4/22/2015 02:00 PM
Giora Engel
Commentary

The Bad News For Infosec In The Target Settlement

The legal argument behind the $10 million Class Action lawsuit and subsequent settlement is a gross misrepresentation of how attackers operate.

Central to the recent Target data breach lawsuit settlement was the idea that cyber attacks are mechanistic and follow a prescribed course or chain of events. The judge hearing the case ruled that Target is liable for not mounting an adequate defense against the 2013 cyber attack that exposed some 40 million customer debit and credit card accounts. Unfortunately, the ruling also may have serious repercussions for many of us in the security profession.

In my opinion, Judge Paul A. Magnuson’s ruling is dangerously flawed and a gross misrepresentation of how attackers operate; it ignores the fact that the breach was conducted by actual people. Preventing one event in a supposed chain will not stop a breach. Attackers will simply find another way to achieve their goal. The challenge is to identify that a targeted attack is under way and then rip the attackers out of the network.

Here are three examples of where the ruling went wrong:
Misunderstanding #1: Targeted attacks are not linear processes
The data breach lawsuit argued:
“The fundamental premise of kill chain security is that hackers must proceed through seven steps to plan and execute an attack. While the hackers must complete all of these steps to execute a successful attack, the company has to stop the hackers from completing just one of these steps to prevent completion of the attack and data loss…”

This is old-school, breach prevention thinking. While it is useful to categorize the different phases of an attack, assuming linearity is wrong.

The fact is that taking additional preventive actions would not necessarily have neutralized the Target attack. For example, the court points to a flaw of not blocking uploads to servers with a Russian domain. Taking this precaution would not have saved Target from the breach. The attacker could have set up US-based servers through Amazon Web Services at minimal cost. This is a good example of a dynamic, human-led attack, rather than something that is static.

Additionally, there is the legal contention that, since the FireEye malware detection system and the Symantec endpoint protection system identified suspicious activity, Target should have caught it and taken immediate action. Would detecting and removing specific malware have prevented the attack? No! It would only have neutralized one step. This was months after the attackers infiltrated the network. At this point, the attackers had numerous footholds inside Target. They could easily have chosen some other exfiltration tactic not detectable by Symantec or FireEye.

Listing the weak links compromised in an attack is easy ex post facto. But there were probably hundreds of other steps that the attackers planned, attempted and failed, taking instead the actual steps that were eventually successful. The attack was not an act of prescribed step-by-step mechanization.

Misunderstanding #2: Breaches can be prevented
The simple reality is that targeted breaches cannot be prevented in advance. The phrase “entirely preventable data breach” was stated as fact in the legal case, but it is a fiction. Unfortunately, much of the security industry suffers the same delusion.

When analyzing a data breach or a penetration test scenario, we always find weak points that can and should be strengthened. We also know that penetration tests always succeed, because they are run by well-trained, sophisticated attackers who are able to circumvent whatever specific security controls are in use, given enough time and incentive. We simply need to accept as an industry that there will always be a way into a network, and that a foothold can then be established. There is no single step that can be taken in advance that would eliminate all breaches.

Misunderstanding #3: Breaches are identified by the malware
It’s clear that once the targeted attacker is through the perimeter, all preventative efforts become irrelevant. By definition, prevention systems that look for malware and other intrusions have only one chance to detect the “technical artifact” that they are built to identify, and if they miss that chance then the attacker gains a foothold in the network. But malware is generally only a small part of an active breach and may not be involved at all. And “intrusion” is only the first moment of a breach, whereas actual damage can take months to materialize.

Assuming that not all intrusions can be detected, the defender must then focus on the large volume of reconnaissance and lateral movement inside the breached network: the active part of the breach. This is the period between the initial intrusion and the resulting theft or damage, and it usually lasts for months.

While the initial breach of Target’s network could not have been prevented, the attackers’ movement within the network could have been detected as the intruders explored the network and established points of control. In order to detect targeted attackers during this active attack phase, however, we as an industry need to change the way we think about breach detection.
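As an added illustration of the behaviour-based detection this column argues for (example code written for this page, not part of the original column or of any LightCyber product), the Python below contrasts an indicator-based check, which misses an upload as soon as the attacker changes servers, with a simple internal-reconnaissance detector run over constructed connection records; all addresses, thresholds and function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed corporate address range

# Constructed connection records (src, dst, dst_port, timestamp); not real data.
# 10.1.1.5 sweeps eight internal hosts on SMB/RDP, then uploads to a cloud VPS
# that appears on no blocklist. 10.1.1.9 is ordinary file-share use.
LOG = [
    ("10.1.1.5", "10.1.2.%d" % i, port, "2015-04-22 02:00:%02d" % (2 * i))
    for i, port in enumerate([445, 3389, 445, 445, 3389, 445, 445, 445], 1)
] + [
    ("10.1.1.9", "10.1.2.10", 445, "2015-04-22 02:01:00"),
    ("10.1.1.5", "203.0.113.7", 443, "2015-04-22 02:30:00"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def signature_hits(log, blocked_ips):
    """Artifact-based control: fires only on destinations already known to be bad."""
    return [r for r in log if r[1] in blocked_ips]

def recon_hosts(log, window=timedelta(minutes=5), min_peers=5):
    """Behaviour-based control: an internal host that reaches more than
    min_peers distinct internal hosts inside one window is flagged, whatever
    tooling produced the traffic. Returns {src: distinct_peer_count}."""
    by_src = defaultdict(list)
    for src, dst, _port, ts in log:
        if ip_address(src) in INTERNAL and ip_address(dst) in INTERNAL and src != dst:
            by_src[src].append((_ts(ts), dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            peers = {d for t, d in events[i:] if t - start <= window}
            if len(peers) > min_peers:
                flagged[src] = len(peers)
                break
    return flagged

if __name__ == "__main__":
    # The blocklist holds a previously seen drop server; the new VPS is missed.
    print("indicator hits:", signature_hits(LOG, {"198.51.100.20"}))  # []
    print("recon hosts:", recon_hosts(LOG))                            # {'10.1.1.5': 8}
```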

Giora Engel, vice president, product & strategy at LightCyber, is a serial entrepreneur with many years of technological and managerial experience. For nearly a decade, he served as an officer in an elite technological unit in the Israel Defense Forces, where he initiated and ...
Comments
GonzSTL
User Rank: Ninja
4/24/2015 | 10:13:42 AM
Re: Disturbing Settlement
I completely agree that "the law must catch up with this industry", but I don't have very high hopes for that eventuality, simply because the legislative bodies that can make that happen seem to operate in a vacuum. Take the case of the latest news regarding new proposed cyber security laws, where vague language may lead to interpretation that actually criminalizes activities by security pros (Dark Reading Radio 3/18/2015). It is frustrating and scary because the laws that intend to protect us can wind up hurting us in the long run.
RetiredUser
User Rank: Ninja
4/24/2015 | 12:23:26 AM
Disturbing Settlement
I'm still reading the court documents, but I'm not happy with this one. This case should have helped establish the quickly changing security ecosystem and documented the need for more adaptive security architectures, but not placed full fault upon the security professionals behind Target's architecture and Target.

I'm all for protecting the consumer; that is the aim of InfoSec. But damning the industry that is trying to keep up with very desperate and creative criminals is like closing prisons for being unconstitutional, letting out the inmates, and then letting citizens sue the Government for letting them out when they commit crimes. Ok, that's mostly the irritation talking, but I see little difference.

The law must catch up with this industry, with the needs of InfoSec and show a better understanding of the gray areas of blame in cases like this one.
Marilyn Cohodas
User Rank: Strategist
4/23/2015 | 9:56:16 AM
Re: Great article...disconnect between law & tech
We're only at the very early stages of defining the parameters for acceptable risk and liability of a data breach. As the threats evolve, so too will our judicial system. The Target settlement is only the first of many legal precedents to come.
GonzSTL
User Rank: Ninja
4/23/2015 | 9:32:00 AM
Re: Great article...
Sadly, many IT leaders are trapped in this old way of thinking. They have worked hard to build and establish their IT empire, bulldozing their way over those who do not think as they do. As long as organizations allow this type of behavior, where other ways to think about security are simply ignored or even shunned, IT infrastructures will remain a target-rich environment. Instead of building security into every aspect of their infrastructure, following a solid security plan that involves every department in the organization, it is common to instead throw money and technology at the problem, hoping against hope that their investment will yield the desired ROI. What they fail to improve is the development of internal human resources, to provide the solid analytical and technical skills necessary to defend infrastructures against the ever-evolving and improving attack mechanisms.
michaelargast
User Rank: Apprentice
4/22/2015 | 4:34:57 PM
Great article...
It is outdated thinking like this (kill chains, linearity, etc.) which is severely damaging organizations' ability to mount an effective response to determined attackers. While I could probably quibble a little with the blanket statement that 'breaches cannot be prevented', this article does a good job of highlighting the risk at the intersection of security, liability and law.