Anatomy of a Cyber Attack

Between November 27th, 2013 and December 15th, 2013, over 40 million credit and debit card details were compromised and around 70 million confidential customer records were copied from Target (a massive US retailer) servers. So how did this happen and how could it have been prevented? What lessons can be learned to prevent smaller businesses who may be less equipped from falling victim to this type of attack?

A detailed SANS report is available online with appropriate references and justifications for further reading.

Target was deliberately attacked by cyber criminals who had been exploring potential vulnerabilities. Search engines provided valuable information and resources for the criminals including:

    • Target’s vendor portal
    • Target’s vendors
    • Target’s case study on Microsoft’s website

While Target’s IT team would have implemented security controls for the organisation, these would not prove to be sufficient against dedicated individuals seeking to exploit a vulnerable supply chain with unfettered access to Target systems.

Microsoft had published a detailed Case Study concerning Target’s use of technology throughout the organisation, highlighting the communication between sites and central management of services and devices.

The cybercriminals researched the vendors relied upon by Target who would have access to Target’s vendor portal. The vendor identified and exploited by the criminals in this instance was an HVAC supplier “Fazio Mechanical”. An email was containing malicious software was sent prior to the breach which stole credentials used to access Target’s online vendor portal.

Fazio Mechanical’s credentials were exploited and, once past Target’s “Boundary” security protocols, the criminals moved laterally through the network using common network tools to perform reconnaissance.

From here, custom malware was deployed to point of sales systems which remained undetected until after the campaign. This software proceeded to gather credit card information, saving it to small data files shared throughout the network. Once enough of this data was gathered the criminals retrieved it using the default username and password for the performance monitoring and analysing software managing Target’s servers.

This resulted in massive repercussions for Target, it’s customers, employees, and banks. As well as the CEO and CIO losing their jobs, directors were threatened with removal and Banks refunded more than $200million for cards and refunds. Profits dropped 46% in the fourth quarter of 2013 during the historically lucrative holiday season.

Both Target and Fazio Mechanical had passed PCI compliance audits and checks, being certified against these regulations prior to the attack and while individual measures could have protected against a brute force attack, this directed attack would have required a more comprehensive approach.

Preventing an attack like this.

    • 1. Mail Filtering
    Fazio Mechanical could have been protected from the malicious email through mail filtering which would have prevented the rogue sender from having their email received.
    • 2. User Awareness
    User awareness training for Fazio Mechanical would have ensured knowledge of phishing attacks and the dangers of credential exposure resulting in a reduced likelihood of divulging these.
    • 3. Anti-Malware
    An effective anti-malware agent may have detected and removed the software which compromised their credentials for Target’s vendor portal.
    • 4. Multi-Factor Authentication
    Target’s vendor portal could have been enabled for multi-factor authentication, adding an extra layer of verification for vendors accessing Target’s portal.
    • 5. Whitelisted Applications
    A secure whitelist of approved applications would have potentially prevented the installation of unknown software agents, protecting the POS endpoints.
    • 6. Point to Point Encryption
    Encrypting data between the pin pad and the decryption environment would have prevented Credit and Debit card data being scraped when stored in POS memory during transactions.
    • 7. Privilege Management
    Ensuring that administrative accounts are securely locked down and not used for anything other than administrative purposes. Access, passwords and users should be monitored and logged. This could have prevented remote use and access for general purposes.

Protecting any company from a targeted criminal attack requires a multi-layered Holistic approach to security. As highlighted in the Target scenario, the supply chain must be evaluated when considering IT and data security as anyone with access could be compromised.

The UK Government and National Cyber Security Centre have produced guideline measures in the form of Cyber Essentials which companies can self-evaluate themselves against, certify with a Certification Body to prove their commitment or align themselves with a supporting company to help them through the process towards embedding security more deeply into the organisation.