The Target Breach and Why Point-In-time Malware Detection Alone Doesn't Work



March 20, 2014

Bloomberg BusinessWeek published an article [i] and video [ii] last week that discussed the details of the now infamous malware attack and data breach that hit U.S. retailer Target over the 2013 holiday season. As a result of the breach, 40 million customer credit cards were compromised and personal information for up to 70 million customers was stolen, constituting the largest retail hack in United States history.

According to Bloomberg, hackers gained access to Target's network and successfully uploaded malware to the network and point-of-sale systems on November 27, 2013. Three days after this initial infiltration, Target's 1.6 million dollar FireEye malware detection software spotted the malware and sent an alert to analysts in Target's security operations center on November 30th. However, this generic alert, likely sent with hundreds of other alerts each day [iii], was not heeded, nor was another generic alert sent on December 2nd. Without any visibility or context into the malware's entry point or behavior, no action was taken, and two weeks passed while the malware continued to pilfer sensitive customer information. Only after federal law enforcement flagged the suspicious activity did Target look into the matter and finally remove the malware on December 15th.

What are the real lessons we can learn from this failed approach? 

• Point-in-time detection is not enough and will never be 100% effective. FireEye missed the initial malware breach: the infected file was never detected coming inbound. Furthermore, FireEye was blind to the malware's activity for three days, until an outbound callback was picked up.

• One generic alert in a sea of alerts doesn't help. In response to Bloomberg's article, "two security experts who advise organizations in responding to cyber attacks and both have experience using FireEye technology said 'they believed it was likely that Target's security team received hundreds of such alerts on a daily basis, which would have made it tough to have singled out that threat as being particularly malicious.'" [iv]

• Visibility without context and control is not visibility at all, it's noise. FireEye sends generic point-in-time alerts, the type that "security personnel typically don't get excited about because FireEye does not provide much information about those threats." [v] This type of point-in-time alert on its own is simply not enough. To truly be actionable, that single alert needs to be linked with other indicators and contextual data related to the event to highlight the scope of the problem and provide security/incident response teams with the control to contain and remediate the threat.

Cisco understands this and offers Advanced Malware Protection (AMP), an integrated set of controls and a continuous security model to detect, confirm, track, analyze and remediate these advanced threats before, during and after an attack.

• Detection, monitoring, and tracking beyond the initial point in time. Detecting malware the first time you see it is important, but because malware changes its appearance constantly and the attackers who deploy it are sophisticated, what really matters is being able to keep analyzing a file and judging its maliciousness beyond the initial point in time at which it is seen. Any enterprise should assume that no detection method is 100% effective. This is why your malware protection technology needs to go beyond point-in-time detection and examine that file over a period of time: tracking where it goes, what it does when it gets there, and analyzing that behavior when an initial detection was not possible.


• Intelligence correlated with context to raise priority. With Cisco's ability to track and analyze behavior continuously at the file, process and communications level, advanced behavioral indications of compromise can be used to further confirm a compromise and to raise the alert priority for security teams, helping them distinguish noise from what is really important. Because the process is continuous, and not just an enumeration of events, the technology keeps tracking and monitoring the malware even if the initial detection event is ignored. As more information is collected it snowballs, growing until it becomes too large for security teams to ignore.

Once an alert does reach the level of awareness, it is critical that the events leading up to and following the compromise be analyzed quickly, with the ability to zoom in and out to understand the scope and answer exactly when, where and how the malware got there. The only way to do that is to continuously capture the information necessary for that analysis.
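As an added illustration of the continuous model the two preceding points describe (tracking a file beyond the moment it is first seen, and correlating indicators to raise an alert's priority), the following Python sketch is example code written for this page; it is not Cisco AMP code or any vendor's implementation. The event shape, the indicator weights, the "pos-" host-naming convention, the internal network ranges, the placeholder hash and the timeline are all assumptions constructed for the example.

```python
"""Toy continuous (retrospective) file-tracking model. Added example only;
not Cisco AMP or any vendor's code. All weights, names and data are assumed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed weights for the example; a real product would tune these from intel.
INDICATOR_WEIGHTS = {
    "verdict_malicious": 50,  # threat intel later judges the hash malicious
    "executed": 15,           # the file ran on at least one host
    "outbound_callback": 25,  # a process backed by the file talked to an external address
    "multi_host": 10,         # the same hash was seen on two or more hosts
    "pos_segment": 10,        # it touched a point-of-sale host (assumed "pos-" prefix)
}

# Assumed corporate address space; anything outside it counts as a callback destination.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

DEMO_HASH = "a" * 64  # placeholder SHA-256 for the constructed timeline


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    host: str
    sha256: str
    action: str       # "received" | "executed" | "connected"
    detail: str = ""  # source path, parent process, or "ip:port" for "connected"


def _is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


class Tracker:
    """Keeps every event for every file, whatever the verdict at the time it was seen."""

    def __init__(self, medium: int = 25, high: int = 40) -> None:
        self.events: list[FileEvent] = []
        self.verdicts: dict[str, str] = {}  # sha256 -> unknown | clean | malicious
        self.alert_log: list[tuple[datetime, str, str, int]] = []  # (ts, hash, priority, score)
        self._medium, self._high = medium, high

    def record(self, ev: FileEvent) -> None:
        self.events.append(ev)
        self.verdicts.setdefault(ev.sha256, "unknown")
        self._reassess(ev.sha256, ev.ts)  # re-score on every new fact, not only on first sight

    def set_verdict(self, sha256: str, verdict: str, ts: datetime) -> None:
        """Retrospective verdict change, e.g. intel that arrives days after the file was seen."""
        self.verdicts[sha256] = verdict
        self._reassess(sha256, ts)

    def trajectory(self, sha256: str) -> list[FileEvent]:
        return sorted((e for e in self.events if e.sha256 == sha256), key=lambda e: e.ts)

    def indicators(self, sha256: str) -> set[str]:
        traj = self.trajectory(sha256)
        found: set[str] = set()
        if self.verdicts.get(sha256) == "malicious":
            found.add("verdict_malicious")
        if any(e.action == "executed" for e in traj):
            found.add("executed")
        if any(e.action == "connected" and _is_external(e.detail.rsplit(":", 1)[0]) for e in traj):
            found.add("outbound_callback")
        if len({e.host for e in traj}) >= 2:
            found.add("multi_host")
        if any(e.host.startswith("pos-") for e in traj):
            found.add("pos_segment")
        return found

    def score(self, sha256: str) -> int:
        return sum(INDICATOR_WEIGHTS[i] for i in self.indicators(sha256))

    def priority(self, sha256: str) -> str:
        s = self.score(sha256)
        return "high" if s >= self._high else "medium" if s >= self._medium else "low"

    def scope(self, sha256: str) -> dict:
        """The when/where/how-far answers, built from events already captured."""
        traj = self.trajectory(sha256)
        if not traj:
            return {}
        return {
            "first_seen": traj[0].ts,
            "entry_host": traj[0].host,
            "hosts": sorted({e.host for e in traj}),
            "callbacks": sorted({e.detail for e in traj if e.action == "connected"}),
        }

    def _reassess(self, sha256: str, ts: datetime) -> None:
        self.alert_log.append((ts, sha256, self.priority(sha256), self.score(sha256)))


def build_demo() -> Tracker:
    """Constructed timeline loosely shaped like the Target narrative; not real data."""
    t = Tracker()
    ts = datetime.fromisoformat
    t.record(FileEvent(ts("2013-11-27T10:00"), "pos-0001", DEMO_HASH, "received", "smb://update-srv/share/svc.exe"))
    t.record(FileEvent(ts("2013-11-27T10:02"), "pos-0001", DEMO_HASH, "executed", "services.exe"))
    t.record(FileEvent(ts("2013-11-30T02:00"), "pos-0001", DEMO_HASH, "connected", "203.0.113.5:443"))
    t.record(FileEvent(ts("2013-12-02T01:00"), "pos-0002", DEMO_HASH, "executed", "services.exe"))
    t.record(FileEvent(ts("2013-12-02T01:10"), "pos-0003", DEMO_HASH, "executed", "services.exe"))
    t.set_verdict(DEMO_HASH, "malicious", ts("2013-12-15T09:00"))  # intel arrives late
    return t


if __name__ == "__main__":
    demo = build_demo()
    for when, _, prio, score in demo.alert_log:
        print(f"{when:%Y-%m-%d %H:%M}  priority={prio:<6} score={score}")
    print(demo.scope(DEMO_HASH))
```

Run stand-alone, the alert log shows the score climbing as facts accumulate: the "received" event on its own is low priority, execution lifts it to medium, the external callback pushes it to high before any intel verdict exists, and the spread to more hosts raises it again. When the late "malicious" verdict arrives, scope() answers when, where and on how many hosts from the events already captured, rather than starting the investigation from zero.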

• Integrated containment and remediation capabilities. Finally, with the ability to track and analyze continuously, you can use that context and depth of information to surgically contain and remediate the problem without waiting for content or signature updates or, even worse, resorting to a scorched-earth approach that is disruptive to customers and security staff. Cisco gives you visibility into the scope and root causes, and the ability to pinpoint the problem and remove it without the collateral damage and cost associated with broad-brush removal and remediation.

Although the industry acknowledges that advanced malware attacks require new and innovative solutions to detect and remediate, far too many organizations default to focusing the entirety of their efforts on point-in-time detection and remediation tools. To have any chance of effectively defending against modern attacks, the solution must leverage a continuous model to track file interaction and activity across the network, and utilize big data analytics, collective security intelligence and enforcement across networks, endpoints, web and email gateways, virtual systems and mobile devices.

Cisco is the only malware protection vendor that delivers this continuous security model for protection and remediation against the growing scourge of sophisticated malware attacks.

To learn more about Cisco's Advanced Malware Protection (AMP) and other Security Solutions, refer to the resources here and here, or contact your sales representative. And for a deeper look at our POS retail environment, watch the webinar here.

[i] Bloomberg Businessweek, "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It", http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data#p1
[ii] Bloomberg Businessweek video, http://www.businessweek.com/videos/2014-03-13/hacking-timeline-what-did-target-know-and-when
[iii] Reuters, "Target says it declined to act on early alert of cyber breach", http://www.reuters.com/article/2014/03/13/us-target-breach-idUSBREA2C14F20140313
[iv] Reuters, "Target says it declined to act on early alert of cyber breach", http://www.reuters.com/article/2014/03/13/us-target-breach-idUSBREA2C14F20140313
[v] Reuters, "Target says it declined to act on early alert of cyber breach", http://www.reuters.com/article/2014/03/13/us-target-breach-idUSBREA2C14F20140313