Sunday, March 16, 2014

Just When You Thought the Target Breach Story Was Over. A Tale of Advanced Persistent Threats (APT), FireEye, and Warnings Ignored

In the previous chapter of this adventure, Target CIO Beth Jacob had taken the hit and was resigning, and Target was going to implement new processes for protecting its network. Prior to this, Target had gone through a number of phases since the attack began in late November: denial; CEO Gregg Steinhafel nowhere to be found; "Houston, we've got a problem"; "Let's give customers a 'we're sorry' discount"; the CEO is found (finally, someone looked at a book on crisis management); transparency; free credit monitoring for customers; and so on. The Russian hackers involved in this incident were not even very sophisticated with their coding.

Techtarget’s definition of Advanced Persistent Threat – “An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time.  The intention of an APT attack is to steal data rather than to cause damage to the network or organization.  APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing, and the financial industry.”

In the Bloomberg story "Missed Alarms and 40 Million Credit Card Numbers. How Target Blew It", the article describes how Target HAD Advanced Persistent Threat appliances from FireEye, an APT company that went public several months ago for a gazillion dollars. (Side note: FEYE's market cap was $10 B as of February 14, though the stock has since dropped a bit less than 20% from its high.)

The malware had completed most of the phases of the attackers' objective. Credit card numbers were being scraped from store terminals as cards were swiped and collected on an internal Target server. All that was left was for the numbers to be transmitted to the cyber criminals for subsequent sale to other cybercriminals. In late November and early December, the attackers went about installing the software that would send the customer data out to staging points (probably a botnet) and then on to Russia. Busted! Well, sort of. The FireEye appliances sent an alert to Target's security team in Bangalore. Bangalore alerted the people in Minnesota, and Minnesota did nothing! Then the transmittal of what was ultimately 40 million records began. (A nagging question: was there a DLP (Data Loss Prevention) system installed on the network? Tens of millions of card numbers leaving in bulk is exactly the pattern such a system exists to catch.) It wasn't until mid-December, when the Department of Justice got involved, that Target really began investigating.

By the way, the option for the FireEye appliance to automatically delete malware as soon as it was detected was turned off, so the appliance could only alert, and the alert went unanswered. What's even more ludicrous is that Symantec's Endpoint Protection software also identified the malware. Target has spent $61 million on the breach so far, faces lawsuits, and posted an abysmal Q4 profit (down almost 50%).

Read the Bloomberg Businessweek article. It's quite interesting. http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

McAfee this week wrote that this particular attack was "Far from 'advanced,' the BlackPOS malware family is an 'off-the-shelf' exploit kit for sale that can easily be modified and redistributed with little programming skill or knowledge of malware functionality." If that is the case, this is even more embarrassing for Target and their IT team. http://www.mercurynews.com/business/ci_25322189/mcafee-report-says-target-cyber-attackers-used-common

Takeaways from this: if your network does not have them, look at investing in an APT solution and a DLP solution. Don't ignore your security solutions when they flag something; an alert that lands in a queue nobody acts on, from an appliance whose automatic blocking has been switched off, is not a control. NSS Labs, Ellen Messmer at Network World, and Lawrence Pingree at Gartner (www.nsslabs.com, www.networkworld.com, www.gartner.com) have all written about Advanced Persistent Threat vendors. Type "advanced persistent threat" into a Google search and a slew of vendors will show up on the right-hand side.
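To make the DLP question raised above (and the DLP takeaway here) concrete, the following is an added example written for this page; it is not code from the original post, from Target, or from any vendor mentioned. It is a minimal egress inspection check in Python: it scans an outbound payload for primary account numbers, keeps only those that pass the Luhn check (so order numbers and timestamps do not count), and decides whether to allow, alert on, or block the transfer based on where it is going and how many cards it carries. The destination names, the threshold of 10, the record formats and the card numbers are all constructed for illustration (4111 1111 1111 1111 is a widely published test number; the rest are generated here with valid check digits). A real DLP product does far more (track-data signatures, handling of encrypted channels, baselines of normal settlement volume), but this is the core of what one would have needed to match to notice 40 million records leaving.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def with_check_digit(base: str) -> str:
    """Append the Luhn check digit to a digit string. Used here only to build
    constructed sample data."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:              # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return base + str((10 - total % 10) % 10)


def extract_pans(payload: str) -> set[str]:
    """Distinct Luhn-valid PANs found in an outbound payload."""
    pans = set()
    for match in PAN_CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.add(digits)
    return pans


def mask(pan: str) -> str:
    """First six and last four digits, so the alert itself does not leak card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Verdict:
    action: str                 # "allow", "alert" or "block"
    pan_count: int
    masked_pans: list[str]


def inspect_outbound(payload: str, dst: str, allowed_dst: set[str],
                     bulk_threshold: int = 10) -> Verdict:
    """Egress policy (hypothetical): card data may only go to approved payment
    hosts; even one PAN to anywhere else is blocked, and an unusually large
    batch to an approved host raises an alert for human review."""
    pans = extract_pans(payload)
    if not pans:
        action = "allow"
    elif dst not in allowed_dst:
        action = "block"
    elif len(pans) >= bulk_threshold:
        action = "alert"
    else:
        action = "allow"
    return Verdict(action, len(pans), sorted(mask(p) for p in pans))


# ---- constructed sample data (not real traffic, not real card numbers) ----
ALLOWED_DESTINATIONS = {"settlement.processor.example"}

# One legitimate authorization: a single published test PAN plus a reference
# number that happens to be 16 digits but fails Luhn, so it is not counted.
LEGIT_AUTH = "order=A1001&card=4111 1111 1111 1111&exp=1225&ref=1234567890123456"

# A dump of the kind a memory scraper would stage before exfiltration:
# 12 generated PANs with valid check digits, one record per line.
DUMP_FILE = "\n".join(
    with_check_digit(f"400000{i:09d}") + "|1225|DOE/JOHN" for i in range(12)
)

if __name__ == "__main__":
    for label, payload, dst in [
        ("auth to processor", LEGIT_AUTH, "settlement.processor.example"),
        ("auth to unknown host", LEGIT_AUTH, "203.0.113.7"),
        ("dump to processor", DUMP_FILE, "settlement.processor.example"),
        ("dump to unknown host", DUMP_FILE, "203.0.113.7"),
    ]:
        v = inspect_outbound(payload, dst, ALLOWED_DESTINATIONS)
        print(f"{label:22s} -> {v.action:5s} ({v.pan_count} PANs) {v.masked_pans[:2]}")
```

The design point is the policy, not the regex: a single card going to the payment processor is normal, the same card going to an address nobody approved is not, and a file full of Luhn-valid numbers heading anywhere deserves a human look. Any of those three rules would have fired on a dump the size of Target's, which is why the question of whether a DLP was even in place matters.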

Craig Kensek  - Twitter - ckensek

1 comment:

Dan Chmielewski said...

In addition to FireEye products, Target was using privileged access products from CyberArk. Malware beaconing technology could have helped prevent the breach.