I found a story today stating that the attackers who stole millions of credit cards from Target didn’t have to try very hard to hide. I wish I could say I was surprised.
My boss says it this way: Amateurs hit as hard as they can. Professionals hit as hard as they have to.
Why? Because if they only hit as hard as they have to, they can save the hard hit for another day. And it really boils down to simple economics. If I can buy off-the-shelf malware for $1,000 and use it to steal millions of dollars, then use the same malware again somewhere else and steal another few million, why not do that? The alternative is to buy a sophisticated attack that costs five or six figures. Then what happens? I use it, get my money, and then the victim can’t figure it out, so the victim calls in Mandiant. Mandiant discovers the zero-day attack, then tells the world about it. Mandiant looks good because they discovered something nobody else has ever seen before. The victim looks a lot better too, because they got mowed down by something that was unstoppable. But then the vendor moves heaven and earth to release an emergency out-of-band patch as quickly as possible, closing down a very brief window of opportunity to use it.
Cyber criminals may be crooked and unethical, but they aren’t stupid. And that’s why this is an uphill battle: A cheap attack can go up against defenses that cost an order of magnitude more, and still win.
Target did the right things. The story talks about them having good security products, network segmentation, and all of the things a good line of defense is supposed to have. To their credit, they had more than PCI DSS requires them to have. But they still lost.
I can only speculate, but there are any number of reasons why these defenses can fail. To defeat network segmentation, all it takes is someone running out of switch ports and bridging two switches that shouldn’t be bridged, then forgetting about it. A really good auditor will look for things like that, and given enough time, will find that. But not every auditor has enough time, and not every auditor is good, either.
To elude malware detection, you just pack the file in different ways until it evades detection. This is so common that many security professionals are surprised to hear that I use packers to save disk space. That was their original use, but today disk space is cheap and Internet connections are fast, so packers tend to be used for nefarious things now more frequently than they were in my day. No antivirus software tries every possible unpacking method. A device like a FireEye will catch it, but if you can get around network segmentation, you can get around the FireEye.
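Since signature scanners can't try every unpacker, a common defensive complement is to flag files that look packed at all: packed or encrypted sections have near-random byte distributions, so their Shannon entropy sits close to the 8-bit ceiling, while ordinary code and text sit much lower. The following is an added example, not code from the original post or from any vendor mentioned in it; the 7.0-bit threshold, the 1024-byte window, and the two constructed sample files are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter
from typing import List


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def sliding_entropy(data: bytes, window: int = 1024) -> List[float]:
    """Entropy of each fixed-size window; a trailing window shorter than half
    the window size is dropped so it does not skew the result."""
    values = []
    for i in range(0, len(data), window):
        chunk = data[i:i + window]
        if len(chunk) >= window // 2:
            values.append(shannon_entropy(chunk))
    return values


# Assumed heuristic thresholds: compressed/encrypted data is usually > 7 bits/byte.
PACKED_THRESHOLD = 7.0
MIN_HIGH_FRACTION = 0.5


def looks_packed(data: bytes, window: int = 1024,
                 threshold: float = PACKED_THRESHOLD,
                 min_fraction: float = MIN_HIGH_FRACTION) -> bool:
    """True when at least `min_fraction` of the windows are high-entropy.
    This is a triage heuristic, not proof: flagged files deserve a closer look,
    and legitimately compressed resources will also trip it."""
    windows = sliding_entropy(data, window)
    if not windows:
        return False
    high = sum(1 for e in windows if e >= threshold)
    return high / len(windows) >= min_fraction


# --- constructed samples (not real binaries) ---

def plain_sample() -> bytes:
    """Stand-in for an unpacked executable: a DOS-stub-like string plus padding."""
    stub = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 60
    return stub + b"\x00" * 1024


def packed_sample() -> bytes:
    """Stand-in for a packed executable: a tiny header followed by a
    pseudo-random body (seeded so the example is reproducible)."""
    rng = random.Random(1234)
    return b"MZ" + bytes(rng.getrandbits(8) for _ in range(4096))


if __name__ == "__main__":
    for name, sample in (("plain", plain_sample()), ("packed", packed_sample())):
        print(name, [round(e, 2) for e in sliding_entropy(sample)], looks_packed(sample))
```

Real packed-file triage layers this with PE-structure checks (section names, a tiny import table, a writable+executable section), but the entropy pass alone already separates the two constructed samples and costs almost nothing per file.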
Evading intrusion detection is possible too. Deliberately fragmenting the network traffic in ways that confuse the IDS is a common tactic. Packing or encoding the payload is another. Combining methods can also help.
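The fragmentation trick works because the IDS and the end host can reassemble overlapping fragments differently: if two fragments cover the same byte offsets with different contents, whichever "favor the first" or "favor the last" policy the sensor uses may not match the host, so the sensor inspects a stream the host never saw. The defensive response is to treat conflicting overlaps as a signal in their own right rather than silently picking one. The following is an added example, not code from the original post; the `(offset, payload)` fragment format and the sample streams are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Constructed representation of a reassembly queue: (byte offset within
# the stream, payload bytes), listed in the order the fragments arrived.
Fragment = Tuple[int, bytes]


def analyze_fragments(fragments: List[Fragment]) -> dict:
    """Reassemble under two policies at once and report ambiguity.

    stream_first keeps the byte from the earliest fragment covering an offset,
    stream_last keeps the latest. `conflicts` lists offsets where fragments
    disagree; any non-empty list means the two policies diverge and the
    traffic should be flagged rather than guessed at."""
    first: Dict[int, int] = {}
    last: Dict[int, int] = {}
    conflicts = set()
    for offset, payload in fragments:
        for i, b in enumerate(payload):
            pos = offset + i
            if pos in first:
                if first[pos] != b or last[pos] != b:
                    conflicts.add(pos)
            else:
                first[pos] = b
            last[pos] = b

    result = {"complete": True, "ambiguous": bool(conflicts),
              "conflicts": sorted(conflicts),
              "stream_first": None, "stream_last": None}
    if not first:
        result["stream_first"] = result["stream_last"] = b""
        return result

    end = max(first) + 1
    missing = [p for p in range(end) if p not in first]
    if missing:
        # A gap means the stream cannot be reconstructed yet (or ever).
        result["complete"] = False
        return result

    result["stream_first"] = bytes(first[p] for p in range(end))
    result["stream_last"] = bytes(last[p] for p in range(end))
    return result


# --- constructed sample fragment sets ---

CONTIGUOUS = [(0, b"GET /index"), (10, b".html HTTP/1.0\r\n")]
# Benign overlap: offsets 10-12 are sent twice with identical bytes.
BENIGN_OVERLAP = [(0, b"GET /index.ht"), (10, b".html HTTP/1.0\r\n")]
# Conflicting overlap: a later fragment rewrites offsets 5-14 with different bytes,
# so a first-wins sensor and a last-wins host see different requests.
CONFLICTING = [(0, b"GET /index.html HTTP/1.0\r\n"), (5, b"admin.html")]
GAPPED = [(0, b"GET"), (5, b"x")]


if __name__ == "__main__":
    for name, frags in (("contiguous", CONTIGUOUS), ("benign_overlap", BENIGN_OVERLAP),
                        ("conflicting", CONFLICTING), ("gapped", GAPPED)):
        print(name, analyze_fragments(frags))
```

Production reassemblers (for example Snort's frag3/stream preprocessors) go further by letting the operator set the policy per target OS; the point of the example is that the conflict itself is worth an alert, because legitimate retransmissions repeat the same bytes and have no reason to disagree.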
On that note, hacking is mostly a matter of combining. Here’s this little mistake that doesn’t gain me much, but it gets me one step on my million-mile journey. Oh, and there, here’s another mistake that gets me another step in the right direction.
How many computers do you think Target has? I’ll bet we’re talking tens of thousands. The attackers probably had to find a couple dozen mistakes to get what they needed, but on a network with 20,000 devices on it, there will be more than a couple dozen mistakes. They’re there; what it takes is the skill and patience to get in, then the skill and patience to find the mistakes you need and turn them into a path to get what you want.
In a way, McAfee’s analysis calling Target’s attack unsophisticated is a misnomer. The attack payload was unsophisticated. The attackers themselves, though, appear to have been pretty sophisticated.
The tool matters a lot less than the person using it. A skilled carpenter can build fine furniture with extremely simple tools. In my hands, the same tools will make very crude furniture, and would probably be better suited for demolishing a mold-damaged basement wall. The tools aren’t what matters; it’s the person using them.
Target’s defenses probably would have caught a lesser attacker, even if they’d come in with a costlier payload.