He also notes that the reconnaissance actions taken in step four are another example of abnormal usage that activity monitoring can detect.
"It's very important to monitor for reconnaissance," Be'ery says. "Every network looks different, has a different structure. Attackers have to learn about that structure through queries. That behavior is very different from the normal patterns of users."
Step 7: Propagate to Relevant Computers Using the New Admin Credentials
With their new credentials, the attackers could now proceed to go after their targets. But Aorato notes two obstacles were in their path: bypassing firewalls and other network-based security solutions that limit direct access to relevant targets, and running remote processes on various machines in the chain toward their relevant targets.
Aorato says the attackers used "Angry IP Scanner" to detect computers that were network accessible from the current computer and then tunneled through a series of servers to bypass the security measures using a port forwarding IT tool.
As for remotely executing processes on the targeted servers, Aorato says the attackers used their credentials in conjunction with the Microsoft PSExec utility (a telnet-replacement for executing processes on other systems) and the Windows internal Remote Desktop (RDP) client.
Aorato notes that both tools use Active Directory to authenticate and authorize the user, which means Active Directory is aware of this activity if anyone is looking for it.
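Both behaviours described above, the host-discovery sweep that a scanner like Angry IP Scanner produces and one account authenticating to many machines in quick succession over PsExec or RDP, leave a regular shape in the logs that Active Directory and the network already produce. The following is an added example, not Aorato's product or anything from the Target investigation, that runs two such checks over constructed flow records and constructed Windows Security-log logon events (Event ID 4624; logon type 3 is a network logon as produced by PsExec/SMB, type 10 is an RDP session). All hostnames, addresses and account names are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(minutes):
    # All constructed timestamps are offsets from one base time.
    return (datetime(2013, 11, 20, 2, 0) + timedelta(minutes=minutes)).isoformat()


# Constructed flow records. 10.0.5.23 touches 30 distinct hosts on port 445 in two
# minutes (what a host-discovery sweep looks like); 10.0.7.4 is an ordinary client.
SAMPLE_CONNECTIONS = [
    {"time": _t(i / 15), "src_ip": "10.0.5.23", "dst_ip": f"10.0.9.{10 + i}", "dst_port": 445}
    for i in range(30)
] + [
    {"time": _t(i * 7), "src_ip": "10.0.7.4", "dst_ip": "10.0.9.50", "dst_port": 443}
    for i in range(6)
]

# Constructed Security-log logons (Event ID 4624). logon_type 3 is a network logon
# (what PsExec/SMB produces), 10 is RemoteInteractive (RDP), 2 is a console logon.
SAMPLE_LOGONS = (
    [{"time": _t(5 + i), "host": f"SRV-0{i + 1}", "user": "svc_deploy", "logon_type": 3, "src_ip": "10.0.5.23"}
     for i in range(8)]
    + [{"time": _t(14), "host": "SRV-03", "user": "svc_deploy", "logon_type": 10, "src_ip": "10.0.5.23"}]
    + [{"time": _t(0), "host": "WKS-17", "user": "jdoe", "logon_type": 2, "src_ip": "-"},
       {"time": _t(30), "host": "FS-01", "user": "jdoe", "logon_type": 3, "src_ip": "10.0.7.4"}]
    # A backup account that legitimately reaches several hosts, but hours apart.
    + [{"time": _t(120 * i), "host": f"DB-0{i + 1}", "user": "svc_backup", "logon_type": 3, "src_ip": "10.0.2.9"}
       for i in range(4)]
)


def _max_distinct_in_window(events, window):
    """events: list of (datetime, value). Return the largest set of distinct
    values observed inside any sliding window of length `window`."""
    events = sorted(events)
    best = set()
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        seen = {v for _, v in events[start:end + 1]}
        if len(seen) > len(best):
            best = seen
    return best


def flag_network_scans(conns, window=timedelta(minutes=5), min_targets=20):
    """Return {src_ip: distinct destination count} for sources that reached at
    least `min_targets` different hosts within `window`."""
    per_src = defaultdict(list)
    for c in conns:
        per_src[c["src_ip"]].append((datetime.fromisoformat(c["time"]), c["dst_ip"]))
    flagged = {}
    for src, ev in per_src.items():
        n = len(_max_distinct_in_window(ev, window))
        if n >= min_targets:
            flagged[src] = n
    return flagged


def flag_lateral_movement(logons, window=timedelta(minutes=30), min_hosts=5):
    """Return {user: sorted hosts} for accounts that authenticated remotely
    (logon type 3 or 10) to at least `min_hosts` distinct hosts within `window`.
    The time window is what separates a fan-out from a service account that
    legitimately touches many machines over a day."""
    per_user = defaultdict(list)
    for e in logons:
        if e["logon_type"] in (3, 10):
            per_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    flagged = {}
    for user, ev in per_user.items():
        hosts = _max_distinct_in_window(ev, window)
        if len(hosts) >= min_hosts:
            flagged[user] = sorted(hosts)
    return flagged


if __name__ == "__main__":
    print("scans:", flag_network_scans(SAMPLE_CONNECTIONS))
    print("lateral movement:", flag_lateral_movement(SAMPLE_LOGONS))
```

The thresholds and windows are the knobs to tune per environment; the point of the example is that both checks work on authentication and flow data every Windows domain already has, without any sensor on the endpoint.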
Once the attackers had access to the targeted systems, they used the Microsoft Orchestrator management solution to gain persistent access, which would allow them to remotely execute arbitrary code on the compromised servers.
Step 8: Steal 70 Million PII. Do Not Find Credit Cards
At this point, Aorato says the attackers used SQL query tools to assess the value of database servers and a SQL bulk copy tool to retrieve database contents. And here, Be'ery says, is where PCI compliance seems to have presented a big obstacle to the attackers — ultimately what may have kept them to stealing "only" 40 million credit cards and debit cards rather than 70 million, a 40 percent reduction of the incident's repercussions.
Section 3.2 of the PCI-DSS standard states: "Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process."
In other words, while the attackers had already managed to access the PII of 70 million Target customers, they did not have access to credit card data. The attackers would have to regroup with a new plan.
"Since Target was PCI compliant, the databases did not store any credit card specific data, so they had to switch to plan B and steal the credit cards directly from the Point of Sales themselves," Be'ery says.
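What PCI-DSS 3.2 demands in practice is that the record a merchant keeps after an authorization contains none of the sensitive authentication data from the request, and that stored rows are periodically checked for it. The following is an added example, not code from Target, Aorato or the PCI council, that builds the storable record from a constructed authorization message and then scans constructed database rows for the data 3.2 forbids (and, as a related check, for clear-text PANs, which a separate requirement covers). The field names and the test card number 4111111111111111 are constructed.

```python
import re

# Field names under which sensitive authentication data (SAD) typically appears
# in a payment record; assumed names for this example.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "track1", "track2", "pin_block", "magstripe"}
# Track-2 layout: optional start sentinel, PAN, '=' separator, YYMM expiry.
TRACK2_RE = re.compile(r"^;?\d{13,19}=\d{4}")
PAN_RE = re.compile(r"\d{13,19}")


def luhn_ok(digits):
    """Mod-10 check used by card numbers; filters out plain numeric IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def store_after_authorization(auth_msg):
    """Return the record that may be persisted once authorization completes:
    masked PAN (first six, last four), expiry, auth code and amount. Every
    sensitive authentication field is dropped rather than copied."""
    pan = auth_msg["pan"]
    return {
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "expiry": auth_msg["expiry"],
        "auth_code": auth_msg["auth_code"],
        "amount": auth_msg["amount"],
    }


def find_stored_sad(rows):
    """Scan persisted rows and return (row index, column, reason) for every
    value that PCI-DSS 3.2 says must not be kept after authorization, plus
    clear-text PANs. Checks both the column name and the value's shape, so
    track data pasted into a free-text column is still caught."""
    findings = []
    for i, row in enumerate(rows):
        for key, value in row.items():
            if key.lower() in SAD_FIELDS and value:
                findings.append((i, key, "sensitive authentication field present"))
            elif isinstance(value, str):
                if TRACK2_RE.match(value):
                    findings.append((i, key, "track-2 data"))
                elif PAN_RE.fullmatch(value) and luhn_ok(value):
                    findings.append((i, key, "unmasked PAN"))
    return findings


# Constructed authorization request as the POS would send it; the cvv and
# track2 fields are the sensitive authentication data in question.
SAMPLE_AUTH = {
    "pan": "4111111111111111", "expiry": "2512", "cvv": "123",
    "track2": ";4111111111111111=25121011234?", "auth_code": "A1B2C3", "amount": 19.99,
}

# Constructed stored rows: a compliant record, a row that kept the raw request,
# and a row where track data ended up in a notes column.
SAMPLE_ROWS = [
    store_after_authorization(SAMPLE_AUTH),
    {"pan": "4111111111111111", "cvv": "123", "track2": ";4111111111111111=25121011234?"},
    {"order_id": "100042", "notes": ";4111111111111111=25121011234?"},
]

if __name__ == "__main__":
    print(store_after_authorization(SAMPLE_AUTH))
    for finding in find_stored_sad(SAMPLE_ROWS):
        print(finding)
```

The compliant record produced by `store_after_authorization` is worthless to someone who exfiltrates the table, which is exactly the obstacle Be'ery describes; `find_stored_sad` is the kind of check that verifies the rule is actually being followed in the database rather than only in the application code.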