In August 2012, Shamoon, a new malware designed to attack Aramco, the Saudi Arabian national oil and natural gas company, was discovered. In its wake, the Shamoon malware destroyed data on about 30,000 of Aramco's computers and servers and inflicted a massive amount of damage and chaos that is still reverberating today. From kill switch to wiper, join us for an in-depth exploration of this two-stage targeted attack.
- Explore the mechanics of the two-stage targeted attack known as Shamoon
- Understand why the attack was not prevented by traditional on-premises security solutions
- Understand, through the Shamoon attack, that 100% prevention is not possible
- Gain an introduction to the tools and solutions that detected Shamoon
- Further comprehend APTs and other advanced malware, and how to protect your company from attacks like Shamoon
This presentation was given by Seculert Co-Founder and CEO Dudi Matot at Infosecurity Europe 2014.
Text of Infosecurity Europe 2014 Case Study: Shamoon, a two stage targeted attack
1. Case Study: Shamoon, a two stage targeted attack
2. Case Study: Shamoon, a two stage targeted attack. Dudi Matot, Co-Founder & CEO, 29/04/14
3. Agenda
- The Shamoon attack
- Why the attack was not prevented
- Attacks today
- How Shamoon was identified
- A holistic approach to threat protection
- Q&A
4. Shamoon Targeted Attack
- Shamoon is a 2-stage attack targeting Oil & Energy companies
- Comprised of 3 modules: Dropper, Reporter, Wiper
- Extracted data via an internal infected machine acting as a proxy
5. Shamoon Targeted Attack
- Spread itself on the local network via Scheduled Tasks
- Abused a legitimate & signed RawDisk driver to wipe the MBR
- Wiper module: time bomb; wiped the drive and MBR at specified dates and times
- Risk of copycats
6. Shamoon: Why wasn't it prevented?
- Actual attack vector still unknown: insider, physical access of a partner, spear phishing
- Time based attack (time bomb)
- Worm spreading in the local network
- Using a local machine as a proxy
- Targeted companies were using solutions which are focused on prevention
7. Attacks Today: The Kill Chain
- Describes the progression an attacker follows when planning and executing an attack against a target
- Based on Intelligence Based Defense
- Presumes a rich threat intelligence capability leveraging internal and/or external sourced visibility
- Stages: Recon, Weaponization, Delivery, Exploit, Install, C&C, Action; grouped as Predictive, Proactive, Reactive
8. Why it wasn't prevented: traditional solutions are limited
- AV, FW/IPS/IDS and Sandbox/NGFW/Proxy each cover only some stages of the kill chain (Recon, Weaponization, Delivery, Exploit, Install, C&C, Action)
9. 100% Prevention is Not Possible
- Only focused on part of the kill chain (Recon, Weaponization, Delivery, Exploit, Install, C&C, Action)
- Examples: Neiman Marcus, Target PoS, French Aerospace 0-day
10. How Seculert Identified Shamoon
- Take the accurate intelligence gathered during the late stages of the kill chain and push it back into existing systems
- Enhances your ability to recognize and stop attacks
- Kill chain: Recon, Weaponization, Delivery, Exploit, Install, C&C, Action
- Inputs: malware behavioral profile, crowdsourced threat data, traffic log analysis, Elastic Sandbox; output: actionable data
11. A Holistic Approach
- PREDICTIVE (Recon, Weaponization), PROACTIVE (Delivery, Exploit, Install), REACTIVE (C&C, Action)
- Diagram rows: Intelligence, Vectors, Seculert; entries: Risk Intelligence, FW/IPS, Sandbox/NGFW/Proxy, IR/Forensics, Threat Intel, SIEM, Intelligence, Identification
12. Q&A
13. Thank You! www.seculert.com Come visit us at stand M85!
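The spread and wipe behaviours listed on slides 5 and 6 (worm-like spread through Scheduled Tasks on the local network, a signed RawDisk driver loaded before the wipe) can be turned into host-log detection logic. The following is an added example and is not code from the presentation or from Seculert: it parses constructed Windows-style event records (event 4698, "a scheduled task was created", logged on the host that receives the task; event 7045, "a new service was installed"), flags an account that creates tasks on many hosts within a short window, flags driver installs whose name matches a marker, and correlates the two. The key=value log format, host names, account name, driver file name, marker string and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simple key=value line format (an example format,
# not a Windows export). Event 4698 ("A scheduled task was created") is written on
# the host where the task lands; event 7045 ("A new service was installed") records
# a service/driver registration. Host names, account and driver names are made up.
SAMPLE_EVENTS = r"""
ts=2012-08-15T07:55:02 host=FS-01 event=4698 user=CORP\svc_backup task=\at1
ts=2012-08-15T07:55:09 host=WS-0417 event=4698 user=CORP\svc_backup task=\at1
ts=2012-08-15T07:55:15 host=WS-0418 event=4698 user=CORP\svc_backup task=\at1
ts=2012-08-15T07:55:21 host=WS-0419 event=4698 user=CORP\svc_backup task=\at1
ts=2012-08-15T07:55:30 host=WS-0420 event=4698 user=CORP\svc_backup task=\at1
ts=2012-08-15T09:00:00 host=WS-0101 event=4698 user=CORP\jsmith task=\Backup\Nightly
ts=2012-08-15T08:12:40 host=WS-0417 event=7045 user=SYSTEM service=rawdisk_example image=C:\Drivers\rawdisk_example.sys
ts=2012-08-15T08:13:00 host=WS-0418 event=7045 user=SYSTEM service=vmtools_example image=C:\Drivers\vmtools_example.sys
"""


def parse_events(text):
    """Turn key=value lines into dicts; the ts field becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        events.append(fields)
    return events


def detect_task_spread(events, min_hosts=3, window=timedelta(minutes=10)):
    """Flag an account whose scheduled-task creations land on >= min_hosts
    distinct hosts inside one sliding window: the worm-like spread pattern."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("event") == "4698":
            by_user[e["user"]].append((e["ts"], e["host"]))
    alerts = []
    for user, items in by_user.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append((user, sorted(hosts)))
                break  # one alert per account is enough
    return alerts


def detect_rawdisk_driver(events, markers=("rawdisk",)):
    """Flag service/driver installs whose name or image path contains a marker.
    A real deployment would match on the driver's file hash or signer from its
    own intelligence rather than on a substring (assumption for the example)."""
    hits = []
    for e in events:
        if e.get("event") != "7045":
            continue
        blob = (e.get("service", "") + " " + e.get("image", "")).lower()
        if any(m in blob for m in markers):
            hits.append((e["host"], e.get("image", "")))
    return hits


def correlate(events):
    """Hosts that both received a task during a spread and installed a
    marked driver: the wiper has been staged there."""
    spread_hosts = {h for _, hosts in detect_task_spread(events) for h in hosts}
    return sorted(h for h, _ in detect_rawdisk_driver(events) if h in spread_hosts)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("spread:", detect_task_spread(evts))
    print("driver:", detect_rawdisk_driver(evts))
    print("staged wiper on:", correlate(evts))
```

Run against the constructed records, the backup account is flagged for creating tasks on five hosts within a minute, the driver install on WS-0417 is flagged, and the correlation names WS-0417 as the host where both happened; the jsmith task and the vmtools install are left alone.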
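Slide 10's idea, taking the intelligence gathered at the C&C and Action stages and pushing it back into existing systems, as an added example that is not Seculert's code or product: a constructed behavioural profile (a C2 host and an upload URI pattern, as a sandbox run of a sample might yield) is matched against constructed egress proxy log lines to list the internal hosts that reported out, and any previously unknown host contacted with the same upload pattern is promoted to a new indicator, so the blocklist handed to the proxy or firewall grows from what the traffic logs reveal. The profile values, IP addresses, host names and log format are all example values.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed behavioural profile of a sample (example indicators, not Shamoon's).
BEHAVIOUR_PROFILE = {
    "c2_hosts": {"update-check.example.net"},
    "uri_pattern": re.compile(r"^/report/upload\?id=[A-Z0-9]+$"),
}

# Constructed proxy log lines: timestamp, internal source, method, URL, bytes sent.
SAMPLE_PROXY_LOG = """
2012-08-14T22:10:01 10.20.4.17 POST http://update-check.example.net/report/upload?id=A1 51200
2012-08-14T22:10:31 10.20.4.17 POST http://update-check.example.net/report/upload?id=A1 204800
2012-08-14T22:11:02 10.20.4.18 POST http://update-check.example.net/report/upload?id=B7 10240
2012-08-14T22:12:00 10.20.4.19 POST http://cdn-mirror.example.org/report/upload?id=C3 4096
2012-08-14T22:13:00 10.20.4.50 GET http://www.example.com/index.html 2048
"""


def parse_proxy_log(text):
    """Split each line into fields and break the URL into host and path+query."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, nbytes = line.split()
        u = urlsplit(url)
        path = u.path + ("?" + u.query if u.query else "")
        records.append({"ts": ts, "src": src, "method": method,
                        "host": u.hostname, "path": path, "bytes": int(nbytes)})
    return records


def analyse(records, profile):
    """Return (infected, derived): infected maps internal source -> summary of
    its reporting traffic; derived is the set of hosts that were not in the
    profile but received the profile's upload pattern (new indicators)."""
    infected = defaultdict(lambda: {"hits": 0, "bytes_out": 0, "hosts": set()})
    derived = set()
    for r in records:
        known = r["host"] in profile["c2_hosts"]
        behavioural = (r["method"] == "POST"
                       and profile["uri_pattern"].match(r["path"]) is not None)
        if not (known or behavioural):
            continue
        entry = infected[r["src"]]
        entry["hits"] += 1
        entry["bytes_out"] += r["bytes"]
        entry["hosts"].add(r["host"])
        if behavioural and not known:
            derived.add(r["host"])
    return dict(infected), derived


def build_blocklist(profile, derived):
    """Indicators to push to the proxy/firewall: known C2 hosts plus derived ones,
    one host per line in sorted order (generic format; adapt to the device)."""
    return sorted(profile["c2_hosts"] | derived)


if __name__ == "__main__":
    recs = parse_proxy_log(SAMPLE_PROXY_LOG)
    infected, derived = analyse(recs, BEHAVIOUR_PROFILE)
    for src, summary in sorted(infected.items()):
        print(src, summary["hits"], "uploads,", summary["bytes_out"], "bytes to", sorted(summary["hosts"]))
    print("blocklist:\n" + "\n".join(build_blocklist(BEHAVIOUR_PROFILE, derived)))
```

The loop is the feedback the slide describes: the behavioural profile (late-stage intelligence) identifies three reporting hosts in the proxy logs, the traffic log analysis in turn surfaces a second reporting endpoint the sandbox never saw, and both endpoints go back into the prevention layer as a blocklist.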