If you force yourself to forget the attribution argument over the recent attack on Sony Pictures Entertainment, you need to recognize that too little effort has been made to learn from the technical details of the attack, and while the technology was not as sophisticated as some believe, there are definitely important lessons here for those charged with protecting their organization.
Prevention and detection are universally too focused on the perimeter
Getting in may be the hardest part for an attacker, but only because the subsequent actions are so easy for someone with a moderate amount of technical skills. A contributing reason to the debate around attributing this breach to the right attacker group is just how many individuals are capable worldwide. A detailed timeline of the Sony attack has not been released, and likely never will be, but it is widely agreed that the initial compromise occurred when "Targeted Destructive Malware" was opened from one to many email attachments. Email attachments as an attack vector are no new invention, as their involvement in the 2011 RSA breach was widely publicized. A few experts have examined the malware and determined it to be riddled with bugs and built by amateurs, but it was still effective at getting the malicious group passed Sony's perimeter defenses, so no debate over code quality is necessary.
Whether or not you consider the malware sophisticated is irrelevant when trying to learn from its traits to properly defend your organization. The US-CERT analysis of the malware reveals that has five specific components:
- a listening implant
- a lightweight backdoor
- a proxy tool
- a destructive hard drive tool
- a destructive target cleaning tool
Possibly the most interesting part of this description is that these five parts do nothing to explain the significant action that simulates a proven human approach to compromising a network: lateral movement. Also known as propagation, the "SMB Worm Tool" scans ports 445 and 139 and uses built-in Windows shares to test stolen passwords and password hashes to move from discovered system to discovered system. This is especially noteworthy because the automation of this technique is starting to gray the line between malware and manual human-at-keyboard attacks. The human element has not been completely replaced, however, because the malicious actors needed to use established command and control (C&C) connections to pivot to other assets, steal more credentials, and escalate privileges, as the malware would not do this alone. If Sony's defenses were all focused on the perimeter, as details indicate, the attackers had no reason to rush after the C&C servers were created; they could take their time exploring the network, siphoning emails, and exfiltrating thousands of documents to be slowly perused from the safety of their lairs.
Credentials are a weapon and all types of attackers now know how to use them
The FBI has stated that "90% of the net defenses that are out there today in private industry" would have failed to detect the malware used in this attack, but what about the hours to days after this initial compromise necessary to move through the network and obtain the broad range of information that was successfully exfiltrated and is now being continually released to the public? As with almost every breach examined by Verizon in 2013 and publicly scrutinized in 2014, the attackers extracted passwords and password hashes from the systems they compromised and used them to impersonate legitimate users undetected while they confidently explored the network. This may have started with the "SMB Worm Tool" successfully burrowing into some Windows SMB shares, but it continued with the attackers performing similar actions through the backdoors initially created through the malware. Given these kinds of access points, attackers simply need to keep moving until they locate a system to which a domain administrator has authenticated and then they have unfettered (and privileged) access across the network for a significant period of time.
While credentials were used to expand across the network undetected, this is not shocking news because that is the case in nearly all attacks. One of the more shocking revelations was that a total of 139 files, containing thousands of passwords, were found within the data the Guardians of Peace managed to extract under complicated names like "passwords.xlsx" and "password list.xls". These passwords could allegedly be used to access almost any system, social media account, or web service belonging to Sony and its employees. This is exactly the kind of real world example that security professionals need to explain why their organizations should be seeking out employees with poor security awareness and enforcing better password care. That is, unless you believe no one will ever get in or no damage could ever be done with unencrypted documents labeled "passwords". The attackers' backdoors may have already been blocked when this information was discovered in the mounds of files they managed to copy to their servers, but even so, it could escalate the breadth of the corporate takedown to anything related to a Sony movie currently scheduled for release in the future. We might think it is over and then see messages injected into a movie's Facebook page twelve months from now.
This attack reminds us that every organization can be targeted and needs a continuity plan
Many attackers look to evade detection while inside and cover their tracks, when possible, but their main goal is to impact as few systems as possible on the way to their goal. Whatever the reason for this attack, these attackers reached a point where they were satisfied with the extracted data, announced to the entire company that they were inside and essentially set fire to a great deal of what they had touched, as evidenced by their choice of malware. The most shocking difference in this attack from the many previously under public scrutiny is the motive. Anyone that has previously depicted an attacker group as evil is changing their classification process:
- Breaches that leak passwords have a significant impact on consumers' level of security, but it is indirect, as they need to be used before we are hurt
- Attacks that siphon highly regulated data to monetize, such as PCI, PII, and PHI, have a more direct impact on consumers and force us to think twice about trusting our information with any given company, but they are not carried out as an act of retaliation, just parties with questionable morals willing to steal information for financial gain
- State-sponsored attacks have been acts of surgical precision to enable long-term spying on the target
- Hacktivists have historically defaced websites and leaked small amounts of information that fingers an organization as having lied or deceived the public
The varying types of attackers out there make it essential for every organization to know what information is fundamental to its business continuity. Not everyone processes financial information or stores health records, but there is something that is at the core of what you do and you need highly detailed plans to both protect and collect the necessary data to closely monitor on a continuous basis. All organizations should be adding the indicators of compromise (IOCs) for the targeted destructive malware to their detection solutions, but more proactively, you should be focused on ways to prevent and detect the many threat actions that frequently occur no matter which malware may be used in conjunction.