ASSESSMENT: Target Lessons Learned
While there is a lot of information out there on how the Target hack allegedly happened, a few points have been clarified. BlackPOS was installed on systems within Target after the hackers had been inside for some time, carrying out reconnaissance and getting a handle on how to exfiltrate the data. Given the information already out there, it is postulated that the hackers got hold of the Fazio credentials to the Target portal and then leveraged that system to carry out the compromise internally. That portal traffics in Excel, Word, and PDF files, and to my mind, since the hackers had the Fazio credentials to get onto it, they simply uploaded a malware-laden file for someone internally to open and compromise their own system. The question then becomes how long it took from that moment to the moment the hackers gained access to the Target POS systems and servers on which they installed their malware.
According to PCI rules, as well as the CEO of the company (Gregg Steinhafel), Target was in PCI compliance, which means the network should have been segmented to disallow easy compromise from end-user systems and the like. Of course, we are relying on the testimony of the CEO and others at this point because we have no other reports from FireEye or anyone else to attest to that fact. In any case, the hackers got to the data and exfiltrated it while triggering alerts that should have started an Incident Response (IR) process internally at Target. This did not happen, it seems, and thus the hackers made off with all the data they wanted. The moral of the story can be summed up in an old aphorism I love to cite: “A fool with a tool is still a fool.”
The After Action Report:
According to sources close to the investigation of the incident (FireEye/Mandiant), alerts were raised on key systems infected by BlackPOS; it was detected as malware of indeterminate kind because there were no current signatures for it in the AV and IDS/SIEM systems. If the information given by the anonymous sources is accurate, then the technologies Target bought to protect its data were at best ignored and at worst turned off by the SOC managers internally at Target, perhaps because they generated too many alerts. This is a common problem with IDS/SIEM/AV systems: they need constant tuning, and in larger companies the volume of traffic passing through the sensors is huge and complex. It is not uncommon in some organizations to have no real FTEs watching those systems either, relying instead on employees who may be under-trained or not trained at all to watch over the hen house. Security, it seems, has always been an afterthought for many companies, until they get hacked and outed in the press.
In the case of Target, moves have been under way since the incident to shuffle the internal deck, so to speak, and make it seem that changes to security policy are happening. The CEO is making the rounds with legalese responses couched in flowery language that really boil down to “no comment,” and the CIO has resigned, perhaps under considerable pressure. After the incident occurred I began checking Target's security job postings and saw a lot of activity out there for workers to take over their security operations. I am assuming there has been a bit of attrition beyond the CIO, and this should really be the case given the information that has come out to date on how this attack succeeded and the failures afterwards to cope with it. Suffice it to say that the aphorism above about fools and tools certainly applies to Target in this instance, but one wonders who else it covers out there today.
The final analysis of the Target hack cannot be fully determined because the evidence is not yet public. However, the data that has come out (re: the Bloomberg piece linked above) shows a very salient fact that should be heeded by us all in INFOSEC. That fact is this: “Technology is great, but one has to use it properly to stop these things from happening.” If the Target SOC had not turned off functionality, they would have caught this attack as it happened. If the Target SOC had in fact been paying attention to the FireEye system as well as the Symantec system, they could have reacted quickly to at least attempt to catch the data being exfiltrated from their company via FTP. The sad truth is that they did not catch it, nor did they see it, because the human propensity for ease of use caused a systemic failure in security.
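As an added illustration (not from the original post, and not any vendor's product logic), this is the kind of correlation a SOC could have run over its own logs instead of muting the noise: an endpoint flagged for unclassified malware that later opens an outbound FTP session to a non-RFC1918 address gets escalated. The log lines, host names and field layout are constructed for the example.

```python
"""Escalate hosts that raise a generic-malware alert and then talk FTP
to an external address within a time window. Constructed sample data;
the 'av' and 'fw' event formats are assumptions for this example."""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <source> key=value ..."
EVENTS = [
    "2013-11-30T02:14:05 av host=pos-0117 verdict=malware.generic file=svchost.exe",
    "2013-11-30T02:15:10 fw host=pos-0117 dst=10.20.30.40 dport=445 action=allow",
    "2013-11-30T03:01:44 fw host=pos-0117 dst=198.51.100.23 dport=21 action=allow",
    "2013-11-30T03:05:12 fw host=ws-0042 dst=198.51.100.9 dport=21 action=allow",
    "2013-12-01T04:11:00 av host=pos-0301 verdict=malware.generic file=svchost.exe",
]

# RFC1918 ranges checked explicitly so the result does not depend on
# how a given Python version classifies documentation/test addresses.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(line):
    """Split one event into a dict of fields plus parsed timestamp."""
    ts, src, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["src"] = src
    return fields


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def escalate(lines, window=timedelta(hours=24)):
    """Return (host, dst, iso_time) for each outbound FTP connection to an
    external address from a host that had an unclassified malware alert
    within the preceding window. A generic alert alone is not enough;
    a generic alert followed by outbound FTP is."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    first_alert = {}  # host -> time of first generic-malware verdict
    hits = []
    for e in events:
        if e["src"] == "av" and e["verdict"].startswith("malware.generic"):
            first_alert.setdefault(e["host"], e["ts"])
        elif (e["src"] == "fw" and e["dport"] == "21"
              and e["action"] == "allow" and is_external(e["dst"])):
            t0 = first_alert.get(e["host"])
            if t0 is not None and e["ts"] - t0 <= window:
                hits.append((e["host"], e["dst"], e["ts"].isoformat()))
    return hits
```

Neither the lone generic alert on pos-0301 nor the FTP session from the never-flagged ws-0042 escalates; only pos-0117, which had both, does.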
I am sure more data will come out someday, as much as Target will allow. One has to wonder how much transparency a publicly traded company should provide and what you will actually get. The information coming out so far, if indeed true, is pretty damning to Target and its practices. I will say that I believe what has been told to reporters in confidence, given my experience over the years with corporate entities and their lackadaisical attitudes toward security. All too often companies are pretty cavalier about security, and in the case of Target all you have to do is look at the reports coming out now about how they plan on hiring a CSO for the company. It seems the CIO had no real experience and the company did not see fit to have a CSO or CISO until now. To boot, if you look at the wording, it was implied that they were seeking an internal candidate until recently. Think about that for a minute: they wanted an internal candidate for a job function in which they lacked the skill sets to begin with, and after such a spectacular failure? The word hubris comes to mind.
The ultimate takeaway I would like to leave you with is that Target is just one corporation of many with the same problems. In fact, I would hasten to add that we as a species are our own worst enemy when it comes to security, and if you add the dynamic of corporate mores, you have a recipe for epic failure. You can have all the high-tech gadgets in the world, but you can still be defeated by the human animal, either through shrewdness on their part or laziness and stupidity on yours. There is a trend today toward reliance on technology as the panacea for all of security's ills, and this must be tempered with the human nature of those who operate it before we will ever be at all secure.