The Elements of Prevention, Detection, and Protection Must All Work Together
While there are always new and interesting things unfolding in the information security world, there are a handful of developments each year that are like something out of an edge-of-your-seat Hollywood blockbuster, or a gripping novel that ratchets up the suspense level with each page. Over the last few months, it is hard to argue that any event has been more captivating — or has triggered more passionate discussion within and beyond the information security community — than the high-profile Point-of-Sale (PoS) malware attack at retail giant Target.
Much has been written about this headline-grabbing attack, and there will be plenty more discussion and analysis to come. Despite the fact that I am very interested in what unfolds here, both as the CTO of my company, and as someone who has been a member of the security community for over a decade, I am not going to focus on the latest news. Instead, I would like to take a step back from the riveting details, and highlight four key information security principles that we have gleaned, so far, from the Target PoS attack, and that may be illuminating and instructive for enterprise security professionals:
Principle #1: An “impenetrable” security perimeter is a myth.
The Target PoS attack has demonstrated that, with so many possible threat vectors to choose from, it is no longer difficult for attackers to find vulnerabilities and breach a targeted (no pun intended!) victim. This is not to say that enterprises should abandon their existing security perimeter infrastructure; just because there are burglars who can pick locks, does not mean we should all remove our doors. Rather, it means that having unwavering faith in an “impenetrable” security perimeter is dangerous, and frankly, plays right into the hands of the adversaries who are counting on this over-reliance and over-confidence.
Principle #2: It only takes one infection for a massive, headline-grabbing breach to occur.
While our “hyper-connected workplace” can be credited for boosting everything from productivity to profits, it is nevertheless the bane of most enterprise security professionals’ existence, since it means that even one infection — and not necessarily within the actual network, but on a remote device — can lead to a full-blown breach. After all, the Target PoS attack did not originate within Target’s very well guarded network perimeter; it originated from one infected device, and then spread into the Target Point-of-Sale and other network devices from there.
Principle #3: Advanced threats are designed to work in multiple attack stages.
After infecting Target’s PoS devices, the malware used in the attack remained quiet for six days before it started transmitting stolen data to an external FTP server via another infected machine within the Target network. This behavior illustrates a somewhat lesser-known aspect of advanced persistent threats (APTs), which is that they are engineered to be part of a multi-phase attack. In fact, we have analyzed APTs whose sole purpose is to open a backdoor for future attacks; and not necessarily by the original threat actors, either. Underground forums are full of threat actors selling and buying access to infected machines belonging to compromised enterprises.
Principle #4: Enterprises need to proactively look into their network traffic.
As noted above, while transmitting stolen data to the external FTP server, the malware used in the Target PoS attack communicated with an infected server at Target. This is an object lesson in why enterprises, retailers, and every other organization for that matter should use automated traffic log analysis which, when combined with Big Data analytics that uses machine learning algorithms, can help identify anomalies within the network traffic and detect unknown threats that are already inside their organization.
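One way to look for the two-hop pattern described above in network flow logs, as an added example that is not from the original post: it builds a per-host baseline of external destinations over the first week, then flags an internal host that starts sending a large volume to a new external FTP destination and lists the internal hosts that fed that relay during the detection window. The log format, addresses, and thresholds are constructed assumptions.

```python
# Added example: two-hop exfiltration check over constructed flow records.
# Format assumed per line: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <bytes>"
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
FTP_PORTS = {20, 21}

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def parse_flow(line):
    ts, src, dst, port, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)

def find_exfil_relays(lines, baseline_days=7, min_bytes=1_000_000):
    """Return {relay_ip: {"external": ftp_dst, "feeders": [internal srcs]}}.
    A relay is an internal host that, after the baseline window, sends at
    least min_bytes to an external FTP destination it never used before."""
    flows = sorted(parse_flow(l) for l in lines)
    cutoff = flows[0][0] + timedelta(days=baseline_days)
    seen = defaultdict(set)      # src -> {(dst, port)} observed in baseline
    feeders = defaultdict(set)   # internal dst -> internal srcs after cutoff
    findings = {}
    for ts, src, dst, port, nbytes in flows:
        if ts < cutoff:
            seen[src].add((dst, port))   # learn normal destinations
            continue
        if is_internal(src) and is_internal(dst):
            feeders[dst].add(src)        # lateral traffic into a host
        elif (is_internal(src) and port in FTP_PORTS
              and (dst, port) not in seen[src] and nbytes >= min_bytes):
            findings[src] = {"external": dst, "feeders": sorted(feeders[src])}
    return findings

# Constructed sample: one week of normal traffic, then PoS hosts 10.1.1.5/6
# push data to 10.2.2.9, which uploads to a never-before-seen external FTP.
SAMPLE = [
    "2013-12-01T09:00:00 10.2.2.9 203.0.113.10 443 5200",
    "2013-12-02T09:00:00 10.1.1.5 10.2.2.9 445 4096",
    "2013-12-10T03:00:00 10.1.1.5 10.2.2.9 445 30000000",
    "2013-12-10T03:05:00 10.1.1.6 10.2.2.9 445 25000000",
    "2013-12-10T03:10:00 10.2.2.9 198.51.100.7 21 55000000",
    "2013-12-10T04:00:00 10.3.3.3 203.0.113.10 443 800",
]

if __name__ == "__main__":
    print(find_exfil_relays(SAMPLE))
```

The feeder list is a pivot point for investigation, not proof of compromise; in a real deployment the baseline would come from weeks of history and the threshold from observed volumes.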
Advanced threats cannot be 100% prevented
If any of the principles above suggest that Target could have done something to 100% prevent the possibility of a malware attack, then let me set the record straight: there is no way for Target (or anyone else for that matter) to completely prevent malware attacks. As such, it is incumbent upon enterprise security professionals to adopt a new paradigm: one that continues to leverage intelligent prevention methods, tools and technologies, and augments those with solutions that emphasize detection and protection. Without all three elements working together — prevention, detection, and protection — threat actors will always have the advantage, and will find a way to carry out their illicit economic, political or social agendas. And from the victimized enterprise to the security community as a whole, that scenario is not merely problematic: it is unacceptable.