CrowdStrike Holdings, Inc. (CRWD) Earnings Call Transcript & Summary
May 25, 2021
Earnings Call Speaker Segments
Jason Rivera (executive)
Hello. My name is Jason Rivera, and today I will be presenting on exposing the ransomware ecosystem and how to use threat intelligence to get ahead of ransomware attacks. So like I said, my name is Jason, and I'm a Director at CrowdStrike who leads the team called the Strategic Threat Advisory Group. Basically, what we do is we help our customers operationalize their intelligence capabilities. Prior to CrowdStrike, I worked for a Big 4 consulting firm, where I built threat intelligence programs for Fortune 500 customers and government agencies. Prior to that, I was in the Army for approximately 7 years, where I served as an intelligence officer at places like the NSA and Cyber Command.

So before I go into this brief, I'm going to talk a little bit about where we get our intelligence and where it comes from, so that you understand the merits of the data I'm going to be presenting to you today. In general, our intelligence collection focal points can be divided into 2 sides. On the left side, you have technical cyber intelligence, which is basically the adversary TTPs, their malware, their infrastructure and the things that they're actually doing when they engage in actions on objective. The right side is digital risk monitoring, which tracks adversarial threats from the Internet, to include the deep and dark web, social media, encrypted chat channels, GitHub, Pastebin, all that kind of stuff. So basically, from a technical cyber intelligence perspective, what we are doing is using a lot of endpoint telemetry and a lot of data from what the adversaries are doing against different workloads and different targets in order to inform our intelligence capability. Obviously, we're a huge endpoint service provider, providing service to tens of millions of endpoints all throughout the world, over 180 countries, 5 trillion events per week and so on and so forth, right?
We're able to take a lot of this data, put it into Threat Graph and then see in a single location how the adversary operates, particularly in an unencrypted manner, which is a big key to how we actually engage in collection. Our ability to see what the adversary is doing in an unencrypted manner gives us a pretty significant advantage in terms of understanding what the adversary is actually doing. And then on the other side of the spectrum, we have our digital risk monitoring capability, which, like I said earlier, collects from the deep and dark web, social media, messaging apps, the open web, criminal forums, marketplaces and adversary infrastructure. Basically, anything that the adversary might do on the Internet and the locations contained within, that's what this collection source mainly helps us gain information on.

So on that note, here's our agenda. We're going to talk a little bit about the ransomware ecosystem. And then we're going to think of that ransomware ecosystem as a function of 3 areas: services, distribution and monetization. We'll go into those areas, and then I'll provide some brief recommendations at the very end on what we can do to best understand this threat and subsequently combat it.

So let's go ahead and jump in, and let's talk about the big details as they pertain to the ransomware ecosystem. When you think about the ransomware ecosystem, you've got to think of it as literally an economy; it comes and goes, it fluctuates. And those fluctuations tend to be based on a variety of different factors. So what you're looking at is CrowdStrike's eCrime Index, and you can actually look at this yourself at the CrowdStrike Adversary Universe. You just Google that term, and it will take you there. You'll be able to see our perspective on large eCrime trends, nation-state actors, different types of active groups and also different threat assessments against different sectors.
So you can get all that data at the CrowdStrike Adversary Universe. Basically, what we have observed is that eCrime, and the way that it's conducted, tends to be a function of things like the price of digital currency, what ransom demands are going for these days, activity on the dark web, different types of monetization schemes, and the different ways that the adversary markets their capabilities; all of these things tend to make the economy fluctuate. And our goal during this session is to analyze that eCrime economy and then see how it influences the execution of ransomware attacks.

So probably the best way to articulate what's been happening over the last 2 years is that we've seen a huge boom in eCrime. What you're looking at is our statistics pertaining to interactive intrusions against target entities. The light gray is eCrime, the dark gray is unattributed and the red here is nation-state. As you can see, in the beginning of quarter 1 2019, eCrime attacks and nation-state attacks were about the same amount. And then, as you can see, slowly throughout 2019 this number rises, right? And we see eCrime dominate the year. Really, that was due to the big game hunting epidemic that we're seeing within the ransomware space. Big game hunting is a term that we use for enterprise-wide ransomware attacks. Now, if you look at early 2020, you see this huge spike in quarter 1, right? And that was likely due to COVID-19 and the impact that COVID-19 had on our attack surface. When you think about what COVID-19 did, one of the first things it did was make everybody work from home. Working from home is definitely harder from a cybersecurity perspective, especially for those organizations that had physical appliances and relied on in-office connections. That was a difficult time, and the adversary was able to take advantage of it.
And then, of course, the adversary continued to capitalize on these advantages throughout the rest of the year using different monetization capabilities such as ransomware as a service, data extortion, things like that, and we'll cover those during the brief. But again, long story short, the point of this slide is to articulate how much eCrime is now dominating the total intrusion landscape that we're seeing.

Let's take a more micro view in terms of what we're seeing this most recent quarter. What you are looking at are the top 10 big game hunting victim sectors. So again, the top 10 ransomware victim sectors. What we're looking at here is a lot of industrial and engineering, a lot of manufacturing. We also see entities like professional services, technology, health care and so on and so forth, right? And what you will notice with these segments that are targeted a lot is that the adversary tends to target these sectors based off criticality. Criticality is basically the need for that sector to keep operating in order to actually profit and make money and to continue to be a viable business. And you might be thinking, well, yes, every sector needs to keep operating. But think of it, for example, with manufacturing, right? Every second that a manufacturer is not manufacturing, they're just bleeding money. It's the same logic for technology: let's say a technology service provider is failing to provide technology services. Every single day that they aren't doing that, they're losing money and they're losing reputation, things like that, right? And hackers, especially the ransomware variety, like to target those types of entities because they know that those entities will have a higher propensity to actually pay the ransom.

In this slide, what you're looking at are the most active ransomware variants in quarter 1 of 2021.
By far, Conti took the lead this quarter. Conti is used by an actor that we at CrowdStrike refer to as Wizard Spider. Wizard Spider actually possesses 2 ransomware types, one being Conti, and the other being Ryuk, all the way down here. So you can see that they use Ryuk a lot less. Some other very popular ones include REvil, which is a ransomware as a service capability; DoppelPaymer, which is used by Doppel Spider; and DarkSide ransomware, which is used by Carbon Spider, as well as Avaddon. So again, we're seeing a pretty decent distribution of ransomware attacks, not so different from last year. But it seems like these different actors, with their different capabilities, tend to ebb and flow in terms of the total amount of ransomware attacks that they're executing.

So like I said, we're going to think of this as an ecosystem. One of the best ways to think of this ecosystem is as a function of services, distribution and monetization. Services are the things that literally enable eCrime activity. So things like the Trojans, the ransomware, the malware; the capability itself is the service. And then that service or capability needs to somehow be distributed to the victims. It needs to get from point A to point B. And then lastly, the crime actor is going to want to monetize that attack. They're going to want to collect the ransom sum. They're going to want to sell PII. They're going to want to do something that allows them to financially capitalize on the operation. So that was a simple view. Now here's the more complex view that gives a little more insight into the various areas of the eCrime ecosystem. So like I said, services consist of a lot of things. It can be access brokers, it could be ransomware, it could be the loaders. Again, think of these as the capabilities that the adversary leverages. And those capabilities have to be distributed.
It could be through social networking, spam e-mails, exploit kit developments. The traffic could be purchased. There are a lot of different options here. And then again, you want to monetize, ultimately, right? Which requires things like money laundering and the dump shops, the ransom payout, ransom wallets and cryptocurrency services, things like that. And basically, those are the things that we want to understand as they pertain to these threat actor groups.

So let's start off with the services. We're going to analyze this portion right here, really focusing on the services aspect during this portion of the brief. And we're going to start off by talking about access brokers. Access brokers are one of the more prevalent threats that we are seeing these days. Basically, an access broker is exactly as it sounds. It is an entity that will intrude into a target environment, exfiltrate key information and then monetize that key information on various underground forums. So let's think of the access broker process as also sort of a mini life cycle. That is a trend that you're going to notice: there are lots of different cycles here, and different cycles that are embedded in larger cycles, and our ability to understand that as intelligence professionals is what will allow us to get ahead of these attacks. So like I said, this is a common tactic that's used to commandeer accounts and perform fraudulent transactions. It will typically start with a bot herder that will distribute malware via botnet to infect businesses, so you have the initial infection. Upon the initial infection, the malware will attempt to harvest credentials as well as collect device configuration, and these 2 areas are critical, right? Because if they collect the credentials, they can then sell that access to another entity who can then use those credentials to engage in a legitimate login into the target environment.
Alternatively, if they collect good device configuration information, then they can use that information to determine what the vulnerabilities are and then monetize that access in terms of the vulnerabilities that allow, again, another threat actor to get into that environment. So really, these are the 2 key areas that they're seeking to collect. Once they collect those, they're going to assemble that back to a bot herder, which is then subsequently sent via a log to the underground marketplaces. And in the marketplaces, they are sold to a secondary criminal or nation-state actor who then engages in a secondary intrusion. So that is the challenge here, right? You have these actors that are basically specializing in just the access portion as opposed to trying to do everything on their own. And that increased specialization allows them to get very good at what they do and therefore gives them a greater ability to execute successful attacks.

So moving on, let's talk about one of the big actors that we're seeing in the space, and that's an actor we refer to as Percussion Spider. Percussion Spider goes by several names, to include Drummer Lu, 3LD4N (I'm not sure what that stands for) and Eldan Tarek, and this is an actor whose origins we believe to be out of Turkey. This particular actor is also a cross-industry threat. As you can see with this chart here, it might be a little bit small, but they're very heavily focused on government, and also heavily focused on oil and gas and technology. And what we've observed this particular actor do is actually develop relationships with ransomware actors, in this case the fan-us developer, which is kind of like a do-it-yourself ransomware type. And each of these threat actor groups basically provides the other with positive reviews. One group supports the other.
And then eventually, what that allows them to do is build their reputation, which, of course, then increases their propensity and capability to grow and engage in illegal business. So that's the threat that we're looking at here. And let's see a little blown-up view here, just so we can see more specifically the sectors that are affected. So again, lots of government, right? And think of it like this: having access into a government target would be very valuable. So obviously, there will be a high premium on these government-type access targets. Again, lots of technology. And then, as you can see, academic, oil and gas and then pretty much a mixture throughout the other sectors.

So there are many forms of access broker threats. For the example on this slide, what we're going to be looking at is the sale of hidden remote desktop protocol (HRDP) access to victim machines. So again, it's not necessarily always just credentials. It's not necessarily all just vulnerabilities. In this case, we're looking at HRDP access into various target environments. And what happened in this case is that once the access is purchased, a user can then access the victim's machine at their discretion. What is not known at the time of this briefing is whether the seller can sell HRDP access to multiple buyers and thereby allow multiple criminal entities to access the same victims. So again, a very significant issue, because it allows lots of different types of criminal entities or nation-state entities to have a variety of different access points into the different target environments. And then again, once the actor gets in, they're able to access a variety of valuable data, to include unique IP addresses, device fingerprints, saved cookies and passwords on the victim machine, all of which can be used to facilitate further criminal operations.
Here's another example of how an access broker can use ManageEngine in order to engage in access broker activities. What we observed them doing was selling access to remote monitoring and management software. This allowed the buyer to do a variety of things, to include engaging in file transfer, using command line commands on the systems, deploying files, running files, uninstalling antivirus and, of course, accessing the domain controller, which is then, of course, a key aspect of executing an enterprise-wide ransomware attack. So as you can see, these access broker capabilities basically serve to enable other types of malware and malicious TTP services. We saw a variety of different entities being targeted by this, to include health services entities, food and beverage companies, manufacturing, oil and gas, agricultural, financial; and what you're beginning to see, I hope, by this point, is that this is really a cross-industry threat. Access brokers are going after a wide variety of entities because they have a wide variety of customers. So this particular threat is certainly not limited to one sector or the other.

Here's a more recent report that we released on an actor we call Profit Spider, who is basically exploiting Oracle WebLogic servers to deploy different types of persistence capabilities. With this actor, like the title says, they're exploiting WebLogic vulnerabilities, and basically, once they're in, they're doing the same thing, right? They're collecting that device configuration information and collecting other data that they can monetize. And they use a variety of lightweight reverse shells and proxy tools in order to maintain that access.
So again, once the adversary is in, they're basically trying to obtain things that they can sell, to include credentials for domain controllers, Active Directory databases and other types of credential stores. We do have information to suggest that one of this particular actor's breaches was followed by a Twisted Spider breach using the Egregor ransomware. So it is possible that this access broker, Profit Spider, has a relationship with Twisted Spider.

So moving on from access brokers, we're now going to talk about ransomware, right? When you think about how these things work in terms of the ecosystem, again, one thing leads to the other. It might start with the access broker, and then it gets sold to a ransomware actor, who then subsequently uses that access. On the last slide, we suggested that Profit Spider might be working with Twisted Spider. On this slide, we're going to talk a little bit about Twisted Spider. They're the user of the Maze and the Egregor ransomware. And this particular actor in many ways pioneered the data extortion technique. With data extortion, what you're basically looking at is sort of like a normal ransomware attack, where they'll do reconnaissance, find a domain controller and then execute an enterprise-wide ransomware attack. But then what they're doing on the back end is taking data that they stole during the reconnaissance process, and they're basically extorting the victim with that. They're saying to the victim, hey, by the way, I locked up all your environment, and unfortunately, I also took your data, and I'm going to sell that too unless you pay me. So now it's a situation where it's not only that you're losing the data from an encryption standpoint, but now that data is held at risk of being monetized in the criminal underground if you don't pay the ransomware actor.
So for that reason, the actor was very successful last year and was one of the more prevalent ransomware operators. But beyond data extortion, this actor actually pioneered a variety of ransomware evolutions, to include complex anti-analysis techniques, such as obfuscation within the ransomware. The ransomware was also designed to be paired with a variety of different banking Trojans, which allowed it to have a very wide targeting apparatus. And then this actor was also observed hosting data leaks from other ransomware operations, so in addition to the technical aspect, they are also very intelligent from the business point of view as well. I would certainly advise following the developments of Twisted Spider if you're interested in seeing how ransomware evolves. Especially last year, we saw that a lot of what Twisted Spider did, a lot of other actors would follow. So that might be your best practice in this case.

Moving on, we're going to talk a little bit more about this possible relationship between Profit Spider and Twisted Spider. Like I said, Profit Spider is that access broker that targets Oracle WebLogic servers, and then you have Twisted Spider, which is the user of the Maze and the Egregor ransomware. So some key notes on this. We definitely saw Profit Spider engage in opportunistic targeting of web server components, and that subsequently led to compromises. We saw them leverage a variety of different tools, most of which were designed to maintain access and then exfiltrate important data. We saw them attempt to compromise domain controllers. So again, this is what allows them to obtain critical data to then sell to a ransomware actor, who can easily use their ransomware on that domain controller. And then basically, we observed Profit Spider and Twisted Spider engaging in a joint operation. So that's why we do think there is a linkage. And so here are some hypotheses around the potential relationship between these 2 entities.
The first is that maybe they're the same group, right? Especially within the realm of cyber threats, we can't actually see our adversary. We can only see the observables of the adversary. So it is very possible that these are, in fact, the same group and/or entity. It could be that one or more individuals belong to both groups. There are no rules, right? Maybe in the land of criminals, yes, sure, you can belong to multiple teams, and that would perhaps be an efficient way to operate. It could be that Twisted Spider granted Profit Spider access to the Egregor ransomware. And then it could also be that Profit Spider is functioning as an access broker, which we do believe to be the most likely assessment here. But again, there are lots of different possibilities on how these actions are related. What this slide really serves to illustrate is the notion of that ecosystem and how these actors and operations are subsequently connected.

On this slide, we're going to talk about an actor called Carbon Spider. Carbon Spider is the user of the DarkSide ransomware. In addition to the DarkSide ransomware, they have a variety of capabilities at their disposal, to include stagers, downloaders, backdoors, remote access tools and, of course, the DarkSide ransomware itself. Having all these tools at their disposal allows them to operate in a very efficient manner. When you have all of these tools at your fingertips, what it allows you to do is operate with speed and efficiency. Once you are on a target, instead of having to wait and pause and go to another guy or find another tool, you have everything at your disposal. So especially in this day and age, the ability to operate quickly matters, both from an offensive standpoint as well as for us as defenders. So that is something that we want to keep in mind. This particular ransomware variant is also compatible with a ransomware as a service business model.
Basically, what that means is that in addition to the core actor group, they then allow affiliates to also leverage the ransomware. Typically, there will be some type of payment-splitting model associated with that, such that maybe the affiliate keeps 70% of the proceeds, and the other 30% goes back to the core Carbon Spider group. Like I said earlier, we saw ransomware as a service be highly prevalent last year, and it was one of the key themes that we saw in terms of the evolution of how these ransomware actors were able to increase the volume of their attacks. So as the slide title suggests, we're now looking at version 2.0 of DarkSide, which has a variety of different improvements. The first of these is an automated call-in system, which is basically designed to harass the victims in the event of a successful ransomware attack and to coerce the victims into having a higher probability of paying the ransom. There's also the planned development of a PowerShell version of DarkSide 2.0. Any time you see adversaries leverage PowerShell or command line type capabilities, what that does, especially from a detection standpoint, is make it harder to detect that capability. PowerShell, [indiscernible], both are hands-on-keyboard techniques, which obviously, from a legacy AV provider standpoint, creates quite a few challenges. So we are seeing adversaries, in general, migrate towards the use of more hands-on-keyboard techniques as opposed to the use of executables, which are much easier to detect from a defensive standpoint. And then we also observed this adversary suggest that DarkSide 2.0 will be a great update for Linux.
And given that a lot of server environments are of the Linux operating system, that means that DarkSide has an expanded targeting scope, and if they're able to successfully target our server environments, that could potentially have grave consequences for the different victims of these attacks.

I think it's interesting how the Carbon Spider actor group actually correlates their demands with the victim's revenue. What you are looking at is a chart where we charted out the x-axis as the annual revenue of the company and the y-axis as the demand. As you can see, the ransom demand on the victim is actually directly correlated with the amount of revenue that the company makes. So these actors are doing their homework. They are intelligent. They're thinking about the attack. They're thinking about how much they're going to ask. They have thought about their negotiation strategy, and they're doing a lot of planning in advance, right? So I think one of the big themes that we've been seeing over these last couple of years is that these aren't your average, everyday ransomware actors anymore, right? They're not just off-the-street criminals. They are trained. They are very professional. In many cases, they aren't millionaires. They are making millions of dollars, so they are also highly incentivized. So when you think of it from that perspective, we really have a very professional, very skilled adversary on the other side, and they're thinking about the problem from a variety of different ways. Even before they engage in the attack, they're being very methodical about who they choose to attack. And what we're noticing is that even when it comes to the revenue of the company, they're also being very methodical there. So I thought that was an interesting observation.

Moving on, let's talk about Pinchy Spider, which is another very prevalent ransomware as a service actor.
So this actor has gone through a couple of brands or iterations. They started off with GandCrab, which was their first ransomware as a service iteration. Then they evolved towards REvil. As you can see here, GandCrab was first used around January 2018. Then they stopped using it once REvil took its place. My understanding was the reason they stopped using it was that they lost the ability to control it. They lost the ability to actually ensure that the affiliates were using it correctly. So they got rid of GandCrab and then retooled it such that now they have REvil, and it's a much tighter command and control structure under REvil. So as the title of this slide suggests, we're now looking at version 2.04 of the ransomware, which has a variety of improvements, the first of which being the ability to operate in safe mode, and basically boot machines up in safe mode once the ransomware attack takes place. Booting a machine up in safe mode makes it much harder from an incident response perspective to actually engage in successful incident response, because it limits the network connectivity of that machine. There's also an asynchronous Windows Management Interface, a WMI process, that allows for service enumeration and termination. Using this WMI process also allows for more hands-on-keyboard techniques and fewer executables, so it lowers the chances of being caught. There's also a change to the version of the Google Chrome user agent in terms of the command and control. So again, a variety of improvements have been made by this ransomware actor in order to continue to facilitate successful operations. Like all of the ransomware actors, they continue to evolve their capabilities. In general, ransomware actors are kind of like we are. We buy new tools, we hire more people, we evolve our capabilities, and they do the same thing. They make new tools.
They add on different affiliates, and they evolve their capabilities. So it's sort of like this never-ending chess match, and one of the things that we really want to focus on from an intelligence perspective is: how well do you understand how this chess match is evolving? And how well are you positioning your organization to be able to combat these threats as they evolve?

So next, we're going to talk about the second phase of the criminal ecosystem life cycle, and that is the distribution phase, which is really represented right up here, right? So the services are the bad thing that they're going to do to you. And then they're going to somehow distribute that bad thing to you. So that's what we're really focused on in this section. Honestly, probably the biggest phishing scheme that we saw all of last year, and that's still happening a lot this year as well, is this COVID-19 related situational phishing. And when I say situational phishing, I mean exactly as the name implies: it is phishing designed to take advantage of a highly global, high-notoriety type situation like COVID-19, for example, right? As you can see here, we have this e-mail address that appears to be spoofing the CDC, and we've seen lots of spoofing, whether it's the CDC or the World Health Organization. We've seen the IRS spoofed from a tax rebate perspective, lots of government authorities being spoofed, lots of hospitals. In general, what the threat actor is doing is taking advantage of the hype or the fear factor. People tend to be much more fixated and much more hyped up about things they are afraid of. So obviously, COVID-19 is a very deadly pandemic with global implications. Lots of people are, of course, afraid of it, and they're trying to keep track of what's happening, so when somebody like the CDC, or what appears to be the CDC, sends them something, they're like, oh, no, wow, I've got to open that, I'd better find out more, right?
So the threat actors are very aware of this, and we certainly saw a lot of this when it comes to distributing these different malicious capabilities. Like I'm saying up here, spoofing authority figures tends to be a big one: whenever you can ramp up your credibility, whenever you can create that sense of urgency, like, oh, no, the authority figure is reaching out to me, and they want me to respond right away, I guess I'd better do it. We see a lot of that type of thing, right? So that's one thing we watch out for. Another thing that we're looking for here is that these messages always contain a sense of urgency, right? You have to act now, you have to do this, otherwise you might encounter potential hazards, or whatever it might be. There's always a sense-of-urgency element that tends to be a part of these spoofing messages. So we really want to think of this from an awareness standpoint: what is your counter-phishing strategy? How do you promote awareness amongst the population? How do you analyze phishing messages? How have you responded if there's an interaction? How do you even know if you're being targeted in the first place? I know, for example, CrowdStrike possesses capabilities that allow you to enter your e-mail domains to understand if you are being targeted by malicious actors, right? So we want to think through that kind of stuff. We want to think about how we can get ahead of this. And ideally, we understand and are aware that we're being targeted before the users in our environments are aware that they're being targeted. That's the point we want to get to as a cyber security team.

So next up, we have Labyrinth Chollima, which is a nation-state actor, and you might be wondering to yourself, why are we talking about nation-states in this criminal brief? Well, North Korea actually uses a lot of criminal techniques, to include ATM cash-out schemes, and they've used ransomware.
They use all sorts of fraud-related techniques. And what we've observed them doing is leveraging another distribution vehicle, specifically the use of social media and messaging apps. So what we observed in 2020 was that they relied very heavily on LinkedIn to engage in targeting. And when they engage in that targeting, they would typically disguise themselves as human resources professionals, recruiters, sales associates, and in almost all cases, they appear to have an opportunity of some sort, a job they are offering you, some type of thing that, oh, wow, that's an amazing opportunity, I better hop on that one. And that was kind of like the premise of it, right? And then once they kind of lured you in via LinkedIn, they then suggested to the victim that, hey, we should take this to WhatsApp, so we can have a more private conversation. I can send you the job description. I can send you more details or whatever it may be, right? So that's where we're kind of seeing that kind of stuff happen on a regular basis. And the reason the actor prefers to go over to WhatsApp is because they can operate there more with impunity. So it's end-to-end encryption, which means that there is no security check of the things that are being sent. Whereas if you were to send malware over LinkedIn, then there's, in that case, a higher probability that the attack might get caught. So I think this is a pretty clever use of social media and messaging apps by Labyrinth Chollima, which I think is very representative of the types of attacks that we can potentially see criminal actors use against our environments. So next up, we have an adversary referred to as Mallard Spider. Mallard Spider is the user of the QakBot banking Trojan, which is a very popular banking Trojan that subsequently leads to a lot of ransomware attacks.
So when you think about kind of the ransomware ecosystem, a lot of times, the thing that precedes the ransomware attack is a banking Trojan within the environment. That banking Trojan is used to gain access to the domain controller. And then once they gain access to the domain controller, the banking Trojan then downloads the ransomware, which allows for the facilitation of an enterprise-wide ransomware attack. So again, like I said, this sophisticated banking Trojan is one of the longer-running active criminal operations. Literally, we first saw this thing in mid-2009. So they definitely had a long time to get very good at this. And here are some of the default form grabber capture filter examples, so basically, it is capturing a lot of forms on your web browsers and your URLs, capturing data that allows them to get credentials and understand kind of like how you operate, right? And the more data they can capture, the better their ability to set up and facilitate a ransomware attack. So when you think about kind of like this actor, we've observed them being able to successfully steal e-mails, user credentials, deploy additional malware. QakBot we've observed to have a very modular design, which basically means that they can alter the functionality to kind of fit into the place of where it needs to be. And that is very characteristic of a lot of your more advanced banking Trojans. A lot of your advanced banking Trojans are sort of like a Swiss Army knife; they have a lot of different capabilities, whether it's lateral movement or credential collection or reconnaissance, a lot of different things that they can do in order to best facilitate the attack. So again, kind of like the ransomware, we also see actors continue to update their versions of banking Trojans in order to make them harder to detect, easier to distribute and more compatible with other ransomware types. So over the last portion of the brief, we're going to talk a little bit about monetization.
So again, thinking about how we got here. First, you have the services. The services are the bad thing that they're going to do against us. They're going to distribute that bad thing to us via spam or phishing or social networking or whatever it may be, right, and then once that bad thing happens to us and once they execute the attack, now they have to monetize it. So now we're going to kind of talk about this piece here and really think about how we can better understand this from an intel perspective. So the first area we're going to go over is dump shops and the sale of payment card information. So one thing to kind of keep in mind is that all this stuff is related, right? Like, for example, what you're looking at here is a report around formjacking linked to an actor that has identified themselves as Fullz House. And basically, what this individual is doing is obviously selling fullz, and they're using formjacking to leverage a malicious JavaScript inject and harvest payment or personal information from a web page. They then take that information and subsequently sell it. So a lot of these things are connected, right? Like in the same way that this actor is selling this data using that kind of JavaScript inject capability, we also see a lot of actors selling data from things that they stole during their ransomware operation. Like let's take this one, for example. This is Wizard Spider. Wizard Spider is best known for engaging in ransomware attacks. On the side, however, Wizard Spider also engages in formjacking techniques as well, and they use that to harvest payment card information. So it's a relatively new tactic for Wizard Spider. And part of the reason they probably did this is because of COVID-19. And so when you think about the decline of personal retail, obviously, that would imply less of a focus on point-of-sale devices and much more focus on these formjacking-type techniques.
So this is a big use case because what it does is it illustrates how adaptable these actors are. You can have an actor that specializes in ransomware one day, and they see an opportunity, such as the one presented by COVID-19 and what that did to online retail. And now you see this actor pivoting, so, again, these actors tend to be very flexible. And for them, it's all kind of about the money, right? So where is the money at? Where is the biggest opportunity at? And based off that opportunity, that is sort of how you see these actors evolve and how you see them kind of really build their techniques and grow their techniques. Let's talk a little bit about data leak sites. So again, when you think about data leak sites, part of it is your ability to understand data extortion itself. So we briefly reviewed this earlier, but basically, think like a ransomware attack, right? The ransomware attack starts off with reconnaissance. They've got to find that domain controller; once they do that, they can engage in the enterprise-wide ransomware attack. During that process, ideally, they will exfiltrate sensitive data, things like PII or intellectual property, your sensitive e-mail conversations, things like that. And then they'll execute their ransomware attack. Ideally, it will be enterprise-wide for them -- not ideal for us, but ideal for them -- it will be enterprise-wide, and it will include endpoints, networks, drives and shares and databases; it kind of gets throughout the entire environment. And then there's the extortion piece. And basically, what they're seeking to do is extort you with that data. So for example, if they stole a lot of PII -- we've even seen a case where they'll kind of do the math in front of you. They'll be like, hey, victim, sorry I locked up your environment. And by the way, I stole this amount of PII, I think it will cost you this much in identity theft insurance. So how about this, I'll cut you a deal.
You only have to pay me half as much, and now you don't have to pay all that money out in identity theft insurance. So we've even seen them go that far, to where they kind of do the math in front of the victim, which is, again, very much so within that extortion technique. And of course, if you don't pay, then you suffer the consequences, the consequences being the sale of that data on a data leak site. So when you think about the entities that are affected by data leak sites, what you will notice is that the entities primarily affected by data leak sites are in many ways the same entities that are affected by ransomware. So here we go again, right? Industrials, engineering, manufacturing, technology, health care, retail, financial services. Again, a lot of your big ones that were already being affected by ransomware are also affected by data leak sites. And the reason for that is because during the ransomware operation, they're also stealing the data, so these things are related, right? And that's why we keep on going back to this notion of the ecosystem. You cannot look at these things as individual discrete occurrences. You have to see them as part of a much larger life cycle. And your ability to see that life cycle will allow you to interdict them in the earlier stages of the life cycle. That's ideally the kind of point we want to get to. So what you're looking at here is kind of the most active big game hunting adversaries that use data leak sites. So the most active ones that we saw last year: Twisted Spider, which is the user of the Egregor ransomware, was by far the most active. Like I said earlier, they're kind of like the pioneer of the data extortion technique. So therefore, of course, they're going to be one of the most active ones. But we also saw a lot of activity out of Wizard Spider, which, again, is the user of the Ryuk and the Conti ransomware types, and Pinchy Spider, which is the user of REvil.
So moving on, I think this is interesting, what we saw Graceful Spider do. And basically, what we saw them do was leverage a capability to allow third-party partners of their victims to buy the data. So basically, my understanding of what they're doing is that they're reaching victim A, but then they're allowing entities associated with victim A to buy that data back, because if the entities are associated with them, the breach of that data might also hurt them. So we're seeing that in a lot of cases. We also saw it recently with a major semiconductor manufacturer as well. So again, we're seeing kind of like this basically -- actors reaching one victim, but then having other entities pay on that victim's behalf. So again, I think it's interesting. We're seeing added options for them to monetize, and these actors are very clever, right? They think of the different ways that they can monetize the data, they think of the different victims that they can extort, and then they use that to their advantage. Next up, we have kind of a real-world scenario, something that we saw a REvil/Pinchy Spider actor do. Basically, what we observed them attempt to sell was approximately 13.6 gigabytes of documents and videos from Uruguay and Negi. And the activity was observed on a Russian-language forum, and they were requesting about $500,000. They even posted confidential screenshots, right? And what they were doing basically is extorting the victim. They were trying to get the victim to pay to get the data back. And the victim did not pay, and therefore, the data might be listed, right? So the seller stated that the data could be made available on the data leak site; at the time of the report, it was not yet done. But I think what this really speaks to is the magnitude of what the possibilities are.
So if, in fact, this attack did occur and if, in fact, it was successful, then a criminal actor stole something from a national military entity and found a way to sell it online. I think that has pretty broad-sweeping implications. And it's not just these military entities. It's a variety of different entities. So for example, here's a pull that we did from our newest capability called Falcon X Recon of the different victims of Pinchy Spider. And again, all sorts of victims of different listings. So this is very much a cross-sector threat. Yes, the manufacturers and the technology companies, the financial companies, professional services, health care, they are the ones that tend to be held at risk the most. But it is certainly a universal threat that we are seeing across the board and, therefore, is one that we should take very seriously. So we're going to talk a little bit about the way forward, and then we'll conclude this brief. And basically, in this brief, we talked about the criminal ecosystem, right? And remember, the criminal ecosystem consists of 3 parts. There's the services piece. So remember, that was the first part, right? So like the access brokers and the ransomware and the loaders and the banking Trojans, all the capabilities themselves that allow the attack to succeed. And then there's the distribution of those capabilities. So think of that as the vehicles of how the capabilities get there: how do they get delivered to the victims? And then lastly, the monetization piece. So how will the criminal actor capitalize? In the ideal world, we understand the interconnectivity between these things. It's not enough just to understand ransomware. It's not enough to just combat phishing or to worry about the listings on the dark web, right? We need to understand the whole thing. And that is what intelligence allows us to do, which leads me to my next slide, recommendations. So here are my key recommendations for kind of right now, right?
The first 3 are intelligence-focused, the next one is hunting, and the last one is services. So the first one is around intelligence automation. So think of it like this: there is more of the adversary, more and more and more and more volume. They are engaging in a higher volume of attacks, yet there is not more of you. The amount of you from a cybersecurity perspective is staying the exact same, but the amount of attacks is increasing; therefore, we need to focus on leveraging intelligence automation to combat that threat and think about how you can effectively use indicators -- YARA rules, Snort rules and other types of content -- to effectively push defensive capabilities to your endpoint devices, your firewalls, your SIEM, XDR, EDR, so on and so forth. The next capability we need to think through is intelligence monitoring, so we talked very much so about access brokers today. You need to monitor for these access brokers and monitor for them potentially targeting your environment. You want to know the second they are potentially making a listing relative to you so you can do something about it. What you don't want to happen is an access broker lists your information and then another actor buys it, all without you being aware. So we want to use intelligence monitoring, things like Falcon X Recon, our new monitoring capability, to get ahead of that. We also want to leverage intelligence reporting. Intelligence reporting is how we understand the cognitive aspects of the threat actor. It's how we understand their motive, intent, capability, infrastructure and TTPs, and our ability to understand these things in advance allows us to be proactive in our operations, because in the absence of intelligence, we are basically reacting. Without intelligence, you are responding to alerts. You are responding to incidents. You are responding to things constantly, but you're never proactively understanding the things unless you have intelligence.
So that's one of my stronger recommendations: the use of intelligence reporting to proactively understand threats. And then using threat hunting to proactively engage those threats. So there is a term I'm using with a lot of my customers these days. It's called intelligence-driven hunting. Intelligence-driven hunting is the answer to many of the major attack types that we are seeing, especially the more significant and more complex attacks such as supply chain attacks. And the actor is taking advantage of these zero-day vulnerabilities; the problem with supply chain attacks and zero-day vulnerabilities is they are the perfect storm. The actors are getting in using capabilities that are, in many cases, not going to be detected by your security software. Therefore, the use of human-based threat hunting is really the only answer. Anybody that says they're going to automate threat hunting -- it's just not true. It's not possible. If threat hunting could be automated, then it would be built into security software. So that's the thing, right? We need to really focus on this. How do we use intelligence to engage in the threat hunting so we can proactively look for this malicious behavior that's being missed by the security software? And then lastly, in the event of emergencies, you want to have a service partner who's there for you, whether it's having a retainer or having a maturity assessment to understand and kind of proactively gauge out your capabilities. These are things you want to be prepared for. You don't want to have to figure this out when something bad happens. You want to figure this kind of stuff out before it happens. So again, these are my 5 recommendations. And then lastly, I will close with this. Here's the question that I've been closing with a lot lately. And ultimately, if you can answer this question, then you will win. It is a very simple question, yet it is nearly impossible to answer.
And the truth is you never quite get there, but the goal is that we want to get closer and closer. And that question is, how exactly is the adversary going to attack you? And how exactly are you going to stop them? What I would propose today during this brief is that you use threat intelligence to understand how the adversary is going to attack you. And I would propose that you use the information that you gained during threat intelligence to determine how you're going to stop them: to tell the threat hunters what to hunt for, to tell the vulnerability management team how to prioritize, to help the staff build better use cases, to help put better indicators into the SIEM and your AV and EDR solutions, so on and so forth, right? We need to stop waiting. We need to stop waiting for bad things to happen to us. And we need to start being more proactive in how we engage these threats. And ultimately, what it comes down to is this: your ability to defeat advanced cyber threats rests almost entirely on your understanding of the problem. The better you understand the problem, the better the decisions you will make. The less you understand the problem, the more you will be surprised by the consequences of your decisions. So I would urge you today to really think about this. How are you going to enhance and maximize your understanding of the problems that your organization is facing? All right. Thank you, everyone, for your time, and I hope you enjoy the rest of OptivCon. Thanks.
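The intelligence automation recommendation in the talk (indicators pushed as Snort rules and SIEM content, then matched against what the environment logs), as an added example that is not code from the talk or from CrowdStrike. The indicator feed, the dropper hash, the TEST-NET-3 address and the log lines are all constructed; the Snort rule text uses only standard rule options.

```python
"""Added example: parse a small indicator feed, emit Snort rules for the network
indicators, and run every indicator over constructed log lines as a SIEM lookup
would. Feed, hash and log lines are constructed for illustration, not real IoCs."""
import hashlib
import ipaddress
import re
from dataclasses import dataclass

# Constructed dropper hash, so no real file hash appears in the example.
SAMPLE_HASH = hashlib.sha256(b"constructed dropper sample").hexdigest()

# Constructed feed in a vendor-CSV-like shape: value,type,context
INDICATOR_FEED = f"""\
CDC-COVID19-Alerts.example,domain,situational phishing sender domain
203.0.113.45,ipv4,loader C2 (TEST-NET-3 address, constructed)
{SAMPLE_HASH},sha256,banking trojan dropper (constructed)
"""

@dataclass(frozen=True)
class Indicator:
    value: str   # normalised to lowercase so matching is exact
    kind: str    # domain | ipv4 | sha256
    context: str

def parse_feed(text: str) -> list[Indicator]:
    """Parse the feed and reject malformed entries so bad content is never pushed."""
    out = []
    for line in text.splitlines():
        value, kind, context = (p.strip() for p in line.split(",", 2))
        value = value.lower()
        if kind == "ipv4":
            ipaddress.IPv4Address(value)                    # raises on junk
        elif kind == "sha256" and not re.fullmatch(r"[0-9a-f]{64}", value):
            raise ValueError(f"bad sha256 in feed: {value}")
        elif kind == "domain" and not re.fullmatch(r"[a-z0-9.-]+", value):
            raise ValueError(f"bad domain in feed: {value}")
        out.append(Indicator(value, kind, context))
    return out

def to_snort_rules(indicators: list[Indicator], base_sid: int = 1000001) -> list[str]:
    """One Snort rule per IPv4 indicator; domains and hashes go to the SIEM instead."""
    rules = []
    for ind in (i for i in indicators if i.kind == "ipv4"):
        sid = base_sid + len(rules)
        rules.append(f'alert ip $HOME_NET any -> {ind.value} any '
                     f'(msg:"INTEL {ind.context}"; sid:{sid}; rev:1;)')
    return rules

# Constructed log lines: proxy, mail gateway, EDR file event, and a benign line.
SAMPLE_LOGS = [
    "2021-05-20T10:01:02Z proxy user=jdoe dst=cdc-covid19-alerts.example url=/rebate.html",
    "2021-05-20T10:03:15Z mail from=alerts@CDC-COVID19-ALERTS.example subject='Urgent: act now'",
    f"2021-05-20T10:07:40Z edr host=WS-042 file=invoice.exe sha256={SAMPLE_HASH.upper()}",
    "2021-05-20T10:09:00Z proxy user=asmith dst=intranet.corp.example url=/",
]

def match_logs(indicators: list[Indicator], logs: list[str]) -> list[tuple[int, str, str]]:
    """Return (line_no, kind, value) for every indicator seen in a log line.
    Tokens are lowercased so case tricks in sender domains or hashes do not evade."""
    lookup = {ind.value: ind.kind for ind in indicators}
    hits = []
    for n, line in enumerate(logs):
        tokens = set(re.findall(r"[a-z0-9][a-z0-9.-]*[a-z0-9]", line.lower()))
        hits.extend((n, lookup[t], t) for t in sorted(tokens) if t in lookup)
    return hits

if __name__ == "__main__":
    inds = parse_feed(INDICATOR_FEED)
    print("\n".join(to_snort_rules(inds)))
    for n, kind, value in match_logs(inds, SAMPLE_LOGS):
        print(f"line {n}: {kind} indicator {value}")
```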