4. TODAY’S SPEAKERS
Amir Kaushansky, VP Product
• +15 years of experience in Cyber Security & Product management
• 3 years cloud, containers and serverless experience:
  • Head of cloud network security (Check Point)
  • VP Product management (ARMO)
Leonid Sandler, CTO, Co-Founder
• +20 years software security experience
• Ex NDS CTO Software Security
• Designed Cloud Security products serving the world's largest content providers
• Built & managed a Product and Development team of over 130 people
5. BREAKING THE SOLARWINDS ATTACK TO PIECES
HOW THE ATTACK IS MAPPED TO THE CYBERSECURITY KILL CHAIN
1. The Backdoor – Break into SolarWinds & learn the SDLC; insert malicious code into the source
2. The Malware – Fileless droppers
3. The Actual Attack – Dropper payload
6. SOLARWINDS ATTACK CHAIN – 1. THE BACKDOOR
• SUNSPOT – the malware that compromised SolarWinds
• SUNBURST – the backdoor code
7. SOLARWINDS ATTACK CHAIN – 2. THE MALWARE
Several types were spotted: TEARDROP and RAINDROP
• TEARDROP is a second stage loader
• Cobalt Strike BEACON – loaded by TEARDROP, hidden in a JPEG file
8. SOLARWINDS ATTACK CHAIN – 3. THE ACTUAL ATTACK
Cobalt Strike BEACON (or similar)
• Lateral movements
• Keys & data exfiltration
9. SOLARWINDS ATTACK CHAIN – TO SUMMARIZE
• Malicious actors will get in. The only question is when.
• Attackers will use all kinds of stealth techniques
• The complexity of target environments will require additional code drops
17. ISSUE 2: GRANULARITY OF IDENTITY
[Diagram: an NGINX "Web" workload and a SQL "DB" workload; policy: Web – DB (Allow); a "Malware" process is also shown]
18. ISSUE 3: FILELESS MALWARE
Where should I be looking?
[Diagram: layered stack of Host Operating System, Container Engine, K8s and PODs; each POD holds an OS with processes (Proc A, Proc B), one POD also carrying a Sidecar]
19. ARMO
The next generation architecture for observability, security and control in K8s and Cloud Native environments
• ARMO FABRIC is the only solution that brings together workload and data protection under a single Zero Trust model
• ARMO FABRIC is the only solution that automatically protects data in all stages without change to existing workloads and architecture
• ARMO FABRIC is the only solution that automatically establishes inherently secure environments
20. DEMO TIME: IN-MEMORY FILELESS ATTACK BY EZURI
• Ezuri acts as a malware memory loader and executes its payload in memory, without writing the file to disk
• Over the past few months, several malware authors used the Ezuri loader, including TeamTNT
• The TeamTNT botnet is a crypto-mining malware, named Black-T, that targets Docker installs and is designed to install network scanners and retrieve credentials from memory
• Recently the TeamTNT botnet also started to target misconfigured Kubernetes installations.
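A defender-side check for the behaviour this slide describes, added here as an example and not code from the deck or from ARMO. It assumes that a loader which execs its payload from memory leaves /proc/<pid>/exe pointing at an anonymous memfd or an unlinked file; the sample snapshot is constructed.

```python
"""Flag Linux processes executing from memory instead of from a file on disk.
Added example (not from the deck or ARMO). Assumption: a fileless loader such as
the one described on the Ezuri slide execs its payload from an anonymous memfd
or an unlinked file, so /proc/<pid>/exe resolves to "/memfd:... (deleted)" or
"<path> (deleted)" instead of a regular path."""
import os


def classify_exe_target(target):
    """Return why an exe link target looks fileless, or None if it looks normal."""
    if target.startswith("/memfd:"):
        return "anonymous memfd executable"
    if target.endswith("(deleted)"):
        return "executable unlinked after exec"
    return None


def find_fileless(exe_targets):
    """Map pid -> reason for every pid whose readlink('/proc/<pid>/exe') looks fileless."""
    suspicious = {}
    for pid, target in exe_targets.items():
        reason = classify_exe_target(target)
        if reason:
            suspicious[pid] = reason
    return suspicious


def read_proc_exe_targets(proc="/proc"):
    """Collect /proc/<pid>/exe link targets for every readable process on a live host."""
    targets = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            targets[int(name)] = os.readlink(os.path.join(proc, name, "exe"))
        except OSError:  # kernel thread, process already gone, or no permission
            continue
    return targets


# Constructed sample snapshot (not real data): plausible readlink results.
SAMPLE_EXE_TARGETS = {
    1: "/usr/lib/systemd/systemd",
    1337: "/memfd:payload (deleted)",    # exec'd from an anonymous memory file
    2048: "/tmp/.hidden/bin (deleted)",  # binary removed from disk after exec
    3001: "/usr/sbin/nginx",
}

if __name__ == "__main__":
    for pid, reason in sorted(find_fileless(SAMPLE_EXE_TARGETS).items()):
        print(f"pid {pid}: {reason}")
```

On a live host, `find_fileless(read_proc_exe_targets())` applies the same heuristic to the real process list; inside a container, run it against the host's /proc to cover every POD at once.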
21. KEY TAKEAWAYS
Security is a cat and mouse game
1. Attackers are more sophisticated
2. Vulnerability scanning is an everlasting process and can't find all the holes
3. Posture and shift-left is great, but runtime protection must be added as well!