
The Target Breach – Case Study, Lessons Learned and the Lockheed Martin Intrusion Kill Chain Model
Improve your AIX security by learning from the analysis of this breach

Stephen Dominguez, WW AIX and LoP Security Lead for IBM Lab Services
Sept 21st, 2016

Who am I?

• Peyton Manning/Broncos fan and also love jazz
• World-wide AIX and Linux on Power Security Lead for IBM Lab Services
• Worked with Power for 19 years, specifically security for 13
• I've worked with around 400+ corporate customers throughout the world
• Obtained US Top Secret Security Clearance in 2011
• I have a security blog, www.securitysteve.net
• You can follow me on twitter, @Secur1tySteve

• IBM Lab Services is a cost center that works closely with IBM development to assist Power customers with their systems
• To learn about all Lab Services' security services: www.securitysteve.net/consulting-services/
• We have several flexible-funding IBM programs available to provide security consulting services at no charge to eligible customers
• If you'd like for me to set up a conference call so we can chat about security, shoot me an email at [email protected]

Agenda

• Recent statistics on security breaches
• Introduction to the breach
• The Lockheed Martin Intrusion Kill Chain Model
• The 13 phases of the breach
• 5 major lessons from the Target breach
• Countering the breach in AIX

Recent Statistics on Security Breaches

From the June 2016 Ponemon Institute report "2016 Cost of Data Breach Study: Global Analysis"

Abstract of Ponemon Institute's Findings

• 383 companies surveyed from 12 different countries
• Average cost of a security breach at a large company globally: $4 million
• Since 2013, the costs have risen globally by 29%
• Average cost per stolen record globally is $158

Ponemon Institute's 7 Global Megatrends

1. The cost of a data breach hasn't fluctuated significantly since the research started
2. The biggest financial consequence to organizations that experienced a data breach is lost business, i.e. the cost of regaining and retaining customers' trust
3. Most data breaches continue to be caused by criminal and malicious attacks. These breaches also take the most time to detect and contain, and they have the highest cost per record
4. Investments are being made in technologies and in-house expertise to reduce the time to detect and contain a breach
5. Regulated industries, such as healthcare and financial services, have the most costly data breaches
6. Improvements in data governance programs reduce the cost of a data breach, for example incident response plans, appointment of a CISO, and employee training and awareness programs
7. Investment in certain data loss prevention controls and activities, such as encryption and endpoint security solutions, is important for preventing data breaches

Introduction to the Target Breach

Primary Reference
• The main reference for this session is "Case Study: Critical Controls that Could Have Prevented Target Breach" by Teri Radichel, [email protected]
• Permission has been obtained from Teri to abstract from her case study
• Target never released official details of the breach; the case study draws on around 50 other sources
• You can download the PDF of the case study from: www.securitysteve.net/links

Secondary Reference
• The secondary reference for this session is "The Target Store Data Breaches – Examination and Insight" by Marianna Hardy
• This is a book available from Amazon

Third Reference
• "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" by Lockheed Martin Corp
• Whitepaper. There's a link to it in the links section of my blog, www.securitysteve.net/links/

Abstract
• In December 2013, 40 million credit card numbers were stolen from 2000 Target stores by accessing data on point of sale (POS) systems
• On January 10th Target also announced that PII data, i.e. names, addresses, phone numbers, and email addresses, of up to 70 million customers was stolen
• There was an overlap of 12 million people between the two types of data stolen, so 98 million people in total were affected in one way or the other
• 11 GB of data was stolen
• The customer data was sold on online black market forums known as "card shops"
• The Senate Committee on Commerce concluded in March 2014 that Target missed opportunities to prevent the breach
• Target reported the breach cost them $61 million

Abstract continued ...
• Target security staff had made their concerns known about the vulnerabilities of the POS systems before the breach
• The attackers had access to Target systems for over a month
• Independent sources roughly estimate the cost of fraudulent charges resulting from the stolen card numbers at $250 million to $2.2 billion
• 80 lawsuits were filed against Target
• The Payment Card Industry (PCI) Council could have fined Target $400 million to $1.1 billion
• This was among the largest data breaches in U.S. history

Breach Aftermath
• CEO and CIO lost their jobs
• Target's board of directors were threatened with removal
• Banks paid $200 million to customers affected by the breach
• Banks sued Target's PCI compliance auditor, Trustwave
• Target has dealt with investigations from the Department of Justice, the FTC, and the SEC
• Target was hit by PCI compliance fines and state fines

The Lockheed Martin Intrusion Kill Chain Model

From "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains"

Advanced Persistent Threat (APT)
• Early security threats came from self-propagating code (viruses); anti-virus technology has reduced that risk
• A new class of threat has emerged: the APT
• An APT is an adversary that is well funded, highly skilled, drives the attack manually (not automated), and can sustain it over months or years
• "In February 2010, iSec Partners noted that current approaches such as anti-virus and patching are not sufficient, end users are directly targeted, and threat actors are after sensitive intellectual property. (Stamos, 2010)" – from the Lockheed white paper
• The Lockheed white paper says: "Yet APT actors continually demonstrate the capability to compromise systems by using advanced tools, customized malware, and 'zero day' exploits that anti-virus and patching cannot detect or mitigate."
• The Target attackers likewise used "advanced tools, customized malware and 'zero day' exploits that anti-virus and patching cannot detect ..."

What is a Kill Chain
• "A kill chain is a systematic process to target and engage an adversary to create desired effects"
• The kill chain concept comes from the military
• Lockheed adapted the kill chain concept to provide a structure for analyzing intrusions
• Lockheed's intrusion kill chain has seven phases: 1 Reconnaissance, 2 Weaponization, 3 Delivery, 4 Exploitation, 5 Installation, 6 Command and Control (C2), 7 Actions on Objectives. The breach phases that follow are mapped to these phase numbers
• Kill chains show where to deploy Computer Network Defense (CND): the set of processes used to detect, monitor, analyze, and defend against network intrusions
• The kill chain is an end-to-end, integrated process: a deficiency in any one segment interrupts the entire chain
• Multiple kill chains can occur within an adversary's campaign
• It helps in understanding the iterative nature of intelligence gathering

The 13 Phases of the Breach

Breach Phase 1: Reconnaissance
• Google searches were used to learn how Target interacts with its vendors
• The search revealed information about a vendor portal and a list of HVAC and refrigeration companies
• A Google search also revealed a case study on Microsoft's site that described Target's use of Microsoft virtualization software, centralized name resolution, and Microsoft System Center Configuration Manager (SCCM) to deploy patches
• This Microsoft case study revealed Target's technical infrastructure, including POS system information, in significant detail
• Kill Chain 1 Phase 1 (Reconnaissance)

Breach Phase 2: Phishing Attack
• Email sent to refrigeration vendor Fazio Mechanical 2 months before the breach
• Fazio could have blocked the malware with real-time malware prevention tooling. Instead, they were using the free version of Malwarebytes Anti-Malware, which has no real-time protection
• Malware, believed to be Citadel, was installed on a vendor computer
• The malware was embedded in a PDF or Microsoft Office document
• Citadel is a password-stealing bot program
• Citadel captured the login credentials for Target's online vendor portal
• Kill Chain 1 Phase 2 & 3 (Weaponization & Delivery)

Breach Phase 3: Access Target via Vendor Portal
• Attackers used the stolen login credentials to gain initial access to Target's network
• A former Target security team member indicated that it was probably Target's web portal for the Ariba external billing system
• According to the same source, this portal was not fully isolated from the rest of Target's network
• The attackers used an administrative BMC application account with its default username and password to move within the network
• Raw commands were issued on various systems, possibly using NetCat.exe, which could also have been used to load hacking tools onto compromised systems
• Access to the Target network was first gained on Nov 12th 2013
• The attackers used this initial C2 system to reach more sensitive parts of the Target network that stored customer data. This is a network segmentation problem
• Kill Chain 1 Phase 4, 5 & 6 (Exploitation, Installation, & C2)

Breach Phase 4: Establish a C2 System
• Attackers used the vendor portal as a pivot to other systems
• From this C2 system the attackers performed reconnaissance to look for vulnerabilities on other systems
• The attackers further infiltrated the Target network from this system
• Additional reconnaissance was performed from the system using network command tools
• Additional hacking tools were downloaded to the system
• Kill Chain 1 Phase 7 (Actions on Objectives)
• Kill Chain 2 Phase 1 (Reconnaissance)

Breach Phase 5: Vulnerable Domain Controller
• It is believed that the attackers found a vulnerable Windows Domain Controller that was used to gain access to the POS systems
• Each retail store was an autonomous unit except for centralized authentication, domain name resolution, and endpoint monitoring
• The Microsoft case study could have keyed the attackers to look for this centralized pivot point
• Kill Chain 2 Phase 1 (Reconnaissance)

Breach Phase 6: POS Malware Deployed
• The malware was probably distributed by an automated update process
• It is believed SCCM, Microsoft System Center Configuration Manager, was the deployment method
• The malware was a custom variant of "BlackPOS", undetectable by virus scanners. This malware was sold on the black market for $1800-$2300 (US dollars)
• The malware was first installed on POS systems starting Nov 15 2013
• The majority of Target POS systems had this malware installed by Nov 30th
• Kill Chain 2 Phase 2 & 3 (Weaponization & Delivery)

Breach Phase 7: C2 Dump Server
• Another server with network access to the POS systems served as a C2 system for the malware-infected POS systems
• This C2 dump server used a 3rd piece of malware to retrieve data from the POS systems to the dump server
• Kill Chain 2 Phase 5 & 6 (Installation & C2)

Breach Phase 8: C2 Dump Moves Data
• The card data was taken from POS memory as cards were swiped
• The data was written to a .dll file and copied to a temporary NetBIOS share over ports 139, 443 and 80
• The C2 dump server used its malware to retrieve the customer data
• Kill Chain 2 Phase 4 & 7 (Exploitation & Action)

Breach Phase 9: Signaling of Data Movement
• Attackers used customized ping packets to signal when data moved from a POS machine to a compromised machine on the Target LAN
• Netcat.exe, a Windows tool that reads and writes data over TCP and UDP connections, is a tool they may have used
• Kill Chain 3 Phase 1 (Reconnaissance)

Breach Phase 10: C2 Exfiltration Server
• On the Target network there was an "exfiltration" server that the attackers hijacked and used to install a 4th type of malware, which moved the stolen customer data through the Target network and Target's firewall out to external ftp servers
• Data was retrieved using the default administrative user name, Best1_user, and default password, BackupU$r, for BMC's Performance Assurance for Microsoft Servers
• Data was exfiltrated between 10am and 6pm so the transfers blended into normal business-hours traffic
• From Nov 30th to Dec 2nd the attackers updated this data exfiltration malware several times. Target's FireEye intrusion detection system triggered urgent alerts each time the malware was updated, but the Target security team neither reacted nor allowed FireEye to remove the identified malware
• Target's Symantec antivirus software also detected malicious behavior on this same server around Nov 2

• Kill Chain 3

Breach Phase 11: Data Moved to Drop Locations
• On Dec 2nd, the Target server with the data exfiltration malware sent customer data to an external ftp server, which was used to forward the data to hacked servers all over the world
• The Dell SecureWorks article "Inside a Targeted Point-of-Sale Breach" indicates 3 legitimate FTP servers were the drop locations
• The attackers had obtained compromised credentials for these servers and retrieved the data with the stolen credentials
• The servers were believed to be in Eastern Europe
• The data was transmitted in clear text
• Target's FireEye software detected this exfiltration malware and the destinations that it was sending data to
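The staging, signaling and exfiltration pattern of Phases 7 to 11 (POS terminal writes a dump to a share on an internal host, a customized ping announces it, and an internal server pushes the data to an external ftp server) can be expressed as detection rules over ordinary flow records. The Python below is an added example written for this page; it is not code from the deck, from Target, or from Teri Radichel's case study. Every subnet, allowlist entry and flow record in it is constructed for illustration, and the flow feed format (timestamp, source, destination, protocol, destination port, bytes) is an assumption.

```python
"""Flow-record detector for the Target-style staging/signaling/exfiltration chain.

Added example for this page; network ranges, allowlist and flow records are
constructed, not taken from Target or from the case study the deck cites.
"""
import ipaddress

# Constructed network model (hypothetical ranges).
POS_NET = ipaddress.ip_network("10.20.0.0/16")               # store POS terminals
INTERNAL = (ipaddress.ip_network("10.0.0.0/8"),)              # everything corporate
ALLOWED_SHARE_SERVERS = {ipaddress.ip_address("10.1.0.10")}  # e.g. the SCCM distribution point
# The deck says the dump went to a NetBIOS share over 139, 443 and 80;
# 445 is added because modern SMB runs there.
STAGING_PORTS = {139, 445, 80, 443}
NORMAL_PING_SIZES = {64, 84}   # ordinary echo-request datagram sizes


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def parse_flow(line):
    """Constructed feed: timestamp,src,dst,proto,dport,bytes (one flow per line)."""
    ts, src, dst, proto, dport, nbytes = line.strip().split(",")
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto.lower(),
            "dport": int(dport), "bytes": int(nbytes)}


def detect(lines):
    """Return findings as tuples (rule, src, dst[, severity])."""
    flows = [parse_flow(line) for line in lines if line.strip()]
    findings = []
    staging = set()   # internal hosts that received POS data (the Phase 7/8 dump server)

    for f in flows:
        # Rule 1 (Phase 8): a POS terminal writing to a share on an internal host
        # that is not an approved server means card data is being staged.
        if (f["src"] in POS_NET and f["proto"] == "tcp"
                and f["dport"] in STAGING_PORTS and is_internal(f["dst"])
                and f["dst"] not in ALLOWED_SHARE_SERVERS):
            staging.add(f["dst"])
            findings.append(("pos_share_staging", str(f["src"]), str(f["dst"])))
        # Rule 2 (Phase 9): ICMP from a POS terminal with a non-standard size
        # is the customized ping used to signal that a dump is ready.
        if (f["proto"] == "icmp" and f["src"] in POS_NET
                and f["bytes"] not in NORMAL_PING_SIZES):
            findings.append(("icmp_signal", str(f["src"]), str(f["dst"])))

    # Internal hosts that pulled from a staging host (dump server -> exfil server hop).
    tainted = set(staging)
    for f in flows:
        if f["src"] in staging and is_internal(f["dst"]):
            tainted.add(f["dst"])

    for f in flows:
        # Rule 3 (Phases 10/11): internal host -> external FTP. Deliberately no
        # time-of-day condition: the attackers exfiltrated between 10am and 6pm
        # to blend in, so an "after hours only" rule would have stayed silent.
        if (f["proto"] == "tcp" and f["dport"] == 21
                and is_internal(f["src"]) and not is_internal(f["dst"])):
            severity = "critical" if f["src"] in tainted else "high"
            findings.append(("ftp_exfil", str(f["src"]), str(f["dst"]), severity))
    return findings


# Constructed sample flows (RFC 1918 and documentation ranges, not real hosts).
SAMPLE_FLOWS = """\
2013-11-30T11:02:13,10.20.5.17,10.1.0.10,tcp,445,12000
2013-11-30T11:05:41,10.20.5.17,10.3.7.22,tcp,139,48000
2013-11-30T11:05:50,10.20.5.17,10.3.7.22,icmp,0,1200
2013-11-30T11:30:02,10.3.7.22,10.3.9.5,tcp,445,52000
2013-11-30T12:00:00,10.20.5.18,10.1.0.53,udp,53,120
2013-11-30T14:12:09,10.3.9.5,203.0.113.45,tcp,21,3100000
"""

if __name__ == "__main__":
    for finding in detect(SAMPLE_FLOWS.splitlines()):
        print(*finding)
```

Run on the sample, the first flow (POS terminal to the approved update server) is silent, the second and third raise the staging and signaling findings, and the ftp transfer from 10.3.9.5 is rated critical because that host pulled from the staging host. The rule that matters most for this breach is the absence of a business-hours filter in Rule 3.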

Breach Phase 12: Breach Detection Ignored
• Target's security monitoring software, FireEye, alerted staff in India
• The Indian staff notified the Minneapolis staff, but no action was taken
• The Minneapolis staff simply did nothing

Breach Phase 13: Cards on Black Market
• Customer credit cards were sold on the black market

5 Major Lessons from the Target Breach

Lesson 1: Compliance Isn't Everything
• Target passed their PCI compliance audits prior to the breach. John Mulligan, Target's Executive Vice President and Chief Financial Officer, testified that they had been certified in Sept 2013 as compliant with PCI-DSS
• Fazio Mechanical also stated they were compliant

The SANS report says:

'We can learn from the Target breach that compliance with baseline standards isn't enough. A comprehensive approach to security will consider all assets, not just those that fall under compliance regulations … As demonstrated in this breach, many different assets were used to move throughout the network, so consideration of the POS systems alone would not address the root causes that led up to this attack.'

Lesson 2: Holistic Security is the Answer
• A holistic approach to information security is more effective at protecting an organization from security breaches
• The SANS study recommended Risk Management and Defense in Depth

The SANS Study defines Risk Management as: 'Risk management assesses and prioritizes security needs based on what can cause the most damage to a company, rather than relying on legal or industry standard compliance.'

The SANS Study defines Defense in Depth as: 'Defense in depth makes use of multiple layers of protection.'

Lesson 3: Risk Management Recommendations
• Perform organization-wide risk management activities on a regular basis

The SANS report recommends:
• 'PCI compliance alone is not a risk management strategy.'
• 'Vulnerabilities and Threats for all systems, not just those within scope for compliance audits, are identified.'
• 'Threats and vulnerabilities are then prioritized and fixed to limit risk to an acceptable level.'
• 'Constant re-evaluation is required as the threat landscape is always changing.'
• 'Businesses need to employ an adequate number of security professionals who understand the business, the risks and the potential loss.'
• 'Security staff needs to be vigilant to understand new potential threats and vulnerabilities when they appear.'

Lesson 4: Insufficient Defense in Depth
• Target had several layers of security defenses: firewalls, malware detection software, intrusion detection and prevention capabilities, and data loss prevention tools
• But they needed better quality of implementation and more layers

The SANS report said:
• 'Although some level of segregation likely existed, vulnerable configuration and accounts allowed segregation strategies to be bypassed.'
• 'Despite the fact that they purchased expensive monitoring software, staff was not sufficient, not well-trained or inadequate processes turned those systems into a liability rather than an asset when it was determined that Target was notified, but did nothing to stop the breach.'

Lesson 5: Intelligence-Based CND
• The Lockheed white paper indicated: "As conventional, vulnerability-focused processes are insufficient, understanding the threat itself, its intent, capability, doctrine, and patterns of operation is required to establish resilience."
• Traditional security measures may be sufficient for thwarting the average hacker, but not the APT

Countering the Breach in AIX

If the Target systems had all been AIX partitions, how could we have countered each attack phase?

Attack Phase: AIX Countermeasures

Phases 1 & 2 (Reconnaissance, Phishing Attack): N/A

Phase 3 (Access Target via vendor portal):
• Multi-factor authentication with the RSA PAM module

Phase 4 (Establish a C2 system):
• AIX Role-based Access Control: limit access to privileged commands
• AIX Trusted Execution: control foreign command execution and lock policies in the kernel

Phase 5 (Vulnerable domain controller):
• Security hardening with PowerSC Security and Compliance Automation
• PowerSC Trusted Network Connect and Patch Management
• Network segmentation via VLANs; MSAD (Microsoft Active Directory) shouldn't have access to both PCI and non-PCI networks

Phase 6 (Malware deployed):
• AIX Trusted Execution with TEP (Trusted Execution Path)

Phase 7 (C2 dump server):
• AIX Enhanced RBAC and multi-factor authentication

Phase 8 (C2 dump moves data):
• AIX Role-based Access Control to eliminate unnecessary administrative access
• AIX Trusted Execution to prevent execution of malware and hacking tools

Phase 9 (Signaling of data movement):
• AIX Role-based Access Control
• AIX Trusted Execution

Phase 10 (C2 exfiltration server):
• AIX Role-based Access Control to eliminate unnecessary administrative access
• Password controls implemented with PowerSC Security and Compliance Automation
• Multi-factor authentication with the AIX PAM module

Phase 11 (Data moved to drop locations):
• Implement separation of duties for ftp with AIX Role-based Access Control
• Password controls implemented with PowerSC Security and Compliance Automation
• AIX Auditing to detect ftp

Phase 12 (Breach detection ignored):
• Runtime preventative execution functionality in AIX Trusted Execution
• PowerSC Real Time Compliance
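The Trusted Execution and RBAC countermeasures above map onto a handful of AIX commands. The script below is an added example written for this page, not code from the deck or from IBM. It assumes AIX 6.1 or later with the trustchk, mkrole, setkst, chuser and swrole commands; the two trustchk -p outputs embedded in it are constructed (the policy names are real, the values are made up), and the useradm role and ops1 account are hypothetical. The policy check runs anywhere; the hardening and role functions only make sense as root on AIX.

```sh
#!/bin/sh
# Added example for this page (not from the deck or from IBM): audit and
# enable AIX Trusted Execution (TE) policies, then create a least-privilege
# RBAC role. The two `trustchk -p` samples are constructed; the role
# "useradm" and the account "ops1" are hypothetical.

# TE policies that should be ON once the Trusted Signature Database (TSD)
# is complete. TEP restricts which directories may hold executables.
REQUIRED_TE_POLICIES="TE CHKEXEC CHKSHLIB CHKSCRIPT CHKKERNEXT STOP_UNTRUSTD STOP_ON_CHKFAIL TEP"

# Constructed `trustchk -p` output from a default (unhardened) partition:
# the weak setting that let foreign binaries and scripts run on Target's hosts.
SAMPLE_TRUSTCHK_OFF="TE=OFF
CHKEXEC=OFF
CHKSHLIB=OFF
CHKSCRIPT=OFF
CHKKERNEXT=OFF
STOP_UNTRUSTD=OFF
STOP_ON_CHKFAIL=OFF
LOCK_KERN_POLICIES=OFF
TEP=OFF
TLP=OFF"

# Constructed output after te_harden has run: the corrected setting.
SAMPLE_TRUSTCHK_ON="TE=ON
CHKEXEC=ON
CHKSHLIB=ON
CHKSCRIPT=ON
CHKKERNEXT=ON
STOP_UNTRUSTD=ON
STOP_ON_CHKFAIL=ON
LOCK_KERN_POLICIES=ON
TEP=ON
TLP=OFF"

# te_missing_policies "<trustchk -p output>"
# Prints the required policies that are not ON, space-separated (empty if compliant).
te_missing_policies() {
    _out=$1
    _missing=""
    for _p in $REQUIRED_TE_POLICIES; do
        _val=$(printf '%s\n' "$_out" | sed -n "s/^${_p}=//p")
        [ "$_val" = "ON" ] || _missing="$_missing $_p"
    done
    printf '%s\n' "${_missing# }"
}

# te_check: use the live trustchk on AIX, otherwise the constructed sample.
te_check() {
    if command -v trustchk >/dev/null 2>&1; then
        te_missing_policies "$(trustchk -p)"
    else
        te_missing_policies "$SAMPLE_TRUSTCHK_OFF"
    fi
}

# te_harden: run as root on AIX only AFTER every legitimate binary, library
# and script has been added to the TSD (trustchk -a <file>); otherwise
# STOP_UNTRUSTD=ON blocks your own tooling. Order matters: lock last.
te_harden() {
    trustchk -n ALL                     # report TSD integrity before enforcing
    trustchk -p TE=ON CHKEXEC=ON CHKSHLIB=ON CHKSCRIPT=ON CHKKERNEXT=ON
    trustchk -p STOP_UNTRUSTD=ON STOP_ON_CHKFAIL=ON
    trustchk -p TEP=/usr/bin:/usr/sbin:/etc   # executables allowed only here
    trustchk -p TEP=ON
    trustchk -p LOCK_KERN_POLICIES=ON   # cannot be changed again until reboot
}

# rbac_useradm_role: let an operator manage accounts without a root shell
# (Phases 4, 8 and 10: remove unnecessary administrative access).
rbac_useradm_role() {
    mkrole authorizations=aix.security.user dfltmsg="User administration" useradm
    setkst                              # load the role into the kernel security tables
    chuser roles=useradm ops1           # the operator then activates it with: swrole useradm
}

case "$(uname -s)" in
    AIX) echo "TE policies not ON: $(te_check)" ;;
    *)   echo "Not AIX; checking the constructed sample. TE policies not ON: $(te_check)" ;;
esac
```

Two caveats a practitioner will want: STOP_UNTRUSTD=ON enforces immediately, so populate and verify the TSD first or your own administration scripts stop running; and LOCK_KERN_POLICIES=ON is what stops an attacker who has gained root from simply turning TE back off, at the cost of needing a reboot to change policy yourself.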

Summary
• The Ponemon Institute indicates the cost of a security breach has stayed consistent
• The Target breach involved many phases
• Many layers of defense were either missing or lacking in Target's defenses
• Security compliance isn't everything, as Target was PCI compliant
• Defense in depth and a risk management approach are the best way to prevent breaches
• If the breach had happened in an AIX environment, the key countermeasures would be: multi-factor authentication, AIX Role-based Access Control, AIX Trusted Execution, and PowerSC patching, monitoring and security hardening

IBM Systems Lab Services & Training - Power Systems Services for AIX, i5OS, and Linux on Power – PowerCare Eligible

http://www.ibm.com/systems/services/labservices/platforms/labservices_power.html

AIX Security Assessment with PCI 3.2

Overview:
Companies frequently and unknowingly can employ weak security practices that are exposing their company to high risk. The ramifications of a security breach could be unforeseeable litigation, identity theft, the bringing down of networks, and harm to a company's brand. As described by the Jericho Forum, a company shouldn't solely depend on perimeter security for their security. The AIX Security Assessment is the best way to identify weak AIX security practices that may be exposing your company to high risk. This assessment is a comprehensive assessment of how you are implementing AIX security.
• At least one AIX or VIOS partition is assessed
• A set of documents detail the results of the assessment
• The assessment details how the security settings correspond to PCI 3.2
• Learn about AIX solutions available to reduce operational expense
• Learn about PowerSC solutions available to assist you with security & compliance
• Short overviews can be provided to help the customer understand recommended solutions, such as RBAC and LDAP
• Additional presentations can be provided to expound upon various technologies that may be recommended in the assessment
• The assessment only reads existing security settings --- no settings are altered on the assessed partition

Phase 1 – Preparation (remote):
Conference calls are held prior to the service to validate the scope, agenda, schedule and required materials.
• Client provides overview of their current AIX Security environment
• IBM team prepares the service agenda/schedule
• IBM team details security data collection process
• IBM team provides customer security questionnaire
• Identify required materials / Finalize key players

Phase 2 – AIX Security Assessment (on-site):
Review the Results of the Assessment with Customer. Example Tasks:
• Consultant reviews the results of the security assessment with customer staff
• Customer reserves conference room with projector and invites relevant staff
• Customer staff can ask questions about the details of the assessment
• Customer staff can ask questions about the security recommendations

Deliverables – Detailed AIX Security Assessment Findings document, Heat Map, Executive Summary

WHO benefits from this assessment and WHY?
• Customers wanting to improve their AIX Security configurations
• Customers wanting to stay abreast of the latest AIX security solutions
• Customers wanting a security baseline for defining standard builds
• Clients wanting to learn about ways to simplify the management of their AIX security environment
• Customers wanting to learn about securing VIOS partitions

Duration
• At least 1 day on-site

References:
The Jericho Forum: http://en.wikipedia.org/wiki/Jericho_Forum

Terms and Conditions: Actual Tasks, Deliverables, Service Estimates, and travel requirements vary with each client's environment. When we have reached a final agreement on the scope of your initiative and our level of assistance, a formal document describing our proposed work effort, costs, etc, will be presented for your approval and signature.

Erin M. Hansen – PowerCare Opportunity Manager, [email protected]
Linda Hoben – Opportunity Manager, [email protected], 1-720-395-0556
Stephen Brandenburg – Opportunity Manager, [email protected], 1-301-240-2182

RHEL Security Assessment

Overview:
As detailed in the Ponemon Institute's survey "2015 Cost of Data Breach Study", the average cost of a computer breach at a large company globally was $3.79 million. For U.S.-based companies, the average cost was much higher, $6.5 million. These costs have risen globally 23% since 2013. In the "2014 Global Report on the Cost of Cyber Crime", the Ponemon Institute, a security research center, recommends that deployment of security intelligence systems and maintaining a strong security posture makes a difference and moderates the cost of cyber attacks.

IBM Lab Services is providing the following services to help you reduce your security risk and improve the security of your information assets. These services are being provided to help you deploy the type of security intelligence systems and achieve the strong security posture recommended by the Ponemon Institute.

The RHEL Security Assessment's goal is to identify effective security controls for your company to utilize which will significantly reduce your security risk. This service is designed for IBM Power Systems customers. The security controls have been recommended for Red Hat Enterprise Linux by the United States NSA Information Assurance Directorate. The controls are primarily based on Red Hat and security community consensus-based recommendations.

Client Benefits
• Helps achieve regulatory compliance, such as PCI, HIPAA, etc
• Helps improve RHEL security configurations and lower risk
• Helps promote the adoption of the latest RHEL security solutions
• Provides a baseline for defining standard RHEL image builds
• Learn of hundreds of security controls to reduce security risk

Duration
• Time varies depending on scope requested: 1-3 days on-site

Phase 1 – Preparation (remote):
Conference calls are held prior to the service to validate the scope, agenda, schedule and required materials.
• Client provides overview of their current RHEL security environment
• IBM team prepares the service agenda/schedule
• IBM team details security data collection process
• IBM team provides customer security questionnaire
• Identify required materials / Finalize key players

Phase 2 – RHEL Security Assessment (on-site):
Assessment Phase
• Partition data is collected
• Data is processed and assessment documents are created
Review Phase
• Consultant holds a review of the results of the assessment with key customer staff
• Additional presentations may be provided on recommended security solutions

Deliverables – Detailed RHEL Security Assessment Findings document, Heat Map, Executive Summary

References:
NSA RHEL Guidelines: https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml


Let's Stay in Touch!

Stephen Dominguez

www.securitysteve.net

If you'd like for me to set up a conference call so we can chat about security, shoot me an email at [email protected]
