In the weeks that have passed since the well-publicized Sony breach I have been asked the same question dozens of times, ‘could eSentire’s services have prevented this breach?’ I should say eSentire does not have all the details about this particular breach and we are relying on recent comments issued by FBI Director James Comey and Sony’s own CEO to give us insight to make a determination. In short, the answer is that there is a high probability that the type of threat Sony experienced would have been detected and contained had continuous monitoring like that provided by eSentire, been employed.
Regardless of how the threat actors (or hackers), gained initial network entry access, the resulting breach actually would’ve taken several weeks to achieve, not days. The combination of state-of-the-art detection technologies and human monitoring – the core premise of Active Threat Protection – would have immediately flagged inconsistencies associated with the attack.
When a breach of this level occurs there are several red flags that arise before the damage is done. The key to preventing a serious breach is to identify the significance of those red flags and actively mitigate the harm. Here are some examples of the inconsistencies that should have set off alarm bells:
1. Numerous external connections using non-company proxy servers (eSentire Solution: Network Interceptor™ to identify the connection attempts and Asset Manager Protect and Country Killer to recognize blacklisted IP addresses).
2. Lateral movement within the network originated from different hosts (eSentire Solution: Network Interceptor™ and Host Interceptor).
3. For exploit deployment, numerous payload drops would have to occur (eSentire Solution: Active Forensics, Network Interceptor™ and Executioner).
4. Changes in logging, as privileges were escalated to gather the necessary data to extract (eSentire Solution: Log Sentry™).
5. Finally, Active Threat Protection would have caught and alerted a threat analysis as a result of the 100 TB data exfiltration, as described by Sony’s CEO (eSentire Solution: Active Forensics and Network Interceptor™).
In the world of Active Threat Protection, we act on each of these signals immediately. The elements of this attack are what we detect and block everyday. Intricate attacks such as these are becoming commonplace – so much so that leading analyst firm Gartner Research published a best practices framework (in 2014) to help organizations defend against and mitigate against these kinds of targeted attacks.
As we have seen with the case of Sony, the clean up work involved after a breach has occurred is far more complex and expensive than the preventative measures available to stop and prevent this level of damage.
Without forensic-level network traffic at your disposal, the job of tracking down the culprits and retrieving data is immeasurably more difficult – approaching impossible. In hindsight it is easy to say, “I should have used a working fire alarm,” after you’ve experienced a house fire. In the same way, we don’t want a business to find out too late that they could have had protection measures in place to protect their high value assets.
When we revisit the question of whether Active Threat Protection would help to prevent a breach like Sony’s, the answer is that every indicator points to yes.