Mandiant job order: item one ...
"Give us a get-out-of-jail explanation - no objections to exaggeration and making things up"
Criminals are picking through gigabytes of leaked personal information from Sony Pictures' ransacked computer network, triggering identity theft alerts, staff have told The Register. We're told crooks are, as is inevitable these days, mining files dumped online by hackers, who comprehensively compromised the movie studio's …
It's clear that Sony wants to paint this breach as being overpowering, overwhelming, and leading-edge. Better still if they can blame it on North Korea.
Of course, facts like Sony stored passwords unencrypted in a file called Passwords, and that only two IT people were assigned to oversee security (monitored by two managers, two directors, and one Vice President, the five of which should be held criminally liable) seems to indicate that Sony could have been hacked by someone armed with only a Speak-and-Spell...
If only we had a system that could detect funny looking network traffic with things like names, SSN's, email addresses, etc.... or, at least, one that could pick up on GB's of data heading to servers with IP addresses in countries that we don't do business with... Hmmm......
Yes, I'm saying an IPS/IDS would have done them some good. And to say otherwise is a suspicious claim, at least.
Sure, GBs of data all trying to leave at once, you'll notice… but what does an SSN, name or email address look like when it's been passed through AES256 or similar?
It looks just like a lack of reasonable security precautions... exactly like that. I would be willing to bet they have commercial AV that auto-updates from the commercial web site, patching set up in much the same manner, a poorly set up firewall between internal and external domains, and perhaps a proxy server, no DMZs, no internal firewalls, no port security, no IPS/IDS, all machines running the same OS, plenty of BYOD, no reasonable password requirements anywhere...
A wide-eyed assessment of "there was nothing that you could have done" is just ridiculous. Commercial AV should be one security measure. Obviously, they have had quite a bit of data that others might want to exfiltrate. Why was there no mention of any sort of data loss protection? It's not as though AV was designed for that.
As near as I can tell, this is in the hundreds of GB's, I'd not be surprised to see it in the TB range.
But, it all depends on where you put an IDS/IPS. Compromise a DMZ box, then use it as a hop point inward, hang your exfil point from a media server and detection would be problematic.
C&C traffic is trivial to miss until you learn what IP the C&C lives on, having any sensors on the internal network is mixed in industry.
Case in point, my Fortune 200 company is a cloud services, data services and information security services company. Our network has taps all over the place to monitor for suspect traffic and pull pcaps for forensic investigation if there is a breach. Despite terabytes of storage being incessantly filled, we still find the odd gap that we're blind to. It's very much a game of whack a mole in that department, due to the complexity of the various business units and their networks, as well as client interconnection points.
I agree with your 1st statement (DLP), but:
"or, at least, one that could pick up on GB's of data heading to servers with IP addresses in countries that we don't do business with"
Interesting you use the word WE...I assume you mean THEY. I've heard so many different amounts of data, but if it is ONLY in the GB range, depending on the environment, a few dozen, or even hundreds of gigs over a standard protocol might not ever be noticed, or an indicator of anything abnormal. We have 600Gb/s, use 1/2 or more of it....a quarter Terabyte is nothing....add to that malware which may rate limit itself and you'll never see it. And whose IPs? NK's? No, they only have a single /21. My small VPS provider gives me 5TB/month for each virtual instance, so for me, that's 15TB for $45/mo....5 in Atlanta, 5 in Oregon and 5 in NL. Spin up a few dozen AWS hosts and send it there, and that's regular traffic these days.
As for I[D|P]S, having used Snort and others since the 90s, they are not geared for this type of attack. A person has to look for little things that stand out, not big things. "Hey, why did that file server just try to perform a single DNS query directly to the internet, vice what's configured in networking?" Certainly you can have an IDS rule for !DNS_SERVERS ANY -> $EXTERNAL_NET 53, but that isn't a default rule.
Notice few vendors use the term "Anomaly Detection" in their product literature.......That's what is needed.
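The check described in the comment above (a host that is not a configured resolver sending DNS straight to the internet), applied to flow records, as an added example that is not part of any commenter's post. The resolver addresses, internal ranges and six-field flow format are assumptions, and the sample flows are constructed.

```python
import ipaddress

# Hypothetical site configuration (assumed, not from the thread).
DNS_SERVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow records: timestamp src dst proto dport bytes
SAMPLE_FLOWS = """\
2014-11-20T02:11:04Z 10.0.0.53 198.51.100.7 udp 53 92
2014-11-20T02:11:09Z 10.20.3.14 10.0.0.53 udp 53 74
2014-11-20T02:13:41Z 10.20.8.200 203.0.113.25 udp 53 81
2014-11-20T02:13:55Z 10.20.8.200 203.0.113.25 tcp 443 5120
2014-11-20T02:14:02Z 10.20.3.14 203.0.113.99 tcp 53 1460
malformed line here
"""

def is_internal(addr):
    return any(addr in net for net in HOME_NET)

def parse_flow(line):
    """Return (ts, src, dst, proto, dport) or None if the line is unusable."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, _nbytes = parts
    try:
        return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))
    except ValueError:
        return None

def direct_dns_alerts(text):
    """Flag internal non-resolver hosts talking to external port 53.

    Returns (alerts, skipped); skipped counts unparseable lines so that
    gaps in the log feed are visible rather than silently ignored.
    """
    alerts, skipped = [], 0
    for line in filter(str.strip, text.splitlines()):
        rec = parse_flow(line)
        if rec is None:
            skipped += 1
            continue
        ts, src, dst, proto, dport = rec
        if dport == 53 and proto in ("udp", "tcp") and is_internal(src) \
                and src not in DNS_SERVERS and not is_internal(dst):
            alerts.append((ts, str(src), str(dst), proto))
    return alerts, skipped

if __name__ == "__main__":
    for alert in direct_dns_alerts(SAMPLE_FLOWS)[0]:
        print("direct DNS to internet:", *alert)
```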
That 'expert' is spouting utter crap, of course companies can prepare for the 'unexpected', it's called good security practice.
How about using one time ciphers for logins, keeping an active log of all logged in sessions & only allowing one session per user (unless said user can demonstrate a need for more)
How about not keeping passwords for accounts in an unencrypted file called passwords where they are all in clear text?
There are a whole host of things that Sony could have done, but didn't because they didn't want to spend the money on securing their network. They have now paid the price for it & paying an 'expert' to whitewash their failings is not a good enough response to the threat they have exposed their employees & their employees' families to, many of whom I suspect can't afford the kind of home or personal security that Sony Pictures managing executives can afford
2 factor auth is not sufficient for this type of attack. Even Microsoft ranks 2 factor as ineffective in stopping APTs. The reason why is it only protects Interactive and Remote Interactive logons.....neither of which were used unless it is an inside job, and the insider is lazy and stupid. Logon Types (assuming Windows) 3, 4 and 5 do not and cannot use OTP, for operation reasons.
If they come in via a reverse shell over an encrypted connection, they will move through the network with Type 3 logons. They dump hashes with a version of, let's say WCE, which has been modified not to be detected by AV, until they find a set of cached domain admin credentials......and they will find them, and then use PtH to go wherever they want......who needs to crack these days.
That's day 1.
The security measures mentioned were not meant to be taken as an exhaustive list or bulletproof defence against such a hacking attempt. They were just the first examples of security procedures that popped into my head which it is clear from the post-mortem of the attack that Sony clearly haven't heard of.
All it would have taken would have been some simple steps that ok would have cost Sony in a little money / time & user inconvenience. They chose not to take any steps at all, not even the equivalent of putting a lock on their virtual front door it would appear in order to save money on infrastructure / IT spending & user training.
...stop repeating this nonsense; this was not in any way an APT. The term 'Absolute Sownage' was coined over 3 years ago for a reason (their networks have been pilfered time and time again since 1999). Mandiant has at least 2 fairly respected researchers on staff... I cannot believe that this response from their CEO will sit well with them. At the least, this type of whitewash should give potential customers and for sure their peers in the "industry" pause for concern. I'm not saying Mandiant as a company ever actually had some form of ethical standards (how many commercial entities can claim that they do?), but a few of their researchers definitely do (did?). I await their response and/or exodus.
Funny how people always know the Best Solution after Murphy has struck..
That said, something on this scale is pretty much unprecedented, it's a whole level up compared to the usual leaks/breaches. Almost an Ocean's [umpteen] job compared to your run-of-the-mill bank robbery. Certainly not the work of your average script kiddie, or even dedicated lulzcrew.
One of the funniest things I see in the comments is that people assume they pulled all the data at once.. This Is Stupid... If the attack was as sophisticated as it seems to be, the people behind it could easily have slowly bled the data out without triggering any alarms. Comprehensive breach with elevated rights and stuff, you can, y'know..., do things, at leisure, under the radar...
Leaking the data to the Wide Intarwebs is also a brilliant idea to confuse the trail. Whoever did this is obviously fully aware of the lulzcrowd and their habits, and the lovely smokescreen it can provide. Given the scale of this, a smart person would stay the hell away from stuff this hot, but script kiddies and bragging rights, eh? Good way to create several layers of subterfuge and misdirection as to who has really done It. And most beautiful of all: the suckers do it to themselves, of their own free will, without having to prod them into action.
Nation state or criminal group (and unless people have been living under a rock, yes, there are a couple out there that are just as sophisticated as quite a few Intelligence Agencies...), this has been a big one, and the current brouhaha is only the first chapter in the book.
"Nation state or criminal group (and unless people have been living under a rock, yes, there are a couple out there that are just as sophisticated as quite a few Intelligence Agencies...), this has been a big one, and the current brouhaha is only the first chapter in the book."
Interesting hypothesis. I hereby award you an up-vote and a Black Helicopter !
I'm going to see if I can find my copy of Burning Chrome. ;)
I like the intermediary path here spindling the data, or at some channels of data, through AWS. It's extremely likely that Sony has some traffic with AWS so who's going to twig to another instance. And you can take your sweet time in the extraction.
I wonder what the real extraction was all about? Corp espionage?
Certainly any criminal intrusion was criminal but was it not also sort of criminal if Sony failed to follow well known and readily available practice to secure their systems. The shareholders have reason not to be impressed with management.
There seems to be ample evidence that they failed rather badly to take adequate precautions and so increased their risk unnecessarily. The reported storing of passwords in a file named passwords is an absurd failure for starters.
...but that somebody should be in a C-level position for a change.
It's annoying how they are always the first to claim credit for things that go well, or come up with some spin-doctored explanation to render turds into muffins. They excel (pun intended) in being the last to actually take ownership and responsibility for what's going on in their company -- which often includes ruthless savings on IT costs, while topping up their own salary and bonus year by year.
Accountability should start at the top, not somewhere in the lower middle management.
After the hit Sony took on its SOE division in 2011, you'd think there would have been some decent security in place, right?
Sony just has all the luck & evidently all the salaried placeholders they could ever want in critical systems. So Sony didn't learn a thing while I learned to have a separate protected account for my entertainment purchases after the SOE Everquest debacle...
In LawyerSpeak, that email don't mean doodoo. Sony has had ample precedence & break-ins prior to this egregious example & did not perform their due diligence. How much should the check be, your Honor?
*OT but.... 1st time in my 50 years on earth, I realized the word 'doesn't', only saves a single space. mind=blown. Have a great day.
... but I'm not sorry about Sony-the-company-itself. I still remember the PITA that was removing the Sony rootkit from client's machines back then. It seems that getting almost scot-free from that crime blunder gave management a sense of invincibility regarding security issues. "Why bother expending money in good security? If we could pull out of the rootkit scandal unscathed, we can do as we fucking please".
I hope the shareholders pull out their fingers and fix the situation, starting by removing several of the topmost management layers.
The only thing unprecedented here is the level of damage to the company's bottom line.
It's been decades since Wargames came out, and yet companies are not securing sensitive systems from the internet. They do this for the convenience of their executives and managers rather than make them do a bit more work.
The only way to prevent access to a computer system is to have it 100% isolated,
You have things attached to a discrete network that literally can't talk to any other network.
You can have remote servers dedicated to a single purpose. A system designed to back things
up does not need to necessarily be able to allow downloads by default of that data without human
Sony is a freaking hardware company. Make some damn computers, NOT by the lowest bidder in China, that have built in encryption by nature. You can easily have a hardware based key that is literally impossible to crack, you just need to have the two individual systems be given the keys.
Make a key longer than the message, using progression along the key and it becomes impossible to crack.
There are too many managers that demand sysop rights that just don't need it.
Users need to be limited to accessing information that they NEED and nothing more.
Stop using social security numbers as an ID.
You map an internal ID to it and use that instead, keeping the SS#'s only on those systems that specifically need them, and even then you need to use good encryption.
You cut corners, you pay the price.
This might be as big a screw up as the oil spill in the Gulf Of Mexico because they wanted it the cheapest way rather than the right way. That stupidity wiped out any of the savings they achieved and cost them Billions more on top of it.
What is Sony doing for their employees who have had their personal data exposed?
Why did an employee have to sign up to a credit protection agency himself? Shouldn't Sony really have done this for every exposed person as a way of both buying goodwill and crisis management?
Sony, Home Depot, and all the rest do a simple calculus: "Can we, the board, get more back by spending a dollar here vs spending it over there?" No account of what the Reg commentariat thinks is the right/sensible/moral thing to do, what the external effects might be, etc.
So the (Sony) CIO who goes to the board and says, "I need $100m to secure us against attack" is immediately asked, "will it earn or save more than $100m? Billy Bob over there wants $100m to make the next Spider Man, and he says it'll make us $4bn."
Net-net, no change. The only way to get companies to proactively manage security is to increase the stakes such that a failure costs them real, stock-price-crushing money. Take a look at Sony's stock this week. Barely a dip (http://www.sony.net/SonyInfo/IR/stock/stockprice.html).