Given the recent news of Target’s data breach, where 40 million credit card numbers and security codes have been compromised, many of us wonder how this could have been prevented.
Even though investigations into how the attackers got into Target's systems (or those of its partners) are still under way, there are common steps an attacker must take in a breach of this magnitude in order to exfiltrate the data efficiently.
Because these commonalities exist, it is imperative that an early detection process is in place that can interrupt the progression of the attack. The attacker could have used a malicious executable to capture the data, a misconfigured network share to stage it, and an unknown listening port or outbound connection on an endpoint to move it out.
By watching all three, you could track the movement of data from the compromised endpoint to the storage point used for mass exfiltration. There are several ways this type of incident could have been detected early and the data breach prevented:
Detecting rogue executables: An attacker in a breach of this scale most likely installed malicious code on the endpoints to capture card data. Detecting these rogue executables is important because each compromised endpoint is a collection point; the attacker would need to offload data from all of the remote collection points (POS terminals) to a central place in order to retrieve it.
Detection of new and unknown listening ports: The attacker would have used a non-standard port, or an insecure one, to send the data to their destination. If you could see that a new port had been opened, or that a new outbound connection had been made, you could track where the data was going.
Improper or misconfigured network shares: This step would have been critical to the attacker, who would not want to connect to each terminal in each store nationwide to extract the data it had collected. They would rather exfiltrate the data from one location than from many, to minimize the risk of being detected. Once the data was on a centralized staging point, it went from there to the attacker's destination, where it could be sold or used at will.
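All three signals above are change detections: take a known-good baseline of an endpoint, compare it with the current state, and alert on what differs. The following is an added example of that logic, not Tripwire's own rule content; the snapshot format, host names, paths, hashes, share names and addresses are constructed for illustration, and the staging-host heuristic (several endpoints newly talking to the same internal destination) is the author's own generalization of the "central collection point" described in the text.

```python
"""Baseline-diff detection for the three early-warning signals discussed in
this post: rogue executables, new listening or outbound ports, and
misconfigured network shares.  Added illustration; all sample data is
constructed (hosts, paths, hashes, addresses are not real indicators)."""

from collections import Counter
from dataclasses import dataclass, field

RISKY_PRINCIPALS = {"Everyone", "ANONYMOUS LOGON", "Guest"}
WRITE_PERMS = {"write", "change", "full"}


@dataclass
class Snapshot:
    """What an endpoint agent would report for one host at one point in time."""
    executables: dict = field(default_factory=dict)  # path -> sha256 hex digest
    listeners: set = field(default_factory=set)      # (proto, port, process)
    outbound: set = field(default_factory=set)       # (dest_ip, dest_port, process)
    shares: dict = field(default_factory=dict)       # name -> {"path": str, "acl": {principal: perm}}


def detect_rogue_executables(baseline, current):
    """Executables that appeared, or whose hash changed, since the baseline."""
    alerts = []
    for path, digest in sorted(current.executables.items()):
        known = baseline.executables.get(path)
        if known is None:
            alerts.append(("new_executable", path, digest))
        elif known != digest:
            alerts.append(("modified_executable", path, digest))
    return alerts


def detect_new_ports(baseline, current):
    """Listening sockets and outbound connections not present in the baseline."""
    alerts = [("new_listener",) + l for l in sorted(current.listeners - baseline.listeners)]
    alerts += [("new_outbound",) + c for c in sorted(current.outbound - baseline.outbound)]
    return alerts


def detect_misconfigured_shares(current):
    """Shares that an unauthenticated or low-privilege principal can write to."""
    alerts = []
    for name, share in sorted(current.shares.items()):
        for principal, perm in share["acl"].items():
            if principal in RISKY_PRINCIPALS and perm in WRITE_PERMS:
                alerts.append(("writable_share", name, share["path"], principal, perm))
    return alerts


def run_checks(host, baseline, current):
    """All three checks for one host; each alert is prefixed with the host name."""
    found = (detect_rogue_executables(baseline, current)
             + detect_new_ports(baseline, current)
             + detect_misconfigured_shares(current))
    return [(host,) + a for a in found]


def find_staging_hosts(alerts, min_sources=2):
    """Destinations that several endpoints newly connect to: a likely
    collection point where data is gathered before mass exfiltration."""
    dests = Counter()
    for a in alerts:
        if a[1] == "new_outbound":
            dests[(a[2], a[3])] += 1          # (dest_ip, dest_port)
    return {d for d, n in dests.items() if n >= min_sources}


# --- constructed sample data (not real hosts, hashes or malware names) -------

GOLD_TERMINAL = Snapshot(
    executables={"C:\\POS\\pos.exe": "a" * 64, "C:\\Windows\\System32\\svchost.exe": "b" * 64},
    listeners={("tcp", 3389, "svchost.exe")},
    outbound={("10.1.0.10", 443, "pos.exe")},   # the legitimate payment gateway
)


def terminal_after_compromise(scraper_hash):
    """A terminal with a new scraper binary that pushes dumps to a store server over SMB."""
    snap = Snapshot(dict(GOLD_TERMINAL.executables), set(GOLD_TERMINAL.listeners),
                    set(GOLD_TERMINAL.outbound))
    snap.executables["C:\\Windows\\System32\\memscrape.exe"] = scraper_hash
    snap.outbound.add(("10.1.5.20", 445, "memscrape.exe"))
    return snap


STORE_SERVER_BASELINE = Snapshot(
    shares={"public": {"path": "D:\\public", "acl": {"Domain Users": "read"}}},
)
STORE_SERVER_NOW = Snapshot(
    shares={"public": {"path": "D:\\public", "acl": {"Domain Users": "read"}},
            "drop": {"path": "C:\\drop", "acl": {"Everyone": "full"}}},
    listeners={("tcp", 445, "System"), ("tcp", 4444, "ftp.exe")},
    outbound={("203.0.113.7", 21, "ftp.exe")},  # cleartext FTP out of the store
)


def demo():
    """Run the checks across two terminals and the store server they feed."""
    alerts = []
    for host in ("pos-0117", "pos-0118"):
        alerts += run_checks(host, GOLD_TERMINAL, terminal_after_compromise("c" * 64))
    alerts += run_checks("store-srv", STORE_SERVER_BASELINE, STORE_SERVER_NOW)
    return alerts, find_staging_hosts(alerts)


if __name__ == "__main__":
    found, staging = demo()
    for alert in found:
        print(*alert)
    print("likely staging hosts:", staging)
```

Each check on its own is noisy in a real estate (software updates change hashes, helpdesk tools open listeners), which is why the baseline must be a deliberately approved state and why the cross-host correlation in `find_staging_hosts` is the higher-value alert: a single terminal talking to a new internal address is a ticket, every terminal in a store doing so is an incident.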
How the attacker infiltrated the systems to carry out this distributed breach is unknown at this point. Regardless of the method, the scenarios above could have alerted security teams that data was being extracted. Even if the card readers themselves were the devices compromised, focusing detection on the patch server or processing gateway that serves those devices would be a good mitigation strategy.
At Tripwire we have helped many organizations create these alerts for early incident detection. Tripwire Enterprise users can benefit immediately from these cybercrime control rules, which are offered as free content that can be downloaded from the Tripwire Customer Center.
The information in this article is based on the details available at the time of writing.
- Combating ‘Smash and Grab’ Hacking with Tripwire Cyber Crime Controls
- Target Data Breach: Millions of In-Store Credit Cards Affected
- Major Breach Discovered During Deployment
- Additional Incident Detection articles on The State of Security
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
This publication is designed to assist executives by providing guidance for implementing broad baseline technical controls that are required to ensure a robust network security posture.
The author, a security and compliance architect, examined each of the Controls and has distilled key takeaways and areas of improvement. At the end of each section in the e-book, you’ll find a link to the fully annotated complete text of the Control.
Download your free copy of The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities today.
Also: Pre-register today for a complimentary hardcopy or e-copy of the forthcoming Definitive Guide™ to Attack Surface Analytics. You will also gain access to exclusive, unpublished content as it becomes available.
* Show how security activities are enabling the business
* Balance security risk with business needs
* Continuously improve your extended enterprise security posture
Title image courtesy of ShutterStock