Why Depending On Malware Prevention Alone Is No Longer An Option WEBINAR © 2013 Seculert Company, All Rights Reserved July 18, 2013


DESCRIPTION

Over the last few years Seculert and other leading security companies have discovered many advanced malware families lurking on company networks that went undetected by standard advanced threat prevention solutions. Enterprises are now realizing that they need alternative solutions to protect their networks. Learn why depending on malware prevention alone is no longer an option. Join Seculert’s CTO Aviv Raff for an in-depth webinar. Aviv Raff will address:

- How recent malware such as Dexter and Shamoon entered company networks despite their APT prevention systems
- How Seculert discovered Shamoon
- Why your peers are moving to malware detection instead of prevention
- How Big Data is an indispensable tool to fight Advanced Persistent Threats

Raff is responsible for the fundamental research and design of Seculert’s core technology. Don’t miss out on hearing from the expert.


Page 1: Why Depending On Malware Prevention Alone Is No Longer An Option

WEBINAR

July 18, 2013

Page 2: Welcome

Aviv Raff, Chief Technology Officer

Debbie Cohen-Abravanel, VP Online Marketing

Are you on Twitter? Use #seculertjuly2013 to connect with us during and after the presentation.

Page 3: Advanced Threats in the News

Page 4: How Advanced Threats Work

Lifecycle steps shown in the slide's cycle diagram:

Define Target → Research the Target → Create/Acquire Malware → "QA" for Detection → Infect the Target → "Call Home" → Expand Access → Extract Data → Enhance Presence → Stay Undetected

Phases of an Advanced Persistent Threat:

1. Preparation

2. Infection

3. Deployment

4. Persistence

Page 5: Traditional Defenses

(The Advanced Persistent Threat lifecycle diagram from Page 4 is repeated on this slide.)

• Focus on prevention:
– Endpoint products
– Firewalls
– IPS / IDS

• Is 100% prevention really feasible?
– 0-day exploits
– Spear-phishing
– Remote access (VPN)
– BYOD
– Partners
– Physical access

Page 6: Shamoon Targeted Attack

• Shamoon is a 2-stage attack targeting Oil & Energy companies

• Comprised of 3 modules:
– Dropper
– Reporter
– Wiper

• Extracts data via an internal infected machine acting as a proxy

Page 7: Shamoon Targeted Attack (continued)

• Spreads itself on the local network via Scheduled Tasks

• Abuses a legitimate, signed RawDisk driver to wipe the MBR

• Wiper module time bomb:
– Wipes the drive and MBR at specified dates and times
– Other attackers have since copied this capability

Page 8: Shamoon – Why Wasn’t It Prevented?

• Initial attack vector is still unknown:
– Physical access / insider
– Partner
– Spear phishing

• Time-based attack (time bomb)

• Worm spreading in the local network

• Using a local machine as a proxy

• Most of the victim companies were using solutions focused on prevention

Page 9: How Seculert Identified Shamoon

• A customer uploaded a suspicious file to the Seculert Elastic Sandbox

• A malware behavioral profile was automatically created

• Shamoon was detected on another customer using Big Data analysis of their gateway traffic logs

• Customers use the Seculert API to enhance their on-premises security devices to protect against Shamoon
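The slides name two Shamoon behaviours a defender can look for in gateway traffic logs: data leaving through an "internal infected machine proxy" (Pages 6 and 8) and detection built on analysis of those logs (Page 9). The following is an added example, not Seculert's analytics or any code from the deck: it scores each internal host on fan-in from other internal hosts versus bytes it relays to external addresses. The address ranges, thresholds and flow records are all constructed for the example.

```python
"""Added example (not Seculert's code): flag an internal host that behaves like
the 'internal infected machine proxy' described on the Shamoon slides, using
only gateway/flow-style records. All sample flows below are constructed."""
from collections import defaultdict

INTERNAL_PREFIXES = ("10.", "192.168.")   # assumption: the org's address space

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)

# Constructed records: (src_ip, dst_ip, dst_port, bytes_transferred).
FLOWS = [
    # Several workstations push data to 10.0.0.50 over SMB...
    ("10.0.0.11", "10.0.0.50", 445, 5_000_000),
    ("10.0.0.12", "10.0.0.50", 445, 4_200_000),
    ("10.0.0.13", "10.0.0.50", 445, 6_100_000),
    ("10.0.0.14", "10.0.0.50", 445, 3_900_000),
    # ...and 10.0.0.50 alone relays a comparable volume outbound.
    ("10.0.0.50", "203.0.113.7", 443, 18_500_000),
    # Legitimate file server: fan-in but no external egress.
    ("10.0.0.11", "10.0.0.20", 445, 900_000),
    ("10.0.0.12", "10.0.0.20", 445, 700_000),
    ("10.0.0.13", "10.0.0.20", 445, 800_000),
    ("10.0.0.14", "10.0.0.20", 445, 600_000),
    # Ordinary workstation: external egress but no fan-in.
    ("10.0.0.11", "198.51.100.9", 443, 250_000),
]

def find_proxy_candidates(flows, min_peers=3, relay_ratio=0.5):
    """Return {host: (peer_count, bytes_in, bytes_out_external)} for internal
    hosts that receive from at least min_peers distinct internal peers AND send
    externally at least relay_ratio of what they took in. Hosts with fan-in but
    no egress (file servers) or egress but no fan-in (workstations) are skipped."""
    peers = defaultdict(set)
    bytes_in = defaultdict(int)
    bytes_out_ext = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            peers[dst].add(src)
            bytes_in[dst] += nbytes
        elif is_internal(src) and not is_internal(dst):
            bytes_out_ext[src] += nbytes
    hits = {}
    for host, srcs in peers.items():
        out = bytes_out_ext.get(host, 0)
        if len(srcs) >= min_peers and out >= relay_ratio * bytes_in[host]:
            hits[host] = (len(srcs), bytes_in[host], out)
    return hits

if __name__ == "__main__":
    for host, (n, bi, bo) in find_proxy_candidates(FLOWS).items():
        print(f"{host}: {n} internal peers, {bi} bytes in, {bo} bytes out externally")
```

The thresholds are deliberately simple; in practice they would be tuned against a baseline of the environment's normal fan-in and egress per host.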

Page 10: From Prevention to Protection

Persistent attacks require a new approach:

• Big Data analytics

• Long-term analysis

• Advanced malware profiling

• Automated expertise

Page 11

Don’t forget to use #seculertjuly2013 on Twitter!

Visit us at: TT17

Page 12: Q & A

Page 13: Thank You

seculert.com/signup

Don’t forget to use #seculertjuly2013 on Twitter!