7 to ensure all attacks are detected in their client’s networks.
As is usually the case, details as to how it all works are relatively sparse. However, something positive must be going on, as business is good.
Investors are impressed
Smart people in successful companies are investing in CrowdStrike. Google Capital has invested $100 million USD. Rackspace, another investor, is also a client. “On the detection front, we need world-class, host-based detection; something that operates at the kernel level and detects the most sophisticated attacks,” mentions Brian Kelly, CSO for Rackspace. “That is where CrowdStrike shines.”
Aiming for the bad actors, not their malware
George Kurtz, president and CEO who founded CrowdStrike with CTO Dmitri Alperovitch, sums up the company’s goal:
“We are building software to defeat the human mind. They (attackers) are using their cunning and skill to get into every large company on the planet, and we have to build technology that we know they are trying to defeat. Ultimately, we have to stay ahead of them.”