How NOT To Be The Next Sony: Defending Against Destructive Attacks

  /     /     /  
Publicated : 22/11/2024   Category : security


How NOT To Be The Next Sony: Defending Against Destructive Attacks


When an attacker wants nothing more than to bring ruin upon your business, you cant treat them like just any other criminal.



You know to include the threat of financially motivated cybercriminals in your risk profile. Done. But what about the ones who dont want money? The ones who just want to hurt you. How do you defend against and recover from attackers whose sole goal is to destroy?
Destructive attacks -- like the one at Sony Pictures Entertainment -- are personal. Theyre done by someone with a grudge: a disgruntled insider, an outraged hacktivist, a nation that sees the target as an enemy of the state.
Destructive attacks are also, in many ways, easier to do.
If your only goal is to do damage, says Jonathan Sander, strategy and research officer for Stealthbits Technologies, you dont need a lot of access.
As some security experts have said, the Sony attackers could have compromised the company with just a humble phishing message, then planted the wiper malware and let it take it from there. Malware is quite good at proliferating itself, so the hackers could simply sit back and watch. Watch as the malware
deleted
all the companys data and turned its hardware into expensive paperweights.
The Sony hackers opted to first burrow deeper into the network to access and exflitrate huge amounts of data -- intellectual property, regulated personally identifiable information, incriminating emails, and the details of the companys entire IT infrastructure. Instead of selling it, the attackers simply uploaded the whole lot to Pastebin where anyone could see it, damaging the company in another way.
Why and who? Thats still up for debate. In the case of Sony, the US governments official word is that the attack was carried out by North Koreas cyberwar unit, in retaliation for Sonys production of
The Interview
, a comedy about assassinating North Korean leader Kim Jong-Un.
Yesterday
, FBI Director James Comey provided a bit of evidence supporting that assertion and Director of National Intelligence James Clapper went so far as to name a specific North Korean general. 
Others say that even if it was North Koreans, they might have worked with an insider. Last week, researchers at Norse Corp. asserted that a disgruntled insider was definitely involved. As Dark Readings
Kelly Jackson Higgins reported
:
Interestingly, however, the FBIs statement specifically calls out North Korea for theft and destruction of data. Missing from that attribution is the initial intrusion into Sonys network and servers -- the phase researchers from Norse think may have occurred with the assistance of a former Sony employee with an axe to grind.
The example of a nation-state administering digital punishment for a Seth Rogan / James Franco movie is not likely to repeat itself -- so rather than trying to defend against such an attack, an organization is better served planning how to respond to a mega-destructive incident.
The threat of malicious insiders looking to stick it to their current or former employers, on the other hand, is all too common. Security experts say there are plenty of ways organizations can protect themselves against that.
 
The Malicious IT Insider
Businesses now have all sorts of tech rigged to detect intrusions and strange behavior, and issue alerts when something is awry. But what if the person receiving those security alerts is the very person causing them? The disgruntled IT security staffer is perhaps the worst threat of all. 
Sander says that organizations may contain a threat by managing user access privileges and box someone in so that they can only do so much damage. Organizations are pretty good at doing that at the application level, but not at the data level, he says -- unstructured data in particular.
To do their jobs, IT staff do need administrator access to the IT systems / applications, but dont need to access the data, says Sander. Theres no reason an Exchange admin needs to read my email, he says. And why should IT ever touch HR files?
Companies think about prohibiting access to systems, but attackers dont want systems, they want  data. And attackers arent stopped by your hardened tech, because theyve got another way in.
Hackers are usually focused on the user, not the system, says Gaby Friedlander, co-founder and CTO of ObserveIT, but organizations are usually focused on the system, not the user. So hackers can go in through the front door.
Malicious IT staff have it even easier, because theyre already inside. Thats why Friedlander says that organizations need to protect themselves by constructing user profiles, and watching for behaviors that are suspicious for that user; not just relying on a list of static rules and red flags.
The IT guys know those rules, says Friedlander. They can easily bypass them.
The point, says Sander, is not to mistrust your employees. The point is to entrust them with all the access privileges they need to do their job, and no more.
John Gunn, vice-president of corporate communications at Vasco, adds that measures like behavioral analysis are important, because a happy insider today may not be happy tomorrow. Even the right person can become the wrong person, he says.
For all of these reasons, appropriate separation of duties is essential. An insider with all the keys to the castle is an enormous threat. An insider who only has a key to the castle datacenter is less of a threat.
Replication of duties is also important. If theres only one guy receiving security alerts, and he goes rogue, nobody finds out hes up to no good. If there are two or three people receiving those alerts, the chances of detection are much greater. Sander points out that a smaller company may not have the manpower to do that, but they should if they have the resources to do it. 
Compounding the problem, says Friedlander, is that incident alerts are not always provided with enough context or forensic evidence, so the department deals with it as an IT problem, not a security problem. The helpdesk may solve suspicious activity by simply resetting a password, without investigating why that password needs to be changed. 
Mind you, none of these measures necessarily prevent the destruction of hardware -- deploying wiper malware, shooting servers with a machine gun, or throwing all your back-ups onto a bonfire. However, they do make it more difficult for a malicious insider to damage a company by
deleting
or disclosing essential corporate data.
 
Respond and Rebuild
Incident response after a destructive cyber attack -- particularly one at the scale of the Sony super-mega-ultra-destructive one -- may need to be approached more like a physical disaster (flood, explosion, etc.) than a digital one.

When Hurricane Sandy (AKA Superstorm Sandy) hit New York City and New Jersey, buildings were destroyed, lives were lost, roads were closed, and power and telecom lines were down for weeks. During that period, government workers in New Jersey were communicating through an emergency radio system. They were sitting in their cars, updating emergency info on government websites via their personal mobile phones, plugged into car chargers.
Replication of duties were important too, so that essential functions could be still be conducted, even if the usual point person was without power, or in a hospital or evacuation center.
Although the Sony incident was not a disaster of that caliber, it did present some of the similar challenges. It left the company without client machines, email, VoIP, or any of the other usual communications technology.
Further, when a cyber incident occurs, fingers may be pointed, eyebrows raised, and questions asked about whether a malicious insider was involved. Was it a disgruntled ex-worker who has left more timebombs? Is that person still within the company? 
Thats a scary proposition. Sony really needs to rebuild from scratch, since every detail of their IT infrastructure was publicly exposed. If one of the culprits could still be working within the company, do you want to involve them in the rebuild process? Or should that all be outsourced to a third-party without a dog in the fight?
Frankly the only difference is a matter of culpability, says Sander. If theres another devastating destructive attack, do you sue the service provider or chop off heads inside the company? You can make a case for either.
As for the post-incident public relations, You can see the pattern, says Gunn. Were investigating a possible breach, which means they know theyve been hit. Then they confirm they were compromised, in a manner that was completely unprecedented. It wasnt our fault! It was like a meteor hitting!
 

Last News

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
How NOT To Be The Next Sony: Defending Against Destructive Attacks