While cyber attacks by nation-state adversaries have been taking place for years, in 2014 it became abundantly clear that every company—no matter the industry—is a potential target. The Sony breach was a wake-up call for all organizations: if you have valuable information, you are a target.
CrowdStrike is part of a new wave of cybersecurity companies that view security from a different perspective. Traditional security models focus on guarding the “perimeter” in an “us vs. them” strategy, and deploying malware tools intended to identify and block specific attacks that are already known. CrowdStrike flips it around. CrowdStrike’s tagline is “You don’t have a malware problem, you have an adversary problem.”
CrowdStrike’s intelligence team had been tracking the adversaries who had infiltrated Sony for years and was able to analyze the wiper malware used in the Sony breach and tie it back to previous destructive attacks conducted against South Korea going back to 2009. I had a chance to chat with Dmitri Alperovitch, co-founder and CTO of CrowdStrike, about what they discovered.
I put our conversation together in the form of a Q&A. I’m TB (Tony Bradley), and Dmitri is DA (Dmitri Alperovitch):
TB: Could the attack on Sony have been prevented?
DA: Once a network has been breached, the adversary often spends weeks or months studying, exploring, and stealing useful data (including administrator credentials) in order to provide them with a comprehensive understanding of the network and ability to move around freely and stealthily. In the recent Sony hack, the adversaries embedded their custom malware with a hard-coded list of machines as well as credentials for administrators in the environment, which implies that there was a significant reconnaissance period before the initiation of the actual destructive attack itself. To combat a sophisticated adversary you must have the right security tools to detect reconnaissance behaviors such as credential theft and lateral movement, giving you ample time to spot the attacker long before they can steal your data or wreak havoc on your network.
TB: What can be done beyond the reconnaissance stage of an attack?
DA: In the case of Sony, once the adversary succeeded in stealing administrative credentials, it became increasingly difficult to prevent the attack since at that point they could adopt the identity of any insider—and an administrator at that—and do the type of things that administrators typically do when they manage their network. If you don’t have the right types of detection tools on your network, sophisticated adversaries can within hours achieve their objective of obtaining the highest level of access on your network and proceed to implant themselves in it for the long haul.
The bottom line here is that you need to prevent the theft of credentials that are the necessary ingredient for lateral movement within your company. There are numerous password stealing tools freely available on the Internet, such as mimikatz and Windows Credential Editor, that are built specifically for that purpose and it’s also very easy to write your own tool from scratch that will be undetected by AV as well as Indicator of Compromise (IOC)-based detection technologies. However, if you focus on detecting the Indicators of Attack (IOAs) that describe the patterns of activity that an adversary has to take to steal credentials from memory, registry or disk, you can identify and stop the adversary in their tracks and prevent them from gaining easy access to other systems within the network.
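The answer above contrasts IOC matching (a known hash or tool name) with IOA detection (the sequence of behaviors any credential theft has to perform). The following is an added example, not CrowdStrike's or Sony's code, of what a minimal IOA correlator looks like: it joins a process opening LSASS memory (Sysmon Event ID 10, ProcessAccess) with the host then authenticating to several other machines under one account within a short window (Windows Security Event ID 4624, network logon), which is the lateral movement that stolen credentials enable. The LSASS allowlist, the sensor path and every event in `SAMPLE_EVENTS` are constructed for the demo; the field names follow the Sysmon and Security log schemas.

```python
"""Added example, not CrowdStrike code: a small IOA correlator that chains the
two behaviours the answer names, credential theft from memory and the lateral
movement it enables. Field names follow Sysmon (Event ID 10, ProcessAccess)
and the Windows Security log (Event ID 4624, network logon); the events below
are constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical allowlist of processes that legitimately open LSASS on this fleet.
LSASS_ALLOWLIST = {
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
    r"C:\Program Files\ExampleEDR\sensor.exe",
}
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory


@dataclass(frozen=True)
class Alert:
    host: str          # workstation where LSASS was read
    account: str       # account later used for fan-out logons
    source_image: str  # process that opened LSASS
    targets: tuple     # hosts it authenticated to inside the window


def _ts(s):
    return datetime.fromisoformat(s)


def lsass_reads(events):
    """Yield (host, time, image) for non-allowlisted LSASS handle opens with VM_READ."""
    for e in events:
        if e.get("EventID") != 10:
            continue
        if not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        if e["SourceImage"] in LSASS_ALLOWLIST:
            continue
        if int(e["GrantedAccess"], 16) & PROCESS_VM_READ:
            yield e["Computer"], _ts(e["UtcTime"]), e["SourceImage"]


def correlate(events, window=timedelta(minutes=30), min_targets=3):
    """Alert when an LSASS read on host H is followed, within `window`, by
    network logons from H to at least `min_targets` other hosts with one account."""
    by_source = defaultdict(list)  # WorkstationName -> [(time, account, target host)]
    for e in events:
        if e.get("EventID") == 4624 and e["LogonType"] == 3:
            by_source[e["WorkstationName"]].append(
                (_ts(e["UtcTime"]), e["TargetUserName"], e["Computer"]))
    alerts = []
    for host, t0, image in lsass_reads(events):
        per_account = defaultdict(set)
        for t, account, target in by_source.get(host, []):
            if t0 <= t <= t0 + window and target != host:
                per_account[account].add(target)
        for account, targets in sorted(per_account.items()):
            if len(targets) >= min_targets:
                alerts.append(Alert(host, account, image, tuple(sorted(targets))))
    return alerts


def _logon(time, target, account, source):
    return {"EventID": 4624, "UtcTime": time, "Computer": target, "LogonType": 3,
            "TargetUserName": account, "WorkstationName": source}


# Constructed telemetry: one suspicious LSASS read on WS01, then svc_admin logs
# on from WS01 to three servers; an allowlisted LSASS open and an unrelated
# logon from WS02 are included as benign noise.
SAMPLE_EVENTS = [
    {"EventID": 10, "UtcTime": "2014-11-24 02:00:00", "Computer": "WS01",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "UtcTime": "2014-11-24 02:01:30", "Computer": "WS01",
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\unknown.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    _logon("2014-11-24 02:05:00", "FS01", "svc_admin", "WS01"),
    _logon("2014-11-24 02:09:00", "FS02", "svc_admin", "WS01"),
    _logon("2014-11-24 02:12:00", "DC01", "svc_admin", "WS01"),
    _logon("2014-11-24 02:10:00", "FS01", "bob", "WS02"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[IOA] {a.host}: {a.source_image} read LSASS, then {a.account} "
              f"logged on to {', '.join(a.targets)}")
```

Note that neither rule on its own is an IOC: nothing here keys on a tool name or hash, so a home-grown dumper that AV never saw still trips the correlation, while the allowlist and the fan-out threshold keep routine administration from alerting. On a real fleet the allowlist has to be built from observed baseline telemetry rather than guessed.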
TB: What can you do to protect your data when the adversary has a goal of network destruction?
DA: Once all the information is gathered by the adversaries and all targeted accounts have been pilfered, they will move on to the ‘action on objective’ phase of their attack, which can include anything from theft of intellectual property, personally identifiable information, trade secrets, financial information, etc. In some cases, however, theft of data is not the only goal.
In the Sony case, after the adversaries had taken all the information they sought, they dropped a wiper malware payload onto the network, which deleted data from hard drives and overwrote the boot sectors to prevent the machines from booting. In fact, they used government standard algorithms for secure overwriting and deletion of data to wipe the hard drives and make it impossible for even a sophisticated forensics team to recover the data.
Leveraging a next-generation endpoint security solution is really the best way to protect your data at this stage of the attack. There are numerous ways that adversaries can use to hide themselves on systems and encrypt their data exfiltration paths. However, an IOA-based endpoint security technology will provide you with visibility into every execution action that is taking place on the system as well as insight into files that are being accessed prior to any sort of encryption being applied by the attacker.
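The two answers above describe the destructive phase (a wiper deleting files and overwriting boot sectors) and the kind of per-execution, per-file visibility an IOA-based endpoint sensor gives a defender. The following is an added example, not CrowdStrike's or any vendor's code, of two behavioural rules a defender could run over that telemetry: a sliding-window check for one process deleting many files across many directories, and a check for a non-allowlisted process opening a raw physical drive or volume device. The `Action`/`Path` event schema, the allowlist and every event in `SAMPLE_EVENTS` are constructed for the demo; real sensors name these fields differently.

```python
"""Added example, not CrowdStrike code: behavioural checks over per-process
file telemetry for the destructive phase. The event schema (Action/Path
fields) and every sample event are constructed for the demo.
  - burst_delete: one process deletes many files across many directories in a
    short window, the wiper pattern described above;
  - raw_device_open: a non-allowlisted process opens a physical drive or
    volume device, a prerequisite for overwriting boot sectors.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath

RAW_DEVICE_PREFIXES = (r"\\.\PhysicalDrive", r"\\.\Harddisk", r"\\.\C:")
# Hypothetical allowlist: backup / VSS components that legitimately open volumes.
RAW_DEVICE_ALLOWLIST = {r"C:\Windows\System32\vssvc.exe",
                        r"C:\Program Files\ExampleBackup\agent.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    image: str
    detail: str


def _ts(s):
    return datetime.fromisoformat(s)


def raw_device_findings(events):
    """Flag raw device/volume opens by processes outside the allowlist."""
    return [Finding("raw_device_open", e["Computer"], e["Image"], e["Path"])
            for e in events
            if e["Action"] == "RawDeviceOpen"
            and e["Path"].startswith(RAW_DEVICE_PREFIXES)
            and e["Image"] not in RAW_DEVICE_ALLOWLIST]


def burst_delete_findings(events, window=timedelta(seconds=60), min_files=50, min_dirs=5):
    """Sliding window per process: fire once when deletes in the window reach
    `min_files` spread over at least `min_dirs` distinct directories."""
    per_proc = defaultdict(list)
    for e in events:
        if e["Action"] == "FileDelete":
            key = (e["Computer"], e["ProcessId"], e["Image"])
            per_proc[key].append((_ts(e["UtcTime"]), e["Path"]))
    out = []
    for (host, pid, image), deletes in per_proc.items():
        deletes.sort()
        win = deque()
        for t, path in deletes:
            win.append((t, path))
            while t - win[0][0] > window:       # drop deletes older than the window
                win.popleft()
            dirs = {ntpath.dirname(p) for _, p in win}
            if len(win) >= min_files and len(dirs) >= min_dirs:
                out.append(Finding("burst_delete", host, image,
                                   f"pid {pid}: {len(win)} deletes across {len(dirs)} "
                                   f"directories within {int(window.total_seconds())}s"))
                break
    return out


def detect(events):
    return raw_device_findings(events) + burst_delete_findings(events)


def _constructed_events():
    base = datetime(2014, 11, 24, 2, 30, 0)
    host, wiper = "WS01", r"C:\Windows\Temp\unknown.exe"
    dirs = [r"C:\Users\alice\Documents", r"C:\Users\alice\Desktop", r"C:\Shares\Finance",
            r"C:\Shares\Legal", r"C:\Projects\src", r"C:\Backups"]
    ev = []
    for i in range(60):   # 60 deletes in 60 s, round-robin over six directories
        ev.append({"UtcTime": (base + timedelta(seconds=i)).isoformat(sep=" "), "Computer": host,
                   "ProcessId": 4242, "Image": wiper, "Action": "FileDelete",
                   "Path": ntpath.join(dirs[i % len(dirs)], f"file{i}.docx")})
    for i in range(20):   # benign: a build tool cleaning one directory over ten minutes
        ev.append({"UtcTime": (base + timedelta(seconds=30 * i)).isoformat(sep=" "), "Computer": host,
                   "ProcessId": 1337, "Image": r"C:\Tools\make.exe", "Action": "FileDelete",
                   "Path": ntpath.join(r"C:\Projects\build\obj", f"unit{i}.obj")})
    ev.append({"UtcTime": "2014-11-24 02:31:05", "Computer": host, "ProcessId": 4242,
               "Image": wiper, "Action": "RawDeviceOpen", "Path": r"\\.\PhysicalDrive0"})
    ev.append({"UtcTime": "2014-11-24 02:31:10", "Computer": host, "ProcessId": 900,
               "Image": r"C:\Windows\System32\vssvc.exe", "Action": "RawDeviceOpen",
               "Path": r"\\.\C:"})
    return ev


SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host} {f.image}: {f.detail}")
```

The value of rules like these is that they fire on the first burst rather than after the wipe completes, which is the only point at which the data is still recoverable. The thresholds (50 files, 5 directories, 60 seconds) are placeholders; tune them against the fleet's normal build, backup and cleanup activity, and treat the raw-device rule as high-confidence because few legitimate user-mode programs ever open a physical drive.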