Details of the Target Credit Card Breach

Long and interesting article about the Target credit card breach from last year. What's especially interesting to me is that the attack had been preventable, but the problem was that Target messed up its incident response.

In testimony before Congress, Target has said that it was only after the U.S. Department of Justice notified the retailer about the breach in mid-December that company investigators went back to figure out what happened. What it hasn't publicly revealed: Poring over computer logs, Target found FireEye's alerts from Nov. 30 and more from Dec. 2, when hackers installed yet another version of the malware. Not only should those alarms have been impossible to miss, they went off early enough that the hackers hadn't begun transmitting the stolen card data out of Target's network. Had the company's security team responded when it was supposed to, the theft that has since engulfed Target, touched as many as one in three American consumers, and led to an international manhunt for the hackers never would have happened at all.

This is exactly the sort of thing that my new company, Co3 Systems, solves. All of those next-generation endpoint detection systems, threat intelligence feeds, and so on only matter if you do something in response to them. If Target had had incident response procedures in place, and a system in place to ensure they followed those procedures, it would have been much more likely to have responded to the alerts it received from FireEye.

This is why I believe that incident response is the most underserved area of IT security right now.

Posted on March 17, 2014 at 9:10 AM • 29 Comments

Comments

Carl 'SAI' MitchellMarch 17, 2014 10:01 AM

A big problem with IDSs is the sheer volume of alerts. The automatic classification systems are often poor, so if your admins don't set up a good custom logfile parser they'll miss things due to the sheer volume of information. FireEye is better than most here, but for a business the size of Target I'd bet it's still putting out more false positive alerts than anyone can reasonably respond to, especially if it was installed and left in its default configuration.

Aaron AndruskoMarch 17, 2014 10:58 AM

Farming out the first responders was a mistake. Sounds like ring 0 new about it and our minneapolis fellows didn't want to take any pages. Someone should defect from target and write a book :D

BenMarch 17, 2014 11:55 AM

I would expect the base rate fallacy is the real cause here. Very likely that the few positives were drowned in a sea of false positives.

zMarch 17, 2014 1:13 PM

“Target was certified as meeting the standard for the payment card industry (PCI) in September 2013..."

"A statement on Fazio’s website says its IT systems and security measures are in compliance with industry practices..."


I refuse to believe either one was hacked. They both complied with standards after all! Big, shiny ones!


DanielMarch 17, 2014 1:13 PM

In my observation the real problem isn't statistical but human. Companies resent spending money on security because they feel that it is, for the most part, an unproductive investment. At best it prevents something bad from happening and at worst it is simply a money pit. So they go cheap...security theater...and hire people with security degrees who wouldn't even now how to hack into a system themselves. The reason the students have no basic practical experience with hacking is because universities run scared from lawsuits or the bad press that would happen should one of their students go rogue. Universities are so paranoid about producing a "bad guy" that they mostly produce incompetent good guys.

So while protocols and plans and design and automation is all well and good at some point in time the actionable response is triggered by a human...and for the most part that human is an over-educated idiot.

GopiballavaMarch 17, 2014 1:14 PM

"Farming out the first responders was a mistake. Sounds like ring 0 new about it and our minneapolis fellows didn't want to take any pages"

I wonder if there are any cultural or hierarchic issues here?

I worked (outside the US) in a company with a lot of expats from India and Bangladesh, who were both on the lowest rung in the ladder and who'd grown up in their respective cultures.

Having the ring 0 guys feel like easily replaceable people outside the management hierarchy would make them far less likely to ask somebody higher up, "Hey, I think we sent along a really important notification, any idea what happened to it?"

They did their job. They passed something along. Wasn't their responsibility to do anything else.

I have no idea what sort of notifications or what volume of notifications were going around but I am now thinking of the stories I've read about airplane accidents where the co-pilot was afraid to tell the pilot how serious the problem was.

Simon JesterMarch 17, 2014 1:27 PM

Speaking from experience as a former member of a Fortune 50 Incident Response Team, all higher management wants is to be able to check off the action items required to meet basic certs for finance. Any changes that would increase security and/or decrease vulnerability are measured against short-term changes in the assets available or stock-market ticks against the shareholders. My frustration was always being told that solving the problem wasn't worth the investment or would "impact the bottom line".

I wonder how Target is enjoying their "bottom line" now...

Brandioch ConnerMarch 17, 2014 2:41 PM

@Carl 'SAI' Mitchell

FireEye is better than most here, but for a business the size of Target I'd bet it's still putting out more false positive alerts than anyone can reasonably respond to, especially if it was installed and left in its default configuration.
And that is why "compliance" is not the same thing as "security".

I've seen companies "comply" with whatever regulations simply by installing X. Once it is installed, it can be ignored because the check box is checked.

It's not about "security". It's about whatever is easiest/cheapest TODAY.

TomMarch 17, 2014 2:48 PM

In this case, incident response is secondary to event analysis. If you generate thousands of alarms a day, you can't triage them effectively through an incident response system.

Classic SIEM tuning / security event analysis optimization has to be applied first before the alarms can be interpreted properly.

Coyne TibbetsMarch 17, 2014 6:40 PM

I appreciate the add for Co3, bt it won't help. No software or process is good enough to overcome being ignored

zMarch 17, 2014 7:16 PM

@Coyne Tibbets

True, but a lot of work can be done to make IDS software cut down on the false positives that cause it to be ignored.

Chris AbbottMarch 17, 2014 9:57 PM

The first big contract I got was with a community center that called me for incident response. Their old IT person starting acting weird and had to be let go. On her way out, she blocked everyone out of their network, planted malware on every PC giving her remote access and then destroyed all of their databases. While I was there putting the fire out, she actually showed up at the door with an axe, yes, an axe. I hid under a desk until she left. Talk about incident response...

Moira VasquezMarch 18, 2014 7:56 AM

This article is long, yet contains valid points about incident response. On the other hand, it would also be interesting to see educated, fact based opinions on how the incident could have been prevented as well. My experience is products like like FireEye will reveal many positive positives (rather than false positives). The tool does what it aims to do, which is showing how AV, IDS and traditional firewalls are not working. Is an ounce of prevention no longer a pound of cure?

In many ways I fear our industry is failing business financially and operationally by hyper focusing on response as the best solution.

ArkhMarch 18, 2014 11:25 AM

"No software or process is good enough to overcome being ignored"

Until hunter-killer robots are available on the market. When some terminator-like android comes knocking at your door for each alert, you're not gonna ignore it.

Slava GomzinMarch 18, 2014 2:39 PM

Neither PCI DSS compliance nor IDS would stop the card data breaches as payment card systems are vulnerable by design. Once a hacker discovers a new exploit and sneaks into the merchant’s network, the fortress falls. There is nothing inside that protects the sensitive cardholder data from being stolen. The only real solution to this problem is point-to-point encryption. I have published a more detailed analysis of Target breach in VentureBeat: Target, Neiman-Marcus, Michaels: How PCI data security standards are failing us.

yesmeMarch 18, 2014 4:51 PM

@Chris Abbott

It could be interesting to know. Who knows she is working for the NSA. But serious, your story ... scary.

Clive RobinsonMarch 19, 2014 3:55 AM

@ Chris Abbott, yesme,

Whilst not as dramatic I've seen a couple of "Ex-employee" revenge strikes, one of which put a company out of business because it got the company owner jailed.

There are some consultant organisations that give guidence on how to spot the "over the edge types" the problem is when you apply their guidence to IT techs and similar way way way more fit the catagory than the supposed norm.

How ever collected statistics sugest that it's less likely to happen with IT types techs ans engineers than it is with managment and sales types.

One study I've seen done by a forensics organisation actualy shows that by far the worst offenders are partners and such like in marketing and law firms etc where their revenge is stealing the clients, letting confidential information/evidence find it's way over to the competitor etc. In fact many appear to assume it's going to happen before they join the company and squirel stuff away from day one of their employment...

I guess the reason we here about it in happening in IT is actually it's scarcity makes it way more news worthy.

vas pupMarch 19, 2014 2:52 PM

@Clive. Revenge is very powerful motive. It is rooted to the general biological feeling of fairness and balance. Even some mammals (not only our close relatives like apes or primates) are very stressed when encounter injustice (e.g. unfair food distribution during some bio-psychological experiments). Injustice than triggers fly or flight response activated unconditionally right away. mammals have their own mechanism of risk assessment to select one of those responses (avoidance or confrontation). Humans differs because they could postpone and plan their revenge. Completed revenge brings catharsis of the stress generated by injustice (real or imagined). Most of the people eliminate that stress by different types of psychological defense rather than revenge, but not resolved the stress - just sweep it under the rug of conscious. Have you read 'The Count of Monte Cristo' by A.Dumas?
It contains all answers to the subject matter.
People with mental problem usually react disproportionately to injustice towards them.
As example, below is link the to latest case of mass shooting in Turkey: http://www.euronews.com/2014/03/19/turkey-office-worker-kills-six-staff-then-shoots-himself/

Craig McQueenMarch 19, 2014 7:33 PM

Is this a case of something that seems obvious in hindsight? Similar to 9/11 where the circumstances of the pilot training seemed obvious in hindsight. But before the event, the data is buried in all the noise.

SamMarch 20, 2014 6:03 AM

Those of us who follow your blog are in the know of your connection with Co3 Systems, however it would have been prudent to make that clear in the bog, as you usually do.

SomebodyMarch 20, 2014 10:27 AM

The definition of "false positive" is not "more information than I care to deal with".

IMVU Credits Generator 2014March 20, 2014 9:51 PM

Appreciate your a further spectacular article. The spot in addition may any individual have that form of data ordinary fantastic way of writing? I've a display following 1 week, exactly what within the look for similarly info.

Denise MacColemanMarch 21, 2014 9:42 AM

As of yesterday, there was a $251.00 charge from Target on my Walmart money card, I use to send money to my daughter. She nor I have been to Target in months. This breach is still active. They sent me new cards a couple of months ago. This was the new card.

AnuraMarch 21, 2014 5:42 PM

@Denise MacColeman

That probably has nothing to do with the Target breach; it may have been used in Target, but it could have been stolen from anywhere.

Robert GoldmanApril 16, 2014 4:53 PM

We are left conjecturing about Target's performance in a vacuum. It would be really helpful to know how many alerts they were trying to handle every day. If they were flooded, as some assert, it makes the failure to respond understandable.

Indeed, if security systems are flooding response personnel with more alerts than they can field, the security systems may actually be a negative value for the companies fielding them. Such systems would leave the companies seeming to be blameworthy for breaches, even if they don't provide the information needed to prevent them.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.