Practical learnings from the attack on Sony Pictures Entertainment
In the aftermath of the cyber-attack on Sony Pictures Entertainment, it is easy to get caught up in the sensational headlines calling this an “unprecedented attack” because of its destructive nature. The truth is, it isn’t uncommon at all. We have seen similar destructive attacks on the Sands Casino in 2014, HBGary in 2011, and Saudi Aramco in 2012, to name a few. In each of these attacks the apparent motive was to disrupt or destroy critical operations at the victim company. This is anything but new in the world of cyber-attacks.

The critical lessons we need to take from the attack on Sony Pictures come from addressing weaknesses commonly found in security practices at organizations around the world. The need for strong user account auditing and control, and for file-level monitoring, is the more practical lesson for most companies in the wake of this attack.

Let’s walk through some possibilities…
Infiltration of the Sony network:

Was it an evil insider? YES… someone with malicious intent was on the inside of their network. That does NOT mean it was a disgruntled associate or ex-associate. What it does mean is that someone had obtained valid credentials that allowed them to move freely through the Sony network undetected, and that they had access to the actual internal network. The criticality of user account management and life-cycle controls is a key takeaway from this incident. Common security practices such as the principle of least privilege, the
Possible scenarios for attaining credentials (most to least likely):
- Got phished and credentials were harvested.
- Had commercial malware harvest credentials.
- Found Sony credentials in publicly available credential dumps.
- Brute-forced the credentials of a Sony user.
Possible scenarios for gaining access to the network:
- Remote Access Trojan malware on a compromised internal system. Most likely the attackers performed a phishing or watering-hole campaign. Otherwise it is also entirely possible that the attackers obtained access to a compromised endpoint from the underground black market, where these systems are a commodity.
- VPN or gateway technology allowing remote access was improperly configured or not configured for multi-factor authentication. We know Sony had two-factor authentication with RSA SecurID tokens (details of these products were in some of the attackers’ public releases). However, perhaps there was a Citrix server or other access gateway solution that was missing the second factor. External SharePoint or file-sharing technology may have been available without multi-factor authentication. These types of collaborative portal sites often fail to implement multi-factor authentication and may have a public internet face.
- A third-party connection into their network may have lacked necessary security controls. This has become a recurring theme in nearly all the major security breaches and attacks in recent years. An attacker only needs to compromise the weakest link, and often third-party vendors have direct access to a company’s network with little to no scrutiny of the vendor’s security posture.
Data Inventory and Collection

Once they had access to the network, it is likely that the attacker performed internal reconnaissance of the Sony network. We know it was a Windows network, and every Windows machine has built-in tools that allow for quick inventorying of all the user accounts (net user /domain) and the Windows machines (net view). It is also trivial to locate shared folders and file share servers. Once those were located, a simple recursive find for the word “Password” was used to locate all files and folders containing that word. Judging by the publications, they were successful.
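The reconnaissance sequence above leaves a distinct footprint in process-creation logs. As an added example (not from the original post), the following Python flags a host/user pair that runs several of those built-in discovery commands within a short window; the event records, host names and account names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events in the shape of Windows Security event 4688
# (host, account, command line). Sample data only, not logs from the Sony incident.
EVENTS = [
    {"time": "2014-11-20T09:00:00", "host": "WS-ACCT-17", "user": "CORP\\jsmith",
     "cmd": "net  user /domain"},
    {"time": "2014-11-20T09:02:10", "host": "WS-ACCT-17", "user": "CORP\\jsmith",
     "cmd": "net view /all"},
    {"time": "2014-11-20T09:05:42", "host": "WS-ACCT-17", "user": "CORP\\jsmith",
     "cmd": 'findstr /s /i "password" \\\\FS01\\share\\*.*'},
    # A help-desk user looking up one print server: a single recon-style command,
    # which on its own should not raise an alert.
    {"time": "2014-11-20T13:30:00", "host": "WS-IT-02", "user": "CORP\\helpdesk",
     "cmd": "net view \\\\PRINTSRV"},
    {"time": "2014-11-20T14:10:00", "host": "WS-IT-02", "user": "CORP\\helpdesk",
     "cmd": "notepad.exe C:\\notes.txt"},
]

# Each category is one kind of built-in discovery the post describes.
RECON_PATTERNS = {
    "account_enum":  re.compile(r"\bnet1?\s+user\b.*\s/domain\b", re.I),
    "host_enum":     re.compile(r"\bnet1?\s+view\b", re.I),
    "password_hunt": re.compile(r"\bfindstr\b.*\s/s\b.*password", re.I),
}

def detect_recon(events, window_minutes=15, min_categories=2):
    """Return (host, user, categories) for each host/user pair that ran commands
    from at least min_categories distinct recon categories inside the window.
    Requiring several categories keeps a lone 'net view' from paging anyone."""
    hits = defaultdict(list)
    for ev in events:
        for name, pat in RECON_PATTERNS.items():
            if pat.search(ev["cmd"]):
                hits[(ev["host"], ev["user"])].append(
                    (datetime.fromisoformat(ev["time"]), name))
    window = timedelta(minutes=window_minutes)
    alerts = []
    for (host, user), seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            cats = {c for t, c in seen[i:] if t - start <= window}
            if len(cats) >= min_categories:
                alerts.append((host, user, tuple(sorted(cats))))
                break  # one alert per actor is enough
    return alerts
```

In a real deployment the same logic runs over 4688 (or Sysmon event 1) command lines exported from the endpoints; the window and category threshold are tuning knobs, not fixed values.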
Data Exfiltration

Moving data out of the network may have occurred in numerous ways. Most likely would be FTP via a standard or non-standard port to an offsite location. The interesting part is that there is a rumor that evidence has been found suggesting the speed at which the data was moved is consistent with USB 2.0 speeds. This would lead you to believe it was possibly copied directly to a USB device, but it could also be a decoy/diversion technique. Hopefully, more details will come out over time.

It is well worth noting that if multiple terabytes of data are being exfiltrated over the network, there should have been measures in place to attempt to detect the increased traffic. It is rumored that SPE moved massive files (large high-definition movie files) quite regularly, which may have made this particular exfiltration difficult to detect by purely volumetric means. However, discrete firewall rules and intrusion detection thresholds might be something to explore for future protection.
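One way to implement the discrete, per-host thresholds suggested above, as an added example that is not part of the original post: the egress summaries, host names and addresses are constructed, and the 3x-median spike factor and 10 GB new-destination floor are assumed tuning values.

```python
from collections import defaultdict
from statistics import median

GB = 1024 ** 3

# Constructed daily egress summaries (host, destination, port, bytes out), one row per
# host per day, as a flow collector or firewall log might yield them. Not SPE data.
BASELINE = (
    # A media transfer host that legitimately pushes ~1 TB of HD masters to a partner daily.
    [("MEDIA-XFER-01", "203.0.113.10", 21, n * GB)
     for n in (900, 1100, 950, 1200, 1000, 870, 1050)]
    # An accounting workstation with a few GB of ordinary HTTPS traffic per day.
    + [("WS-ACCT-17", "198.51.100.5", 443, n * GB) for n in (2, 3, 1, 2, 4, 2, 3)]
)
TODAY = [
    ("MEDIA-XFER-01", "203.0.113.10", 21, 1150 * GB),  # usual partner, usual volume
    ("WS-ACCT-17", "198.51.100.5", 443, 2 * GB),
    ("WS-ACCT-17", "192.0.2.77", 2121, 180 * GB),      # never-seen host, odd port, huge volume
]

def build_baseline(rows):
    """Per-host list of daily volumes and set of (destination, port) pairs seen."""
    volumes, destinations = defaultdict(list), defaultdict(set)
    for host, dst, port, nbytes in rows:
        volumes[host].append(nbytes)
        destinations[host].add((dst, port))
    return volumes, destinations

def detect_exfil(baseline_rows, today_rows, spike_factor=3.0, new_dst_min_bytes=10 * GB):
    """Return (host, rule, detail) alerts. Two discrete thresholds, applied per host rather
    than site-wide, so a host whose normal day is a terabyte does not drown out a
    workstation that suddenly moves 180 GB to somewhere it has never talked to before."""
    volumes, destinations = build_baseline(baseline_rows)
    alerts, today_total = [], defaultdict(int)
    for host, dst, port, nbytes in today_rows:
        today_total[host] += nbytes
        if (dst, port) not in destinations[host] and nbytes >= new_dst_min_bytes:
            alerts.append((host, "new_destination", f"{dst}:{port} ({nbytes // GB} GB)"))
    for host, total in today_total.items():
        hist = volumes.get(host)
        if hist and total > spike_factor * median(hist):
            alerts.append((host, "volume_spike",
                           f"{total // GB} GB today vs median {median(hist) // GB} GB"))
    return alerts
```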
Releasing destructive malware

“Now you are just being mean.” The attackers (note that some question whether it was even the same attackers) then took some fairly commonly used malicious code and compiled it into a specific piece of malware with a common privileged Sony credential and a list of Sony systems, and deployed it into the network, essentially lighting a slow-burning fuse as they left the network. Again, we have seen this type of behavior in other attacks, but none that have caught the US media’s attention so greatly.
Extortion / Demands

Originally it was reported that the attackers attempted to extort money from the executives at Sony by threatening them with the forthcoming destruction of their systems and public release of their data. We know that Sony did not give in to the demands initially.

At some point the demand changed from monetary extortion to demands to halt the release of “The Interview”. Curiously, this seemed to occur after the media picked up on the fact that North Korea was a possible source of the attack. This has sparked an extraordinary amount of media attention to this case, as well as an overwhelming amount of skepticism around attribution in cyber-attacks. However, knowing your adversary is not the main concern when studying this attack. We know that defeating a strong-willed and well-funded nation-state-level adversary is not likely to happen. However, we also know that understanding how the attackers gained access, assessed the environment, swiped the data, and ultimately released destructive malware allows us to focus on mitigation techniques.

Taking proper steps to ensure appropriate levels of security are in place at each step of the attack would help to increase the burden (time, money, complexity) on an attacker, which is a primary goal when dealing with deeply motivated attacks.