Attacks/Breaches
3/14/2014
11:58 AM
50%
50%

Target Ignored Data Breach Alarms

Target's security team reviewed -- and ignored -- urgent warnings from threat-detection tool about unknown malware spotted on the network.

Target confirmed Friday that the hack attack against the retailer's point-of-sale (POS) systems that began in late November triggered alarms, which its information security team evaluated and chose to ignore.

"Like any large company, each week at Target there are a vast number of technical events that take place and are logged. Through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team," said Target spokeswoman Molly Snyder via email. "That activity was evaluated and acted upon."

Unfortunately, however, the security team appears to have made the wrong call. "Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up," she said. "With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different."

[Collaboration with competitors may be the key to slowing security threats. See Retail Industry May Pool Intel To Stop Breaches.]

Target arguably wasn't breached because it failed to invest in proper information security defenses. In fact, Snyder said the company had "invested hundreds of millions of dollars in data security, had a robust system in place, and had recently been certified as PCI-compliant." Likewise, the retailer apparently heeded multiple warnings from US-CERT -- part of the Department of Homeland Security -- about the increasing threat of POS-malware attacks against retailers.

Unusually for a retailer, Target was even running its own security operations center in Minneapolis, according to a report published Thursday by Bloomberg Businessweek. Among its security defenses, following a months-long testing period and May 2013 implementation, was software from attack-detection firm FireEye, which caught the initial November 30 infection of Target's payment system by malware. All told, up to five "malware.binary" alarms reportedly sounded, each graded at the top of FireEye's criticality scale, and which were seen by Target's information security teams first in Bangalore, and then Minneapolis.

Image credit: Jay Reed on Flickr.
Image credit: Jay Reed on Flickr.

When reviewing Target's log files, digital forensic investigators also found the November 30 alerts, as well as multiple alerts from December 2, all of which tied to attackers installing multiple versions of their malware -- with the alerts including details for the external servers to which data was being sent -- Bloomberg Businessweek reported. Later on December 2, attackers began siphoning 40 million credit and debit card numbers from POS terminals, as well as personal information on 70 million customers. Ultimately, they exfiltrated at least 11 GB of data, according to Aviv Raff, CTO of Israel-based cybersecurity technology company Seculert, which found one of three FTP servers to which the data was sent. From there, the data was transferred to a server hosted by Russian-based hosting service vpsville.ru.

Obviously, had Target's security team reacted differently, they might have contained what turned into a massive data breach. But the security team didn't even have to be in the loop. The FireEye software could have been set

Next Page

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 3   >   >>
BGREENE292
100%
0%
BGREENE292,
User Rank: Apprentice
3/15/2014 | 5:53:42 PM
Re: These stories all present misleading or incomplete data with sensational titles
.
hhendrickson274 said, "... these stories all present misleading or incomplete data with sensational titles..."
 
 
NOT HARDLY
 
Enough information is already present for an informed judgment about the Target IT team response. To plead unlikely extenuating circumstances such as (1) the team was overwhelmed by the volume of alerts, and was unable to distinguish signal from noise, or (2) the team might have seen similar alarts, which were investigated (despite the overwhelming volume of alerts) and dismissed as probable false positives, or (3) any Russian IP address is not necessarily cause for suspicion, since "(we do not know why) they would feel outbound connections from their POS to a Russian based IP wouldn't be suspicious" is worthy of a press release from Target public relations.

The FireEye system did its job well enough, elevating the alerts to the attention of Target IT, which eliminates the "sheer overload" excuse. Likewise, if the administrator had turned off automated response, it was critical to forge a field-tested policy for dealing with such detections manually, and then follow it to the letter. As for a number of Russian IPs, that in itself carries enough negative freight to merit special consideration-- aside from the principle that any "strange" address merits investigation.

Target did none of these things. What Target did is typical of the "90-day Wonder" policy of generating new managers ex nihilo, an IT person placed in the job for reasons that have little to do with experience or competence. As the survival tactic of one lacking experience, that manager essentially bought a well-respected brand, and then tried to hide behind it-- blaming FireEye for what was a Target responsibility.

Any Target promotion of a favored, specific person over those with more skill and'or experience is also excruciating commentary on the politics of Target management, since it focuses on factors which have little or nothing to do with professionalism. Such "fast track" promotions insidiously kill incentive among staff to demonstrate responsibility and competence. Fast track staffing is also disingenuous to the extreme, a breach of trust between executive management and staff-- especially those who were told promotion is based on demonstrated effort, competence and experience.

With the extremely questionable managerial culture at Target, the only possible defense against a charge of deliberately risky behavior with customer accounts is "mistakes were made"-- an abject confession of incompetence. While every manager is entitled to on-the-job training, that training should ensure millions of customer credit cards and bank accounts are not also at risk.
Duane T
100%
0%
Duane T,
User Rank: Apprentice
3/14/2014 | 6:58:36 PM
You need more security that tech that tells you you've been infected
PCI and Security are like insurance, unfortunately Target spent $M on detection and left the response process to manual labor. But your insurance shouldn't just tell you that you're sick. This is like having insurance that just tells you that you indeed have an illness. They should have also spent at least 10% of that budget on process and technology to automatically investigate, prioritize, and lock down/contain their detected threats. You would think that they could have asked FireEye who they recommend for automated incident response. The tech is out there and available, and all this craziness and costs could be avoided.

Think of it this way, Target probably saw 1000s if not 10s of thousands of alerts each day, and they know it. They probably detect more than they can process effectively, and the result is that malware gets through. They probably could have spent a fraction more to get automated incident response technology in house.
Thomas Claburn
100%
0%
Thomas Claburn,
User Rank: Moderator
3/14/2014 | 3:42:04 PM
Re: Target Security team is inexperienced and or incompetent.
I wonder whether this incident will help retailers understand that retaining credit card data is more trouble than its worth. "No Data" should become the next "Big Data."
Laurianne
50%
50%
Laurianne,
User Rank: Apprentice
3/14/2014 | 3:15:40 PM
Re: Target Security team is inexperienced and or incompetent.
"This also underscores the near uselessness of the PCI spec. It is not a something to use to avoid a breach, its something to use to reduce the chance of a lawsuit." True PCI is about covering your business. The retail data breaches are causing pain, but healthcare data breaches may someday make these look tame by comparison.
VWalker
50%
50%
VWalker,
User Rank: Apprentice
3/14/2014 | 2:50:00 PM
Re: Image credit?
Thank you - I've fixed the attribution here and on a previous story where we used this image. Vicki Walker, News Editor.
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Moderator
3/14/2014 | 2:25:44 PM
Does automated security watch for the right things?
I'd like to know the context: how many total alerts did FireEye provide during the hour it signaled the intrusion? How did it distinguish those that applied to the intrusion. I woujld think a notice that malware was being fanned out to multiple Target servers should be made to stand out. If you know the malware won't automatically be eliminated, what's the action plan to get it out of there? Wsa there any alert on 11GBs of internal data flowing out to Russia? Even in context, I'm afraid Target's response is going to be judged and judged harshly. Continuous sensitive credit card data should have triggered alarms that normal transaction data wouldn't. If it can happen to anyone with a large number of alerts pouring at them, then we're in more trouble than I realized.
ke4roh
50%
50%
ke4roh,
User Rank: Apprentice
3/14/2014 | 2:17:47 PM
Image credit?
Wikimedia Commons did not create this image.  The image was taken by Flickr user Jay Reed who requires attribution to HIM for its distribution.  Wikimedia says that here. Please credit the photographer and copyright owner rather than the venue on which you found the picture!
hhendrickson274
50%
50%
hhendrickson274,
User Rank: Apprentice
3/14/2014 | 1:43:59 PM
These stories all present misleading or incomplete data with sensational titles
I don't know any more than what is in the various articles written about this, but everyone is some quick to jump on the Target team for reviewing and ignoring the alarms.  And articles like this with sensational titles don't help. That's really disingenuos without understanding the entire circumstances around the situation.  No meniton is made to the volume of alerts that may have been coming out of the FireEye system (or other systems they had deployed) to know if this was seen as normal noise or not.  Was that team used to seeing alerts similar to this that turned out to be false positives or of little significance? 


What I can fault them for would be not taking at least basic precautions like blocking outbound access to the IP that the malware was communicating with, and sending a sample off to their A/V vendor for analysis and inclusion in signature updates.  I can't say that either of those would have really made much of an impact, but I'm not sure how much business Target does with users in Russia to understand why they would feel outbound connections from their POS to a Russian based IP wouldn't be suspicious.  Maybe they did some of these things, I have no idea. 

I guess what my point is, let's not rush to judgement before we have all the facts.  They are only coming out in dribs and drabs at this point.  Hindsight is 20/20 and it's easy to be critic.  I'd rather we tried to be constructive and learned from this event.
Somedude8
50%
50%
Somedude8,
User Rank: Apprentice
3/14/2014 | 1:01:57 PM
Re: Target Security team is inexperienced and or incompetent.
I am not so sure that IP filtering would have helped at with the infiltration, since the penetration vector was through a contractor, unless that HVAC contractor was in the blacklist, in which case they wouldn't have been able to do their jobs. IP filtering would of course not help with exfilatration.

This development really highlights the growing difficulty of filtering the signal from the noise in an age of exponentially expanding volume of data. Its like many of us are falling in to the same trap that amateur website owners often do: If everything is in all caps, people will read everything because all caps means its important right? I would not be at all surprised if the same people that evaluated the alarm mentioned in the article were also monitoring alarms from countless workstations and who knows what else. Doesn't surprise me at all that this got lost in the shuflle. But it still terrifies me!

This also underscores the near uselessness of the PCI spec. It is not a something to use to avoid a breach, its something to use to reduce the chance of a lawsuit. "Hey! We were PCI compliant! Its not our fault!"
JoeS149
100%
0%
JoeS149,
User Rank: Apprentice
3/14/2014 | 12:35:59 PM
Target Security team is inexperienced and or incompetent.
A competent IT and security individual  would have been in code red attempting to stop the attack. The fact the target "security team" did not recognize the threat shows a lack of technical understanding and/or experieence.

It has been a number of years  since I have done system security however a simple  thing to do is filter out all IP addresses outside of the needed range. Certain  countries(i.e. China, Russia) have been threats for years and years. The Target "security team" didn't understand this?


On the positive side, maybe now the non-tech world which is using technology to make money will spend more money on better security.
<<   <   Page 2 / 3   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

CVE-2014-8711
Published: 2014-11-22
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?