Ira Winkler and Araceli Treu Gomes

In threat assessment, the ‘who’ matters

Knowing who could come after you helps you prepare the appropriate defenses and response

[Image: anonymous masks. Credit: Vincent Diamante (CC BY-SA 2.0)]

We’re a bit perplexed by the attention being given to the hack of Sony Pictures. It’s not that the hack doesn’t deserve attention; it was potentially devastating from a business and operations standpoint, and companies that are hacked should not try to bottle up that information.

What is perplexing is that so much of the attention has centered on the question of whether or not North Korea was behind the attack. This storyline seems to have arisen from the fact that the studio has an upcoming Christmas release, The Interview, in which two journalists who have snagged an interview with Kim Jong Un are recruited by the CIA to assassinate the North Korean leader. That scenario isn’t impossible, but it is highly unlikely. Giving it credence is counterproductive, because who is behind any particular hack — and who is likely to attack your enterprise — is of utmost importance.

Here’s why North Korea is an unlikely culprit. The damage done by a North Korean attack would be different, because of what that nation would want to accomplish by attacking Sony Pictures. It would likely want to impose maximum damage, while potentially extorting the studio into agreeing not to release the film.

What was actually done, however, fits the profile of a hacktivist group: complete destruction of systems, and embarrassment of the targeted organization.

And, indeed, a hacktivist group, calling itself #GOP, has taken credit for the attack. So what is really worth knowing in this affair, rather than pretty much baseless speculation about North Korea’s role in it, is any and all information about this previously unknown group. This is especially true because #GOP has threatened to target other organizations, including law enforcement agencies. Therefore, organizations interested in protecting themselves need to learn as much as possible about this group, determine its attack strategies and the type of malware it uses. Gathering that kind of information will allow organizations to recognize when they are under attack by #GOP or have been successfully infiltrated by it.

That kind of knowledge is key in building defenses. Anytime an organization believes that it has been compromised, the ability to figure out who is behind the attack is essential. When you know the who, you know which countermeasures are likely to be effective, you know what type of data is being sought, and you know how to begin to mitigate any damage due to information leakage and/or destruction.

This is the discipline of security intelligence. It involves tracking potential threats and vulnerabilities for relevance to your organization. If a threat is determined to be relevant, then the organization can determine the appropriate countermeasures to implement and what sorts of signs of compromise to look for. And keep in mind that relevance can wax and wane over time. #GOP may be worth tracking now, but at the same time, LulzSec and Anonymous, which not too long ago dominated concerns about corporate hacking, have significantly decreased as threats.

Might North Korea and the so-called advanced persistent threats (APT) like Russia and China attack your organization? Perhaps; that’s for you to determine. But what you shouldn’t do is assume that because something has been labeled with the current buzzword APT, it must be among the entities you keep a close eye on. Yes, China has been accused of attacking NOAA and the U.S. Postal Service, and Russia is apparently targeting the U.S. energy sector and the White House. But what is relevant for you is the likelihood that either would ever attack your organization.

Security intelligence in action

When you employ security intelligence to gauge the likelihood of attack and predict attack methodologies, you can potentially repel the attack, or at least proactively mitigate damage. That was the case when the Syrian Electronic Army (SEA) targeted Computerworld and IDG, its parent company, in response to Ira Winkler’s article detailing the SEA’s activities and attacks. Working on the assumption that the SEA would attempt to compromise IDG, its staff was able to execute a plan based on knowledge gleaned from Winkler and law enforcement on the likely forms of attack, the specific look of the spearphishing messages to expect and the best way to respond when receiving such a message.

Most organizations have many threats to consider and defend against, and they must prioritize their limited security resources. But even if you can’t create a security intelligence group or hire a commercial service, there is much you can do to make security intelligence work for you.

Applying security intelligence, even in a limited way, can enhance the effectiveness and the return on security investment (ROSI) of any security program. With or without an implementation of security intelligence, the security staff will have to stay abreast of ongoing nefarious activities, but doing that without a formal process makes that much more difficult. And an organization that forgoes security intelligence has to guess about which countermeasures will have the greatest ROSI.

All organizations have to consider themselves vulnerable to attack. If an attack does come, wouldn’t you be better off if you could quickly determine who was behind it, what they were after and what methods they used to attack you?

Ira Winkler is president of Secure Mentem and author of the book Spies Among Us. Ira and Araceli Treu Gomes can be contacted through Ira's Web site,

Copyright © 2014 IDG Communications, Inc.
