Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/6/2015
01:19 PM
Jeff Schilling
Jeff Schilling
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Deconstructing The Sony Hack: What I Know From Inside The Military

Don't get caught up in the guessing game on attribution. The critical task is to understand the threat data and threat actor tactics to ensure you are not vulnerable to the same attack.

The heightened tensions in cyberspace over the Sony cyberattack and the subsequent DDOS in North Korea have all network security professionals around the globe on high alert. Some sensationalists will want to equate this to the cyber equivalent of the Cuban Missile Crisis. I believe that is an overreach based on the facts that we know and my experience working in government and incident response.

Many folks are fixated on trying to figure out who is behind this attack. In my opinion, the public cannot draw any clear conclusions on the attribution of the actors behind the Sony attack based on the information that has been released to date. Connecting tradecraft and infrastructure is not enough evidence for clear attribution to North Korea. Advanced, targeted threat actors use other's infrastructure and tradecraft all the time to obfuscate their activity.

Significant (unpublished) evidence
I have to believe if the FBI and Sony are pointing the finger at North Korea, there is significant evidence not made public that allows them to draw that conclusion. The basis for my assertion relies on two observations:

First, major corporations immediately retain legal counsel upon the discovery of a major breach. Legal counsel's advice is to always limit public disclosure of information to reduce future liability. If this is the case here, it does not make Sony or their legal counsel evil. It is a fact that we must all live with considering the very litigious world of cyber security.

Second, the FBI and other government organizations likely have multiple sources of intelligence (signals intelligence and human intelligence) that they believe triangulates attribution of the actors behind this attack. Likely, these other sources of intelligence are highly classified and will never be released to the public. This classified information requires the cyber security community to take on faith that the government's attribution picture is credible when paired with these other methods of intelligence that cannot be shared.

The role of ransom
Another question everyone is asking: Is this escalation to a destructive capability going to be the norm going forward? Absolutely. This is truly the one element of the Sony story that keeps me up at night. We are seeing a trend in destructive activity on the rise.

Previously, cyberthreat actors were mainly focused on computer network exploitation for purposes of crime, fraud, or the theft of intellectual property. I observed a disturbing trend a couple of years ago with the crypto locker actors holding victims for ransom. These activities started off more as an annoyance, but have quickly escalated in the past few years to the point where major damage has been done to companies by ransom actors.

To me, the Code Spaces incident should have sent a shockwave through the security community. Ransom actors are now an existential threat to some companies. In the Code Spaces incident, the company had its hosted environment compromised and all of its customer data deleted when they could not pay the ransom. Code Spaces had to shut down their successful company as a result.

When you boil down the motive behind the Sony attack, it truly is about ransom. There has been no disclosure that the actors were seeking money, but they were definitely demanding concessions and actions by Sony which caused them to modify their business plans.

What we don't know
The other big question everyone is asking is did the US government strike back against North Korea? While I don't definitively know the answer, one thing I am positive about is that the process to approve offensive operations in cyberspace on behalf of the US government does not happen quickly. I think it is very unlikely that the US government would retaliate against North Korea for the Sony attack. I think our government's response is more likely that our intelligence organizations will increase their collection on North Korean targets, but the bar for offensive cyber operations is very high. There are other more effective levers in diplomatic and economic pressure that the US can leverage to achieve our national objectives.

Where does that leave us? My first bit of advice: Don't get caught up in the guessing game on attribution. Leave it to government organizations and the victim -- in this case, Sony -- to worry about the "who done it." In just about all cases, the government or victim organization will be unable to release all of the relevant facts around attribution. The critical task is understanding the threat data and threat actor tactics to ensure you are not vulnerable to the same attack.

It's also important to add a risk factor of sophisticated ransom actors to your math homework when you present to the board to justify additional security investments. Too much of the security industry is still focused on the data that you "have to protect" instead of protecting the entire organization. In today's cyberrisk environment, you cannot predict who the ransom actors will go after. In fact, in many cases, your organization could become a target due to some random opportunity threat actors find to gain access to your systems. The best strategy is to become a hard target by seeking out the most secure infrastructure to host your most critical data and applications.

This article is probably not going to help any of my fellow security professionals sleep better. However, I hope this discussion brings into focus some things you should be worried about in the wake of the Sony attack and helps guide you in where to invest your future security efforts.

Jeff Schilling, a retired U.S. Army colonel, is Armor's chief security officer. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of responsibilities include security operation, governance ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Jeff.schilling
50%
50%
Jeff.schilling,
User Rank: Author
1/8/2015 | 3:23:31 PM
Re: REGIN
@Ryan,

I probably did sound contradictary in the comments you highlighted.  Great catch.  I did not do a good job in defining where I am talking about threat and where i am talking about data/applications.  

In the first reference, I was referring to Data and Applications.  In other words, you cannot protect all of your data and applications, you should aggressively segement and control access to your company crown jewels.  

In the second reference, I am referring to threat.  I am trying to coach CISO's and business owners to assume you are a target.  Too many companies, like CodeSpaces, probably believe they are not a target because they do not have something of value to criminals (i.e. Credit card data, Electronic Health Records).  Even in this case, these companies should still NOT try to protect their whole environment, especially if it is very complex or dynamic.  They should still identify the company crown jewels and aggressively segement.   In the use case of CodeSpaces, they might have been saved by 2 factor auth for their admin access to their cloud envrionment.   

Hopefully that clears up the confusion, thanks for asking for clarification.

 

  
Jeff.schilling
50%
50%
Jeff.schilling,
User Rank: Author
1/8/2015 | 11:33:55 AM
Re: Ransomware and backups
As I mention in my article, the government could have some forms of intelligence that they can not share with the general public.  I am not going to speculate, but I have a good idea based on my experience of what it takes to truly get attribution.  It is kind of like triangluating your position on a map from reference points.  The more reference points you have, the greater accuracy you can plot your position.  

Bottom line, the more reference points in intelligence collection you have, the greater the accuracy you can predict attibution.  I will say that what has been released, to include the additional information that Director Comey release does not make that case to me.  But as he says, "If you could see what I see..." there maybe other forms of intel that does make the case.  The whole point of my article is to get security folks focused on the important facts and leave the attribution to the government and Sony.

 

 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
1/8/2015 | 9:58:15 AM
Re: REGIN
@Jeff.

Could you elaborate on the following two statements; one was made in the article and the other was made in a post from you. The two seem to contradict each other.

 

Post- " I think some of the big companies should start changing their strategy from trying to protect everything, to protecting what is important and assuming everything else is potentially compromised."

 

Article-"Too much of the security industry is still focused on the data that you "have to protect" instead of protecting the entire organization. In today's cyberrisk environment, you cannot predict who the ransom actors will go after."


The only discrepancy I could find was that one elaborates to big organizations but the other is ambiguous to use case. Thanks!
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/8/2015 | 9:36:29 AM
Re: Ransomware and backups
@Jeff, I wonder what your thougts are about the FBI comments that "Sloppy' North Korean backers gave themselves away...

 

 

Jeff.schilling
50%
50%
Jeff.schilling,
User Rank: Author
1/7/2015 | 2:05:45 PM
Re: Ransomware and backups
Terry B,

For the CodeSpaces incident, the threat actors owned their corp network.  They sent ransome threats.  As the victim tried to clean up their infected network, the threat actors captured their log on creds for their customer environment, hosted by a cloud provider.  Once they had those log on creds, they locked the victim out of their own hosted cloud environment.  Sent another ransome threat.  When the company could not pay, the threat actors deleted their customer data (because they had admin creds), to include backups, in the hosted cloud environment.  

Root cause, No Multifactor auth for admin access by the victim to control their hosted environment, no security controls in their hosted environment, no way to recover deleted data and walk back what the threat actors had done.  

The real lesson here is you get what you pay for in security when you host in a cloud provider.  You have to secure that environment as vigiously as you would secure any of your data.  Most cloud companies make security an add on feature.  At FireHost, we are a secure cloud, our customers can't opt out of our security protection.
TerryB
50%
50%
TerryB,
User Rank: Ninja
1/7/2015 | 1:36:38 PM
Ransomware and backups
Jeff, how did that ransomware attack put that hosted company out of business? Surely people are still making backup copies of their (hopefully) virtual servers and more timely copies of the data itself? I could see this causing a loss of some data, like from last backup. But to take them out of business completely? How is that possible?

Is there something about ransomware and backups I'm not understanding? What you describe would be major pain in rear end here while we rebuilt services and data. But knocking us out of business, I don't think so.

Actually I know so since our primary business server is an IBM i5 server which is not addressable from internet and can't be infected by someone clicking on rogue attachment/web page.

It is our infatuation with Windows type computers which run script and allow easy o/s corruption, combined with connecting directly to Internet for "customer services" which has put us all here. Anyone got stories of IBM mainframes being pawned like these Windows/Linux servers are? Besides an inside attack, of course. No system can survive that if the good guy decides to become a bad guy. You can only hope to stop them sooner rather than later in that case.
SgS125
50%
50%
SgS125,
User Rank: Ninja
1/7/2015 | 12:14:28 PM
Re: REGIN
I suspect that since the Sony situation has overtaken the media and completly obfuscated the REGIN discovery we will not hear much more about it.  There were several fine technical analysis of the code and it's methods.  A seriously long read for anyone who cares to speculate on the methods and uses of this type of malware.

 

Let's hope that we and our networks we protect don't have anything interesting enough for the players that play to ruin our day.

 

Don't forget to hide your backups!  They can't encrypt or erase what they can't find.

 

 
Jeff.schilling
0%
100%
Jeff.schilling,
User Rank: Author
1/7/2015 | 12:06:17 PM
Re: REGIN
Re: REGIN, no clear attribution has been assigned to this framework.  I doubt that it ever will be clearly attributed.  There are lots of sophisticated nation-state threat actors, I would not jump to any conclusions on who is holding the strings on that framework.

In the US, we have US Code Title 50 congressional legislation that limits foreign intelligence collection on US soil by the US Intelligence Community.  Any exceptions to this are adjudicated by the FISA court when the Intelligence Community can show that the data they want to collect on US soil is critical to putting the pieces together on other global collection efforts.  There have been some well-publicized cases where some folks believe the FISA court got the decision wrong, I am inclined to agree in some cases with those skeptics that the collection was an over reach.  However, I will offer that there is no other cyber super power that has this kind of oversight that keeps their intelligence collection limited to foreign collection only.  They might not get it right every time, but there is no systemic abuse that we should worry about.  I do not lose any sleep over this at all.

To clarify what keeps me up at night, threat actors had for the most part focused on Computer Network Exploitation.  Now they are more increasingly getting kinetic and destroying IT infrastructure, having a serious business impact.  Most large multinational organizations like Sony and many others have a very large surface area of attack due to the massive complexity associated with managing a global enterprise.  I think some of the big companies should start changing their strategy from trying to protect everything, to protecting what is important and assuming everything else is potentially compromised.

Thank you for your comments.  This is great dialogue.  

 
SgS125
100%
0%
SgS125,
User Rank: Ninja
1/7/2015 | 11:07:04 AM
REGIN
Should we also wait to hear from the Government on what they had intended to do woth the REGIN attacks?

I agree that the "media" who ever you consider them to be, has it wrong, will always have it wrong, and can't understand enough of the situation to ever report anything other than what they are told to repeat.

If you are sleepless over this then you have already lost your battle.  It's always the next unknown threat that gets us, no point in worrying over it or asking for more money to protect you from things you don't know about or can't plan for.  

We can only hope that all the exploits that our "freinds" in Government hold secret will not be used against us.

 

 

 

 
Jeff.schilling
100%
0%
Jeff.schilling,
User Rank: Author
1/7/2015 | 10:04:38 AM
Re: Commentary
That is an interesting theory and very plausable.  That would be what I would do as well to cause more confusion.
Page 1 / 2   >   >>
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1619
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session ...
CVE-2019-1620
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device. The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could ex...
CVE-2019-1621
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to gain access to sensitive files on an affected device. The vulnerability is due to incorrect permissions settings on affected DCNM software. An attacker...
CVE-2019-1622
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software...
CVE-2019-10133
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.