How Target Blew It: Missed Alarms And 40M Credit Card Info Stolen; And Some Parallels To The Intelligence Community
Bloomberg Business Week had an article on Thursday (Mar. 13, 2014) noting that the “biggest retail hack in U.S. history wasn’t particularly inventive, nor did it appear destined for success,” wrote the authors, Michael Riley, Ben Elgin, Dune Lawrence, and Carole Matlack. The authors note that, “in the days prior to Thanksgiving, 2013, someone installed malware in Target’s (TGT) security and payments system — designed to steal every credit card used in the company’s 1,797 U.S. stores. At the critical moment — when the Christmas gifts had been scanned and bagged, and the cashier asked for a swipe — the malware would step in, capture the shopper’s credit card number, and store it on a Target server commandeered by the hackers.”
“Six months earlier,” the authors add, “Target began installing a $1.6M malware detection tool made by the cyber security firm FireEye (FEYE), whose customers also include the CIA and the Pentagon. Target had a team of security specialists in Bangalore to monitor its computers 24/7. If Bangalore noticed anything suspicious, Target’s security operations center in Minneapolis would be notified.”
“On Saturday, Nov. 30, the hackers set their traps and had just one thing to do before starting the attack: plan the purloined data’s escape route. As they uploaded exfiltration malware to move stolen credit card numbers — first to staging points spread around the U.S. to cover their tracks, then into computers in Russia — FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then…..
“For some reasons, Minneapolis did not react to the sirens. Bloomberg BusinessWeek spoke to more than 10 former Target employees familiar with the company’s data security operation, as well as eight others with specific knowledge of the hack and its aftermath — including former employees, security researchers, and law enforcement officials. The story they tell is of an alert system installed to protect the bond between the retailer and the customer, — that worked beautifully. But then, Target stood by as 40M credit card numbers — and some 70M addresses, phone numbers, and other pieces of personal information — gushed out of its mainframes.”
These kind of “actions” and reactions, have been plaguing the Intelligence Community warning apparatus forever.
In addition to missing or disregarding the initial warning sirens, Target was slow to react as well as grasp the magnitude of the breach they had just suffered. Indeed, it was only after the Justice Department notified the company in mid-December that its’ security network had been breached — that Target began a damage assessment protocol to understand what had happened, and how. When the company began to pour over the computer security logs, Target found FireEye’s alert’s from November 30th, as well as additional red flags on December 2nd, when hackers installed yet another version of the malware. The Bloomberg authors note that FireEye’s alerts that something was amiss should have been impossible to miss, and, they went off early enough that the hackers hadn’t yet begun transmitting the stolen credit card data out of Target’s network. Had Target’s security team responded when it was originally alerted, the theft that has severely damaged the company — at least in the short-term — could have been prevented.
Sadly, Target is not alone in missing potential warning signs of a strategic surprise. But, I would argue that what happened in the Target case falls into the category of a “known” surprise. Target knew that cyber criminals posed a serious threat to the company’s ‘Crown Jewels,’ — personal data of their customers — and proactively took measures to mitigate against that “surprise” by procuring the security products and services of the cyber security firm FireEye — before this breach happened. Thus, this incident can be fairly characterized as a “known surprise,” something Target management knew could happen, but did not adequately prepare. A breakdown occurred at the company’s security operations center where alarm bells went off; but, no one acted on that information.
This begs the question: Were the alarm bells that a network breach occurred “loud enough,” that someone in the center should have acted? Or, was the alert ambiguous and/or filed/noted as a routine — run-of-the-mill cyber threat? Was there a lack of training at Target’s end? The company acted to enhance their cyber security posture; but, did they adequately ensure proper cyber security training for their “watch standers?” Hopefully, the company will do a thorough lessons-learned from this unfortunate event; and, share their findings with others in the hopes that similar type attacks can be prevented or mitigated to a substantial degree.
These kind of events and the inevitable fallout and second-guessing have been plaguing the Intelligence Community warning apparatus forever. As a 2008 Defense Science Board (DSB) Summer Study on Capability Surprise found — surprise falls into two broad categories: The overwhelming majority of cases are “known surprises,” — one’s we should have not only expected; but, acted in advance of — and, “surprising surprises,” those surprises that we might have known about or, at least anticipated — but, which were buried among the hundreds of thousands of other possibilities.”
In both cases, the DSB found “the biggest issue is not a failure to envision events that may be surprising; rather, it is a failure to decide which ones to act upon, and to what degree.”
We are at the dawn of the cyber warfare age and although I am not a cyber vulnerability expert — I suspect the doctrine and well-thought out cyber threat warning apparatus is still coming to grips with this evolving threat. Although certain mechanisms can be proposed (Red Teaming, Gaming Vulnerabilities, Exercises, Training, etc.) and technology acquired — as in the Target case with FireEye — to make these kind of “catastrophic” cyber attacks less likely, Target and their private sector counterparts need to focus inward — rather than outward.
Technology (like FireEye) and a well-trained cyber security structure within a company such as Target can warn senior management when it believes a serious cyber threat appears in progress — or, about to occur after several probes/trial runs — but, fundamentally the top-level/senior management has to emphasize and inculcate best cyber hygiene practices across their entire enterprise; otherwise, additional Target-like cyber attacks are a certainty.
Additionally, as big-data analytics matures, structures to assess massive and rapid threat information flows — is critical. New analytics is required to rapidly assess the value of the information received; and, a linkage from those assessing the threat, to those in charge of policy, implementation and back — are a must. Target, and others, need global visibility on the evolving cyber threat, as well as ensuring that a “closed loop” of notification and action/response actions are implemented.
But, the unfortunate truth is that there can never be complete safeguards against these kind of cyber attacks. The trusted insider, e.g., Edward Snowden or a Bradley Manning; or, vulnerabilities of the second and third-tier suppliers, etc. demonstrate that the number of ways the adversary can compromise one’s network — will always exceed the measures that can be taken to defend them.
Inculcating a culture of best hygiene practices, ensuring a “closed loop” on cyber attacks, warning, notification, and remediation is a must. Corporate America also needs to find a way to make these kind of cyber attacks “costly” to the adversary/perpetrator. Going after the culprit/s legally and financially whenever possible is mandatory. Thoughtful actions on how to restore trust — as quickly as possible — also requires dedicated and intense effort. Finally, the business and the customer — must always assume that the network is never 100% “clean.” V/R, RCP