Hunting the Adversary with Crowd Response

Presented at ToorCon San Diego 17 (2015), Oct. 25, 2015, 3 p.m. (20 minutes)

Adversaries are running rampant through small and large enterprises alike, going undetected for far too long. Internal discovery accounts for a small percentage of breach detections as advanced adversaries pivot around traditional security tools with ease and are decreasingly reliant on malware. Understanding your enterprise and being able to efficiently hunt across it is a must in today’s threat landscape. This presentation will cover how to efficiently hunt your enterprise and quickly respond to an incident. During the presentation we’ll introduce Crowd Response, CrowdStrike’s free investigative tool. Crowd Response is an efficient and powerful way to seamlessly gather forensic artifacts across a Windows enterprise in formats suitable for quick analysis. We will work with evidence collected from real nation-state attacks and illustrate techniques to accelerate analysis and differentiate good from evil. As part of this demonstration, we’ll review high-value forensic artifacts and common evidence left by nation-states and individuals alike. Attendees will be able to immediately leverage these techniques in their own environments to discover unknown intrusions or in response to a future incident.


  • Danny Lungstrom
    Danny Lungstrom is a Principal Consultant at CrowdStrike with over a decade of information security experience. Danny has an extensive background in incident response, digital forensics, and information security that spans corporate, government, and academic environments, allowing him to manage a full docket of security and forensic casework at CrowdStrike. Danny regularly investigates cyber security compromises at some of the world’s largest companies. Prior to joining CrowdStrike, Danny was a Digital Forensic Examiner at Stroz Friedberg. At Stroz he supported investigations and legal proceedings involving incident response, security risk assessment, and forensic data acquisition and analysis. These investigations spanned global Fortune 100 companies, large botnet operations, and many high-profile individuals. Danny also brings past career experience in protecting highly critical Department of Defense networks and national corporate infrastructure, leading vulnerability investigations, and performing PCI and risk assessments. Additionally, he was a part of the Global Positioning System’s (GPS) Program Office, serving as an expert on information security and its state in current and future GPS satellite constellations. In addition, he led the development of remote forensic capabilities and wrote analysis and training material for early mobile device forensic tools. Danny received a Bachelor of Science degree in Computer Science at the University of Illinois at Chicago. He went on to receive a Master of Science degree, with highest honors, in Information Security Policy and Management from Carnegie Mellon University. Danny was elected to and served on the Board of Directors for the Los Angeles chapter of Information Systems Security Association (ISSA LA) for four years. He is a Certified Information Systems Security Professional (CISSP) and Payment Card Industry Qualified Security Assessor (PCI QSA).
