Despite the massive scale of the theft of Personally Identifiable Information (PII) and credit card and debit card data resulting from last year's data breach of retail titan Target, the company's PCI compliance program may have significantly reduced the scope of the damage, according to new research by security firm Aorato, which specializes in Active Directory monitoring and protection.
Leveraging all the publicly available reports on the breach, Aorato Lead Researcher Tal Be'ery and his team catalogued all the tools the attackers used to compromise Target in an effort to create a step-by-step breakdown of how the attackers infiltrated the retailer, propagated within its network and ultimately seized credit card data from a Point of Sale (PoS) system not directly connected to the Internet.
Many of the details of how the breach occurred remain obscured, but Be'ery says it is essential to understand how the attack happened because the perpetrators are still active. Just last week, the Department of Homeland Security (DHS) and the United States Secret Service released an advisory warning that the malware used to attack Target's PoS system has compromised numerous other PoS systems over the past year.
Tracing the Attack Is Like Cyber Paleontology
While Be'ery acknowledges that some of the details in Aorato's account may be incorrect, he feels confident that the reconstruction is largely accurate.
"I like to think of it as cyber paleontology," Be'ery says. "There were many reports on the tools that were found in this incident, but they didn't explain how the attackers used these tools. It's like having bones, but not knowing what the dinosaurs looked like. But we know what other dinosaurs looked like. With our knowledge we were able to reconstruct this dinosaur."
In December 2013, in the midst of the busiest shopping season of the year, word began trickling out about a data breach at Target.
Soon the trickle was a torrent, and it would eventually become clear that attackers had gotten the Personally Identifiable Information (PII) of 70 million customers as well as data for 40 million credit cards and debit cards. CIO Beth Jacob and Chairman, President and CEO Gregg Steinhafel resigned. Target's financial damages may reach $1 billion, according to analysts.
Most who have followed the Target story know that it began with the theft of credentials of Target's HVAC contractor. But how did the attackers get from that initial point of penetration, at the boundary of Target's network, to the very heart of its operations? Be'ery believes the attackers took 11 deliberate steps.
Step 1: Install Malware that Steals Credentials
It started with stealing the credentials of Target's HVAC vendor, Fazio Mechanical Services. According to KrebsOnSecurity, which first broke the story of the breach, the attackers infected the vendor with general-purpose malware known as Citadel through an email phishing campaign.