And in a story that should surprise no one, Target’s attack was unsophisticated

I found a story today stating that the attackers who stole millions of credit cards from Target didn’t have to try very hard to hide. I wish I could say I was surprised.

My boss says it this way: Amateurs hit as hard as they can. Professionals hit as hard as they have to.

Why? Because if they only hit as hard as they have to, they can save the hard hit for another day. And it really boils down to simple economics. If I can buy off-the-shelf malware for $1,000 and use it to steal millions of dollars, then use the same malware again somewhere else and steal another few million, why not do that? The alternative is to buy a sophisticated attack that costs five or six figures. Then what happens? I use it, get my money, and then the victim can’t figure it out, so the victim calls in Mandiant. Mandiant discovers the zero-day attack, then tells the world about it. Mandiant looks good because they discovered something nobody else has ever seen before. The victim looks a lot better too, because they got mowed down by something that was unstoppable. But then the vendor moves heaven and earth to release an emergency out-of-band patch as quickly as possible, closing down a very brief window of opportunity to use it.

Cyber criminals may be crooked and unethical, but they aren’t stupid. And that’s why this is an uphill battle: A cheap attack can go up against defenses that cost an order of magnitude more, and still win.

Target did the right things. The story talks about them having good security products, network segmentation, and all of the things a good line of defense is supposed to have. To their credit, they had more than PCI DSS requires them to have. But they still lost.

I can only speculate, but there are any number of reasons why these defenses can fail. To defeat network segmentation, all it takes is someone running out of switch ports and bridging two switches that shouldn’t be bridged, then forgetting about it. A really good auditor will look for things like that, and given enough time, will find it. But not every auditor has enough time, and not every auditor is good, either.

To elude malware detection, you just pack the file in different ways until it evades detection. This is so common that many security professionals are surprised to hear I use packers to save disk space. That was their original use, but today disk space is cheap and Internet connections are fast, so packers tend to be used for nefarious things now more frequently than they were in my day. No antivirus software tries every possible unpacking method. A device like a Fireeye will catch it, but if you can get around network segmentation, you can get around the Fireeye.

Evading intrusion detection is possible too. Deliberately fragmenting the network traffic in ways that confuse the IDS is a common tactic. Packing or encoding the payload is another. Combining methods can also help.
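The two paragraphs above make one point: repacking or encoding a known-bad body changes every byte, so an exact signature no longer matches, but the result is nearly incompressible and a byte-entropy heuristic can still flag it. This is an added illustration, not code from the original post; the sample body, the one-entry signature set and the use of zlib as a stand-in for a packer are all constructed here.

```python
import hashlib
import math
import random
import zlib
from collections import Counter

# Constructed sample: a low-entropy text blob standing in for a known-bad file body.
_rng = random.Random(20140314)
_WORDS = ["register", "card", "swipe", "store", "network", "server", "copy",
          "data", "send", "file", "queue", "batch", "night", "log", "upload", "the"]
KNOWN_BAD = " ".join(_rng.choice(_WORDS) for _ in range(1500)).encode()

# Constructed "signature database": exact SHA-256 of the known-bad body.
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def signature_match(data: bytes) -> bool:
    """Exact-hash lookup, the simplest form of signature-based detection."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic: packed or encrypted content is close to incompressible, so its
    entropy sits near 8 bits/byte; plain text and ordinary code sit well below."""
    return shannon_entropy(data) >= threshold


def repack(data: bytes) -> bytes:
    """Stand-in for a packer: zlib rewrites every byte of the body (defeating an
    exact-hash signature) while an unpacker can restore the original exactly."""
    return zlib.compress(data, 9)


def triage(data: bytes) -> dict:
    """What a defender sees for one file: signature hit, entropy, packed verdict."""
    return {"signature": signature_match(data),
            "entropy": round(shannon_entropy(data), 2),
            "packed": looks_packed(data)}
```

Run `triage(KNOWN_BAD)` and `triage(repack(KNOWN_BAD))` side by side: the first hits the signature with low entropy, the second misses the signature but trips the entropy heuristic, which is why packed-section entropy is a routine check in malware triage.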

On that note, hacking is mostly a matter of combining. Here’s this little mistake that doesn’t gain me much, but it gets me one step on my million-mile journey. Oh, and there, here’s another mistake that gets me another step in the right direction.

How many computers do you think Target has? I’ll bet we’re talking tens of thousands. The attackers probably had to find a couple dozen mistakes to get what they needed, but on a network with 20,000 devices on it, there will be more than a couple dozen mistakes. They’re there; what it takes is the skill and patience to get in, then the skill and patience to find the mistakes you need and turn them into a path to get what you want.

In a way, McAfee’s analysis of Target’s attack and calling it unsophisticated is a misnomer. The attack payload was unsophisticated. The attackers themselves, though, appear to have been pretty sophisticated.

The tool matters a lot less than the person using it. A skilled carpenter can build fine furniture with extremely simple tools. In my hands, the same tools will make very crude furniture, and probably would be better suited for demolishing a mold-damaged basement wall. The tools aren’t what matters–it’s the person using them.

Target’s defenses probably would have caught a lesser attacker, even if they’d come in with a costlier payload.

2 thoughts on “And in a story that should surprise no one, Target’s attack was unsophisticated”

  • March 14, 2014 at 3:49 pm

    ““Security often takes the back seat to selling,” he says.”
    Report Says Target Could Have Stopped Hacker Attack, But Didn’t
    March 13, 2014 4:51 PM
    http://philadelphia.cbslocal.com/2014/03/13/report-says-target-could-have-stopped-hacker-attack-but-didnt/
    …..
    Dave,
    Heard this earlier this morning on national news.
    Why run FireEye and disable its response? I have only a novice knowledge of security but this doesn’t make sense.
    Any thoughts?
    Joseph

    • March 14, 2014 at 6:09 pm

      You’re right, Joseph, you don’t want to go buy an expensive, flashy device like a Fireeye and then ignore it. I don’t have any insider knowledge, and can’t think of any good reason to disable that functionality, but can imagine two possible scenarios where someone would do it:

      1. Someone high enough was nervous about automatically blocking something important and ordered the functionality that would have blocked the malware disabled.
      2. They had it enabled, the alerts went off, and someone decided they were getting too many false positives, so that person (with or without supervisor approval–either sub-scenario is possible) disabled the functionality to make the false positives (whether they were real or imagined) go away.

      At some points in my career, I may have argued against both forms of logic, in lower-stakes situations.

      I’m impressed that Target had a Fireeye, or potentially more than one Fireeye. But it sounds like they weren’t using it to the extent that they could have. The Fireeye isn’t invincible, but the general consensus among my colleagues is that having one is much better than not having one, but, as this demonstrates, you need people who are able to configure it and correctly interpret its alerts, and you need processes to ensure proper, consistent configuration and use of the device. Just buying a bunch of flashy technology doesn’t stop bad things from happening.
