After FBI blames North Korea for Sony attack, now what?

More important than arguing over who attacked Sony Pictures is what companies do in response to the breach.

The FBI today named the North Korean government as responsible for the cyber attack against Sony Pictures last month, saying its technical analysis points to the isolated, Communist country.

But now what?

"This could embolden future attackers," Johannes Ullrich, dean of research for the SANS Technology Institute and the head of SANS's Internet Storm Center security arm, said of Sony's withdrawal of its comedy, The Interview, earlier this week after threats were posted online by the alleged hackers. "Just like with real-world threats, a successful highly-publicized attack like this will draw out copy cats to conduct similar attacks against other companies."

The attacks, which were disclosed in late November, made off with gigabyte upon gigabyte of internal Sony documents and files, including embarrassing emails, financial information, passwords, and current and former employees' personal information.

Speculation that North Korea was behind the attack has been circulating for weeks, primarily because of The Interview, a movie whose plot centers around an assassination attempt against the country's dictator, Kim Jong-un.

But fingering North Korea is a waste of time, said John Pescatore, director of emerging security trends at the SANS Institute.

"There's been so much focus on the cyber warfare aspect of this, as in 'Oh, my God, this was North Korea,'" said Pescatore in an interview today. "The focus has been on the actors, not on the [weak security] that enabled the actors."

More important than arguing over who was responsible, said Pescatore, will be what companies do in response to the massive leaks from Sony.

"We've been scared of trying out stronger authentication, but maybe we'll try that now," hoped Pescatore, talking about two-factor authentication for accounts, including email and network access, that relies on more than a username and password. Two-factor authentication also requires another piece of information, typically a multi-digit code that is generated by a specialized hardware token or, more commonly, sent to a user's smartphone by a service provider or enterprise IT department.

Without that code, hackers who manage to dupe victims into disclosing their passwords -- typically via a phishing attack, which many experts believe was at the root of the Sony attack if it wasn't an inside job -- are not able to access hijacked accounts.

"Maybe this is the one more straw on the camel's back," said Pescatore.

Sony's example should also convince companies to encrypt all of their data, or at least more of it. "Encryption is not easy to do when you want to collaborate, but the hope now is that the attacks cause enough management attention for companies to say, 'We are going to do this hard thing,'" Pescatore said.

The decision to yank The Interview -- triggered by U.S. theater chains' announcements that they would not show the movie for fear that the hackers' threats of physical attacks would be carried out -- was blasted by many security experts this week.

Today, President Barack Obama weighed in, too, saying, "I think they made a mistake," of Sony and the theater chains.

"This will encourage others, certainly," said Tom Chapman, director of cyber operations at Edgewave, a San Diego-based security firm, and a former U.S. Navy cyber-warfare commander who also worked with the FBI and the Navy's criminal investigative service, or NCIS. "What's going to happen if there's a movie that a Muslim terrorist doesn't like? What will happen if some group says, 'Don't sell this product' or 'Don't support this cause?'"

Ullrich agreed. "With the wave of DDoS [distributed denial-of-service] attacks over the last years, they found a lot of 'followers' [when] they were successful," he said in an email reply to questions.

For Chapman, implementing stricter security measures -- something Sony in hindsight certainly should have done, as none of the documents leaked by the hackers was even password protected, much less encrypted -- is well and good. But he urged companies to do more than that.

"An IT department must know what's normal [on their network] and what's not normal," Chapman argued. "They have to watch what's going on on their network. There's no way someone should be able to remove gigabytes of data and not be noticed."
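One way to put "know what's normal" into practice, as an added example that is not from the article or from anyone quoted in it: a per-host baseline of daily outbound volume, with an alert when a host far exceeds its own history. The host names, dates, volumes and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

GB, MB = 1024 ** 3, 1024 ** 2

# Constructed sample: (day, internal host, bytes sent to external addresses).
# Hosts, dates and volumes are invented for illustration.
DAYS = [f"2024-03-{d:02d}" for d in range(1, 9)]
WS_MB = [180, 220, 200, 190, 240, 210, 205]   # workstation, seven normal days
BK_GB = [50, 51, 49, 50, 52, 50, 51]          # off-site backup host, always heavy
SAMPLE_FLOWS = (
    [(d, "ws-114", v * MB) for d, v in zip(DAYS, WS_MB)]
    + [(d, "backup-01", v * GB) for d, v in zip(DAYS, BK_GB)]
    + [(DAYS[7], "ws-114", 25 * GB), (DAYS[7], "ws-114", 15 * GB),
       (DAYS[7], "backup-01", 52 * GB), (DAYS[7], "kiosk-7", 300 * MB)]
)

def daily_totals(flows):
    """Sum outbound bytes per host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, nbytes in flows:
        totals[host][day] += nbytes
    return totals

def find_egress_anomalies(flows, day, k=6.0, floor=GB, min_history=5):
    """Return {host: (bytes_on_day, threshold)} for hosts above their baseline."""
    alerts = {}
    for host, per_day in daily_totals(flows).items():
        today = per_day.get(day, 0)
        history = [v for d, v in per_day.items() if d < day]
        if len(history) < min_history:
            threshold = floor              # no baseline yet: absolute limit only
        else:
            med = median(history)
            mad = median(abs(v - med) for v in history)
            # Median/MAD resist being skewed by one earlier spike; the 10% term
            # keeps the band from collapsing when traffic is nearly constant.
            spread = max(1.4826 * mad, 0.1 * med)
            threshold = max(med + k * spread, floor)
        if today > threshold:
            alerts[host] = (today, threshold)
    return alerts

if __name__ == "__main__":
    for host, (sent, limit) in find_egress_anomalies(SAMPLE_FLOWS, DAYS[7]).items():
        print(f"{host}: {sent / GB:.1f} GB out, threshold {limit / GB:.1f} GB")
```

The backup host moves more data than the workstation every day and is not flagged, because each host is judged against its own history rather than a single network-wide limit.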

In its statement today, the FBI said it would "identify, pursue, and impose costs and consequences on individuals, groups, or nation states who use cyber means to threaten the United States or U.S. interests," a hint that the reports of possible retaliation against North Korea were accurate.

Good luck with that, said Chapman.

"There's not much we can do to get back at them," Chapman said, pointing out the sanctions already imposed on North Korea and its almost non-existent digital infrastructure. "We have to find a different method."
