Security Monitoring of FireEye Off-Target During 2013’s Big Retail Breach
“The biggest retail hack in U.S. history wasn’t particularly inventive…It’s a measure of …how conventional the hackers’ approach [was] that Target was prepared for such an attack…As they uploaded exfiltration malware to move stolen credit card numbers—first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia—FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then…Nothing happened.”
I guess that when I wrote “Lessons Learned from the Target Attack”
- Third party vendors are often your weak link
- Defense-in-depth is the only protection once hackers have infiltrated the network
- Beware of vulnerabilities in the security software itself
…I should have added something about security monitoring. Although you could say that security monitoring is part of defense-in-depth, so I sort of covered it. But what I didn’t know then was that Target had deployed FireEye – a leading vendor in advanced anti-malware sandboxing – and that they had a round-the-clock security monitoring team in Bangalore watching the logs and the alerts from the security software.
The Bloomberg article speculates: “It is possible that FireEye was still viewed with some skepticism by its minders at the time of the attack.” But the article also raises the possibility that the Minneapolis security operations center (SOC) was in disarray because “the SOC manager…departed the company in October…leaving a crucial post vacant” (just before the attack started in November).
Bottom line: Something was going wrong in Target’s SOC. We don’t know conclusively yet whether it was a people problem or a technology problem. But we do have a new lesson learned:
- Make sure incident response is well-staffed and running smoothly