The high-profile hack of the Democratic National Committee (DNC) was one of many damaging cyber attacks that plagued organizations in 2016. The CrowdStrike Services incident response (IR) team was instrumental in investigating several of these attacks, including the DNC breach. In each of these cases, a CrowdStrike team of cybersecurity experts provided in-depth digital forensics, IR and remediation.
Although each incident involves unique characteristics, the CrowdStrike Services team has observed several key trends revealed by the many cases they have worked over the last 12 months. To better protect against attacks, organizations should be aware of these trends as they assess their overall security efficacy in 2017. These trends and their effect on several prominent cases are covered in a new report, the CrowdStrike Cyber Intrusion Services Casebook 2016. The report explains how these exploits were carried out and ties each attack to one or more of the cyber intrusion trends summarized here:
Key Trend #1: The use of anti-forensic tools to cover the attacker’s tracks
Attackers are making greater efforts to hide their activities from traditional investigative tools and methodologies. This highlights the need for organizations to combine experienced digital forensics investigators with the real-time monitoring and detection capabilities that a next-gen endpoint detection and response (EDR) solution provides. Anti-forensic techniques common to the cases the incident response team worked include SDelete, log clearing, timestamp alteration, and data encryption.
Key Trend #2: Third-party trust relationships introduce significant risks
Any organization with a distributed business model needs to assess the security processes in place at its field offices to prevent unauthorized access. The franchise model, for example, is highly susceptible to intrusions, since enterprise security depends on both the IT systems in place and the security practices (or lack thereof) at the franchisee level of operations. The team identified credit card data theft caused by compromises at the franchisee level of large operations that had a significant negative impact on the IT infrastructure and business-critical operations of the parent company. Examples of the tactics used include compromised remote desktop software and point of sale (POS) malware.
Key Trend #3: Malware-free intrusions have become the norm
Attackers use trusted Windows processes, including PowerShell and Windows Management Instrumentation (WMI), to execute their exploits, because activity in these processes will almost certainly evade traditional endpoint security measures. Increasingly, CrowdStrike’s Falcon OverWatch team observes threat actors using virtually no malware in their attacks and relying more and more on these trusted processes. The OverWatch team provides the new indicators of compromise it discovers to CrowdStrike Services consultants to accelerate their investigations. A variety of malicious activities, discussed in the casebook, have been quickly identified in this way, including:
- Using PowerShell as a staging tool to execute other scripts to compromise a system
- Using WMI to install backdoors that allow persistence by enabling the adversary to launch malicious code automatically, after a specified period of system uptime, or according to a specific schedule
- Propagating sophisticated commodity malware through network shares, using polymorphism or altered file hashes
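A defender-side hunt for the WMI backdoors described above, as an added example that is not part of the casebook or CrowdStrike's tooling: it enumerates the permanent event subscriptions (filter, consumer, binding) in `root\subscription` and flags those that execute code or that trigger on uptime or clock time. It assumes local administrator rights and PowerShell 3.0 or later for `Get-CimInstance`; the `Get-WmiPersistence` function name and the heuristics are this example's own.

```powershell
# Added example: enumerate WMI permanent event subscriptions on a Windows host.
# Assumes local administrator rights and PowerShell 3.0+ (Get-CimInstance).
function Get-WmiPersistence {
    [CmdletBinding()]
    param([string]$ComputerName)

    $cim = @{ Namespace = 'root\subscription'; ErrorAction = 'Stop' }
    if ($ComputerName) { $cim['ComputerName'] = $ComputerName }

    # A binding ties a filter (WQL trigger) to a consumer (the action taken).
    $filters   = Get-CimInstance @cim -ClassName __EventFilter
    $consumers = Get-CimInstance @cim -ClassName __EventConsumer   # returns all derived consumer classes
    $bindings  = Get-CimInstance @cim -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Reference properties resolve to the key (Name) of each side of the binding.
        $filter   = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $consumer = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }

        # Only these consumer types run arbitrary commands or scripts. The default
        # 'SCM Event Log Consumer' is an NTEventLogEventConsumer and carries no payload.
        $payload = switch ($consumer.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($consumer.ScriptText) { $consumer.ScriptText } else { $consumer.ScriptFileName } }
            default                     { $null }
        }

        $reasons = @()
        if ($payload) { $reasons += 'code-executing consumer' }
        # Uptime- or clock-triggered filters match the "after a period of uptime / on a schedule" pattern.
        if ($filter.Query -match 'SystemUpTime|Win32_LocalTime') { $reasons += 'uptime/time-triggered filter' }
        if ($payload -and $payload -match 'powershell|cmd\.exe|wscript|cscript') { $reasons += 'interpreter launch' }

        [pscustomobject]@{
            Computer     = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
            Filter       = $filter.Name
            Query        = $filter.Query
            ConsumerType = $consumer.CimClass.CimClassName
            Consumer     = $consumer.Name
            Payload      = $payload
            Suspicious   = ($reasons.Count -gt 0)
            Reasons      = ($reasons -join '; ')
        }
    }
}

# Usage: list only the bindings the heuristics flagged, with the full WQL query and payload.
Get-WmiPersistence | Where-Object Suspicious | Format-List
```

Run it across a fleet by looping over `-ComputerName` values, and baseline the results: a binding that is new since the last run, or that points at a consumer nobody in IT recognizes, is what merits forensic follow-up.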
For more information about these key trends and a deep dive into the cases where these exploits were detected, download the report CrowdStrike Cyber Intrusion Services Casebook 2016, and watch the on-demand CrowdCast.