Vulnerabilities / Threats
02:00 PM
Giora Engel
Giora Engel
Connect Directly
E-Mail vvv

The Bad News For Infosec In The Target Settlement

The legal argument behind the $10 million Class Action lawsuit and subsequent settlement is a gross misrepresentation of how attackers operate.

Central to the recent Target data breach lawsuit settlement was the idea that cyber attacks are mechanistic and follow a prescribed course or chain of events. The judge hearing the case ruled that Target is liable for not mounting an adequate defense against the 2013 cyber attack that exposed some 40 million customer debit and credit card accounts. Unfortunately, the ruling also may have serious repercussions for many of us in the security profession.

In my opinion, Judge Paul A. Magnuson’s ruling is dangerously flawed and a gross misrepresentation of how attackers operate; it ignores the fact that the breach was conducted by actual people. Preventing one event in a supposed chain will not stop a breach. Attackers will simply find another way to achieve their goal. The challenge is to identify that a targeted attack is under way and then rip the attackers out of the network.

Here are three examples of where the ruling went wrong:
Misunderstanding #1: Targeted attacks are not linear processes
The data breach lawsuit argued:
“The fundamental premise of kill chain security is that hackers must proceed through seven steps to plan and execute an attack. While the hackers must complete all of these steps to execute a successful attack, the company has to stop the hackers from completing just one of these steps to prevent completion of the attack and data loss…”

This is old-school, breach prevention thinking. While it is useful to categorize the different phases of an attack, assuming linearity is wrong.

The fact is that taking additional preventive actions would not necessarily have neutralized the Target attack. For example, the court points to a flaw of not blocking uploads to servers with a Russian domain. Taking this precaution would not have saved Target from the breach. The attacker could have set up US-based servers through Amazon Web Services at minimal cost. This is a good example of a dynamic, human-led attack, rather than something that is static.

Additionally, the legal contention that since the FireEye malware detection system and Symantec endpoint protection system identified suspicious activity, Target should have caught it and taken immediate action. Would detecting and removing specific malware have prevented the attack? No! It would only have neutralized one step. This was months after the attackers infiltrated the network. At this point, the attackers had numerous footholds inside Target. They could have easily chosen some other exfiltration tactics not detectable by Symantec or FireEye.

Listing the weak links compromised in an attack is easy ex post facto. But there were probably hundreds of other steps that the attackers planned, attempted and failed, taking instead the actual steps that were eventually successful. The attack was not an act of prescribed step-by-step mechanization.

Misunderstanding #2: Breaches can be prevented
The simple reality is that targeted breaches cannot be prevented in advance. The phrase “entirely preventable data breach” was stated as fact in the legal case, but it is a fiction. Unfortunately, much of the security industry suffers the same delusion.

When analyzing a data breach or a penetration test scenario, we always find weak points that can and should be strengthened. We also know that penetration tests always succeed, because they are run by well-trained, sophisticated attackers who are able to circumvent whatever specific security controls are in use given enough time and incentive. We simply need to accept as an industry that there will always be a way in to a network, and then a foothold can be established. There is no single step that can be taken in advance that would eliminate all breaches.

Misunderstanding #3: Breaches are identified by the malware
It’s clear that once the targeted attacker is through the perimeter, all preventative efforts become irrelevant. By definition, prevention systems that look for malware and other intrusions have only one chance to detect the “technical artifact” that they are built to identify, and if they miss that chance then the attacker gains a foothold in the network. But malware is generally only a small part of an active breach and may not be involved at all. And “intrusion” is only the first moment of a breach, whereas actual damage can take months to materialize.

Assuming that not all intrusions can be detected, the defender must then focus on the large volume of reconnaissance and lateral movement inside the breached network – the active part of the breach. This is the time after the initial intrusion and the resulting theft or damage – and usually lasts for months.

While the initial breach to Target’s network could not have been prevented, the attackers’ movement within the network could have been detected as the intruders explored the network and established points of control. In order to detect targeted attackers during this active attack phase, however, we as an industry needs to change the way we think about breach detection.

Giora Engel, vice president, product & strategy at LightCyber is a serial entrepreneur with many years of technological and managerial experience. For nearly a decade, he served as an officer in an elite technological unit in the Israel Defense Forces, where he initiated and ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/24/2015 | 10:13:42 AM
Re: Disturbing Settlement
I completely agree that "the law must catch up with this industry", but I don't have very high hopes for that eventuality, simply because the legislative bodies that can make that happen seem to operate in a vacuum. Take the case of the latest news regarding new proposed cyber security laws, where vague language may lead to interpretation that actually criminalizes activities by security pros (Dark Reading Radio 3/18/2015). It is frustrating and scary because the laws that intend to protect us can wind up hurting us in the long run.
Christian Bryant
Christian Bryant,
User Rank: Ninja
4/24/2015 | 12:23:26 AM
Disturbing Settlement
I'm still reading the court documents, but I'm not happy with this one.  This case should have helped establish the quickly changing security ecosystem and documented the need for more adaptive security architectures, but not placed full fault upon the security professionals behind Target's architecture and Target.

I'm all for protecting the consumer; that is the aim of InfoSec.  But damning the industry that is trying to keep up with very desperate and creative criminals is like closing prisons for being unconstitutional, letting out the inmates, and then letting citizens sue the Government for letting them out when they commit crimes.  Ok, that's mostly the irritation talking, but I see little difference.

The law must catch up with this industry, with the needs of InfoSec and show a better understanding of the gray areas of blame in cases like this one.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/23/2015 | 9:56:16 AM
Re: Great article...disconnect between law & tech
We're only at the very early stages of defining the parameters for acceptable risk and liability of a data breach. As the threats evolve, so too will our judicial system.  The Target settlement is only the first of many legal precedents to come. 
User Rank: Ninja
4/23/2015 | 9:32:00 AM
Re: Great article...
Sadly, many IT leaders are trapped in this old way of thinking. They have worked hard to build and establish their IT empire, bulldozing their way over those who do not think as they do. As long as organizations allow this type of behavior, where other ways to think about security are simply ignored or even shunned, IT infrastructures will remain a target rich environment. Instead of building security into every aspect of their infrastructure, following a solid security plan that involves every department in the organization, it is common to instead throw money and technology at the problem, hoping against hope that their investment will yield the desired ROI. What they fail to improve is the development of internal human resources, to provide solid analytical and technical skills necessary to defend infrastructures against the ever evolving and improving attack mechanisms.
User Rank: Apprentice
4/22/2015 | 4:34:57 PM
Great article...
It is misdated thinking like this (kill chains, linearity, etc) which is severely damaging organizations ability to mount effective response to determined attackers. While I could probably quibble a little with the blanket statement that 'breaches cannot be prevented'. this article does a good job of highlighting the risk of the intersection of security, liability and law.
Register for Dark Reading Newsletters
White Papers
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.