2
“The big lesson here is that…someone actually brought down a power system through cyber means. That is an historic event, it has never occurred before.”
- Robert M. Lee, Cyber Warfare Operations Officer for the US Air Force
The First of its Kind: Attackers Turn the Lights Off
KNOWN TARGET:
WHO: Three electric utility companies in Ukraine
WHAT HAPPENED:
IMPACT: 225,000 customers lost power
3
Step 1: Perimeter Compromise
1. Spear-phishing campaign: targeting employees
2. Endpoints infected: employees open email and malicious attachment
3. Attackers gain access: malware installs RATs to establish backdoor access
4. Reconnaissance: information and credentials are collected
PERIMETER
5
Compromised Privileged Accounts – “Game Over”
• Lose control of the data
• Lose control of IT systems
• Lose control of the business
6
Cyber Attacks Typically Start with Phishing
“If an attacker sends out twenty to thirty phishing emails,
there’s a good chance he’ll penetrate your network.”
Verizon RISK Team (Threat Report: Privileged Account Exploits Shift the Front Lines of Cyber Security, November 2014)
7
An Attacker Must Obtain Insider Credentials
Mandiant, M-Trends and APT1 Report
“…100% of breaches
involved stolen
credentials.”
“APT intruders…prefer to
leverage privileged accounts
where possible, such as Domain
Administrators, service accounts
with Domain privileges, local
Administrator accounts, and
privileged user accounts.”
8
Step 2: Lateral movement and escalation
PERIMETER
Attackers VPN into the OT environment and gain access to the control systems
Using the credentials, attackers laterally move, learn the network and install KillDisk
(Diagram labels: Lateral Movement, VPN, OT Environment, VPN)
11
Step 3: Executed attack against electric grid…
The Reality Outside: Attackers used their control to disconnect electricity breakers and cut power in regions across Ukraine
The Reality Inside: Attackers took control of the HMI software and disconnected the keyboard and mouse so that operators could not interfere.
12
…and proactively prevented remediation
Attackers simultaneously launched a DDoS attack against call centers
And activated KillDisk malware – wiping all infected endpoints and servers
13
The Role of Privilege
1. Captured admin credentials from infected machines
2. Used credentials to laterally move and elevate privileges in IT and OT networks
3. Used privileged access to launch a coordinated attack
14
And the attack surface is huge
Privileged accounts are in every piece of hardware and software on the network
• Windows systems
• Unix systems
• Databases
• SaaS applications
• Social media portals
• Industrial control systems
• Network devices
• Hypervisors
• Applications
16
Comprehensive Controls on Privileged Activity
Lock Down Credentials: protect privileged passwords and SSH keys
Isolate & Control Sessions: prevent malware attacks and control privileged access
Continuously Monitor: implement continuous monitoring across all privileged accounts
Products: Enterprise Password Vault, SSH Key Manager, Application Identity Manager, Privileged Session Manager, On-Demand Privileges Unix and Windows, Privileged Threat Analytics
17
How Could CyberArk Help
Once breached, contain the breach from moving laterally
Detect anomalous use of privileged accounts
Make a breach attempt expensive, complex and challenging for the attackers
18
How could CyberArk help?
Proactively secure all privileged and ICS credentials
Rotate admin credentials after each use
Establish a single, controlled access point into ICS systems
Monitor privileged account use to detect anomalies
Control applications to reduce the risk of malware-based attacks
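As an added illustration of the "monitor privileged account use to detect anomalies" control (not code from the slides or from CyberArk), the script below baselines which hosts each privileged account normally logs on to and flags off-baseline logons and bursts of them, the pattern an account would show when it is reused to move from the IT network into OT. The account names, host names, logon records and function names are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: hosts each privileged account is expected to log on to.
BASELINE = {"corp\\svc_backup": {"IT-FILE01", "IT-FILE02", "IT-FILE03"}}

# Constructed logon records: (timestamp, account, target host, source host).
# The evening entries mimic a service account being reused to reach OT hosts.
SAMPLE_LOGONS = [
    ("2015-12-23 09:00:00", "corp\\svc_backup", "IT-FILE01", "IT-BACKUP01"),
    ("2015-12-23 09:05:00", "corp\\svc_backup", "IT-FILE02", "IT-BACKUP01"),
    ("2015-12-23 10:00:00", "corp\\jdoe", "IT-WS042", "IT-WS042"),
    ("2015-12-23 21:10:00", "corp\\svc_backup", "OT-HMI01", "IT-WS042"),
    ("2015-12-23 21:11:00", "corp\\svc_backup", "OT-HMI02", "IT-WS042"),
    ("2015-12-23 21:14:00", "corp\\svc_backup", "OT-SCADA01", "IT-WS042"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def detect_privileged_anomalies(logons, baseline, window=timedelta(minutes=10), burst=3):
    """Return alerts for privileged accounts used outside their baseline.

    Rule 1 ("new_host"): a privileged account logs on to a host it never uses.
    Rule 2 ("burst"): `burst` or more distinct off-baseline hosts inside `window`,
    the lateral-movement pattern described in the slides.
    Only accounts present in `baseline` are treated as privileged.
    """
    alerts = []
    off_baseline = defaultdict(list)  # account -> [(time, host)]
    for ts, account, host, source in sorted(logons):
        if account not in baseline or host in baseline[account]:
            continue
        t = parse_ts(ts)
        alerts.append(("new_host", account, host, source, ts))
        off_baseline[account].append((t, host))
        recent = {h for (t0, h) in off_baseline[account] if t - t0 <= window}
        if len(recent) >= burst:
            alerts.append(("burst", account, sorted(recent), source, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_privileged_anomalies(SAMPLE_LOGONS, BASELINE):
        print(alert)
```

The source host is carried in each alert because a privileged account arriving at OT hosts from an ordinary workstation, rather than from its usual jump or backup host, is the detail an analyst would want first.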
19
Solution: CyberArk Discovery & Audit (DNA)
▪ Identifies all privileged accounts and Pass-the-Hash vulnerabilities
▪ Standalone, easy to use tool
▪ Powerful scanning with minimal performance impact
  ■ Requires no installation
  ■ Consumes very low bandwidth
▪ Provides status and vulnerability of each privileged account
▪ Creates Pass-the-Hash Organizational Vulnerability Map