Security leaders discuss implications as Sony investigates recent cyber attack

Earlier this week, it was reported that Sony is investigating a potential cyberattack. It is still unclear if the company’s whole system was accessed, however one hacker group is claiming they have successfully compromised all of Sony’s systems.

According to reports, the Ransomed.vc group published a message on their leak site that saying “we have successfully compromised all of Sony systems. We won’t ransom them! We will sell the data. Due to Sony not wanting to pay. DATA IS FOR SALE.”

In 2014, Sony Pictures Entertainment suffered one of the most public cybersecurity breaches in history. The data included employee personal information, copies of then-unreleased Sony films and more.

Here, security leaders discuss their thoughts on the most recent alleged attack and what lessons can be learned.

Nick Hyatt, cyber practice leader at Optiv:

Ransomware has been a dominant threat for many years now, and trends do not show any sign of it going away. It is important for companies to be proactive in their defensive stance. Ransomware gangs exploit common tactics, techniques and procedures (TTPs) to gain a foothold and deploy ransomware in corporate environments. These TTPs often exploit basic security failings. In many cases, these are social engineering tactics that exploit the human aspect of security — phishing emails, voice phishing (vishing), etc. Companies should conduct security awareness training with a focus on educating employees and rewarding identification of malicious actions. Being proactive against ransomware also involves being prepared in case of an incident — having a defined incident response (IR) team and plan is crucial — not just for ransomware, but security incidents in general. If a ransomware attack does occur, ensure all IR processes are followed and any reporting that needs to be done occurs.

Gareth Lindahl-Wise, CISO at Ontinue:

Initially, it is difficult to tell if the alleged breach is IP or customer data. Either way, this is straight forward extortion. I have been wondering for a while if we should rename Ransomware to Extortionware as it is often multi-faceted. The proposed “benefit” for the victim to cough up is to retain competitive advantage and investment (in the case of IP) or, in theory, avoid significant fines for breach of data privacy. I say in theory as, if it is PII, the breach has happened regardless if the information is returned. Most data regulators will not take “thieves honor” that data has not been sold on. Sony would remain under scrutiny for their underlying controls (or lack of) and the way they managed the incident.

Tim Davis, Vice President of Solution Consulting at DoControl:

Protecting against attacks like ransomware is very challenging as the attacker only has to find one avenue of entry and expansion, whereas the defenders have to protect all possible avenues of attack at all times. Given the challenges with 100% prevention, a “defense in depth” strategy to detect quickly and limit expansion of an attacker is absolutely critical. This type of detection and preventing propagation is very challenging in the cloud, where organizations do not own or control the infrastructure directly. Almost every organization could benefit from more focus on detecting anomalous activity in their IaaS, PaaS and SaaS offerings to get ahead of ransomware and other types of attacks that increasingly leverage cloud as an entry or escalation path. 

Darren Guccione, CEO and Co-Founder at Keeper Security:

Using the threat of GDPR fines is a compelling tactic that weaponizes a government regulation for a cybercriminal group’s benefit. On the surface, it is unusual, but not necessarily obtuse, for a ransomware group not to deploy ransomware as a primary attack vector. Cybercriminal groups utilize a host of attack vectors in order to extract monetary value or inflict operational damage against a target. GDPR fines are not to be taken lightly and can be very steep, noting that authorities can fine organizations up to €20 million or 4% of a company’s annual global revenue based on the seriousness of the breach and damages incurred. In this case, blackmail can be an effective method used to compel a victim to pay what would otherwise be a ransom – in order to prevent the disclosure of sensitive data.