
Giora Engel

The Bad News For Infosec In The Target Settlement

The legal argument behind the $10 million Class Action lawsuit and subsequent settlement is a gross misrepresentation of how attackers operate.

Central to the recent Target data breach lawsuit settlement was the idea that cyber attacks are mechanistic and follow a prescribed course or chain of events. The judge hearing the case ruled that Target is liable for not mounting an adequate defense against the 2013 cyber attack that exposed some 40 million customer debit and credit card accounts. Unfortunately, the ruling also may have serious repercussions for many of us in the security profession.

In my opinion, Judge Paul A. Magnuson’s ruling is dangerously flawed and a gross misrepresentation of how attackers operate; it ignores the fact that the breach was conducted by actual people. Preventing one event in a supposed chain will not stop a breach. Attackers will simply find another way to achieve their goal. The challenge is to identify that a targeted attack is under way and then rip the attackers out of the network.

Here are three examples of where the ruling went wrong:
Misunderstanding #1: Targeted attacks are not linear processes
The data breach lawsuit argued:
“The fundamental premise of kill chain security is that hackers must proceed through seven steps to plan and execute an attack. While the hackers must complete all of these steps to execute a successful attack, the company has to stop the hackers from completing just one of these steps to prevent completion of the attack and data loss…”

This is old-school breach-prevention thinking. While it is useful to categorize the different phases of an attack, assuming they occur in a fixed, linear order is wrong.

The fact is that taking additional preventive actions would not necessarily have neutralized the Target attack. For example, the court points to the failure to block uploads to servers under a Russian domain as a flaw. Taking that precaution would not have saved Target from the breach: the attacker could have set up US-based servers through Amazon Web Services at minimal cost and uploaded there instead. This is a good example of a dynamic, human-led attack rather than a static one.

There is also the legal contention that, since the FireEye malware detection system and the Symantec endpoint protection system identified suspicious activity, Target should have caught it and taken immediate action. Would detecting and removing the specific malware have prevented the attack? No. It would only have neutralized one step, and this was months after the attackers first infiltrated the network. By that point the attackers had numerous footholds inside Target and could easily have chosen other exfiltration tactics that neither Symantec nor FireEye would detect.

Listing the weak links compromised in an attack is easy ex post facto. But there were probably hundreds of other steps that the attackers planned, attempted and failed, taking instead the actual steps that were eventually successful. The attack was not an act of prescribed step-by-step mechanization.

Misunderstanding #2: Breaches can be prevented
The simple reality is that targeted breaches cannot be prevented in advance. The phrase “entirely preventable data breach” was stated as fact in the legal case, but it is a fiction. Unfortunately, much of the security industry suffers the same delusion.

When analyzing a data breach or a penetration test scenario, we always find weak points that can and should be strengthened. We also know that penetration tests always succeed, because they are run by well-trained, sophisticated attackers who are able to circumvent whatever specific security controls are in use, given enough time and incentive. We simply need to accept as an industry that there will always be a way into a network, from which a foothold can be established. There is no single step that can be taken in advance that would eliminate all breaches.

Misunderstanding #3: Breaches are identified by the malware
It’s clear that once the targeted attacker is through the perimeter, all preventative efforts become irrelevant. By definition, prevention systems that look for malware and other intrusions have only one chance to detect the “technical artifact” that they are built to identify, and if they miss that chance then the attacker gains a foothold in the network. But malware is generally only a small part of an active breach and may not be involved at all. And “intrusion” is only the first moment of a breach, whereas actual damage can take months to materialize.

Assuming that not all intrusions can be detected, the defender must then focus on the large volume of reconnaissance and lateral movement inside the breached network, the active part of the breach. This is the period between the initial intrusion and the resulting theft or damage, and it usually lasts for months.

While the initial breach of Target's network could not have been prevented, the attackers' movement within the network could have been detected as the intruders explored the network and established points of control. In order to detect targeted attackers during this active attack phase, however, we as an industry need to change the way we think about breach detection.
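As an added example, not code from this article, from Target or from LightCyber, the Python below contrasts the control the court pointed to (blocking uploads to servers in a given country) with the behaviour-based detection the article argues for: flagging internal reconnaissance fan-out and outbound volume anomalies, whatever country the attacker's server sits in. The host names, addresses (RFC 5737 documentation ranges), byte counts and baselines are constructed for illustration and are not Target's data.

```python
"""
Added example, not code from the Dark Reading article, from Target or from
LightCyber.  It contrasts a destination-country block rule with behaviour-based
detection of the active phase of a breach (reconnaissance fan-out and outbound
volume anomalies) over one day of constructed connection records.

Every host name, address (RFC 5737 documentation ranges), byte count and
baseline below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # internal host that opened the connection
    dst_ip: str
    dst_country: str  # what a geo-IP lookup would report; "" for internal peers
    bytes_out: int    # bytes sent from src to dst
    internal: bool    # True when dst is another host inside the network


# Constructed connection records for one day.
FLOWS = [
    # Reconnaissance: a POS host probes seven internal peers it has no business with.
    *[Flow("pos-0417", f"10.0.5.{i}", "", 1_200, True) for i in range(1, 8)],
    # Staging: the same host pushes collected data to an internal file share.
    Flow("pos-0417", "10.0.9.20", "", 48_000_000, True),
    # Exfiltration: the staging host uploads to a US-hosted server, not a .ru domain.
    Flow("staging-01", "198.51.100.23", "US", 210_000_000, False),
    # Ordinary external traffic from an unrelated workstation.
    Flow("workstation-12", "203.0.113.9", "US", 2_500_000, False),
    Flow("workstation-12", "192.0.2.44", "DE", 800_000, False),
]

# Constructed per-host baseline of normal daily outbound bytes to external hosts.
BASELINE_OUT_BYTES = {
    "pos-0417": 50_000,
    "staging-01": 1_000_000,
    "workstation-12": 3_000_000,
}


def blocked_by_geo(flows, blocked_countries=frozenset({"RU"})):
    """The control the court pointed to: uploads to blocked countries are dropped.

    Returns the flows the rule would have stopped.  An attacker who rents a
    server in an unblocked country never appears in this list.
    """
    return [f for f in flows if not f.internal and f.dst_country in blocked_countries]


def flag_internal_recon(flows, fanout_threshold=5):
    """Hosts that contact at least `fanout_threshold` distinct internal peers.

    Lateral movement and reconnaissance show up as fan-out to internal
    addresses, independent of any malware signature or external destination.
    """
    peers = defaultdict(set)
    for f in flows:
        if f.internal:
            peers[f.src].add(f.dst_ip)
    return sorted(h for h, p in peers.items() if len(p) >= fanout_threshold)


def flag_outbound_anomaly(flows, baseline, ratio=10):
    """Hosts whose external outbound bytes exceed `ratio` times their baseline.

    A host with no recorded baseline is treated as having a baseline of zero,
    so any external upload from it is flagged.
    """
    totals = defaultdict(int)
    for f in flows:
        if not f.internal:
            totals[f.src] += f.bytes_out
    return sorted(h for h, b in totals.items() if b > ratio * baseline.get(h, 0))


def summarize(flows=FLOWS, baseline=BASELINE_OUT_BYTES):
    """Run all three checks over the same records and return their findings."""
    return {
        "geo_blocked": [f.src for f in blocked_by_geo(flows)],
        "recon_hosts": flag_internal_recon(flows),
        "exfil_hosts": flag_outbound_anomaly(flows, baseline),
    }


if __name__ == "__main__":
    for check, hosts in summarize().items():
        print(f"{check}: {hosts or 'nothing'}")
```

On these records the geo rule stops nothing, because the only large upload goes to a US address, while the fan-out check names the probing POS host and the volume check names the staging host. The thresholds (five internal peers, ten times baseline) are illustrative and would be tuned per network segment; the point is that an attacker can change the destination of an upload at will, but cannot reach and collect card data without touching internal hosts and moving a volume of bytes the host does not normally send.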

Giora Engel, vice president, product & strategy at LightCyber, is a serial entrepreneur with many years of technological and managerial experience. For nearly a decade, he served as an officer in an elite technological unit in the Israel Defense Forces, where he initiated and ...

User Rank: Ninja
4/24/2015 | 10:13:42 AM
Re: Disturbing Settlement
I completely agree that "the law must catch up with this industry", but I don't have very high hopes for that eventuality, simply because the legislative bodies that can make that happen seem to operate in a vacuum. Take the case of the latest news regarding new proposed cyber security laws, where vague language may lead to interpretation that actually criminalizes activities by security pros (Dark Reading Radio 3/18/2015). It is frustrating and scary because the laws that intend to protect us can wind up hurting us in the long run.
User Rank: Ninja
4/24/2015 | 12:23:26 AM
Disturbing Settlement
I'm still reading the court documents, but I'm not happy with this one.  This case should have helped establish the quickly changing security ecosystem and documented the need for more adaptive security architectures, but not placed full fault upon the security professionals behind Target's architecture and Target.

I'm all for protecting the consumer; that is the aim of InfoSec.  But damning the industry that is trying to keep up with very desperate and creative criminals is like closing prisons for being unconstitutional, letting out the inmates, and then letting citizens sue the Government for letting them out when they commit crimes.  Ok, that's mostly the irritation talking, but I see little difference.

The law must catch up with this industry, with the needs of InfoSec and show a better understanding of the gray areas of blame in cases like this one.
Marilyn Cohodas
User Rank: Strategist
4/23/2015 | 9:56:16 AM
Re: Great article...disconnect between law & tech
We're only at the very early stages of defining the parameters for acceptable risk and liability of a data breach. As the threats evolve, so too will our judicial system.  The Target settlement is only the first of many legal precedents to come. 
User Rank: Ninja
4/23/2015 | 9:32:00 AM
Re: Great article...
Sadly, many IT leaders are trapped in this old way of thinking. They have worked hard to build and establish their IT empire, bulldozing their way over those who do not think as they do. As long as organizations allow this type of behavior, where other ways to think about security are simply ignored or even shunned, IT infrastructures will remain a target rich environment. Instead of building security into every aspect of their infrastructure, following a solid security plan that involves every department in the organization, it is common to instead throw money and technology at the problem, hoping against hope that their investment will yield the desired ROI. What they fail to improve is the development of internal human resources, to provide solid analytical and technical skills necessary to defend infrastructures against the ever evolving and improving attack mechanisms.
User Rank: Apprentice
4/22/2015 | 4:34:57 PM
Great article...
It is outdated thinking like this (kill chains, linearity, etc.) which is severely damaging organizations' ability to mount an effective response to determined attackers. While I could probably quibble a little with the blanket statement that 'breaches cannot be prevented', this article does a good job of highlighting the risk of the intersection of security, liability and law.