
Post-attack analysis

I’ve been thinking about this breach over the past week, and there are several points that need discussion at Sony and at any of the other recently attacked companies:

  1. Analysis (breach)
  2. Fix (security)
  3. Review (Processes)
  4. Repair (Reputation)


That, in my opinion, is the order of priority. Obviously these processes partly run in parallel, especially as they involve different parts of the company.
Diagnosing what happened in a situation like this is one of the most challenging procedures an IT professional ever faces.
Primary Sources
The audits and logs normally used to track software or hardware faults can be next to useless after a security breach.
This is because one of an attacker’s first tasks is usually to cover their tracks, even to hide their presence on the compromised system. That does not make this data worthless: gaps and inconsistencies in the logs and services are themselves fingerprints of how the attack took place (a log that stops dead, a service restart nobody scheduled). Are the logs also shipped to a remote log server? That would preserve vital information. Remote logging cannot be hidden from an attacker who has access to a compromised system (the forwarding configuration is right there), but entries already shipped cannot be rewritten from that host, so the job becomes protecting the logging server itself: append-only storage, no logins from the hosts it collects from, and an alert when a source goes quiet.
Secondary Sources
What you are then doing is analysing the peripheral data. The firewall logs are a good source, but remember one thing: this is a system with 77 million registered users. That is a huge amount of data to sift through. And here is the awful crunch: logging enough data to conclusively reconstruct an attack (full connection records, let alone packet captures) can require more storage than the rest of the system put together, even if you only retain it for a short time.
In all probability IDS and even IPS systems were in place in the Sony environment. When they work effectively, these filter the network activity down (into offline logs) to suspicious activity or possible anomalies. Still a large amount of data, but orders of magnitude smaller.
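The kind of reduction an IDS performs, written out as an added example (this is not code from the original post or from Sony): a handful of constructed firewall log lines are parsed, sources that were denied on many distinct ports within a short window are flagged as probable scanners, and ALLOW entries to ports a host is not expected to serve are flagged as anomalies. The log format, the hosts, the addresses (RFC 5737 documentation ranges) and the hypothetical EXPECTED_PORTS policy are all assumptions made for the example; the point is that eleven raw events become two findings worth a human's time.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not real Sony data); RFC 5737 addresses.
SAMPLE_LOG = """\
2011-04-17T10:00:01Z ALLOW src=198.51.100.7 dst=10.0.0.12 dport=443 proto=tcp
2011-04-17T10:00:02Z DENY src=203.0.113.5 dst=10.0.0.12 dport=22 proto=tcp
2011-04-17T10:00:02Z DENY src=203.0.113.5 dst=10.0.0.12 dport=23 proto=tcp
2011-04-17T10:00:03Z DENY src=203.0.113.5 dst=10.0.0.12 dport=25 proto=tcp
2011-04-17T10:00:03Z DENY src=203.0.113.5 dst=10.0.0.12 dport=80 proto=tcp
2011-04-17T10:00:04Z DENY src=203.0.113.5 dst=10.0.0.12 dport=3306 proto=tcp
2011-04-17T10:00:05Z DENY src=203.0.113.5 dst=10.0.0.12 dport=3389 proto=tcp
2011-04-17T10:00:09Z ALLOW src=198.51.100.9 dst=10.0.0.12 dport=443 proto=tcp
2011-04-17T10:00:10Z DENY src=198.51.100.9 dst=10.0.0.12 dport=8080 proto=tcp
2011-04-17T10:05:00Z ALLOW src=203.0.113.5 dst=10.0.0.13 dport=3306 proto=tcp
2011-04-17T10:06:00Z ALLOW src=198.51.100.7 dst=10.0.0.12 dport=80 proto=tcp
"""

# Hypothetical policy: the ports each internal host is expected to serve.
EXPECTED_PORTS = {"10.0.0.12": {80, 443}, "10.0.0.13": set()}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_lines(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def find_scanners(events, window=timedelta(seconds=60), min_ports=5):
    """Sources denied on at least min_ports distinct ports inside a sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            by_src[e["src"]].append(e)
    scanners = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dport"] for e in evs[start:end + 1]}
            # keep the widest set of ports seen in any one window for this source
            if len(ports) >= min_ports and len(ports) > len(scanners.get(src, ())):
                scanners[src] = sorted(ports)
    return scanners


def find_unexpected_allows(events, expected_ports):
    """ALLOW entries to a destination port that host is not expected to serve."""
    hits = []
    for e in events:
        if e["action"] == "ALLOW" and e["dport"] not in expected_ports.get(e["dst"], set()):
            hits.append((e["ts"].isoformat(), e["src"], e["dst"], e["dport"]))
    return hits


def triage(text, expected_ports):
    """Reduce a raw log to the findings an analyst should look at first."""
    events = parse_lines(text)
    return {
        "total_events": len(events),
        "scanners": find_scanners(events),
        "unexpected_allows": find_unexpected_allows(events, expected_ports),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE_LOG, EXPECTED_PORTS))
```

On the sample above the scanner rule catches 203.0.113.5 walking six ports in four seconds, and the policy rule catches the later successful connection from that same address to a MySQL port on a host that should be serving nothing. Those two findings are what gets retained for the investigation; the ALLOWs to 80 and 443 are the bulk that can be aged out quickly.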
Tertiary Analysis
The data itself can quite often give immediate and direct clues. Comparison with backups and snapshots will at least reveal corruption and changes in the system. Integrity is vital at this point, as the attacker could easily have left hooks in the system. Indeed, detecting this with 100% certainty is nearly impossible if the underlying OS, hardware or system can no longer be trusted, for example if a rootkit has been left behind: the tool doing the comparison may itself be lied to, so the comparison should be run from known-good media against the disks mounted offline.
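What the comparison against a snapshot looks like in practice, as an added example that is not code from the original post: a manifest of SHA-256 digest, permission bits and size is built for every regular file under a tree, the same manifest is rebuilt after the fact, and the two are diffed into added, removed and modified files. The `demo()` function constructs a tiny hypothetical tree in a temporary directory and tampers with it the way an intruder might (a trojaned binary of identical size, a hidden SUID shell, a deleted file); in a real investigation the baseline would come from the pre-breach backup and the current manifest would be built from the compromised disks mounted read-only under a trusted boot, since on a live rootkitted host `os.walk` can be lied to.

```python
import hashlib
import os
import stat
import tempfile


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> (sha256, mode bits, size) for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are not hashed here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (hash_file(full), stat.S_IMODE(st.st_mode), st.st_size)
    return manifest


def compare_manifests(baseline, current):
    """Diff two manifests; 'modified' covers any change to content, mode or size."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
        # Content changed but size did not: a size- or timestamp-only check misses these.
        "same_size_but_changed": sorted(
            p for p in both
            if baseline[p][2] == current[p][2] and baseline[p][0] != current[p][0]
        ),
    }


def write(root, rel, data, mode=None):
    """Helper for the constructed scenario: write a file, creating parent directories."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    if mode is not None:
        os.chmod(full, mode)


def demo():
    """Constructed scenario (hypothetical files, not from any real system)."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/login", b"#!/bin/sh\nexec /sbin/real_login \"$@\"\n", 0o755)
        write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n", 0o644)
        write(root, "etc/motd", b"Authorised use only\n", 0o644)
        baseline = build_manifest(root)  # stands in for the pre-breach backup

        # Tampering: trojaned binary of the same size, hidden SUID shell, file deleted.
        write(root, "bin/login", b"#!/bin/sh\nexec /sbin/evil_login \"$@\"\n", 0o755)
        write(root, "bin/.shell", b"#!/bin/sh\nexec /bin/sh\n", 0o4755)
        os.remove(os.path.join(root, "etc/motd"))

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The `same_size_but_changed` bucket is the reason the manifest hashes content rather than trusting sizes or mtimes: `bin/login` keeps its length and its mode, and only the digest gives it away. Anything in `added` with a setuid bit, or in `modified` under a system binary path, is a hook of the kind the text warns about and should be treated as such before the system is rebuilt.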
Plugging the hole
At some point you must stop the analysis and start ensuring the renewed/updated system is strengthened at least to the point that the same attack cannot succeed again, and that no hooks have been left behind by the attacker allowing even quicker and easier access.
This is an excellent opportunity to seriously improve the environment. However, two pressures make this difficult: time and cost.
In a case as huge as Sony’s, cost is possibly discarded, but they need the system back up ASAP. That is exactly the kind of pressure the security team does not need as they work night and day to design a new model without requiring the product to be rewritten. After all, the significant flaw may be a fundamental issue in the product’s programming. That is the kind of fault that, in normal circumstances, would start a new versioning process, perhaps lasting months. So you end up asking the network and system teams to mitigate flaws at a layer outside their control so that a temporary fix can be put in place. Not good. Not good at all.
Responses and Procedures
A few things have rankled the PSN community during the current debacle: lack of action and lack of information.
From the announcements, the attacks appear to have been active for two days before they were detected, and it was another day before the system was disconnected. That is a dilemma for the system analyst: when to decide that an issue is so serious that the panic button must be hit.
Because the security team at Sony was distracted by Anonymous’s OpSony, they were unable to pick up the ball quickly on this more serious issue. They allowed all their resources to be diverted in one direction, something that happens in almost all IT departments. It is commonly called “all hands to the pumps”, using the analogy of a sinking ship.
Others have pointed out that Sony appear to have advertised for a security expert 20 minutes after dropping the PSN portcullis. This would imply they did not have the in-house skills to handle the incident. They employed several well-respected security companies to do external analysis and reviews, but that is just good practice. Not having an existing security expert, or at least a relationship they could call on rapidly, is a lack of foresight.
All of this indicates that management need to review process and procedure within Sony around IT and networking, and probably not just around breach management and security either.
Sony is a four letter word
All public companies rely on their name. Sony is a retail company, so you square this effect: customers and shareholders/markets. If you add in SOE (Sony Online Entertainment) then it is multiplied again by the content partners they work with.
So repairing the reputation of the company is essential.
I won’t go through the measures announced by Sony, but they are in the right direction. They are likely to survive, PSN too if they get the security fixed, provided these measures placate both markets and consumers.
But a lot of the repair will come from better problem and process management, and that can be hard to get across.
Taking the network down was the correct thing to do. Keeping it down while full analysis and fix take place is also the correct thing to do. But they must get it right when it is reconnected. A repeat would be a disaster.

Fix once, fix right.

The future?
Sony has a huge issue once you take the above into account: the attackers have the advantage. They only need one flaw in the security to ruin the company, whereas Sony has to think of every scenario in advance. Practically impossible. They should expect further attempts over the next few years, or indeed from now on and far more frequently.


About harlekwinblog

"Thoughts of an idle mind." Information Security professional.
