CrowdStrike 2017 Cyber Intrusion Report (Cybersecurity) (English Edition)

Uploaded by: Co****e  Document ID: 35931824  Upload date: 2018-03-22  Format: PDF  Pages: 31  Size: 1.12 MB

CYBER INTRUSION SERVICES CASEBOOK 2017
Security Resilience in the Face of Evolving Attacker Tradecraft

CROWDSTRIKE.COM | 1.888.512.8906
15440 LAGUNA CANYON ROAD, SUITE 250, IRVINE, CALIFORNIA 92618

CONTENTS

FOREWORD
EXECUTIVE SUMMARY
KEY FINDINGS
KEY TRENDS
CASE STUDIES AND RECOMMENDATIONS
CONCLUSION

FOREWORD

Cyberattacks and the resulting breaches are a fact of life now. The impact left in the wake of a successful intrusion can be massive when customer data or other confidential information is stolen, exposed, changed, or deleted. It's an inescapable certainty: Where valuable digital assets exist, aggressive threat actors follow.

These actors continuously develop and adopt new means to achieve their objectives, from the destructive NotPetya malware using stealth propagation techniques, to ransomware extortion, to the use of valid operating system processes to exploit the network. Likewise, security stakeholders from CISOs to incident responders to the board of directors must evolve their security planning to ensure resilience in the face of an attack. This document provides guideposts to further you along that path.

Drawn from real-life client engagements, the annual CrowdStrike Cyber Intrusion Services Casebook provides valuable insights into ever-evolving attacker tactics, techniques and procedures (TTPs). It also reveals the strategies the CrowdStrike Services team devised to effectively and quickly investigate and remove threats from victims' networks. Additionally, the report reveals emerging trends observed in attack behaviors, including the preferred tactics used by threat actors to gain entry to the targeted environment.

Based on CrowdStrike Services' extensive experience in the field, this casebook provides key takeaways that can inform both executive stakeholders and security professionals how to respond to intrusions more effectively. Most importantly, it offers recommendations that organizations can implement proactively right now to improve their ability to prevent, detect and respond to attacks. The threat is real, the risk is high, and CrowdStrike Services stands shoulder-to-shoulder with our clients to secure their data and their infrastructure: “One Team, One Fight.”

Shawn Henry
CrowdStrike CSO and President of Services

EXECUTIVE SUMMARY

Several key trends emerged from the incident response (IR) cases the CrowdStrike Services team handled on behalf of clients this past year. The team's case summaries and statistics show vividly how resourceful and relentless sophisticated attackers can be as they continually look for gaps in clients' IT infrastructure. Organizations should realize:

1) The lines between nation-state sponsored attack groups and eCrime threat actors continue to blur.
2) Self-propagation techniques have added a new twist to ransomware attacks and their ability to paralyze clients' operations.

These trends make it clear that any organization relying primarily on traditional security measures and tools, such as signature-based antivirus or firewalls, will not be able to detect or fend off determined, sophisticated threat actors. As attackers become more brazen and their attack techniques continue to evolve, organizations must likewise evolve their security strategies to proactively prepare for the next attack.

KEY FINDINGS

Surveying the data points across the many cases CrowdStrike Services worked on the past twelve months revealed the following statistics and key trends. In-depth case studies illustrating each trend follow in this casebook.

Organizations continue to improve their ability to self-detect breaches

The ability to detect an incident soon after it occurs is critical: Of the clients CrowdStrike Services worked with during the past year, 68 percent were able to internally detect a breach; this was an 11 percent increase over the prior year. It reflects organizations' overall efforts to continue maturing their security postures while investing in security tools and resources to detect attacks, including endpoint detection and response (EDR) tools such as CrowdStrike Falcon Insight.

The average attacker dwell time is 86 days

This statistic reflects the number of days between the first evidence of a compromise and its initial detection. The longer an attacker can dwell in the environment, the more opportunity he has to find, exfiltrate or destroy valuable data or disrupt business operations. In some outlier cases, the team saw dwell times as high as 800 to 1,000 days, but these were exceptions and not the norm. Regardless of dwell time duration, automated systems may eventually detect an intrusion, but by the time human staff is alerted and aware it's often too late: the attackers must be stopped before they can achieve their objectives.

The most prevalent attack objectives

Of the incident response cases where the CrowdStrike team identified a breach type, those listed belo
