Working in information security for the past 20 years, I have seen a lot. Though there have been many multi-million dollar impact breaches, the recent Sony Pictures hack and subsequent data exposure and extortion is probably the most impactful to a company out of the previous breaches this year.
Recent articles revealed that some employees thought that the hack was, “a long time coming,” and stolen information that was released indicated “passwords were easy to find.” There are other articles disclosing various technology issues and outages shortly before the information was released. Though blamed on employee carelessness and technology failure, these outages could have been intentional sabotage to cause material impact, or possibly created as smoke screens to draw attention away from the attacker’s data gathering activities by flooding logs and misdirecting personnel with flashing lights and screaming employees.
It is conceivable that the recent breach was the result of a target phishing campaign that at least one employee succumbed to. It could have been initiated a Trojan horse program that an employee downloaded. There are a number of other options, but the scariest thought is that the attackers may have been in Sony’s systems since the 2011 hack of the PlayStation network working their way through to all of the data they wanted. Recent reports from Mandiant, who Sony hired to perform post-breach forensic analysis, and others indicate that the median time for an attacker to reside in a network is around 8 months. Yes, this situation would be quite long, but not impossible—especially if security was as lax as it is beginning to seem.
That is a lot of backdrop, but I think it’s appropriate. I am briefed by a lot of companies, and it just so happens that one of the most recent is an automated threat detection/ threat intelligence company named Vectra Networks. More specifically, Vectra focuses on automated breach detection. They are not the only player in this space, but since they are the freshest in my mind as I ponder over what Sony could have or should have done differently, I am going to use their X-series solution as a basis for discussion.
With everything that has gone on leading up to this nightmare, many say it is hard to believe that no one noticed any of the malicious activities before the situation exploded. To that I say, yes and no. I would have hoped with the kind of resources that Sony had at its disposal that they would have invested in the right tools to protect their intellectual property, private data, and employees’ personal data. If that was not done, then it is easily conceivable that the information security and IT staff never saw the breach-related activities.
Being an organization of Sony’s size and without proper tools, the volume of logs they received would be like drinking from a fire hose. The key log information indicating potentially malicious activity would have been buried, and in fact, may not have been created at all. If insider identities were compromised to gather the data, no high priority alarms and few, if any, logs would have been generated. Logs are generally only created when authentication occurs, which is perfectly normal, when specifically desired activities occur, or when abnormal activities occur. This is where Vectra comes in. Vectra is one of those “right tools” for the job that would have significantly helped Sony in early detection of this issue.
The key for Vectra is their use of machine learning and data science to identify patient attackers as they spy, spread, and steal inside a network. Once an attacker compromises the first victim, the goal then becomes to expand that compromise across the network, laterally moving from one system to the next to both establish persistence and to locate and ultimately steal or destroy key information. Vectra not only detects the many malicious steps of a long-term attack, but does so in the context of user behavior and the location of key assets in the network.
If the Sony Entertainment scenario was one of long-term infestation from the PlayStation hack and Vectra’s X-series solution had been installed, it would have identified and significantly aided IT security in early detection. Given the activities of everyone in the network, Vectra would have been able to identify the user(s) and system(s) that were not acting like the others. In the case of the malicious activities starting post installation of malware, Vectra would have seen the change in behavior of the user/system in question and raised a flag because of the change in behavior. In the case where the activities were going on before it was installed, it would have used a comparison between the users/systems and others in their assigned [Active Directory, LDAP, etc.] groups to understand that not all personnel in the group were behaving the same and thus would have still red flagged the behavioral divergence. Ultimately, to get the data out of Sony’s network it would have to be moved from its normal repositories to a server that had connection to the internet so it could be transferred. If Sony had been perpetrated by an insider, it would need to have been collected to a computer where it could be copied to a mass storage device or sent out. Using the Community Threat Analysis, the user or system activities required for creating a connection to or from the data source systems that don’t normally communicate would have raised an alert.
What other dirty little secrets will be revealed and how many people will lose their jobs? At this point only time will tell what else the hackers have in store for Sony. However, I believe that the attackers most likely still have a foothold in Sony’s network and Sony has some time before they will be out of the woods. They need to engage some serious resources to exterminate the attacker presence and fortify their prevention, detection, and response capabilities or this will happen again. Other organizations should consider the same.
 A trojan is a program that beyond its intended or identified purpose has a hidden code to perform other actions without the user’s knowledge.