Adapting to the post-Shamoon world

In my last column in CSO, we talked about how the Shamoon virus attack on Saudi oil firm Aramco signified the start of an insidious new wave of malware. Instead of quietly siphoning off data and intellectual property for financial gain, Shamoon and others like it aim to publicly cripple businesses in the name of geopolitical score-settling —an intent that makes them far more dangerous and difficult to thwart.

The good news? More than 98 percent of businesses today, thankfully, do not fall within the crosshairs of these politically-motivated attackers. If you aren’t charged with running the main economic engine of your country (a high-profile bank, utility, defense contractor, etc.), chances are these types of attacks are not targeting you.

The bad news? Those businesses that fall within that targeted 2 percent face a difficult, time-consuming, expensive and risk-laden project as they work to harden their defenses and build practical survival strategies. Since the attackers simply seek to topple their targets in the fastest, most efficient manner possible, traditional crown jewel-focused defense mechanisms won’t cut it. Instead, IANS clients are finding they must address the new threat both strategically and tactically.

[Next wave malware aims for mayhem, not money]

“Strategically, the first step is to find where the failure-resistant systems live,” advises IANS Faculty Member Marcus Ranum. “Those are the processes and systems the organization has already deemed valuable and business-critical.” From there, it’s a process of discovering and ruling out any critical single points of failure. “Say you have a mirrored server in a redundant data center. Work your way forward and back within the system until you find the single point of failure. Does that data center run off a single generator? Do those redundant links flow through a single gateway?”

Ranum also recommends firms square off their different architecture teams against one another and charge them with uncovering design flaws. “True, that’s a nightmare from an HR standpoint, but having your ops teams vet your network designs and vice versa is the fastest way to uncover these issues.”

From a tactical standpoint, many IANS clients are focusing equally on preventing initial delivery of the malware (implementing whitelisting tools like Bit9 and reputation-based tools like ProofPoint) and eliminating lateral movement once an attack makes it inside (via DLP or sandboxing/malware analysis tools like FireEye and Damballa). Aligning these tools with Lockheeds Kill Chain Methodology is a primary strategy. Lockheeds methodology lists the six main steps (reconnaissance, weaponization, delivery, exploitation, installation and command/control) every attacker takes to infiltrate an environment. If you thwart just one step you may end an attack, but thwarting several makes you resilient.

Others are looking to augment their current signature-based toolset (AV, IDS/IPS) with flow-based tools. Monitoring packet flows across the network using a tool like Ciscos NetFlow not only alerts you to anomalies faster, it also signals an attack’s scale, enabling security teams to identify these types of attacks before they wreak havoc.

Still others are reconsidering their flat network architectures.

“Network segmentation is another major component of locking down the environment effectively,” says IANS Lead Faculty Dave Shackleford. “Creating effective quarantine zones that only offer specific services and allow very limited communications inbound and outbound can more readily make anomalous traffic stand out.”

Unfortunately, traditional tactics like implementing vulnerability scanning techniques may not prove as helpful in detecting systems susceptible to these sophisticated attacks.

“The threat of zero-day exploits is real, and there’s no prescribed way to prepare for and prevent them entirely,” Shackleford says. “One technique that is getting some attention today is virtualization isolation and encapsulation of endpoints, with vendors like Bromium leading the charge. However, many industrial control systems may not have the proper hardware [primarily chipset], OS level or stability, for that matter, to support this.”

In other words, preparing for the post-Shamoon world is no easy feat. It requires a major defense strategy rethink as well as smart reallocation of tactical security resources and investments.

Before embarking on this set of arduous tasks, enterprises must first gauge their overall public profile to determine the likelihood that such an attack will target them. For most organizations today, the answer will be no and they can continue to pursue more traditional defense strategies. But for those that fall into the unlucky 2 percent, now is the time to take the threat seriously and get to work.