Lessons Learned from the Target Breach

Jon Oltsik

Anyone involved in cybersecurity (practitioners, managers, researchers, vendors, etc.) should make sure to read and internalize the Senate report released yesterday titled A "Kill Chain" Analysis of the 2013 Target Data Breach. The report takes readers through each step of the well-established Lockheed Martin "kill chain," illustrating how the Target attack was initiated, how it progressed, and what Target should have done to prevent, detect, and respond at each phase. (Note: In addition to the Senate report, there is an excellent synopsis of the Target breach in this BusinessWeek article.)

These two publications lay out the whole enchilada - from the initial incursion, through the breach, to the public announcement on December 19, 2013.  In fact, Target CFO John Mulligan testified before the U.S. Senate Committee on Commerce, Science, and Transportation yesterday (March 26, 2014), to update the Feds on the breach itself and its aftermath.

The report points to some fundamental cybersecurity errors in terms of people, process, and technology.  These issues are well-documented so there's no need to repeat them here, but I did come away with a few additional thoughts after reading through each publication:

1.  The cybersecurity skills shortage probably had an influence on the Target breach.  According to ESG research, 39% of enterprise organizations say that their biggest incident detection/response challenge is a "lack of adequate staff," while 28% claim that their biggest incident detection/response challenge is a "lack of adequate skills."  I believe these kinds of skills issues may have been in play at Target.  Why?  First, the BusinessWeek article reveals that Target's Security Operations Center (SOC) manager left the company in October, before the breach.  Other SOC personnel may have depended upon their manager's skills and authority, and thus Target took a big cybersecurity skills hit at the exact time of the attack.  The report also postulates that cybercriminals were able to advance the attack using a default administrator password of a BMC software product.  It may be that an overworked IT security and operations team simply missed this obvious security faux pas.  Finally, the security staff did not act when it was alerted by FireEye anti-malware systems and its cybersecurity support staff in India.  Clearly FireEye and the India team did their job, but these alerts still required Target's Minnesota-based security team to investigate the incident further.  It's likely that this overworked team was buried under the volume of holiday transactions and an avalanche of other security alerts, so they decided to fight other fires.

2.  The notion of a network perimeter is ancient history.  Didn't the Jericho Forum warn about "de-perimeterization" about 10 years ago?  In spite of this caution and everything that's happened since then, the Target breach was initiated through the compromise of one of the retailer's service providers, a small HVAC company in PA (i.e. outside the network perimeter).  This is just a blind guess, but I've got to believe that this heating and air conditioning firm isn't staffed by ex-NSA cybersecurity experts.  Of course, third-party suppliers, business partners, and customers need network access, but Target let these outsiders in with basic username/password authentication, and didn't do nearly enough to segment the network to keep them out of sensitive areas.  So Target opened its network to outsiders without managing cyber supply chain risks in an adequate fashion - an all too common mistake.
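As an added illustration (not from this post, the Senate report, or Target), here is one way a defender can turn the segmentation point above into a repeatable check: audit every firewall rule whose source is a third-party zone and flag any that reaches a sensitive zone, reaches an unrestricted destination, or relies on a password alone. The zone names, the rule model, and the sample policy are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed zone names for illustration; a real policy would use the
# firewall's own zone/VLAN identifiers.
SENSITIVE_ZONES = {"pos", "cardholder-data"}
VENDOR_ZONES = {"partner-hvac", "partner-other"}
VENDOR_ALLOWED_DST = {"vendor-portal"}      # the only place a vendor should land


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str      # "any" means an unrestricted destination
    auth: str          # how the source is authenticated: "password" or "mfa"


def audit_vendor_rules(rules):
    """Return (rule name, reason) pairs for third-party rules that break
    segmentation or rely on a password alone, in the order the rules appear."""
    findings = []
    for r in rules:
        if r.src_zone not in VENDOR_ZONES:
            continue                         # only third-party sources are in scope
        if r.dst_zone == "any" or r.dst_zone in SENSITIVE_ZONES:
            findings.append((r.name, f"vendor zone reaches {r.dst_zone}"))
        elif r.dst_zone not in VENDOR_ALLOWED_DST:
            findings.append((r.name, f"vendor zone reaches non-portal zone {r.dst_zone}"))
        if r.auth != "mfa":
            findings.append((r.name, "password-only authentication for third party"))
    return findings


# Constructed sample policy: one vendor rule stays on the portal with MFA,
# one legacy vendor rule reaches anything with a password alone, and one
# internal rule is out of scope for this audit.
SAMPLE_RULES = [
    Rule("hvac-billing", "partner-hvac", "vendor-portal", "mfa"),
    Rule("hvac-legacy", "partner-hvac", "any", "password"),
    Rule("corp-to-pos", "corp-it", "pos", "mfa"),
]

if __name__ == "__main__":
    for name, reason in audit_vendor_rules(SAMPLE_RULES):
        print(f"{name}: {reason}")
```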
