Falcon for Security Operations

Video Statistics and Information

Captions
For this demonstration we are going to walk through a scenario to understand how CrowdStrike's products provide the security operations team with invaluable information to help improve their organization's security posture. We will see how CrowdStrike's threat hunting, EDR, IT hygiene and vulnerability assessment tools work together to improve incident response and remediation times.

The CrowdStrike cloud-delivered EDR solution provides unparalleled visibility into the events taking place on corporate endpoints. While that gives us great insight, we also gain the knowledge and experience of CrowdStrike's OverWatch team. As our EDR events are sent to the cloud, OverWatch is analyzing those events around the clock, alongside the entire CrowdStrike Threat Graph, to understand potentially new malicious behaviors. Having this force multiplier helps us detect smarter and really focus our efforts on the most important events.

Here we see an email alert on some potentially malicious activity seen in our environment. The alert indicates that one of our systems has been the victim of a Java exploit. It includes the hostname of the impacted system as well as the initial indicators of compromise. The link takes us directly to the UI to continue the investigation. The critical alert in question is labeled as a new OverWatch detection. The process tree view helps us understand quicker, and we see that the suspicious activity seems to start with Outlook. It appears that the user might have clicked on a link in a phishing email and was the victim of a Java exploit. As we drill down we see the objective was follow-through via exploitation for client execution. The process tree also shows that the activities continued, and upon inspection this appears to be an ongoing attack.

With that, our priority is to network contain this system. This will prevent any lateral movement or potential communication out to the Internet. In the bottom-left corner you can see a continuous ping out from the victim system; this will help us understand the precise moment that the system loses network connectivity. After entering a comment for the audit log, the response is initiated. The first ping failure shows us the exact moment that the system's communications are completely interrupted.

Now that we have this specific system under control, we want to confirm if there's anything unusual going on with the user's account. Let's copy the username for the next phase of the investigation. Using the Falcon Discover account search functionality, we can quickly see if this username has been leveraged on any other systems. This helps us understand if the credentials might have been compromised, which would be an immediate concern. You can see from this report that CS user has only logged on to one system in the past 10 days. Given there are no unexpected logins on other or more critical systems, we can continue our investigation.

Now that this system is contained and we do not suspect that the user's credentials have been stolen, let's learn more about the attack that took place. Referring back to the process tree, we see a few common reconnaissance commands along with drop.exe. If we drill down on that executable we see additional details, including prevalence and actor attribution: Hurricane Panda. The link takes us directly to the full actor profile with additional information, including the country of origin and the frequently targeted industries, including ours. Of great interest is this list of command and control domains. We can use this to understand if any of our other systems tried to establish contact with Hurricane Panda. By switching over to the Investigate application we see an option for bulk domain search. We can paste the Hurricane Panda domains into the search field and immediately see that one other machine, TMM I am in -, has tried to communicate with these known bad domains. This is cause for concern, and we will need to open a second investigation for that system.

So far we have found minimal evidence of this attack on any other systems. However, now that we know that Hurricane Panda is targeting our organization specifically, we can use the CrowdStrike intelligence reports to get proactive and bolster our defenses. We can share the known bad domains with the network team to prevent any further communications out. Also, referring back to the actor profile, we can reference the list of vulnerabilities Hurricane Panda often leverages. Falcon Spotlight, CrowdStrike's vulnerability assessment tool, can then check our environment in real time for hosts that are vulnerable to that CVE. Because it does not require a network scan, we quickly see that nine workstations are at risk. We can hand this list of machines over to our patch management team to ensure that they are remediated as soon as possible.

Now that we have finished our investigation, we can report our findings and results back to management. Thanks to OverWatch we were made aware of this malicious activity in our environment and given all the information needed to start the investigation. We were able to research the hosts, view details of the attack and immediately isolate the system from the network to mitigate further infections. We verified that the victim user's credentials had not been used to log on to any other or more critical systems. With CrowdStrike's intelligence services we were able to go beyond that single system; the intel details gave us additional information to understand our adversary and better protect the rest of our environment. We were able to confirm that one other system had tried to establish communications with Hurricane Panda's commonly used command and control servers. Lastly, based on the CVE that Hurricane Panda often uses, we were able to determine that nine require immediate patching. Thanks to CrowdStrike we identified and contained the initial incident while also improving our company's overall security posture going forward, all through one cloud-based interface, in this video, in as few as five minutes.
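The two pivots the demo makes after containment (the 10-day account search for the victim's username, and the bulk search for other hosts that contacted the actor's C2 domains) reimplemented over constructed telemetry. This is an added example and not CrowdStrike's code or API: the logon and DNS records, hostnames, usernames and the `.invalid` C2 domains are all placeholders standing in for what the Falcon console would show.

```python
from datetime import datetime, timedelta

# Constructed logon telemetry: (timestamp, username, hostname). Placeholder values.
LOGONS = [
    ("2018-10-25T08:01:00", "cs-user", "WS-0001"),
    ("2018-10-29T09:12:00", "cs-user", "WS-0001"),
    ("2018-10-30T17:45:00", "admin-jdoe", "DC-01"),
    ("2018-09-01T10:00:00", "cs-user", "FS-02"),  # older than the 10-day window
]

# Constructed DNS telemetry: (timestamp, hostname, domain queried). Placeholder values.
DNS = [
    ("2018-10-30T18:02:00", "WS-0001", "c2-a.example.invalid"),
    ("2018-10-30T18:05:00", "WS-0007", "beacon.c2-b.example.invalid"),
    ("2018-10-30T18:06:00", "WS-0009", "updates.example.com"),
]

# Placeholder C2 list standing in for the domains from the actor profile.
ACTOR_C2 = {"c2-a.example.invalid", "C2-B.example.invalid."}


def hosts_for_user(username, logons, now, days=10):
    """Account search: distinct hosts the user logged on to in the last `days` days."""
    cutoff = now - timedelta(days=days)
    return sorted({host for ts, user, host in logons
                   if user == username and datetime.fromisoformat(ts) >= cutoff})


def hosts_contacting(c2_domains, dns, exclude=frozenset()):
    """Bulk domain search: hosts (other than those in `exclude`, e.g. the already
    contained victim) that queried a listed domain or any subdomain of it.
    Indicators are normalised first: lower-case, trailing dot stripped."""
    wanted = {d.lower().rstrip(".") for d in c2_domains}
    hits = {}
    for ts, host, domain in dns:
        d = domain.lower().rstrip(".")
        if host in exclude:
            continue
        if any(d == w or d.endswith("." + w) for w in wanted):
            hits.setdefault(host, []).append((ts, d))
    return hits


if __name__ == "__main__":
    now = datetime(2018, 10, 31)
    print("cs-user logons:", hosts_for_user("cs-user", LOGONS, now))
    print("other hosts reaching C2:", hosts_contacting(ACTOR_C2, DNS, {"WS-0001"}))
```

Any host returned by `hosts_contacting` beyond the contained victim is the trigger for the second investigation the demo mentions.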
Info
Channel: CrowdStrike
Views: 19,650
Rating: 5 out of 5
Keywords: Cyber Security, Endpoint Security, Security Operations, SecOps, security, Cyber Intelligence, Intelligence, SOC
Id: mZG8HYj_lcM
Length: 7min 3sec (423 seconds)
Published: Wed Oct 31 2018