Breaking Down a Breach
What Happened & How to React
By: Jerry Horton, IT Director
Hello and welcome to the first in the Breaking Down a Breach series!
In this part of the newsletter, we select a breach or cyberattack that has been in the news, analyze the information that is publicly available, and offer some recommendations for protecting your network against similar attacks. We will be looking at these attacks based on the five “P’s” of cyberattacks:
- Probe: This is the cybercriminal’s reconnaissance of the target. A surprising amount of information about any organization or individual is freely and publicly available.
- Penetrate: Once an attacker has completed their surveillance, they will choose one or more methods of gaining unauthorized access.
- Persist: Some cybercriminals are of the ‘snatch and grab’ school – launch some sort of attack against a wide variety of users and organizations, a small percentage will get infected, and the criminals will take the quick payday. However, persistence is the Holy Grail of cybercriminal activity. This is where real cybercriminals who have an agenda shine – they want to stick around and hide in the corners because you may have more than one thing of value. More importantly, they don’t want to leave enough traces of their penetration for you to find, meaning that they can be in your system for years (as they did in the Starwood Hotel breach) [1].
- Pivot: This is one of the goals of persistence; attackers poke around, see if they can get into other systems besides the one already compromised, see if they can elevate their privileges, and then really go to town deciding how much and what to steal.
- Pilfer: The ultimate end goal – take what they can and sell it or use it for another attack, whether that is on the same company or a totally different one.
Our goal in this series is to uncover what happened, how it was accomplished, and what you can do with your environment to help protect yourself. Remember that there is no one ‘silver bullet’ for security! Rather, you have to build your technical measures in depth [2] and, most importantly, develop a culture of security. There is no such thing as ‘My company is too small/large/unusual/whatever to be a target’. The cybercriminals know that you have something of value and will do whatever they can to get their hands on it.
Let’s kick this series off with one of the most famous breaches in recent memory – the Target breach of 2013. Your humble author and his lovely wife both had their debit and credit cards exposed during this debacle; fortunately, to no ill effect other than having to have new cards issued.
What happened: Cybercriminals did extensive probing to find a route into the Target network. Once a successful intrusion was accomplished, the criminals determined what vulnerabilities were available to exploit and, through a series of small attacks and elevations, were able to gain access to the Point Of Sale (“POS”) system. Once firmly entrenched in this system, the criminals pilfered records – an estimated total of well over 40 million credit and debit card transactions – which were then put up for sale on the dark web (a hidden internet largely used for illegal activities). According to a Huffington Post article in 2015 [3], the estimated cost to address this breach had exceeded $252 million, and the loss in profit, stock value, and public trust required years to repair.
How it happened: While the extent of the reconnaissance cannot be fully known without interrogating one of the cybercriminals, what is known is that much information was easily accessible from simple internet searches. The Target Supplier Portal listed all of the vendors used by Target, giving the cybercriminals a nearly effortless group of initial targets.
The criminals, using social engineering and phishing techniques, compromised computers at Fazio Mechanical, an HVAC vendor for Target. As a part of this compromise, they were able to harvest Fazio’s credentials for the Target vendor network. The criminals then logged into and compromised the Target vendor network.
Once into the Target network with credentials that were legitimate, it was a matter of scanning for vulnerabilities and exploiting them to move laterally and elevate their privileges. This portion of the attack is still not entirely known, but it is suspected that a common attack against web-enabled databases known as SQL injection was used to gain access to other systems, including the POS system. The attackers had now hit the motherlode, setting up a ‘skimming’ type of program which copied the transactions into a file on a ‘dump’ site which had been set up on a server with internet access (the POS system, by design, does not have direct internet access). They exfiltrated the files by disguising the outbound file transfer as an innocuous type of traffic.
What you can do to protect your company: Because of the complexity of the breach and the sophistication of the attack, there are a number of lessons to learn from the Target breach. Many of the vulnerabilities the attackers exploited have simple solutions, while others require technical and procedural fixes that are more stringent.
- Be cautious of the information you post publicly: The Target Supplier Portal was easy to find using a simple Google search. The Portal was a rich source of information that required no security whatsoever to access. [4] Networks Plus recommends that you limit the information you post to your website or social media accounts, including email addresses and process documentation.
- Secure remote access: Any remote access to internal systems should require Virtual Private Network (“VPN”) connectivity and multi-factor authentication, at a minimum. The initial breach of the Target systems would have been nearly impossible had multi-factor authentication been required. Even with these extra measures, any direct access to internal systems should be severely limited using the principle of least privilege.
- Advanced endpoint protection: A simple anti-malware package is just not enough to protect against modern cyber threats. The majority of attacks launched during the Target breach could have been stopped very quickly if each of the computers involved had used advanced endpoint protection which monitors and reacts to any unusual activity. Taking this concept a bit further, network monitoring with intrusion detection and prevention would have gone a long way to stopping this breach dead in its tracks.
- Supply chain management: While you cannot control what your vendors do with their networks, you can and should exert your influence. Develop a minimum security standard which you require of your vendors. This is not foolproof, by any means, but it does help both your company and your vendors to build a strong, secure relationship.
- Security maintenance: Configure any system access using the principle of least privilege – only assign the minimum rights and privileges required to perform the job. Use lengthy passphrases [5] (14 characters, minimum) and multi-factor authentication where possible. Make sure to remove or disable unused or orphan accounts, not just on your internal network, but with any external source as well. Those old online accounts may have been compromised and provide a potential attack vector.
- Education: The Target breach all started with a phishing attack; not entirely surprising since 95% of attacks begin with a phishing email. [6] Make sure that you are training your entire company, including yourself, on security threats. Couple your training program with periodic tests to make sure that the lessons are being learned.
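The skimming-and-staging pattern described under “How it happened” and the network monitoring recommended above can be turned into concrete detection rules. The script below is an added example (not part of the original newsletter, and not Target’s real network layout): the address ranges, the POS “allowed peer” list and the flow records are all constructed for illustration. It flags any POS-segment host reaching the internet (which the text notes should never happen by design), any POS host talking to an unexpected internal peer such as a staging server, and any internal host pushing a large volume to a single external address over an innocuous-looking port.

```python
import ipaddress
from collections import defaultdict

# Assumed network layout for this example (constructed, not Target's real addressing).
POS_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
POS_ALLOWED_PEERS = {"10.10.1.5"}        # the only internal host registers should talk to (assumed)
BULK_THRESHOLD = 50 * 1024 * 1024        # bytes to one external host within the log window

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def parse_flow(line):
    # Constructed flow format: timestamp,src_ip,dst_ip,dst_port,bytes_out
    ts, src, dst, port, nbytes = line.strip().split(",")
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}

def analyze(lines):
    """Return a list of (rule, src, dst) alerts for the given flow records."""
    alerts = []
    outbound = defaultdict(int)          # (src, dst) -> bytes sent to an external host
    for line in lines:
        f = parse_flow(line)
        if ipaddress.ip_address(f["src"]) in POS_SEGMENT:
            if not is_internal(f["dst"]):
                alerts.append(("POS_TO_INTERNET", f["src"], f["dst"]))
            elif f["dst"] not in POS_ALLOWED_PEERS:
                alerts.append(("POS_UNEXPECTED_PEER", f["src"], f["dst"]))
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            outbound[(f["src"], f["dst"])] += f["bytes"]
    # A staging host quietly pushing a large volume to one external address over 443
    # looks like normal web traffic per flow; the aggregate gives it away.
    for (src, dst), total in outbound.items():
        if total >= BULK_THRESHOLD:
            alerts.append(("BULK_EXFIL", src, dst))
    return alerts

# Constructed sample flows (documentation address ranges used for the "internet" side).
SAMPLE_FLOWS = [
    "2013-11-27T02:00:01,10.50.3.21,10.10.1.5,8443,2048",       # register -> POS controller (normal)
    "2013-11-27T02:05:10,10.50.3.21,10.20.7.9,445,1048576",     # register -> staging "dump" server
    "2013-11-27T02:10:00,10.20.7.9,203.0.113.77,443,60000000",  # staging -> internet, disguised as HTTPS
    "2013-11-27T02:11:00,10.50.3.22,198.51.100.4,80,512",       # register -> internet (never expected)
]

if __name__ == "__main__":
    for rule, src, dst in analyze(SAMPLE_FLOWS):
        print(f"ALERT {rule}: {src} -> {dst}")
```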
At Networks Plus, cybersecurity is our focus. We want to ensure that your company can prevent and recover from cyberattacks. Contact one of our Business Consulting team to discuss how our products and services can help you build a strong and resilient network for your business.