Case Study: Shamoon, a two stage targeted attack

Infosecurity Europe 2014 Case Study: Shamoon, a two stage targeted attack


In August 2012, Shamoon, a new piece of malware designed to attack Saudi Aramco, Saudi Arabia's national oil and natural gas company, was discovered. In its wake, the Shamoon malware destroyed data on about 30,000 of Aramco's computers and servers and inflicted a massive amount of damage and chaos that is still reverberating today. From kill switch to wiper, join us for an in-depth exploration of this two stage targeted attack.

- Explore the mechanics of the two stage targeted attack known as Shamoon
- Understand why the attack was not prevented by traditional on-premises security solutions
- Understand, through the Shamoon attack, that 100% prevention is not possible
- Gain an introduction to the tools and solutions that detected Shamoon
- Further comprehend APTs and other advanced malware and how to protect your company from attacks like Shamoon

This presentation was given by Seculert Co-Founder and CEO Dudi Matot at Infosecurity Europe 2014.


Page 1: Infosecurity Europe 2014 Case Study:  Shamoon, a two stage targeted attack

Case Study: Shamoon, a two stage targeted attack

Page 2

Case Study: Shamoon, a two stage targeted attack
Dudi Matot, Co-Founder & CEO

29/04/14

Page 3


Agenda

• The Shamoon attack
• Why the attack was not prevented
• Attacks today
• How Shamoon was identified
• A holistic approach to threat protection
• Q&A

Page 4


Shamoon Targeted Attack

• Shamoon is a two-stage attack targeting Oil & Energy companies
• Comprised of 3 modules:
  - Dropper
  - Reporter
  - Wiper
• Exfiltrated data through an infected internal machine acting as a proxy

Page 5


Shamoon Targeted Attack

• Spread itself on the local network via Scheduled Tasks
• Abused a legitimate & signed RawDisk driver to wipe the MBR
• Wiper module time bomb
  - Wiped the drive and MBR at specified dates and times
  - Risk of copycats
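All three behaviours on this slide leave traces in ordinary host telemetry, and they are worth hunting for because a valid code signature on the driver is exactly what lets it past signature-based checks. The following is an added example, not code from the presentation or from any Seculert product: a Python script over constructed Sysmon-style records (Event ID 1 process creation, Event ID 6 driver load) that flags a host creating scheduled tasks on many remote machines in a short window, a task start time shared by many of those remote tasks (the coordinated detonation), and a kernel driver load signed by a vendor outside a workstation baseline. Hostnames, paths, timestamps and the driver file name are invented; EldoS is named only because it is the vendor of the RawDisk driver, and the baseline of expected signers and the thresholds are assumptions to tune for your fleet.

```python
"""Hunt for the slide-5 Shamoon behaviours in Sysmon-style host telemetry.
Added example with constructed records; not the presentation's own code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records (Sysmon Event ID 1 = process create, 6 = driver load).
# Hostnames, paths and timestamps are invented for the example, not Aramco data.
EVENTS = [
    {"ts": "2012-08-15T08:00:01", "host": "WS-017", "id": 1,
     "cmdline": r'schtasks.exe /create /s WS-021 /tn upd /tr \\WS-017\ADMIN$\upd.exe /sc once /st 11:08'},
    {"ts": "2012-08-15T08:00:04", "host": "WS-017", "id": 1,
     "cmdline": r'schtasks.exe /create /s WS-022 /tn upd /tr \\WS-017\ADMIN$\upd.exe /sc once /st 11:08'},
    {"ts": "2012-08-15T08:00:09", "host": "WS-017", "id": 1,
     "cmdline": r'schtasks.exe /create /s WS-023 /tn upd /tr \\WS-017\ADMIN$\upd.exe /sc once /st 11:08'},
    {"ts": "2012-08-15T08:00:15", "host": "WS-017", "id": 1,
     "cmdline": r'schtasks.exe /create /s WS-024 /tn upd /tr \\WS-017\ADMIN$\upd.exe /sc once /st 11:08'},
    {"ts": "2012-08-15T08:00:20", "host": "WS-017", "id": 1,
     "cmdline": r'schtasks.exe /create /s WS-025 /tn upd /tr \\WS-017\ADMIN$\upd.exe /sc once /st 11:08'},
    # A single remote task from an admin box is routine and must not fire.
    {"ts": "2012-08-15T09:30:00", "host": "ADMIN-01", "id": 1,
     "cmdline": r'schtasks.exe /create /s FS-01 /tn backup /tr C:\bk.cmd /sc daily /st 02:00'},
    # Driver loads on a workstation: an OS driver, then a third-party raw-disk driver.
    # EldoS is the vendor of RawDisk; the file name here is invented.
    {"ts": "2012-08-15T11:08:02", "host": "WS-021", "id": 6, "signed": True,
     "image": r"C:\Windows\System32\drivers\tcpip.sys", "signature": "Microsoft Windows"},
    {"ts": "2012-08-15T11:08:03", "host": "WS-021", "id": 6, "signed": True,
     "image": r"C:\Windows\System32\drivers\rawdsk.sys", "signature": "EldoS Corporation"},
]

_REMOTE = re.compile(r"(?i)\bschtasks(?:\.exe)?\b.*\s/create\b.*\s/s\s+(\S+)")
_START = re.compile(r"(?i)\s/st\s+(\d{1,2}:\d{2})")
_DATE = re.compile(r"(?i)\s/sd\s+(\S+)")


def schtasks_remote_target(cmdline):
    """Return the remote host from 'schtasks /create ... /s HOST', else None.
    '/s' must be followed by whitespace, so '/sc' and '/st' do not match."""
    m = _REMOTE.search(cmdline)
    return m.group(1).strip('"').lstrip("\\").upper() if m else None


def _remote_tasks(events):
    for e in events:
        if e["id"] == 1:
            target = schtasks_remote_target(e["cmdline"])
            if target:
                yield e, target


def remote_task_fanout(events, window=timedelta(minutes=10), threshold=5):
    """Source hosts that created tasks on >= threshold distinct remote machines
    within any window-long interval: worm-style spread, not one-off admin work.
    Returns {source_host: sorted list of every target it touched}."""
    per_host = defaultdict(list)
    for e, target in _remote_tasks(events):
        per_host[e["host"]].append((datetime.fromisoformat(e["ts"]), target))
    flagged = {}
    for host, items in per_host.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            in_window = {tgt for t, tgt in items[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                flagged[host] = sorted({tgt for _, tgt in items})
                break
    return flagged


def coordinated_triggers(events, min_hosts=3):
    """Task start times shared by >= min_hosts distinct remote targets. A fleet of
    one-shot tasks all armed for the same instant is the time bomb from the slide.
    Returns {"<date> HH:MM": sorted targets}; schtasks defaults /sd to today."""
    by_trigger = defaultdict(set)
    for e, target in _remote_tasks(events):
        st = _START.search(e["cmdline"])
        if st:
            sd = _DATE.search(e["cmdline"])
            by_trigger[f"{sd.group(1) if sd else '<today>'} {st.group(1)}"].add(target)
    return {k: sorted(v) for k, v in by_trigger.items() if len(v) >= min_hosts}


def unexpected_driver_loads(events, baseline_signers=frozenset({"Microsoft Windows"})):
    """Driver loads that are unsigned or signed by a vendor outside the workstation
    baseline. A valid signature is not a clean bill of health: the wiper loaded a
    legitimately signed driver, so this is an allowlist, not a signature check."""
    return [(e["host"], e["image"], e.get("signature", ""))
            for e in events
            if e["id"] == 6 and (not e.get("signed") or e.get("signature") not in baseline_signers)]


if __name__ == "__main__":
    print("remote task fan-out:", remote_task_fanout(EVENTS))
    print("shared trigger times:", coordinated_triggers(EVENTS))
    print("drivers outside baseline:", unexpected_driver_loads(EVENTS))
```

The fan-out rule fires on the breadth of remote task creation from one source, which is what a worm looks like and what a single admin job does not; the trigger rule turns the time-bomb trait into something visible before detonation, since the start time is sitting in the task definition; the driver rule deliberately ignores whether the signature is valid and asks only whether the signer belongs on a workstation.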

Page 6


Shamoon: Why wasn’t it prevented?

• Actual attack vector: still unknown
  - Insider
  - Physical access by a partner
  - Spear phishing
• Time-based attack (time bomb)
• Worm spreading in the local network
• Using a local machine as a proxy
• Targeted companies were using solutions focused on prevention

Page 7


Attacks Today: The Kill Chain

• Describes the progression an attacker follows when planning and executing an attack against a target
• Based on "Intelligence Based Defense"
• Presumes a rich threat intelligence capability leveraging internal and/or external sourced visibility

[Diagram: the kill chain stages Recon, Weaponization, Delivery, Exploit, Install, C&C, Action, grouped into Predictive, Proactive and Reactive phases]

Page 8


Why it wasn't prevented

• Traditional solutions are limited

[Diagram: the kill chain stages Recon, Weaponization, Delivery, Exploit, Install, C&C, Action, with the traditional controls marked where they apply: AV, FW/IPS/IDS, Sandbox/NGFW/Proxy]

Page 9


100% Prevention is Not Possible

• Only focused on part of the kill chain

[Diagram: the kill chain stages Recon, Weaponization, Delivery, Exploit, Install, C&C, Action, annotated with breaches that got past prevention: Neiman Marcus, Target PoS, French Aerospace, 0 day]

Page 10


How Seculert Identified Shamoon

• Take the accurate intelligence gathered during the late stages of the kill chain and push it back into existing systems
• Enhances your ability to recognize and stop attacks

[Diagram: the kill chain stages Recon, Weaponization, Delivery, Exploit, Install, C&C, Action, with the inputs marked at the late stages: malware behavioral profile, actionable data, crowdsourced threat data, traffic log analysis, elastic sandbox]
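The "traffic log analysis" input above, and the "using a local machine as a proxy" point from the slide on why the attack was not prevented, come together in one concrete check: an infected workstation that other internal machines report to shows up in proxy or flow logs as an internal destination with unusual fan-in, and whatever that machine then talks to outside is the indicator worth pushing back to the firewall and proxy. The following is an added example, not code from the presentation or from Seculert: a Python script over constructed web-proxy/flow records that finds internal HTTP hubs outside a baseline of known servers, then lists each hub's external destinations as indicators. The log lines and addresses are invented (203.0.113.5 is a documentation address standing in for the outside), the internal ranges are assumed to be the RFC 1918 networks, and the known-server baseline and the fan-in threshold are assumptions to tune. The fan-in pattern is a generic one and is not a claim about the Shamoon reporter's actual protocol.

```python
"""Find an internal machine used as a collection hub from traffic logs, then
derive perimeter indicators from it. Added example with constructed records."""
import ipaddress
from collections import defaultdict

# Constructed web-proxy / flow records: "timestamp src_ip dst_ip dst_port method bytes".
# 10.20.5.40 is an ordinary workstation that six peers suddenly report to;
# 10.20.0.10 is the intranet portal; 203.0.113.5 (TEST-NET-3) stands in for the outside.
LOG = """\
2012-08-14T10:01:02 10.20.1.11 10.20.5.40 80 GET 512
2012-08-14T10:01:05 10.20.1.12 10.20.5.40 80 GET 498
2012-08-14T10:01:09 10.20.1.13 10.20.5.40 80 GET 530
2012-08-14T10:01:11 10.20.2.7 10.20.5.40 80 GET 501
2012-08-14T10:01:14 10.20.2.9 10.20.5.40 80 GET 488
2012-08-14T10:01:20 10.20.3.3 10.20.5.40 80 GET 515
2012-08-14T10:02:00 10.20.1.11 10.20.0.10 80 GET 2048
2012-08-14T10:02:03 10.20.1.12 10.20.0.10 80 GET 1900
2012-08-14T10:02:06 10.20.1.13 10.20.0.10 80 GET 2010
2012-08-14T10:02:08 10.20.2.7 10.20.0.10 80 GET 1988
2012-08-14T10:02:12 10.20.2.9 10.20.0.10 80 GET 2100
2012-08-14T10:02:30 10.20.1.11 93.184.216.34 443 CONNECT 3000
2012-08-14T10:05:00 10.20.5.40 203.0.113.5 443 CONNECT 40960
"""

# Assumed internal ranges (RFC 1918) and the baseline of known internal web servers.
# Without the baseline, every busy intranet server looks like a hub.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_SERVERS = frozenset({"10.20.0.10"})


def parse(log):
    """Yield (src, dst, port, method, nbytes) per record; blank lines are skipped."""
    for line in log.splitlines():
        if line.strip():
            _ts, src, dst, port, method, nbytes = line.split()
            yield src, dst, int(port), method, int(nbytes)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def internal_fanin(log, known_servers=KNOWN_SERVERS, min_sources=5):
    """Internal hosts that are not known servers yet receive HTTP from >= min_sources
    distinct internal peers. An external blocklist never fires on this traffic
    because none of it leaves the LAN. Returns {hub_ip: sorted source ips}."""
    sources = defaultdict(set)
    for src, dst, port, _method, _nbytes in parse(log):
        if port in (80, 8080) and is_internal(src) and is_internal(dst) and dst not in known_servers:
            sources[dst].add(src)
    return {dst: sorted(s, key=ipaddress.ip_address)
            for dst, s in sources.items() if len(s) >= min_sources}


def hub_egress(log, hub):
    """External destinations the hub itself contacted: the next hop outward and the
    indicator worth pushing to the firewall/proxy (the C&C/Action end of the chain)."""
    return sorted({dst for src, dst, _p, _m, _n in parse(log)
                   if src == hub and not is_internal(dst)}, key=ipaddress.ip_address)


def indicators(log, **kw):
    """Run both steps and return (indicator, reason) pairs ready for a SIEM
    watchlist or a perimeter block list."""
    out = []
    for hub, srcs in internal_fanin(log, **kw).items():
        out.append((hub, f"internal hub: {len(srcs)} peers report to it over HTTP"))
        for ext in hub_egress(log, hub):
            out.append((ext, f"external destination contacted by internal hub {hub}"))
    return out


if __name__ == "__main__":
    for indicator, reason in indicators(LOG):
        print(f"{indicator:16} {reason}")
```

The baseline matters as much as the threshold: with `known_servers` empty the intranet portal is reported too, which is the noise that makes naive fan-in rules get switched off. Feed the hub into the incident response queue and the external destination into the existing perimeter controls, which is the "push it back into existing systems" step the slide describes.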

Page 11


A Holistic Approach

[Diagram: the kill chain split into three phases, with the controls and intelligence vectors applied at each; reconstructed as a table]

Phase        Kill chain stages            Controls
PREDICTIVE   Recon, Weaponization         Risk, Intelligence
PROACTIVE    Delivery, Exploit, Install   FW/IPS, Sandbox/NGFW/Proxy
REACTIVE     C&C, Action                  IR/Forensics, Threat Intel, SIEM

Intelligence Vectors
Seculert Intelligence Identification

Page 12


Q&A

Page 13


Thank You!
www.seculert.com

Come visit us at stand M85!