Reflecting on the Sony Pictures Entertainment Breach

2015: THE YEAR OF THE RAT – THREAT REPORT
by Gary S. Miliefsky, CISSP, fmDHS, CEO, SnoopWall LLC
Copyright © 2014, SnoopWall LLC. All rights reserved worldwide. www.snoopwall.com sales@snoopwall.com

While the Chinese Zodiac calls 2015 the “Year of the Sheep” (how apropos), I predict that 2015 will be the Year of the Remote Access Trojan (RAT). It all started in November 2014, when Sony Pictures Entertainment (SPE) was hacked. Many speculated it was a ‘malicious insider’, but the facts show it was something very different, and something you should expect when you least expect it. Let’s take a quick look at the SPE attack and recognize that it is the tip of the iceberg for what’s coming our way in 2015. If you don’t take action and heed my warnings to get more proactive in protecting your personal privacy (see: http://www.snoopwall.com/halting-hackers-on-the-holidays/) and your business environment, and to avoid being phished and infected with RATs, then you might actually be one of the sheep losing your fleece in 2015.

How Sony Pictures Entertainment Was Hacked – Maliciously From the Outside

The story is that an ‘internal administrative’ password was used to take down Sony Pictures Entertainment (SPE). That is a tiny piece of the real story. It’s easy to get an admin password, especially when it’s stored in clear text in a file called “Usernames&Passwords” on an adjacent system in the same network, if you’ve already deployed a RAT.

Antivirus is Dead

The first problem is that so many computers throughout the globe are infected with zero-day (new) malware. In fact, when NTT tested the top antivirus products for a year, they concluded in their recent report that between 50% and 70% of the malware made it past the antivirus scanners. That means, and I’ve been saying this for years, that antivirus is dead.
Just look at the May 4, 2014 Wall Street Journal article in which Symantec's senior vice president for information security, Brian Dye, told the paper that antivirus "is dead." If you can’t detect the malware and you’re already infected, then what can it do? How about controlling your computer and using it as one of many ‘hops’ in a chain that obscures the source of an attack? If you get infected with one of these zero-day RATs (Remote Access Trojans), you’re not only a victim, you are an accidental accomplice.

Remote Access Trojans

Remote Access Trojans (RATs) that make it onto a computer undetected give someone far away all the control they need over the victim’s computer. RATs are generally sent through email by ‘riding’ what looks like a trusted file attachment such as a PDF, Excel spreadsheet or Word document. Once the victim opens the email and clicks on the attachment, they may actually see a useful or trustworthy-looking PDF, XLS or DOC open up while, at the same time, the RAT is being installed. Some less sophisticated RATs will display a fake ‘file corrupted’ error message so you think the attachment didn’t come through completely and didn’t open. Many RATs can disable antivirus and firewall software, or create covert channels to bypass them when sending and receiving information, commands, data and files.
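To make the delivery path above concrete, here is an added example, written for this page and not taken from the original report or from SnoopWall, of the checks a mail gateway or a cautious user can run on an attachment before anyone opens it. The extension lists, magic signatures and the constructed sample payloads are assumptions chosen for illustration. It flags an executable header hiding under a document name, a double extension such as .pdf.exe, a right-to-left-override character in the file name, an Office (OOXML) document that carries a VBA macro project, and a legacy OLE document whose macros cannot be judged from the header alone.

```python
"""Triage an e-mail attachment before a user opens it.

Added example (not from the original report): cheap checks for the common
RAT-dropper disguises: an executable wearing a document name, a double
extension, a right-to-left-override trick in the name, and an Office
document carrying a VBA macro project. Lists and signatures below are
assumptions for illustration, not an exhaustive policy.
"""
from __future__ import annotations

import io
import sys
import zipfile

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk", ".msi"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
            ".ppt", ".pptx", ".pptm", ".rtf", ".txt", ".jpg", ".png"}

# Leading bytes that identify the real container, whatever the name says.
MAGIC = {
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",                         # OOXML (.docx/.xlsx/.pptx)
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # legacy .doc/.xls/.ppt
    "pe":  b"MZ",                                 # Windows executable
}
# Container each document extension is expected to have.
EXPECTED = {".pdf": "pdf", ".docx": "zip", ".docm": "zip", ".xlsx": "zip",
            ".xlsm": "zip", ".pptx": "zip", ".pptm": "zip",
            ".doc": "ole", ".xls": "ole", ".ppt": "ole"}

RTLO = "\u202e"  # Unicode right-to-left override: "report\u202efdp.exe" displays as "reportexe.pdf"


def _container(data: bytes) -> str | None:
    for kind, sig in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def _extensions(filename: str) -> list[str]:
    """All dotted suffixes, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p.strip() for p in parts[1:]] if len(parts) > 1 else []


def _has_vba_project(data: bytes) -> bool:
    """OOXML files are zips; a macro-enabled one carries a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons this attachment deserves a second look (empty list = nothing found)."""
    reasons: list[str] = []
    exts = _extensions(filename)
    final = exts[-1] if exts else ""

    if RTLO in filename:
        reasons.append("right-to-left override in file name")

    if final in EXEC_EXTS:
        reasons.append(f"executable extension {final}")
        if len(exts) > 1 and exts[-2] in DOC_EXTS:
            reasons.append(f"double extension {exts[-2]}{final} mimics a document")

    kind = _container(data)
    if kind == "pe" and final not in EXEC_EXTS:
        reasons.append("Windows executable header under a non-executable name")
    elif final in EXPECTED and kind != EXPECTED[final]:
        reasons.append(f"{final} name but content is {kind or 'unknown'}, expected {EXPECTED[final]}")

    if kind == "zip" and _has_vba_project(data):
        reasons.append("Office document contains a VBA macro project")
    if kind == "ole":
        reasons.append("legacy OLE document; macros cannot be ruled out by header alone")
    return reasons


if __name__ == "__main__":
    # Usage: python triage.py <attachment-file>
    path = sys.argv[1]
    with open(path, "rb") as fh:
        for reason in triage_attachment(path.rsplit("/", 1)[-1], fh.read()):
            print(f"{path}: {reason}")
```

The header check is the one that matters most: a RAT dropper named "Invoice.pdf" still begins with the PE signature "MZ", which no renaming can hide. The OLE branch deliberately does not claim to detect macros; parsing VBA streams out of a legacy .doc or .xls is a job for a dedicated tool, so the check only says the header cannot clear the file.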
RATs can do just about anything you can think of. This is a sampling of what they are capable of:

- Watch you type and log your keystrokes
- Watch your webcam and save video
- Listen in on your microphone and save audio files
- Take control of your computer
- Download, upload and delete files
- Damage hardware, for example by overclocking the CPU
- Install additional tools, including viruses and worms
- Edit your Windows registry
- Use your computer in a denial of service (DoS) attack
- Steal passwords, credit card numbers, emails and files
- Wipe your hard drive completely
- Install boot-sector viruses (very hard to remove)

A well-designed RAT gives the operator the ability to do anything they could do with physical access to the machine. RATs can be used to install additional tools, so a program to upload or download files can be installed secretly. What a great way to move an entire electronic copy of an upcoming movie onto a peer-to-peer file sharing network.

Phishing Attacks – Social Engineering 101

According to Phishme.com, “Phishing can be defined as any type of email-based social engineering attack, and is the favored method used by cyber criminals and nation-state actors to carry out malware and drive-by attacks. These are fraudulent emails disguised as legitimate communication that attempt to trick the recipient into responding – by clicking a link, opening an attachment, or directly providing sensitive information. These responses give attackers a foothold in corporate networks, and access to vital information such as intellectual property. Phishing emails are often carefully crafted and targeted to specific recipients, making them appear genuine to many users. Phishing is effective, low-cost, bypasses most detection methods, and offers criminals little chance of capture or retribution.
It’s little wonder then that several prominent security firms have confirmed it to be the top attack method threatening the enterprise today, with security firm TrendMicro noting that spear phishing accounts for 91% of targeted attacks, incident response consultant Mandiant citing spear phishing as Chinese hacking group APT1’s most common attack method, and Verizon tracing 95% of state-affiliated espionage attacks to phishing.”

Lex Parsimoniae: Here’s What Most Likely Happened

Understanding the means, motives and capabilities of the ‘actors’ involved, and applying Occam’s razor (the fewest assumptions that solve the problem):

1) SPE puts out a teaser in June 2014.
2) A nation state reacts in June 2014 and asks both the White House and the UN to halt release of the movie “The Interview”.
3) There is no response to their request and threat to pull “The Interview”, which to them is an ‘act of war’.
4) Between July 2014 and October 2014, a crack team from a large cyberarmy is charged with reconnaissance (RECON) on Sony Pictures Entertainment, in preparation for a highly targeted phishing attack that deploys a RAT.
5) Internal network RECON takes place; files are stolen by being transferred (uploaded) to other RAT victims rather than directly to the attacker, in this case most likely a cyberarmy.
6) File uploads, email and record pilfering, and hard drive wiping tools are most likely controlled by RAT command and control (C&C) servers located outside the US, with other remotely controlled computers inside the US.
7) Pilfered files are leaked, and threats are made from spoofed IP addresses accessing Gmail accounts to make tracing difficult.
8) 9/11-type threats are made to trick Sony and movie theaters into blinking. They blinked.
9) The US Government and top security forensics professionals (FBI.gov, Mandiant, FireEye) figure this out as well and share some of this information, including the fact that the malware was built on Windows systems with Korean language settings (most likely, in my view, with Windows tooling running under WINE on a Linux-derived OS). The White House reacts once the initial forensics are complete and the POTUS is fully briefed.

Can We Protect Against This Type of Attack?

If my analysis is correct, then any organization could defend against this attack, in spite of the FBI’s statement that the malware would have gotten past the defenses of 90% of businesses (this is probably true, sadly). To be clear about the defense: even though “Usernames&Passwords” was one of the files discovered, with plaintext passwords such as the word “password”, that file is not what triggered the attack. Changing those passwords would have made the RECON and pilfering period longer and harder, but it wouldn’t have stopped them. It’s very embarrassing for SPE to have used such foolish passwords and file names, but that’s not the heart of the problem. Here’s my view:

1) We’re all infected and don’t know it. Assuming you are infected positions you better to proactively harden your systems and remove zero-day infections. With this key assumption, you need to back up all your data files, wipe and reimage your computers, and install only legally owned copies of software.

2) You can’t let smartphones and tablets onto corporate networks (the bring your own device, or BYOD, dilemma) unless they can be managed. This also means deleting all apps and then installing only trustworthy apps from sources you know and trust. How many apps do we have installed without knowing whether they have backdoors, or whether they are not just tools and games but also RATs in disguise?

3) Employees at Sony are not trained like employees at Coca-Cola. That company hasn’t had a breach or lost its secret formula in over 100 years.
Cyberarmies could attack Coke for the formula and most likely would never succeed in getting it using the means they used on Sony. Why? Because Coke practices employee training (against social engineering), has frequently tested and updated security policies (including physical security, people security and network security), and doesn’t leave the secret formula out in the open. They practice COUNTERVEILLANCE (see http://www.snoopwall.com/free to take my free beginner’s course on this subject).

Best Practices for 2015

Working backwards through this Sony Pictures breach, we can see lots of reactive behavior. Why not get proactive instead of reactive by:

a) Training employees better
b) Hardening systems (see: http://nvd.nist.gov)
c) Detecting and removing RATs
d) Deploying full disk encryption and real-time backups
e) Defending against phishing attacks
f) Managing the BYOD dilemma

Of course it’s easier said than done. The biggest weakness at SPE was its employees. If you can’t train them to behave better, to understand phishing attacks and proper password management, and to use full-device encryption, keeping important information always encrypted and frequently backed up, then what can you expect but another successful breach from the inside out? I would suggest we all start writing emails as if everyone in the world can see them. Sony Pictures executives have learned this lesson the hard way. But, again, that’s not what caused the breach; that’s data that was stolen and used against them, which is just rubbing salt in the wound. The real issue is that all employees need better security training.

How Do RATs Travel Behind Corporate Firewalls?
While most folks think of the phishing attack (through the email port, the front door) as the only and key point of entry, you need to start assuming that most of your smartphone or tablet apps are creepware, malware that spies on you and your online behavior; many free apps are RATs. Do you really need them? Delete all of the apps you aren’t using that often. Replace apps that take advantage of too many of your privacy settings, such as GPS, phone and SMS logs and personal identity information, with similar apps that don’t. If you don’t manage this bring your own device (BYOD) dilemma, then expect RATs on your portable devices to invade your corporate network.

Coca-Cola Practices Counterveillance – You Should Too

How old is the Coca-Cola recipe? Has it been hacked or stolen in over 100 years? So what is Coca-Cola doing better than everyone else? They are doing steps a) through f) above and frequently checking and rechecking their security posture. If you don’t have a plan, expect to be a victim in the Year of the RAT. If you can make the important information “invisible” to the malware, the RAT, then it can’t steal it. Practicing counterveillance, like Coca-Cola, could be the most important thing you do for privacy and security. Think about it. If you could be invisible, no one could see you. They wouldn’t know when you are browsing the web or using your smartphone. If you could make all the private information about yourself completely invisible, no one could ever steal it. That’s right: your personally identifiable information (PII) could not be stolen if no one could see you or your data. It’s so simple it sounds too good to be true. Right? If you could make yourself invisible, if you could hide your PII from prying eyes, you would be practicing counterveillance. That’s right, you would be countering surveillance. What makes the US B-2 Stealth bomber so unique?
It disperses its radar signature so that it becomes invisible to traditional radar; the design of the aircraft’s ‘skin’ is a counterveillance technology. It is possible to become nearly invisible, but you’re right to think it’s very challenging; many would say nearly impossible. However, if you start out with the goal ‘how do I make my data invisible to criminals and hackers?’, then each day you should be working toward it, building your own B-2 Stealth bomber out of a more secure and encrypted database, better password management, real-time backups, defense against RATs and phishing attacks and, ultimately, better trained employees who realize that ‘loose lips sink ships.’

About SnoopWall

At SnoopWall, we invented the world’s first counterveillance technology and filed an international patent on it. This technology is very, very hard to implement on computers and mobile devices, but we’re doing it anyway. We have some of the best programmers in the world working hard every day, building our counterveillance solution. We’re going to help your computer and mobile device become ‘nearly’ invisible. That means hackers, cyber criminals, online predators, cyber terrorists and other ne’er-do-wells won’t be able to find you or your confidential information. It won’t matter how advanced their malware becomes. Advanced persistent threats (APTs)? No problem! Zero-day malware? No problem! If they can’t see you or your data, they can’t steal it. Hard to implement but simple to understand.

About The Author

Gary is the Founder of SnoopWall and the sole inventor of the company’s new technology. He has been extremely active in the INFOSEC arena, most recently as the Editor of Cyber Defense Magazine and as a cover story author and regular contributor to Hakin9 Magazine. He also founded NetClarity, Inc., an internal intrusion defense company, based on a patented technology he invented.
He is a member of ISC2.org, a CISSP®, and a member of the Advisory Board of the Center for the Study of Counter-Terrorism and Cyber Crime at Norwich University. He also advised the National Infrastructure Advisory Council (NIAC), which operates within the U.S. Department of Homeland Security, in its development of The National Strategy to Secure Cyberspace. Miliefsky is a Founding Member of the US Department of Homeland Security (http://www.DHS.gov), serves on the advisory board of MITRE for the CVE Program (http://CVE.mitre.org), and is a founding Board member of the National Information Security Group (http://www.NAISG.org). Email him at: ceo@snoopwall.com.

Sources: SnoopWall.com, FBI.gov, CIA.gov, wikipedia.com, US-CERT, and public domain information.

Copyright © SnoopWall LLC. All rights reserved worldwide. Excerpts and full reprints and republishing allowed with minimal attribution as follows: “Provided by Gary S. Miliefsky, Cybersecurity Expert and CEO of SnoopWall at www.snoopwall.com. Email: ceo@snoopwall.com.”