Slashdot Mirror


Target Ignored Signs of Data Breach

puddingebola writes "Target ignored indications from its threat-detection tools that malware had infected its network. From the article, 'Unusually for a retailer, Target was even running its own security operations center in Minneapolis, according to a report published Thursday by Bloomberg Businessweek. Among its security defenses, following a months-long testing period and May 2013 implementation, was software from attack-detection firm FireEye, which caught the initial November 30 infection of Target's payment system by malware. All told, up to five "malware.binary" alarms reportedly sounded, each graded at the top of FireEye's criticality scale, and which were seen by Target's information security teams first in Bangalore, and then Minneapolis.' Unfortunately, it appears Target's security team failed to act on the threat indicators."

5 of 95 comments

  1. Remind me later by pushing-robot · · Score: 5, Funny

    In Target's defense, FireEye said it would have to restart the computer to remove the threats.

    --
    How can I believe you when you tell me what I don't want to hear?
  2. False to true ratio? by joe_frisch · · Score: 4, Insightful

    It isn't clear (at least to me) how many false alarms they got before they got the real one. The key to a good security monitoring system is not just to catch all the real threats, but to not flag imaginary or minor ones.

  3. Re:To be fair? by James-NSC · · Score: 5, Insightful

    I'd wager it wasn't the security team that dropped the ball. I work in the same role (I'm the most senior member of the security team), and I can tell you first hand that I don't have the authorization to act in matters of that scope independent of the executive team in situations like those. I have to forward my recommendations up the chain and get approval.

    That causes delays. Oftentimes, things then get lost at the executive level. Whenever there are contractors involved it's even worse, as they spend a week or so arguing over whose responsibility it is, who is going to pay for it, how much downtime it's going to represent, how much money they're going to lose, etc., etc., etc. Executives are also really bad at judging risk when it comes to security. They'll expose themselves and their companies to staggering amounts of risk - if for no other reason - than the fact that the failure/security breach/what-have-you isn't impacting business "right now", but shutting down an ecommerce system to patch it will impact the bottom line *right now*, and they would rather risk "maybe" losing money at some future date than know they're losing money "right now".

    Executives will mortgage their companies' futures at every possible opportunity for a few extra dollars today.

    The number of times I've taken a GLARING security issue up only to have the "how long can we leave it before it impacts business" be their main concern. If it's a vulnerability on a production, WAN facing system - but we don't have evidence of it being actively exploited - it's not considered to be as critical as taking that system offline for an hour to patch/test it. The certainty of lost revenue in that hour is more meaningful than the potential of abuse at a later date. Worst part of it all is that when that later date does come around and things get really bad, they all point their collective fingers at the security team and none of them take any responsibility whatsoever.

    You're damned if you do, damned if you don't and blamed all the way around.

    Corporate InfoSec is a very, very frustrating occupation. I feel for those poor guys at Target.

  4. Re:To be fair? by DarkOx · · Score: 4, Interesting

    The security team should have a license to kill from the executive team. We do; our instructions are, if we believe a breach is in progress, "shut it down".

    Mind you, we have never done it. We came very, very close to doing so once on a false positive. The operations team failed to inform us of some activity they were going to be doing. Fortunately the guy answered his phone, but otherwise we would have pulled the plug and islanded the entire DMZ, ecommerce and the corporate home page and all.

    After reviewing the after action report the executive team agreed and would've been right to do it given what we knew.

    That is how it should work.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  5. Have you used FireEye? by Anonymous Coward · · Score: 4, Informative

    Their alerts are the closest thing to security magic I have ever seen. Their false positive rate is astronomically low and they really do detect brand new malware.

    On the FireEye system I use at work, if it alerts we take action. Always. For URLs they sometimes get it wrong, but we see 1 false positive a year with binaries. That's way beyond impressive when protecting tens of thousands of particularly gullible users; it's downright witchcraft. We often find other systems like URL filtering, IPS or endpoint protection prevented a true infection, but we always do the homework when FireEye triggers. When you have real confidence the security threat is real, doing the legwork to confirm infection is easy.

    For Target to have ignored FireEye's data borders on criminally negligent. It's really common to dig back through IPS logs once you know something was wrong and find a trove of data about the attack. FireEye is something else altogether; it's the most actionable security intelligence I have ever seen. It's truly astonishing technology since it's so effective. It captures binaries and URLs from the wire (IPS-style), email (SMTP MTA) and file shares and runs them in VMs. If enough malicious activity is detected, like deleting itself, changing registry keys, or contacting suspicious or blacklisted IPs (along with lots of other things), the binary is flagged in an alert. It's perfect for filling in the gaps left by traditional antivirus and the noise of intrusion prevention.
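The behaviour-scoring idea described in the comment above (run the sample in a VM, add up what it does, alert past a threshold) and the false-alarm trade-off raised in comment 2, as an added example that is not FireEye's logic or anything from the original thread. The behaviour names, weights, threshold and sandbox reports are all constructed assumptions; the `evaluate` function shows how moving the threshold trades false positives against missed detections.

```python
# Added example: a toy behaviour-based verdict engine over constructed sandbox
# reports. Weights, behaviours and samples are assumptions, not any vendor's model.
from dataclasses import dataclass

# Assumed weight per observed behaviour; a real sandbox uses far richer features.
WEIGHTS = {
    "self_delete": 4,          # sample removes its own file after running
    "registry_run_key": 3,     # persistence via an autostart key
    "blacklisted_ip": 5,       # contacts an IP on a known-bad list
    "suspicious_ip": 2,        # contacts an IP with poor reputation
    "drops_executable": 2,     # writes a new PE to disk
    "registry_other": 1,       # touches registry keys unrelated to persistence
}
THRESHOLD = 6  # assumed alert threshold


@dataclass
class SandboxReport:
    sha256: str          # constructed placeholder hash, not a real indicator
    behaviours: list     # behaviour names observed while the sample ran in the VM


def score(report):
    """Sum the weights of every observed behaviour (unknown names score 0)."""
    return sum(WEIGHTS.get(b, 0) for b in report.behaviours)


def verdict(report, threshold=THRESHOLD):
    """Flag the sample as 'malware.binary' when its score reaches the threshold."""
    return "malware.binary" if score(report) >= threshold else "benign"


# Constructed labelled reports; True means the sample really was malicious.
SAMPLES = [
    (SandboxReport("a" * 64, ["drops_executable", "registry_run_key",
                              "self_delete", "blacklisted_ip"]), True),
    (SandboxReport("b" * 64, ["registry_other"]), False),                   # plain installer
    (SandboxReport("c" * 64, ["registry_run_key", "registry_other"]), False),  # legit autostart tool
    (SandboxReport("d" * 64, ["suspicious_ip", "self_delete"]), True),     # self-deleting dropper
    (SandboxReport("e" * 64, ["drops_executable", "registry_other"]), False),  # updater
]


def evaluate(samples, threshold=THRESHOLD):
    """Return (true positives, false positives, false negatives) at a threshold."""
    tp = fp = fn = 0
    for report, is_malicious in samples:
        flagged = verdict(report, threshold) == "malware.binary"
        tp += int(flagged and is_malicious)
        fp += int(flagged and not is_malicious)
        fn += int(not flagged and is_malicious)
    return tp, fp, fn
```

Lowering the threshold to 3 starts flagging the autostart tool and the updater (two false positives); raising it to 7 misses the self-deleting dropper, which is the noise-versus-coverage balance a SOC has to tune before analysts trust the alarm.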