Magazine Button
Saudi hacks and the case for endpoint detection & response

Saudi hacks and the case for endpoint detection & response

Editor's ChoiceEnterprise SecurityGovernmentInsightsKSARegional News

As reported by Bloomberg and others on Thursday, hackers successfully launched an attack against Saudi Arabian government agencies, including the General Authority of Civil Aviation, the government agency that manages Saudi airports. The attackers, believed to be affiliated with the Iranian government, used the destructive malware Shamoon to wipe data and damage equipment. Shamoon was previously  used in a 2012 attack that wiped 35,000 computers at Saudi Aramco, the world’s largest oil company, writes Anthony Di Bello, Senior Director and Security Strategist, Guidance Software.

The Saudi Aramco breach was a watershed moment in the cybersecurity world that generated ripples across the globe. So how, four years later, could a known threat like Shamoon be leveraged again to such an effect?

This attack is the latest to highlight the critical need for Endpoint Detection and Response (EDR) solutions.

Preventing known threats is the bread-and-butter for the myriad of next-gen AV and Endpoint Protection Platform (EPP) tools on the market today. Virtually every organisation has some form of perimeter-based security designed to stop known threats. But as this attack shows us, 100% prevention is not possible, even with well-known malware like Shamoon. However, there are ways to reduce the chance of a successful breach and to prevent malware from quickly spreading across the network should a breach occur. The following diagram illustrates how EPP and EDR work together to create a holistic approach to defence.

Figure 1: EPP and EDR work in conjunction to prevent, detect, and respond to threat of all kinds


On Nov 16, Gartner predicted (or foreshadowed) the new cybersecurity reality, recommending that organisations, “communicate the importance of a ‘continuous response’ security mindset, wherein systems are assumed to be compromised, necessitating monitoring and remediation.[1]

“Continuous Response” demands an EDR tool like EnCase Endpoint Security. With an EDR solution, Shamoon or other malicious threats can be detected proactively, and if necessary an EDR solution can perform the required triage and remediation, before the malicious binary is executed. EnCase Endpoint security provides a single platform to mitigate exactly this type of threat and completely remove it from the network to possibly prevent, or at least limit, data loss or damage.

This attack also highlights the need for better information sharing in the cybersecurity community to ensure security teams are prepared for similar threats. When information is shared more openly, security teams can use EDR solutions to proactively scan and hunt for similar threats on endpoints. When armed with the right information and a proactive approach, an organisation has a better chance to detect and neutralise a threat before it can cause any real damage.

To learn more about how EnCase Endpoint Security can ensure you are prepared for a breach, please visit: or contact us at [email protected].

Anthony Di Bello is a Senior Director and Security Strategist at Guidance Software. Anthony is responsible for the voice of the customer, go-to-market strategy and product roadmaps across Guidance Software forensic security, data risk management and digital investigations products.  An 11-year veteran of Guidance, Anthony previously served as director of Strategic partnerships.


[1] Gartner, “Predicts 2017: Information Security management”

Click below to share this article