Previously on Security-Architect, I wrote about the Target Breach that Spoiled Christmas. It truly was a massive breach, affecting perhaps 40 million cardholders, among them members of my own family. It's not a pun to say that this attack appears to have been highly targeted in the way malware was infiltrated, how it moved laterally through the network, and even in the way the loot was exfiltrated.
Targeted attacks by advanced persistent criminals on large enterprises are hard to defend against, necessitating above all a systematic, comprehensive approach to security. As speculation swirls around the attack on Target, we definitely have some lessons to learn from information from several sources. Let's dive in.
In “Target Breach Through Contractor’s Billing Link,” Paul Ziobro from the Wall Street Journal writes that “Target last week said the hackers infiltrated its system using stolen vendor credentials, without providing further detail….Cybersecurity blogger Brian Krebs on Wednesday reported that Fazio Mechanical was the vendor that was infiltrated…Fazio Mechanical operates in five states helping to install and maintain refrigerators for supermarket chains and other companies…Its clients include BJ’s Wholesale Club Inc., Costco Wholesale Corp., Supervalu Inc., Trader Joe’s and Wal-Mart Stores Inc…Target was the only customer to which Fazio Mechanical had remote access, and no other customer was affected in the breach, Mr. Fazio said.”
Lesson #1: Third party vendors are often the soft target that gets hacked to become a link in the kill chain to the enterprise. Providing third parties with remote VPN access is sometimes a necessary evil, but avoid it as much as possible. If it's absolutely required, firewall the systems so accessed into a subzone of the perimeter architecture and monitor the heck out of them (e.g. with instrumented DLP priority alerts and frequent log review). Flag the vulnerability on your risk registers to avoid creating additional dependencies on it, and prioritize its future remediation. Alert the purchasing department to continuously assess the vendor and tighten contract terms or replace it if appropriate.
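One way to do the "frequent log review" part of Lesson #1, as an added example that is not from the original post: check each remote-access event for a third-party account against the subzone it is confined to, the source network it should come from, and its maintenance window. The account name, subnets, hours and log format are constructed assumptions.

```python
# Added example, not from the original post: review third-party remote
# access logs against the subzone / maintenance-window controls in Lesson #1.
# Account name, subnets, hours and log format are constructed assumptions.
import ipaddress
from datetime import datetime
# Per-vendor policy: allowed destination subzone, source nets, maintenance hours.
VENDOR_POLICY = {
    "hvac-vendor": {
        "dest_subzone": ipaddress.ip_network("10.200.0.0/24"),
        "src_nets": [ipaddress.ip_network("203.0.113.0/24")],
        "hours": (8, 18),  # local hours; start inclusive, end exclusive
    },
}

# Constructed sample log lines: timestamp user source destination action
SAMPLE_LOG = """\
2013-11-15T09:12:01 hvac-vendor 203.0.113.7 10.200.0.15 ALLOW
2013-11-15T02:47:33 hvac-vendor 203.0.113.7 10.200.0.15 ALLOW
2013-11-15T10:03:10 hvac-vendor 203.0.113.7 10.10.5.22 ALLOW
2013-11-15T10:05:44 hvac-vendor 198.51.100.9 10.200.0.15 ALLOW
2013-11-15T11:00:00 internal-admin 10.1.1.4 10.10.5.22 ALLOW
"""

def parse_line(line):
    ts, user, src, dst, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "action": action}

def check_event(ev, policy):
    """Return the policy violations (possibly none) for one vendor event."""
    findings = []
    if ev["dst"] not in policy["dest_subzone"]:
        findings.append("destination outside vendor subzone")
    if not any(ev["src"] in net for net in policy["src_nets"]):
        findings.append("unexpected source network")
    start, end = policy["hours"]
    if not start <= ev["ts"].hour < end:
        findings.append("outside maintenance window")
    return findings

def review_log(text, policies=VENDOR_POLICY):
    """Return [(line, findings)] for third-party events that break policy."""
    alerts = []
    for line in text.splitlines():
        ev = parse_line(line)
        policy = policies.get(ev["user"])  # only vendor accounts are in scope
        if policy and (findings := check_event(ev, policy)):
            alerts.append((line, findings))
    return alerts
```

Each alert names which control the event crossed, so a reviewer can tell an off-hours login from a hop out of the vendor subzone, which is the lateral-movement signal this lesson is about.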
In New Clues in the Target Breach, Brian Krebs reports that “attackers were able to infect Target’s point-of-sale registers with a malware strain [of BlackPOS] that stole credit and debit card data. The intruders also set up a control server within Target’s internal network that served as a central repository for data hoovered up from all of the infected registers.”
Krebs goes on to cite and analyze a Dell SecureWorks report speculating that a BMC system management account vulnerability on the “control server in Target’s network” facilitated lateral movement of data out of the compromised point of sale (POS) systems in preparation for later exfiltration.
Defense-in-depth is the only protection once hackers have infiltrated the network, an unfortunate circumstance that’s not a matter of if, but a matter of when for large enterprises. In fact, smart security pros operate from the premise that their network is already compromised. However, as described in Lateral Movement: There’s No Patch for Privilege Escalation, “Although administrator accounts at the top of the administrative hierarchy may be heavily protected, the rest of the IT environment is not typically hardened to the same level.”
Lesson #2: Check out the recommendations in that post on how to address this systemic weakness in the soft underbelly of IT security.
Apparently, even Krebs still doesn’t actually know how the malware initially infiltrated Target. Undaunted, he continues his cyber-investigation and speculation in These Guys Battled BlackPOS at a Retailer. This post describes Krebs’ interview with Tom Arnold and Paul Guthrie from a security firm called PSC that investigated retail breaches of POS systems presumed similar to Target’s.
The investigators noted that application whitelisting software from vendors such as Bit9, Lumension or McAfee is often deployed on POS systems. These tools are an alternative to conventional anti-virus; “whitelisting” turns the “blacklisting” signature-scan paradigm on its head by allowing only known-good software to be installed on, or even execute on, the system. They are popular on POS systems, which are static enough to require only infrequent updates of the whitelist.
Even POS systems, however, need occasional patching. Krebs’ sources speculate: “The software update processes at a point-of-sale that is running one of those [whitelisting applications] has to come through one of the software update channels and has to be reviewed for the update and approved. And when it’s approved, the whitelisting software says okay this patch is approved to come online…three possible [vectors of infection]… it could come through a legitimate update channel, or the retailer was lax in their update procedures, or the attackers hacked the console of the whitelisting software and just whitelisted it themselves.”
Lesson #3: Beware of vulnerabilities in the security software itself, especially if the software has access to your internal network systems for the distribution of whitelists, patches or other updates. As noted in Lesson #2 above, make sure the account management process for system accounts is hardened to restrict potential lateral movement of malware through the enterprise. Often, as Krebs’ sources note, it is the consoles of management tools that expose the most dangerous vulnerabilities. Therefore, restrict both network access and administrator access to security management consoles, for they hold the proverbial keys to the kingdom.
Krebs closes on a not-so-cheery note: “Anyone hoping that this retail breach disclosure madness will end sometime soon should stop holding their breath: In a private industry notification dated January 17 (PDF), the FBI warned that the basic code used in the point-of-sale malware has been seen by the FBI in cases dating back to at least 2011, and that these attacks are likely to continue for some time to come.”
Lesson #4: Change your credit cards frequently!
- After the Breach provides additional recommendations for what companies and individuals can do in the wake of a breach to reduce the fallout.