Sony hack highlights importance of breach analysis

Determining the scope of a breach can be a huge challenge for enterprises without the right tools and data


Commercial and open-source tools are available that allow companies to do full packet capture of all traffic on a network for future analysis.

Other technologies, from companies such as NetWitness and Solera Networks, allow companies to record and store every single network event, and then to replay them back in DVR-like fashion if needed.

Although such tools can give companies invaluable insight into security incidents such as the one that hit Sony this week, they are relatively expensive and only now beginning to get deployed in significant numbers.

A lot of times, companies also become stymied in their investigation of a breach because of the initial manner in which they react to its discovery, said David Amsler, president and CIO of Foreground Security.

It's not unusual for enterprises that discover a breach to get into a panic and start immediately shutting down systems and unplugging them from the Internet. One example is Oak Ridge National Laboratory, which quickly shut down its email systems and disconnected itself from the Internet after discovering intruders in its network earlier this month.

Such measures can be critical in preventing data theft, but they can also make it harder to determine what happened, Amsler said. Oak Ridge, for instance, is still without Internet access nearly two weeks after it pulled the plug on it.

Often, those behind such intrusions have already established a presence deep inside the network by the time their intrusion is discovered. When a company takes actions that indicate that the intrusion has been detected, that typically causes the attackers to take measures to erase their tracks, including wiping logs clean, altering time stamps and going even deeper into hiding, Amsler said.

"Many times, victims don't even know what data was breached because the artifacts from the breach are encrypted and password-protected" by the time the intrusion is detected, said Marcus Carey, community manager at security vendor Rapid7.

In many cases, attackers take control of multiple systems and multiple accounts once they get into a network. They can drop multiple malware packets, each carrying a different payload. They also often disguise themselves to appear as legitimate users on the network and often delete log files or put in fake logs to throw administrators off their trail.
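As an added illustration of the log tampering described above (not code from the article or from any vendor it names), the Python below checks a log copy read back from a host for two of the indicators just mentioned, deleted entries and rewritten timestamps, and compares it against the copy that was streamed to a remote collector before the intrusion was detected. The line format, the sequence numbers, the hash chain and the sample lines are constructed assumptions for the example.

```python
import hashlib
import re
from datetime import datetime

# Constructed sample: the log as it was streamed to a remote collector at the
# time of the events (the trusted copy) ...
COLLECTOR_COPY = [
    "seq=101 2024-05-01T09:00:01Z host1 sshd: Accepted publickey for admin",
    "seq=102 2024-05-01T09:00:07Z host1 sudo: admin : COMMAND=/bin/ls",
    "seq=103 2024-05-01T09:00:09Z host1 sshd: Failed password for root",
    "seq=104 2024-05-01T09:00:12Z host1 sshd: Accepted password for root",
    "seq=105 2024-05-01T09:02:15Z host1 cron: session opened",
]
# ... and the same log read back from the host after the intrusion: one line
# deleted, one timestamp rewritten to make the event look earlier.
HOST_COPY = [
    "seq=101 2024-05-01T09:00:01Z host1 sshd: Accepted publickey for admin",
    "seq=102 2024-05-01T09:00:07Z host1 sudo: admin : COMMAND=/bin/ls",
    "seq=104 2024-05-01T08:59:30Z host1 sshd: Accepted password for root",
    "seq=105 2024-05-01T09:02:15Z host1 cron: session opened",
]
# Assumed line layout: a per-host sequence number, then an ISO-8601 UTC timestamp.
LINE_RE = re.compile(r"^seq=(\d+) (\S+) ")

def structural_anomalies(lines):
    """Flag sequence gaps and backwards-jumping timestamps within one log copy."""
    findings = []
    prev_seq, prev_ts = None, None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            findings.append(f"unparseable line: {line!r}")
            continue
        seq = int(m.group(1))
        ts = datetime.strptime(m.group(2), "%Y-%m-%dT%H:%M:%SZ")
        if prev_seq is not None and seq != prev_seq + 1:
            findings.append(f"sequence gap: {prev_seq} -> {seq}")
        if prev_ts is not None and ts < prev_ts:
            findings.append(f"timestamp regression at seq {seq}")
        prev_seq, prev_ts = seq, ts
    return findings

def chain_digest(lines):
    """Hash chain over the lines: the final digest commits to every line and its order,
    so any deletion, edit or reordering changes it."""
    h = hashlib.sha256(b"log-chain-v1").digest()
    for line in lines:
        h = hashlib.sha256(h + line.encode()).digest()
    return h.hex()

def copies_agree(trusted, suspect):
    """True only if the host copy is byte-for-byte the log the collector received."""
    return chain_digest(trusted) == chain_digest(suspect)
```

The structural checks work on the host copy alone; the chain comparison is the stronger check because it needs a copy that left the host before the attacker could reach the logs.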

"If you suddenly take a subset of host systems offline, they are just going to switch their MO midstream," Carey said. "They will change their attack vector. They will drop multiple different toolkits. They'll even throw stuff out there that they'll want you to find so you think you have found them.

"It's no surprise at all that some of these big companies are taking weeks to find out what's going on," he added.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is

Copyright © 2011 IDG Communications, Inc.
