Sony Hack Spotlights Vulnerabilities: A Review of the Threat Landscape
FBI director James Comey recently reaffirmed the agency’s initial position, attributing the late November attack on Sony Pictures Entertainment to North Korea. Some are already speculating that all-out state-sponsored cyber warfare is just around the corner. However, this is not the first time Sony’s systems have been compromised, and governments are rarely identified as the instigators of attacks of this kind. While the point of entry has yet to be made public, there are myriad ways attackers of any stripe could have broken into Sony’s network. The most capable security teams in the industry plan for multiple attack vectors, and with companies around the world strengthening their defenses in the wake of this and other recent breaches at Home Depot and Target, it is worth taking stock of three major classes of cyber attack and how to defend against them.
In addition to the recent breach of its entertainment division, Sony’s PlayStation Network has been attacked on several occasions, most recently when it was taken offline this past Christmas, but perhaps most notably in 2011. The 2011 attack exposed the personally identifiable information of all 77 million users and cost Sony an estimated $171 million. How the attackers got in remains officially unknown (companies tend to keep the details of exploited vulnerabilities close to the vest), but speculation across the web centers on inbound attacks: direct attempts from outside to access corporate servers, databases, or other systems.
When considering inbound attack vectors used by external bad actors, terms like SQL injection and malware belong at the top of the IT security lexicon. Rushed coding that splices user input straight into database queries, and well-intentioned employees who open unfamiliar email attachments, both increase an organization’s exposure. One of the most challenging aspects of inbound attacks is the rogue employee, who either deliberately installs malicious software or copies files directly to a disk or USB memory stick. Companies can strengthen their defenses by patching and updating servers, maintaining firewall rules, and investing in threat intelligence. Equally important is training managers to identify and proactively monitor disgruntled employees.
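As an added illustration of the “rushed coding” point above (example code written for this page, not taken from the article or from any Sony system), the following uses a constructed in-memory SQLite table to show the string-built login query an attacker can rewrite, beside the parameterized query that closes the hole:

```python
"""SQL injection: the rushed-coding pattern beside its fix.

Added example, not from the article: an in-memory SQLite database with one
constructed user shows how a string-built query lets an attacker change the
query's structure, and how a parameterized query keeps input as data.
"""
import sqlite3


def make_db():
    """Constructed sample table. Real systems store password hashes, not
    plaintext; that is a separate issue from the injection shown here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", "correct horse battery staple"))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Splices untrusted input into the SQL text (the bug)."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterized query: values travel separately from the statement, so
    quotes and comment markers in the input are data, never SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Two classic constructed payloads: a tautology that makes the WHERE clause
# true for every row, and a comment marker that discards the password check.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology :", login_vulnerable(db, "anyone", TAUTOLOGY))
    print("vulnerable, comment   :", login_vulnerable(db, COMMENT_OUT, "anything"))
    print("safe, tautology       :", login_safe(db, "anyone", TAUTOLOGY))
    print("safe, real password   :", login_safe(db, "alice", "correct horse battery staple"))
```

The vulnerable function authenticates both payloads without knowing any password; the parameterized version rejects them and only accepts the real credentials. The same rule applies to every database driver: never build SQL text from user input, and prefer the driver’s placeholder syntax over hand-rolled escaping.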
Outbound attacks threaten individual customers by convincing them to hand over sensitive data or unknowingly download malicious software. Most often, these attacks take the form of widespread phishing. Whereas inbound attacks require at least a modicum of sophistication, phishing is cheap, can be carried out by anyone, and almost always garners some level of the desired response. Those perpetrating outbound attacks range from government-sponsored organizations to small groups and individuals. Defending against these attacks is difficult because attackers bypass corporate servers entirely and send mail directly to known or suspected customers, impersonating the company’s own sending domain.
Fortunately, protocols are being adopted at the mailbox provider level (Gmail, Yahoo!, AOL, etc.) that give brands greater visibility into, and mitigation of, outbound attacks. One such protocol is Domain-based Message Authentication, Reporting and Conformance (DMARC), of which Return Path is a cofounder and major proponent. DMARC builds on SPF and DKIM: a domain owner publishes a DNS record stating what receivers should do with mail that claims to come from the domain but fails authentication (monitor, quarantine, or reject), and receivers send aggregate reports back to the owner. As of the publication of this article, only about 10% of the global companies targeted by outbound attacks have implemented DMARC, but demand is rising quickly. By publishing a reject policy, a brand can shut down exact-domain spoofing of its sending domains at every participating mailbox provider; lookalike domains and display-name spoofing are outside DMARC’s scope and still need monitoring. And with phishing-related fraud costing companies and consumers over $6 billion each year, no one can afford to be a laggard.
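To make the receiver-side logic concrete, here is an added example (written for this page, not Return Path’s or any mailbox provider’s code) that parses a constructed DMARC record for the placeholder domain example.com and applies the identifier-alignment rule: a message passes only if SPF or DKIM passes and the authenticated domain aligns with the From domain, otherwise the published policy decides. The organizational-domain shortcut and the omission of pct= sampling are simplifications noted in the comments.

```python
"""Minimal DMARC record parser and policy evaluator.

Added example, not Return Path code: it applies the identifier-alignment
rule of RFC 7489 to a constructed DMARC record. A message passes DMARC
only if SPF or DKIM passes *and* the authenticated domain aligns with the
RFC5322.From domain; otherwise the published policy (p= for the
organizational domain, sp= for its subdomains) decides its fate.
"""

# Constructed sample record, as it would be published in the TXT record
# at _dmarc.example.com (example.com is a placeholder domain).
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-reports@example.com; pct=100")


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict, filling RFC defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    tags.setdefault("adkim", "r")      # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")       # SPF alignment
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p=
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.

    Real receivers consult the Public Suffix List (co.uk etc.); this
    shortcut is an assumption that holds for the constructed inputs here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Exact match in strict mode, same organizational domain in relaxed."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(record, from_domain, spf=None, dkim=None):
    """Return (dmarc_result, disposition).

    spf  = ("pass"|"fail", domain SPF checked, i.e. the MAIL FROM domain)
    dkim = ("pass"|"fail", d= domain of the verified DKIM signature)
    The pct= sampling tag is ignored for simplicity.
    """
    tags = parse_dmarc(record)
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(spf[1], from_domain, tags["aspf"])
    dkim_ok = bool(dkim) and dkim[0] == "pass" and aligned(dkim[1], from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    is_org = org_domain(from_domain) == from_domain.lower().rstrip(".")
    return ("fail", tags["p"] if is_org else tags["sp"])


if __name__ == "__main__":
    # Legitimate mail: SPF passes for the From domain itself.
    print(evaluate(SAMPLE_RECORD, "example.com", spf=("pass", "example.com")))
    # Spoof: the attacker's own domain authenticates but does not align.
    print(evaluate(SAMPLE_RECORD, "example.com", spf=("pass", "attacker.test")))
```

The second call is the case that matters for outbound attacks: the phisher’s mail may pass SPF for whatever domain they control, but because that domain does not align with the brand’s From domain the receiver applies p=reject and the message never reaches the customer. Note that the record’s adkim=s means a DKIM signature from mail.example.com does not align with example.com, while aspf=r lets SPF for mail.example.com align; brands commonly start at p=none to read the aggregate reports before tightening to quarantine and then reject.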
An area of real concern is an extension of outbound attacks that most commonly manifests as spear phishing. These attacks target individuals who hold key credentials, have access to sensitive information, or sit in a position of power in an organization. Spear phishing usually incorporates some level of social engineering, whether a phone call or an email that not only looks legitimate but invokes some measure of authority to convince the victim to hand over credentials or other personal information.
On April 23, 2013, the Associated Press (AP) Twitter account reported explosions at the White House and that President Obama had been injured. The resulting panic produced a roughly 150-point flash crash in the Dow Jones, briefly erasing some $136 billion in market value.
In fact, the president was at the White House that day, meeting with advisors in the Oval Office, completely undisturbed. There was no attack. Instead, the AP’s Twitter account had been hijacked by a quasi-governmental group known as the Syrian Electronic Army (SEA). Details of the hack revealed that credentials had been stolen by way of a simple phishing email that encouraged AP employees to click on a link that appeared reputable but led to a website that installed spyware, eventually providing the attackers with what they needed to access and post to the AP’s official Twitter account.
The nature and geopolitical aims of the attack on AP closely mirror some of the rhetoric that accompanied the Sony attack. It takes little stretch of the imagination to see how the Sony incident could have begun with a targeted attack such as spear phishing. Protecting against targeted attacks requires multiple layers of security: authenticating the communication channel itself (for email, DMARC), adding advanced threat detection, requiring a second factor so that a phished password alone does not grant access, and training staff on the importance of separating work data from personal.
Means, Motives, and Opportunities
While President Obama maintains that the recent Sony breach was not so much an act of war as an act of “cybervandalism,” the truth is that the attack was one of the first of its kind to expose corporate secrets and personal information while simultaneously carrying terroristic threats. The dangers of cyberspace are as multifaceted as they are misunderstood. Unlike a physical battlefield where enemy combatants can be identified and grouped by flags, uniforms, and equipment, the cyber battlefield is one where identities are easily hidden, individuals are often as well-equipped as government entities, and motives are as varied as the people behind them. As threat intelligence continues to improve at identifying the behaviors associated with the planning and initial execution of an attack, the best defenses are keeping up to date on prevalent attack vectors, using the tools and protocols already available to shut down bad actors, and taking every step necessary to ensure our people, customers, and companies remain safe.
About Robert Holmes
Robert Holmes is General Manager, Email Fraud Protection at Return Path. Rob has been in the brand and fraud protection industry for 15 years, helping major corporations understand, quantify and manage risk across digital channels. Having previously held global roles running the product teams at Corporation Service Company and Melbourne IT's Digital Brand Services, Rob is a frequent speaker at major security events, including RSA Conference, Gartner Security & Risk Management Summit, FS-ISAC, and the global eCrime series. Rob has an MA (Hons) degree in Philosophy, Politics & Economics from the University of Oxford.