Adapting to the post-Shamoon world

IANS' Phil Gardner taps the expertise of IANS faculty on how businesses should respond to and prepare for targeted, geopolitical cyberattacks

In my last column in CSO, we talked about how the Shamoon virus attack on Saudi oil firm Aramco signified the start of an insidious new wave of malware. Instead of quietly siphoning off data and intellectual property for financial gain, Shamoon and others like it aim to publicly cripple businesses in the name of geopolitical score-settling, an intent that makes them far more dangerous and difficult to thwart.

The good news? More than 98 percent of businesses today, thankfully, do not fall within the crosshairs of these politically motivated attackers. If you aren't charged with running the main economic engine of your country (a high-profile bank, utility, defense contractor, etc.), chances are these types of attacks are not targeting you.

The bad news? Those businesses that fall within that targeted 2 percent face a difficult, time-consuming, expensive and risk-laden project as they work to harden their defenses and build practical survival strategies. Since the attackers simply seek to topple their targets in the fastest, most efficient manner possible, traditional crown jewel-focused defense mechanisms won't cut it. Instead, IANS clients are finding they must address the new threat both strategically and tactically.


"Strategically, the first step is to find where the failure-resistant systems live," advises IANS Faculty Member Marcus Ranum. "Those are the processes and systems the organization has already deemed valuable and business-critical." From there, it's a process of discovering and ruling out any critical single points of failure. "Say you have a mirrored server in a redundant data center. Work your way forward and back within the system until you find the single point of failure. Does that data center run off a single generator? Do those redundant links flow through a single gateway?"

Ranum also recommends firms square off their different architecture teams against one another and charge them with uncovering design flaws. "True, that's a nightmare from an HR standpoint, but having your ops teams vet your network designs and vice versa is the fastest way to uncover these issues."

From a tactical standpoint, many IANS clients are focusing equally on preventing initial delivery of the malware (implementing whitelisting tools like Bit9 and reputation-based tools like ProofPoint) and eliminating lateral movement once an attack makes it inside (via DLP or sandboxing/malware analysis tools like FireEye and Damballa). Aligning these tools with Lockheed's Kill Chain Methodology is a primary strategy. Lockheed's methodology lists the six main steps (reconnaissance, weaponization, delivery, exploitation, installation and command/control) every attacker takes to infiltrate an environment. If you thwart just one step you may end an attack, but thwarting several makes you resilient.

Others are looking to augment their current signature-based toolset (AV, IDS/IPS) with flow-based tools. Monitoring packet flows across the network using a tool like Cisco's NetFlow not only alerts you to anomalies faster, it also signals an attack's scale, enabling security teams to identify these types of attacks before they wreak havoc.
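The flow-based detection described above, as an added example that is not from the column or from IANS: it runs over constructed NetFlow-style records, assumes a 10.0.0.0/8 internal range, a fixed set of admin and file-sharing ports and an illustrative fan-out threshold, and reports how many internal hosts and subnets a source has touched, which is the scale signal rather than a bare alert.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style export (not real capture data). 10.1.1.10 sweeps
# SMB/RPC across five internal hosts in two subnets; 10.1.1.20 behaves normally.
SAMPLE_FLOWS = """src,dst,dport,proto,bytes
10.1.1.10,10.1.2.5,445,tcp,1200
10.1.1.10,10.1.2.6,445,tcp,1180
10.1.1.10,10.1.2.7,445,tcp,1190
10.1.1.10,10.1.3.8,445,tcp,1210
10.1.1.10,10.1.3.9,135,tcp,980
10.1.1.10,93.184.216.34,443,tcp,53000
10.1.1.20,10.1.2.5,445,tcp,88000
10.1.1.20,93.184.216.34,443,tcp,41000
10.1.1.20,10.1.4.4,53,udp,120
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # assumed internal address range
LATERAL_PORTS = {22, 135, 139, 445, 3389, 5985}  # admin / file-sharing services
FANOUT_THRESHOLD = 3  # assumed baseline: more distinct peers than this is unusual

def parse_flows(text):
    """Parse CSV flow records into dicts with integer port and byte fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["dport"], row["bytes"] = int(row["dport"]), int(row["bytes"])
    return rows

def internal_fanout(flows):
    """Map each source to the distinct internal peers it reached on lateral-movement
    ports; external destinations and other services are ignored."""
    peers = defaultdict(set)
    for f in flows:
        if ipaddress.ip_address(f["dst"]) in INTERNAL and f["dport"] in LATERAL_PORTS:
            peers[f["src"]].add(f["dst"])
    return peers

def detect_spread(flows, threshold=FANOUT_THRESHOLD):
    """Return {src: (hosts_touched, subnets_touched)} for sources above the
    threshold; the counts are the scale signal, not just a yes/no alert."""
    alerts = {}
    for src, dsts in internal_fanout(flows).items():
        if len(dsts) > threshold:
            nets = {ipaddress.ip_network(d + "/24", strict=False) for d in dsts}
            alerts[src] = (len(dsts), len(nets))
    return alerts

if __name__ == "__main__":
    for src, (hosts, nets) in detect_spread(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src}: {hosts} internal hosts across {nets} subnets on admin ports")
```

In a real deployment the threshold would be derived from each host's own historical fan-out rather than a constant, and the per-subnet count is what tells responders whether containment can stop at one segment.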

Still others are reconsidering their flat network architectures.

"Network segmentation is another major component of locking down the environment effectively," says IANS Lead Faculty Dave Shackleford. "Creating effective quarantine zones that only offer specific services and allow very limited communications inbound and outbound can more readily make anomalous traffic stand out."

Unfortunately, traditional tactics like implementing vulnerability scanning techniques may not prove as helpful in detecting systems susceptible to these sophisticated attacks.

"The threat of zero-day exploits is real, and there's no prescribed way to prepare for and prevent them entirely," Shackleford says. "One technique that is getting some attention today is virtualization isolation and encapsulation of endpoints, with vendors like Bromium leading the charge. However, many industrial control systems may not have the proper hardware [primarily chipset], OS level or stability, for that matter, to support this."

In other words, preparing for the post-Shamoon world is no easy feat. It requires a major defense strategy rethink as well as smart reallocation of tactical security resources and investments.

Before embarking on this set of arduous tasks, enterprises must first gauge their overall public profile to determine the likelihood that such an attack will target them. For most organizations today, the answer will be no and they can continue to pursue more traditional defense strategies. But for those that fall into the unlucky 2 percent, now is the time to take the threat seriously and get to work.
