Darkness in the Ukraine

Thomas Norlin, Account Executive – Denmark & Finland
The First of its Kind: Attackers Turn the Lights Off
WHO (KNOWN TARGET): three electric utility companies in Ukraine
WHAT HAPPENED: a coordinated cyber attack took down the power system (see the quote below)
IMPACT: 225,000 customers lost power

“The big lesson here is that…someone actually brought down a power system through cyber means. That is an historic event, it has never occurred before.”
- Robert M. Lee, former Cyber Warfare Operations Officer for the US Air Force
Step 1: Perimeter Compromise
Perimeter (corporate IT network):
1. Spear-phishing campaign targeting employees
2. Endpoints infected: employees open the email and its malicious attachment
3. Attackers gain access: the malware installs RATs to establish backdoor access
4. Reconnaissance: information and credentials are collected

CyberArk Discovery & Audit (DNA)
Compromised Privileged Accounts – “Game Over”
• Lose control of the data
• Lose control of IT systems
• Lose control of the business
Cyber Attacks Typically Start with Phishing
“If an attacker sends out twenty to thirty phishing emails, there’s a good chance he’ll penetrate your network.”
- Verizon RISK Team (Threat Report: Privileged Account Exploits Shift the Front Lines of Cyber Security, November 2014)
An Attacker Must Obtain Insider Credentials
“…100% of breaches involved stolen credentials.”
- Mandiant, M-Trends and APT1 Report

“APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”
Step 2: Lateral movement and escalation
Perimeter → Lateral movement (corporate IT) → VPN → OT environment
Using the stolen credentials, the attackers moved laterally, learned the network and installed KillDisk.
The attackers then used the VPN into the OT environment and gained access to the control systems.
Privilege Escalation Enables Asset Escalation
Privilege escalation drives asset elevation: Endpoints → Servers → Domain Controllers
Step 3: Attack executed against the electric grid…
The Reality
Outside: the attackers used their control to open circuit breakers at substations and cut power in regions across Ukraine.
Inside: the attackers took control of the HMI software and disconnected the keyboard and mouse so that operators could not interfere.

…and proactively prevented remediation
The attackers simultaneously launched a telephone denial-of-service (TDoS) attack against the utilities’ call centers, so that customers could not report the outage,
and activated KillDisk malware, wiping the infected endpoints and servers.
The Role of Privilege
1. Captured admin credentials from infected machines
2. Used the credentials to move laterally and elevate privileges in the IT and OT networks
3. Used privileged access to launch a coordinated attack
And the attack surface is huge
Privileged accounts exist in every piece of hardware and software on the network:
• Windows systems
• Unix systems
• Databases
• Network devices
• Hypervisors
• Applications
• SaaS applications
• Social media portals
• Industrial control systems

Privileged Account Security – Now a Critical Security Layer
Comprehensive Controls on Privileged Activity
Lock Down Credentials: protect privileged passwords and SSH keys.
  Products: Enterprise Password Vault, SSH Key Manager, Application Identity Manager
Isolate & Control Sessions: prevent malware attacks and control privileged access.
  Products: Privileged Session Manager, On-Demand Privileges (Unix and Windows)
Continuously Monitor: implement continuous monitoring across all privileged accounts.
  Product: Privileged Threat Analytics
How Could CyberArk Help
• Make a breach attempt expensive, complex and challenging for the attackers
• Once breached, contain the breach and stop it from moving laterally
• Detect anomalous use of privileged accounts
How could CyberArk help?
• Proactively secure all privileged and ICS credentials
• Rotate admin credentials after each use
• Establish a single, controlled access point into ICS systems
• Monitor privileged account use to detect anomalies
• Control applications to reduce the risk of malware-based attacks
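Two of the controls above, a single controlled access point into ICS systems and monitoring of privileged account use for anomalies, can be checked against ordinary Windows logon telemetry. The following Python is an added example written for this page, not CyberArk code: the 4624 export, the account, host and address names, the VPN pool, the jump host and the thresholds are all constructed and assumed. It flags the Step 2 behaviour described earlier (one stolen admin credential fanning out across hosts within minutes) and a privileged logon to an HMI that arrives from the VPN pool instead of the sanctioned jump host.

```python
"""Detect anomalous privileged-account use in Windows logon events.

Added example for this deck, not CyberArk code. LOG_LINES is a constructed
export of Windows Security event 4624 (successful logon) in the shape
timestamp|event_id|account|source_ip|target_host|logon_type. Hosts,
accounts and addresses are invented. Two kill-chain patterns are checked:
  1. one privileged account reaching many distinct hosts in a short window
     (lateral movement with stolen admin credentials);
  2. a privileged logon to an OT host that did not come through the single
     sanctioned access point (the OT jump host).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed environment description (not from the deck).
PRIVILEGED_ACCOUNTS = {"CORP\\svc_backup", "CORP\\da-ivanov", "CORP\\helpdesk-admin"}
OT_HOSTS = {"HMI-01", "HMI-02", "SCADA-HIST"}
OT_JUMP_HOST = ipaddress.ip_address("10.10.50.5")  # only approved path into OT
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")    # addresses handed out to VPN clients
SPREAD_HOSTS = 4                                   # distinct targets that count as a spread
SPREAD_WINDOW = timedelta(minutes=10)

# Constructed sample log. Logon type 3 = network (SMB/WMI), 10 = RemoteInteractive (RDP).
LOG_LINES = """\
2015-12-23T14:02:11|4624|CORP\\svc_backup|10.10.20.8|FS-01|3
2015-12-23T14:02:40|4624|CORP\\svc_backup|10.10.20.8|FS-02|3
2015-12-23T14:03:05|4624|CORP\\svc_backup|10.10.20.8|FS-03|3
2015-12-23T15:10:02|4624|CORP\\da-ivanov|10.10.31.44|WS-117|3
2015-12-23T15:11:19|4624|CORP\\da-ivanov|10.10.31.44|WS-118|3
2015-12-23T15:12:03|4624|CORP\\da-ivanov|10.10.31.44|DC-01|3
2015-12-23T15:14:47|4624|CORP\\da-ivanov|10.10.31.44|FS-01|3
2015-12-23T15:31:55|4624|CORP\\da-ivanov|10.99.0.17|HMI-01|10
2015-12-23T09:00:00|4624|CORP\\helpdesk-admin|10.10.50.5|HMI-02|10
2015-12-23T11:30:00|4624|CORP\\helpdesk-admin|10.10.40.2|WS-003|10
2015-12-23T16:45:00|4624|CORP\\helpdesk-admin|10.10.40.2|WS-044|10
2015-12-23T15:20:00|4624|CORP\\operator7|10.10.50.5|HMI-01|10
"""


def parse_events(text):
    """Parse the pipe-delimited export into dicts, keeping only event 4624."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src, host, logon_type = line.split("|")
        if event_id != "4624":
            continue
        events.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "src": ipaddress.ip_address(src),
            "host": host,
            "logon_type": int(logon_type),
        })
    return events


def detect_lateral_spread(events, accounts, n_hosts=SPREAD_HOSTS, window=SPREAD_WINDOW):
    """Flag a privileged account that logs on to >= n_hosts distinct hosts within `window`."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["account"] in accounts:
            by_account[ev["account"]].append(ev)
    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            # distinct targets in the window that opens at this logon
            hosts = {e["host"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(hosts) >= n_hosts:
                alerts.append({"account": account, "start": first["time"], "hosts": sorted(hosts)})
                break  # one alert per account is enough for triage
    return alerts


def detect_ot_bypass(events, accounts, ot_hosts=OT_HOSTS, jump_host=OT_JUMP_HOST):
    """Flag privileged logons to OT hosts whose source is not the sanctioned jump host."""
    alerts = []
    for ev in events:
        if ev["host"] in ot_hosts and ev["account"] in accounts and ev["src"] != jump_host:
            alerts.append({
                "account": ev["account"], "host": ev["host"], "src": str(ev["src"]),
                "time": ev["time"], "via_vpn": ev["src"] in VPN_POOL,
            })
    return alerts


def analyze(text):
    """Run both detections over an export and return the alerts by rule."""
    events = parse_events(text)
    return {
        "lateral_spread": detect_lateral_spread(events, PRIVILEGED_ACCOUNTS),
        "ot_bypass": detect_ot_bypass(events, PRIVILEGED_ACCOUNTS),
    }


if __name__ == "__main__":
    for rule, alerts in analyze(LOG_LINES).items():
        for alert in alerts:
            print(rule, alert)
```

In the sample, the backup service account touching three file servers in a minute stays under the threshold while the domain admin touching four hosts in five minutes, then entering HMI-01 from a VPN address, raises both alerts; the operator's RDP session via the jump host raises none. Tune SPREAD_HOSTS and SPREAD_WINDOW against a baseline of each account's normal fan-out before enabling the rule.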
Solution: CyberArk Discovery & Audit (DNA)
▪ Identifies all privileged accounts and Pass-the-Hash vulnerabilities
▪ Standalone, easy-to-use tool
▪ Powerful scanning with minimal performance impact
  ■ Requires no installation
  ■ Consumes very low bandwidth
▪ Provides the status and vulnerability of each privileged account
▪ Creates a Pass-the-Hash Organizational Vulnerability Map
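The Pass-the-Hash Organizational Vulnerability Map above, together with the earlier point that privilege escalation drives asset elevation (endpoints to servers to domain controllers), amounts to a reachability computation over a host inventory. The following Python is an added example written for this page; it is not CyberArk code and does not describe how DNA scans. The inventory, tiers, account names and "hash" strings are constructed, and the mapping of which account holds admin rights on which tier is assumed.

```python
"""Pass-the-Hash exposure map from a privileged-account inventory.

Added example for this deck, not CyberArk code. INVENTORY is a constructed
per-host report of the kind a credential scanner produces: the local
Administrator hash and which domain accounts have credentials resident on
the host (logged-on sessions or cached secrets). The hash strings are
invented placeholders (a real NT hash is 32 hex characters).
"""

DOMAIN_ADMINS = {"CORP\\da-ivanov"}

# Constructed inventory (assumed, not from the deck).
INVENTORY = {
    "WS-117": {"tier": "endpoint", "local_admin_hash": "hashA", "resident": {"CORP\\user.petrenko"}},
    "WS-118": {"tier": "endpoint", "local_admin_hash": "hashA", "resident": {"CORP\\helpdesk-admin"}},
    "WS-003": {"tier": "endpoint", "local_admin_hash": "hashA", "resident": set()},
    "FS-01": {"tier": "server", "local_admin_hash": "hashB", "resident": {"CORP\\svc_backup"}},
    "FS-02": {"tier": "server", "local_admin_hash": "hashB", "resident": {"CORP\\da-ivanov"}},
    "DC-01": {"tier": "domain controller", "local_admin_hash": "hashC", "resident": {"CORP\\da-ivanov"}},
    "HMI-01": {"tier": "ot", "local_admin_hash": "hashD", "resident": {"CORP\\operator7"}},
}

# Tiers on which each domain account holds local administrator rights (assumed).
ADMIN_RIGHTS = {
    "CORP\\helpdesk-admin": {"endpoint", "server"},
    "CORP\\svc_backup": {"server"},
    "CORP\\da-ivanov": {"endpoint", "server", "domain controller", "ot"},
}


def hash_reuse_groups(inventory):
    """Hosts sharing one local Administrator hash: owning one gives all of them via PtH."""
    groups = {}
    for host, data in inventory.items():
        groups.setdefault(data["local_admin_hash"], []).append(host)
    return {h: sorted(hosts) for h, hosts in groups.items() if len(hosts) > 1}


def blast_radius(start_host, inventory, admin_rights=ADMIN_RIGHTS):
    """Hosts an attacker reaches from start_host by replaying every hash found on the way."""
    compromised = {start_host}
    harvested = set()
    frontier = [start_host]
    while frontier:
        host = frontier.pop()
        harvested |= inventory[host]["resident"]  # dump credentials on the newly owned host
        reach = set()
        for other, data in inventory.items():
            # 1. shared local admin hash: PtH straight to the sibling host
            if data["local_admin_hash"] == inventory[host]["local_admin_hash"]:
                reach.add(other)
            # 2. a harvested domain account that is admin on the other host's tier
            if any(data["tier"] in admin_rights.get(acct, ()) for acct in harvested):
                reach.add(other)
        new = reach - compromised
        compromised |= new
        frontier.extend(sorted(new))
    return {"hosts": sorted(compromised), "accounts": sorted(harvested),
            "domain_admin_owned": bool(harvested & DOMAIN_ADMINS)}


def harden(inventory, domain_admins=DOMAIN_ADMINS):
    """Model two mitigations: a unique, rotated local admin secret per host (the deck's
    'rotate admin credentials after each use') and no domain admin credential resident
    outside the domain controllers (assumed tiering hygiene, not stated in the deck)."""
    hardened = {}
    for host, data in inventory.items():
        resident = set(data["resident"])
        if data["tier"] != "domain controller":
            resident -= domain_admins
        hardened[host] = {"tier": data["tier"],
                          "local_admin_hash": f"unique-{host}",  # stands for a per-host secret
                          "resident": resident}
    return hardened


if __name__ == "__main__":
    print("reused local admin hashes:", hash_reuse_groups(INVENTORY))
    print("from WS-117, as found:  ", blast_radius("WS-117", INVENTORY))
    print("from WS-117, hardened:  ", blast_radius("WS-117", harden(INVENTORY)))
    print("from WS-118, hardened:  ", blast_radius("WS-118", harden(INVENTORY)))
```

In the constructed inventory, one phished workstation leads to every host: the shared local admin hash gives the other endpoints, a helpdesk admin credential resident on one of them gives the servers, and a domain admin credential left on a file server gives the domain controllers and the OT host. After hardening, the same workstation yields only itself, and a workstation with the helpdesk credential still yields the servers but not the domain controllers, which shows that rotating local secrets and keeping domain admin credentials off lower tiers address different edges of the map.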
Thanks!!