The Sony Hack: Vital Lessons for Microsoft Admins

On November 24th, a post on Reddit announced that Sony Pictures Entertainment (SPE) had been hacked by a group calling itself the Guardians of Peace (GOP). Since that time, a steady stream of claims, counterclaims, data from the breach, and reports about that data has occupied both mainstream and IT-focused media. There are lots of open questions about what happened, who exactly is responsible, and what the long-term impact of the breach will be for SPE. The more important questions to ask right now, though, revolve around how to ensure that you’re not the next high-profile organization to have its security woes splashed across the front page of the New York Times and CNN.

What we know

Examining what we know (or can assume with a high level of confidence) about the breach is a good place to start. The most comprehensive public analysis is probably the one posted by RiskBased Security, which has gathered a treasure trove of links to analysis and commentary. Different media outlets and security professionals have very different takes on the attack, from the outlets focused on the sensational aspects (who’s badmouthing who, how much SPE spent or made on individual projects) to those that instead focus on the mechanics of the attack and the possible legal consequences for SPE.
Here’s a brief summary of what we know, based on the materials that have been released by the attackers, research and commentary from security experts, and credible press reports:

• The breach is very large. While GOP’s claim that they exfiltrated 12TB of data cannot be proven, the size of the individual releases and the ongoing pattern of releases indicates that the attackers stole a lot of data.
• The scope of the breach is very wide. GOP releases have included a wide range of commercially sensitive data, personal information (including information that might fall under HIPAA, as well as results of criminal background checks on employees), and detailed information about SPE’s internal IT operations.
• Several of the data sets released include information, such as passwords and digital certificates, that could be used to launch follow-on attacks on SPE, or on systems and services that SPE uses.
• Much of the content appears to come from individual workstations rather than servers. For example, many of the dumps contain folder structures with work products that all seem to have come from the same user.
• The released email all seems to be in the form of Outlook offline folder (.ost) files, not the larger mailbox database (.edb) files that would have to come from the mail servers themselves.
• The Destover malware implicated in the Sony attack wipes affected systems, in addition to or instead of just stealing data. Sony suffered a major nationwide outage over Thanksgiving weekend as they attempted to deal with wiped machines.
• SPE had significant existing security problems at the time the attack became known.
• The initial method of attack isn’t known, although there are several possibilities discussed later in this article.
• The attackers are very sophisticated; the breadth of the attack, the amount of data they’ve stolen, and the continually changing nature of their release processes all point to an extremely knowledgeable and well-funded group.

Speculation vs reality

As with almost any discussion involving computer security, it’s hard to separate reality from fantasy (or, more charitably, from speculation). Just one example: initial reports breathlessly claimed that North Korea was behind the attacks, because the cited cause was SPE’s forthcoming release of “The Interview,” a movie in which the CIA attempts to assassinate Kim Jong Un. Later reports said, no, it probably wasn’t North Korea. Then on December 17th, NBC News and the New York Times reported that unnamed US officials “have found linkage to the North Korean government.” At the same time, other experts were saying that the evidence pointing at North Korea is spotty at best.
So, building on the list of what we do know about the breach, let’s examine some things that we don’t know:

• We don’t know when the initial intrusion took place. SPE had a breach in February 2014 that may or may not have been related to the GOP breach.
• We don’t know specifically what kind of vulnerability the attackers exploited: Windows, Flash, Office apps, and Adobe Acrobat are all possibilities.
• The attackers claim to have had insider help but it’s impossible to say whether that is true. In addition to vulnerabilities that could be directly exploited, an insider with physical access to the network or to targeted machines could have directly installed the malware.
• No one is saying publicly whether the attack was targeted at key executives and decision makers or more broadly across Sony’s network.
• Some reports indicate that a longer list of the attackers’ demands have been directly communicated to SPE executives.
• The true identity and motives of the attackers remain unknown, although it seems clear that one key motive is to cause damage to SPE-- as evidenced both by the release of damaging information and the use of malware that erases target systems.
• We don’t know how many more releases of data GOP may be planning (although some indirect hints in their existing releases indicate that they will probably continue through Christmas Day).
• We don’t know what other organizations GOP may have penetrated. Interestingly, the Screen Actors’ Guild suffered an intrusion in October 2014 (http://variety.com/2014/film/news/sag-aftra-members-hit-by-oct-18-hack-at-art-payroll-1201370552/); this attack may have used credentials stolen during the SPE intrusion.
• We don’t know what other organizations may currently be under attack by similar means.
• We don’t know why Sony’s chief information security officer (CISO) left in September 2014.
• If North Korea is responsible, directly or indirectly, we don’t know what response the US government might undertake, if any.

How the breach might have occurred

The SPE attack was clearly sophisticated. In fact, the CEO of security firm Mandiant (which has a long, distinguished record investigating and fixing advanced persistent threat attacks orchestrated by the Chinese government and its surrogates) said
The malware was undetectable by industry standard antivirus software and was damaging and unique enough to cause the FBI to release a flash alert to warn other organizations of this critical threat.
That raises the interesting question of how the attackers got the malware into SPE’s network. There seem to be four basic possibilities:

• A watering hole attack, in which a compromised web site dropped malware on visiting computers. These attacks normally target web sites that are likely to be visited by the specific population; for the SPE hack, entertainment industry web sites or even internal web sites maintained by SPE might have been vectors.
• Spear phishing refers to malware-carrying messages that appear to be legitimate communications from vendors, partners, or other employees. The attacker’s goal is to craft a legitimate-looking message that tricks the victim into opening an attachment; the attachment can then exploit vulnerabilities in the OS or locally installed applications.
• Installed malware refers to applications that are installed by an authorized user, either on purpose or because the user accidentally visited an infected site or ran an infected application. If GOP had insider assistance, the insider might have deliberately installed malware on target systems.
• Other more exotic attacks: there are a variety of other possible ways to get an attacker’s code to run on a target system, including USB and IEEE 1394-based attacks and various other hardware- and software-based exploits. Given SPE’s overall poor security, these avenues seem unlikely.

The common thread across all these attacks is that they are aimed at end users. Other attacks, such as passive eavesdropping on network traffic or man-in-the-middle SSL attacks, could also have been used to gather data from the network, and targeted attacks against specific server types aren’t out of the question either. A full forensic analysis of the SPE breach may never be completed due to the number of compromised systems that were wiped by the attacking malware.

What the attackers got

We have to assume that the attackers got every piece of SPE’s data: email, contracts, screenplays, finished films, the code used to animate SPE movies such as Cloudy with a Chance of Meatballs, and all manner of other data could now be in the attacker’s possession. Steve Ragan, writing for CSO Magazine, summed it up nicely: "Sony didn't just lose PII [personally identifiable information] or financial records. Sony lost their business models and their revenue generating assets. It's bad enough that employee records and financial data was compromised, but compounding that is the loss of sales and marketing plans – the core of their bottom-line."

Worse, SPE has lost the trust of their employees and business partners. This loss of trust is especially problematic in a personality-driven industry such as entertainment: if major actors, directors, or producers were to decide that SPE is too risky a partner, that could essentially destroy SPE’s ability to compete for talent, financing, and distribution.

Unfortunately, keeping an accurate census of what data even exists on a network is something that very few companies manage to do, so figuring out exactly what an attacker got away with can be difficult and time-consuming: it took the US National Security Agency more than a year to complete their own assessment of what materials were stolen by Edward Snowden. If you have comprehensive and accurate backups, at best you can inventory them to see what an attacker might have taken.

What does this mean to you?

There are several strains of magical thinking that become common after a breach such as this. You’ll hear security professionals and decision makers repeat a few common themes:

• “That can’t happen to us because we are too well protected.” If you really believe that’s true, re-read the Mandiant CEO’s quote above. Every asset on every network is at risk to a sufficiently motivated and competent attacker.
• “No one will bother to attack us; we’re too small.” If you’re large enough to have $1 in the bank, you’re large enough to be at risk from financially-motivated criminals. Small and medium-size businesses are increasingly at risk from attackers who install malware to steal banking credentials, then use them to suck funds out of the victim’s account and transfer them elsewhere. In addition, smaller organizations tend to have weaker security, smaller security staffs, and fewer auditing and intrusion detection assets.
• “We’re using the cloud so we’re not at risk; Microsoft (or Google, or Dropbox, or whomever) has really strong security.” The SPE hack was primarily targeted at workstations—so as long as you have workstations on your network that process the data that your cloud service stores and transports, you’re still at risk.

The Sony breach has critical impacts on four systems that, separately and together, are used in the vast majority of organizational IT in the modern world. As organizations and individuals, we’ve become increasingly dependent on communications technology; the way people communicate has changed drastically over the last decade. These key systems are:

• Windows Active Directory: because it’s the core of identity management, authentication, and authorization at virtually every Windows-using organization, an attacker who can compromise your AD can steal account data, create new accounts, escalate their own privileges, evade some types of system auditing, and compromise security logs. The data stored in AD has low intrinsic value but AD is an inviting target because it is a critical core service. In fact, a savvy attacker can use Active Directory group policy objects to automatically push malware out to every AD-connected system in an enterprise!
• Microsoft Exchange, the leading enterprise e-mail system, represents a huge potential target because an attacker who can steal email—as the SPE attackers did—can learn virtually everything about an organization, from its internal politics to who its customers are to its strategic weaknesses and major opportunities. Because most Exchange clients cache data locally, attacking clients can yield a jackpot of information for the attacker without the increased risk of alerting the target by attacking servers.
• Microsoft Lync is an increasingly important part of enterprise communication networks. Because its instant messages, meetings, and conferences can be archived (either in standalone archives or into Exchange), casual and unguarded discussions conducted over instant messaging can be recovered by an attacker.
• Microsoft Office 365 is becoming increasingly popular, in part because Microsoft has successfully convinced many customers that it offers better security than those customers can provide for themselves. Microsoft faces a huge number of daily attacks and has a large and well-designed security infrastructure to counter them. However, the SPE breach clearly demonstrates that an attacker can cause huge amounts of damage without directly damaging (or perhaps even accessing) the servers themselves.

A related problem cuts across these technologies. Instant messaging, microblogging systems such as Tumblr and Twitter, and ubiquitous communications have trained users to post first and think later. It is virtually certain that every organization that has employees will find that its employees have business-critical data in places it isn’t supposed to be, and embarrassing or sensitive material mixed in with legitimate business communications. That’s the nature of the environment now; as administrators, we have to help protect these system components while trying to both educate and protect users.

How can you protect your own organization?

What should you be doing to protect yourself? The answer may surprise you. The tendency for most of us is to think that better technology is always the answer, but there are a surprising number of basic, time-tested security measures that can help greatly reduce the risk that you’ll get SPE’d:

• If you don’t want to see it in the newspaper, don’t say it electronically. Loose lips sink ships. Any time you write an email, you should assume that it might end up on CNN.
• All of the basic security domains are relevant as ever. Auditing membership of privileged groups like Domain Admins, auditing Active Directory, NTFS, and Exchange permission changes, and maintaining administrator audit logs are all well-understood processes that too many customers ignore.
• Back up all your data, frequently, and verify the backups. This is effective protection against malware that erases or encrypts and then ransoms your data.
• Consider where your sensitive data is stored: in email? SQL Server databases? File servers? Each data type and storage location will have unique security capabilities, and you should use them as appropriate.
• If you encrypt your data, an attacker will have a much harder time making use of it if they manage to steal it. S/MIME encryption of sensitive email might have greatly reduced the amount of data that GOP was able to recover from SPE, for example. Keep in mind that different encryption systems protect against different threats; for example, Microsoft BitLocker prevents an attacker from recovering data from a stolen disk drive but doesn’t prevent them from stealing data by having malware read it while the computer is running.
• Limit the amount of data you keep and you limit the amount of data an attacker can capture. For example, Outlook 2013 allows administrators to restrict the amount of mail data cached on a workstation, and Exchange has powerful tools for controlling retention of email based on content, who sent or received it, or age. In a successful attack, would you rather the attackers get the last six months of everyone’s mail or all of it?

Finally, in addition to some of these basic principles, the SPE hack gives us all an opportunity to examine 3rd party tools available to help us sleep at night. What solutions are available to ensure compliance, security and overall systems health are all being monitored appropriately and exposed to more than just a person or two resulting in a single point of failure?

ENow aims to provide monitoring and reporting software against Exchange, Exchange Online, Lync and Active Directory that is comprehensive yet very simple and easily accessible by anyone in an organization who can look up at a screen on the wall or login to their customized reports dashboard. Again, some of the basic policies come into play, but who’s watching and where in your IT Department are these policies and KPIs displayed loudly and clearly for everyone to see? ENow solution tools like Mailscape and Compass provide this information on a stoplight dashboard to ensure nothing is missed liked database backups, usage alerts, prohibited senders, large mailboxes, mobile device usage and device type, password enforcement and much more. Simply put, consider taking advantage of the marketplace solutions available to bolster your 2015 security plans ensuring you are staying proactive and protected.