While the media storm surrounding Sony has subsided and the whodunit game has come to a stand-still (the FBI is still pointing the finger at North-Korea), the main consequences regarding the severe cyber-attack remain critical and must continue to be addressed. Just this week Sony declared it will miss the deadline for issuing its 3Q-2014 results due to the attack, and in the background, its employees are already building up for a class-action lawsuit.
The latest overwhelming attack on Sony brought to light some of the past year’s most important trends in the cyber field – the proliferation and monetization of advanced attack methods, which led to the rise in large-scale devastating attacks; the shift in focus by attackers to being asset-oriented; and the fact that companies and organizations also fall under the paradigm that for every action there is a cyber-reaction.
Just as in the case of nuclear weapon proliferation, where scientists such as A.Q. Khan transferred nuclear technology and training to Iran and Libya, we now see the same happening with advanced cyber-attack methods. Nation-states, nation-backed attackers and organized crime syndicates are all at the high end of the capability ladder and we continue to see advanced tools being used as part of cyber-espionage campaigns and attacks.
The alarming recent trend of proliferation and monetization of advanced tools, led to them being used by attackers which were unable to do so until recently. This includes financial hackers, independent espionage groups and basically any attacker with enough money and motivation.
Additionally, it is a known fact that many of the common malware today are actually reused and reversed-engineered code. This helps understand situations where similar code is seen in what seems to be otherwise completely different and unrelated attacks. Just recently, a research showed that attackers managed to modify the known Citadel financial malware (variant of Zeus) in order to perform espionage on Middle-Eastern pharmaceutical companies.
Another interesting trend is the shift in focus for attackers. While in the past, it was “simple” – financial-hackers targeted banking and finance, hacktivists targeted governments, and nation-states performed espionage on pretty much everybody – today, the tides have turned. As seen in the recent huge-scale attacks on American retailers and food chains, financial hackers began targeting every type of organization which manages financial transactions or holds payment card data. Attackers are very asset-oriented; they are more interested in the asset than the business sector they attack. To prove the point, we’ve recently seen attackers targeting parking lots’ payment systems to copy credit-card information. This, also, is part of the monetization trend.
And finally, as mentioned in our recent blog entry, for every action there is a cyber-reaction. In recent years, it has become a known fact, that if a country or its government performs actions which may be perceived as ‘provocative’, it automatically becomes a viable target for hackers, and specifically Hacktivists. Cyber-reactions have become the norm when it comes to military operations, campaigns and even tensions between countries – for example, Israel vs Hamas, Russia vs Ukraine, India vs Pakistan, US vs Iran, and many other cases. Same goes for internal political or law enforcement actions – for example, the Fergusson riots, Sweden taking down the Pirate Bay, Occupy Wall Street, and others.
But, in the past months, we have seen this trend expanding – while once it was relevant almost entirely for governments and law enforcement agencies, now it is becoming more and more relevant for companies and organizations.
Companies’ actions have become a main incentive for cyber-reactions. Additionally, we can see that in these cases the attackers vary and can be hacktivists, nation-states, nation-affiliated or basically anyone with a grudge against the company, who just needed the push.
As we’ve said in the past, companies and organization first have to understand that they are viable targets for hackers not only because of their assets but also because of their actions. They need to understand who their potential enemies are, what their capabilities are and what might trigger them to attack. They should be able to understand what the cyber-consequences of their actions are in advance. And, above all, their cyber defense strategies must become pre-active rather than reactive, using preemptive measures before planed actions and enabling quick recovery procedures, rather than putting the finger in the dike or extinguishing fires.
The Sony incident demonstrates how enterprises mismanage their cyber-security operations and how managements can be misaligned with security managers – someone at Sony should have taken into consideration that producing a movie about North-Korea would certainly trigger some aggressive response, and prepare means to mitigate the oncoming assault. This includes a concise decision regarding which assets are more important than others (company’s IP, correspondences, sensitive employee information, etc.) and protecting these at all costs, rather than just trying to secure the entire organization as tightly as possible (which never works); or, even worse, giving up in advance and saying: “we are going to be hacked anyway”, which leads to apathy and slackness. It is the management’s responsibility to determine which assets are the most critical, and the CISO’s role to secure these as best as possible with the resources allocated to him.