I am watching the news reports on the Sony breach and laughing at all of the “facts” that are being bandied about. I want to use the Sony breach as a teachable moment and explain that the “facts” may not be as factual as represented by the media, forensic examiners or even the FBI. I have done a number of forensic investigations and from my own experience there is a lot of effort required to prove conclusively that a particular device or actor is the actual attacker.
So let us take a look at the “evidence” we have at this point and see if the conclusions drawn should be treated as facts.
My first issue is how quickly the FBI and Mandiant have come out with the “fact” that North Korea is behind the attack. According to the timelines I have seen, it was on November 21, 2014 that Sony was told by the attackers, GOP, that it had been hacked. So in roughly three weeks the FBI and Mandiant have figured out, definitively, that North Korea was behind the attack. Granted, Mandiant and the Bureau could have been investigating this long before, but given the way the news reports were written, I have to believe that Sony had no idea anything was wrong until November 21.
Why do I find this timeline spurious? It took Mandiant over three years to trace things back to the Chinese for their report, APT1, last year and we are to believe that the FBI has the skill and manpower to trace a “sophisticated attack” (Kevin Mandia’s words to Sony) back to North Korea? I find that hard to believe. Not because the Bureau and Mandiant are not skilled, but that it is just impossible to cram a year’s worth of investigation into a few weeks, regardless of the manpower tossed at the investigation.
In my own experience, I typically had ideas as to what happened and how within a few weeks, but that is when the difficult work of determining exactly how things went down began. It can take months or even years to figure out an attack, if it is ever figured out at all. That is why NTSB investigations of airplane crashes take at least a year before a report is issued. Any attack may not be as simple or uncomplicated as you initially think.
“Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.”
We do know for a fact that hackers reuse other attackers’ code. Why reinvent the wheel if you do not need to? Hence all of the variants of attack code, created not only to evade anti-virus but also to enhance or improve techniques and methods. Just because there are similarities in some lines of code, algorithms, methods, etc., does not mean that it was the North Koreans who were the actual actors. It just means that the attackers used code attributed to North Korea. Key word, “attributed”. To me, a far better piece of evidence would have been if the code had been written in Korean or a North Korean dialect.
“The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.”
Hardcoded IP addresses are evidence? So does that mean that everyone is guilty if I write their telephone number on a napkin and that napkin turns up as evidence? No. A better piece of evidence would have been log data that actually ties those IP addresses to the data that was exfiltrated out of Sony. Just because IP addresses are hardcoded in an application does not necessarily imply that the IP endpoint was in fact the actual endpoint. Hackers regularly take over other organizations’ and governments’ servers to obfuscate their actual location. A hardcoded IP address in a piece of code does not necessarily mean that address is the endpoint. It just means that a device could be involved.
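The distinction drawn above, between an address that merely appears in a binary and an address the network actually sent data to, is something an examiner can check directly. The following is an added example, not code from the original post: it sweeps a constructed binary fragment for dotted-quad strings, then correlates them against constructed egress records (the log format, the addresses and the byte counts are all hypothetical) to report which hardcoded addresses actually received a meaningful volume of outbound data, and which heavy destinations the binary never names at all.

```python
import re
from collections import defaultdict
# Constructed sample: a fragment of a binary with two IPv4 strings embedded
# among ordinary import names (not real malware and not real Sony data).
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 8 + b"203.0.113.10\x00KERNEL32.dll\x00"
    b"198.51.100.7\x00DeleteFileW\x00" + b"\x00" * 4
)
# Constructed egress records, "timestamp src dst dport bytes_out" (hypothetical format).
SAMPLE_EGRESS_LOG = """\
2014-11-20T02:14:03Z 10.8.1.44 203.0.113.10 443 52428800
2014-11-20T02:15:11Z 10.8.1.44 203.0.113.10 443 52428800
2014-11-20T03:02:40Z 10.8.2.9 192.0.2.55 443 1048576
2014-11-21T09:30:00Z 10.8.1.44 198.51.100.7 80 512
"""
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_hardcoded_ips(blob: bytes) -> set:
    """Dotted quads found in the blob whose octets are all in range (a strings-style sweep)."""
    found = set()
    for m in IPV4_RE.finditer(blob):
        text = m.group().decode("ascii")
        if all(int(octet) <= 255 for octet in text.split(".")):
            found.add(text)
    return found

def parse_egress(log: str) -> list:
    """Parse the constructed egress format into (dst, bytes_out) pairs; skip malformed lines."""
    rows = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[4].isdigit():
            rows.append((parts[2], int(parts[4])))
    return rows

def correlate(blob: bytes, log: str, min_bytes: int) -> dict:
    """Tie each hardcoded IP to observed egress, and flag heavy egress the binary never names."""
    hardcoded = extract_hardcoded_ips(blob)
    totals = defaultdict(lambda: {"flows": 0, "bytes_out": 0})
    for dst, nbytes in parse_egress(log):
        totals[dst]["flows"] += 1
        totals[dst]["bytes_out"] += nbytes
    report = {}
    for ip in sorted(hardcoded):
        stats = dict(totals.get(ip, {"flows": 0, "bytes_out": 0}))
        stats["exfil_candidate"] = stats["bytes_out"] >= min_bytes  # volume, not mere presence
        report[ip] = stats
    unlisted = sorted(ip for ip, s in totals.items()
                      if ip not in hardcoded and s["bytes_out"] >= min_bytes)
    return {"hardcoded": report, "unlisted_heavy": unlisted}
```

In the constructed data, one hardcoded address received 100 MiB while the other saw a single 512-byte connection, and a third address absent from the binary moved 1 MiB; only the logs, not the binary, distinguish those cases.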
“Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.”
The attack on certain South Korean banks and TV stations in 2013 was never definitively pinned on North Korea; it was only suspected. The prime piece of evidence was a Chinese IP address that was assumed to implicate North Korea. So using the South Korean attack as though it was definitively proved to be done by North Korea is not a fact.
While I had some issues with the Mandiant report on China and their investigation methods, the information being offered as “facts” that North Korea is behind the Sony breach is positively appalling. People want an answer immediately and so one is given regardless of accuracy or even believability. However, this is a technology issue and so it is easy to feed the public supposed “facts”, since only the true technology people in the world will know the difference.
Unfortunately a breach such as the one at Sony will take time, probably a lot of time. I would not be surprised if we end up with a lot of “suspicions” and “assumptions” when a final analysis is done and released, if we ever get a definitive answer. The reason I believe that is that I do not think Sony had the kind of security implemented and working given the amount of information that has been supposedly gathered by the attackers. The other clue in this is that it was November 21 when Sony was notified by the attackers they had been breached.
The key takeaway here is that forensic examinations very rarely prove WHO the bad actor was that caused the breach. This is particularly true when the attacker is outside the organization. There are just too many ways that an attacker can obfuscate their actual identity and location.
What forensic examinations do provide is a road map of improvements and enhancements in an organization’s security measures and procedures to minimize future attacks. Note that I did not say “prevent” future attacks. I use minimize because security is never an absolute. Anyone with an extreme desire to attack an organization will do so regardless of how well your security program is constructed and executed.
Bruce Schneier points out this very fact about determined attackers in his post on the Sony breach. I have always referred to this as the ‘98-2 Rule’. Properly implemented and managed information security keeps 98% of attackers out. However, it is the remaining 2% that are determined enough to figure out how to work around even the best security. All any organization can do about that remaining 2% is to put controls in place so that when the 2% get through, they are detected as soon as possible and their impact minimized. This is why security frameworks are so important: they provide organizations with guidance on what it takes to be left with only that 2% to worry about.
Given the limited evidence provided thus far, could it be that this is all a sophisticated marketing ruse that went sideways? Would it not be apropos if Seth Rogen and his production company did the attack as a promotional stunt and the attackers they hired found out that Sony was ripe for such an attack and then went further than what they were supposed to?
Something to think about.