This article will focus on offensive weapons disclosed (June 2017) and linked to Industrial Controls Systems (ICS) security issues. These tools would be linked to previous cyberattacks against critical infrastructure in Ukraine (2016).
What to know about these malwares ?
- Family name : CrashOverride / Industroyer
- Type : enhanced cyber offensive platform targeting critical infrastructure sectors
- According to our security experts at TEHTRIS, the malwares from this offensive family are an enhanced platform with advanced features
We will explore some eGambit features that could be used to fight against this kind of stealth weapons and how our cyber robots and our Artificial Intelligence engines might be stronger than malwares.
Automatic Fight against unknown threats
The full eGambit arsenal is able to automatically work against unknown threats.
Here are some quick examples of scenarios about how to fight against a new threat (Ransomware, APT…)
1. An eGambit Endpoint Security agent detects an unknown program (unknown worldwide)
2. This program is analyzed and sent back to the nearest available connected appliance for further analysis
3. The eGambit Forensics portal with its API is used by multiple robots to fully analyze potential weapons
- Analyzed with Internal Antivirus engines > Unknown threat ? Signatures cannot always work with new stuff
- Requests into worldwide databases (VirusTotal, etc) > Unknown threat until someone would submit it
- eGambit Internal Sandboxes > DETECTION + Interesting IOC > eGambit Endpoint Security agent will know it in minutes
- eGambit Artificial Intelligence > DETECTION > Detection rate = 98.1% against Windows malwares (official certification)
eGambit can automatically detect & fight new threats like CrashOverride.
- Survival time : under a couple minutes for the malware worldwide
Network Behavior Analysis
CrashOverride Malwares against eGambit A.I.
Let’s share the results of the eGambit A.I. engine
- Latest version of the engine
- Currently deployed worldwide for our customers only
The files used for the “CrashOverride” attack were all flagged as “MALWARE”
- Everything is done by robots and artificial engine
- No human action required
- No signature updates
In conlusion, the detection rate of CrashOverride is reaching 100% for eGambit A.I.