The SONY Hack: What Are the Take-A-Ways?

Page created by Leonard Stephens

Although the SONY Hack was brought to the world's attention in November 2014, it is still
being talked about and trending on social media. Three factors account for the long shelf
life of its newsworthiness: its shiny, sparkly target, SONY Pictures Entertainment; the
players and the drama that unfolded around the attack; and the amount and sensitivity of
the information that was compromised.

The hack was apparently brought to SONY's attention by a blackmail email: a message stating
that their systems were compromised and data stolen, and that the senders expected their
demands to be met. The public "announcement" of the breach came in a Reddit post in late
November 2014 by a user claiming to be a former SONY employee, along with a screenshot of
the defacement message displayed on a SONY computer.

From there it spread like wildfire, with several leaks of stolen SONY data and threats from
the hackers, including the sinister promise of a 9/11-style attack on theatres and
movie-goers on Christmas Day should SONY release the movie "The Interview" (worth noting:
Homeland Security uncovered no active plot, and no threat was acted upon when the film was
released).

At the risk of further regurgitating old news, here are the SONY Hack highlights to give some
context to the take-aways:

Who claimed responsibility? Guardians of Peace (GOP). Who are the GOP? We're not completely
sure; GOP is just a name, a label, and the individuals behind it have not been unearthed.
The FBI claims to have evidence suggesting that the North Korean government is behind the
attack but has not released proof; North Korea has lauded the GOP's exploits and the threats
related to the release of the movie "The Interview", which depicts Kim Jong-Un's
assassination. Others claim it was North Korean sympathizers. Others claim it was SONY
employees. Some cyber-analysts link the attack to the 2012 attack on the Saudi oil company
Aramco and the 2013 attacks on South Korean banks and media. And some claim it was a
combination of external malicious actors and discontented SONY employees.

Playing devil’s advocate, one would wonder, if this were a plot devised by North Korea, why
would the first demand be an attempt to blackmail SONY for their stolen data and then weeks
later, focus on kiboshing the release of “The Interview”. They had the SONY data … the movie
was no secret … and the initial blackmail and the demand to pull “The Interview” seem totally
incongruent if actioned by the same group. At the end of the day, the lack of direct ideological
or political statements presents all the hallmarks of one or many disgruntled employees.

What did they steal/exploit? The GOP hackers claim that they stole upwards of 100 terabytes
of sensitive company and personal data from SONY Pictures Entertainment computers; 40
gigabytes of this data was verified as it was posted online. Information included unreleased
movies and scripts, contract details, and employees’ personal details, such as medical records,
severance, Social Security numbers and addresses. And other really embarrassing stuff. It was
also claimed that other information was compromised: PDF, Word and Excel-based internal
financial reports, production schedules, private keys, passwords and procedures on what to do
in the event of a security breach (funny that).

When did it start and how long did it last? The GOP hackers claim to have been stealing this
data over a period of about a year. If the amount of data is correct, the duration is
plausible: a T3 line carries roughly 45 Mbit/s, so moving 100 terabytes over one takes on
the order of 200 to 225 days of continuous transfer, depending on protocol overhead,
compression and other technical factors, and an intruder trying to stay unnoticed would
spread the transfer out rather than saturate the link.

What was the motive? Well, obviously SONY ticked someone off. Whether the motive is
undisclosed or was truly a political stance against the release of “The Interview”, we may never
know ... Irrespective, the prospect of the culprit being an entire government versus pimply-
faced or worse white-collar hackers is a little more redeeming for SONY and FBI investigators.

Was this terrorism? No. Full stop. The slightly longer answer is that for any act to count
as true terrorism, itself a broad term, there must be a clear indication of real violence or
threat of violence against non-combatants, evoking fear palpable enough to significantly
modify behaviour, together with some ideological or political motivation to further a cause
or agenda. This was high-stakes mischief and intimidation. Data theft and unsubstantiated,
erroneous threats (with no intelligence behind them) directed at the audience of a black
comedy doesn't cut it. But calling it terrorism or cyber-terrorism does "sell papers".

What was the level of technical sophistication? Essentially, this was a moderately
coordinated attack using relatively low-to-medium technical sophistication: in short, it
appears to have been commodity malware, known as BKDR_WIPALL to Trend Micro and as Destover
to Kaspersky, set loose on SONY's networks. The degree of harm was certainly notable,
depending on how you define harm, and the scope and duration of the intrusion were
shocking, but we are not talking Stuxnet here (the attack on Iran's uranium enrichment plant
that used multiple zero-day exploits, spread across several networks, targeted sophisticated
SCADA equipment and physically damaged centrifuges). It was a small group of actors using
what appears to be black-market, not unknown, malware, with some evidence of persistence
over an extended period against one target, SONY. Statements by the FBI described this as
an "extremely" sophisticated attack that would have circumvented 90% of available
countermeasures ... *insert chirping crickets here*

Measuring the sophistication of a cyber-attack by the effectiveness of current malware
protection is a weak yardstick: many anti-malware products are ineffective, and many lag
behind in their signatures as new malicious software is produced; to suggest that all
anti-malware software is effective, and that one safeguard, anti-malware software, is all
that is required, is naive and overly simplistic. While it would be very useful to know
which security measures were in place on SONY's networks, the vulnerability that was
exploited is the more accurate and telling measure.

So what are the take-aways then?
There are a lot of unaddressed questions regarding the SONY hack: how the initial compromise
occurred, how the attackers stole such large quantities of data without detection, how they
carried out reconnaissance, and how they obtained administrator credentials and knowledge of
the infrastructure ... and there is the "who did it" question. While there are similarities
to other attacks such as Shamoon and Dark Seoul, none of these is conclusively tied to a
particular group, whether political or just a gang of hackers-for-hire.

1. Previous Targeting: It wasn't too long ago that SONY was the target of two other hacks:
the SONY PlayStation Network breach in 2011, which exposed 77 million user accounts, and the
2011 hack of SONY Pictures itself, which leaked 1 million passwords, email addresses and
other data. Whether the weaknesses exposed by those breaches were addressed, we don't know.
But one would expect that they were, and one would also expect that SONY would have examined
and amped up its entire security strategy and framework after those attacks.

2. An Up-To-Date Multi-Safeguard Security Strategy and Framework: That aside, hardening an
asset requires addressing prevention, detection, response and recovery from a
multi-safeguard perspective, with layers of security based on various attack scenarios, as
well as an ongoing maintenance and audit program. The security mantra should be not "if it
happens" but "when", which means enough monitoring and behaviour analysis of networks and
systems to catch an intruder who is already inside. SONY apparently hosted the intruder for
an extended period, and long dwell times of this kind are becoming more common in targeted
intrusions; an attacker who trickles data out at a rate that looks like ordinary traffic
will not be stopped by a perimeter filter and is only visible to something that baselines
outbound volume per host and per destination over days and weeks.
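The kind of egress baselining that take-away 2 calls for, as an added example that is not
code from the article or from SONY: it reads constructed NetFlow-style records, builds a
per-host daily outbound baseline from a "normal" window, and then flags two things on later
days: a single host whose egress jumps far above its own history, and an external
destination that receives a large volume from the whole internal range in one day (which
catches exfiltration split across many hosts, as the second sample day shows). The address
range, hosts, destinations, byte counts and thresholds are all invented for illustration.

```python
# Added example: per-host and per-destination daily egress baseline check.
# Flow records, addresses, volumes and thresholds below are constructed, not
# taken from any real network or from the SONY incident.
from collections import defaultdict
from statistics import mean
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range
GB = 10**9


def is_egress(src, dst):
    """True for traffic leaving the internal range; only that direction is baselined."""
    return (ipaddress.ip_address(src) in INTERNAL
            and ipaddress.ip_address(dst) not in INTERNAL)


def daily_egress(records):
    """Sum outbound bytes per (host, day) and per (external destination, day)."""
    per_host = defaultdict(int)
    per_dest = defaultdict(int)
    for r in records:
        if is_egress(r["src"], r["dst"]):
            per_host[(r["src"], r["day"])] += r["bytes"]
            per_dest[(r["dst"], r["day"])] += r["bytes"]
    return per_host, per_dest


def host_baseline(per_host, train_days):
    """Mean daily egress per host over the training window."""
    samples = defaultdict(list)
    for (host, day), b in per_host.items():
        if day in train_days:
            samples[host].append(b)
    return {h: mean(v) for h, v in samples.items()}


def find_anomalies(records, train_days, detect_days, factor=5.0,
                   floor=20 * GB, dest_limit=50 * GB):
    """Return (host_alerts, dest_alerts).

    A host is flagged on a detection day when its egress exceeds both `factor`
    times its own baseline and an absolute floor (the floor keeps a near-idle
    host from alerting on a few extra gigabytes). A host with no training
    history is compared against the floor only. A destination is flagged when
    the whole internal range sends more than `dest_limit` to it in one day.
    """
    per_host, per_dest = daily_egress(records)
    base = host_baseline(per_host, train_days)
    host_alerts = []
    for (host, day), b in sorted(per_host.items()):
        if day not in detect_days:
            continue
        expected = base.get(host, 0.0)
        if b > floor and b > factor * expected:
            host_alerts.append((host, day, b, expected))
    dest_alerts = [(dst, day, b) for (dst, day), b in sorted(per_dest.items())
                   if day in detect_days and b > dest_limit]
    return host_alerts, dest_alerts


def build_sample():
    """Constructed flow records. Days 1-7 are the baseline window; days 8-9 are checked."""
    recs = []
    for day in range(1, 10):
        # two ordinary workstations: ~0.5 GB and ~0.2 GB of web traffic a day
        recs.append({"src": "10.0.1.5", "dst": "198.51.100.20", "bytes": 500 * 10**6, "day": day})
        recs.append({"src": "10.0.1.7", "dst": "198.51.100.20", "bytes": 200 * 10**6, "day": day})
        # inbound traffic is not egress and must not count toward any total
        recs.append({"src": "198.51.100.20", "dst": "10.0.1.5", "bytes": 4 * GB, "day": day})
    # day 8: one workstation pushes 250 GB to a single external host, roughly
    # the daily rate implied by 100 TB over a year
    recs.append({"src": "10.0.1.7", "dst": "203.0.113.10", "bytes": 250 * GB, "day": 8})
    # day 9: a similar volume split across twelve servers with no history, each
    # staying under the per-host floor; only the destination check sees it
    for i in range(12):
        recs.append({"src": f"10.0.2.{i + 1}", "dst": "203.0.113.10", "bytes": 15 * GB, "day": 9})
    return recs


if __name__ == "__main__":
    hosts, dests = find_anomalies(build_sample(), train_days=set(range(1, 8)), detect_days={8, 9})
    for h in hosts:
        print("host egress anomaly:", h)
    for d in dests:
        print("destination volume anomaly:", d)
```

Running it flags 10.0.1.7 on day 8 and the destination 203.0.113.10 on both days; the
twelve servers on day 9 never trip the per-host rule, which is the point of keeping the
destination-level check alongside it. A real deployment would use a longer training window,
a seasonal baseline (weekday versus weekend) and a deviation measure rather than a fixed
multiple, but the two views, per source and per sink, are what distinguish slow exfiltration
from ordinary traffic.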

3. The Human Factor: The human aspect cannot be ignored either: skills training and
work-sharing (reducing single points of failure) for security staff, awareness training for
employees, and proper remediation and off-boarding for exiting employees are crucial. It's
important not to confuse the "human activities and behaviours" with the "cyber-threat
technology's activities and behaviours": every piece of malicious code has a human behind it
and requires an existing vulnerability to be successful.

4. Share Your Worst Practices: Wouldn't it be useful if, for every attack, corporations and
governments treated it as a national security concern rather than just an individual breach,
and if the conditions around each attack became a collection of "worst practices" that others
could avoid and remediate against? Aside from saving face and concerns about negligence (not
being a lawyer, I don't know how real these are), shielding the details of vulnerabilities is
a detriment to our collective security; trust me, the "bad guys" already know what they are.

The most important lessons from the SONY hack are these: do not underestimate the
attractiveness of the target and its assets; do not assume that one layer of anti-anything
safeguards is enough; security strategies and frameworks are individual and not a
copy-paste-replace exercise; and no entity can transfer security responsibility or risk into
the hands of security companies. Above all, information sharing by attacked companies and
institutions after the fact will be key to threat intelligence. Attribution and intelligence
die off in a silo or a vacuum; sharing information laterally is crucial to shortening every
phase of the threat lifecycle and to hardening the individual assets that make up the whole.

Imagine if police forces of varying jurisdictions refused to share information and details on
crimes ... few crimes would be solved in our highly mobile and globalized world; sharing threat
intelligence allows small pieces of the puzzle to be brought in to form the bigger picture. Until
that utopian time, we'll all be playing the guessing game and arbitrarily associating cause and
identity to malicious actors and indicators of compromise with little substantiation limiting the
overall effectiveness of our security practices.

The SONY Hack has been labelled (arguably) by some as the most unprecedented corporate hack
known, rivalling WikiLeaks and the 2011 theft of sensitive US data attributed to China.
However, if it is truly unprecedented, that is not due to a high level of technical skill and
sophistication but more likely to negligent security procedures, and to our inability to
treat these attacks as prime intelligence-gathering, sharing and attribution exercises that
would lead to the hardening of assets across many sectors.

Valarie Findlay has over a decade of senior expertise in the Canadian federal government and is President of HumanLed, Inc.
(www.HuamnLed.com). She has managed and participated in the transformation of mission-critical systems and developed
cyber-security strategies, frameworks and risk assessment approaches for policing, military and government departments.

Currently, she is completing her dissertation on the effects of terrorism on law enforcement in Western nations in the Terrorism
Studies Program at the University of St Andrews. She has also produced research papers and preliminary studies (identifying
areas for focus) on cyber-terrorism and threats in Canada and abroad, information security and valuation, and safeguards and
countermeasures for information and IT systems. She has privately produced a comprehensive study on the changing landscape of
security capabilities and vendor markets in Canada.

She has also launched a study and report, following an in-depth preliminary study, that will present a Proposed Structure for
Cyber-Security in the Counter-Terror Model, Cyber-Security Collaboration and Knowledge Sharing (Cross-Sector), and a new
Threat/Risk Assessment (TRA) Tool specific to cyber-threats for the Canadian government and private sector.

Speaking Engagements:
•    Panel speaker at CATA Conference on Cyber-Terrorism, Nov 2014: Understanding and Analyzing Cyber-Threats as a Malicious Method
•    Panel speaker at International Security Forum, NATO / WIIS / Queen's University, June 2014: Canada and NATO: Capabilities and Priorities
•    Keynote speaker at Canadian Government Conference on Cyber-Terrorism, May 2013: The Rise of Cyber-Threats in Government and NGOs

Articles and Studies:
•    Security Sector Reform Article: Cyber-Terrorism and Canada's Cyber-Security Strategy: http://www.ssrresourcecentre.org/tag/canada/
•    Coradix Article: What's It Worth to You? Determining the True Cost and Value of Information: http://coradix-tech.blogspot.ca/2013/05/whats-it-worth-to-you-determining-true.html
•    Canada's Cyber-Threat and CIP Strategy, 2013, Royal Canadian Mounted Police Serious Incident Reporting Library
•    Validating Militarization of Law Enforcement, 2014, Royal Canadian Mounted Police Serious Incident Reporting Library
•    Cyber-Threats, Terrorism and the Counter-Terror, 2014, Royal Canadian Mounted Police Serious Incident Reporting Library