Vulnerabilities / Threats
4/22/2015
02:00 PM
Giora Engel
Giora Engel
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

The Bad News For Infosec In The Target Settlement

The legal argument behind the $10 million Class Action lawsuit and subsequent settlement is a gross misrepresentation of how attackers operate.

Central to the recent Target data breach lawsuit settlement was the idea that cyber attacks are mechanistic and follow a prescribed course or chain of events. The judge hearing the case ruled that Target is liable for not mounting an adequate defense against the 2013 cyber attack that exposed some 40 million customer debit and credit card accounts. Unfortunately, the ruling also may have serious repercussions for many of us in the security profession.

In my opinion, Judge Paul A. Magnuson’s ruling is dangerously flawed and a gross misrepresentation of how attackers operate; it ignores the fact that the breach was conducted by actual people. Preventing one event in a supposed chain will not stop a breach. Attackers will simply find another way to achieve their goal. The challenge is to identify that a targeted attack is under way and then rip the attackers out of the network.

Here are three examples of where the ruling went wrong:
Misunderstanding #1: Targeted attacks are not linear processes
The data breach lawsuit argued:
“The fundamental premise of kill chain security is that hackers must proceed through seven steps to plan and execute an attack. While the hackers must complete all of these steps to execute a successful attack, the company has to stop the hackers from completing just one of these steps to prevent completion of the attack and data loss…”

This is old-school, breach prevention thinking. While it is useful to categorize the different phases of an attack, assuming linearity is wrong.

The fact is that taking additional preventive actions would not necessarily have neutralized the Target attack. For example, the court points to a flaw of not blocking uploads to servers with a Russian domain. Taking this precaution would not have saved Target from the breach. The attacker could have set up US-based servers through Amazon Web Services at minimal cost. This is a good example of a dynamic, human-led attack, rather than something that is static.

Additionally, the legal contention that since the FireEye malware detection system and Symantec endpoint protection system identified suspicious activity, Target should have caught it and taken immediate action. Would detecting and removing specific malware have prevented the attack? No! It would only have neutralized one step. This was months after the attackers infiltrated the network. At this point, the attackers had numerous footholds inside Target. They could have easily chosen some other exfiltration tactics not detectable by Symantec or FireEye.

Listing the weak links compromised in an attack is easy ex post facto. But there were probably hundreds of other steps that the attackers planned, attempted and failed, taking instead the actual steps that were eventually successful. The attack was not an act of prescribed step-by-step mechanization.

Misunderstanding #2: Breaches can be prevented
The simple reality is that targeted breaches cannot be prevented in advance. The phrase “entirely preventable data breach” was stated as fact in the legal case, but it is a fiction. Unfortunately, much of the security industry suffers the same delusion.

When analyzing a data breach or a penetration test scenario, we always find weak points that can and should be strengthened. We also know that penetration tests always succeed, because they are run by well-trained, sophisticated attackers who are able to circumvent whatever specific security controls are in use given enough time and incentive. We simply need to accept as an industry that there will always be a way in to a network, and then a foothold can be established. There is no single step that can be taken in advance that would eliminate all breaches.

Misunderstanding #3: Breaches are identified by the malware
It’s clear that once the targeted attacker is through the perimeter, all preventative efforts become irrelevant. By definition, prevention systems that look for malware and other intrusions have only one chance to detect the “technical artifact” that they are built to identify, and if they miss that chance then the attacker gains a foothold in the network. But malware is generally only a small part of an active breach and may not be involved at all. And “intrusion” is only the first moment of a breach, whereas actual damage can take months to materialize.

Assuming that not all intrusions can be detected, the defender must then focus on the large volume of reconnaissance and lateral movement inside the breached network – the active part of the breach. This is the time after the initial intrusion and the resulting theft or damage – and usually lasts for months.

While the initial breach to Target’s network could not have been prevented, the attackers’ movement within the network could have been detected as the intruders explored the network and established points of control. In order to detect targeted attackers during this active attack phase, however, we as an industry needs to change the way we think about breach detection.

Giora Engel, vice president, product & strategy at LightCyber is a serial entrepreneur with many years of technological and managerial experience. For nearly a decade, he served as an officer in an elite technological unit in the Israel Defense Forces, where he initiated and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
4/24/2015 | 10:13:42 AM
Re: Disturbing Settlement
I completely agree that "the law must catch up with this industry", but I don't have very high hopes for that eventuality, simply because the legislative bodies that can make that happen seem to operate in a vacuum. Take the case of the latest news regarding new proposed cyber security laws, where vague language may lead to interpretation that actually criminalizes activities by security pros (Dark Reading Radio 3/18/2015). It is frustrating and scary because the laws that intend to protect us can wind up hurting us in the long run.
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
4/24/2015 | 12:23:26 AM
Disturbing Settlement
I'm still reading the court documents, but I'm not happy with this one.  This case should have helped establish the quickly changing security ecosystem and documented the need for more adaptive security architectures, but not placed full fault upon the security professionals behind Target's architecture and Target.

I'm all for protecting the consumer; that is the aim of InfoSec.  But damning the industry that is trying to keep up with very desperate and creative criminals is like closing prisons for being unconstitutional, letting out the inmates, and then letting citizens sue the Government for letting them out when they commit crimes.  Ok, that's mostly the irritation talking, but I see little difference.

The law must catch up with this industry, with the needs of InfoSec and show a better understanding of the gray areas of blame in cases like this one.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/23/2015 | 9:56:16 AM
Re: Great article...disconnect between law & tech
We're only at the very early stages of defining the parameters for acceptable risk and liability of a data breach. As the threats evolve, so too will our judicial system.  The Target settlement is only the first of many legal precedents to come. 
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
4/23/2015 | 9:32:00 AM
Re: Great article...
Sadly, many IT leaders are trapped in this old way of thinking. They have worked hard to build and establish their IT empire, bulldozing their way over those who do not think as they do. As long as organizations allow this type of behavior, where other ways to think about security are simply ignored or even shunned, IT infrastructures will remain a target rich environment. Instead of building security into every aspect of their infrastructure, following a solid security plan that involves every department in the organization, it is common to instead throw money and technology at the problem, hoping against hope that their investment will yield the desired ROI. What they fail to improve is the development of internal human resources, to provide solid analytical and technical skills necessary to defend infrastructures against the ever evolving and improving attack mechanisms.
michaelargast
50%
50%
michaelargast,
User Rank: Apprentice
4/22/2015 | 4:34:57 PM
Great article...
It is misdated thinking like this (kill chains, linearity, etc) which is severely damaging organizations ability to mount effective response to determined attackers. While I could probably quibble a little with the blanket statement that 'breaches cannot be prevented'. this article does a good job of highlighting the risk of the intersection of security, liability and law.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.