March 26, 2019 Mark Stamford

Lessons learned from working with media companies

OccamSec has delivered security assessment and management services to a range of media companies. Below are some of the common issues discovered during these engagements and how we helped solve them. Media companies are high value targets and often the focus of determined adversaries.

Complexity

The complexity of media company environments means there are many vulnerabilities, in many places, that are not being covered by core processes. Given how media companies are typically very dispersed there tend to be areas that are easily “overlooked” by the core security processes.

In action..

Using a combination of factors — our intelligence team, client resources, and an initial organization analysis — our team was able to identify potential areas that were overlooked and focus testing on those. The objective being to reach the organizations critical assets and demonstrate the ability to steal them, or modify the data.  This information was then used by the client to ensure their security program covered all of the (known) organization.

Specifically Targeted

We have seen threat actors focusing on media companies because they are highly influential and high value targets. This has included attempts to disrupt radio and TV broadcasts, steal IP, and get info on M&A activity. This has included specific targeting of individuals in an organization (last occurrence was someone in finance) with social engineering attacks.

They are also interesting targets for anyone looking to distribute malware, and for nation state actors due to how much we rely on these networks.

Finally, their social media accounts are highly valued. Media companies are one of the most active users of social media platforms and we have seen a high value placed on their accounts.

In action..

Through targeted intelligence collection we identified a threat actor targeting one of our clients. Using information obtained through forensics on several compromised websites we then utilized our automated collection systems, along with manual efforts, to identify the attacker and their techniques. We then worked with the client to configure their SIEM and supporting tools to detect similar activity.

Out of the box, a SIEM is usually good at detecting run of the mill attacks, however, developing good correlation rules takes time. We provided details on the attack scenarios they were likely to face; the client then used their own team to develop the correlation rules. We followed up with some testing to ensure these were working as planned.

Under Utilized Protection

Media companies (like everyone else)  have access to lots of security tools, however  in some cases many are not utilized to their full potential. Some companies we have worked with have every tool imaginable, yet there is considerable overlap and much of it is not being used as effectively as it could. This then leads to new tools being purchased to plug gaps which may not actually be there.

In action..

One client had been struggling with their SIEM for several years, it collected large amounts of data but little was done with the data and the client was about to switch to a new outsourced provider. To increase the effectiveness of this we undertook a project to analyze what was currently being collected, develop threat models against critical assets, identify gaps in the data being collected, and develop the rules to detect the activities identified in the models.

Physical Security

Physical security is often overlooked. Several of our media clients  have lots of locations (transmission towers, studios, comms hubs etc..) with physical security systems that are separated from their cyber counterparts. Some sites provide ease of access, others are virtually entirely automated, and in some instances the location was temporary (but still connected to the core network). All present viable attack vectors.

The physical security and information security teams do not always play well together. This leads to gaps in control which can be exploited.

In action..

In one instance we breached a local radio station to gain access the core network. Our team physically breached the radio facility (using a cunning disguise), connected to the network, bypassed all the perimeter controls, and reached the target data.

We then acted as mediator between the information security and  physical security teams leading to a joint effort to integrate controls, as well as recommending additional measures.

As a side note, security awareness always comes up when any physical security testing is successful. Experience has shown that this only has a minimal impact in reducing the risk. Even in locations where awareness training seems to be an almost daily occurrence, an attacker pretending to be in distress, in charge or just “blending in” has a high chance of success – the evolution of our brains is more powerful than an informative poster.

Third Party Risk

The risks from third parties continues to grow as more “cloud” solutions are used, and media companies appear to be no exception. This is exacerbated by the number of physical locations many organizations in the industry have. In several instances we have found locations using different cloud applications for the same function, as well as a wide range of outsourced providers providing similar services.

Content is often provided by third parties, as well as being sent to them for editing. Both of these processes introduce potential risks and we have utilized them in our assessments. In addition, a lack of controls at third parties can lead to proprietary content being stolen, and the network affects provided by modern technologies allow for rapid distribution.

In action..

In one instance we breached a target via their use of an external provider. A virtual machine hosted at the third party was unsecured, this was compromised and utilized to capture credentials. There were used for further exploitation which ultimately led to access at the target company being acquired. The client revised their vendor review process (using an application we have built) and expanded their security program to cover these new areas of risk.

In another we responded to an incident where a third party had been breached and media (in this case several movies) had been stolen from a file sharing system. Our client was relying on the third party’s controls, which were found to be lacking when they came under scrutiny. Further investigation revealed that malware had infected both the third party and our clients environment via the file sharing that the two organizations were doing. Our response activities contained the malware and led to various controls being enhanced.