New reports indicate that the attackers in the Sony breach obtained access to administrator credentials, giving them broad latitude to access systems and data.
This is not entirely new: Trey Ford, Global Security Strategist at Rapid7, made the same observation when the attack was first reported.
The attackers' ability to change the screensaver on every PC on the Sony network showed that they had compromised one of the most powerful accounts in the environment: pushing a change to the Windows configuration of every computer requires domain-wide administrative rights.
Once those rights are held, the technique itself is trivial for an insider with valid network credentials and only incrementally harder for an external actor.
Ford says, "I do not believe this data point is a useful indicator identifying an external or internal actor. The police likely have additional information which is leading them to believe the credentials were stolen."
"Gaining administrator credentials is one of the most sought after tactics by attackers because it enables them to access nearly anything they desire and it enables them to impersonate a valid user on the network, evade detection and stay on the network for days, months or even years."
"Identifying bad actors on the network, quickly, will be a key area of investment for organisations' networks in the coming years."
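The two observations above, that a change landing on every machine implies a highly privileged account, and that such an account lets an attacker blend in as a valid user, suggest the kind of check a defender can run over Windows Security logs. The following detector is an added example written for this page; it is not Rapid7's code and is not based on any Sony data. The events are constructed records shaped like Windows event 4624 (account logon) and 4672 (special privileges assigned to a new logon), joined by logon ID, and it assumes the logs of every host are collected centrally. It learns which hosts each privileged account is normally used from, then flags a privileged logon from a host outside that baseline and an account that opens privileged sessions on many distinct hosts within a few minutes, the footprint a mass push over SMB or WMI would leave. A change delivered through Group Policy would instead show up as a single logon to a domain controller followed by directory object modifications, so the fan-out rule is one signal, not a complete answer.

```python
"""Flag privileged Windows logons that break an account's usual pattern.

Added example, not from the original article or from Rapid7. All event
records below are constructed for illustration (hypothetical hosts and
account names); real input would be a SIEM export of Security-log events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. 4624 carries the account, logon ID, source host
# and logon type; 4672 carries only the account and logon ID, so the two are
# joined on logon_id exactly as they would be in the real Security log.
EVENTS = [
    # Normal weeks: the admin account is used from two admin jump hosts only.
    {"ts": "2014-11-17T09:02:11", "id": 4624, "user": "svc-admin", "logon_id": "0x1a1", "host": "ADMIN-JUMP1", "logon_type": 10},
    {"ts": "2014-11-17T09:02:11", "id": 4672, "user": "svc-admin", "logon_id": "0x1a1"},
    {"ts": "2014-11-18T14:30:05", "id": 4624, "user": "svc-admin", "logon_id": "0x1b7", "host": "ADMIN-JUMP2", "logon_type": 10},
    {"ts": "2014-11-18T14:30:05", "id": 4672, "user": "svc-admin", "logon_id": "0x1b7"},
    # An ordinary user: no 4672 follows, so this never becomes a privileged session.
    {"ts": "2014-11-19T08:15:40", "id": 4624, "user": "jdoe", "logon_id": "0x1c2", "host": "WS-0042", "logon_type": 2},
]
# Incident day (constructed): the same admin account opens network logons
# (type 3) on a dozen workstations within minutes.
for _i in range(12):
    _lid = f"0x2{_i:02x}"
    _ts = (datetime(2014, 11, 24, 3, 0, 0) + timedelta(seconds=20 * _i)).isoformat()
    EVENTS.append({"ts": _ts, "id": 4624, "user": "svc-admin", "logon_id": _lid, "host": f"WS-{_i:04d}", "logon_type": 3})
    EVENTS.append({"ts": _ts, "id": 4672, "user": "svc-admin", "logon_id": _lid})

# Everything before this point is treated as known-good history.
BASELINE_END = datetime(2014, 11, 20)


def privileged_sessions(events):
    """Join each 4672 to its 4624 by logon ID.

    Returns a time-ordered list of (timestamp, user, host, logon_type) for
    every logon that was granted admin-level privileges.
    """
    logons = {e["logon_id"]: e for e in events if e["id"] == 4624}
    sessions = []
    for e in events:
        if e["id"] != 4672:
            continue
        logon = logons.get(e["logon_id"])
        if logon is None:
            continue  # 4672 with no matching 4624: a collection gap, worth its own alert
        sessions.append((datetime.fromisoformat(logon["ts"]), logon["user"],
                         logon["host"], logon["logon_type"]))
    return sorted(sessions)


def build_baseline(sessions, until):
    """Map each privileged account to the hosts it was used from before `until`."""
    baseline = defaultdict(set)
    for ts, user, host, _ in sessions:
        if ts < until:
            baseline[user].add(host)
    return baseline


def detect(sessions, baseline, window=timedelta(minutes=10), max_hosts=5):
    """Return alerts for privileged logons that break the baseline.

    "new_host": privileged session from a host the account has not used before.
    "fan_out":  one account holding privileged sessions on more than `max_hosts`
                distinct hosts inside `window`; raised once per account.
    """
    alerts = []
    recent = defaultdict(list)   # user -> [(ts, host)] seen so far
    fanned = set()               # accounts already reported for fan-out
    for ts, user, host, logon_type in sessions:
        if host not in baseline.get(user, set()):
            alerts.append(("new_host", user, host, logon_type, ts.isoformat()))
        recent[user].append((ts, host))
        hosts_in_window = {h for t, h in recent[user] if ts - t <= window}
        if len(hosts_in_window) > max_hosts and user not in fanned:
            fanned.add(user)
            alerts.append(("fan_out", user, len(hosts_in_window), ts.isoformat()))
    return alerts


if __name__ == "__main__":
    sessions = privileged_sessions(EVENTS)
    baseline = build_baseline(sessions, BASELINE_END)
    for alert in detect(sessions, baseline):
        print(alert)
```

Run as written it prints twelve `new_host` alerts, one per workstation the admin account had never touched before, and a single `fan_out` alert at the moment the sixth distinct host appears inside the ten-minute window. The thresholds are deliberately low for the sample; in production they are tuned per account class, and jump hosts and patch-management servers that legitimately touch many machines are whitelisted in the baseline rather than exempted from the rule.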
Looking at the Sony breach in general, Ford also commented: "The Sony breach ends a year that has been dominated by high profile breaches – it’s a year since the Target breach was disclosed. I think the key lesson for all of us is that we must prioritize business continuity planning that includes the cyber security risk profile of our organisations."
"The Sony breach is dramatically different than the mega breaches that have come before it such as Target and Home Depot. It’s a reminder that attackers come in many forms and with many motivations."
"An attacker may not be driven by monetary gain as Target and Home Depot attackers appear to have been; they may seek to exact retribution, embarrassment, defacement or damage. When you consider risk and continuity for your organisation, it’s important to note that attackers are not only seeking the theft of credit cards."
"Companies have a lot more sensitive and valuable data than just credit cards and financial information, and there is potentially a very high cost to the business of the loss of intellectual property and other trade secrets, internal communications, and employee and customer personal information.
"We must also be mindful that attackers may not steal information at all and may instead focus on destruction, which could be just as disruptive to your business. The bottom line is that any business could be a target and you must fully assess what you have that might be valuable, and try to understand why you might be attacked. You need to have a plan to mitigate not just theft, but destructive attacks as well."