Transcript
Page 1: Infosecurity Europe 2014 Case Study: Shamoon, a two stage targeted attack

Case Study: Shamoon, a two stage targeted attack

Page 2

Case Study: Shamoon, a two stage targeted attack

Dudi Matot, Co-Founder & CEO

29/04/14

Page 3

Agenda

• The Shamoon attack
• Why the attack was not prevented
• Attacks today
• How Shamoon was identified
• A holistic approach to threat protection
• Q&A

Page 4

Shamoon Targeted Attack

• Shamoon is a 2-stage attack targeting Oil & Energy companies

• Comprised of 3 modules
  — Dropper
  — Reporter
  — Wiper

• Extracted data via an internal infected machine acting as a proxy

Page 5

Shamoon Targeted Attack

• Spread itself on the local network via Scheduled Tasks

• Abused a legitimate & signed RawDisk driver to wipe the MBR

• Wiper module Time Bomb
  — Wiped drive and MBR at specified dates and times
  — Risk of copycats
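The lateral spread described above leaves a trace a defender can look for: the same scheduled task appearing on many hosts in a short time. The script below is an added example (not code from the slides or from Seculert) and assumes scheduled-task creation events, such as Windows Security event ID 4698, have already been parsed into simple records; the sample records are constructed.

```python
"""Flag worm-like fan-out of a scheduled task across hosts.

Added illustration, not from the original slides. Assumes task-creation
events (e.g. Windows Security event 4698, "A scheduled task was created")
are already normalised into dicts with time, host, task and user fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one task name created on several hosts within minutes.
SAMPLE_EVENTS = [
    {"time": "2014-04-29T10:00:05", "host": "ws-01", "task": "\\Backup", "user": "svc_backup"},
    {"time": "2014-04-29T10:00:40", "host": "ws-02", "task": "\\at1", "user": "admin"},
    {"time": "2014-04-29T10:01:10", "host": "ws-03", "task": "\\at1", "user": "admin"},
    {"time": "2014-04-29T10:01:55", "host": "ws-04", "task": "\\at1", "user": "admin"},
    {"time": "2014-04-29T10:02:30", "host": "ws-05", "task": "\\at1", "user": "admin"},
    {"time": "2014-04-29T14:30:00", "host": "ws-09", "task": "\\Cleanup", "user": "it_ops"},
]


def find_spreading_tasks(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return {task: hosts} for tasks created on >= min_hosts distinct hosts
    within `window`.

    Legitimate deployment tooling also fans tasks out, so treat a hit as a
    triage signal to correlate with the creating account and task action.
    """
    by_task = defaultdict(list)
    for ev in events:
        by_task[ev["task"]].append((datetime.fromisoformat(ev["time"]), ev["host"]))

    alerts = {}
    for task, seen in by_task.items():
        seen.sort()  # chronological order so the window scan below is valid
        # Slide a window starting at each creation time, counting distinct hosts.
        for i, (t0, _) in enumerate(seen):
            hosts = {h for t, h in seen[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[task] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for task, hosts in find_spreading_tasks(SAMPLE_EVENTS).items():
        print(f"task {task!r} created on {len(hosts)} hosts: {', '.join(hosts)}")
```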

Page 6

Shamoon: Why wasn’t it prevented?

• Actual attack vector – still unknown
  — Insider
  — Physical access of a partner
  — Spear phishing

• Time based attack (time bomb)
• Worm spreading in local network
• Using a local machine as a proxy
• Targeted companies were using solutions which are focused on prevention

Page 7

Attacks Today: The Kill Chain

• Describes the progression an attacker follows when planning and executing an attack against a target

• Based on “Intelligence Based Defense”
• Presumes a rich threat intelligence capability leveraging internal and/or external sourced visibility

[Diagram: Recon → Weaponization → Delivery → Exploit → Install → C&C → Action, grouped as Predictive, Proactive and Reactive]

Page 8

Why it wasn’t prevented

• Traditional solutions are limited

[Diagram: kill chain (Recon → Weaponization → Delivery → Exploit → Install → C&C → Action) with traditional controls overlaid: AV; FW/IPS/IDS; Sandbox/NGFW/Proxy]

Page 9

100% Prevention is Not Possible

• Only focused on part of the kill chain

[Diagram: kill chain (Recon → Weaponization → Delivery → Exploit → Install → C&C → Action) with breach examples placed along it: Neiman Marcus; Target PoS; French Aerospace; 0 day]

Page 10

How Seculert Identified Shamoon

• Take the accurate intelligence gathered during the late stages of the kill chain and push it back into existing systems

• Enhances your ability to recognize and stop attacks

[Diagram: kill chain (Recon → Weaponization → Delivery → Exploit → Install → C&C → Action) with sources feeding actionable data: Malware behavioral profile; Crowdsourced threat data; Traffic log analysis; Elastic Sandbox]

Page 11

A Holistic Approach

[Diagram: kill chain phases grouped as PREDICTIVE (Recon, Weaponization), PROACTIVE (Delivery, Exploit, Install) and REACTIVE (C&C, Action); axis labels: Risk, Intelligence; controls shown: FW/IPS, Sandbox/NGFW/Proxy, IR/Forensics, Threat Intel, SIEM; Intelligence Vectors; Seculert Intelligence Identification]

Page 12

Q&A

Page 13

Thank You!

www.seculert.com

Come visit us at stand M85!