Following the news that the malware used against Sony had sat undetected on its network for months (Bloomberg: http://www.bloomberg.com/news/2014-12-19/sony-hackers-seen-having-snooped-for-months-planted-bomb.html?hootPostID=c0c500303a14291b7538fbf26cadf435), the following comments have been offered by cyber security experts:
Jon French, security analyst at AppRiver, says:
“I don’t find it a surprise that the malware was there for months going undetected. It says the malware was customized for the attack, meaning that if the malware initially went under the radar when it was introduced into their network, it would be unlikely to suddenly get detected, since shutting down anti-virus is usually the first step malware takes. There are other ways to look for malware infections, such as network anomalies, but the difficulty in catching malware after a successful infection probably increases significantly on such a large network, especially with a targeted attack.
“Some AV companies mentioned in the article that their software could have prevented execution, but obviously there were some out there that did not detect it. This is where sharing the malware with the security community could help other vendors catch up and make sure they are blocking it. Even if they don’t want to release it publicly, it may be worth sharing with major AV companies to help prevent further infections (which is what seems to have happened/is happening, since McAfee, Trend Micro, and Symantec have analyzed it). Eventually I’m sure samples will start to make their way public for further analysis by researchers.”
Kevin Epstein, VP of advanced security and governance at Proofpoint, remarks:
“The degree of unnoticed access is an unsurprising testament to the need for automated incident response - and best practice in the current situation would suggest openly sharing the docs, malware, and attack vector to enable others to better secure and defend against similar attacks.”
Ken Westin, security analyst at Tripwire, writes:
“I believe this reflects a lack of sophistication on Sony's side in terms of security policies and controls, and less an indicator of the attackers' sophistication. Indicators of compromise relating to this malware have been shared with businesses by the FBI, including MD5 hash sums, file changes, remote IP addresses and other artefacts that they should be looking for. These elements should be visible in various threat intelligence tools as well.”
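The comment above names the indicator types the FBI shared (MD5 hash sums and remote IP addresses among them). As an added illustration of how such a list is actually swept against hosts and logs, here is a small Python sweep. It is not code from the article, from Tripwire or from the FBI flash; every indicator value in it is a constructed placeholder (a well-known test-vector hash and RFC 5737 documentation addresses), not a real Sony-related artefact, and the file names and log lines are likewise made up.

```python
"""Sweep for the kinds of indicators named above: file hashes and remote IPs.

Added example; not code from the article, from Tripwire or from the FBI
flash it refers to. Every indicator value below is a constructed placeholder
(a known test-vector hash and RFC 5737 documentation addresses), not a real
Sony-related artefact.
"""
import hashlib
import ipaddress
import re
import tempfile
from pathlib import Path
from typing import Iterable, Iterator

# Constructed indicator set. A real IoC list would be loaded from the sharing
# feed (CSV/STIX export); the values here exist only to exercise the code.
IOC_MD5 = {
    "0cc175b9c0f1b6a831c399e269772661",  # MD5 of the single byte b"a"
}
IOC_IPS = {"203.0.113.10", "198.51.100.25"}           # RFC 5737 TEST-NET-3
IOC_SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]  # RFC 5737 TEST-NET-1

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 of a byte string. MD5 is what the shared list keys on,
    but it is collision-prone, so SHA-256 is recorded alongside every hit."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_file(path: Path) -> dict:
    """Stream a file through both digests so large binaries are not read whole."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def sweep_files(paths: Iterable[Path]) -> list:
    """Return one record per file whose MD5 is on the indicator list."""
    hits = []
    for p in paths:
        digests = hash_file(p)
        if digests["md5"] in IOC_MD5:
            hits.append({"path": str(p), **digests})
    return hits


def ips_in_line(line: str) -> Iterator[ipaddress.IPv4Address]:
    """Yield syntactically valid IPv4 addresses found in a log line."""
    for candidate in IP_RE.findall(line):
        try:
            yield ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue


def sweep_log_lines(lines: Iterable[str]) -> list:
    """Return one record per (line, address) pair matching an IP or subnet IoC."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for ip in ips_in_line(line):
            if str(ip) in IOC_IPS or any(ip in net for net in IOC_SUBNETS):
                hits.append({"line_no": line_no, "ip": str(ip), "line": line.strip()})
    return hits


# Constructed proxy/firewall lines, not real Sony traffic.
SAMPLE_LOG = [
    "2014-11-20 03:12:44 proxy allow 10.0.5.17 -> 203.0.113.10:443 POST /update.php",
    "2014-11-20 03:12:45 proxy allow 10.0.5.17 -> 10.0.0.8:443 GET /intranet/",
    "2014-11-20 03:13:02 fw accept 10.0.9.3 -> 192.0.2.77:8080",
    "2014-11-20 03:13:05 fw drop malformed source 999.1.1.1",
]


def demo() -> dict:
    """Write two constructed files to a temp dir and run both sweeps."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "dropper.exe").write_bytes(b"a")      # hashes to the listed MD5
        (root / "clean.bin").write_bytes(b"hello")    # not on the list
        file_hits = sweep_files(sorted(root.iterdir()))
    return {"file_hits": file_hits, "log_hits": sweep_log_lines(SAMPLE_LOG)}


if __name__ == "__main__":
    results = demo()
    for hit in results["file_hits"]:
        print("FILE", hit["path"], hit["md5"], hit["sha256"])
    for hit in results["log_hits"]:
        print("NET ", hit["line_no"], hit["ip"], hit["line"])
```

Two points the sweep makes that the quote does not spell out: a hash-only match is only as good as the hash, so each hit is recorded with SHA-256 as well as the MD5 the list keys on; and address indicators are checked both as exact IPs and as subnets, since command-and-control infrastructure often moves within a range rather than staying on one host.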
Tim Erlin, Director of Security and Risk at Tripwire, writes:
“This may be news outside the information security community, but it’s really no surprise. In order to gather and copy the information they’ve published and to coordinate the simultaneous takedown of systems within Sony, the attackers would have needed time inside the network.
“There’s a lot of focus on the malware itself here, but it’s really the last step in the process. We should be more concerned than we are about the means and methods used to install that malware and expand their hold on the network. A good defense starts before the intruder gets inside the system.”
Lamar Bailey, Director of Security R&D at Tripwire, observes:
“Given the complete and total breach of the Sony networks, the attackers were present on the network for months if not years. The number of compromised systems and the malware needed to pull this off is astounding. It is unlikely that Sony will be able to remediate the affected systems in the near future. They will need to prioritize assets and networks, then systematically clean them.”