Interview with Stephen Gates, Chief Research Intelligence Analyst for Zenedge
How could hackers have gotten into the HBO network? How long would this hack have taken? Do you think this is a trend that we’ll continue to see in the entertainment industry (e.g. Sony/Netflix hack)?
SG: The likelihood that hackers gained access to HBO’s network through a phishing attack is highly probable. It seems no matter how much we train employees to not fall prey to phishing attempts, they still click, open, or take some sort of action that unlocks the doorway for hackers. Once hackers are in the network through an infected computer, it can take days, weeks, or even months to search through the network to find what they are looking for.
A phish happens in a matter of seconds, but once the door has been opened, hackers can remain resident inside of networks for months or even longer without being detected, which appears to be the case for HBO.
I do believe this trend will continue in the entertainment industry, since so much money is at stake. These scripts and shows are of extraordinary value to organizations like Sony, Netflix, and HBO. Hackers know that and have attacked accordingly. Unlike many smaller companies, these networks have the money to pay when hackers come calling and they may be tempted to pay a significant amount of ransom if it means keeping their shows from leaking.
Breaches and cyber-attacks make news headlines every day – major companies continue to fall victim to hackers. Why are they still consistently outwitted – given the breadth of cybersecurity technology that’s available today?
SG: In nearly every circumstance, hackers are motivated by money. That’s an extremely strong motivation and since this is the case, hackers are determined to develop new hacks, tools, malware, and other ways of making money from their activities. This is not about fun, this is simply about money, and often times there’s lots of money at stake.
Entertainment firms like Sony and HBO continue to face ransom demands because sometimes the protection they have in place is limited to their own network and simply isn’t enough! They have the budget and manpower to implement state-of-the-art cybersecurity technology and have large security teams, but the host of production vendors that they contract with may not have the same resources.
Take for example the Orange is the New Black leak. It wasn’t Netflix that was hacked, but post-production vendor Larson Studios that was breached. The attacker then demanded payment not from Larson, but from Netflix, who in the end was the one to pay the price for a breach that they could not control. As these incidents become commonplace, larger companies are going to have to start looking at the security practices of their partners and contractors, to remain safe. As a result, smaller vendors will start to realize that in order to remain viable options in their marketplace, their security needs to be just as strong.
Everyone knows that firewalls are not enough to stop hackers, who easily get around firewalls by way of phishing attacks. Once someone clicks, firewalls allow all malware to easily pass through, as a response to the click. Intrusion prevention and detection systems are only as good as their detection mechanisms that are enabled, and how they’re deployed. Plus, they cannot block malicious packets when they don’t have a matching signature. Sandboxes operate out of line and after the fact, meaning an infection may have already taken place, while the sandbox is trying to figure out what the infection was.
End-point security products that utilize signatures and hashes have been rendered nearly useless due to polymorphic malware that changes with every subsequent infection. SIEM solutions that touted an ability to intelligently chain together alert logs so that an operator would be able to piece together the steps taken during an attack, have not stood up to their claims, and are often seen as a technology that never fulfilled its promises. WAFs and anti-DDoS solutions are only valuable when they are deployed and maintained properly, instead of being on the security teams’ wish list. And no matter how good each of your security technologies are, if they are not configured and used properly, then they only leave you with a false sense of security.
Hackers understand and have likely used, configured, and found ways of breaching every security technology available to organizations today. Remember, hackers are experts at cybersecurity, not just experts at hacking.
What are some of the biggest holes that you’re seeing in network and application security strategies at large enterprises? What are the top exploits used by hackers?
SG: One of the biggest problems that I see daily is that leaders inside of organizations often believe it won’t happen to them. As a result, they try to “manage” their risk, instead of taking aggressive action and implementing approaches that will “eliminate” their risk. It’s often a financial balancing act for them.
Some of the top exploits used by hackers are directly targeted at the exposed applications, and the data that’s often behind them. Hackers want that data because of its value. There is no money to be made from simply infecting a computer. Instead, hackers must use that infection to get them closer to the data they want to steal and use it for monetary gain.
Can you name at least three actions that entertainment companies can take today, to ensure that they’re taking an offensive approach to their cybersecurity strategy? How can a hack like HBO’s be prevented at the network level?
- Ensure that the devices accessing private data on the inside, are not already compromised and being run remotely by hackers. Monitor every activity from every computer, smartphone, tablet etc. that has access to internal data.
- Always monitor paths in and out of your network, to ensure that only authorized transactions are taking place at your perimeters. When a hacker remains resident in a network, there must be some sort of communication going on between them and the infected internal computer they have access to. Most perimeter firewalls are configured with “Any, Any, Allow All” on their outbound policies. Lock down what’s leaving your network with good outbound firewall policies. Though crucial to a company’s overall security strategy, it’s always surprising to see how many organizations fail to monitor what’s leaving their networks.
- Encrypt and backup all data at rest and ensure that all data in transit is encrypted as well. If hackers gained access to highly-encrypted data, it would be nearly useless to them if they can’t crack the encryption algorithms. Any data that is not encrypted is open season for hackers.
- Begin to find ways of implementing “smart automation” into your security strategies. The best place to start is by automating exactly what users and devices have access to critical data as well as how/when they are allowed to access it. If this device or this user has no reason to gain access to critical data then put controls in place that automatically block their access, regardless of whether the device or user is located on the inside or outside of a network. In addition, select cyber defense vendors that have a “real” ability to implement supervised machine learning on their platforms and not just vendors who tout that it’s coming.
HBO reportedly paid $250,000 to the hackers. In the case of a ransom, what action do you recommend companies take? Do you recommend that they pay?
SG: It depends on the circumstances. In HBO’s case, the value of their data well exceeded the ransom they reportedly paid. When Stolen Data Ransom happens to highly valuable data, it may be best to pay when the stolen data is more valuable than the ransom itself. The losses incurred when an organization decides not to pay a ransom can be massive in some cases.
Ransomware on the other hand can be defeated by having good backup and restore procedures in place. Best not to pay here if your backup and restore procedures are proven effective.
The final is DDoS for Ransom. If you have DDoS defenses in place that you know will work, there is no reason to pay. If you don’t have DDoS defenses in place, you will have to evaluate what an outage will cost vs. the price of the ransom. Many anti-DDoS vendors make lots of money implementing emergency defenses. Best not to wait and get defenses in place now before you receive a threat of an outage.