Who hacked Sony?
That’s the big question, and one that has been dominating my RSS reader and Twitter lists for some time now, almost to the exclusion of everything else ‘cyber’.
The consensus, among mainstream media at least, points to North Korea but that isn’t my view and nor is it held by many in the infosec community.
In fact, I myself am surprised that no definitive answer has arisen yet. After all, as Martin McKeay points out, certain agencies have spent rather a large number of dollars on snooping and generally unsettling internet users everywhere in their quest to know everything:
Shouldn't the NSA be able to look inside all the data they've captured from the internet and just tell us who hacked Sony?
— Martin McKeay (@mckeay) December 19, 2014
So what exactly do we know?
The answer lies somewhere between nothing and not a lot, but here is an interesting and, in my opinion, quite valid view from Tripwire’s Ken Westin, along with a very salient point at the end about just whom wagging fingers should be pointed at:
“There has been a great deal of “cyber rattling” in response to ongoing speculation of North Korea being connected to the recent Sony Pictures Entertainment breach. Unnamed U.S. official(s) provided some information to the media regarding a connection to North Korea; however, no evidence has been provided and no “official” statement has been made. FBI notices have been sent out stating specifically that no connection has been made and that the investigation is still underway.
Some have called for the U.S. to initiate a “strong response” to North Korea if there is a connection, such as sanctions, a counter-cyber-attack or worse. This type of talk is concerning, due to the lack of knowledge related to attack attribution by those clamoring for retaliation. Determining who is to blame with any level of certainty can take a long time, if it is determined at all, particularly when the actors provide only vague clues as to their motivations or their origins.
Although I still believe it is unlikely North Korea is behind the attack directly, it could likely be a group who are sympathizers of the hermit kingdom. Another possibility is that of a false flag. The fact that parts of the malware had Korean language settings, and possibly connected to an IP in North Korea (as well as several other countries) would be an amateurish mistake for an APT level attack. However, if the artifacts pointing to North Korea were implemented on purpose, it could be a sign of sophistication in an attempt to divert attention from the real attackers.
It would also be useful to know who the anonymous U.S. officials speaking to the media regarding the North Korean connection are. Cybersecurity has become an increasingly political topic thanks to recent NSA revelations and increased defense spending being allocated to cyber defense (and offense), not to mention issues of pirating, net neutrality, privacy and related topics, all of which the Sony breach touches on.
Instead of going on the offensive, I believe the better option is to focus on defense. It has become clear that Sony had woefully inadequate security policies and controls in place. Businesses need to start taking some responsibility for implementing better security, not just for their own business, but for the impact it has on their community and nation as a whole.
We are all in this together: government, retail, industrial, financial, entertainment and media. An attack on one is an attack on us all. Every retail breach further degrades consumer confidence, every compromise of news websites enables propaganda that instills fear, and defense contractors and technology companies are breached constantly, degrading our defenses and economy. It no longer takes nation state level resources to initiate APT level attacks against organizations; the tools and motivation of a small group can have a significant impact.
It will take a grassroots effort and stronger collaboration between business and government, which is already happening. Companies need to adopt strong security frameworks such as NIST 800-53, which, although an authoritative security control catalog for government, is also a free resource for private business. In this day and age there is no excuse for not having mature security policies and controls in place; there are numerous frameworks to follow and implement. Any organization that says it cannot afford security should look at the cost of a breach: the loss of intellectual property, legal fees, loss of trust, damage to employees. All of this should be evaluated not only with regard to how it impacts the bottom line, but also how it impacts the broader industry, economy and the broader community you serve. The Sony Pictures Entertainment breach should serve as a wake-up call to businesses; that finger we are pointing at North Korea should be pointing at ourselves.”