The recent Target breach provided the security industry with much to talk about, with wildly varying views on “what happened”, and no doubt with many of the vendors jumping up with their panacea for such incidents.
Now the dust is settling on the incident and more of the detail is starting to filter through into the public domain, the background is becoming clearer – with respected blogger and security writer Brian Krebs offering probably the best view of “what happened”. You can read his article here, although in short he states that the combination of a 3rd party supplier breach utilising an industrialised version of spear phishing is most likely to blame.
Let’s take those 2 items one at a time and think about them a little. First of all, the 3rd party supplier consideration: here is a major retailer using a 3rd party organisation which it may have considered relatively harmless given the nature of the engagement, yet it is alleged that this organisation (along with other 3rd parties) had access to a billing system in the core of the Target network, and potentially with a simple login (i.e. no 2-factor authentication).
For the 2nd part, to quote Krebs directly: “Many of these email malware attacks start with shotgun attacks that blast out email far and wide; only after the attackers have had time to comb through the victim list for interesting targets do they begin to separate the wheat from the chaff.” In other words, what we at Proofpoint would describe as a “longlining” attack.
So, to the lessons to be learned from this recent attack:
1) Ensure that 3rd party supplier assessments are robust and appropriate to the potential risk
2) Ensure that any 3rd party access to internal systems is subject to the same stringent access as an internal user
3) Segregate systems that are accessed by external parties
4) Review processes and controls for email and advanced threat detection
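Lessons 2 and 3 are easy to state and easy to let slip in practice, so the simplest way to make them stick is to audit authentication logs for them continuously. The following is an added illustration, not code from Proofpoint or from the original post: it runs a small audit over a handful of constructed, syslog-style authentication events and flags any successful login by a vendor account that either did not use 2-factor authentication or landed on a host outside the segregated vendor zone. The log format, the `vendor.` account naming convention, the zone names and every host name are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample authentication events; the format, host names, zones and
# accounts are invented for this example and do not describe any real system.
SAMPLE_LOG = """\
2013-11-27T08:01:12Z auth host=billing-app-01 zone=core user=vendor.hvac method=password mfa=no result=success
2013-11-27T08:03:45Z auth host=vendor-portal-01 zone=vendor-dmz user=vendor.hvac method=password mfa=yes result=success
2013-11-27T08:10:02Z auth host=billing-app-01 zone=core user=jsmith method=password mfa=yes result=success
2013-11-27T08:12:30Z auth host=pos-gw-02 zone=core user=vendor.cleaning method=password mfa=no result=failure
2013-11-27T08:15:00Z auth host=vendor-portal-01 zone=vendor-dmz user=vendor.cleaning method=password mfa=yes result=success
"""

# Assumed conventions: third-party accounts carry a "vendor." prefix and are
# only ever expected to authenticate to hosts in the segregated vendor zone.
VENDOR_PREFIX = "vendor."
VENDOR_ZONES = {"vendor-dmz"}

# "<timestamp> auth key=value key=value ..." is the assumed line shape.
LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<kv>.*)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    host: str
    reason: str


def parse_line(line):
    """Return the event's fields as a dict, or None if the line is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields


def audit(log_text):
    """Flag successful vendor logins that violate the MFA or segmentation rule."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or not ev.get("user", "").startswith(VENDOR_PREFIX):
            continue
        # Failed attempts are worth counting elsewhere; here only successful
        # access by a third party is in scope.
        if ev.get("result") != "success":
            continue
        if ev.get("mfa") != "yes":
            findings.append(Finding(ev["ts"], ev["user"], ev.get("host", "?"),
                                    "vendor login without MFA"))
        if ev.get("zone") not in VENDOR_ZONES:
            findings.append(Finding(ev["ts"], ev["user"], ev.get("host", "?"),
                                    "vendor login outside vendor segment"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.user}@{f.host}: {f.reason}")
```

On the sample data the only event that trips both rules is the vendor account reaching the core billing host with a password alone, which is exactly the combination the lessons above are meant to rule out; the same account's later login through the vendor portal with MFA passes cleanly. In a real deployment the account list and zone map would come from the identity provider and the network inventory rather than from naming conventions.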
In the case of 4, this incident has arguably proven once again that the humble email and clever obfuscation techniques were the first step to a very expensive breach for one of the largest retailers in America. We know that traditional email filtering isn’t enough – and nor are the new advanced sandbox technologies in isolation. New attack methods are highly sophisticated and require the same level of sophistication in order to combat them. Target won’t be the last to fall victim like this – and chances are there are many other compromised organisations that don’t yet realise they are on the hook.