I would be very interested to find out more information about this and how they will engage the community.

http://www.justice.gov/opa/speech/assistant-attorney-general-leslie-r-caldwell-speaks-cybercrime-2020-symposium

In the release they describe the workings of the malware. It attacks the MBR and all data files. After infection the infected systems to connect to one of three random, one of these three IP addresses (88.53.215.64, 217.96.33.164, 203.131.222.102) via either port 8080 or 8000.
Sony Pictures Entertainment is dealing with the aftermath of a massive infection that must be keeping them very busy and many people out of work.

Snort can be configured to detect the traffic. The FBI also release the following siganture:

Alert tcp any any – > [88.53.215.64, 217.96.33.164, 203.131.222.102] [8080, 8000] (msg: “wiper_callout”;
dsize:42; content: “|ff ff ff ff|”; offset: 26; depth: 4; sid: 314;

It’s time to check your log files and check if those IPs are listed as destination IPs in any of your traffic or log data.

This week and next week, many organizations are consumed with keeping the lights on and making sure e-commerce platforms keep up with the anticipated spike in demand due to the big sale event. We are days away from Black Friday and many are crying foul before the whistle blows to start the game.

Justified or unjustified fear? I can tell you with certainty, coupled with many years of experience, that some of that fear is justified. American holidays such as Thanksgiving, Christmas and the Super Bowl are days when security operation center monitors go up, up, up in events volume.

So, make no mistake, Black Friday and Cyber Monday will not only attract shoppers, they will also attract hackers.

Unfortunately, most organizations do not have the resources to keep a fully staffed 24/7 network event monitoring effort, especially around non-working days such as weekends and holidays. Is it really necessary? My answer will bother some, but yes, it is necessary.

Why?

Well, is your network important to you? Are those assets important to you? Will your brand be affected by unauthorized access? Are there legal ramifications in the event of a data breach? The answer to all of these is most likely yes. However, the most important question is will a data breach negatively affect your clients? This is a yes/no question. If the answer is yes then, unequivocally, your organization must find ways to monitor your networks twenty-four hours a day seven days a week.

In that effort, I’d like to offer some insights:

• Monitor both external and internal events.
• Aggregate and analyze your logs to establish a baseline.
• If outsourcing is not possible, combine automatic alerting with on-call designations, or staff a 24/7 security operations center. A minimum of nine analysts with one manager should suffice. In terms of technologies, the options are plenty and varied.
• Reduce unnecessary noise without ignoring relevant events.
• Address the alerts generated, otherwise members of the organization will soon treat these alerts the same way they treat spam email.
• Define your incident response and apply the priority that the risk deserves. Not all threats are equal.
• Do not overlook access control related events such as failed logon attempts, even if it painful due to the volume.

In terms of commercial tools, there are many out there and some could be very pricey. In terms of open source tools, there are also plenty of options; icinga, snort, logstash, etc.

Is it possible to combine open source tools with commercial tools? Absolutely. It requires a solid architecture design and strategic planning, but very possible.

Although we read on a daily basis about these events we also know that not all data breach incidents are reported or who knows if even discovered.

More comprehensive stats are available are at DatalossDb where they are reporting that so far in 2014 there has been 831 incidents. The same site reported 1472 incidents for 2013. When we compare 2014 against 2013 it seem that 2014 has been better but it feels otherwise.

My take on this is that this year the press has been paying more attention to these type of news and the public is now more concerned about their credit cards.

Wondering what the level of forensics, if the incident response teams were in place to handle the incidents and aftermath. Is it based on NIST 800-61?

Who could it been? Russia, China, Venezuela, Brazil, a teenager from a basement?

On this day and age as soon as an organization is breach we get to read about the dirty details, the how, and more especially the who. How come we are not hearing these this time around?

The security community deserves an explanation and more importantly tax payers have the right to know.