Now that the dust has settled on the infamous hack of Sony Pictures Entertainment, it would be prudent to take a look back at how the attack was carried out, consider what lessons IT security professionals can learn from it, and formulate a plan to counter a similar attack.
To that end, I recently conducted an email interview with Gary Miliefsky, an information security specialist and founder and president of SnoopWall, a cybersecurity firm in Nashua, N.H. To kick it off, I asked him what the likelihood is that a Sony insider assisted with the attack, and whether it could have even been carried out without the help of an insider. Miliefsky dismissed the insider theory:
While many speculate that the attack on Sony Pictures Entertainment was done by a malicious insider, I believe that the DPRK carried out the attack themselves, originally initiated from IP addresses they lease from the Chinese government. I believe they initially eavesdropped on emails to learn a pattern of behavior for socially engineering a Remote Access Trojan to be installed via email of an unsuspecting employee, inside the network.
I asked Miliefsky if it was his belief that North Korea had the wherewithal to conduct this attack on its own, or if it had the assistance of a third party. He said all it needed was Internet access via China:
While it may have had the assistance of third parties, I do not believe they needed any help beyond the Internet access they have been granted by the Chinese government. They have a very skilled cyber army of as many as 6,000 members, whose livelihood depends upon successfully writing new malware and exploiting known and unknown vulnerabilities.
I asked Miliefsky what means North Korea likely used to penetrate and insert the malicious code onto Sony’s network. He said they were able to exploit the Sony network by means of a well-crafted “spear phishing” attack, which contained a Remote Access Trojan (RAT):
I believe the record books will one day show that between July 2014 and October, 2014, a crack team from a large cyber army was charged with reconnaissance on Sony Pictures Entertainment for the deployment of a highly targeted phishing attack that deploys a RAT. Once deployed, internal network reconnaissance takes place, files are stolen by being uploaded to other RAT victims, and later harvested by the attackers. File uploads, email and records pilfering, and hard-drive wiping tools were most likely controlled by command-and-control RAT servers located outside of the U.S., with other computers inside the U.S. controlled remotely. Pilfered files were leaked, and threats were made through spoofed IP addresses accessing Gmail accounts to make tracing difficult.
So could Sony have prevented this attack? Miliefsky said if his analysis is correct, any organization could defend against this attack, in spite of the FBI’s statement that 90 percent of businesses would have been victimized—which, he said is probably true:
Even though “Usernames&Passwords” was one of the files discovered, with plaintext passwords like the word “password,” that’s not what triggered the attack. Changing those passwords would have made it a longer and harder reconnaissance and pilfering process, but it wouldn’t have stopped them. It’s very embarrassing for Sony to have used such foolish passwords and file names. But that’s not the heart of the problem.
The heart of the problem, Miliefsky said, was the lack of proactive behavior. He said what’s needed is an action plan that includes training employees better, hardening systems (Miliefsky recommends a visit to the National Vulnerability Database), detecting and removing RATs; deploying full-disk encryption and real-time backups; defending against phishing attacks; and managing the BYOD problem. Of course, he said, that’s easier said than done:
The biggest weakness at Sony was their employees. If you can’t train them to behave better and understand phishing attacks, proper password management, full-device encryption, and the importance of storing important information in a way that’s always encrypted and frequently backed up, then what can you expect but another successful breach?
Finally, Miliefsky offered this advice to CIOs:
The CIO should be frequently training employees, using all the newer proactive tools to block phishing attacks and detect zero-day malware, and they should have a real-time backup system in place. Finally, encryption should be deployed across all devices with very smart password management. If he can say, with authority, that there are no RATs on the network, then the CIO is doing a good job.
A contributing writer on IT management and career topics with IT Business Edge since 2009, Don Tennant began his technology journalism career in 1990 in Hong Kong, where he served as editor of the Hong Kong edition of Computerworld. After returning to the U.S. in 2000, he became Editor in Chief of the U.S. edition of Computerworld, and later assumed the editorial directorship of Computerworld and InfoWorld. Don was presented with the 2007 Timothy White Award for Editorial Integrity by American Business Media, and he is a recipient of the Jesse H. Neal National Business Journalism Award for editorial excellence in news coverage. Follow him on Twitter @dontennant.