Target Breach Review: Stopping Attack Escalation

Jody Brazil

The Target incident opened a lot of eyes to the potential impacts of a security breach. While a lot is still unknown, there is significant information available about what happened and it’s worth taking a closer look at steps that enterprise security teams can employ to prevent their organizations from becoming victims of similar attacks.

Based on the reported details, malware, even well-known variants familiar to security vendors and researchers, clearly remains difficult to detect and stop outright. The attack that compromised Target’s point-of-sale devices was no cutting-edge advanced persistent threat, but rather a variation on a well-known piece of code available for only $2,000.

These details highlight the fact that, despite the continued evolution of malware analysis engines and solutions, some percentage of attacks will always evade initial detection and subsequent prevention. That said, what approach could security and IT risk management officials at Target and other enterprises adopt to prevent a repeat of such devastating results?

For starters, there is absolutely no reason that a malware compromise of one of Target’s point-of-sale systems, or even a small subset linked together for business purposes, should have resulted in the successful compromise of many other POS devices, let alone the organization’s underlying core systems.

Whether the campaign was in fact launched from a POS system itself or from deeper within Target’s network, the existing security controls that could have prevented propagation across the larger environment clearly were not functioning effectively. Without question, organizations of this scale have many different types of such network defenses in place (including firewalls, IDS, SIM, DLP, etc.), but in this case the attack escalation was not mitigated.

Every security and IT risk management official reviewing the Target attacks should be asking whether their organization is vulnerable to similar campaigns. They should also examine whether their existing network security controls are actually enforced in a way that would contain such an attack. Security teams should be conducting a tactical attack vector analysis of every available access pathway across their networks that could potentially expose critical systems, including, where applicable, POS devices, among others.

And while it may still be impossible to prevent every malware infection, effective network segmentation and enforcement of security device policy can be leveraged to limit the impact of attacks that circumvent initial anti-virus controls. No one would still be talking about Target if one store’s POS systems had been compromised; the reality is that the attack was able to propagate across its larger network.
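The attack vector analysis and segmentation check described in the two paragraphs above, as an added example that is not part of the original post or of any FireMon product: it walks a hypothetical first-match firewall rulebase, enumerates every cross-zone pathway the rules actually allow (one representative host per zone), and reports the ones the segmentation design never intended, together with the rule responsible. The zones, addresses and rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical first-match firewall rule; port None means "any port".
@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int]
    action: str

def first_match(rules, src_ip, dst_ip, port):
    """Return (action, rule_index) of the first matching rule, or ("deny", None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, r in enumerate(rules):
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action, i
    return "deny", None

def allowed_pathways(rules, zones, ports):
    """Every cross-zone (src_zone, dst_zone, port) the rulebase lets through,
    tested with one representative host per zone, mapped to the allowing rule."""
    hosts = {z: str(next(ipaddress.ip_network(n).hosts())) for z, n in zones.items()}
    paths = {}
    for sz in zones:
        for dz in zones:
            if sz == dz:
                continue  # intra-zone traffic does not cross the firewall in this model
            for p in ports:
                action, idx = first_match(rules, hosts[sz], hosts[dz], p)
                if action == "allow":
                    paths[(sz, dz, p)] = idx
    return paths

def segmentation_violations(paths, intended):
    """Pathways the firewall allows but the segmentation design never intended."""
    return {k: v for k, v in paths.items() if k not in intended}

# Constructed sample: two store POS segments, corporate, core card-data systems, payment gateway.
ZONES = {"store_a_pos": "10.10.1.0/24", "store_b_pos": "10.10.2.0/24",
         "corp": "10.20.0.0/16", "cde_core": "10.30.0.0/16", "payment_gw": "10.40.0.0/24"}
RULES = [
    Rule("10.10.0.0/16", "10.40.0.0/24", 443, "allow"),  # POS -> payment gateway (intended)
    Rule("10.20.0.0/16", "10.10.0.0/16", 445, "allow"),  # corp -> POS management (intended)
    Rule("10.10.0.0/16", "10.0.0.0/8", None, "allow"),   # legacy "any" rule: POS can reach everything
]
PORTS = (443, 445, 3389)
INTENDED = {("store_a_pos", "payment_gw", 443), ("store_b_pos", "payment_gw", 443),
            ("corp", "store_a_pos", 445), ("corp", "store_b_pos", 445)}

if __name__ == "__main__":
    for (sz, dz, p), idx in sorted(segmentation_violations(allowed_pathways(RULES, ZONES, PORTS), INTENDED).items()):
        print(f"VIOLATION {sz} -> {dz}:{p} allowed by rule #{idx + 1}")
```

Every reported violation traces back to the single broad legacy rule, which is exactly the kind of gap that lets a compromise of one store's POS segment reach other stores and core systems.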

Traditional security technologies, including firewalls and next-generation firewalls, will continue to play a critical role in limiting the risk of malware infection, as well as the spread and success of modern threats. However, without the detailed information needed to identify gaps in network security, preventing, mitigating and remediating security breaches will remain a significant challenge.

Today’s enterprises already have the security capabilities in place to stop attacks such as the one that affected Target from escalating throughout their environment. What they need is greater visibility into how those defenses are aligned, arguably in real time, and more conclusive security intelligence about their overall level of IT risk exposure.

The FireMon Security Manager platform was designed for the specific purpose of providing enterprise practitioners with continuous visibility into the current alignment of their network security device infrastructure, as well as the related exposure of underlying vulnerabilities.

By gaining control of network access and isolating every pathway available across infrastructure that could be leveraged to introduce or escalate attacks, organizations can significantly limit their risk of falling prey to attacks such as the one experienced by Target.

Request an in-depth demonstration of FireMon Security Manager today and learn how more effective management of existing network security defenses can prevent and contain attacks, before your organization is forced to react and spend resources investigating past events instead of stopping those of tomorrow.