100TB of Sony Data Isn’t That Crazy

I don't think I can read another story or tweet about the Sony Pictures breach without flipping a table when it comes to people losing their minds over the alleged 100TB of data that was exfiltrated during said breach.

We still don't know if 100TB of data is even accurate.

If that number is accurate, it could be that there was 90TB of cruft, or full-quality video, or applications off hundreds of workstations—anything is literally possible. 100TB of data can be a lot of worthless data, not just treasure troves of passwords in spreadsheets and awkward e-mails.

"100TB is too big not to notice!"

100TB is too big? This is Sony Pictures. Do you really think they don't do large file transfers within their network, over fiber point-to-point, or to third-party vendors over the Internet?

Maybe, just maybe, a company that gets owned this badly doesn't have the best egress data monitoring alerts or network analysts at the ready. After Target and every other breach we've seen happen, why are people still dumbfounded that giant corporations manage to miss IOC alerts?

Do We Know How This 100TB Was Even Exfiltrated?

I see a lot of gossip over what it would take to transfer 100TB out of a network, but people aren't considering that "exfiltrated" may not mean over the Internet at all: the data could have been staged on a host somewhere inside the organization that did have the storage (at least a few dozen TB) and sifted through there.

Some data could have been sent to external hosts, some to internal hosts, some to third-party peered networks. Data isn't stolen in one lump sum, so it could have been a process of sorting, processing, and pilfering—internally or externally—from their primary network.

You Don't Need to Store 100TB to Steal 100TB.

There's this crazy perception that when attackers say, "we stole 100TB of data," it means they have 100TB of data lying around. You can transfer data, evaluate it, and then delete it without holding it all at once. In fact, the idea that they just went, "slurp, 100TB, now what?" is inane at best.

Stealing 100TB of data does not equate to having 100TB of data at one time. Still, 4TB hard drives are cheap, so...

Remember, it's All About the Timeline!

Depending on how long this breach was actually going on, the attackers could have transferred 1TB per day for 100 days, 2TB per day for 50 days, 4TB per day for 25 days, etc.

We don't know the timeline yet, and anyone who says they do is probably making up facts. These attackers "let themselves be known," so do you really think they did so before they had plenty of time to take what they wanted?
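To make the egress-monitoring point and the timeline arithmetic concrete, here is an added example (mine, not code from the post or from Sony) that runs two detection rules over constructed outbound flow records: a per-transfer size alarm, and a per-host daily-volume baseline. The hosts, volumes and the 110-day window are invented; the compromised host sends 1 TB/day in 5 GB chunks, which the size alarm never sees while the legitimate vendor deliveries trip it.

```python
"""Egress-volume detection over constructed flow records (added example, not from the post)."""
from collections import defaultdict
from statistics import median

GB = 10**9
TB = 10**12
DAYS = 110
ATTACK_START = 10  # day on which the compromised host starts its 1 TB/day stream

def build_sample_flows():
    """Constructed outbound flows as (day, src_host, nbytes); hosts and volumes are invented."""
    flows = []
    for day in range(DAYS):
        flows.append((day, "ws-042", 20 * GB))          # ordinary workstation
        flows += [(day, "render-01", 100 * GB)] * 3      # render farm pushing to a vendor
        if day % 10 == 0:
            flows.append((day, "render-01", 500 * GB))  # occasional large master delivery
        flows.append((day, "fs-07", 20 * GB))           # file server, normal traffic
        if day >= ATTACK_START:
            flows += [(day, "fs-07", 5 * GB)] * 200     # 200 x 5 GB = 1 TB/day of exfil
    return flows

def flag_large_transfers(flows, threshold=400 * GB):
    """Naive rule: alert on any single transfer larger than threshold."""
    return {host for _, host, nbytes in flows if nbytes > threshold}

def daily_egress(flows):
    """Sum bytes per host per day -> {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, nbytes in flows:
        totals[host][day] += nbytes
    return totals

def flag_sustained_egress(flows, baseline_days=7, ratio=3.0, min_days=3):
    """Alert on hosts whose daily volume exceeds ratio x their own early-baseline median
    on at least min_days days; returns {host: (days_flagged, bytes_on_those_days)}."""
    alerts = {}
    for host, per_day in daily_egress(flows).items():
        baseline = median(per_day.get(d, 0) for d in range(baseline_days))
        hot = [d for d, b in per_day.items() if d >= baseline_days and b > ratio * baseline]
        if len(hot) >= min_days:
            alerts[host] = (len(hot), sum(per_day[d] for d in hot))
    return alerts

if __name__ == "__main__":
    flows = build_sample_flows()
    print("per-transfer alarm fires on:", flag_large_transfers(flows))
    for host, (days, total) in flag_sustained_egress(flows).items():
        print(f"{host}: {days} elevated days, {total / TB:.0f} TB sent on them")
```

The baseline rule only works because the first week is assumed clean; a host that was already streaming data when monitoring began would bake its own exfil into the baseline, which is why a fleet-wide comparison across similar hosts is the usual complement.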

This breach will hopefully have some outcomes we can learn from, not the least of which is related to perceptions of what attackers can accomplish when they have carte blanche over a network for an undetermined amount of time.