S4 krotofil afternoon_sesh_2017
1. SECURITY ANALYSIS OF CYBER ATTACKS IN UKRAINE
Marina Krotofil
Lead Security Researcher
Honeywell Industrial Cyber Security Lab
S4x17
Miami, Dec 10 2017
Oleksii Yasynskyi
Principal Researcher & Head of ISSP Labs
ISSP group
2. Recap: Dec 2016 Power failure in Ukraine
https://www.youtube.com/watch?v=AUoiKZBqIo0
Electrical transmission-level substation Pivnichna (330kV) suddenly cut off from the main power grid
Dec 17th 2016, at 23:53 (11:53 pm)
3. My Collaboration with Ukraine: How it Began
Feb 24-26, 2016
Invited to Ukraine by ISACA Kyiv Chapter
− Delivered 4 talks on ICS & Smart Cities security
Conference on Critical Infrastructure Protection
− Government
− Enterprises, financial sector, utilities
− Researchers
Ongoing collaboration in several areas
− Security governance and policies
− Education and international collaboration
− Research exchange
Alexey Yankovski
President
ISACA Kyiv Chapter
4. About ISSP
ISSP – Information Systems Security Partners
− A group of companies specialized in cybersecurity, data management solutions,
managed security services, professional training and security research
Research Center & ISSP Lab
− Specialization in malware analysis and advanced computer forensics. Provides
research facilities for cybersecurity students and scientists, est. 2015
Cyber Academy
− Educational institution whose aim is to enhance the quality of
cybersecurity and data science in academia, est. 2016
5. In this talk…
We are not sharing the details about the power grid hack yet
− But we focus on the steps leading to these kinds of consequences, which
are well studied and understood
Discovering KillDisk in your network is already too late
− The attackers already have a very reliable, distributed foothold
in your network
− Cleanup/eradication is almost impossible
It is critical to detect a malicious invasion at the early stages
− The very subtle traces left behind by the attackers
− Behavioral patterns
6. New wave of infection via spear phishing
July 14, 2016
Angry customer complains about an email from Diamantbank.
He supposedly has a large unpaid debt with the bank, which is now
threatening him with legal action.
Although the customer understood it was a scam, he OPENED the attachment.
(Screenshot: Financial Portal; customer reply: "Don't send me this scam again!")
7. Anti-spam detection
Malicious code is embedded into romantic lyrics to avoid detection
by spam detection algorithms (e.g. those scoring the ratio of text to code)
8. Signature-based detection evasion
Nesting doll: code in the code
These pieces of code will eventually assemble into a malicious line of code
https://eugenebicyclist.files.wordpress.com/2012/04/nestingdolls.jpg
9. Macros grow aware of their surroundings
(Figure: annotated macro code)
− SandBox and ISP detection routines
− ISP detection
− PowerShell start
− Malicious URL
− SandBox detection
− HTTP request for detecting the public IP of the target
12. Customization: your computer is special!
And the attacker is interested in getting to know it as intimately as possible
They put all their effort into winning the system's trust and
using it to its maximum potential
− 500 builds in just two weeks! (Hancitor)
13. Detection challenges: permutations (1)
(Figure: an assembled Rubik's Cube, a scrambled one, and its disassembled parts)
− Is it still a Rubik's Cube?
− Are these parts of a Rubik's Cube?
http://www.learnhowtosolvearubikscube.com/how-to-solve-a-rubiks-cube-solution-overview/
http://rubiks.wikia.com/wiki/Disassembling_a_Rubik's_cube
14. Detection challenges: permutations (2)
(Figure: annotated disassembly)
− This element in the entire code: extracting the main code
This is KillDisk, malware with a tiny task and multiple faces
15. Detection challenges: permutations (2)
(Figure: annotated disassembly of the unpacking routine)
− Fills in blank spaces after a few operations
− Register which points to the memory location where the virus unfolds
− Blank spaces which will be filled in the next iterations
as the virus unfolds itself
It is similar to the process of putting together a puzzle
16. Detection opportunities
Devising signatures for the whole malware sample is ineffective due to
malware mutation
Instead
Develop signatures for specific attack techniques
Hash-based function calls
− Approach proposed in ~2006
− LoadLibraryA & GetProcAddress are commonly used in malware code
Win32/Spy.Bebloh (banking trojan)
Win32/PSW.Fareit (Trojan for stealing passwords)
Win32/Rustock (Backdoor)
Win32/TrojanDownloader.Carberp (Dropper of banking trojan Carberp)
Win32/Kelihos (Spam sender)
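As an added illustration (not from the talk) of a technique-level signature: instead of matching a whole, mutating sample, the scanner below looks for the hash constants that a hashed-import loader must carry to resolve LoadLibraryA and GetProcAddress. It assumes the ROR-13 hash variant over the NUL-terminated name; families using another variant need their own table.

```python
import struct

# Assumption: ROR-13 over the NUL-terminated ASCII name. Other loaders use other
# rotations or constants, so this table only covers that one variant.
def ror13_hash(name: str) -> int:
    """Rolling hash: rotate the accumulator right by 13, then add the next byte."""
    h = 0
    for ch in name.encode("ascii") + b"\x00":
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h

# The pair the slide names, plus a few others such loaders typically resolve.
API_NAMES = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "WinExec", "ExitProcess"]
HASH_TABLE = {ror13_hash(n): n for n in API_NAMES}

def find_hashed_apis(blob: bytes) -> list:
    """Scan every 4-byte little-endian window for a known API-name hash.
    Returns (offset, api_name) pairs. The surrounding bytes may change from
    build to build, but the constants must survive or imports cannot resolve."""
    hits = []
    for off in range(len(blob) - 3):
        val = struct.unpack_from("<I", blob, off)[0]
        if val in HASH_TABLE:
            hits.append((off, HASH_TABLE[val]))
    return hits

# Constructed sample (not a real binary): NOP/INT3 filler around two
# 'push imm32' style constants, as a hashed-import stub would carry them.
SAMPLE = (b"\x90" * 5 + b"\x68" + struct.pack("<I", ror13_hash("LoadLibraryA"))
          + b"\xcc" * 3 + b"\x68" + struct.pack("<I", ror13_hash("GetProcAddress"))
          + b"\x00" * 4)

if __name__ == "__main__":
    for off, name in find_hashed_apis(SAMPLE):
        print(f"offset {off:#06x}: {name} (hash 0x{ror13_hash(name):08x})")
```

The same table can be reused across the "500 builds" of one family as long as the loader keeps its hash variant, which is exactly what a whole-sample signature cannot do.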
17. Meanwhile, back at the ranch…
SPEAR PHISHING ATTACK HITS
INDUSTRIAL COMPANIES
~500 organizations from 50 countries (active campaign)
− Vendors of industrial automation & field equipment
− Integrators and support contractors
Very determined attacker
− Appears to target smaller companies first so that it can send legitimate-looking
emails to larger companies
Old tools carefully packed into a new container
− Previously unseen crypter for delivery of the initial payload
− An array of tools for almost everything (remote administration, recon, data and
file collection, etc.)
18. Takeaways (1)
You will get hacked guests on your network
− The e-commerce sector is already moving away from the "end user host is
taken" attacker model to "end user application is taken"
− Detection/defenses at the level of work-flows and business processes
Camouflage and mimicry
(Figure: animal camouflage and Batesian mimicry; caption "YOU AGAIN?")
− The adversary will blend into your infrastructure
as quickly as possible
− Business process owners must be included in
defining known "good" and "not good"
thetoptenz.net/animal-camouflage/
https://bybio.wordpress.com/tag/batesian-mimicry/
21. The most important take away
In the 1st investigation, reconstructing the timeline took 4 months
− No tools (they had to be developed)
− No previous similar experience
Reconstructing the timeline now takes 2 weeks
− With even greater detail
− You save time and gain knowledge to work on defenses
http://cdn.quotesgram.com/img/99/0/1555958381-lemons.jpg
22. Acknowledgement
Honeywell team for incredible work environment and support
Roman Sologub, General Manager, ISSP
Aleksey Baranovsky, Head of Cyber Academy, ISSP
Vladimir Dashchenko, Kaspersky Lab & ICS-CERT
And dear hackers for securing our jobs ;-)