The Target PoS Attack: Gleaning Information Security Principles

The Elements of Prevention, Detection, and Protection Must All Work Together

While there are always new and interesting things unfolding in the information security world, there are a handful of developments each year that are like something out of an edge-of-your-seat Hollywood blockbuster, or a gripping novel that ratchets up the suspense level with each page. Over the last few months, it is hard to argue that any event has been as captivating — or triggered more passionate discussion within and beyond the information security community — than the high profile Point-of-Sale (PoS) malware attack at retail giant Target.

Much has been written about this headline-grabbing attack, and there will be plenty more discussion and analysis to come. Despite the fact that I am very interested in what unfolds here, both as the CTO of my company, and as someone who has been a member of the security community for over a decade, I am not going to focus on the latest news. Instead, I would like to take a step back from the riveting details, and highlight four key information security principles that we have gleaned, so far, from the Target PoS attack, and that may be illuminating and instructive for enterprise security professionals:

Principle #1: An “impenetrable” security perimeter is a myth.

The Target PoS attack has demonstrated that, with so many possible threat vectors to choose from, it is no longer difficult for attackers to find vulnerabilities and breach a targeted (no pun intended!) victim. This is not to say that enterprises should abandon their existing security perimeter infrastructure; just because there are burglars who can pick locks, does not mean we should all remove our doors. Rather, it means that having unwavering faith in an “impenetrable” security perimeter is dangerous, and frankly, plays right into the hands of the adversaries who are counting on this over-reliance and over-confidence.

Principle #2: It only takes one infection for a massive, headline-grabbing breach to occur.

While our “hyper-connected workplace” can be credited for boosting everything from productivity to profits, it is nevertheless the bane of most enterprise security professionals’ existence, since it means that even one infection — and not necessarily within the actual network, but on a remote device — can lead to a full-blown breach. After all, the Target PoS attack did not originate within Target’s very well guarded network perimeter; it originated from one infected device, and then spread into the Target Point-of-Sales and other network devices from there.

Principle #3: Advanced threats are designed to work in multiple attack stages.

After infecting Target’s PoS devices, the malware used in the attack remained quiet for six days before it started transmitting stolen data to an external FTP server via another infected machine within the Target network. This behavior illustrates a somewhat lesser-known aspect of advanced persistent threats (APTs), which is that they are engineered to be part of a multi-phase attack. In fact, we have analyzed APTs whose sole purpose is to open a backdoor for future attacks; and not necessarily by the original threat actors, either. Underground forums are full of threat actors selling and buying access to infected machines belonging to compromised enterprises.

Principle #4: Enterprises need to proactively look into their network traffic.

As noted above, while transmitting stolen data to the external FTP server, the malware used in the Target PoS attack communicated with an infected server at Target. This is an object lesson in why enterprises, retailers, and every other organization for that matter should use automated traffic log analysis which, when combined with Big Data analytics that uses machine learning algorithms, can help identify anomalies within the network traffic and detect unknown threats that are already inside their organization.
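The kind of traffic analysis described in Principles #3 and #4 can be illustrated with a small detector. The following is an added example written for this page, not code from the article's author or from any product; it runs over constructed flow records (all addresses, ports, day indices and byte counts are made up) and looks for the multi-stage pattern the article describes: many internal hosts feeding one internal staging host, which after a quiet baseline period pushes an unusual volume to an external FTP destination it has never contacted before. The internal address range, thresholds and alert fields are assumptions chosen for the example.

```python
"""Added example (not from the article or any vendor): a small anomaly
detector over constructed flow records. It encodes the staging-then-exfil
pattern the article describes. All hosts, ports and volumes are made up."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range


@dataclass(frozen=True)
class Flow:
    day: int      # day index within the analysis window (0 = first day)
    src: str
    dst: str
    dport: int
    nbytes: int


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def detect_staging_and_exfil(flows, baseline_days, fanin_min=3, ratio_min=5.0):
    """Return one alert per (internal host, external destination) where, after
    the baseline period, the host
    (a) had received internal traffic from at least fanin_min distinct peers,
    (b) sent to an external destination on port 21 (FTP) that it never
        contacted during the baseline, and
    (c) sent more than ratio_min times its baseline daily external volume."""
    fan_in = defaultdict(set)                       # internal dst -> internal srcs
    base_bytes = defaultdict(int)                   # src -> external bytes in baseline
    base_dsts = defaultdict(set)                    # src -> external dsts in baseline
    recent = defaultdict(lambda: defaultdict(int))  # src -> (dst, dport) -> bytes
    last_day = max(f.day for f in flows)
    recent_days = max(last_day - baseline_days + 1, 1)
    for f in flows:
        src_int, dst_int = is_internal(f.src), is_internal(f.dst)
        if src_int and dst_int:
            fan_in[f.dst].add(f.src)            # lateral traffic: who feeds whom
        elif src_int:                           # outbound to the Internet
            if f.day < baseline_days:
                base_bytes[f.src] += f.nbytes
                base_dsts[f.src].add(f.dst)
            else:
                recent[f.src][(f.dst, f.dport)] += f.nbytes
    alerts = []
    for host, per_dst in recent.items():
        base_daily = base_bytes[host] / baseline_days
        for (dst, dport), nbytes in per_dst.items():
            recent_daily = nbytes / recent_days
            if (dport == 21
                    and dst not in base_dsts[host]
                    and recent_daily > ratio_min * max(base_daily, 1.0)
                    and len(fan_in[host]) >= fanin_min):
                alerts.append({"host": host, "dst": dst, "bytes": nbytes,
                               "peers": len(fan_in[host]),
                               "baseline_daily_bytes": base_daily})
    return alerts


def build_sample_flows():
    """Constructed traffic: six quiet baseline days (0-5), then day 6."""
    flows = []
    pos_hosts = [f"10.1.1.{i}" for i in range(1, 5)]
    for day in range(7):
        # terminals push small batches to an internal staging host every day
        for pos in pos_hosts:
            flows.append(Flow(day, pos, "10.0.5.20", 445, 4_000))
        # staging host and a file server talk to a legitimate SaaS endpoint
        flows.append(Flow(day, "10.0.5.20", "203.0.113.7", 443, 2_000))
        flows.append(Flow(day, "10.0.5.30", "203.0.113.7", 443, 50_000))
    # day 6: staging host uploads the collected data to a new external FTP server
    flows.append(Flow(6, "10.0.5.20", "198.51.100.9", 21, 5_000_000))
    # day 6: file server also uses a new FTP site, but with no fan-in and a
    # volume well inside its baseline, so it should not alert
    flows.append(Flow(6, "10.0.5.30", "192.0.2.44", 21, 9_000))
    return flows


if __name__ == "__main__":
    for alert in detect_staging_and_exfil(build_sample_flows(), baseline_days=6):
        print(alert)
```

Run on the constructed flows, the detector raises exactly one alert, for 10.0.5.20 talking to 198.51.100.9, because that host is the only one that both collects data from several internal peers and then breaks its own outbound baseline toward a new FTP destination. The three conditions are deliberately combined rather than used alone: a new FTP destination or a volume spike by itself is common on a large network, while the fan-in requirement ties the outbound anomaly to the lateral-movement stage that precedes it.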

Advanced threats cannot be 100% prevented

If any of the principles above suggest that Target could have done something to 100% prevent the possibility of a malware attack, then let me set the record straight: there is no way for Target (or anyone else for that matter) to completely prevent malware attacks. As such, it is incumbent upon enterprise security professionals to adopt a new paradigm: one that continues to leverage intelligent prevention methods, tools and technologies, and augments those with solutions that emphasize detection and protection. Without all three elements working together — prevention, detection, and protection — threat actors will always have the advantage, and will find a way to carry out their illicit economic, political or social agendas. And from a victimized enterprise to the security community as a whole, that scenario is not merely problematic – it is unacceptable.
