Sony Pictures hack the ‘perfect APT story,’ says ESET
By Gabey Goh December 29, 2014
- Larger firms being targeted via SMB vendors
- Security 'a serious problem' in IoT universe
SONY Pictures Entertainment publicly disclosed on Nov 24 that it had been hacked, with a group calling itself #GOP (Guardians of Peace) claiming responsibility for the attack which saw the theft of large amounts of internal corporate data.
In the weeks since, the company and the relevant authorities have been grappling with the aftermath of the breach, which resulted in thousands of executive emails and other documents being posted online, along with unreleased films made available for illegal download.
It was an incident that one could only describe as the “perfect Advanced Persistent Threat (APT) story,” according to Juraj Malcho, the chief research officer for ESET, an IT security company headquartered in Bratislava, Slovakia.
“It has everything: A determined attacker with a motive monitoring the victim’s network for a long time, learning all the details, and planning carefully where and when to strike. More importantly, the victim did not pay enough attention to securing its systems properly.
“The leaked data showed that there have been a couple of past security incidents at Sony Pictures and apparently they did not have proper control of the systems, or pay proper attention to the incidents,” he told Digital News Asia (DNA) via email.
Malcho called the hack “a heavy blow,” and added “hopefully by seeing the impact on the company’s reputation and the loss of trust from its customers, other businesses will be forced to take security more seriously.”
“This proves that an exposed company or individual can’t rely solely on technology and trust and hope that an adversary won’t be able to bypass it. You need to look at the indicators and react properly,” he added.
The fact of the matter is, many companies may not be prepared to deal with the type of attack Sony fell victim to, with the state of readiness varying from one organisation to another.
While traditional malware simply tries to target as many random victims as possible, targeted threats are a completely different issue, noted Malcho.
“We need to start with the definition of APT. In fact, this label can be very misleading. Most of the time, these threats are not advanced; they are an off-the-shelf standard RAT (Remote Administration Tool).
“These attacks are also not about one single threat. It is about the attacker persistently trying to get into your systems, trying different ways, different malware, different exploits, or an altogether different technique, such as social engineering, or even combining all of them,” he added.
Malcho argued that, instead, a much better label than APT would be TPA, or Targeted Persistent Attacks, as that is exactly what it means.
“If you want to fend off these threats, you need to have people capable of detecting a perpetrator sneaking around in your systems. If you rely only on ‘static’ software solutions, those can and will be eventually bypassed by the attacker. It is always easier to attack than defend,” he said.
Securing the weakest and mobile links
It’s not just large corporations that need to be vigilant with cybersecurity, with small and medium-sized businesses (SMBs) also attractive targets and considered “low-hanging fruit.”
SMBs are more appealing for today’s sophisticated and often well-funded attackers, as they generally have smaller budgets to allocate towards cybersecurity which makes them easier targets compared to larger firms that invest in more comprehensive security solutions.
“As such, the websites of SMBs are often less secure, making them an easy access point for cybercriminals. In fact, we are seeing larger firms being targeted via SMB vendors, as was the case with the theft of data from Standard Chartered this time last year,” said Malcho.
In December 2013, client information was stolen from a server used for Standard Chartered Private Bank at a Fuji Xerox printing facility in Singapore.
Asked about any regional differences in the cybersecurity landscape, Malcho noted that it is an international issue.
“Due to the connected world we live in, we are vulnerable to cyber attacks no matter where we are. The threat landscape, then, is unsurprisingly similar.
“It is however arguable that Asia, which has a large number of internet users compared to the rest of the world, is an increasingly attractive target for cybercriminals.
“Economic growth within Asia Pacific, as well as Singapore and Hong Kong’s status as major financial hubs for the region, make them prime targets for attackers,” he added.
Malcho said that organizations should invest in cybersecurity solutions that are up-to-date, as a good security system will enable an organization to monitor for malicious activities and prevent attacks from happening.
“It’s also crucial for them to have proper back up of their data and be vigilant of online activities,” he added.
The human factor should also not be overlooked, Malcho said, and organizations also have to understand that their employees are their first line of defence.
Security policies should be implemented in the workplace and employers need to educate their employees on cybersecurity and the risks that exist with certain online activities.
The role of people in ensuring security is not compromised takes on heightened importance with Bring Your Own Device (BYOD) becoming the norm in many organisations.
Malcho reported that with BYOD gaining popularity across Asia Pacific and the world, organisations are investing in more mobile-focused security policies, which is crucial as BYOD can make organisations more vulnerable to cyber attacks.
“It’s also important for businesses to invest in educating their employees on BYOD. You can have the best security software in the world however a careless mistake made by an employee may still result in a breach.
“By providing cybersecurity training to all employees, you can substantially minimise this risk,” he added.
The IoT issue
At a briefing hosted in Singapore in November, Andrew Milroy, vice president of ICT Research at Frost & Sullivan said that security remained the “elephant in the room” in discussions about the Internet of Things (IoT).
IoT refers to the interconnection of uniquely identifiable embedded computing devices within the existing Internet infrastructure.
“What’s interesting is that when I give a presentation about cloud computing, the first question is always ‘What about security?’ But when I talk about IoT, that question is missing.
“Security is a huge issue when it comes to IoT; you’re talking about having everything Internet Protocol-enabled and that makes everything vulnerable,” Milroy said.
Malcho concurred with Milroy’s assessment, adding that security is “a serious problem” in the diverse universe of IoT.
“We are seeing the 90s of the Internet era return, where most companies try to come up with new cool products without giving much thought to security and the impact on overall usability.
“It is important for everyone connected to Internet to realize that they bear a part of the collective responsibility to keep the ecosystem clean,” he said.
However, Malcho admitted that it is easier said than done as these devices are hard to update, with non-standard communication protocols and one can’t deploy endpoint security for all of them.
“There is no reason to think that new devices are not going to be a target for cybercrime. The IoT trend will definitely create an interest from cyber criminals,” he said.
Malcho added the world is already seeing pieces of this on-going trend take shape, such as using Engine Control Units (ECU) to attack cars as shown at the Defcon conference in 2013 or hacking a Tesla car to open its doors while in motion in 2014.
“Attacks and proof of concepts were also shown on several SMART TVs, Boxee TV devices, biometric systems on smartphones, routers and also on Google glasses.
“While these things are starting to happen, it doesn’t mean that we’re doomed next year. The adoption of smart devices will be gradual, during which I hope more security and ‘unified language’ will be adopted,” he said.
While IoT creeps towards its tipping point, if there is one area that industry and consumers need to pay immediate attention to, in Malcho’s view, it is home routers: many of these devices have vulnerabilities, ship with default passwords and are hard to update.
“It’s really time to address this, before it gets too big. In order to detect home router infections, we added functionality in our endpoint desktop products to detect redirections to known malicious sites, caused by infected routers.
“But that’s only detection and the only advice we can give to our users is to log on to the router and reimage it with the latest possible firmware,” he added.
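The endpoint-side detection Malcho describes, spotting a hijacked home router by the DNS answers it hands out, can be illustrated with a small checker. This is an added example, not ESET's code and not a description of how its products work; it assumes a constructed client-side resolver log format (`resolver=`, `qname=`, `answer=` fields), a constructed list of known-malicious answer addresses, and a constructed table of expected answers for a few high-value hostnames. It flags three indicators: answers that land on a known-bad address, answers for a watched hostname that differ from the expected address, and answers served by a resolver other than the household's own router or ISP (a router whose DNS setting has been changed is a common symptom of compromise).

```python
"""Added example (not from the article or from ESET): flag DNS answers that
point well-known hostnames at known-bad addresses, that disagree with the
expected answer, or that came from an unexpected resolver. Everything below
(log lines, addresses, hostnames) is constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed client-side resolver log: timestamp, answering resolver,
# queried name and the address returned. Hostnames use the reserved .test TLD
# and addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2014-12-29T10:00:01 resolver=192.168.1.1 qname=www.example-bank.test answer=203.0.113.7
2014-12-29T10:00:02 resolver=192.168.1.1 qname=update.example-vendor.test answer=198.51.100.20
2014-12-29T10:00:03 resolver=192.0.2.250 qname=www.example-bank.test answer=203.0.113.7
2014-12-29T10:00:04 resolver=192.168.1.1 qname=cdn.example.test answer=198.51.100.99
2014-12-29T10:00:05 resolver=192.168.1.1 qname=www.example-bank.test answer=198.51.100.45
this line is noise and must be ignored
"""

# Constructed "threat intel": addresses known to host redirect/phishing pages,
# the expected answers for a few watched hostnames, and the resolvers this
# household legitimately uses (its own router).
MALICIOUS_ANSWERS = {"198.51.100.99"}
EXPECTED_ANSWERS = {"www.example-bank.test": {"203.0.113.7"}}
EXPECTED_RESOLVERS = {"192.168.1.1"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) resolver=(?P<resolver>\S+) qname=(?P<qname>\S+) answer=(?P<answer>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    qname: str
    reason: str


def _is_ip(value: str) -> bool:
    """True if value parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def detect_router_redirects(
    log_text: str,
    malicious=MALICIOUS_ANSWERS,
    expected_answers=EXPECTED_ANSWERS,
    expected_resolvers=EXPECTED_RESOLVERS,
) -> list[Alert]:
    """Scan a resolver log and return one Alert per suspicious indicator.

    Lines that do not match the log format are skipped, so a noisy log does
    not abort the scan. Alerts are returned in log order.
    """
    alerts: list[Alert] = []
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # unrecognised line: ignore, do not crash
        ts, resolver, qname, answer = (match.group(k) for k in ("ts", "resolver", "qname", "answer"))
        if not (_is_ip(resolver) and _is_ip(answer)):
            alerts.append(Alert(ts, qname, f"unparseable address in line: {raw.strip()}"))
            continue
        # Indicator 1: the answer did not come from the resolver we expect.
        # A router whose DNS setting was silently changed shows up here.
        if resolver not in expected_resolvers:
            alerts.append(Alert(ts, qname, f"unexpected resolver {resolver}"))
        # Indicator 2: the answer is an address already known to be malicious.
        if answer in malicious:
            alerts.append(Alert(ts, qname, f"answer {answer} is a known-malicious address"))
        # Indicator 3: a watched hostname resolved somewhere other than expected.
        elif qname in expected_answers and answer not in expected_answers[qname]:
            expected = ", ".join(sorted(expected_answers[qname]))
            alerts.append(Alert(ts, qname, f"answer {answer} differs from expected {expected}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_router_redirects(SAMPLE_LOG):
        print(f"{alert.ts} {alert.qname}: {alert.reason}")
```

Run as a script it prints three alerts for the constructed log: the query answered by the unexpected resolver `192.0.2.250`, the answer landing on the known-bad `198.51.100.99`, and the bank hostname resolving to an address that is not the expected one. The third indicator is the most useful in practice, because a freshly set-up redirect target will not yet be on any blocklist; it is also the one that needs the most care, since legitimate hostnames can resolve to several addresses (CDNs, anycast), which is why the expected-answer table holds a set per name rather than a single address.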