Target Kill Chain Analysis

May 07, 2014, Rick Dakin, CEO, Co-founder and Chief Security Strategist

Last week, I talked with Wall Street Journal reporter Ben DiPietro about the persistent communications gap between the data center and the board room when it comes to recognizing and tackling security threats:

In almost every breach situation after his company completes a forensic analysis, Mr. Dakin said the chief executive or chief financial officer pulls him aside and says if he had better information earlier he would have made smarter and quicker decisions. “They are intimating that their tech teams are just not talking about cyber risk in terms of business impact.”

But when he speaks with the IT people, Mr. Dakin said he gets a different story, “that my boss just doesn’t get it and we are stuck here with outdated tools, outdated systems and we are not prepared to defend ourselves.”

This “communications breach” persists across many industries and countries. In April, the Ponemon Institute released a study of IT security practitioners that found 48 percent “believe their board-level executives have a sub-par understanding of security.” Eighty percent of respondents also said senior executives don’t see the revenue risk of losing confidential data, despite multiple surveys finding consumers will take their business elsewhere after a high-profile breach.

These are tough conversations, because security professionals often approach the issue from one perspective (technical, risk-focused), while company leaders have another (business drivers, costs).

To that end, a great resource just became available. Staff for the Senate Committee on Commerce, Science, and Transportation put together a blow-by-blow report of the breakdowns that allowed cyber attackers to steal the personal and financial information of more than 100 million Target customers.

As a C-level education document, the report succeeds on multiple levels:

  1. Attacks, defenses and missed opportunities are described in plain English, with minimal technical details to disrupt the presentation.

  2. As the story unfolds, it becomes clear that IT security can’t be achieved and checked off. It’s an ongoing, continuous effort that requires CEO and board-level leadership to move from mere compliance to true risk management.

  3. The authors place appropriate emphasis on the importance of defense-in-depth, a key component of modern cyber defense. Start with a firewall to keep most threats out, but also use dynamic monitoring programs, internal barriers between systems, and other controls to detect and defeat malware that makes it through the first line of defense.

The report is especially strong on point #3:

Instead of installing static defense tools and waiting for the next attack … network defenders should continuously monitor their systems for evidence that attackers are trying to gain access to their systems … When a defender analyzes the actions of attackers, finds patterns, and musters resources to address capability gaps, “it raises the costs an adversary must expend to achieve their objectives”… While the attacker must complete all of these steps to execute a successful attack, the defender only has to stop the attacker from completing any one of these steps to thwart the attack.

For all the things the report gets right, it does need some context. The congressional report indicates that Target’s security team missed some chances to stop the breach before it affected consumers, but they also did a lot of things correctly. They had a good security program and tools in place; they were compliant with payment card standards; and significant investments in security had been made. Most importantly, the security team we met at mutual training sessions throughout the years was top notch in both focus and skill.

The truth is that there are a great many companies that don’t come close to having in place the protections Target’s team did. When evaluating their own businesses, executives need to begin by assuming the worst – that a breach has already happened. Get a truly independent assessment and act now on what it recommends.
# # #
