M+E Daily

CPS 2021: Richey May Explores What’s Keeping M&E Companies Up at Night

Media and entertainment organizations continued to be a popular target for pirates and other bad actors, a trend that is only expected to continue into 2022 and beyond, according to Richey May Technology Solutions (RMTS).

“Over 2021, M&E was attacked more than any other industry, by far – a pretty significant amount,” Jason S. Hamilton, a Certified Information Systems Security Professional (CISSP) who serves as managing director of Cybersecurity Services at RMTS, said Dec. 16 at the Content Protection Summit (CPS) event, during the breakout session “What’s Keeping Hollywood Up at Night? A Year in Review.”

“To my mind, I don’t know if that’s because of the value of the content or the value of the data or if it’s because [of] ease of success – a high success rate of compromising some of that data,” he told attendees.

The session provided a review of the past year in security for Hollywood movie studios and TV networks, and a forecast of what we can expect in 2022. The speakers pointed to some pitfalls and successes, as well as what trends seem to be at the forefront in the coming year, what RMTS plans to do to combat them, and what organizations can do to prepare for and defend themselves against those cyber threats.

A “Soft Target” With “High Value Content”

“From a hacker’s perspective, what do you think” about why M&E companies are such a favorite target of pirates, Hamilton asked the other speaker, Jason Weeding, RMTS cybersecurity engineer.

“It’s definitely a mixture of both: being a soft target and then high value content,” according to Weeding. “The media and entertainment industry has a wide attack surface. As any industry, they’re susceptible to a variety of different attacks. These types of attacks range from insider threats to leaked content, ransomware threats. And leaked and pirated content is worth a lot of money to both the studios and to hackers. Hackers can generate a lot of revenue through [online] services and hosting and selling that content, and then, as we know with ransomware, ransomware threats are really expensive to contain and can cause a lot of damage and disruption to every industry out there.”

Some of the services out there that the pirates use are “easily able to generate over $100K a month – probably more – and these are small groups,” Weeding noted.

You also “still have Pirate Bay out there,” Weeding said, noting, “we’ve been dealing with those guys for almost 15-20 years, since basically peer-to-peer became a thing.”

Pirating video content has been a common activity for decades. After all, Weeding pointed out: “There’s money in it for the hackers. They can profit off of it.”

Eighty percent of all cyberattacks are financially motivated, according to Hamilton. “Even the Colonial Pipeline hack that was a ransomware attack that had a huge impact on the infrastructure in the United States” last year was about the money, he said. “The Russian hacker group DarkSide that perpetrated that attack came right out [and] issued a public statement that said” they weren’t attacking the infrastructure and didn’t intend to have that impact on it – it was only about the money, he noted. “Those guys are raking in $90 million a year using ransomware as a service to anybody that wants to pick up the tab and attack something. So that’s not going away,” he warned.

One major ongoing challenge that does not help is that the “time to identify and contain a threat in 2021 averaged 287 days,” according to Hamilton. “That’s a little over nine months to not just identify the threat but actually contain it. So, even moving at a slow pace and trying to avoid detection, you could probably extricate a ton of content – a ton of data – in nine months,” he pointed out.

How to Fight Back

“So what do we do to protect ourselves against some of these attacks and respond a little better?” Hamilton asked Weeding.

“If you have somebody in your environment for 287 days undetected, you’re probably missing some security controls,” Weeding responded. “As a hacker and, I guess, a professional penetration tester in that sense, some of the hardest things I run up against that make my life a lot more difficult is good endpoint detection controls.”

A strong endpoint detection and response (EDR) solution will “slow an attacker down,” Weeding said, adding: “To be able to bypass an EDR, an attacker has to spend a lot more time doing R&D work and creating attacks that can get around those controls. The automation part helps. One example of this would be a Word document comes in through email, a user opens it, enables the macro and then that macro’s going to open a command executable, and run some code. In no business environment ever would that be a legitimate business use case so an EDR’s going to step in and say, ‘hey, don’t do that.’ It’s going to lock it down and then the attacker’s going to lose that ability to attack that workstation.”
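The parent-child rule Weeding describes (an Office application launching a command interpreter) can be sketched as detection logic over process-creation telemetry. This is an added example, not code from the presentation or from any EDR product; the process lists, field names and sample events are assumptions constructed for illustration. It also follows the parent chain, so an interpreter started indirectly by the Office process is still caught.

```python
import ntpath

# Assumed lists for illustration; tune them to your environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed process-creation records; field names are hypothetical,
# loosely modelled on what endpoint telemetry reports per new process.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # A shell the user opened from the desktop: same binary, benign lineage.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
]

def exe_name(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path).lower()

def office_ancestor(event, by_pid, max_depth=8):
    """Walk up the parent chain; return the first Office process found."""
    seen = set()
    ppid = event["ppid"]
    while ppid in by_pid and ppid not in seen and len(seen) < max_depth:
        seen.add(ppid)  # guards against loops caused by PID reuse
        parent = by_pid[ppid]
        if exe_name(parent["image"]) in OFFICE_APPS:
            return parent
        ppid = parent["ppid"]
    return None

def detect(events):
    """Return (pid, office_app, interpreter) for each suspicious launch."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        child = exe_name(e["image"])
        if child not in INTERPRETERS:
            continue
        office = office_ancestor(e, by_pid)
        if office:
            alerts.append((e["pid"], exe_name(office["image"]), child))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The shell opened from the desktop (PID 500) is not flagged, because the rule keys on lineage rather than on the interpreter binary alone.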

Another effective tool is two-factor authentication, Weeding told attendees, noting: “If you’re not doing it, you’re doing yourself a disservice.”

Another approach that M&E organizations should be using is layered security controls, which Weeding explained “increase the difficulty for any attacker – and it requires an attacker to chain multiple vulnerabilities together to infiltrate a system.”

What it comes down to, therefore, is that the “fundamentals” are what’s required, according to Hamilton. “It’s the same old stuff that we’ve been hearing about for years and years – the building blocks of a security program,” including multifactor authentication, continuous testing including penetration testing, vulnerability scanning and endpoint detection and prevention, along with “automating some of these processes so that we’re not taking nine months to realize that we’re being hacked.” Those are “really the most effective things to keep attackers out of our networks,” he said.

Also important are patch management and keeping systems updated, Weeding noted. When a company uses all these methods, hackers must “go back to the drawing board and design new attacks and build new techniques,” he said.

The Biggest Threats in 2021 and 2022

The biggest issues in 2021 for M&E organizations were content theft and leaking content before release dates to peer-to-peer networks and others, which is a “big revenue killer,” according to Hamilton.

Supply chain attacks were also a challenge for the sector in 2021, along with ransomware and denial-of-service attacks, he said.

So can we expect more of the same in 2022 or something new?

“Both,” Weeding said. There will be “more of the same” but also “new threats including Log4Shell,” he noted. It only recently reared its head but “I think that’s going to be a heavy hitter going into the new year,” he predicted. “The thing that I’m worried about with Log4Shell: It’s a remote code execution vulnerability [so] it’s easy to pull off. And then, comparing it to past attacks, I’m worried that Log4Shell could be like a vehicle for distributing malware. And then you start to pair that with other attack tools and add modularity to it and you end up with” an even worse situation, he warned.

“So we definitely need to be on top of Log4Shell going into the new year. If you guys aren’t looking for it in your environment right now, I would say get on top of that and let’s start patching that,” Weeding said.

“Supply chain attacks,” like the SolarWinds attack last year, “have been big,” Weeding went on to say, predicting: “I think we’re going to continue to see an uptick in that over the years. And I guess a way we can prevent that is through understanding what our code is that we’re deploying into our environments. Static code analysis and dynamic code analysis could detect any malicious code that’s written to a software update and then pushed into your environment.”


The Content Protection Summit was open to remote attendees worldwide using MESA’s recently introduced metaverse environment, the Rendez.Vu-powered MESAverse, an interactive 3D-world that allows for hybrid live and virtual events.

The event was produced by MESA, presented by IBM Security and Synamedia, sponsored by Convergent Risks, Richey May Technology Solutions, PacketFabric, archTIS, Code42, INTRUSION, NAGRA, StoneTurn and Vision Media.