Case Study: Shamoon, a two stage targeted attack
Dudi Matot, Co-Founder & CEO
29/04/14
Agenda
• The Shamoon attack
• Why the attack was not prevented
• Attacks today
• How Shamoon was identified
• A holistic approach to threat protection
• Q&A
Shamoon Targeted Attack
• Shamoon is a 2-stage attack targeting Oil & Energy companies
• Comprised of 3 modules
  — Dropper
  — Reporter
  — Wiper
• Extracted data via an internal infected machine proxy
Shamoon Targeted Attack
• Spread itself on the local network via Scheduled Tasks
• Abused a legitimate & signed RawDisk driver to wipe the MBR
• Wiper module time bomb
  — Wiped the drive and MBR at specified dates and times
• Risk of copycats
Shamoon: Why wasn’t it prevented?
• Actual attack vector – still unknown
  — Insider
  — Physical access of a partner
  — Spear phishing
• Time based attack (time bomb)
• Worm spreading in local network
• Using local machine as a proxy
• Targeted companies were using solutions which are focused on prevention
Attacks Today: The Kill Chain
• Describes the progression an attacker follows when planning and executing an attack against a target
• Based on “Intelligence Based Defense”
• Presumes a rich threat intelligence capability leveraging internal and/or external sourced visibility
[Diagram: kill chain phases Recon → Weaponization → Delivery → Exploit → Install → C&C → Action, grouped into Predictive, Proactive and Reactive]
Why it wasn’t prevented
• Traditional solutions are limited
[Diagram: the kill chain (Recon → Weaponization → Delivery → Exploit → Install → C&C → Action) with the coverage of AV, FW/IPS/IDS and Sandbox/NGFW/Proxy marked against its phases]
100% Prevention is Not Possible
• Only focused on part of the kill chain
[Diagram: the kill chain (Recon → Weaponization → Delivery → Exploit → Install → C&C → Action) annotated with example breaches: Neiman Marcus, Target PoS, French Aerospace, 0 day]
How Seculert Identified Shamoon
• Take the accurate intelligence gathered during the late stages of the kill chain and push it back into existing systems
• Enhances your ability to recognize and stop attacks
[Diagram: the kill chain (Recon → Weaponization → Delivery → Exploit → Install → C&C → Action) with the components used: Malware behavioral profile, Crowdsourced threat data, Traffic log analysis, Elastic Sandbox, Actionable Data]
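The internal-proxy exfiltration behaviour described on the earlier slides, and the traffic log analysis listed on this one, as an added example that is not part of the original deck: a small Python detector run over constructed firewall log lines that flags an internal host which receives connections from many internal peers and also connects out to an external address. The log format, the 10.0.0.0/8 corporate range and the peer threshold are assumptions.

```python
"""Flag internal hosts that behave like a data-exfiltration relay.

Pattern: many internal hosts connect to one internal host, and that host
then connects to an external address. Constructed sample data; the line
format, the internal range and the threshold are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed corporate address range

# Constructed log lines: "<time> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
08:01:02 10.0.1.11 -> 10.0.1.50:445
08:01:05 10.0.1.12 -> 10.0.1.50:445
08:01:09 10.0.1.13 -> 10.0.1.50:445
08:01:10 10.0.1.14 -> 10.0.1.50:445
08:01:12 10.0.1.50 -> 203.0.113.7:443
08:02:00 10.0.1.11 -> 10.0.2.20:80
08:02:03 10.0.1.20 -> 203.0.113.9:443
"""


def parse(line):
    """Split one log line into (src, dst, dst_port)."""
    _, src, _, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return ip_address(src), ip_address(ip), int(port)


def find_internal_proxies(log_text, min_peers=3):
    """Return internal hosts with >= min_peers internal sources that also talk out."""
    fan_in = defaultdict(set)  # internal dst -> set of internal src hosts
    talks_out = set()          # internal hosts seen connecting externally
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, _ = parse(line)
        if src in INTERNAL and dst in INTERNAL:
            fan_in[dst].add(src)
        elif src in INTERNAL and dst not in INTERNAL:
            talks_out.add(src)
    return sorted(str(h) for h, peers in fan_in.items()
                  if len(peers) >= min_peers and h in talks_out)


if __name__ == "__main__":
    print(find_internal_proxies(SAMPLE_LOG))  # expected: ['10.0.1.50']
```

A hit such as 10.0.1.50 is a pivot for the "push it back into existing systems" step: the external destination it contacted becomes an indicator to search for across the rest of the logs.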
A Holistic Approach
[Diagram: kill chain phases grouped as PREDICTIVE (Recon, Weaponization), PROACTIVE (Delivery, Exploit, Install) and REACTIVE (C&C, Action); layers shown: Risk Intelligence, FW/IPS, Sandbox/NGFW/Proxy, IR/Forensics, Threat Intel, SIEM, Intelligence Vectors, Seculert Intelligence Identification]
Q&A
Thank You!
www.seculert.com
Come visit us at stand M85!