Most cyber attacks against a corporation aren’t conducted by a nation-state. Most cyber attacks against a corporation don’t seek to literally destroy data and PCs. The recent attack against Sony was not most attacks.
I had a chance to talk with Dmitri Alperovitch, CTO and co-founder of CrowdStrike, about what CrowdStrike has learned about the attack against Sony, and what advice he has for other companies to help them do a better job of defending against an attack like the one Sony faced:
While cyber attacks by nation-state adversaries have been taking place for years, in 2014 it became abundantly clear that every company—no matter the industry—is a potential target. The Sony breach was a wake-up call for all organizations: if you have valuable information, you are a target.
CrowdStrike is part of a new wave of cybersecurity companies that view security from a different perspective. Traditional security models focus on guarding the “perimeter” in an “us vs. them” strategy, and deploying malware tools intended to identify and block specific attacks that are already known. CrowdStrike flips it around. CrowdStrike’s tagline is “You don’t have a malware problem, you have an adversary problem.”
CrowdStrike’s intelligence team had been tracking the adversaries who had infiltrated Sony for years and was able to analyze the wiper malware used in the Sony breach and tie it back to previous destructive attacks conducted against South Korea going back to 2009. I had a chance to chat with Dmitri Alperovitch, co-founder and CTO of CrowdStrike, about what they discovered.
I put our conversation together in the form of a Q&A. I’m TB (Tony Bradley), and Dmitri is DA (Dmitri Alperovitch):
TB: Could the attack on Sony have been prevented?
DA: Once a network has been breached, the adversary often spends weeks or months studying, exploring, and stealing useful data (including administrator credentials) in order to provide them with a comprehensive understanding of the network and the ability to move around freely and stealthily. In the recent Sony hack, the adversaries embedded their custom malware with a hard-coded list of machines as well as credentials for administrators in the environment, which implies that there was a significant reconnaissance period before the initiation of the actual destructive attack itself. To combat a sophisticated adversary you must have the right security tools to detect reconnaissance behaviors such as credential theft and lateral movement, giving you ample time to spot the attacker long before they can steal your data or wreak havoc on your network.
TB: What can be done beyond the reconnaissance stage of an attack?
DA: In the case of Sony, once the adversary succeeded in stealing administrative credentials, it became increasingly difficult to prevent the attack since at that point they could adopt the identity of any insider—and an administrator at that—and do the type of things that administrators typically do when they manage their network. If you don’t have the right types of detection tools on your network, sophisticated adversaries can within hours achieve their objective of obtaining the highest level of access on your network and proceed to implant themselves in it for the long haul.
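The detection point Alperovitch makes in both answers, spotting a stolen credential being used to move laterally during the reconnaissance phase, can be illustrated with a small detector. The following is an added example, not CrowdStrike's code or anything from the article: it runs a sliding window over constructed logon records (the account names, host names and thresholds are made up for illustration) and flags any account that reaches an unusual number of distinct hosts in a short interval.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (not real telemetry from the Sony incident):
# timestamp, account, source host, destination host. One account fans out to
# six servers in twelve minutes; the others show ordinary daily use.
SAMPLE_LOGONS = """\
2014-11-20T09:00:00 svc_backup ws-042 fs-01
2014-11-20T09:03:10 svc_backup ws-042 fs-02
2014-11-20T09:05:45 svc_backup ws-042 db-07
2014-11-20T09:08:02 svc_backup ws-042 hr-03
2014-11-20T09:09:30 svc_backup ws-042 dc-01
2014-11-20T09:12:00 svc_backup ws-042 mail-02
2014-11-20T09:01:00 jsmith ws-010 fs-01
2014-11-20T13:30:00 jsmith ws-010 fs-01
2014-11-20T09:20:00 admin_ops adm-01 dc-01
2014-11-20T10:50:00 admin_ops adm-01 dc-02
"""


def parse_logons(text):
    """Parse whitespace-separated logon lines into sorted (ts, account, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), account, src, dst))
    return sorted(events)


def detect_lateral_movement(events, window=timedelta(minutes=15), max_hosts=4):
    """Return {account: hosts} for accounts that authenticate to more than
    `max_hosts` distinct destination hosts within any `window`-long interval."""
    by_account = defaultdict(list)
    for ts, account, _src, dst in events:
        by_account[account].append((ts, dst))
    alerts = {}
    for account, evs in by_account.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the oldest event fits inside it.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts = {dst for _, dst in evs[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts[account] = alerts.get(account, set()) | hosts
    return alerts


if __name__ == "__main__":
    for account, hosts in detect_lateral_movement(parse_logons(SAMPLE_LOGONS)).items():
        print(f"ALERT {account}: reached {len(hosts)} hosts: {sorted(hosts)}")
```

On the sample data only `svc_backup` is flagged; in practice the window and host threshold would be tuned per account role, since a backup or monitoring service legitimately touches many hosts.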
Read the full story, along with a link to view a live demonstration using the wiper malware that was employed at Sony, on CSOOnline: CrowdStrike demonstrates how attackers wiped the data from machines at Sony.