Target confirmed Friday that the hack attack against the retailer's point-of-sale (POS) systems that began in late November triggered alarms, which its information security team evaluated and chose to ignore.
"Like any large company, each week at Target there are a vast number of technical events that take place and are logged. Through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team," said Target spokeswoman Molly Snyder via email. "That activity was evaluated and acted upon."
Unfortunately, however, the security team appears to have made the wrong call. "Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up," she said. "With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different."
[Collaboration with competitors may be the key to slowing security threats. See Retail Industry May Pool Intel To Stop Breaches.]
Target arguably wasn't breached because it failed to invest in proper information security defenses. In fact, Snyder said the company had "invested hundreds of millions of dollars in data security, had a robust system in place, and had recently been certified as PCI-compliant." Likewise, the retailer apparently heeded multiple warnings from US-CERT -- part of the Department of Homeland Security -- about the increasing threat of POS-malware attacks against retailers.
Unusually for a retailer, Target was even running its own security operations center in Minneapolis, according to a report published Thursday by Bloomberg Businessweek. Among its security defenses, following a months-long testing period and May 2013 implementation, was software from attack-detection firm FireEye, which caught the initial November 30 infection of Target's payment system by malware. All told, up to five "malware.binary" alarms reportedly sounded, each graded at the top of FireEye's criticality scale, and which were seen by Target's information security teams first in Bangalore, and then Minneapolis.
When reviewing Target's log files, digital forensic investigators also found the November 30 alerts, as well as multiple alerts from December 2, all of which tied to attackers installing multiple versions of their malware -- with the alerts including details for the external servers to which data was being sent -- Bloomberg Businessweek reported. Later on December 2, attackers began siphoning 40 million credit and debit card numbers from POS terminals, as well as personal information on 70 million customers. Ultimately, they exfiltrated at least 11 GB of data, according to Aviv Raff, CTO of Israel-based cybersecurity technology company Seculert, which found one of three FTP servers to which the data was sent. From there, the data was transferred to a server hosted by Russian-based hosting service vpsville.ru.
Obviously, had Target's security team reacted differently, they might have contained what turned into a massive data breach. But the security team didn't even have to be in the loop. The FireEye software could have been set
to delete the malware automatically, although that option was reportedly deactivated. Then again, Edward Kiledjian, chief information security officer (CISO) for aircraft maker Bombardier Aerospace, which is a FireEye customer, told Bloomberg Businessweek that Target's hands-on approach wouldn't have been unusual. "Typically, as a security team, you want to have that last decision point of 'what do I do?'" he said. Of course, not using automation puts a greater onus on security teams to react not just quickly, but correctly.
What might have caused Target's security team to ignore the alert? "In two words: 'actionable intelligence,'" said Seculert's Raff via email. "With today's amount of detection data, just signaling an alarm isn't enough. The operator/analyst should be able to understand the risk as well as the recommendation of each incident, in order to be able to prioritize."
In response to the Bloomberg Businessweek report, FireEye published a blog post saying that it's company policy "to not publically identify our customers and, as such, we cannot validate or comment on the report's claims that Target, the CIA, or any other companies are customers of FireEye." The company also dismissed Bloomberg Businessweek's assertion that FireEye "was initially funded by the CIA." The publication was likely referring to the 2009 investment in FireEye by In-Q-Tel (IQT), which is an independent, not-for-profit investment firm that was launched by the CIA in 1999. FireEye said In-Q-Tel now owns less than 1% of the firm and "has no influence on our roadmap, operations, financials, governance, or any other aspect of our business."
The malware attack against Target came after attackers first breached the retailer's network using credentials stolen from a third-party contractor. According to security reporter Brian Krebs, the contractor was heating, ventilation, and air-conditioning firm Fazio Mechanical Services. Regardless, that attack vector suggests that Target failed to segment its networks properly so that remote third-party access by a contractor couldn't be parlayed into access to the retailer's payment systems.
Target's CIO, Beth Jacobs, resigned March 5, the same day that Target promised to make a number of technology, information security, and compliance changes, including hiring its first-ever CISO. Meanwhile, the retailer said that its breach investigation continues. "Our investigation is ongoing and we are committed to making further investments in our people, processes, and technology with the goal of reinforcing security for our guests," said Target's Snyder.
Next-gen intrusion-prevention systems have fuller visibility into applications and data. But do newer firewalls make IPS redundant? Also in the The IPS Makeover issue of Dark Reading Tech Digest: Find out what our 2013 Strategic Security Survey respondents have to say about IPS and firewalls. (Free registration required.)Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio