Industrial Cyber Warfare Already Here

All rights reserved to Security Art Ltd. 2002 - 2010 www.security-art.com Itzik Kotler | April 2011 Industrial Cyber Warfare Already Here Itzik Kotler CTO, Security Art

Transcript of Industrial Cyber Warfare Already Here

Page 1: Industrial Cyber Warfare Already Here

All rights reserved to Security Art Ltd. 2002 - 2010 www.security-art.com

Itzik Kotler | April 2011

Industrial Cyber Warfare Already Here

Itzik Kotler

CTO, Security Art

Page 2: Industrial Cyber Warfare Already Here

All rights reserved to Security Art Ltd. 2002 - 2011

www.security-art.com

Cyber Warfare

• Cyber Warfare is the use of electronic communications and the Internet to disrupt a country's telecommunications, power supply, transport system, etc.

• Cyber Warfare arsenal includes: Logic Bombs, Permanent Denial-of-Service, Advanced Persistent Threats and more.

Page 3: Industrial Cyber Warfare Already Here

Let Me Stuxnet You!

• Today it’s a country that seeks to destroy another nation, and tomorrow it’s a commercial company that seeks to make a rival company go out of business. An act of Industrial Cyber Warfare.

• A successfully delivered Industrial Cyber Warfare attack causes financial loss, operational loss, or both to the attacked company!

Page 4: Industrial Cyber Warfare Already Here

Industrial Cyber Warfare: Why & Who?

• Industrial Espionage

– Rival Companies

– Foreign Countries

• Terrorism

– Political/Social Agenda

– Revenge

• Blackmailing

– Greed, Power, etc.

Page 5: Industrial Cyber Warfare Already Here

1st Step: Getting In

• Getting infected with malware is usually much easier than detecting it, or getting rid of it.

• Delivery vectors:

– Client-side Vulnerabilities

– Social Networks

– Social Engineering

Page 6: Industrial Cyber Warfare Already Here

Permanent Denial-of-Service

• Permanent Denial-of-Service is an attack that damages hardware so badly that it requires replacement or reinstallation of hardware.

• The damage potential is on a grand scale: almost anything and everything is controlled by software that can be modified or attacked.

Page 7: Industrial Cyber Warfare Already Here

How Does Permanent Denial-of-Service Work?

• Pushing hardware to its extreme, or corrupting its internal program/data structures

• Permanent Denial-of-Service Attacks:

– Overvolting

– Overclocking

– Overusing

– Power Cycling

– Phlashing

Page 8: Industrial Cyber Warfare Already Here

2nd Step: Attacking Hardware

• Permanent Denial-of-Service attacks range from rendering devices such as iPhones, iPods and iPads useless, to crashing hard drives, to increasing the voltage within CPUs.

• Permanent Denial-of-Service attacks can be independent, orchestrated, remotely triggered, etc.

Page 9: Industrial Cyber Warfare Already Here

Scenario #1: Attacking the CEO’s iPad

• The attacker uses spear phishing/whaling to infect the CEO with malware.

• The malware contains a Permanent Denial-of-Service payload that renders an iPad useless.

• The CEO connects his iPad to his laptop for syncing purposes.

• The malware overwrites the iPad firmware with a corrupted one and renders it useless.

Page 10: Industrial Cyber Warfare Already Here

Scenario #2: Attacking the CRM/ERP

• The attacker uses a social network to get to an employee and infect him with malware.

• The malware contains a Permanent Denial-of-Service payload that overvolts the CRM/ERP servers' CPU.

• The malware exploits remote vulnerabilities to gain access to the CRM/ERP servers.

• The malware copies itself to the CRM/ERP servers and overvolts the CPU beyond its limits.

Page 11: Industrial Cyber Warfare Already Here

Scenario #3: Taking down the Company

• The attacker uses a client-side vulnerability to infect an employee with a worm.

• The employee connects his infected laptop to the corporate network and the worm spreads.

• The worm contains a Permanent Denial-of-Service payload that crashes the hard drive.

• Two weeks later, all the hard drives in the company’s computers and laptops crash on the same day.

Page 12: Industrial Cyber Warfare Already Here

Industrial Cyber Warfare Already Here

• Cyber Warfare is expected to hit the commercial market in the next few years, and we will see more and more companies being attacked by APTs that will “blow up” in their faces.

• There is no silver bullet for it; this threat requires threat modeling that reflects not only a technological understanding but also a business understanding of the company and its assets.

Page 13: Industrial Cyber Warfare Already Here

Thanks!

Questions are guaranteed in life; Answers aren't.

mailto: itzik.kotler@security-art.com