
THE UKRAINE BLACKOUT Analyzing a Real World Attack - CyberArk



Presentation Transcript


  1. THE UKRAINE BLACKOUT: Analyzing a Real World Attack - CyberArk
     Jithin J Abraham, CyberArk Middle East

  2. THE UKRAINE BLACKOUT: Analyzing a Real World Attack - CyberArk (agenda)
     • Breach lifecycle
     • Perimeter compromise
     • Attacker’s contingency plan
     • Privilege elevation
     • Confiscating controls of IT & OT environment
     • Attack execution
     • Proactively block remediation efforts
     • Key takeaways
     • How CyberArk can secure your organization

  3. The First of its Kind: Attackers Turn the Lights Off
     [Slide graphic: “Known target” / “What happened” panels; their content is not in the transcript]
     “The big lesson here is that…someone actually brought down a power system through cyber means. That is an historic event, it has never occurred before.” - Robert M. Lee, Cyber Warfare Operations Officer for the US Air Force

  4. Privileged Accounts are Targeted in All Advanced Attacks
     “Anything that involves serious intellectual property will be contained in highly secure systems and privileged accounts are the only way hackers can get in.” - Avivah Litan, Vice President and Distinguished Analyst at Gartner

  5. Step 1: Perimeter Compromise
     (1) Spear-phishing campaign – Targeting employees
     (2) Endpoints infected – Employees open email and malicious attachment
     (3) Attackers gain access – Malware installs RATs to establish backdoor access
     (4) Reconnaissance – Information and credentials are collected

  6. Step 2: Lateral movement and escalation
     [Slide graphic: perimeter → VPN → OT environment]
     • Using the credentials, attackers laterally move, learn the network and install KillDisk
     • Lateral Movement – Attackers VPN into the OT environment and gain access to the control systems

  7. Step 3: Executed attack against electric grid…
     • The Reality Outside: Attackers used their control to disconnect electricity breakers and cut power in regions across Ukraine
     • The Reality Inside: Attackers took control of the HMI software and disconnected the keyboard and mouse so that operators could not interfere

  8. …and proactively prevented remediation
     • Attackers simultaneously launched a DDoS attack against call centers
     • And activated KillDisk malware – wiping all infected endpoints and servers

  9. The Role of Privilege
     (1) Captured admin credentials from infected machines
     (2) Used credentials to laterally move and elevate privileges in IT and OT networks
     (3) Used privileged access to launch a coordinated attack

  10. Step 1: How CyberArk Would Help during the Perimeter Compromise Phase
      (1) Spear-phishing campaign – Targeting employees
      (2) Endpoints infected – Employees open email and malicious attachment
      (3) Attackers gain access – Malware installs RATs to establish backdoor access
      (4) Reconnaissance – Information and credentials are collected

  11. Step 2: Lateral movement and escalation
      [Slide graphic: perimeter → VPN → OT environment]
      • Using the credentials, attackers laterally move, learn the network and install KillDisk
      • Lateral Movement – Attackers VPN into the OT environment and gain access to the control systems

  12. Application Identity Manager: A high level perspective
      Application Identity Management – applications obtain their credentials from the CyberArk Vault (secure storage, password and SSH key rotation) instead of carrying them in code or configuration.
      Credentials hard-coded in the application:
        Username = “app”
        Password = “y7qeF$1”
        Host = “10.10.3.56”
        ConnectDatabase(Host, Username, Password)
      Credentials retrieved at run time:
        Username = GetUserName()
        Password = GetPassword()
        Host = GetHost()
        ConnectDatabase(Host, Username, Password)
      Target systems shown on the slide: Application Servers (WebSphere, WebLogic, etc.), Databases, Unix Servers, Network Devices, Security Appliances, Windows Servers, Mainframe Servers, Desktops
      grid systems via a firmware update

  13. How could CyberArk help?
      • Proactively secure all privileged and ICS credentials
      • Rotate admin credentials after each use
      • Establish a single, controlled access point into ICS systems
      • Monitor privileged account use to detect anomalies
      • Control applications to reduce the risk of malware-based attacks
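The pattern behind slides 12 and 13, as an added example that is not CyberArk's code: the slide's ConnectDatabase snippet with the credential fetched from a vault at connect time and rotated after use, so a copy captured by a RAT or left in a config file stops working. The Vault and MockDatabase classes are stand-ins (assumptions) for the real vault and database; the host, user and password values are the ones on slide 12.

```python
"""Added example, not CyberArk code: the slide's ConnectDatabase snippet with
the credential pulled from a vault at connect time and rotated after use.
Vault and MockDatabase are stand-ins (assumptions) for the real components."""
import secrets
import string

class MockDatabase:
    """Stand-in database: a connection succeeds only with the current password."""
    def __init__(self, host, user, password):
        self.host, self.user, self._password = host, user, password

    def set_password(self, new_password):
        self._password = new_password

    def connect(self, host, user, password):
        return (host, user, password) == (self.host, self.user, self._password)

class Vault:
    """Stand-in vault: holds the credential, rotates it on the target system,
    and releases it only to application identities on its access list."""
    def __init__(self, name, db, password):
        self._db = db
        self._creds = {name: {"host": db.host, "user": db.user, "password": password}}
        self._acl = set()      # (app_id, credential name) pairs allowed to fetch

    def allow(self, app_id, name):
        self._acl.add((app_id, name))

    def get_credential(self, app_id, name):
        if (app_id, name) not in self._acl:
            raise PermissionError(f"{app_id} is not authorised for {name}")
        return dict(self._creds[name])

    def rotate(self, name, length=24):
        alphabet = string.ascii_letters + string.digits
        new_pw = "".join(secrets.choice(alphabet) for _ in range(length))
        self._db.set_password(new_pw)            # change it on the target first
        self._creds[name]["password"] = new_pw   # then update the stored copy

def connect_via_vault(vault, db, app_id, name="db-prod"):
    """Hardened form of the slide's snippet: GetUserName/GetPassword/GetHost
    become one vault lookup, and the credential is rotated after the session."""
    c = vault.get_credential(app_id, name)
    ok = db.connect(c["host"], c["user"], c["password"])
    vault.rotate(name)                           # "rotate after each use" (slide 13)
    return ok

def demo():
    db = MockDatabase("10.10.3.56", "app", "y7qeF$1")  # the slide's hard-coded values
    vault = Vault("db-prod", db, "y7qeF$1")
    vault.allow("billing-app", "db-prod")
    hardcoded = ("10.10.3.56", "app", "y7qeF$1")       # copy in config / captured by a RAT
    before = db.connect(*hardcoded)                    # works until the first rotation
    first = connect_via_vault(vault, db, "billing-app")
    replay = db.connect(*hardcoded)                    # the captured copy is now useless
    second = connect_via_vault(vault, db, "billing-app")
    return before, first, replay, second               # (True, True, False, True)
```

The same lookup also enforces which application identity may fetch which credential, which is the "controlled access point" of slide 13 applied to applications rather than people.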

  14. Real Cyber Attack Case Study: Attacker conducts lateral movement, privilege escalation, executes a Golden Ticket attack, and successfully exfiltrates sensitive data
      • Phishing campaign – targeting several employees
      • Endpoints infected – some employees open the attachments
      • Persistence – The attackers deploy specially crafted malware
      • Reconnaissance – Collecting information about the network
      • Lateral Movement – Compromising machines and credentials
      • Domain Compromise – Compromising domain controller (DC) and krbtgt key
      • Utilizing Golden Ticket – with database access privileges
      • Exfiltrating Data to staging servers and outside the network

  15. Case Study Takeaways
      • Privilege was the pathway – via lateral movement and privilege escalation
      • Domain controller was a valuable stepping stone – Golden Ticket attack provided omnipotent control and access to the entire domain
      • Attackers accomplished their mission – Attackers successfully stole millions of records containing PII

  16. CyberArk Privileged Threat Analytics
      • Collect – Collect and analyze the right data
      • Detect – Identify suspicious activities and behaviors
      • Alert – Notify security teams with detailed incident information
      • Respond – Enable speedy response and automated containment
      A better way to protect against: Stolen Privileged Credentials, Kerberos Attacks, Malicious Insiders, Golden Ticket Attacks, Pass-the-Hash Attacks

  17. Collect and Analyze the Right Data
      • SIEM – Collect endpoint access logs for behavior analysis on devices and correlation with privileged user information
      • Network Tap – Collect network traffic for analysis and detection of damaging Kerberos attacks
      • CyberArk Vault – Collect fine-grained information on individual privileged users for User and Entity Behavior Analysis
      These feed Privileged Threat Analytics, which produces Actionable Privileged Threat Intelligence

  18. Alert On Suspicious Activity and Behavior
      To enable security teams to prioritize and respond to the most critical incidents, alerts:
      • Are assigned risk scores based on the severity of the detected anomaly
      • Contain granular details related to the suspected attack
      • Can easily be reviewed in the CyberArk dashboard, via email notification, and/or in a SIEM dashboard

  19. Privileged Threat Analytics Improves Incident Response
      Respond automatically to contain detected incidents (Collect → Detect and Alert → Respond; example: Compromised Privileged Credential)
      Automatically contain in-progress attacks:
      • Automatically invalidate stolen credentials and stop an attacker from continuing their attack
      • Minimize damage and limit an attacker’s window of opportunity
      • Streamline incident response with automatic containment
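The Collect / Detect / Alert / Respond loop of slides 16 to 19, as an added example and not CyberArk's own analytics: privileged-account events are scored against a per-account baseline, an alert with a risk score and reasons is raised above a threshold, and containment invalidates the credential so later events from that account are blocked. The log format, the learning window, the weights and the threshold are assumptions for illustration; the log lines are constructed.

```python
"""Added example, not CyberArk's own analytics: score privileged-account
events against a learned baseline, alert above a threshold and auto-contain
by invalidating the credential. Log format, weights and threshold are assumed."""
from collections import defaultdict

# Constructed access log: timestamp account source-host target-zone action
LOG = """\
2024-01-08T09:12:04 ops_admin ws-014 IT rdp
2024-01-09T10:03:55 ops_admin ws-014 IT rdp
2024-01-10T08:47:19 ops_admin ws-014 IT rdp
2024-01-11T23:21:07 ops_admin vpn-gw OT vpn
2024-01-11T23:22:40 ops_admin vpn-gw OT hmi_login
"""
LEARN = 3        # first events per account form its baseline (Collect)
THRESHOLD = 60   # risk score at which an alert is raised and containment triggers

def parse(log):
    for line in log.strip().splitlines():
        ts, account, source, zone, action = line.split()
        yield {"ts": ts, "hour": int(ts[11:13]), "account": account,
               "source": source, "zone": zone, "action": action}

def score(event, base):
    """Detect: each deviation from the account's baseline adds a weighted reason."""
    reasons = []
    if event["source"] not in base["source"]:
        reasons.append(("new source host", 30))
    if event["zone"] not in base["zone"]:
        reasons.append(("first access to zone " + event["zone"], 40))
    if not any(abs(event["hour"] - h) <= 1 for h in base["hour"]):
        reasons.append(("unusual hour", 20))
    return sum(w for _, w in reasons), reasons

def analyse(log):
    baseline = defaultdict(lambda: {"source": set(), "zone": set(), "hour": set(), "n": 0})
    invalidated, alerts = set(), []
    for ev in parse(log):
        if ev["account"] in invalidated:          # Respond: credential already revoked
            alerts.append({"ts": ev["ts"], "account": ev["account"], "blocked": True})
            continue
        base = baseline[ev["account"]]
        if base["n"] < LEARN:                     # Collect: still learning this account
            for k in ("source", "zone", "hour"):
                base[k].add(ev[k])
            base["n"] += 1
            continue
        risk, reasons = score(ev, base)
        if risk >= THRESHOLD:                     # Alert with score and granular reasons
            invalidated.add(ev["account"])
            alerts.append({"ts": ev["ts"], "account": ev["account"], "risk": risk,
                           "reasons": [r for r, _ in reasons], "blocked": False,
                           "response": "credential invalidated"})
    return alerts
```

The baseline must be learned from a period known to be clean; an account that was already compromised during the learning window would have the attacker's behaviour treated as normal.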

  20. Privileged Threat Analytics Key Benefits
      • Shorten an attacker’s window of opportunity and reduce potential damage
      • Rapidly detect attacks with analytics based on a combination of built-in algorithms
      • Accelerate remediation with immediate access to detailed information about an attack
      • Immediately respond to in-progress attacks by automatically invalidating stolen credentials
      • Receive quick time-to-value by leveraging existing infrastructure

  21. Privileged Session Manager & Privileged Threat Analytics: Better Together
      This integration enables:
      • Automatic Threat Detection – Automatic insider threat detection through established high-risk commands
      • Session Termination – Session termination during high-risk user activity minimizes potential damage to the business
      • Audit Prioritization – Audit teams have the ability to prioritize and deprioritize workloads based on the risk score
      Privileged Session Manager: Define high-risk activity; Continuously record user sessions
      Privileged Threat Analytics: Automatically identify high-risk activity; Alert security teams to potential insider attacks; Provide risk insight into recorded sessions
      Outcome: Detect and respond to insider threats faster to limit potential damage; Prioritize session reviews to make audits faster and easier

  22. An Attacker Must Obtain Insider Credentials
      “APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”
      “…100% of breaches involved stolen credentials.”
      - Mandiant, M-Trends and APT1 Report

  23. CyberArk Overview
      • Trusted experts in privileged account security
      • 2,000+ privileged account security customers
      • 50%+ of Fortune 100
      • 20% of Global 2000
      [Slide chart: 30% growth, 40% growth, 56% growth]
      • Approach privileged accounts as a security challenge
      • Designed and built from the ground up for security
      • Twelve years of innovation in privileged account controls, monitoring and analytics
      • Only comprehensive privileged account security solution
      • One solution, focused exclusively on privileged accounts
      • Enterprise-proven
      • First with vault, first with monitoring, first with analytics
      • Headquarters in the US; Middle East operations run from Dubai together with part of the UK operations; local support plus a support centre in the UK backed by the US support team

  24. Our Offerings
      • Application Identity Manager – Secrets management for static server environments: Central Credential Provider, Application Server Credential Provider, Credential Provider
      • Conjur – Secrets management for DevOps & cloud: Conjur Enterprise, Conjur Community Edition

  25. Trusted by Customers Worldwide
      • Over 2,000 Global Customers
      • 50%+ of Fortune 100
      • 20% of Global 2000

  26. Thank you
