Antivirus software didn't help utility with malware attack

When the zero-day attack known as the "Here You Have" virus hit about 500 PCs at the Salt River Project, a large public power utility and water supplier for Arizona, it turned out that the antivirus software in use provided no defense.

"It wasn't any help ," saiys Ty Moser, network and smart grid analyst for Salt River Project. The virus, arriving in mid-September as e-mail with a fake PDF, burrowed past the McAfee and Symantec anti-malware software when the e-mailed victim clicked on the attachment, which appeared to be from someone known.

In fact, the security and information event management (SIEM) equipment being used since last May at Salt River Project to monitor events, trouble-shoot the network and provide log management, turned out to be the best weapon available to go into hand-to-hand combat against the virus.

While the anti-virus software was knocked out of commission by "Here You Have," the SIEM gear called QRadar from Q1 Labs was able to detect the PCs at Salt River Project that had been hit by analyzing the abnormal behavior the PC started to display.

That's because each infected PC was suddenly detected trying to "call home" to an unknown command-and-control system on the Internet and spreading as spam via Microsoft Outlook. Moser said the QRadar SIEM gave IT staff a way to track down infections and go through the process manually cleaning them up, while it took about a day for McAfee and Symantec to provide the needed security updates, with McAfee slightly faster, Moser says.

Some analysts think the "Here You Have" mass e-mail virus -- which is also known to have hit Comcast, Google, Coca-Cola and NASA, among others -- may have been a targeted attack to hit specific enterprises and federal agencies, even an attack on critical infrastructure, rather than just a more random blanket e-mail blast. Moser also shares those suspicions. The FBI is investigating. An anti-U.S. hacker, apparently angry about Iraq and a threat made by a pastor in the United States to burn the Koran, claims credit for unleashing "Here You Have," though no arrests have yet been made.

Finding help in beating back a zero-day attack wasn't the main purpose when Salt River Project last year started looking into acquiring SIEM gear. Rather, the primary goal was ensuring compliance with the Critical Infrastructure Protection (CIP) rules for utilities that are set down by the North American Electric Reliability Corp.

One CIP rule requires retaining logs for considerable time. And In general, it's necessary to be able to send out alerts related to failed long-in attempts. As part of this regulatory requirement, "NERC sends out teams to audit -- they pick a random date and say, "I want to see the logs,'" Moser says, noting NERC wants to know how the power plant detect and respond to anomalies.

Salt River Project narrowed down its search related to SIEM and log-management gear to vendors that include RSA with its enVision product, Splunk, LogLogic, ArcSight and Q1 Labs. After a production-level test period, Q1 Labs was selected since it "did a good job" in holding down the number of false positives. "There's not a lot of bogus stuff," Moser says.

Today, the Q1 Labs' QRadar can take feeds from a variety of IDS/IPS, firewalls, routers, switches, Web proxies, and Windows and AIX servers, with Salt River Project is expanding use of SIEM with monitoring application-system logs.

QRadar has been helpful in many trouble-shooting scenarios, Moser says, noting "if a cluster fails over, and the primary is down, it sends an alert." But he adds takes some work to set up a SIEM like QRadar to get the most from it. "If you want to get value out of it, it's time-consuming."

Read more about security in Network World's Security section.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityExploits / vulnerabilities

More about ArcSightASAComcast CableFBIGoogleIPSLogLogicMcAfee AustraliaMicrosoftNASARSASplunkSymantec

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ellen Messmer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place