Bloomberg Businessweek released a story today regarding the Target breach that stated Target received not one, but two alerts regarding the malware on their network that sent 40 million credit cards and 70 million records of customer data into the greedy hands of criminals. Now, coming from a blue team background, this scenario happening on my $DAYJOB’s network keeps me up at night. One of my greatest worries is that I’m missing some kind of chain of events that I’m not piecing together while some ankle biter runs rampant over my work’s systems. It keeps me, and any other defender worth their salt, always looking over our shoulders and through our logs.
That being said, the article makes it sound like these alerts were gift wrapped, tied with a bow, and adorned with a sign that said THIS IS GOING TO STEAL CREDIT CARDS surrounded by blinking LEDs. Anyone who has worked in a SOC or in an analyst position knows that this is never the case. Starting from an event and working backwards to pick out from the noise the bits of applicable data that pointed to the event is trivial; trying to pick out data and see a pattern that points to an event on the horizon is much, much harder.
We’ve seen this kind of analysis before: anyone who has read into military intelligence failures such as the September 11th or Pearl Harbor attacks knows that there was a chain of events that, when pieced together, makes it obvious to any casual observer that the events were going to take place, and that if someone had simply acted, these tragedies would have been prevented. What the casual observer doesn’t realize is that while yes, the information was there, it likely was fragmented, incomplete, and most importantly, competing with many other bits of data that pointed to something else or nothing at all. The ability to take this data and form an accurate prediction about future events that allows someone to act takes skill, luck, and a bit of hubris.
I’m not saying Target has clean hands on this: they got their ass kicked, their security team failed, and anyone who saw that report and dismissed it or waffled on it knows that they had a hand in every bit of fraud that occurred due to those stolen records. But I think it’s important to ask some questions before we condemn them as heavily as Bloomberg does:
- About that “team of security specialists in Bangalore”:
  - What was their false positive rate?
  - What was their false negative rate?
  - How trained were they?
  - How many alerts did they escalate on a daily basis?
- Regarding FireEye:
  - How trained were the SOC staff on analysis of FireEye reports?
  - How trained were the SOC staff on malware analysis in general?
  - What was the false positive rate of the FireEye device?
- Regarding the SOC in general:
  - Was there a defined process for malware remediation?
  - How many alerts did the SOC staff deal with on a daily basis?
  - Did SOC staff have the ability to pull the fire alarm?
The article from Bloomberg reads great, but it’s important to remember that it’s not a detailed analysis report. Sadly, with the current state of affairs in information sharing, we’ll likely never know exactly what happened at Target during those fateful weeks, and if we don’t know, we really can’t judge.