Sony Pictures reportedly has been hit by an attack that has taken over its network and locked out its employees. The group behind the attack calls itself the #GOP (Guardians of Peace) and is allegedly holding Sony Pictures’ data hostage.
An image originally shared on Reddit shows the ransom screen that the #GOP hackers put on the Sony Pictures network. The attackers have also posted several compressed .zip files that include alleged internal Sony Pictures financial reports.
Security experts contacted by eWEEK regard the Sony Pictures breach as an interesting event, though unfortunately not a unique one.
Todd Harris, director at Core Security, said the attack is an interesting blend of hacktivism, social engineering, intellectual property theft and classic data breach.
“While the hack itself doesn’t surprise me, the varying tactics used do,” Harris said. “Not only was the entire network disabled, but the hackers put circa 1980s graphics on everyone’s computers with a semi-threatening warning in broken English.”
Mike Davis, CTO of CounterTack, told eWEEK that what is happening to Sony Pictures is not common but has definitely happened in the past. As examples, Davis noted a hospital network that was held hostage by an attacker as well as a few events in Mexico where attackers held networks hostage until paid.
Defenses
While the specific root cause of how the attackers were able to compromise the Sony Pictures network is not yet known, there are a number of best practices that enterprises should consider to limit risk.
One of the interesting aspects of the Sony Pictures breach, Davis noted, is that Sony’s attempt to remediate the problem simply involved shutting down systems to reduce the risk of further problems.
“This information highlights that even after being breached multiple times, the firm most likely does not have the ability to rapidly perform incident response to understand what the attack has done, where the attacker is and how to remediate the attack quickly,” Davis said.
There is no magic bullet for security, according to Kevin O’Brien, vice president and founding team member at Conjur. In general, organizations should stop relying on LDAP-based systems to segment permissions and find a role-based alternative that can adapt to the ways people and code actually interact on modern networks, O’Brien told eWEEK. He also suggests that organizations keep complete and immutable access and authentication logs and keep them away from the systems that generate them.
The idea of constant monitoring to help limit risk and speed the path to remediation is a theme that Tim (TK) Keanini, CTO at Lancope, also advocates.
“Companies have invested in security defenses, and it is time they become more strategic and think about the larger picture of business continuity in the face of advancing threat,” Keanini said. “Specifically ensure that network communications of all types, good and bad, are monitored so that there is nowhere for these adversaries to carry out their operations without being detected.”
Had there been no blackmail attempt in the Sony Pictures attack, it could have been months or even years before the attackers were detected, he said.
“Are we saying that adversaries have to be the ones to tell you that your computer systems have been compromised?” Keanini said. “There is a way to turn the entire network into a sensor grid, and companies need to make this investment sooner than later as most have already been compromised and just don’t know it yet.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.