Game Change: Three Reasons Why #SonyHack Will Change Security

December 19, 2014
By Anup Ghosh

Editor’s note: As an advisor to Invincea I closely track not only their capabilities but the context they provide the community. Anup Ghosh, CEO of Invincea, published well-reasoned context on the Sony Hack at the Invincea blog; it is reposted below for your consideration. – bg

Let’s be honest. As wild as this year has been in InfoSec, none of us, and I mean nobody, anticipated the events that unfolded this week with the Sony hack:

  • A major studio cancels a theatrical release with big-time Hollywood actors because hackers threatened violence in movie theaters.
  • The White House declares it’s a national security issue and leaks intelligence that North Korea is behind the attack.
  • An attack that began as an extortion attempt against Sony for money becomes an international incident, where now the White House and Congress are talking about “proportional responses”.

Really? It sounds like a Hollywood script, a movie-in-a-movie type movie.

As this was still unfolding, I was asked to appear on Fox Business with Maria Bartiromo on 12/18 — prior to Sony canceling the theatrical release and prior to the White House declaring it was North Korea on background — to comment on Cyber Terrorism aspects of this. For what it’s worth, I don’t think this rises to the level of cyber terrorism.

Tactics Not Malware Are the Story

The #SonyHack was not a run-of-the-mill corporate hack, like we see every week in just about every sector. Most corporate hacks we see are focused on either customer data (credit cards, medical records, social security numbers, passwords, bank account information, email addresses) or company proprietary documents. The former for fraud, the latter for corporate espionage.

The #SonyHack was that unusual bird, a black swan if you will, that was designed to destroy the Sony brand via name & shame tactics. These tactics played brilliantly to the media, an industry that is all too eager to publish salacious details, no matter how inappropriate, to draw eyeballs.

The #SonyHack is the equivalent of detonating a nuclear bomb on a network, and it employed four key stratagems: capture, destroy, extort, and publish. The hackers captured and exfiltrated hundreds of terabytes of data, then torched the network with wiper malware. After extorting Sony, they leaked pre-release movies, published sensitive files and then corporate email. This is HBGary (name & shame) meets CryptoLocker (extortion) meets Edward Snowden (publish through leaks and media sensation) meets Shamoon/DarkSeoul (destroy infrastructure).

This is not to say the exploits or the malware were sophisticated — they were not. The software and components employed are readily available. No zero-days are known to have been used, no animals harmed in this production. However, the tactics employed — capture, destroy, extort, publish — combined with a savvy campaign to name & shame Sony executives, while lathering the media into a frenzy over salacious details, public extortion, leaked movies, an ever-changing agenda and demands, and threats of violence invoking 9/11, show a mastery of the American psyche and media while creating utter chaos for crisis management.

The story that will be told about the #SonyHack — and surely there is a Hollywood script being written as we speak — will be one of a savvy band of hacktivists, likely with insider help, executing a well-thought-out plan, hell-bent on destroying a great consumer electronics brand.

Game Change

In a field that is still in its infancy — Information Security — the #SonyHack, I believe, will emerge as a Game Change moment: a defining moment that causes significant change in behavior. The last big one we had was the Mandiant APT1 report in 2012 and the RSA Security keys compromise that caused companies to stand up and notice something called APTs.

You ask, why not Target, Home Depot, and the other big breaches of the past year? Not to diminish the significance of these events, but the reality is that corporations, and now the public, are conditioned to loss of customer data. Customers typically do not experience the losses themselves. Corporations absorb losses beyond insurance coverage for fraud. The awareness rises, but not enough to cause companies to change established patterns of behavior: check-the-box, compliance-driven security.

The #SonyHack is different — the Black Swan of attacks that may become the new norm. It is different because extortion is involved. It is different because the intent was to destroy the company, not just steal its sensitive data. It is different because the networks were torched. It is different because email was leaked and executives publicly humiliated, and because ultimately Sony capitulated. Capitulation will embolden hackers. And there is little doubt in my mind this same attack can be replicated over and over again at will against other companies because:

(1) most companies are not equipped to deal with targeted attacks, let alone {capture, destroy, extort, & publish} Sony-style attack tactics,

(2) the likelihood of being properly attributed and caught is slim, and

(3) the aggressors’ efforts worked and demands were met.

The impact will be far reaching beyond Sony. I expect at the first Board meeting of the New Year at every major corporation, the question will be asked “What are we doing to make sure we don’t become the next Sony?” I suspect that checking compliance boxes won’t answer the mail. I suspect that doing the same as we’ve always done will not suffice.

Rather, CISOs, Chief Risk Officers, and Chief Executive Officers will need to think outside the box about how to protect their company, and ultimately their shareholders’ value, from Sony-style attacks. This will involve a combination of getting better talent, better intel on threats, understanding the risk for their enterprise against targeted attacks, establishing processes for incident response and crisis management, and upgrading technology to meet the threat of targeted attack.

If you are a CISO, be prepared to tell the Board how you will need to upgrade to defeat Sony-style attacks in 2015 and beyond. They will be all ears.