A very sad day indeed. Keeping aside the Sony context, the motto of the West has always been to not give in to terrorists, but obviously it seems to be a different rule if those terrorists are cyber attackers. Is this the beginning of a trend where corporations are held hostage and then make decisions (in this case the cinemas appear to have overruled the US president’s wishes – where he, Obama, encouraged people to go to the cinemas) that impact the masses?
I believe this reflects a lack of sophistication on Sony’s side in terms of security policies and controls and less an indicator of the attackers’ sophistication. Indicators of compromise relating to this malware have been shared with businesses by the FBI, including MD5 hash sums, file changes, remote IP addresses and other artifacts that they should be looking for. These elements should be visible in various threat intelligence tools as well.
I don’t find it a surprise that the malware was there for months going undetected. It says the malware was customized for the attack, meaning that if the malware initially went under the radar when it was introduced into their network, it would be unlikely to suddenly get detected, since shutting down anti-virus is usually the first step in malware. There are other ways to look for malware infections, such as network anomalies, but the difficulty in catching malware after a successful infection probably increases significantly on such a large network. Especially with a targeted attack.
Some AV companies mentioned that their software could have prevented execution, but obviously there were some out there that did not detect it. This is where sharing the malware with the security community could help other vendors catch up and make sure they are blocking it. Even if they don’t want to release it publicly, it may be worth sharing with major AV companies to help prevent further infections (which is what seems to have happened/is happening, since McAfee, Trend Micro, and Symantec have analyzed it). Eventually I’m sure samples will start to make their way public for further analysis by researchers.
The degree of unnoticed access is an unsurprising testament to the need for automated incident response – and best practice in the current situation would suggest openly sharing the docs, malware, and attack vector to enable others to better secure and defend against similar attacks.
This may be news outside the information security community, but it’s really no surprise. In order to gather and copy the information they’ve published and to coordinate the simultaneous take down of systems within Sony, the attackers would have needed time inside the network.
There’s a lot of focus on the malware itself here, but it’s really the last step in the process. We should be more concerned than we are about the means and methods used to install that malware and expand their hold on the network. A good defense starts before the intruder gets inside the system.
Given the complete and total breach of the Sony networks, the attackers were present on the network for months, if not years. The number of compromised systems and malware needed to pull this off is astounding. It is unlikely that Sony will be able to remediate the affected systems in the near future. They will need to prioritize assets and networks then systematically clean them.
Brendan Rizzo, Technical Director, EMEA, Voltage Security
The events that continue to unfold related to this breach show a startling escalation of cyber attacks that are now becoming a worryingly effective tool for spreading fear and economic damage. The security world has been preparing for large-scale cyber terrorism attacks for years, with the state-sponsored variant proving the biggest risk due to the larger magnitude of resources that can be brought to bear. There have been several isolated incidents reported already, but the recent attack now further blurs the line between state-sponsored attacks (which are often seen as being politically or economically motivated) and cyber-protests (which are usually meant to raise awareness or disseminate information).
If attackers gain an upper hand and are able to wreak damage on companies at will without being traced, and if these attacks are able to achieve at least some of their objectives (such as the recent postponement of the movie release that we have just seen), then this could be a harbinger of an escalation in these types of attacks still to come. That is why it is so important that companies give their utmost attention to protecting their sensitive customer, employee, and company data in a best-practice, data-centric manner to shield themselves from any such attacks. If the recent attack had not resulted in the theft of unencrypted personal information and digital property, it would have merely been a footnote in an article, instead of the continued lead story in the global media for several weeks running.