The fallout from the Sony Pictures hack was significant, costing the studio tens of millions of dollars. Terabytes of information was stolen, most of which ended up online. At least five films were made freely available via file-sharing websites. The theatrical release of “The Interview” was canceled. Scripts for unreleased movies were made public. Detailed personal employee information (e.g., employee salary information, medical information, employee performance reviews, social security numbers, etc.) of 6000 employees was leaked, resulting in Sony recently agreeing to an $8 million settlement. Employees were unable to use their computers for well over week after the hack was detected. Emails containing embarrassing exchanges between executives and producers were published, and the co-chairman was forced to step down.
The advanced, multi-stage attack on Sony gestated over a long period of time, with attackers gaining access to the Sony network as early as September 2014. As such, there was ample time to detect and likely prevent the destructive, headline grabbing attack that occurred months later. I’ll safely assume that Sony had traditional perimeter defenses and security monitoring in place, but these were proven ineffective against such advanced attacks. This is where user and entity behavior analytics (UEBA) could have helped, provided the right data sources were used.
UEBA uses advanced math (e.g., machine learning and statistical models) to baseline user and entity (e.g., a device) activities and detect anomalies. If it’s doing a good job, UEBA should also attribute maliciousness, if any, to the anomalies. Given the daily deluge of security alerts that analysts are currently subject to, generating yet another alert on something that is abnormal but not harmful just adds to the alert white noise. Being able to attribute maliciousness to anomalies is key to helping analysts focus on the threats that matter, but not all UEBA solutions can do so.
Data is the fuel that powers behavior analytics, with the types of data sources being especially important, as researchers recently discovered. In the Sony hack, attackers used the Destover malware, which uses timestamp stomping to manipulate timestamps (throwing off investigators) and log wipers to delete Windows logs (enabling it to erase its tracks as it moves laterally through corporate networks). Only a full forensic analysis would have revealed the log wiping, and hence the presence of an attack, but that takes time. It’s during this time that the Sony attackers remained undetected and exfiltrated terabytes of sensitive information.
UEBA that relies on log-only data would have been unable to detect this malicious activity. After all, in the Sony example, there would have been no relevant logs to analyze. For this situation, UEBA on packets could have surfaced the attack before the devastating actions of November 2014 – after all, the network doesn’t lie.
Consider this analogy. Humans need a balanced diet to maintain a healthy body. A carbohydrate-only diet will get you only so far, even if you vary the type of carbs consumed (i.e., bread, pasta, etc.). Only with a comprehensive diet that also includes proteins, dairy, fruits and vegetables will you be able to maintain a healthy body. Similarly, cyber defenses become more robust and efficient as their data source input (i.e., packets, network flows, logs, files, alerts, threat intelligence feeds) rises in completeness. The most accurate portrayal of threats or attacks is delivered when this comprehensive mix of data sources is available. Only then can there be consistent detection of the malicious activities that would otherwise go unnoticed.
That said, we don’t live in a perfect world, and it’s not always possible to provide cyber defenses with all desired data sources. A top-tier UEBA solution must be able to use any combination of available data to thwart attacks. So packets only; logs only; packets and logs; logs, alerts and threat intelligence feeds and so on. This is with the understanding that if UEBA has access to more of the right set of data sources, superior results can be achieved.
An added benefit to using a variety of data for the machine learning-based UEBA modules is comprehensive visibility. Additionally, if the UEBA solution also provides integrated layered forensics, storing not just packet data but also transaction level metadata, files, event details, etc., analysts can quickly perform complex threat hunting without having to search across multiple siloed systems, thereby reducing the dwell time during which an infection can spread.
Analyzing what Sony could have done differently is easy, given that hindsight is 20/20. User and entity behavior analytics is something to be considered for strengthening your cyber defenses, as multistage attacks are becoming the norm. But with a number of in-market UEBA solutions all supposedly doing the same thing, making the right decision can be tough. The new 5 Step Security Analytics Evaluation Guide (which includes a handy checklist) will help you learn how to compare different security solutions and their capabilities to find the best solution for combating these advanced attacks and preventing the exfiltration of sensitive information.