As a security professional, I find that every breach provides a valuable lesson. As more information is revealed about how a breach took place, I’m always careful to take something valuable away from it. This is a really high profile breach which in many ways is unprecedented. Not only was the malware extremely sophisticated and able to infect a massive number of point-of-sale terminals undetected, but the sheer magnitude of the card data stolen is also impressive. Unfortunately, I think we are only at the beginning of a new age for digital security. Most companies plan for “when” a breach happens, not “if”. One of the things I find interesting in Target’s situation is that they claimed to have well designed and thorough security controls in place. Despite this, the breach happened, and the reasons why it happened are a great lesson to be learned. The numbers in the Verizon Data Breach Investigations Report for 2013 bear this out. In 2013, 24% of breaches targeted the retail industry. While the financial industry makes up the highest percentage, retail outlets are often less prepared, yet they hold much of the same PCI-regulated card data that banks and credit unions must protect under compliance regimes such as GLBA. In 76% of these breaches, stolen credentials played a role. Recent press has reported that the Target breach has been traced to compromised credentials belonging to one of Target’s close vendors, an HVAC company named Fazio Mechanical. In this case, the criminals targeted Target through their vendor: they attacked the HVAC company with a sophisticated phishing attack delivering what is believed to be a version of the Citadel malware (based on the ZeuS banking trojan).
1. Vendor security should be a top priority. Despite Fazio Mechanical’s statement claiming they comply with industry standards, Fazio Mechanical is believed not to have had adequate security measures in place to prevent this attack. In fact, it has been reported that they were using a free version of a popular home-use anti-malware client that did not provide real-time protection. Fazio had a direct data connection to one of Target’s outside-facing billing systems (Ariba), which is believed to have been exploited as part of the attack. The stolen credentials were most likely Active Directory credentials, which were then used to exploit the server application’s access to the rest of the network. Companies must consider how each external or vendor-facing application could be exploited. The mindset has to be: “If someone with malicious intent obtains these credentials, what could they possibly achieve using this vendor-facing system?” Beyond that, the security of each vendor must be evaluated and verified. I wonder whether Target would have re-evaluated their vendor contract if they had learned that Fazio was running a free home-use version of malware protection in violation of its license. I think companies should be doing their due diligence by verifying that anyone who has access to their network and/or vendor-facing systems has adequate security in place on their own networks. Requiring an attestation such as SAS-70 from your vendors proves that the vendor not only has controls, but that the controls are being used adequately. This is extremely important, especially in higher-risk vendor relationships such as VPN and extranet access.
2. Network segregation is a huge factor in securing vendors. Many times, vendor credentials carry authorization beyond the normal bounds of a typical user, whether from a network segregation point of view or even at the database level. Target may have put a lot of due diligence into their VPN-access vendors, but could have failed to treat their other vendor-facing applications with the same care. A set of vendor credentials should always fall under the least privilege concept. If a database consultant has VPN access to maintain a set of servers, his network authorization should only allow him to reach those servers, not the entire network. In this case, having the payment system network properly segregated from the vendor-facing system may have prevented this breach.
3. Blacklisting is not an effective form of protecting systems from targeted malware. I’ve been saying this for a while now, but the anti-virus and anti-malware industry’s current methods are becoming obsolete, especially against targeted attacks. Not only was Fazio’s network compromised easily by a common yet advanced trojan, but Target’s own point-of-sale systems were eventually compromised using a sophisticated form of malware which was able to scrape the RAM for card data before the cards were even approved or denied. The fact of the matter is that detection rates for traditional signature-based and anomaly-based methods range from 40 to 60%. The only true preventive method against targeted attacks is whitelisting. Vendors such as Bit9 and Savant come to mind. Not only could they have prevented the attack, but they could have alerted on the attempt. Enforcing change management on system files such as DLLs and kernel-level files really is the only way to prevent this form of attack, where no signature or behavior was known in advance.
4. Context-based monitoring is key in detecting malicious behavior with known-good credentials. What Target was missing was the ability to be alerted on abnormal behavior by the vendor credentials. While a vendor logging in to a system during its normal baseline of times is no reason for concern, those same credentials being used to log into various other systems should have been a red flag. For instance, if vendor credentials were used at 3 a.m. on a system unrelated to the vendor’s role, then there should be an alert in place that flags this behavior. Modern SIEM products such as IBM’s QRadar can easily do this. Reference sets and rules can be created to alert on any of this activity based on the context of usage. I think a big part of preventing breaches like this is understanding what is happening on your network and being alerted to abnormal activity, even if it is by trusted credentials.
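To make the whitelisting and change-management idea from point 3 concrete, here is an added example (not code from the original post, nor from Bit9 or Savant): a default-deny allowlist keyed on file path and SHA-256, with a constructed "approved build" of a POS host and a constructed tampered state. The file paths and contents are stand-ins for real binaries.

```python
import hashlib

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Constructed "approved build" of a POS host (path -> content standing in for a binary).
APPROVED_FILES = {
    "C:/POS/pos.exe": b"pos application v4.2",
    "C:/POS/cardio.dll": b"card reader interface v1.1",
    "C:/Windows/System32/ntoskrnl.exe": b"kernel image",
}

# Constructed post-change state of the same host: one approved DLL altered, one new file dropped.
COMPROMISED_HOST = dict(APPROVED_FILES)
COMPROMISED_HOST["C:/POS/cardio.dll"] = b"card reader interface v1.1 [tampered]"
COMPROMISED_HOST["C:/Windows/System32/svc_update.dll"] = b"component never approved"

def build_allowlist(files):
    """Record the SHA-256 of every approved file; this is the change-management baseline."""
    return {path: sha256(content) for path, content in files.items()}

def verify_host(allowlist, current_files):
    """Compare what is on the host against the baseline.

    'modified': approved path whose hash changed (unapproved change to a system file)
    'unknown':  path never approved (would be blocked from executing)
    'missing':  approved path no longer present
    """
    findings = {"modified": [], "unknown": [], "missing": []}
    for path, content in current_files.items():
        expected = allowlist.get(path)
        if expected is None:
            findings["unknown"].append(path)
        elif sha256(content) != expected:
            findings["modified"].append(path)
    for path in allowlist:
        if path not in current_files:
            findings["missing"].append(path)
    return findings

def may_execute(allowlist, path, content):
    """Default-deny: a binary runs only if both its path and its hash match the allowlist."""
    return allowlist.get(path) == sha256(content)
```

Every finding in `verify_host` is also an alert opportunity, which is the "alerted to the attempt" property the post attributes to whitelisting.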
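The context-based rule described in point 4, as an added example that is not from the original post and is not QRadar rule syntax: a vendor account is scored against a hypothetical baseline of expected hosts and hours, and a hypothetical reference set of payment-segment hosts escalates the severity. The log lines, account names and host names are all constructed.

```python
from collections import namedtuple
from datetime import datetime
Event = namedtuple("Event", "time account host")

# Constructed sample logon lines (illustrative only, not real Target data).
SAMPLE_LOG = """\
2013-11-15T10:02:11 svc-hvac-vendor BILLING-ARIBA-01
2013-11-15T14:47:03 svc-hvac-vendor BILLING-ARIBA-01
2013-11-27T03:12:45 svc-hvac-vendor DC-01
2013-11-27T03:14:02 svc-hvac-vendor POS-REG-117
2013-11-27T09:30:00 jdoe WS-ACCT-22
"""

# Hypothetical baseline per vendor account: hosts it is expected on and its working hours.
VENDOR_BASELINE = {
    "svc-hvac-vendor": {"hosts": {"BILLING-ARIBA-01"}, "hours": range(7, 19)},
}

# Hypothetical reference set of payment-segment hosts; a vendor logon there is escalated.
PAYMENT_SEGMENT = {"POS-REG-117", "POS-REG-118"}

def parse_log(text):
    """Parse '<ISO timestamp> <account> <host>' lines into Event tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, host = line.split()
            events.append(Event(datetime.fromisoformat(ts), account, host))
    return events

def evaluate(event, baseline=VENDOR_BASELINE, payment_hosts=PAYMENT_SEGMENT):
    """Return (severity, reasons); severity is None when the logon fits the baseline."""
    profile = baseline.get(event.account)
    if profile is None:
        return None, []  # not a vendor account: outside this rule's scope
    reasons = []
    if event.host not in profile["hosts"]:
        reasons.append("host outside vendor scope")
    if event.time.hour not in profile["hours"]:
        reasons.append("outside baseline hours")
    if not reasons:
        return None, []
    return ("critical" if event.host in payment_hosts else "high"), reasons

def find_anomalies(text):
    # Collect (severity, account, host, reasons) for every logon outside its baseline.
    results = [(ev, evaluate(ev)) for ev in parse_log(text)]
    return [(s, ev.account, ev.host, r) for ev, (s, r) in results if s]
```

The two daytime logons to the billing system produce nothing; the 3 a.m. logons to a domain controller and a register host are the ones that fire, with the register escalated because it sits in the payment segment.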