CrowdStrike Intelligence – Adversary-based Approach

Treating the problem, not the symptoms

Having spent the better part of the last 10 years dealing with various cyber adversaries, it is frustrating to see so many organizations focus on the symptoms of what at CrowdStrike we like to call the adversary problem. An adversary is so much more than the most recent spearphish that drops a Remote Access Tool (RAT) such as Poison Ivy, or a new dynamic DNS hostname that is being used for Command and Control (C2). The adversary is a culmination of all his tools used for exploitation and post-exploitation, the techniques used to laterally propagate across the network, and the procedures that he runs through once he has a firm foothold on the enterprise. These components, individually treated, are the proverbial whack-a-mole that has frustrated so many of us in the cyber security space for years. Whack – mitigate a malware instance on a workstation on one side of the network. Whack – block a C2 IP or domain at the gateway. Whack – change the passwords of all the users on a domain because the adversary compromised a domain controller. You can play this game all day, and for years we have. This is a war – and taking a step back to view the battlefield the way a modern commander would engage an enemy can give us some interesting perspective.

Intelligence Enhanced Security

Breaking the vicious cycle of Whack-a-Mole requires changing the approach we use in combating adversaries – we must train ourselves to think proactively. Most organizations are focused on playing defense – and defense by nature tends to be a response-driven approach. Something bad happens and we do something about it – if we are there in time. Proactively looking at security requires intelligence – using intelligence to understand not only where the adversary is today but where he has been and what his objectives are. Understanding the adversary's intent will allow us to determine where he wants to be, and we can use this information in creative ways. To this end CrowdStrike focuses on incorporating intelligence collection and analysis into every aspect of our work; the more intelligence we have, the better we are positioned to defend our clients today and those we will have tomorrow.

Global View

Today’s military commanders can step as far back as outer space, looking at the battlefield from the aerial or satellite-based perspective to get a better understanding of their situation. The fog of war can confuse the situation on the ground in the cyber domain as in any other. Using the global intelligence team, CrowdStrike Services teams have the ability to utilize a view of the battlefield from 50,000 feet – this provides them with intelligence relative to other customers and incidents occurring across the globe. During proactive defense this intelligence allows various CrowdStrike service teams to coordinate across sectors and customers to take impactful actions to disrupt the adversary's ability to observe, orient, decide, and act.

Adversary Differentiation

In terms of the adversary being the sum of all of the malware, C2 infrastructure, tools, and techniques, the CrowdStrike Intelligence team spends a lot of time focusing in on and differentiating the adversaries we see. We categorize the adversary by a term pretty commonly used in intelligence circles – Tactics, Techniques, and Procedures (TTPs). During extensive investigation and reverse engineering the CrowdStrike team focuses in on a very unique set of attributes that allow us an extremely granular view of an adversary. Minute differences in code flow and other proprietary indicators provide the team a wealth of intelligence to group into TTPs. These TTPs are additive to the intelligence provided to the CrowdStrike Services teams in the field, allowing them an unprecedented ability to conduct proactive incident response.

In the coming months I look forward to unveiling some of the ongoing operations we are running right now to, as my colleague Shawn Henry likes to say, “bring pain to the adversary.” We have developed some innovative techniques to level the playing field and make the adversary earn every bit, nibble, and if he’s lucky byte. It is a supreme honor to lead Intelligence, one of the three gems along with Technology (led by Dmitri Alperovitch) and Services (led by Shawn Henry) in the CrowdStrike “Triple Crown”. Together the CrowdStrike team goes into battle every day against unremitting and unflinching adversaries who will stop at nothing to compromise the informational crown jewels of businesses, governments, and those who put their personal safety on the line to speak out against inhumane regimes. If you are motivated to do good and think you have what it takes to join the CrowdStrike Intelligence Team, we would love to hear from you at mission@crowdstrike.com.

Intelligence as a Service

The CrowdStrike Intelligence Team generates in-depth technical analysis that provides organizations with unprecedented insight into the adversary’s TTPs. Our intelligence reports are geared towards all levels of an organization, from the executive who needs to understand the threat to the front-line technician struggling to fight through an adversary attack against the enterprise. Our existing customers who are already part of the CrowdStrike mission and have access to our detailed intelligence reports reap immediate tactical and strategic benefits from the level of depth and perspective we provide regarding the adversary. For inquiries regarding subscribing to the CrowdStrike Intelligence Service, please contact intelligence@crowdstrike.com.

If you are interested in more information about CrowdStrike’s Intelligence Team, please watch the Q&A video with me seen below.

 
