S4 krotofil afternoon_sesh_2017
SECURITY ANALYSIS OF CYBER ATTACKS IN
UKRAINE
Marina Krotofil, Lead Security Researcher, Honeywell Industrial Cyber Security Lab
S4x17, Miami, Dec 10 2017
Oleksii Yasynskyi, Principal Researcher & Head of ISSP Labs, ISSP group
Recap: Dec 2016 Power failure in Ukraine
https://www.youtube.com/watch?v=AUoiKZBqIo0
Electrical transmission-level substation Pivnichna (330kV) suddenly cut off from the main power grid on Dec 17th 2016, at 23:53 (11:53 pm)
My Collaboration with Ukraine: How it Began
Feb 24-26, 2016
Invited to Ukraine by ISACA Kyiv Chapter
− Delivered 4 talks on ICS & Smart Cities security
Conference on Critical Infrastructure Protection
− Government
− Enterprises, financial sector, utilities
− Researchers
Ongoing collaboration in several areas
− Security governance and policies
− Education and international collaboration
− Research exchange
Alexey Yankovski, President, ISACA Kyiv Chapter
About ISSP
ISSP – Information Systems Security Partners
− A group of companies specialized in cybersecurity, data management solutions, managed security services, professional training and security research
Research Center & ISSP Lab
− Specialization in malware analysis and advanced computer forensics. Provides research facilities for cybersecurity students and scientists, est. 2015
Cyber Academy
− Educational institution whose aim is to enhance the quality of cybersecurity and data science in academia, est. 2016
In this talk…
We are not sharing the details about the power grid hack yet
− But we focus on the steps leading to this kind of consequences, which are well studied and understood
Discovering KillDisk in your network is already too late
− The attackers already have a very reliable distributed foothold in your network
− Cleanup/eradication is almost impossible
It is critical to detect malicious invasion at early stages
− The very subtle traces left behind by the attackers
− Behavioral patterns
New wave of infection via spear phishing
July 14, 2016
Angry customer complains about email from Diamantbank. He supposedly has a large unpaid debt with the bank which is now threatening him with legal action.
Although the customer understood it was a scam, he OPENED the attachment.
Financial Portal
Don’t send me this scam again!
Anti-spam detection: Malicious code is embedded into romantic lyrics to avoid detection by spam detection algorithms (e.g. the ratio of text to code)
Signature-based detection evasion
Nesting doll: code in the code
These pieces of code will eventually assemble into a malicious line of code
Macro grows aware of its surroundings
Sandbox and ISP detection routines
− ISP detection
− PowerShell start
− Malicious URL
− Sandbox detection
− HTTP request for detecting the public IP of the target
Obfuscation techniques: Making code look like pure noise
Video: Oleksii Yasynskyi
Customization: your computer is special!
And the attacker is interested to get to know it as intimately as possible
They put all their effort into winning the system's trust and using it to its full potential − 500 builds in just two weeks!
Hancitor
Detection challenges: permutations (1)
Is it still a Rubik's Cube? Are these parts of a Rubik's Cube?
Rubik's Cube: http://rubiks.wikia.com/wiki/Disassembling_a_Rubik's_cube
This element in the entire code
extracting main code
Detection challenges: permutations (2)
This is KillDisk, malware with a tiny task and multiple faces
Fills in blank spaces after a few operations
Register which points to the memory location where to unfold the virus
It is similar to the process of putting together a puzzle
Blank spaces which will be filled in the next iterations as the virus unfolds itself
Detection opportunities
Devising signatures for the whole malware sample is ineffective due to malware mutation
Instead, develop signatures for specific attack techniques, e.g. hash-based function calls
− Approach proposed in ~2006
− LoadLibraryA & GetProcAddress are commonly used in malware code
Win32/Spy.Bebloh (banking trojan)
Win32/PSW.Fareit (Trojan for stealing passwords)
Win32/Rustock (Backdoor)
Win32/TrojanDownloader.Carberp (Dropper of banking trojan Carberp)
Win32/Kelihos (Spam sender)
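As an added example of a technique-level signature rather than a sample-level one (this is not code from the talk or from ISSP), the script below computes the ROR-13 rolling hash that many loaders use in place of plaintext import names, builds a lookup table for LoadLibraryA and GetProcAddress, and scans a byte blob for the 4-byte constants. The hash variant and the sample blob are assumptions; the talk does not say which hashing scheme the signatures targeted, so adapt the hash function to the family you are hunting.

```python
import struct

# Assumed hash variant: ROR-13 over the ASCII name including its terminating NUL,
# the scheme widely seen in position-independent loaders. The talk does not name one.
def ror13_hash(name: bytes) -> int:
    h = 0
    for b in name + b"\x00":
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # 32-bit rotate right by 13
        h = (h + b) & 0xFFFFFFFF
    return h

# The two APIs the talk singles out; extend the list for your own hunts.
WATCHED_APIS = [b"LoadLibraryA", b"GetProcAddress"]

def api_hash_table(names=WATCHED_APIS) -> dict:
    """Map 32-bit hash -> API name, so a hit in a blob can be explained."""
    return {ror13_hash(n): n.decode() for n in names}

def scan_for_api_hashes(blob: bytes, table=None) -> list:
    """Return (offset, api_name) for every little-endian hash constant found."""
    table = table or api_hash_table()
    hits = []
    for h, name in table.items():
        needle = struct.pack("<I", h)
        start = 0
        while (i := blob.find(needle, start)) != -1:
            hits.append((i, name))
            start = i + 1
    return sorted(hits)

def looks_like_api_hashing(hits, window=64, min_distinct=2) -> bool:
    """A lone 4-byte match is weak evidence (random collisions happen);
    require several distinct API hashes within a short byte window."""
    for i, (off, _) in enumerate(hits):
        names = {n for o, n in hits[i:] if o - off <= window}
        if len(names) >= min_distinct:
            return True
    return False

# Constructed sample: filler bytes around two hash constants, the way a
# hashed-import resolver carries them as immediates. Not a real malware sample.
SAMPLE_BLOB = (
    b"\x90" * 16
    + struct.pack("<I", ror13_hash(b"LoadLibraryA"))
    + b"\xcc" * 8
    + struct.pack("<I", ror13_hash(b"GetProcAddress"))
    + b"\x00" * 8
)

if __name__ == "__main__":
    found = scan_for_api_hashes(SAMPLE_BLOB)
    print(found, looks_like_api_hashing(found))
```

The signature survives the permutations the talk describes because it keys on what the code must contain to resolve its imports, not on the surrounding bytes; the proximity rule in `looks_like_api_hashing` is what keeps a single accidental 4-byte match from raising an alert on its own.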
Meanwhile, back at the ranch… SPEAR PHISHING ATTACK HITS INDUSTRIAL COMPANIES
~500 organizations from 50 countries (active campaign)
− Vendors of industrial automation & field equipment
− Integrators and support contractors
Very determined attacker
− Appears to target smaller companies first so that it can send legitimate-looking emails to larger companies
Old tools carefully packed into a new container
− Earlier unseen crypter for delivery of initial payload
− An array of tools for almost everything (remote administration, recon, data and file collection, etc.)
Takeaways (1)
You will get hacked guests on your network
− E-commerce sector is already moving away from the “end user host is taken” attacker model to “end user application is taken”
− Detection/defenses at the level of work-flows and business processes
YOU AGAIN?
Camouflage and mimicry
− The adversary will blend into your infrastructure as quickly as possible
− Business process owners must be included for defining known “good” and “not good”
Uncovering disguise: Number of sessions under a legitimate service account
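Added example (not part of the talk, and not ISSP's tooling) of what "number of sessions under a legitimate service account" looks like as detection logic: a baseline of where and how a service account normally logs on, and a pass over logon records that flags unfamiliar hosts, unfamiliar logon types and bursts of sessions inside a one-hour window. The log format, the account and host names, and the baseline numbers are all constructed for the example; in practice the baseline comes from the business process owners the slide mentions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed logon records: "<ISO timestamp> <account> <source host> <logon type>".
# A backup service account that normally runs on one host suddenly shows up on
# workstations and an HMI, with interactive logons, within an hour.
LOG_LINES = """\
2017-03-01T22:10:04 svc_backup HOST-BK01 service
2017-03-01T22:40:12 svc_backup HOST-BK01 service
2017-03-01T23:02:55 svc_backup WKS-ACCT-07 network
2017-03-01T23:05:31 svc_backup WKS-HR-12 network
2017-03-01T23:07:48 svc_backup ENG-WS-03 interactive
2017-03-01T23:09:02 svc_backup HMI-OPS-01 interactive
2017-03-01T23:11:19 jdoe WKS-HR-12 interactive
"""

# Constructed baseline: where and how each service account is expected to log on.
BASELINE = {
    "svc_backup": {"hosts": {"HOST-BK01"}, "logon_types": {"service"}, "max_per_window": 2},
}

@dataclass(frozen=True)
class Session:
    ts: datetime
    account: str
    host: str
    logon_type: str

def parse_log(text: str) -> list:
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, logon_type = line.split()
        sessions.append(Session(datetime.fromisoformat(ts), account, host, logon_type))
    return sessions

def find_disguised_accounts(sessions, baseline=BASELINE, window=timedelta(hours=1)) -> list:
    """Return (account, reason, detail) for service accounts that stray from baseline."""
    alerts = []
    by_account = defaultdict(list)
    for s in sessions:
        by_account[s.account].append(s)
    for account, rows in by_account.items():
        profile = baseline.get(account)
        if profile is None:
            continue  # ordinary user account: outside this check's scope
        rows.sort(key=lambda s: s.ts)
        new_hosts = sorted({s.host for s in rows} - profile["hosts"])
        if new_hosts:
            alerts.append((account, "unexpected hosts", new_hosts))
        odd_types = sorted({s.logon_type for s in rows} - profile["logon_types"])
        if odd_types:
            alerts.append((account, "unexpected logon types", odd_types))
        # Sliding window: peak number of sessions that fall within `window` of each other.
        peak, start = 0, 0
        for end in range(len(rows)):
            while rows[end].ts - rows[start].ts > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > profile["max_per_window"]:
            alerts.append((account, "session burst", peak))
    return alerts

if __name__ == "__main__":
    for alert in find_disguised_accounts(parse_log(LOG_LINES)):
        print(alert)
```

The window is deliberately short: an adversary reusing a stolen service account tends to fan out across hosts in minutes, so a per-day count would average the burst away, while the host and logon-type checks catch the case where the count stays low but the account appears somewhere it has no business being.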
Takeaways (2)
Disjointed infrastructure monitoring approach is dead
− Bird's eye view: real-time holistic monitoring across multiple security and performance tools/applications
− And use their synergies
The most important takeaway
In the 1st investigation, reconstructing the timeline took 4 months
− No tools (had to be developed)
− No previous similar experience
Reconstructing the timeline now takes 2 weeks
− With even greater detail
− You spare time and gain knowledge to work on defenses
Acknowledgement
Honeywell team for incredible work environment and support
Roman Sologub, General Manager, ISSP
Aleksey Baranovsky, Head of Cyber Academy, ISSP
Vladimir Dashchenko, Kaspersky Lab & ICS-CERT
And dear hackers for securing our jobs ;-)
Thank you
Marina Krotofil, [email protected], @marmusha
Oleksii Yasynskyi, [email protected], @Aleksey_yas, https://socprime.com/en/blog/