Showing posts with label target. Show all posts

Sunday, March 16, 2014

Just When You Thought the Target Breach Story Was Over. A Tale of Advanced Persistent Threats (APT), FireEye, and Warnings Ignored

In the previous chapter of this adventure, Target CIO Beth Jacob had taken the hit and was going to resign. Target was going to implement new processes for protecting its network. Prior to this, Target had gone through a number of phases since the attack began in late November – denial, CEO Gregg Steinhafel nowhere to be found, “Houston, we’ve got a problem”, “Let’s give customers a ‘we’re sorry’ discount”, CEO is found (finally, someone looked at a book on crisis management), transparency, free credit watch software for customers, etc. The Russian hackers involved in this incident were not even very sophisticated with their coding.

Techtarget’s definition of Advanced Persistent Threat – “An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time.  The intention of an APT attack is to steal data rather than to cause damage to the network or organization.  APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing, and the financial industry.”

In the Bloomberg story “Missed Alarms and 40 Million Credit Card Numbers. How Target Blew It”, the author writes about how Target HAD Advanced Persistent Threat appliances from FireEye, an APT company that went public several months ago for a gazillion dollars. (Side note – FEYE’s market cap was $10 B as of February 14, though their stock has dropped a bit less than 20% from its high.)

The malware had completed most of the phases of the hackers’ objective. Credit card numbers were being stored on a Target server as they were swiped on store terminals. All that was left was for the numbers to be transmitted to the cyber criminals for subsequent sale to other cyber criminals. In November and early December, the hackers went about installing the software that would send the customer info out to staging points (probably a botnet), and then to Russia. Busted! Well. Sort of. FireEye appliances sent an alert to Bangalore. Bangalore alerted the people in Minnesota and… Minnesota did nothing! Then the transmittal of ultimately 40 million records began (a nagging question – was there a DLP (Data Loss Prevention) solution installed on the network?). It wasn’t until mid-December, when the Department of Justice got involved, that Target really began investigating.

By the way, the option for the FireEye appliance to automatically delete malware as soon as it was detected was turned off. What’s even more ludicrous is that Symantec’s Endpoint Protection software also identified the malware. $61 million spent by Target so far. Lawsuits. Abysmal Q4 profit (down almost 50%).

Read the Bloomberg/Business Week article. It’s quite interesting.  http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

McAfee this week wrote that this particular attack was “Far from ‘advanced,’ The BlackPOS malware family is an ‘off-the-shelf’ exploit kit for sale that can easily be modified and redistributed with little programming skill or knowledge of malware functionality.” If this was the case, this is even more embarrassing for Target and their IT team. http://www.mercurynews.com/business/ci_25322189/mcafee-report-says-target-cyber-attackers-used-common

Takeaways from this: if your network does not have them, look at investing in an APT solution and in a DLP solution. Don’t ignore your security solutions when you get flagged. NSS Labs, Ellen Messmer at Network World, and Lawrence Pingree at Gartner (www.nsslabs.com, www.networkworld.com, www.gartner.com) have all written about Advanced Persistent Threat vendors. Type “advanced persistent threat” into a Google search and a slew of vendors will show up on the right-hand side (RHS).
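The nagging DLP question above (would anything have noticed card numbers leaving the network?) is worth making concrete. What follows is an added example, not code from this blog or from Target, FireEye, or any DLP vendor: a minimal DLP-style scanner that looks for card-number-shaped digit runs in outbound traffic records and keeps only those that pass the Luhn check, which is what separates a real PAN from an order number or timestamp. The log lines and their field layout are constructed for the example and stand in for whatever proxy or egress logging a real network has; a commercial DLP product does far more (track-data formats, file types, encrypted channels), but the core detection idea is the same.

```python
import re
from typing import List, Tuple

# A candidate PAN is 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first 6 and last 4 digits so an analyst can triage without the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid 13-19 digit sequences found in text, deduplicated, in order."""
    found: List[str] = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, masked PAN) for every line carrying card data."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


# Constructed sample of outbound request records (hypothetical format).
# Line 1 carries a Luhn-valid test card number; line 2 carries a 16-digit
# order number that fails Luhn; line 3 is benign; line 4 carries a
# space-separated Luhn-valid number.
SAMPLE_OUTBOUND = [
    "2014-11-30T02:14:07Z POST /upload host=203.0.113.10 body=tx=4111111111111111|1512|123",
    "2014-11-30T02:14:08Z POST /upload host=203.0.113.10 body=order=4111111111111112",
    "2014-11-30T02:15:00Z GET /status host=198.51.100.7 ua=Mozilla/5.0",
    "2014-11-30T02:15:01Z POST /upload host=203.0.113.10 body=tx=5500 0000 0000 0004",
]

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_OUTBOUND):
        print(f"line {line_no}: possible card data {masked}")
```

Only lines 1 and 4 of the sample are reported; the order number on line 2 has the right shape but fails Luhn, which is the check that keeps a scanner like this from drowning analysts in false positives. Reporting the masked form rather than the full number keeps the alert itself from becoming a second copy of the card data.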

Craig Kensek  - Twitter - ckensek



Friday, January 17, 2014

Target Data Breach – Target CEO Belatedly Starts to “Man Up”


Target and CEO Gregg Steinhafel have finally downloaded a book on crisis management and are following the script for when a company crisis occurs. They could have begun a lot earlier, right after this November/December data breach was discovered. They have managed to never say the phrase “Advanced Persistent Threat (APT)” in their communications. I would imagine that any company offering an APT solution has contacted them.

On January 14th, Target ran a full page ad in a number of major US newspapers. Below are snippets of the four bullet points and my comments. These adverts do cost $$. Earlier blogs on this topic are on www.us.ahnlab.com.


  1. Closed the access points that were used and removed the malware. I should hope so! Preferably, this was done a month ago.
  2. Hired a team of data security experts to investigate how this happened. Good. Hopefully this happened a month ago. The internal IT department kind of messed up here. However, most current security technology is unable to stop these kinds of attacks. Hence the number of APT solutions being offered.
  3. Communicated that guests will have zero liability for any fraudulent charges. First, they’re customers, not guests. A bit of a $$ olive branch. Usually, customers have a small window of time to dispute charges on debit cards and credit cards. The rules vary. They don't have unlimited liability. But a person’s checking account could, in theory, be emptied. This communication hopefully happened right after the breach was discovered and closed.
  4. Offered one year of free credit card monitoring and identity theft protection. This should have happened weeks ago. Target – do not auto-renew this on Target debit cards. That would be tacky.

Target is now doing much of the right thing. Steinhafel even said, “Sorry”. All of the above was late. The crisis management book would have had Steinhafel front and center right after the breach was discovered, rather than having an update section on the Target web site (www.target.com/databreach).

Demerits for Target for not being transparent early to customers. Demerits for not keeping Target employees in the trenches in the loop immediately and on an ongoing basis about this. Target should even consider having something conspicuously posted (with copies available) at checkout lines in their stores. The 10% additional weekend discount offered was barely an olive branch.

It now appears that even non-Target customers are getting emails from Target. One article on the topic reads, in part:

"The good news first: A Target spokeswoman has confirmed to Consumerist that the email is 'an official communication,' despite it seeming like the perfect chance for hackers to strike yet again. So, whew. But when we asked where Target obtained email addresses for people who are not now and have never been customers of the retailer, the spokeswoman simply said, 'The information was obtained by Target through the normal course of our business.'"


Target IT employees: start evaluating APT solutions.

Why haven’t Target and/or the relevant financial institutions immediately sent out replacement cards? First, a less costly solution would be for all customers to go and change their passwords. This isn’t going to happen. The information (fortunately a lot of it encrypted) has already been stolen. Second – behind the scenes, the financial institutions and Target are probably pointing fingers at each other regarding inadequate protection. Third – the cost of sending out a replacement card is around $10. This could be a hit of up to $440 million in revenue to Target and/or the affected financial institutions. So, this isn’t going to happen.