Anatomy of an attack: detecting and defeating CRASHOVERRIDE

Thursday 4 October 15:00 - 15:30, Green room

Joe Slowik (Dragos)

CRASHOVERRIDE was the first electric-grid-specific targeted malware attack observed in the wild, and only the third (as of its discovery) known destructive ICS malware attack. Since then, multiple discussions have taken place with respect to 'how' this malware (also known as Industroyer) functions, but essentially none have focused on how the entire attack unfolded and may have been detected - or even defeated.

This paper and presentation, leveraging new and previously unavailable information from the attack, will demonstrate that there were multiple stages at which the unfolding CRASHOVERRIDE attack could be detected - from initial access through ultimate ICS attack payload delivery - to emphasize even advanced attacker dependency on 'common' exploitation techniques. By examining the attack - essentially providing a dissection - defenders both within and outside of ICS environments can learn how to identify and mitigate even the most dedicated and advanced network attacks by focusing on adversary necessities and dependencies.