The US is planning economic sanctions against North Korea as a rebuke against the attacks on Sony. This follows reports of Internet blackouts in North Korea.
Regardless, one thing is certain: 2014 will be remembered as the dawn of cyber-terrorism. Until now, nation-state-sponsored attacks such as FLAME, Stuxnet, Duqu, Regin and Ghostnet were all shrouded in secrecy and used highly sophisticated, targeted malware. That put them in the realm of cyber-espionage rather than cyber-terrorism. The attacks on Sony fall squarely in the latter category. A nation-state-sponsored covert attack, guerrilla tactics, propaganda, physical threats to individuals and businesses – this is classical terrorism, albeit via the Internet.
While the full extent of the attack is still unraveling, here is a short summary of the damage inflicted on Sony and its employees:
- 47,000 social security numbers leaked, including those of famous actors
- Bank statements, tax forms, HIPAA and 401K information leaked
- Sensitive business documents leaked, including celebrity contracts and revenue data
- Server and workstation data completely wiped out, with machines failing to restart
- Treasure trove of password data leaked
- Unreleased movies and scripts posted on file sharing sites
- Embarrassing company emails leaked, including risqué comments on Hollywood stars and the US president, and romantic dalliances involving an executive
- Physical threats to theaters against screening of “The Interview”
- Physical threats to Sony employees
While cyber-espionage attacks are highly focused, sophisticated, and stealthy, the attacks on Sony do not appear to be highly sophisticated (and clearly not stealthy).
As CNN reports, U.S. investigators have evidence that hackers stole the computer credentials of a system administrator to get initial access into Sony’s computer systems, allowing them broad access inside Sony.
The US-CERT has also released a detailed advisory describing the malware (nicknamed Destover Wiper by the media) used after the initial infiltration. The malware is described as a Windows Server Message Block (SMB) worm with five components: a listening implant, a lightweight backdoor, a proxy tool, a destructive hard drive tool, and a destructive target cleaning tool. It propagates through an infected network via brute-force authentication attacks and connects to an external command and control (C2) server infrastructure. The C2 issues commands to the infected machines and acts as a store for the stolen data.
Based on these reports, the following is an ad-hoc list of the weaknesses and missing controls exposed by the breach:
| Weakness exposed by the breach | Missing control |
|---|---|
| The attack exploited multiple weaknesses across Sony's infrastructure | Lack of an integrated security architecture (more on this below) |
| Privileged users' passwords were stolen and abused | Lack of two-factor authentication for interactive logons |
| Malware reused from earlier attacks against South Korea and Saudi Arabia, employing commercially available modules | Failure to detect variations of known malware |
| Malware infected the breadth of Sony's network without detection, wiping Windows and Linux systems so that they fail to start up | Lack of advanced malware detection and/or application whitelisting |
| Infected workstations and servers could communicate with the command and control servers | Lack of proxies for servers and workstations that perform content filtering and deny suspicious Internet access |
| Exfiltration of sensitive data to the attackers' command and control servers | Failure to implement data leak prevention, identify suspicious domains, etc. |
| The malware propagated laterally via network shares throughout Sony's network | Lack of network segmentation and layered access controls to prevent the spread of malware |
| Attackers stole critical passwords from a password-protected file whose password was 'password' | Lack of strong encryption of sensitive data |
| Complete data loss from enterprise servers and shares | No off-premise backup of data |
| Sony failed to contain and respond to the breach quickly | Lack of adequate monitoring of failed logon attempts and network flows |
In fact, the US-CERT publishes a detailed advisory to plan against exactly such destructive malware. Tips include proper controls for communication flow, access control, monitoring, file distribution, application hardening, containment and recovery planning. Sony failed on several of these fronts. As Bruce Schneier points out: Sony made it very easy, but it could have happened to anyone.
Hardening your Security Posture with Total Threat Protection
In all probability, some signals would have been picked up during the ongoing attacks at Sony. However, security teams in a large organization often exist in silos. Separate buying and operational centers for different infrastructure elements, business units and geographies miss the forest for the trees. Acquisitions, mergers, spin-ins and rapid growth add to the chaos. A compliance checklist mentality brushes aside real security issues, as evidenced in interviews with Sony's security chief.
An empowered CISO can streamline organizational efficiency; however, the key technology enabler is having integrated security solutions rather than uncoordinated, single-vector point products from disparate vendors. Distributed policy enforcement across security solutions via centralised management dashboards, together with integration with monitoring systems, is a basic requirement for achieving this model.
An understaffed InfoSec team is another common challenge. Some reports indicate that Sony's roster has just 11 employees tasked with information security (out of 7,000 total employees), not counting any outside contractors. This is not a one-off, but a common reality in several large organizations we work with.
Best-of-breed, yet easy-to-use security solutions are the only way out for a multiplexed and over-tasked infosec team. Complex solutions with steep learning curves and operational overhead are more likely to be misconfigured or, worse, simply left alone to gather dust, opening up the very weaknesses they were supposed to prevent.
We at Barracuda have been evangelizing exactly this integrated security architecture with our Total Threat Protection. To learn more, click here to visit our Total Threat Protection website.