Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Adapting to the post-Shamoon world

Phil Gardner | April 11, 2013
In my last column in CSO, we talked about how the Shamoon virus attack on Saudi oil firm Aramco signified the start of an insidious new wave of malware. Instead of quietly siphoning off data and intellectual property for financial gain, Shamoon and others like it aim to publicly cripple businesses in the name of geopolitical score-settling --an intent that makes them far more dangerous and difficult to thwart.

In my last column in CSO, we talked about how the Shamoon virus attack on Saudi oil firm Aramco signified the start of an insidious new wave of malware. Instead of quietly siphoning off data and intellectual property for financial gain, Shamoon and others like it aim to publicly cripple businesses in the name of geopolitical score-settling --an intent that makes them far more dangerous and difficult to thwart.

The good news? More than 98 percent of businesses today, thankfully, do not fall within the crosshairs of these politically-motivated attackers. If you aren't charged with running the main economic engine of your country (a high-profile bank, utility, defense contractor, etc.), chances are these types of attacks are not targeting you.

The bad news? Those businesses that fall within that targeted 2 percent face a difficult, time-consuming, expensive and risk-laden project as they work to harden their defenses and build practical survival strategies. Since the attackers simply seek to topple their targets in the fastest, most efficient manner possible, traditional crown jewel-focused defense mechanisms won't cut it. Instead, IANS clients are finding they must address the new threat both strategically and tactically.

[Next wave malware aims for mayhem, not money]

"Strategically, the first step is to find where the failure-resistant systems live," advises IANS Faculty Member Marcus Ranum. "Those are the processes and systems the organization has already deemed valuable and business-critical." From there, it's a process of discovering and ruling out any critical single points of failure. "Say you have a mirrored server in a redundant data center. Work your way forward and back within the system until you find the single point of failure. Does that data center run off a single generator? Do those redundant links flow through a single gateway?"

Ranum also recommends firms square off their different architecture teams against one another and charge them with uncovering design flaws. "True, that's a nightmare from an HR standpoint, but having your ops teams vet your network designs and vice versa is the fastest way to uncover these issues."

From a tactical standpoint, many IANS clients are focusing equally on preventing initial delivery of the malware (implementing whitelisting tools like Bit9 and reputation-based tools like ProofPoint) and eliminating lateral movement once an attack makes it inside (via DLP or sandboxing/malware analysis tools like FireEye and Damballa). Aligning these tools with Lockheeds Kill Chain Methodology is a primary strategy. Lockheeds methodology lists the six main steps (reconnaissance, weaponization, delivery, exploitation, installation and command/control) every attacker takes to infiltrate an environment. If you thwart just one step you may end an attack, but thwarting several makes you resilient.

Others are looking to augment their current signature-based toolset (AV, IDS/IPS) with flow-based tools. Monitoring packet flows across the network using a tool like Ciscos NetFlow not only alerts you to anomalies faster, it also signals an attack's scale, enabling security teams to identify these types of attacks before they wreak havoc.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.