Anatomy of a Cyber Attack

Between November 27th, 2013 and December 15th, 2013, over 40 million credit and debit card details were compromised and around 70 million confidential customer records were copied from the servers of Target (a massive US retailer). So how did this happen and how could it have been prevented? What lessons can be learned to prevent smaller businesses, which may be less well equipped, from falling victim to this type of attack?

Target was deliberately attacked by cyber criminals who had been exploring potential vulnerabilities. Search engines provided valuable information and resources for the criminals including:

While Target’s IT team would have implemented security controls for the organisation, these would not prove to be sufficient against dedicated individuals seeking to exploit a vulnerable supply chain with unfettered access to Target systems.

Microsoft had published a detailed case study concerning Target’s use of technology throughout the organisation, highlighting the communication between sites and central management of services and devices.

The cybercriminals researched the vendors relied upon by Target who would have access to Target’s vendor portal. The vendor identified and exploited by the criminals in this instance was an HVAC supplier, “Fazio Mechanical”. Prior to the breach, an email containing malicious software was sent; this software stole credentials used to access Target’s online vendor portal.

Fazio Mechanical’s credentials were exploited and, once past Target’s “Boundary” security protocols, the criminals moved laterally through the network using common network tools to perform reconnaissance.

From here, custom malware was deployed to point-of-sale systems, where it remained undetected until after the campaign. This software proceeded to gather credit card information, saving it to small data files shared throughout the network. Once enough of this data was gathered, the criminals retrieved it using the default username and password for the performance monitoring and analysing software managing Target’s servers.

This resulted in massive repercussions for Target, its customers, employees, and banks. As well as the CEO and CIO losing their jobs, directors were threatened with removal and banks refunded more than $200 million for cards and refunds. Profits dropped 46% in the fourth quarter of 2013 during the historically lucrative holiday season.

Both Target and Fazio Mechanical had passed PCI compliance audits and checks and were certified against these regulations prior to the attack. While individual measures could have protected against a brute force attack, this directed attack would have required a more comprehensive approach.

Preventing an attack like this

Protecting any company from a targeted criminal attack requires a multi-layered, holistic approach to security. As highlighted in the Target scenario, the supply chain must be evaluated when considering IT and data security, as anyone with access could be compromised.
