Are we missing the big picture, again, in the fervor around the Sony hack?
It makes a great scene, you can picture it in a movie: Employees showing up on Monday unable to log in or begin their day due to the flashing skull on their monitors. Frenzied white-collar workers rushing to secure pen and paper and lining up to use the fax machine. An escalation of damage as a puzzlingly worded extortion threat manifests as leaked sensitive internal information, then as deleted and lost data, and finally as the loss of the crown jewels themselves – DVD-quality rips of yet-to-be-released movies.
Despite the initial novelty, however, the industry and pundits reacted in a depressingly familiar fashion: victim shaming, an over-focus on malware, and an overall failure to look at the attack process and the attackers' goals as opposed to specific events of the attack. And we've failed to reflect on why this keeps happening.
After the last few years of ever-larger data breaches, it is disappointing that victim shaming is still so prevalent. By now, we should realize that this could happen to any of us, and immediately blaming the target for insufficient security benefits no one. Yet, as an industry and society we continue to blame the victim. Maybe it makes it easier for us to shrug off the risks we face with the standard dodge: “That could never happen to us...”
Meanwhile, the FBI is rushing out flash notices warning U.S. companies of new malware that is more damaging than what we've typically seen before. It isn't exactly as if wiping Master Boot Records (MBRs) or overwriting data for secure deletion is cutting-edge technology.
It is unlikely that adding yet one more signature to our vast list of malicious executables will make a difference. These attackers clearly spent time in the network: they penetrated, spread, stole data, exfiltrated, and infected on the way (perhaps even using the infection solely to inflict damage and not necessarily as the means of penetration). They probably would have made sure that whatever damage they planned to inflict wouldn't immediately be flagged and prevented by the resident anti-virus systems. Yet, as an industry we continue to focus only on the malware itself, the mere technical artifact of the attack.
Did malware identify that employee payment information, severance packages and even planned terminations were juicy and newsworthy when leaked? Did malware promise that more would be leaked, and ask reporters to request anything of interest? Did malware post Sony's movies to file sharing servers?
Of course not; the attacker(s) did, because in this case their goals appear to be to inflict much more direct and immediate damage than is typical of the more common, financially motivated hacks.
So, should we rush out signatures for this latest version of malware, or should we take a step back and figure out how to focus our technology and security operations around identifying attackers that are active in our systems – before they wreak such havoc?