...from:
http://arstechnica.com/security/2014/12/unprecedented-cyberattack-no-excuse-for-sony-breach-pros-say/
“Unprecedented” cyberattack no excuse for Sony breach, pros say

If the security industry can’t save you, it will apologize for you.

The security company investigating the attack against Sony Pictures Entertainment has reportedly penned a letter that seemingly holds the entertainment firm blameless for the breach of its systems—a move that has opened up the investigating firm to criticism by security professionals.

The letter—to SPE’s CEO Michael Lynton from Kevin Mandia, the head of FireEye’s Mandiant, the incident response service the company hired to investigate the attack and restore its network—calls the attack “unprecedented in nature.” Mandia states that the attack would not have been detected by antivirus programs, and the attackers used non-standard strategies to cause damage to the company.

“In fact, the scope of this attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public,” Mandia states in the letter, which was leaked to media outlets. “The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.”

Yet, security professionals aren’t buying it. Within 24 hours, several security experts had criticized the statements and refuted Mandia’s characterization of the attacks.

“We have tremendous respect for Kevin Mandia and the team he’s assembled at FireEye’s Mandiant, but we completely disagree with the statement he made over the weekend,” Ken Levine, president and CEO of security service provider Digital Guardian, said in an e-mail sent to Ars. “He is clearly offering Sony the opportunity to hide behind the veil of advanced persistent threats.”

Another outspoken security researcher, known online as “the grugq,” likened the letter to the Catholic Church selling forgiveness to sinners in the Middle Ages. “TIL [today I learned] Mandiant sells indulgences,” he tweeted on Monday.

In some ways, Mandia’s argument reflects the current wisdom in the security industry that, “There are two types of companies: those that have been breached, and those that don’t know yet that they’ve been breached.” Yet even security professionals who accept that mantra do not concede that a successful compromise must lead to a significant breach, Levine told Ars.

“There is a lot of post-breach thinking,” he said. “What we are saying is, not that all breaches are preventable, but what the bad guys get from the breach is absolutely preventable.”

In the case of Sony Pictures, the attackers got quite a bit. The entertainment company has reportedly lost control of more than 100 terabytes of data, including unreleased movies, correspondence, contracts, and proprietary supplier, partner, and other industry-related information, without the company or its security measures detecting the breach. SPE’s security team’s inability to catch the attackers in the act of stealing so much data is a direct result of its lack of focus on security, according to a paper by security-services firm Thinkst outlining the lessons learned from the attack.

Thinkst points to a previous statement in 2007 by Sony’s executive director of information security that it had to focus on making cost-effective security decisions. While the executive, Jason Spaltro, maintained that the company had gone beyond requirements in many places, Thinkst characterized that mindset as focused on “minimum compliance.”

“That minimum compliance is the goal speaks volumes about Sony Pictures’ attitude towards the security of their data,” the company stated in its analysis. “Sony subsidiaries have fallen victim to tens of successful attacks in recent years, leading us to question the importance of security in the broader conglomerate.”

According to other analyses, the company has invested mostly in a top-heavy security team, which, together with the success of so many attacks, suggests to Thinkst that it is not adequately focused on security.

“What is abundantly clear from the attack is that Sony’s detection and response capabilities were about as poor as possible,” the company stated. “The public timeline of events implies that the intrusion was only discovered when the attackers moved from theft to destruction, announcing their presence bombastically with the altered desktop.”

Sony and FireEye declined to comment on the letter or any criticism of the letter.

When the details finally become clear, Levine believes that the overall picture will be of a familiar attack.

“The truth is, there is nothing new about what these attackers are doing,” he said. “They are using the same tactics they’ve used before to get inside these organizations—someone clicks on an attachment with malware and the malware sits and waits—and FireEye and/or other security products could have, should have caught this, especially given the volume of data that was stolen.”
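Both Thinkst's point that the intrusion was only noticed once the attackers turned destructive and Levine's point that the sheer volume of stolen data should have been caught come down to one control: watching how much each host sends out and to where. The following is an added example, not code from the article, Ars, Mandiant, Digital Guardian or Thinkst, of the simplest form of that check: per-host daily egress totals compared against a robust (median plus MAD) baseline built from that host's own earlier days, with an absolute floor so small hosts do not page anyone, and with the top destination reported so an analyst can see whether the bytes went to one place. The flow records, hostnames and addresses are constructed for the example (203.0.113.0/24 is a documentation range), and the thresholds are assumptions a real deployment would tune.

```python
"""Egress-volume anomaly check over constructed outbound flow records (added example)."""
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed records, not real Sony telemetry: "<ISO timestamp> <host> <dst_ip> <bytes_out>".
# Hosts and addresses are hypothetical. 'ws-17' behaves normally for five days, then
# pushes roughly 900 GB to a single external address overnight.
SAMPLE_FLOWS = """
2014-11-17T09:00:00Z ws-04 93.184.216.34 1200000000
2014-11-17T09:05:00Z ws-17 93.184.216.34 900000000
2014-11-17T13:00:00Z ws-17 198.51.100.10 600000000
2014-11-18T09:00:00Z ws-04 93.184.216.34 1100000000
2014-11-18T09:05:00Z ws-17 93.184.216.34 1300000000
2014-11-19T09:00:00Z ws-04 93.184.216.34 1400000000
2014-11-19T09:05:00Z ws-17 198.51.100.10 1000000000
2014-11-19T16:00:00Z ws-17 93.184.216.34 700000000
2014-11-20T09:00:00Z ws-04 93.184.216.34 1300000000
2014-11-20T09:05:00Z ws-17 93.184.216.34 1500000000
2014-11-21T09:00:00Z ws-04 93.184.216.34 1250000000
2014-11-21T09:05:00Z ws-17 93.184.216.34 1100000000
2014-11-22T02:00:00Z ws-04 93.184.216.34 1150000000
2014-11-22T02:10:00Z ws-17 203.0.113.77 400000000000
2014-11-22T03:40:00Z ws-17 203.0.113.77 500000000000
2014-11-22T09:05:00Z ws-17 93.184.216.34 1000000000
""".strip().splitlines()


def parse_flow(line):
    """Parse one record into (day, host, dst_ip, bytes_out)."""
    ts, host, dst, nbytes = line.split()
    day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
    return day, host, dst, int(nbytes)


def daily_egress(lines):
    """Aggregate bytes_out per host per day, and per host/day per destination."""
    per_day = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    per_dst = defaultdict(lambda: defaultdict(int))   # (host, day) -> dst -> bytes
    for line in lines:
        day, host, dst, nbytes = parse_flow(line)
        per_day[host][day] += nbytes
        per_dst[(host, day)][dst] += nbytes
    return per_day, per_dst


def robust_threshold(history, k=5.0):
    """Return (median, median + k * MAD) over a host's earlier daily totals.
    The MAD is floored at 10% of the median so a very regular host does not
    end up with a zero-width band that fires on ordinary jitter."""
    med = median(history)
    mad = median([abs(x - med) for x in history])
    return med, med + k * max(mad, 0.1 * med)


def egress_alerts(lines, day_iso, k=5.0, min_days=3, floor_bytes=5 * 10**9):
    """Flag hosts whose egress on day_iso exceeds both their own baseline and an
    absolute floor. Hosts with fewer than min_days of history are skipped here;
    in production they would go to a separate 'no baseline' queue."""
    day = date.fromisoformat(day_iso)
    per_day, per_dst = daily_egress(lines)
    alerts = []
    for host, totals in per_day.items():
        history = [b for d, b in totals.items() if d < day]
        today = totals.get(day, 0)
        if len(history) < min_days or today < floor_bytes:
            continue
        med, threshold = robust_threshold(history, k)
        if today <= threshold:
            continue
        dsts = per_dst[(host, day)]
        top_dst, top_bytes = max(dsts.items(), key=lambda kv: kv[1])
        alerts.append({
            "host": host, "day": day_iso, "bytes": today,
            "baseline_median": med, "threshold": threshold,
            "top_dst": top_dst, "top_dst_share": round(top_bytes / today, 3),
        })
    return alerts


if __name__ == "__main__":
    for alert in egress_alerts(SAMPLE_FLOWS, "2014-11-22"):
        print(alert)
```

On the constructed data the check is quiet through 2014-11-21 and fires once for ws-17 on 2014-11-22, with 99.9% of that day's bytes going to a single address. A per-day total is the coarsest useful window; the same logic runs per hour to catch a faster dump, and a low-and-slow exfiltration over weeks needs the baseline anchored to a fixed earlier period rather than a sliding one, or the attacker's traffic becomes the baseline.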