Lessons Learned from the Target Breach

Anyone involved in cybersecurity (practitioners, managers, researchers, vendors, etc.) should make sure to read and internalize the Senate report released yesterday titled, A “Kill Chain” Analysis of the 2013 Target Data Breach. The report takes readers through each step of the well-established Lockheed Martin “kill chain,” illustrating how the initiation of the Target attack, how it progressed, and what Target should have done to prevent, detect, and respond at each phase.  (Note:  In addition to the Senate report, there is an excellent synopsis of the Target breach in this BusinessWeek article). 

These two publications lay out the whole enchilada – from the initial incursion, through the breach, to the public announcement on December 19, 2013.  In fact, Target CFO John Mulligan testified before the U.S. Senate Committee on Commerce, Science, and Transportation yesterday (March 26, 2014), to update the Feds on the breach itself and its aftermath.

The report points to some fundamental cybersecurity errors in terms of people, process, and technology.  These issues are well-documented so there’s no need to repeat them here, but I did come away with a few additional thoughts after reading through each publication:

1.  The cybersecurity skills shortage probably had an influence on the Target breach.  According to ESG research, 39% of enterprise organizations say that their biggest incident detection/response challenge is a “lack of adequate staff,” while 28% claim that their biggest incident detection/response challenge is a “lack of adequate skills.”  I believe these kinds of skills issues may have been in play at Target.  Why?  First, the BusinessWeek article reveals that Target’s Security Operations Center (SOC) manager left the company in October, before the breach.  Other SOC personnel may have depended upon their manager’s skills and authority, and thus Target took a big cybersecurity skills hit at the exact time of the attack.  The report also postulates that cybercriminals were able to advance the attack using a default administrator password of a BMC software product.  It may be that an overworked IT security and operations team simply missed this obvious security faux paux.  Finally, the security staff did not act when it was alerted by FireEye anti-malware systems and its cybersecurity support staff in India.  Clearly FireEye and the India team did their job, but these alerts still required Target’s Minnesota-based security team to investigate the incident further.  It’s likely that this over-worked team was buried under the volume of holiday transactions and an avalanche of other security alerts, so they decided to fight other fires. 

2.  The notion of a network perimeter is ancient history.  Didn’t the Jericho Forum warn about “de-perimeterization” about 10 years ago?  In spite of this caution and everything that’s happened since then, the Target breach was initiated through the compromise of one of the retailer’s service providers, a small HVAC company in PA (i.e. outside the network perimeter).  This is just a blind guess but I’ve got to believe that this heating and air conditioning firm isn’t staffed by ex-NSA cybersecurity experts.  Of course, third-party suppliers, business partners, and customers need network access, but Target let these outsiders in with basic user name/password authentication, and didn’t do nearly enough to segment the network to keep them out of sensitive areas.  So Target opened its network to outsiders without managing cyber supply chain risks in an adequate fashion – an all too common mistake. 

3.  Incident response has become a cybersecurity bottleneck.  Information security best practices put a lot of emphasis on incident prevention with things like hardened system configurations, access controls, antivirus software, etc.  Around 2010, APTs demonstrated that the bad guys were pretty adept at circumventing existing security controls, so the industry turned its attention to all kinds of tools and analytics for incident detection.  Okay, we’re now addressing two-thirds of the process but what about incident response?  Unfortunately, it’s hard to deal with this quagmire because incident response is highly specialized and requires precise details about network assets, traffic patterns, historical behavior, system configurations, etc.  When the Target SOC team received alerts from FireEye and India, they had a choice – investigate the alerts (i.e. when did they happen, which systems were impacted, which IP addresses did the compromised systems contact, what changes were made to these systems, etc.), or dismiss them as false positives.  It takes time, skills, and diligence to perform this type of investigation.  Yes, security analytics can help here but you still need people who know what the data is telling them.  The Target team failed to do the necessary grunt work, placed a bet on “false positive,” and lost. 

4.  Basic blocking and tackling is still important.  I’ll be the first person to admit that cybersecurity has become a highly complex discipline requiring advanced technical skills.  That said, it’s easy to get carried away with science fiction and forget the basics.  For example, Target could have isolated its partner portal in the DMZ or on a VLAN with no access to the production network.  Additionally, Target could have installed application control software on its POS systems (which are Windows PCs under the covers), to block all unapproved software from installing.  Finally, Target should have changed the default password on the BMC software, required multi-factor administrator authentication, and monitored all privileged user activity.  This is cybersecurity 101 and is still necessary. 

As more details come out, Target will likely remain the poster boy for cybersecurity ineptness.  Clearly the company deserves some of this ridicule but I can tell you from experience and volumes of research that the issues described above and in the Senate report are far more common than most people think.  It’s likely that the focus on Target will quickly fade when the next big breach occurs.  Given the state of cybersecurity, it is likely to happen at any time.