Why WikiLeaks’ Sony Data Dump Raises the Stakes for Advanced Attack Protection

by Raimund Genes

Last week, WikiLeaks published a searchable online trove of over 30,000 documents and 173,000 emails relating to breached movie giant Sony Pictures Entertainment. Whether or not you believe the non-profit whistleblowing organisation was right to do so, the news should serve as a further warning to IT and security leaders. Information security breaches can have damaging repercussions long after the initial attack. So it pays to find ways of rooting out advanced targeted attacks early on, before they have a chance to dig in and cause serious and lasting damage.

The WikiLeaks legacy
The highly sensitive internal Sony documents were originally made public by whoever hacked the company, or an accomplice. However, the unsearchable documents were taken offline pretty quickly, before much analysis could be done by interested parties. WikiLeaks’ posting of the “Sony Archives” in their entirety, in perpetuity, and in a fully searchable manner, will be a worrying development for CIOs at other “influential multinational corporations”. How do they know Julian Assange and his team won’t deem information culled from similar breaches in the future to also be in the public interest?

Already, breached firms had to worry about remediation and clean-up costs, falling share prices, legal bills, damage to brand and reputation and other knock-on effects after a major breach. Now they can expect even greater scrutiny of their most sensitive internal documents. In short, WikiLeaks has just raised the data security stakes even higher.

Who did it?
The White House has alleged North Korean agents were behind the attack, carried out in revenge for satirical movie The Interview, although we aren’t so sure. For one, the attackers initially demanded a ransom for some of the stolen data they collected – not the behaviour of a nation state at all. In many ways it might be more reassuring if it were a nation state, but unless the Feds really do have a smoking gun somewhere, it’s unlikely. Some have claimed that company server and password names were programmed into the malware, suggesting insider knowledge.

What most organisations don’t want to hear is that this kind of attack could probably happen to a whole range of high profile companies. Whether it was purely financially motivated or a disgruntled insider, the prospect of your most sensitive information leaking online, and of a destructive malware attack causing chaos and disruption to key systems, is no longer the stuff of fiction. As the Sony breach and others in the news over recent months have demonstrated, organisations must wake up to the reality that it could be them next.

What next?
With the stakes now raised like never before, CISOs everywhere must assume they are actively being targeted by cyber criminals or could be hit at any time by an insider security breach.

With that in mind, here are some best practice steps to begin fortifying defences and enhancing your response against advanced targeted attacks:

  • Educate users on how to spot spear phishing emails and to limit the amount of personal information they post on social media
  • Formulate an incident response plan with other key stakeholders (legal, marketing, HR etc)
  • Consider advanced threat detection technologies to minimise infection times
  • Remove lower hanging fruit by keeping systems patched and up-to-date at all times
  • Gain improved visibility into unusual network events with file integrity monitoring/ log inspection
  • Consider security information and event management (SIEM) capabilities to monitor output of security controls
  • Regular cyber “fire alarms” and testing are important to keep teams alert and ensure defences are adequate

 

Leave a Reply

Your email address will not be published. Required fields are marked *