Our client Crowdstrike, and good friend George Kurtz, speaks to the issues related to today’s security issues for countries and companies alike. This interview gives insights into the changing world of cyber security. Crowdstrike is one of the top new companies approaching cyber security from a new point of view. The old model of looking for known attacks does not work today, and you need to be looking for behavior and patterns that identify that someone is trying to find a new way into your platform to stop them before they even get inside…then you need to control their behavior and learn from it. Its a cyber crime world, and we need to define and build new technologies that attach cyber Security aggressively before the hack has happened.
The hacking of Sony Pictures Entertainment is pretty epic cyber, but several corporations have suffered major security breaches in the last year, including Target and Home Depot.
To understand how the hacks work, we turned to George Kurtz, the CEO of CrowdStrike. He has been in the online security business since the 1990s, helping to develop different anti-virus software, but he started up CrowdStrike to help go after the hackers who are using those viruses to get into company systems to steal information.
Take Two host A Martinez recently spoke with Kurtz about his company, the sorts of hackers who are trying to infiltrate companies and what they’re doing about it.
While Kurtz wouldn’t talk about the exact methods that they use to track down hackers, or what they do once they find them, earlier stories have detailed the companies sometimes controversial methods here and here.
You can read excerpts from the full interview below, which has been edited for brevity and clarity.
What is the difference between anti-virus software and CrowdStrike?
“Anti-virus software uses something known as signatures. And this technique has been around for probably the last 25 years. Essentially it’s a blacklist, a list of known bad. And, unfortunately, there’s about 200,000 or more pieces of new malware that are created every day by the bad guys. So, it’s very difficult for traditional anti-virus vendors to keep up with that blacklist. Our technology doesn’t use signatures. It looks for behaviors and what the bad guys are trying to do. So, we’re able to identify their behavior and their malware without using these signatures so we can basically get in front of the bad guys when they’re trying to do something that’s not good.”
Can you give us an example of a big company that you’ve helped?
“We’ve helped some online large internet cloud providers, if you will, helped them identify the bad guys actually trying to get in and stopping them. It’s almost like a movie, you know, we would actually see where other technologies were blinded, the adversary trying to get in. Typically what will happen is the adversary will get in. They’ll try to steal username and passwords and credentials from the system they’re on. And then they’ll try to reuse those username and passwords throughout the organization. So we were able to see and stop that in real time, but it was almost like having a camera surfing over the shoulder of the bad guy as they were literally typing the commands. And in many cases we would see almost a shift change where there would be a first level attacker with moderate skill, and when they were stymied trying to get in, we would see another adversary on the same team actually be brought in with much greater skill and trying to get into those systems.”
So, what exactly are you watching? Are you watching numbers come over the computer screen? How does it look?
“We can actually see what they’re trying to do on the system. So, in many cases, we’ll actually allow them onto a system so that we can watch what they’re doing and what their intent is. And then we have a very robust incident response and intelligence group that basically tracks, I would say, probably 70 to 80 of the largest adversary groups, nation state and cybercrime groups around the country. So, a lot of times what we’re trying to do is look at the tactics, the techniques and the procedures that they’re implementing in their tools, so that we can identify them back to one of our known groups to better understand what they’re after. Are they after sensitive credit card information? Or are they after the latest chip design for the next processor? You need to understand who the group is to be able to combat them effectively.”
Where are these attacks coming from?
“There’s a range [of hackers]. You have everything from a 13 year old kid in a basement to nation state and everything in between. Really, the group that we’re… focused on are either nation state actors, say from China or Russia, or cyber crime groups, many are out of Russia. The nation state actors out of china have been very focused on getting intellectual property out of the United States, as well as other countries. And really, there’s only two types of large companies: those that have been hacked and those that haven’t figured it out yet. They’re very skilled, very persistent, and they have the ability to get into almost any major corporation. Then you kind of move into the cyber crime groups. And these are the groups that are really focused on getting into a company and getting data and then monetizing that data. And data really is the currency of the 21st century. There is a value for every credit card number. There’s a value for every social security number and here’s a value for any other piece of personably identifiable information and they will monetize that through a very efficient and anonymous black market system.”
In terms of the debit card and credit card information breaches, typically, where are the people that are stealing this information? Where in the world does this information go?
“A lot of the cyber crime that we see, the folks that are really focused on getting credit card information and personal information, a lot of it stems out of Russia and sort of Eastern Block countries. The laws there are such that it’s very hard to bring anyone to justice. They have many tools and many smart folks available to them and when they steal that information, then they basically have a complete underground forum system. It’s really called the dark web, where you need to know people and have access. But if you have that level of access, you can get into these forums and you could buy and sell all of this information, anonymously.”
Once you track them down, what do you do at that point? Do you hack them back? What do you do from there?
“We’re focused on protecting our customers. So, really the only reason why we’re interested in understanding who it is is to better understand how to protect them. Each group has different tactics… and you want to marshall the limited resources you have as a company to protect against that threat actor. In some cases we’ll work with law enforcement and turn that information over to law enforcement, and then we’ll let law enforcement handle it if they can. Many times if it’s out of the country… it’s very difficult to bring those adversaries to justice.”