CrowdStrike demonstrates how attackers wiped the data from the machines at Sony


TB: What can organizations do to protect themselves from targeted and destructive attacks?

DA: As a target, you must be prepared by assuming that your network is already compromised or that a sophisticated adversary will always be able to find a vulnerability in your systems or social engineer your users to find a way in. Thus, you must focus your efforts on hunting for potential adversaries on your network, leveraging intelligence about who is likely to target you and the tradecraft they may employ. Moreover, you can’t just focus on looking for or blocking malware, because an adversary doesn’t necessarily need to employ malware to achieve their objectives. Once they have stolen administrative credentials, they can leverage normal administrator tools such as WMI and PowerShell to do everything they need for lateral movement, data exfiltration or destruction of data. Remember, there are a million ways to destroy data. What you must do is change the game, starting with how you look at securing your network. Here are three things that are necessary in making the shift to effective protection against today’s adversaries:

1. Threat intelligence. First, conduct a realistic threat assessment of who may come after you and what they would want. If you are a retailer, for example, and you think there are cybercriminals who will want to get to your point-of-sale (POS) devices and steal credit card information, you need to focus resources on protecting those assets against those types of attacks. The bottom line is that you must understand the threat landscape: who is out there, what are their capabilities, what are their motivations, how do they operate? Now, map that to your systems, your crown jewels, which are the assets that they may go after. Determine what you need to do to re-architect your network to include state-of-the-art endpoint detection technology to protect it.

2. Endpoint visibility. Do you actually have visibility inside your network to detect all types of activities, including endpoint visibility to understand every command that is executing across the servers, across the desktops, across the laptops, and across your remote employees who may be working from home? Can you understand every action that’s being performed inside your network? Do you have that reported to you in real-time? Do you have the analytics to understand what execution activities are taking place? Your threat can be internal or external, but if you cannot see what is taking place on your network you may never know the extent of damage that is taking place.

3. Action focus. Can your security team leverage the information gained from real-time endpoint visibility to detect adversaries? This is done by watching what the adversary is trying to do based on their indicators of attack (IOA), as opposed to looking for a specific piece of malware, exploit or command & control server—because those IOCs will change. Sometimes the adversary builds a specific exploit for a specific intrusion and attack and you may not have prior knowledge of those tools to detect them if your detection is only based on looking for known IOCs. If you are looking for execution actions instead of malware, you can see—in real-time—the adversary breaking in, trying to steal credentials, trying to maintain persistence on the network, moving laterally and so on, and you can stop them before they can steal credentials and data, or deploy wiper malware to delete your data. Focusing on the actions being taken on your network is imperative to effective security.
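The contrast between IOC matching and the action-focused IOA view described in points 2 and 3, as an added example (not code from the interview or from CrowdStrike). It runs a few rules over constructed endpoint process-creation events; the hosts, tool names, hashes, command lines and rule weights are all assumptions made for illustration.

```python
"""Toy IOA-vs-IOC detector over constructed endpoint process events.
Added example, not code from the interview or from CrowdStrike: it shows why
scoring adversary actions (IOAs) catches a chain that hash-based IOC matching
misses. Hosts, tool names, hashes and command lines are all constructed."""
from collections import defaultdict
# Constructed process-creation telemetry: (host, parent, process, command line, sha256)
EVENTS = [
    ("ws01", "explorer.exe", "winword.exe", "winword.exe invoice.docx", "a1"),
    ("ws01", "winword.exe", "powershell.exe", "powershell -enc SQBFAFgA", "b2"),
    ("ws01", "powershell.exe", "dumper.exe", "dumper.exe lsass", "c3"),
    ("ws01", "powershell.exe", "wmic.exe", "wmic /node:srv02 process call create cmd", "d4"),
    ("srv02", "wmiprvse.exe", "cmd.exe", "cmd /c del /f /s /q D:\\data", "e5"),
]
KNOWN_BAD_HASHES = {"deadbeef"}  # constructed, stale IOC list; no event hash is in it
# (rule name, weight, predicate over one event); weights are illustrative, not tuned
IOA_RULES = [
    ("office app spawns shell", 2,
     lambda e: e[1] in {"winword.exe", "excel.exe"} and e[2] in {"powershell.exe", "cmd.exe"}),
    ("encoded PowerShell command", 2, lambda e: " -enc " in e[3].lower()),
    ("process touches lsass (credential theft)", 4, lambda e: "lsass" in e[3].lower()),
    ("remote process creation via WMI", 3,
     lambda e: e[2] == "wmic.exe" and "/node:" in e[3] and "process call create" in e[3]),
    ("WMI provider spawns a shell on target", 3,
     lambda e: e[1] == "wmiprvse.exe" and e[2] in {"cmd.exe", "powershell.exe"}),
    ("recursive forced deletion (wiper-like)", 5,
     lambda e: e[2] == "cmd.exe" and all(f in e[3] for f in ("del", "/s", "/q"))),
]
ALERT_THRESHOLD = 5

def ioc_matches(events, bad_hashes):
    """IOC view: only events whose file hash is already known bad."""
    return [e for e in events if e[4] in bad_hashes]

def ioa_findings(events):
    """IOA view: per host, the behaviours observed and their summed score."""
    found = defaultdict(lambda: {"score": 0, "rules": []})
    for e in events:
        for name, weight, pred in IOA_RULES:
            if pred(e):
                found[e[0]]["score"] += weight
                found[e[0]]["rules"].append(name)
    return dict(found)

def hosts_to_alert(events, threshold=ALERT_THRESHOLD):
    """Hosts whose behaviour score crosses the alert threshold."""
    return sorted(h for h, f in ioa_findings(events).items() if f["score"] >= threshold)

if __name__ == "__main__":
    print("IOC hits:", ioc_matches(EVENTS, KNOWN_BAD_HASHES))  # [] : tooling is novel
    for host, f in ioa_findings(EVENTS).items():
        print(host, f["score"], f["rules"])
    print("alert:", hosts_to_alert(EVENTS))  # ['srv02', 'ws01']
```

The IOC check returns nothing because every binary in the chain is new, while the IOA rules flag both the workstation where credentials were taken and the server where the deletion ran.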

CrowdStrike is hosting a webcast titled New Era of Cyber Attacks: See Corporate Destruction in Action on Tuesday, February 17 to show an attack simulation using the wiper malware that was employed at Sony. For the first time publicly, you can join a live demonstration and see what Sony employees saw when they came to work on Monday, November 24th. It might give you some idea of what you may be up against.

Copyright © 2015 IDG Communications, Inc.
