ARE YOU A VICTIM OF SHAMOON? WE’RE HERE TO HELP
Since the Shamoon attack took place on the 21st of January 2017, the Help AG Managed Security Services (MSS) team has been working extensively with organizations across Saudi Arabia on their digital forensics and clean-up activities.
In this blog, we shall highlight the technologies that could have protected organizations, and present the solutions that we at Help AG offer to help secure our customers.
Privileged Identity Management
Because Shamoon's effectiveness depended on its use of admin credentials, Privileged Identity Management (PIM) and Privileged Access Management (PAM) are technology areas worth considering.
A PIM solution creates an interface between the administrative user in the organization and the system that is being managed. The general idea is that the administrator no longer knows the admin password, but that he is “granted” admin access from the PIM/PAM system. It is therefore the PIM/PAM system that has administrative rights and not the user.
Help AG works together with BeyondTrust on PIM/PAM solutions and will be happy to discuss this area with you: https://www.beyondtrust.com/products/powerbroker/
It is believed that Shamoon's initial phases were delivered by a spear-phishing email: simply, an email with an attachment which executed the malware on the user's machine. The major issue here is that seemingly harmless attachments can create a lot of damage within an organization, aiding in everything from credential theft to crypto-malware.
Today, there are technologies available which can look at inbound e-mails and deconstruct attachments: breaking the attachments into their functional elements and then reconstructing them without the potentially harmful parts. An example could be a Word file being sent to you with a macro embedded in it. With the correct technology, that Word file can still be delivered to the user, but only after the macro has been removed from the file.
Help AG works with OPSWAT on data sanitization. The solution is installed as a mail transfer agent after your existing e-mail defenses and therefore does not require any change to user behavior. We also integrate OPSWAT with sandbox solutions, which means you can perform behavior-based analysis on e-mail attachments. For more information on OPSWAT please get in touch with us and visit: https://www.opswat.com/products/metadefender/email-security
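To illustrate the deconstruct-and-rebuild step described above, here is an added example written for this post (it is not OPSWAT's product code or Help AG's own tooling). It builds a constructed .docm attachment with a placeholder macro part, then rewrites the container without the VBA project and without the entries that reference it, so the document text still reaches the user. The regex-based scrub is a simplification; a production engine would use a proper XML parser.

```python
import io
import re
import zipfile

MACRO_PART_RE = re.compile(r"(^|/)vbaProject(Signature)?\.bin$")  # parts holding VBA code
MACRO_REF_RE = re.compile(rb"<(Relationship|Override)\b[^>]*vbaProject(Signature)?\.bin[^>]*/>")  # refs to them
MACRO_ENABLED_CT = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def build_sample_docm() -> bytes:
    """Constructed sample attachment: a minimal .docm with a placeholder macro blob."""
    ct = (b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          b'<Override PartName="/word/document.xml" ContentType="' + MACRO_ENABLED_CT + b'"/>'
          b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
    rels = (b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            b'<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/></Relationships>')
    doc = b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", ct)
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/document.xml", doc)
        z.writestr("word/vbaProject.bin", b"CONSTRUCTED PLACEHOLDER, not a real VBA stream")
    return buf.getvalue()

def read_part(data: bytes, name: str) -> bytes:
    """Read one part out of a container (used to verify the rebuilt file)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)

def has_macros(data: bytes) -> bool:
    """True if the container carries a VBA project part."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(MACRO_PART_RE.search(n) for n in z.namelist())

def disarm(data: bytes):
    """Rebuild the container without macro parts; returns (clean_bytes, removed_part_names)."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if MACRO_PART_RE.search(name):
                removed.append(name)  # drop the macro part itself
                continue
            body = src.read(name)
            if name.endswith((".rels", "[Content_Types].xml")):  # scrub references to it
                body = MACRO_REF_RE.sub(b"", body).replace(MACRO_ENABLED_CT, PLAIN_CT)
            dst.writestr(name, body)
    return out.getvalue(), removed
```

The rebuilt file is a plain .docx: the main part's content type is downgraded from macro-enabled to standard so Word does not expect a VBA project that is no longer there.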
Threat Intelligence for Existing Security Platforms
If you have existing Next Generation Security Platforms, it can be beneficial to look at enabling Threat Intelligence Feeds. As an example, with Palo Alto Networks the WildFire feature set is worth investigating; with Cisco, the AMP feature set; and with Fortinet, the Advanced Intelligence Subscriptions.
Help AG MSS provides a dedicated Threat Intelligence service which can also be subscribed to and ingested directly into your security infrastructure.
Threat Isolation of Privileged and Sensitive users
Threat isolation is a new technology which has recently started to appear. It works by executing websites on an isolated, centralized platform and delivering only the rendered web page to the user.
The benefit of the solution is that your privileged user's machine never executes any client-side components, and is therefore also isolated from attacks from websites or potential URL phishing. Help AG works with Menlo Security on these technologies: https://www.menlosecurity.com/
Client Application Whitelisting
Application whitelisting can be a very efficient way of dealing with Shamoon, as it can stop untrusted executables from running on user machines.
Help AG works with a number of vendors that have application whitelisting solutions. These include Carbon Black Protect and Symantec Endpoint Protection. Palo Alto Networks recently added signing certificate validation to the Traps platform, which can also add value.
It should be noted that there are of course big differences in the capabilities of each platform, but if you have any of them deployed, you should investigate how you can harden your environment.
Managed Security Services
Shamoon executed at 4 am on the 21st of January. Were you monitoring your environment at that time?
Customers subscribed to our Managed Security Services are already covered by a number of use cases specifically focusing on suspicious account behavior. Furthermore, we have enabled inspection for Shamoon's indicators of compromise for our MSS customers.
Should you need any technical assistance or guidance in managing this or any other cyber threats, contact the Help AG Cyber Security Operation Center (CSOC).
Help AG Managed Security Services Team