Slide 1: Elevate Your Game with CrowdStrike and Bring AI Innovation to Your Cloud Detection and Response
Cristian Rodriguez, Field CTO, Americas, CrowdStrike
2024 CrowdStrike, Inc. All rights reserved.

Slide 2: Speaker
Cristian Rodriguez, Field CTO | Americas
- 20+ years in cyber
- CrowdStrike: 10 years
- MSSP
- Global enterprise
- Public sector
- Healthcare
Deck: 22-AU-006 Adversary Universe World Tour_v1

Slide 3: Cloud Threat Landscape
Cloud attacks are leveraging:
- Compromised identities / theft of valid credentials
- Credential reset
- MFA bypass
- Abuse of public-facing applications
- Exploitation of misconfigurations
To achieve (cloud resources):
- Access to data: for data extortion or destruction, IP theft, espionage
- Access to compute resources: for resource hijacking, crypto-mining operations
- Access to other targets: for moving laterally, maintaining stealth, identifying resources (including access to other organizations)

Slide 4: Adversaries are learning cloud to better monetize their access

Slide 5: Opportunistic resource hijacking for crypto

Slide 6: They are exploring new TTPs to achieve their objectives

Slide 7: We can learn the most from what has already happened in IR.

Slide 8: "If you think your cloud security is a disaster today, just wait until you have to do Incident Response." - Sun Tzu (probably)

Slide 9: CLOUD-AGNOSTIC ACTOR
- Treats a cloud workload simply as another computer.
- Playbooks are primarily ransomware focused on the host and network layer.

Slide 10: CLOUD-CONSCIOUS ACTOR
- Understands the relationship between the CSP's control plane, services, and workload.
- Actively attempts to abuse the services of the Cloud Service Provider while having the victim pay for it.

Slide 11: SSRF in the Cloud
Diagram (attacker, EC2 instance, IMDS):
1. Attacker exploits SSRF, tricking the EC2 instance into requesting credentials from IMDS.
2. IMDS returns credentials.
3. EC2 instance forwards credentials to attacker.
- SSRF repeatedly observed as initial access vector.
- In 2022, exploiting public-facing applications was almost as common as having valid credentials for initial access.
Slide 12: Scattered Spider Cloud TTPs
- Data staging for exfiltration
- Deployment of cloud virtual machines
- Cloud-native persistence mechanisms
- Discovery of connections between cloud environment and on-premises

Slide 13: Attack Case: SSRF Exploitation Leads to Data Exfil & Ransom
- Day 1, Exploit: SSRF CVE-2021-40438 in Apache web server running in AWS
- Day 1, Discovery: S3, AWS Secrets Management, database, instances
- Day 1, Exfiltration: exfiltrated S3 data
- Unknown: ransom note delivered
- 90 days: data leaked on underground forum

Slides 14-17: Attack Case (Case 3): SCATTERED SPIDER's Lateral Movement between Cloud and On-Premise
Source: CSA-230990 SCATTERED SPIDER Moves Laterally Between and Within Cloud Environments and from Cloud to On-Premise; Establishes Persistence via Additional Cloud Credentials and EC2 Instances; Escalates Privileges via User Policy. CSA-230967 SCATTERED SPIDER Evades Cloud Security Measures; Deactivates CloudTrail and GuardDuty.
Attack flow (built up across the four slides):
1. Smishing message
2. Logs into Microsoft MyApps
3. Added MFA to compromised Entra ID users
4. Logs into MyApps with 2nd Entra ID identity
5. Accesses SharePoint
6. Found VPN setup documentation
7. Logs into VPN
8. Moves laterally to on-prem VMs
9. Lateral movement to AWS
10. Created new public EC2 instance
11. Add backdoor access key and change login credentials
12. Attach instance profile, escalating privileges
13. Lateral movement to instance
14. Disabled cloud security tools
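Steps 10 to 14 of the flow above are all control-plane API calls, so they leave CloudTrail records. The following is an added example, not CrowdStrike's code and not from the deck or the cited advisories: a small correlation rule that walks CloudTrail records for those actions (new EC2 instance, access key creation, login-credential change, instance-profile attachment, user-policy changes, CloudTrail and GuardDuty shut-off) and raises an alert when one principal performs actions from two or more of these tactics inside a window. The eventName values are the real CloudTrail names for those API calls; the records, account id, principal ARNs and IP addresses are constructed sample data.

```python
"""Added example (not CrowdStrike's code): a correlation rule over CloudTrail
records for the control-plane steps of the SCATTERED SPIDER case above. One
principal touching two or more of the listed tactics inside one window raises
an alert. Event names are real CloudTrail eventName values; the records,
account id, ARNs and IP addresses are constructed."""

import json
from datetime import datetime, timedelta

# CloudTrail eventName -> (tactic, description)
SUSPICIOUS = {
    "RunInstances": ("execution", "new EC2 instance launched"),
    "CreateAccessKey": ("persistence", "IAM access key created"),
    "UpdateLoginProfile": ("persistence", "console password changed for a user"),
    "AssociateIamInstanceProfile": ("privilege_escalation", "instance profile attached to an instance"),
    "AttachUserPolicy": ("privilege_escalation", "managed policy attached to a user"),
    "PutUserPolicy": ("privilege_escalation", "inline policy put on a user"),
    "StopLogging": ("defense_evasion", "CloudTrail logging stopped"),
    "DeleteTrail": ("defense_evasion", "CloudTrail trail deleted"),
    "DeleteDetector": ("defense_evasion", "GuardDuty detector deleted"),
    "UpdateDetector": ("defense_evasion", "GuardDuty detector modified"),
}

DEFAULT_WINDOW = timedelta(hours=2)

# Constructed sample records in CloudTrail's JSON shape (not real log data).
SAMPLE_JSON = """{"Records": [
 {"eventTime": "2024-03-01T08:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ci-deploy"}, "sourceIPAddress": "10.20.0.4"},
 {"eventTime": "2024-03-01T09:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/vpn-svc"}, "sourceIPAddress": "198.51.100.7"},
 {"eventTime": "2024-03-01T09:05:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/vpn-svc"}, "sourceIPAddress": "198.51.100.7",
  "requestParameters": {"userName": "admin"}},
 {"eventTime": "2024-03-01T09:07:00Z", "eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/vpn-svc"}, "sourceIPAddress": "198.51.100.7",
  "requestParameters": {"userName": "admin"}},
 {"eventTime": "2024-03-01T09:20:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "AssociateIamInstanceProfile",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/vpn-svc"}, "sourceIPAddress": "198.51.100.7"},
 {"eventTime": "2024-03-01T09:45:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/vpn-svc"}, "sourceIPAddress": "198.51.100.7"},
 {"eventTime": "2024-03-01T09:46:00Z", "eventSource": "guardduty.amazonaws.com", "eventName": "DeleteDetector",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/vpn-svc"}, "sourceIPAddress": "198.51.100.7"},
 {"eventTime": "2024-03-01T12:00:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/cloud-admin"}, "sourceIPAddress": "10.20.0.9"}
]}"""
SAMPLE_RECORDS = json.loads(SAMPLE_JSON)["Records"]


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def tag_events(records):
    """Keep records whose eventName is in SUSPICIOUS, labelled with a tactic and
    sorted by time. Denied calls (errorCode present) are kept and marked: a
    refused CreateAccessKey is still a signal about the principal's intent."""
    tagged = []
    for r in records:
        name = r.get("eventName")
        if name not in SUSPICIOUS:
            continue
        tactic, desc = SUSPICIOUS[name]
        tagged.append({
            "time": parse_time(r["eventTime"]),
            "principal": r.get("userIdentity", {}).get("arn", "unknown"),
            "ip": r.get("sourceIPAddress"),
            "event": name,
            "tactic": tactic,
            "desc": desc + (" (denied)" if r.get("errorCode") else ""),
        })
    return sorted(tagged, key=lambda e: e["time"])


def correlate(records, window=DEFAULT_WINDOW):
    """Return one alert per principal whose tagged events cover two or more
    distinct tactics within `window`, anchored on the earliest such event."""
    by_principal = {}
    for ev in tag_events(records):
        by_principal.setdefault(ev["principal"], []).append(ev)
    alerts = []
    for principal, evs in by_principal.items():
        for i, first in enumerate(evs):
            span = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            tactics = {e["tactic"] for e in span}
            if len(tactics) >= 2:
                alerts.append({
                    "principal": principal,
                    "source_ips": sorted({e["ip"] for e in span if e["ip"]}),
                    "tactics": sorted(tactics),
                    "events": [e["event"] for e in span],
                    "first": first["time"].isoformat(),
                    "last": span[-1]["time"].isoformat(),
                })
                break  # one alert per principal is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_RECORDS):
        print(json.dumps(alert, indent=2))
```

On the sample data only the vpn-svc principal is alerted; the ci-deploy role launching an instance and the cloud-admin user stopping a trail each touch a single tactic and stay quiet. That is the point of the correlation, but it is not a reason to drop single-event rules: StopLogging, DeleteTrail and DeleteDetector are rare enough in most accounts that they deserve their own high-severity alert regardless of what else the principal did.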
Slide 18: ADVERSARIES CONTINUE TO DEVELOP CLOUD-CONSCIOUSNESS
- 75% increase in cloud exploitation in 2023
- 110% increase in cloud-conscious threat actors
- 84% of adversary-attributed cloud-conscious intrusions were focused on eCrime
Source: CrowdStrike 2024 Global Threat Report

Slide 19: HOW DOES AI FIT IN: PAIN
- Effective email phishing attacks
- Deep fakes | video & voice
- Autonomous vulnerability exploitation
- Recursive attack cycle enforcement
What would the AI-augmented SOC look like? Traditional SOC vs. AI-augmented SOC.

Slide 20: HOW DOES AI FIT IN: GAIN
- Investigation assistance
- Intelligence summarization
- Query translation
- Documentation and executive reporting
- Training and onboarding

Slide 21: HOW DOES AI FIT IN: Charlotte AI example
USER: What is my exposure to vulnerabilities used by threat actors who target my industry?
CHARLOTTE AI: Your exposure to vulnerabilities used by threat actors who target the industry technology is represented by 85 unique vulnerabilities. The majority of these vulnerabilities are rated as critical, with a count of 3031, while only two are rated as high. Some key findings included.
- 19s query time
- 8 API calls
- 30 min comparable analyst time for the same query

Slide 22: A DATA-CENTRIC PLATFORM APPROACH
- Data-centric
- AI-native platform
- Security and IT automation
- Threat intel
- 1st and 3rd party data
- Generative, cloud and sensor AI
Thank you

Slide 23: CROWDSTRIKE'S FALCON XDR PLATFORM STOPS BREACHES

Slide 24: Scattered Spider TTPs
- Targeted social engineering
- Bypasses MFA via vishing, MFA notification fatigue, and likely SIM swapping
- Access to victims is primarily used for lateral movement to companies that are customers of the victim
- Changed monetization strategy in January 2023: first allegedly exfiltrating data for ransom, now BGH (big game hunting) using the ransomware AlphV
- Novel cloud TTPs