In the recent blog post, “Stuxnet Targeting Specific SCADA Configurations,” Danny Lieberman provides a nice, thorough analysis of the high-profile superworm in its current state. From what we know, the virus targets plants with a specific configuration, is activated whenever WinCC or PCS7 software from Siemens is installed, and can influence the processing of operations in the control system under certain boundary conditions. And for the time being, Stuxnet can be removed from affected systems by standard antivirus programs with updated signatures as of August 2010.
This is what we know, but unfortunately, it’s what we don’t know that poses the real threat.
As I mentioned when Stuxnet was first discovered, it’s not the actual worm itself that poses the greatest threat; it’s copycat attacks that use the Stuxnet blueprint to take cyberweaponry to the next level. Much like Zeus, Aurora, and other successful viruses, the initial incarnations are just the beginning. As the malware evolves and more sophisticated variations are created, antivirus becomes a reactive solution that can only stop what is known at any given time. This is where, I believe, straightforward antivirus solutions are missing the point.
While signatures can remove viruses in their current forms, they are ineffective at stopping new malware or malware variants they don’t know about. Organizations today can’t afford to sit back and wait until the next incarnation surfaces to figure out how to stop it. They need a way to prevent targeted attacks from exploiting systems regardless of what is known and not known. Application whitelisting technology does this.
By proactively stopping any unauthorized application from running on a system, leading application whitelisting solutions like CoreTrace’s Bouncer leverage both whitelist- and blacklist-based defenses to stop all malicious code from executing on a network.
As the security industry faces challenges around combating multi-pronged attacks like Stuxnet and Night Dragon, CoreTrace has consistently been asked to help security pros understand the attacks and how proactive solutions like Bouncer can help combat them. As a part of that effort, we are co-hosting an upcoming webinar with the Amor Group, “Night Dragon: How to Slay the Beast (and the Others Like It).” Joel Langill, president of SCADAhacker, and CoreTrace founder and CTO, Dan Teal, will discuss how organizations can kickstart their IT readiness efforts to combat such blended attacks. Register now to attend the webinar, which takes place Tuesday, April 19th, beginning at 2:00 p.m. EDT / 11:00 a.m. PDT.