Real world lessons from CrowdStrike Services experts investigating complex cyber extortion attacks
The criminal act of theft is as old as civilization itself, but in the cyber realm new ways to steal your organization's data, or to profit by holding it hostage, continue to evolve. With each advancement in security technology, adversaries work tirelessly on new techniques to bypass your defenses. This webcast, "Cyber Extortion: Digital Shakedowns and How to Stop Them", examines the evolution of cyber extortion techniques, including the latest "datanapping" exploits. Whether it's an attack on a major movie studio, a massive healthcare system, or a global entertainment platform, recent extortion attempts demonstrate how critical it is to understand today's threat landscape so you can ensure that your organization mounts the best defense possible.
Download this presentation to learn what security experts from the cyber defense frontlines are discussing. Learn about:
• The range of extortion techniques being used today, including commonalities and differences in approaches
• Commodity type ransomware/datanapping vs. hands-on attacks — how are they alike and what are their differences?
• Potential outcomes of paying vs. not paying when attempting to recover data after an attack
• Real world examples of successful attacks and those that were thwarted or mitigated
• Strategies for keeping your organization from being targeted and what to do if you become the victim of a cyber shakedown
4. ROBIN JACKSON
PRINCIPAL CONSULTANT, CROWDSTRIKE SERVICES
PROFESSIONAL HIGHLIGHTS
• Former U.S. Army Intelligence
• Expert in SCADA/Controls industry
• Founder of one of the first ISPs in Montana
• Author and DEFCON Workshop instructor
• CompTIA Security+, WetStone Certified Hacking Investigator, WetStone Certified Steganography Investigator
• More than 20 years' experience in malware and incident response
5. BRENDON MACARAEG
SR. PRODUCT MARKETING MANAGER, CROWDSTRIKE
PROFESSIONAL HIGHLIGHTS
• Former PC Magazine editorial staff member
• Extensive background in product management and e-commerce application development
• Prior to CrowdStrike, led GTM and product marketing efforts at Symantec for both Enterprise and Consumer security solutions
• Currently leads product marketing for CrowdStrike Services and Falcon Intelligence
7. A NOTE BEFORE WE BEGIN…
Both internet extortion and ransomware attacks are crimes.
If your company is a victim of either activity, we recommend you report the crime to the nearest FBI field office.
8. TWO DISTINCT APPROACHES
Both have the same goal: extract money from the victim.

                 ATTACK AFFECTS             REAL-WORLD PARADIGM
Extortion        Confidentiality            Extortion, Blackmail
Ransomware       Integrity, Availability    Kidnapping
9. COMMONALITIES IN APPROACHES
§ Pay up or something dire will happen:
- Your data will be published (extortion)
- You won’t be able to recover your data (ransomware)
§ Payment required in digital currency
§ Payment does not guarantee desired result
§ Communications obfuscated
- TOR
- Proton mail
10. DIFFERENCES IN APPROACHES
§ CYBER EXTORTION
- Data in the wild (extortion)
- Overt threat
- Media component
§ RANSOMWARE
- Small transaction commodity
- Damage inflicted
- Results noticeable
13. INTERNET EXTORTION
Internet extortion involves hacking into and controlling various industry databases, promising to release control back to the company if funds are received, or the subjects are given web administrator jobs. Similarly, the subject will threaten to compromise information about consumers in the industry database unless funds are received.
Source: https://www.ic3.gov/crimeschemes.aspx#item-10
15. EXTORTION
§ Underreported (less than 1/3 of victims contact the FBI)
§ 29% of reported incidents targeted an individual in the organization
§ Sensitive data
§ Shareholder/Customer/Supplier sensitivities
§ May attempt to “shop” data w/ threat of exposure
- Darknet
- Security blog writers
- Competitors
§ No “tools” required
16. EXTORTION ENCOMPASSES MANY THREATS
1. Data Theft
2. Intellectual Property Theft
3. Denial of Service / Distributed Denial of Service / Quality of Service
4. Website Defacement
5. Illicit materials placement
18. NOKIA INTERNET EXTORTION
§ 2007: Hackers stole source code for Symbian OS
§ Nokia reportedly paid a “multi-million” ransom
§ Cash delivered in a parking lot
§ Finnish National Bureau of Investigation / Police lost the criminals
19. RANSOMWARE
§ A category of malware that uses encryption to block access to select files on a compromised endpoint.
§ In most cases, the only way to retrieve the encrypted files is to restore from a pre-existing backup, or pay a ransom.
21. RANSOMWARE TYPES OF THREATS
§ Small ransoms are associated with commodity versions which are delivered via automatic means (Locky, Cryptolocker, etc.)
§ Large ransoms are demanded by hackers who manually penetrate systems, discover key systems and then encrypt those systems (Samas, Dharma)
22. HOLLYWOOD PRESBYTERIAN HOSPITAL
§ 16,175 patients
§ Public reports still attribute Locky, but security researchers watching Samas portals saw the ransom demand for the exact amount paid in BTC.
§ Large ransom size ($17,000 US) also aligns with a targeted Samas attack
§ Services restored ten days after the attack
24. PRIOR TO AN EVENT
§ User Training: raise awareness of threat environment, including “after hours” personal internet activity
§ Tabletop exercises
§ Penetration testing
§ Rigorous backups
§ Media/Communications plan
§ Sensitive data encrypted, both at rest and in motion
§ Proper instrumentation: Falcon Platform
25. DURING AN EVENT
§ Early detection
§ Immediate interruption
§ Standard IR procedures
26. SUCCESSFUL EXFILTRATION
§ Contact Law Enforcement
§ Control media as best as possible
§ Interruption of attempts to disperse information
§ Monitor dark net activity
§ Don’t feed the “trolls”
28. CROWDSTRIKE SERVICES
DEFENDS AGAINST & RESPONDS TO SECURITY INCIDENTS
HELPING YOU DEFEAT THE ADVERSARY
SERVICE PORTFOLIO:
INCIDENT RESPONSE: Thorough investigation and accelerated recovery time enable remediation on day one
PROACTIVE SERVICES: Anticipate threats, prepare your network, improve your team’s ability to prevent damage from attacks
29. INCIDENT RESPONSE SERVICES
With an immediate and comprehensive understanding of attacker activity, we stop breaches fast.
1. Identify attacker activity, scope and impact on your organization
2. Engage the attackers’ tactics and actions with appropriate methods
3. Determine how best to detect and manage future attacker activity
END GOAL: Get our clients back to normal business operations quickly
30. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Questions?
Please submit all questions in the Q&A chat right below the presentation slides
Contact Us / Additional Information
Join Weekly Demos: crowdstrike.com/productdemos
Featured Asset: Falcon Test Drive
Website: crowdstrike.com
Email: crowdcasts@crowdstrike.com
Number: 1.888.512.8902 (US)