
Jeff Schilling
Deconstructing The Sony Hack: What I Know From Inside The Military

Don't get caught up in the guessing game on attribution. The critical task is to understand the threat data and threat actor tactics to ensure you are not vulnerable to the same attack.

The heightened tensions in cyberspace over the Sony cyberattack and the subsequent DDoS in North Korea have network security professionals around the globe on high alert. Some sensationalists will want to equate this to the cyber equivalent of the Cuban Missile Crisis. I believe that is an overreach based on the facts that we know and my experience working in government and incident response.

Many folks are fixated on trying to figure out who is behind this attack. In my opinion, the public cannot draw any clear conclusions on the attribution of the actors behind the Sony attack based on the information that has been released to date. Connecting tradecraft and infrastructure is not enough evidence for clear attribution to North Korea. Advanced, targeted threat actors use others' infrastructure and tradecraft all the time to obfuscate their activity.

Significant (unpublished) evidence
I have to believe if the FBI and Sony are pointing the finger at North Korea, there is significant evidence not made public that allows them to draw that conclusion. The basis for my assertion relies on two observations:

First, major corporations immediately retain legal counsel upon the discovery of a major breach. Legal counsel's advice is to always limit public disclosure of information to reduce future liability. If this is the case here, it does not make Sony or their legal counsel evil. It is a fact that we must all live with considering the very litigious world of cyber security.

Second, the FBI and other government organizations likely have multiple sources of intelligence (signals intelligence and human intelligence) that they believe triangulates attribution of the actors behind this attack. Likely, these other sources of intelligence are highly classified and will never be released to the public. This classified information requires the cyber security community to take on faith that the government's attribution picture is credible when paired with these other methods of intelligence that cannot be shared.

The role of ransom
Another question everyone is asking: Is this escalation to a destructive capability going to be the norm going forward? Absolutely. This is truly the one element of the Sony story that keeps me up at night. We are seeing a trend in destructive activity on the rise.

Previously, cyberthreat actors were mainly focused on computer network exploitation for purposes of crime, fraud, or the theft of intellectual property. I observed a disturbing trend a couple of years ago with the CryptoLocker actors holding victims for ransom. These activities started off more as an annoyance, but have quickly escalated in the past few years to the point where major damage has been done to companies by ransom actors.

To me, the Code Spaces incident should have sent a shockwave through the security community. Ransom actors are now an existential threat to some companies. In the Code Spaces incident, the company had its hosted environment compromised and all of its customer data deleted when they could not pay the ransom. Code Spaces had to shut down their successful company as a result.

When you boil down the motive behind the Sony attack, it truly is about ransom. There has been no disclosure that the actors were seeking money, but they were definitely demanding concessions and actions by Sony which caused them to modify their business plans.

What we don't know
The other big question everyone is asking is: Did the US government strike back against North Korea? While I don't definitively know the answer, one thing I am positive about is that the process to approve offensive operations in cyberspace on behalf of the US government does not happen quickly. I think it is very unlikely that the US government would retaliate against North Korea for the Sony attack. I think our government's response is more likely that our intelligence organizations will increase their collection on North Korean targets, but the bar for offensive cyber operations is very high. There are other, more effective levers in diplomatic and economic pressure that the US can use to achieve our national objectives.

Where does that leave us? My first bit of advice: Don't get caught up in the guessing game on attribution. Leave it to government organizations and the victim -- in this case, Sony -- to worry about the "who done it." In just about all cases, the government or victim organization will be unable to release all of the relevant facts around attribution. The critical task is understanding the threat data and threat actor tactics to ensure you are not vulnerable to the same attack.

It's also important to add a risk factor of sophisticated ransom actors to your math homework when you present to the board to justify additional security investments. Too much of the security industry is still focused on the data that you "have to protect" instead of protecting the entire organization. In today's cyberrisk environment, you cannot predict who the ransom actors will go after. In fact, in many cases, your organization could become a target due to some random opportunity threat actors find to gain access to your systems. The best strategy is to become a hard target by seeking out the most secure infrastructure to host your most critical data and applications.

This article is probably not going to help any of my fellow security professionals sleep better. However, I hope this discussion brings into focus some things you should be worried about in the wake of the Sony attack and helps guide you in where to invest your future security efforts.

Jeff Schilling, a retired U.S. Army colonel, is Armor's chief security officer. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of responsibilities include security operation, governance ...
User Rank: Apprentice
1/7/2015 | 9:20:31 AM
Re: Commentary
Thanks for the reminder about the relative speed of government cyber-attack. It reminds me of a scam model where the bad guys also impersonate the authoritative response, confusing the issue and slowing down actual law enforcement actions. What if the same group that attacked Sony also attacked N Korea's infrastructure? Then the public is left with the impression that maybe the US is retaliating for the Sony attack, as is a common reconstruction floating around the Internet right now.
User Rank: Author
1/6/2015 | 6:08:35 PM
Re: Commentary
The ransom actors are gaining in sophistication of their operational processes. If this truly is ransom actors, this is a serious escalation that should not be a wake up call, it should be an awakening.
User Rank: Author
1/6/2015 | 6:06:22 PM
Re: Take on faith that the government's attribution picture is credible
Marilyn, thank you for your comments. Attribution in this case is really only important for the government/Law Enforcement and the victim to worry about. I applaud the FBI for getting some technical data out to us relatively quickly that allowed us to take some proactive measures. Knowing how that process worked, Sony likely gave them permission to share that information with the broader community, which is to their credit as well.
User Rank: Apprentice
1/6/2015 | 5:23:48 PM
Good article. Your comment about not sleeping well at night should definitely be heeded. Every CSO/CISO should not sleep well at night! I have enjoyed all of the commentary from the mainstream media - like they know! Retired Air Force member here!
Marilyn Cohodas
User Rank: Strategist
1/6/2015 | 4:20:01 PM
Take on faith that the government's attribution picture is credible
Thanks for this analysis @JeffSchilling. You make a strong case that there is a lot more that we don't know about the government's thinking on North Korea than we do know (or ever will know). That said, to those in the cybersecurity world who have lost their trust in government, it's a giant leap of faith.