The Shamoon malware has received considerable coverage in the past couple of months because of its destructive nature. Despite assertions that it is the work of amateurs, it has had a major impact on companies believed to have been affected. The basic functions of the malware are to infect, entrench, propagate, and wipe.
However, because of the order in which the malware wipes, it can work against itself. It first wipes the contents of the Documents and Settings folder and the System32 folder, and only then uses a signed driver for raw disk access to begin overwriting at the disk level. Because the operating system needs certain files in System32 to keep running, infected hosts were found to crash and restart consistently before the disk-level wipe could complete. As a result it was possible to recover Shamoon-infected file systems to the state they were in just before the wiping made the OS unbootable and unreadable. In fact, the majority of files outside the System32 and Documents and Settings folders are recoverable as well, which made a successful and fruitful analysis, investigation, and remediation effort possible.
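What that recovery looks like in practice, as an added example that is not from the article or any Shamoon tooling: a script that finds how far an interrupted sequential wipe got through a raw disk image, then carves intact files from the region beyond it. Everything in it is constructed (the disk image, the fill pattern, the sample PDF and ZIP), and the assumption that the wiper overwrites sectors in order from sector 0 with a fixed fill pattern is mine, not a statement about Shamoon's driver.

```python
"""Triage of an interrupted disk-level wipe (added example; constructed data).

Assumption (mine, not the article's): the wiper overwrites sectors in order
from sector 0 with a fixed fill pattern, and the crash caused by the earlier
file-level wipe of System32 stopped it part way, so every sector past the
last wiped one is intact. We locate that wipe frontier, then carve files by
header/footer signature from the intact region.
"""
import io
import zipfile

SECTOR = 512

# kind -> (header, footer, bytes that follow the footer). The ZIP end-of-central-
# directory record is 22 bytes: the 4-byte magic plus 18 bytes of fields.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF", 0),
    "zip": (b"PK\x03\x04", b"PK\x05\x06", 18),
}


def looks_wiped(sector: bytes, max_period: int = 64) -> bool:
    """Pattern-agnostic heuristic: a wiped sector is a short byte sequence
    repeated end to end (period 1 catches 0x00/0xFF fills, longer periods
    catch a tiled pattern at any phase). Never-written zero sectors match too."""
    n = len(sector)
    return any(sector == (sector[:p] * (n // p + 1))[:n]
               for p in range(1, max_period + 1))


def matches_pattern(offset: int, sector: bytes, pattern: bytes) -> bool:
    """Exact check against a known fill pattern tiled continuously from
    offset 0, so the expected bytes depend on the sector's phase."""
    phase = offset % len(pattern)
    tiled = pattern[phase:] + pattern * (len(sector) // len(pattern) + 1)
    return sector == tiled[:len(sector)]


def wipe_frontier(image: bytes, pattern: bytes = b"") -> int:
    """Byte offset of the first non-wiped sector, scanning from sector 0.
    With a known pattern the check is exact; without one, unallocated
    all-zero sectors also count as wiped, so treat the result as a bound."""
    for off in range(0, len(image), SECTOR):
        sector = image[off:off + SECTOR]
        wiped = matches_pattern(off, sector, pattern) if pattern else looks_wiped(sector)
        if not wiped:
            return off
    return len(image)


def carve(image: bytes, start: int = 0) -> list:
    """[(offset, kind, data)] for each complete header..footer span at or
    after `start`, sorted by offset."""
    found = []
    for kind, (head, foot, tail) in SIGNATURES.items():
        pos = image.find(head, start)
        while pos != -1:
            end = image.find(foot, pos + len(head))
            if end == -1:
                break
            end += len(foot) + tail
            found.append((pos, kind, image[pos:end]))
            pos = image.find(head, end)
    return sorted(found)


def make_zip(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def zip_member(data: bytes, name: str) -> bytes:
    """Prove a carved ZIP is intact: CRC-check every member, then read one."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    assert zf.testzip() is None
    return zf.read(name)


def build_image(total_sectors: int, files: dict, wiped_sectors: int, pattern: bytes) -> bytes:
    """Constructed disk image: place each file at its sector number, then
    overwrite the first `wiped_sectors` sectors as an interrupted wipe would."""
    disk = bytearray(total_sectors * SECTOR)
    for sector_no, data in files.items():
        disk[sector_no * SECTOR:sector_no * SECTOR + len(data)] = data
    wiped = wiped_sectors * SECTOR
    disk[:wiped] = (pattern * (wiped // len(pattern) + 1))[:wiped]
    return bytes(disk)


PATTERN = b"\xde\xad\xbe\xef\x00"          # constructed fill pattern, not Shamoon's
PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"   # constructed sample
ZIP_PAYLOAD = b"quarterly figures (constructed sample data)"


def demo() -> dict:
    """20-sector image; wiping stops after sector 7. The PDF at sector 2 is
    destroyed, the PDF at sector 8 and the ZIP at sector 12 survive."""
    files = {2: PDF, 8: PDF, 12: make_zip("notes.txt", ZIP_PAYLOAD)}
    image = build_image(20, files, wiped_sectors=8, pattern=PATTERN)
    frontier = wipe_frontier(image, PATTERN)
    return {
        "frontier": frontier,
        "heuristic_frontier": wipe_frontier(image),   # pattern unknown
        "files": carve(image, frontier),
    }


if __name__ == "__main__":
    r = demo()
    print(f"wipe stopped at byte {r['frontier']} (sector {r['frontier'] // SECTOR})")
    for off, kind, data in r["files"]:
        print(f"  {kind} at sector {off // SECTOR}, {len(data)} bytes")
```

On a real image the frontier is only a starting point: confirm it against the actual fill pattern once you have one, because the period heuristic cannot tell a wiped sector from a never-written one, and carve from a filesystem-aware tool where the metadata survived rather than from raw signatures alone.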
Your adversary is not some random piece of self-replicating software. Your adversary is a human being who—like you—is staring at a screen, mashing on a keyboard and working on a project of great importance. Does your defensive posture reflect this new reality?
Remember the good old days of Slammer, Blaster, Nimda and Code Red? They were the headline-grabbers of a bygone age in information security. In those days, our interest in the actual humans behind those big, noisy, opportunistic infections was ancillary: occasionally, months after an outbreak, we might have come across a minor news story about a pimply-faced teenager appearing in a courtroom somewhere to answer for his mischief.
Now consider today’s headline-grabbers: Aurora, Stuxnet, Flame and Gauss. What makes this a new era is not that any given piece of malware may be more sophisticated; it’s the “who” behind the malware that gives us pause. Credit for Aurora, a 2009 attack on Google and other high-profile companies, is generally given to the Chinese government. Then there’s Stuxnet, a mid-2010 state-sponsored attack against Iran’s uranium enrichment facilities. Gauss and Flame, two notable 2012 attacks, may also have been carried out by state actors. And in parallel with this excitement about state-sponsored activity, we’ve seen an increase in grassroots hacking as well, with loose collectives like Anonymous and Lulzsec regularly making the news.
Maybe breathless headlines about cyberweapons and hacktivism are overblown and maybe they’re not. But what’s clear is that if you have a network to defend, fixation on detecting the latest malware will get you nowhere if you overlook the focused, smart, dedicated human (or humans) on the other end of the line. They’re not casting a wide net, trying random doorknobs; they’re targeting you, your employees and your partners. If the stakes are high enough, they’re even targeting your employees’ family members for backdoor access into your network. It’s perfectly likely that your adversary is probing (or has already breached) your defenses.
Are you ready? How would you know if a stealthy, focused team of adversaries quietly slipped into your network? How would you respond if you knew? Are you counting on your technologies alone to save you from the reconnaissance that leads to infection, or the infection that leads to escalation of privilege and propagation, or the expanded foothold that leads to exfiltration and/or sabotage? They won’t. And they can’t. Not without you at the helm, persistently involved in the defense of your assets.
Some of the stages in this simplified threat life cycle (reconnaissance, breach, propagation, exfiltration) certainly involve malware of some kind, but usually malware is but a small part of a much bigger picture. And while any malware that is used will be only as sophisticated as it needs to be to get the job done (it is prudent to save the juiciest techniques for the hardest targets), your father’s antivirus, firewall and IPS no longer pose even an interesting challenge to a talented and well-equipped adversary.
Fortunately, an array of younger companies (I work for one myself) offer updated technologies that approach the problem in any number of clever and interesting ways. Some of these new technologies are promising and exciting, but in a climate where we’re battling other humans in what amounts to real time for control over our networks, no completely automated defense will work.
People and processes are the sine qua non: they are essential to augment whatever technologies you’re considering for your networks. You need hunters, actively probing for anomalous traffic using the best available network visibility and correlation technologies. You need robust detection and mitigation processes that take modern threat actors’ tools, tactics and procedures into account. You need a robust and effective incident response regime to break you out of the constant whack-a-mole infection cycle. In fact, the most effective defenders regularly conduct exercises and simulations to test and continuously improve their own people, processes and technologies.
This comprehensive approach to network defense doesn’t come easy or cheaply. But if your aim involves protecting things of value from risk or harm, then you need to make sure you’re allocating scarce resources wisely. After all, your adversaries know how to focus on people and process. And your adversaries know better than to overestimate the importance of technology alone in fulfilling their mission. See that you do as well.