Earlier this month, Varonis issued a sizzling note analyzing the Sony breach that would have likely done far better at Halloween than Christmas because it is one scary piece of work. It walks through the process that likely occurred for the massive Sony breach, which ended the careers of a number of executives and kept one of Sony’s top movies from being released in movie theaters.
The note showcases how one attack can not only bring a company to its knees, but do a considerable amount of damage to the images of a number of Hollywood celebrities at the same time. It also showcased why it is unwise to badmouth co-workers in writing on anything.
Let’s explore this event, which put at risk 47,000 people by compromising their Social Security numbers and doing personal damage to an untold number of employees by exposing their 170K of emails to a very hostile force.
Spy Guys Process
This is the second time I’ve seen where an attacker, over a relatively long period, used phishing emails to steal credentials and gain access to confidential information including IDs and passwords. The last time was at a huge company where they took a full year to figure out who the executives were and how to create and deliver a payload that quickly captured every non-executives’ personal identity and financial information.
In the Sony case, the phishing attacks focused on not only getting passwords and IDs but fully mapping the network and company environment. Then spyware was dropped on servers using the stolen IDs and passwords. As I saw in the prior case, the attackers worked slowly for around a year so as not to alert security, IT or executive management that the breach was ongoing.
They dropped malware on critical servers that included employee log-in information. This malware was in the “wiper” class, which means it is designed to destroy the data on the servers it compromises. So they didn’t just steal stuff, they destroyed stuff, and it is a little surprising that Sony actually survived an attack this compromising.
The attackers proceeded to move laterally, looking for additional passwords and other login information. Sadly, Sony hadn’t even enforced basic password policy and it became clear that many passwords were trivial, often using the word “password,” making for a very easy exploit. As they progressed, they discovered more and more plain-text passwords and then escalated privileges to gain access to RSA tokens securing Sony’s most valuable information.
Hundreds of gigabytes of data were extracted, including productivity documents, presentations/pitches, word documents, text files, videos, and tons of personally identifiable information that compromised not only Sony but most everyone who did business with or worked at the company. This even included budgets, scripts, and defining information on unreleased movies that, if leaked, could destroy demand for these unreleased properties.
This was all because IT wasn’t enforcing password policy, no one was watching unstructured data movement, and both the breach identification and response were inadequate. It even got their top executive canned. And trust me, getting a CEO fired really doesn’t look good on a CIO resume. Or should I say an ex-CIO’s resume.
Wrapping Up: Hostile World
This just showcases the fact that we live in a hostile world where people want to gain access to private information for illicit profit and/or to control the compromised firm. For Sony, this attack was incredibly damaging and I expect that Varonis is highlighting the attack because they have one of the leading solutions designed to prevent ones like it. But it goes without saying that if you are a high-profile company that isn’t enforcing complex password management policies, if you ever tick off a large competitor--or worse, a country--then you’d better be covered or be ready for early retirement. If you haven’t done the former, the latter is your unfortunate destiny.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+