Thursday 4 October 15:00 - 15:30, Green room
Joe Slowik (Dragos)
CRASHOVERRIDE was the first electric-grid-specific targeted malware attack observed in the wild, and only the third (as of its discovery) known destructive ICS malware attack. Since then, multiple discussions have taken place with respect to 'how' this malware (also known as Industroyer) functions, but essentially none have focused on how the entire attack unfolded and how it might have been detected - or even defeated.
This paper and presentation, leveraging new and previously unavailable information from the attack, will demonstrate that there were multiple stages at which the unfolding CRASHOVERRIDE attack could have been detected - from initial access through ultimate ICS attack payload delivery - and will emphasize that even advanced attackers depend on 'common' exploitation techniques. By examining the attack - essentially providing a dissection - defenders both within and outside of ICS environments can learn how to identify and mitigate even the most dedicated and advanced network attacks by focusing on adversary necessities and dependencies.
Joe Slowik currently hunts ICS adversaries for Dragos, pursuing threat activity groups through their malware, their communications, and any other observables available. Prior to his time at Dragos, Joe ran the incident response team at Los Alamos National Laboratory, and served as an Information Warfare Officer in the US Navy. Throughout his career in network defence, Joe has consistently worked to 'take the fight to the adversary' by applying forward-looking, active defence measures to constantly keep threat actors off balance.