The Target Breach and Why Point-in-time Malware Detection Alone Doesn't Work
March 20, 2014
Bloomberg BusinessWeek published an article[i] and a video[ii] last week discussing the details of the now infamous malware attack and data breach that hit U.S. retailer Target over the 2013 holiday season. As a result of the breach, 40 million customer credit cards were compromised and personal information for up to 70 million customers was stolen, constituting the largest retail hack in United States history.

According to Bloomberg, hackers gained access to Target's network and successfully uploaded malware to the network and point-of-sale systems on November 27, 2013. Three days after this initial infiltration, on November 30th, Target's $1.6 million FireEye malware detection software spotted the malware and sent an alert to analysts in Target's security operations center. However, this generic alert, likely one of hundreds sent each day[iii], was not acted on, and neither was a second generic alert sent on December 2nd. With no visibility into, or context for, the malware's entry point or behavior, no action was taken, and two weeks passed while the malware continued to pilfer sensitive customer information. Only after federal law enforcement flagged suspicious activity did Target look into the matter, finally removing the malware on December 15th.
What are the real lessons we can learn from this failed approach?
- Point-in-time detection is not enough and will never be 100%: FireEye missed the initial malware breach; the infected file was never detected coming inbound. Furthermore, FireEye was blind to the malware's activity for three days, until an outbound callback was picked up.
- One generic alert in a sea of alerts doesn't help: In response to Bloomberg's article, “two security experts who advise organizations in responding to cyber attacks and both have experience using FireEye technology said ‘they believed it was likely that Target's security team received hundreds of such alerts on a daily basis, which would have made it tough to have singled out that threat as being particularly malicious.’”[iv]
- Visibility without context and control is not visibility at all, it's noise: FireEye sends generic point-in-time alerts, the type that “security personnel typically don't get excited about because FireEye does not provide much information about those threats.”[v] A point-in-time alert on its own is simply not enough. To be truly actionable, that single alert needs to be linked with the other indicators and contextual data related to the event, so that the scope of the problem is visible and security and incident response teams have the control to contain and remediate the threat.
Cisco understands this and offers Advanced Malware Protection (AMP), an integrated set of controls and a continuous security model to detect, confirm, track, analyze and remediate these advanced threats before, during and after an attack.
- Detection, monitoring and tracking beyond the initial point in time: Detecting malware the first time you see it is important, but because malware constantly changes its appearance and the attackers who deploy it are sophisticated, what really matters is being able to keep analyzing a file and re-evaluating whether it is malicious after the initial point in time at which it was seen. Any enterprise should assume that no detection method is 100% effective. That is why malware protection technology needs to go beyond point-in-time detection and examine a file over a period of time: tracking where it goes, what it does when it gets there, and analyzing that behavior in the cases where an initial detection was not possible.
- Intelligence correlated with context to raise priority: With the ability to track and analyze behavior continuously at the file, process and communications level, behavioral indications of compromise can be used to further identify a compromise and to raise the alert priority for security teams, helping them distinguish noise from what really matters. Because the process is continuous, rather than a one-off enumeration of events, the technology keeps tracking and monitoring the malware even if the initial detection event is ignored. As more information is collected, the evidence snowballs, growing until it becomes too large for security teams to ignore.
Once an alert does reach the level of awareness, it is critical that the events leading up to and following the compromise be analyzed quickly, with the ability to zoom in and out to understand the scope and to answer exactly when, where and how the malware got there. The only way to do that is to continuously capture the information required for that analysis.
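The continuous tracking described under the previous two lessons ("Detection, monitoring and tracking beyond the initial point in time" and "Intelligence correlated with context to raise priority"), as an added example in Python that is not Cisco's or AMP's code: a correlator folds every file, process and network event that mentions a file hash into one trajectory, re-scores it on each event so that an alert nobody acted on is still escalated as the same file executes, calls out and spreads, and derives the containment scope from what it has tracked. The event kinds, weights, thresholds, hash, host names, process name and domain are all hypothetical choices constructed for this illustration.

```python
"""Continuous file-trajectory correlation.

Added example, not Cisco AMP code.  Every event that mentions a file hash is
folded into that hash's trajectory and the priority is recomputed, so an alert
the SOC never acted on is still escalated as the same file executes, calls out
and spreads.  Event kinds, weights and thresholds are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Hypothetical per-event weights; a real product would derive them from
# behavioural indicators of compromise rather than fixed constants.
WEIGHTS = {
    "file_seen": 1,       # hash first observed on a host (mail, web, file share)
    "detect_alert": 3,    # a point-in-time engine raised a generic alert
    "process_start": 2,   # the file was executed
    "callback": 4,        # outbound connection to a domain not seen before
    "lateral_copy": 3,    # same hash shows up on an additional host
    "retro_verdict": 10,  # intelligence later flips the hash to malicious
}

# Score floors for each priority label, highest first.
THRESHOLDS = [(15, "critical"), (8, "high"), (4, "medium"), (0, "low")]


@dataclass
class Trajectory:
    """Everything observed about one file hash, accumulated over time."""
    sha256: str
    score: int = 0
    hosts: set[str] = field(default_factory=set)
    processes: set[str] = field(default_factory=set)
    domains: set[str] = field(default_factory=set)
    timeline: list[tuple[str, str, str | None]] = field(default_factory=list)

    @property
    def priority(self) -> str:
        return next(label for floor, label in THRESHOLDS if self.score >= floor)


class Correlator:
    """Folds a stream of endpoint and network events into per-hash trajectories."""

    def __init__(self) -> None:
        self.files: dict[str, Trajectory] = {}

    def ingest(self, ev: dict) -> Trajectory:
        t = self.files.setdefault(ev["sha256"], Trajectory(ev["sha256"]))
        kind, host = ev["kind"], ev.get("host")
        # The same hash landing on a host we have not seen it on before is
        # lateral spread: it widens the scope and scores above a first sighting.
        if kind == "file_seen" and t.hosts and host not in t.hosts:
            kind = "lateral_copy"
        t.score += WEIGHTS[kind]
        if host:
            t.hosts.add(host)
        if kind == "process_start":
            t.processes.add(ev["process"])
        elif kind == "callback":
            t.domains.add(ev["domain"])
        t.timeline.append((ev["ts"], kind, host))
        return t

    def containment_plan(self, sha256: str) -> dict:
        """Scope derived from the trajectory: what to isolate, kill and block."""
        t = self.files[sha256]
        return {
            "priority": t.priority,
            "first_seen": t.timeline[0][0],
            "isolate_hosts": sorted(t.hosts),
            "kill_processes": sorted(t.processes),
            "block_domains": sorted(t.domains),
        }


# Constructed sample stream; hash, hosts, process and domain are made up.
# Timestamps are days after the file first arrived.
SAMPLE_EVENTS = [
    {"ts": "D+0 09:12", "kind": "file_seen", "sha256": "ab12", "host": "pos-017"},
    {"ts": "D+0 09:13", "kind": "process_start", "sha256": "ab12", "host": "pos-017",
     "process": "svc_update.exe"},
    {"ts": "D+3 02:40", "kind": "callback", "sha256": "ab12", "host": "pos-017",
     "domain": "cdn-updates.example"},
    {"ts": "D+3 02:41", "kind": "detect_alert", "sha256": "ab12", "host": "pos-017"},  # never acted on
    {"ts": "D+5 11:05", "kind": "file_seen", "sha256": "ab12", "host": "pos-233"},  # becomes lateral_copy
    {"ts": "D+5 11:06", "kind": "process_start", "sha256": "ab12", "host": "pos-233",
     "process": "svc_update.exe"},
    {"ts": "D+5 11:07", "kind": "detect_alert", "sha256": "ab12", "host": "pos-233"},  # ignored again
    {"ts": "D+9 00:00", "kind": "retro_verdict", "sha256": "ab12"},  # no host: verdict is on the hash
]


def replay(events: list[dict]) -> tuple[Correlator, list[tuple[str, str, int]]]:
    """Feed events in order; return the correlator and (ts, priority, score) after each."""
    c = Correlator()
    trace = []
    for ev in events:
        t = c.ingest(ev)
        trace.append((ev["ts"], t.priority, t.score))
    return c, trace


def run_sample() -> tuple[list[tuple[str, str, int]], dict]:
    """Replay the constructed stream; return the escalation trace and the plan."""
    c, trace = replay(SAMPLE_EVENTS)
    return trace, c.containment_plan("ab12")


if __name__ == "__main__":
    trace, plan = run_sample()
    for ts, prio, score in trace:
        print(f"{ts}  score={score:2d}  priority={prio}")
    print(plan)
```

Run stand-alone, the trace shows the point the lessons make: the generic alert at D+3 would have been one of hundreds on its own, but the trajectory already ranks it "high" because the file had executed and called out before it fired; the copy to a second host and the second execution push it to "critical" before any analyst touches either alert; and the later retrospective verdict re-scores the whole history rather than only the host that happened to be scanned at that moment. The containment plan is derived from tracked facts (which hosts, which process, which domain), which is what allows a targeted response instead of a broad-brush one.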
- Integrated containment and remediation capabilities: Finally, with continuous tracking and analysis, that context and depth of information can be used to surgically contain and remediate the problem without waiting for content or signature updates, or worse, resorting to a scorched-earth approach that disrupts customers and security staff alike. Cisco gives you visibility into the scope and root causes, and the ability to pinpoint the problem and remove it without the collateral damage and cost associated with broad-brush removal and remediation.
Although the industry acknowledges that advanced malware attacks require new and innovative solutions to detect and remediate, far too many organizations focus the entirety of their efforts on point-in-time detection and remediation tools. To have any chance of defending effectively against modern attacks, the solution must use a continuous model to track file interaction and activity across the network, and apply big data analytics, collective security intelligence and enforcement across networks, endpoints, web and email gateways, virtual systems and mobile devices.
Cisco is the only malware protection vendor that delivers this continuous security model for protection and remediation against the growing scourge of sophisticated malware attacks.

To learn more about Cisco's Advanced Malware Protection (AMP) and other Security Solutions, refer to the resources here and here, or contact your sales representative. And for a deeper look at our POS retail environment, watch the webinar here.
[i] Bloomberg BusinessWeek, "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It", http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
[ii] Bloomberg BusinessWeek video, http://www.businessweek.com/videos/2014-03-13/hacking-timeline-what-did-target-know-and-when
[iii] Reuters, "Target says it declined to act on early alert of cyber breach", http://www.reuters.com/article/2014/03/13/us-target-breach-idUSBREA2C14F20140313
[iv] Reuters, "Target says it declined to act on early alert of cyber breach", http://www.reuters.com/article/2014/03/13/us-target-breach-idUSBREA2C14F20140313
[v] Reuters, "Target says it declined to act on early alert of cyber breach", http://www.reuters.com/article/2014/03/13/us-target-breach-idUSBREA2C14F20140313