
TARGET BREACH: Security warning ignored before heist

NetworkingStudent Member Posts: 1,407

Pretty crazy these guys had FireEye and it detected the malware; however, Target IT security employees decided to wait a week to delete the malware.

Please go to link for the video:

TARGET BREACH: Security warning ignored before heist - KMSP-TV
"When one door closes, another opens; but we often look so long and so regretfully upon the closed door that we do not see the one which has opened."

--Alexander Graham Bell,
American inventor

Comments

  • Cert Poor Member Posts: 240
    I believe the Chief Technology Officer resigned as well. (Or was forced to resign.)
    In progress: MTA: Database Fundamentals (98-364)
    Next up: CompTIA Cloud Essentials+ (CLO-002) or LPI Linux Essentials (010-160)
    Earned: CompTIA A+, Net+, Sec+, Server+, Proj+
    ITIL-F v3 2011 | ServiceNow CSA, CAD, CIS | CWNP CWTS
  • YFZblu Member Posts: 1,462
    Some analysts get so used to flicking away false positives day in and day out that when an actionable security incident comes around, a bad analyst might flick it away just like the rest, or fail to treat an incident with the seriousness it deserves. I'm not saying that's what happened at Target, but it's possible.

    I'm currently working in my 2nd SOC environment monitoring real-time security alerts; not all analysts are created equal. Like all areas of IT, some of them are utterly worthless. Ultimately it's Management's job to help prevent burnout, and put the right pieces in place.
  • docrice Member Posts: 1,706
    Whenever you introduce a new technology into the environment, whether signature or analysis-based (FireEye being the latter), there's always the chance of false-positive noise which requires a degree of tuning. Solutions like FireEye aren't so easily fooled since they validate potential actions of payloads (although they don't confirm if a payload was executed on a target and its associated exploit was successful). I've seen false positives on FireEye before though, although few in number.

    Part of analysis is assessing impact and prioritizing accordingly. If you detect legitimate malware on the wire, you need to also determine if the potential victim host was vulnerable or the likelihood of compromise (did antivirus catch it, was the host patched against the particular vulnerability, was sufficient hardening already in place to mitigate the intrusion, etc.). Determining context is everything, otherwise you waste a lot of people's time going on wild goose chases, re-imaging machines when it wasn't necessary, and reducing employee productivity.

    In a security environment, there can be a lot of dashboard noise for analysts which leads to event fatigue. Whenever a new shiny box is deployed, it's easy to assume it'll require calibration before its output gets taken seriously. That said, there could be many reasons why the Target security team missed or chose to ignore these issues, including lack of integration into their main alert systems, lack of support for escalated events, and so on.

    A lot of organizations dampen the severity of these issues, choose to accept the risk to reduce business disruption (remember that the Thanksgiving/Christmas holidays are a major revenue window for the year), or don't resource a SOC sufficiently to keep up with the potential flood of alerts and prevent staff exhaustion.

    Constant attention and 24x7x365 vigilance are very mentally draining and can certainly lead to burn-out. When you're swimming in an ocean of data and trying to connect the dots from disparate systems, it's very easy to become drowned in irrelevant tides.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • JeanM Member Posts: 1,117
    docrice - you are exactly right imho. I haven't worked with FireEye, but the same concept applied with another big-name monitoring solution at a big hospital I worked at, called BMC Patrol/BPPM. I have to agree, the amount of "noise" these add to the already busy monitoring screens at a SOC can be very taxing. Especially if the system is new to the environment, the staff may not know how to react and some alerts may not be mapped properly to cut tickets, etc. Things like alert severity/priority/de-duping, mapping with the ticketing system and then alerting the correct staff all add failure points.
    2015 goals - ccna voice / vmware vcp.
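The two posts above (docrice on assessing impact before acting, JeanM on de-duping and severity mapping) describe a triage step that sits between the detection box and the ticket queue. The following is an added example, written for this thread rather than taken from any vendor or from the posters: a small Python pipeline that collapses repeated hits on the same host into one record, enriches each unique alert with host context (was the host patched against the referenced flaw, did antivirus already quarantine the file, how valuable is the asset), scores it, and decides whether to escalate. The alert and inventory records are constructed sample data, and every field name, the weights, and the escalation threshold are assumptions, not any product's schema or policy.

```python
"""Added example (not from the thread): de-duplicate, enrich, and rank sandbox
alerts so an analyst sees one prioritised record per host/file pair instead of
a stream of repeats. Field names and weights are assumptions."""
from collections import OrderedDict

# Constructed sample alerts, shaped like what a network sandbox might emit.
# The same file is seen three times on the same register within minutes.
SAMPLE_ALERTS = [
    {"ts": "2013-11-30T03:12:07Z", "host": "pos-reg-117", "sha256": "hash-A",
     "verdict": "malicious", "vuln": "VULN-EXAMPLE-1"},
    {"ts": "2013-11-30T03:13:40Z", "host": "pos-reg-117", "sha256": "hash-A",
     "verdict": "malicious", "vuln": "VULN-EXAMPLE-1"},
    {"ts": "2013-11-30T03:15:02Z", "host": "pos-reg-117", "sha256": "hash-A",
     "verdict": "malicious", "vuln": "VULN-EXAMPLE-1"},
    {"ts": "2013-11-30T03:20:55Z", "host": "hr-laptop-42", "sha256": "hash-B",
     "verdict": "malicious", "vuln": "VULN-EXAMPLE-2"},
    {"ts": "2013-11-30T03:31:19Z", "host": "kiosk-07", "sha256": "hash-C",
     "verdict": "suspicious", "vuln": None},
]

# Constructed host inventory: which vulnerability IDs each host is patched
# against, whether endpoint AV already quarantined the file, and asset tier.
SAMPLE_INVENTORY = {
    "pos-reg-117": {"tier": "payment", "patched": set(), "av_quarantined": False},
    "hr-laptop-42": {"tier": "user", "patched": {"VULN-EXAMPLE-2"}, "av_quarantined": True},
    "kiosk-07": {"tier": "user", "patched": set(), "av_quarantined": False},
}

ESCALATE_AT = 8  # assumed threshold; tune to the team's capacity


def dedupe(alerts):
    """Collapse repeated detections of the same file on the same host into one
    record carrying the first timestamp and a hit count (JeanM's de-duping)."""
    merged = OrderedDict()
    for alert in alerts:
        key = (alert["host"], alert["sha256"])
        if key not in merged:
            merged[key] = dict(alert, first_seen=alert["ts"], count=0)
        merged[key]["count"] += 1
    return list(merged.values())


def enrich(alert, inventory):
    """Attach host context. A host missing from the inventory is treated as
    unpatched and unprotected, so an inventory gap raises priority rather
    than silently lowering it."""
    unknown = {"tier": "unknown", "patched": set(), "av_quarantined": False}
    host = inventory.get(alert["host"], unknown)
    vuln = alert.get("vuln")
    return dict(alert,
                tier=host["tier"],
                host_patched=(vuln is not None and vuln in host["patched"]),
                av_quarantined=host["av_quarantined"])


def score(alert):
    """Rank by likely impact (docrice's context questions): verdict strength,
    whether the host was actually exposed, whether AV already contained it,
    asset value, and repeat hits (capped so volume alone does not dominate)."""
    s = 5 if alert["verdict"] == "malicious" else 2
    s += 0 if alert["host_patched"] else 3
    s -= 2 if alert["av_quarantined"] else 0
    s += {"payment": 3, "server": 2}.get(alert["tier"], 0)
    s += min(alert["count"] - 1, 2)
    return s


def triage(alerts, inventory):
    """Full pipeline: dedupe -> enrich -> score -> sort, tagging each record
    with the action the analyst should take."""
    ranked = [enrich(a, inventory) for a in dedupe(alerts)]
    for a in ranked:
        a["score"] = score(a)
        a["action"] = "escalate" if a["score"] >= ESCALATE_AT else "queue"
    ranked.sort(key=lambda a: (-a["score"], a["first_seen"]))
    return ranked


if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS, SAMPLE_INVENTORY):
        print(f'{a["action"]:8} score={a["score"]:2} hits={a["count"]} '
              f'{a["host"]} {a["sha256"]} patched={a["host_patched"]} '
              f'av={a["av_quarantined"]} tier={a["tier"]}')
```

With the sample data, the three hits on the payment register collapse into one record that escalates, while the laptop whose antivirus already quarantined a file the host was patched against drops to the bottom of the queue. The point is the ordering, not the exact numbers: the weights are placeholders, and the useful design choice is that missing inventory data pushes an alert up, never down.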