Transcript
Page 1: Why Depending On Malware Prevention Alone Is No Longer An Option

© 2013 Seculert Company, All Rights Reserved

Why Depending On Malware Prevention Alone Is No Longer An Option

WEBINAR

July 18, 2013

Page 2: Why Depending On Malware Prevention Alone Is No Longer An Option

Welcome

Aviv Raff, Chief Technology Officer

Debbie Cohen-Abravanel, VP Online Marketing

Are you on Twitter? Use #seculertjuly2013 to connect with us during and after the presentation.

Page 3: Why Depending On Malware Prevention Alone Is No Longer An Option

Advanced Threats in the News

Page 4: Why Depending On Malware Prevention Alone Is No Longer An Option

How Advanced Threats Work

Advanced Persistent Threat phases:

1. Preparation
2. Infection
3. Deployment
4. Persistence

Steps shown in the diagram:

• Define Target
• Create/Acquire Malware
• Research the Target
• "QA" for Detection
• Infect the Target
• "Call Home"
• Expand Access
• Extract Data
• Enhance Presence
• Stay Undetected

Page 5: Why Depending On Malware Prevention Alone Is No Longer An Option

Traditional Defenses

• Focus on prevention:
  – Endpoint products
  – Firewalls
  – IPS / IDS

• Is 100% prevention really feasible?
  – 0-day exploits
  – Spear-phishing
  – Remote access (VPN)
  – BYOD
  – Partners
  – Physical access

Page 6: Why Depending On Malware Prevention Alone Is No Longer An Option

Shamoon Targeted Attack

• Shamoon is a 2-stage attack targeting Oil & Energy companies
• Comprised of 3 modules
  – Dropper
  – Reporter
  – Wiper
• Extracting data via an internal infected machine proxy

Page 7: Why Depending On Malware Prevention Alone Is No Longer An Option

Shamoon Targeted Attack

• Spreads itself on the local network via Scheduled Tasks
• Abuses a legitimate & signed RawDisk driver to wipe the MBR
• Wiper module Time Bomb
  – Wipes drive and MBR at specified dates and times
  – Others copycat this capability

Page 8: Why Depending On Malware Prevention Alone Is No Longer An Option

Shamoon – Why It Wasn’t Prevented?

• Initial attack vector is still unknown
  – Physical access / Insider
  – Partner
  – Spear phishing
• Time based attack (time bomb)
• Worm spreading in local network
• Using local machine as a proxy
• Most of the victim companies were using solutions which are focused on prevention

Page 9: Why Depending On Malware Prevention Alone Is No Longer An Option

How Seculert Identified Shamoon?

• A customer uploaded a suspicious file to the Seculert Elastic Sandbox
• Malware behavioral profile was automatically created
• Shamoon was detected on another customer using Big Data analysis of their gateway traffic logs
• Customers use Seculert API to enhance their on-premises security devices to protect against Shamoon

Page 10: Why Depending On Malware Prevention Alone Is No Longer An Option

From Prevention to Protection

Persistent attacks require a new approach

Big Data analytics

Long-term analysis

Advanced malware profiling

Automated expertise

Page 11: Why Depending On Malware Prevention Alone Is No Longer An Option

Don’t forget to use #seculertjuly2013 on Twitter!

Visit us at: TT17

Page 12: Why Depending On Malware Prevention Alone Is No Longer An Option

Q & A

Page 13: Why Depending On Malware Prevention Alone Is No Longer An Option

Thank You

seculert.com/signup
