In August 2012, Shamoon, a new piece of malware designed to attack Aramco, the Saudi Arabian national oil and natural gas company, was discovered. Shamoon destroyed data on about 30,000 of Aramco’s computers and servers and inflicted massive damage and chaos that is still reverberating today. From kill switch to wiper, join us for an in-depth exploration of this two stage targeted attack.
- Explore the mechanics of the two stage targeted attack known as Shamoon
- Understand why the attack was not prevented by traditional on-premises security solutions
- Understand through the Shamoon attack that 100% prevention is not possible
- Gain an introduction to the tools and solutions that detected Shamoon
- Further comprehend APTs and other advanced malware and how to protect your company from attacks like Shamoon
This presentation was given by Seculert Co-Founder and CEO Dudi Matot at Infosecurity Europe 2014.
Case Study: Shamoon, a two stage targeted attack
Dudi Matot, Co-Founder & CEO
29/04/14
Agenda
• The Shamoon attack
• Why the attack was not prevented
• Attacks today
• How Shamoon was identified
• A holistic approach to threat protection
• Q&A
Shamoon Targeted Attack
• Shamoon is a 2-stage attack targeting Oil & Energy companies
• Comprised of 3 modules
  — Dropper
  — Reporter
  — Wiper
• Extracted data via an internal infected machine proxy
Shamoon Targeted Attack
• Spread itself on the local network via Scheduled Tasks
• Abused a legitimate & signed RawDisk driver to wipe the MBR
• Wiper module time bomb
• Wiped drive and MBR at specified dates and times
• Risk of copycats
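A defender-side illustration of two behaviours on this slide (the same scheduled task fanning out across hosts, and installation of a raw-disk driver that can overwrite the MBR). This is added example code, not from the presentation; the log format, host names, task name and driver path are constructed, and the "rawdisk" path match is a stand-in heuristic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the talk). Format: ISO time, host,
# Windows event id, key=value details. 4698 = scheduled task created
# (Security log), 7045 = a service/driver was installed (System log).
# Task name, hosts and driver path are placeholders, not real indicators.
SAMPLE_EVENTS = """\
2012-08-15T08:00:12 WS-017 4698 TaskName=\\AT1 Author=CORP\\svc_backup
2012-08-15T08:00:40 WS-018 4698 TaskName=\\AT1 Author=CORP\\svc_backup
2012-08-15T08:01:05 WS-019 4698 TaskName=\\AT1 Author=CORP\\svc_backup
2012-08-15T08:02:30 WS-021 7045 ServiceName=diskio ImagePath=C:\\Temp\\rawdisk_example.sys
2012-08-15T09:15:00 WS-044 4698 TaskName=\\Microsoft\\Windows\\Defrag\\ScheduledDefrag Author=SYSTEM
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")

def parse_events(text):
    """Parse one event per line into a dict; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, eid, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "id": int(eid), **fields})
    return events

def detect(events, min_hosts=3, window=timedelta(minutes=10)):
    """Two heuristics matching the slide: the same scheduled task appearing on
    many hosts in a short window (worm-style spread via Scheduled Tasks), and
    installation of a driver whose path suggests raw disk access (MBR wipe)."""
    findings = []
    by_task = defaultdict(list)
    for e in events:
        if e["id"] == 4698 and "TaskName" in e:
            by_task[e["TaskName"]].append(e)
        if e["id"] == 7045 and "rawdisk" in e.get("ImagePath", "").lower():
            findings.append(("raw_disk_driver_install", e["host"], e["ImagePath"]))
    for task, evs in by_task.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # sliding window from each creation
            hosts = {e["host"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                findings.append(("task_fanout", task, sorted(hosts)))
                break
    return findings
```

The benign ScheduledDefrag task on a single host produces no finding, while the three near-simultaneous AT1 creations and the raw-disk driver install each do.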
Shamoon: Why wasn’t it prevented?
• Actual attack vector – still unknown
  — Insider
  — Physical access of a partner
  — Spear phishing
• Time based attack (time bomb)
• Worm spreading in local network
• Using local machine as a proxy
• Targeted companies were using solutions which are focused on prevention
Attacks Today: The Kill Chain
• Describes the progression an attacker follows when planning and executing an attack against a target
• Based on “Intelligence Based Defense”
• Presumes a rich threat intelligence capability leveraging internal and/or external sourced visibility

[Kill chain diagram: Recon → Weaponization → Delivery → Exploit → Install → C&C → Action, grouped into Predictive, Proactive and Reactive phases]
Why it wasn’t prevented
• Traditional solutions are limited

[Diagram: the kill chain Recon → Weaponization → Delivery → Exploit → Install → C&C → Action, with AV, FW/IPS/IDS and Sandbox/NGFW/Proxy each mapped onto the stages they cover]
100% Prevention is Not Possible
• Only focused on part of the kill chain

[Diagram: the kill chain Recon → Weaponization → Delivery → Exploit → Install → C&C → Action, annotated with examples: Neiman Marcus, Target PoS, French Aerospace, 0 day]
How Seculert Identified Shamoon
• Take the accurate intelligence gathered during the late stages of the kill chain and push it back into existing systems
• Enhances your ability to recognize and stop attacks

[Diagram: the kill chain Recon → Weaponization → Delivery → Exploit → Install → C&C → Action; late-stage sources feeding back as Actionable Data: Elastic Sandbox, Traffic log analysis, Crowdsourced threat data, Malware behavioral profile]
A Holistic Approach
[Diagram: the kill chain split into three phases, with the controls and intelligence sources shown along it]
• PREDICTIVE: Recon, Weaponization
• PROACTIVE: Delivery, Exploit, Install
• REACTIVE: C&C, Action
• Controls and sources along the chain: Risk, Intelligence, FW/IPS, Sandbox/NGFW/Proxy, IR/Forensics, Threat Intel, SIEM
• Intelligence Vectors: Seculert Intelligence Identification
Q&A
Thank You!
www.seculert.com
Come visit us at stand M85!