(Updated 12/9/14 11:15AM to reflect FBI announcement of North Korean attribution)
There has been a great deal of “cyber saber rattling” in response to North Korea allegedly being connected to the recent Sony Pictures Entertainment breach. The FBI tied attribution to North Korea this afternoon; however, I feel the evidence provided is still lacking, and I am hoping additional data will be provided regarding the attribution.
Some have called for the U.S. to initiate a “strong response” to North Korea if there is a connection, such as sanctions, a counter-cyber-attack or worse. This type of talk is concerning, due to the lack of knowledge related to attack attribution by those clamoring for retaliation. Determining who is to blame with any level of certainty usually takes a long time, if it is determined at all, particularly when the actors provide only vague clues as to their motivations or their origins. All of the attribution points at this stage are circumstantial and are machine indicators, with nothing linked to specific actors/people, at least based on evidence provided to the security industry.
Shades of Black Hat
I am personally still not completely convinced that North Korea is solely behind the attack. Another possibility could be a false flag. The fact that parts of the malware had Korean language settings, and possibly connected to an IP in North Korea (as well as several other countries), would be an amateurish mistake for an APT-level attack. However, if the artifacts pointing to North Korea were implemented on purpose, it could be a sign of sophistication in an attempt to divert attention from the real attackers.
The FBI indicates that the same malware and infrastructure used in the Sony attack were also used in an earlier attack against South Korean banks and media. If this was really North Korea, it calls into question the actual sophistication of the attack.
It would also be useful to know who the anonymous U.S. officials speaking to the media regarding the North Korean connection are. Cybersecurity has become an increasingly political topic thanks to recent NSA revelations and increased defense spending being allocated to cyber defense (and offense), not to mention issues of pirating, net neutrality, privacy and related topics, all of which the Sony breach touches on.
The Best Offense Is A Good Defense
Instead of going on the offensive, I believe the better option for the U.S. is to focus on defense. It has become clear that Sony Pictures Entertainment had inadequate security policies and controls in place at the time of the breach. Businesses need to start taking some responsibility for implementing better security, not just for their own business, but for the impact it has on their community and nation as a whole.
We are all in this together – government, retail, industrial, financial, entertainment and media. An attack on one is an attack on us all. Every retail breach further degrades consumer confidence; every compromise of news websites enables propaganda to instill fear; defense contractors and technology companies are breached constantly, draining intellectual property and degrading our defenses and economy. It no longer takes nation-state-level resources to initiate APT-level attacks against organizations. The tools and motivation of a small group with malicious intent can have a significant impact.
It will take a grassroots effort and stronger collaboration with business and government, which is already happening. Companies need to adopt strong security frameworks such as NIST 800-53, which, although an authoritative security control catalog for government, is also a free resource for private business. In this day and age, there is no excuse for not having mature security policies and controls in place, as there are numerous frameworks and best practices to follow and implement.
Any organization that says they cannot afford security should look at the cost of a breach: the loss of intellectual property, legal fees, loss of trust, damage to employees. All of this should be evaluated not only with regard to how it impacts the bottom line, but also how it impacts the broader industry, economy and community you serve.
The Sony breach, as well as the number of other mega breaches we have seen this year, should serve as a wake-up call to businesses and governments alike.