Cyber Breach at Target: Electronic Commerce & Application


INDIAN INSTITUTE OF TECHNOLOGY ROORKEE

Electronic Commerce & Application

Cyber Breach at Target


Presented by: Group 6
• Nikhil Meshram - 20810031
• Mukesh Patel -20810034
• N Ravi Kiran - 20810037
• Siddharth - 20810062
• Sharan Das -20810057
• Aravind Anil -20810011
Summary
• Target is the eighth largest retailer in the United States, with more than 1800 stores. It was established as the discount division of the Dayton company in 1962.
• Between November 27 and December 15, 2013, Target Corporation was the subject of one of the largest cyberattacks in history, which involved the theft of credit and debit card information of 40 million customers and the home and email addresses of another 70 million.
• The hackers primarily targeted Fazio Mechanical Services, Target's external heating and ventilation provider, through a phishing email campaign in September 2013.
• Target did not monitor Fazio's lax security measures and also overlooked its own vulnerabilities, such as the lack of two-factor authentication in its payment card systems.
• Target's network was also not properly segmented, which gave the hackers a way to reach the payment data through Fazio's access.
• The attack started with a few Point of Sale (POS) systems and had spread to the majority by the end of November. The hackers then installed the 'Citadel' malware on these POS systems and gathered data.
• The hackers were able to install three variants and multiple updates of the malware without Target noticing, and gathered 11GB of user data, which was presumably sold on the black market.
• Target ignored the alerts raised by FireEye (its security provider) after November 30, assuming they were false positives.
• Target began an investigation into the breach on December 17 and announced the news to the public on December 19.
• Although Target initially denied that PIN information had been stolen, it later reversed this, stating that PINs, CVVs and expiration dates were also stolen.
• Target's net earnings for the fourth quarter of 2013 dropped by 46%, and its stock price was down 8.8% by February 2014.
• Target faced investigations by Congress, the SEC, the DOJ and the FTC, and litigation from various shareholders, customers and banks.

Was Target just unlucky, or was this a security management problem?

Vulnerabilities
• A phishing email was sent to Target's HVAC vendor. The response to the email gave the attackers the vendor's user code and password.
• The attackers disguised the malicious component as a legitimate one to hide it in plain sight.
• Once the malware obtained the credit card data, it created a remote file share, and it would periodically copy its local file to the hackers' remote share.
Ignorance
• Target's FireEye advanced monitoring system had noticed suspicious activity and alerted Target on the first data transfer, and the alerts escalated from there.
• Target had chosen to do nothing in response.
• The software itself could have prevented the attack, but Target chose to deactivate this part of the software as it was new and unfamiliar.
• Target's own anti-virus system had detected foul activity, and these warnings were also ignored.

What to do to minimize false positives in fraud detection?

• The FireEye team in India sent an electronic alert to Target's in-house security team in Minnesota indicating that the monitoring software had detected malware intrusions but that the install had not been activated yet.
• However, the U.S. team could have viewed the FireEye alert as a false positive, since multiple alerts were being generated under generic names like "malware binary".
• Once the malware started extracting the data to the hackers on December 2, the security team in India again alerted Target's security team in Minneapolis, but got no response.
• If a customer swiped a card at the register, the financial data linked to the card was sent to one of three "staging points": storage facilities created within Target's networks. To avoid setting off alarms, the data was stored on Target's networks for six days and then transmitted through a number of fake servers before being sent to the hackers' personal servers.
• "The breach could have been stopped there without human intervention. The system has an option to automatically delete malware as it's detected. It was unclear why this function was turned off."
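As an added example (not from the original presentation), the triage logic below shows how generically named alerts like the ones described above can be ranked by what the alerting host did afterwards, so that an alert followed by a write to a file share and an outbound transfer to an external address is escalated instead of being dismissed as a false positive. The event records, host names and addresses are constructed sample data, and the internal-address prefixes are an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the original presentation). Two POS
# hosts raise the same generic sandbox alert; one of them later writes to an
# internal share and then pushes data to an external address.
EVENTS = [
    {"ts": "2013-11-30T02:14", "host": "pos-0117", "type": "alert", "name": "malware.binary"},
    {"ts": "2013-11-30T02:15", "host": "pos-0451", "type": "alert", "name": "malware.binary"},
    {"ts": "2013-11-30T04:02", "host": "pos-0117", "type": "smb_write", "dst": "10.20.30.5"},
    {"ts": "2013-12-02T01:30", "host": "pos-0117", "type": "net_out", "dst": "203.0.113.9", "bytes": 5000000},
    {"ts": "2013-12-04T09:00", "host": "ws-0099", "type": "alert", "name": "malware.binary"},
]

# Assumption: only these RFC 1918 prefixes count as internal; anything else is external.
INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")
RANK = {"low": 0, "medium": 1, "high": 2}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def triage(events, window=timedelta(days=7)):
    """Rank each alerting host by what the same host did within the window after
    the alert. A generic alert alone stays 'low' (the easy-to-dismiss case); a later
    write to a file share raises it to 'medium'; outbound bytes to a non-internal
    address raise it to 'high'. Returns {host: (priority, reasons)}."""
    events = sorted(events, key=lambda e: _parse(e["ts"]))
    result = {}
    for i, ev in enumerate(events):
        if ev["type"] != "alert":
            continue
        t0 = _parse(ev["ts"])
        priority, reasons = "low", ["alert %s" % ev["name"]]
        for later in events[i + 1:]:
            if later["host"] != ev["host"] or _parse(later["ts"]) - t0 > window:
                continue
            if later["type"] == "smb_write":
                reasons.append("wrote to share %s" % later["dst"])
                if RANK[priority] < RANK["medium"]:
                    priority = "medium"
            elif later["type"] == "net_out" and not later["dst"].startswith(INTERNAL_PREFIXES):
                reasons.append("sent %d bytes to external %s" % (later["bytes"], later["dst"]))
                priority = "high"
        # Keep the highest-priority verdict seen for each host.
        if ev["host"] not in result or RANK[priority] > RANK[result[ev["host"]][0]]:
            result[ev["host"]] = (priority, reasons)
    return result
```

With the sample data, pos-0117 is ranked high with three reasons while the other two hosts stay low, which is the distinction an analyst needs when many hosts share the same generic alert name.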

“Kill Chain” analysis undertaken by the Senate Committee

1. Reconnaissance - Information about victims gathered quietly by attacker

– Attackers may have sent emails with malware to Fazio, Target’s external vendor. Simple internet searches enabled hackers to find Target’s
supplier portal and facilities management pages, and map out Target’s internal network. Target could have limited publicly available information.

2. Weaponization - Hacker prepares the malware to be sent to victim

– Through a simple email attachment such as a PDF or Microsoft Office document, the hacker likely weaponized its malware. Fazio improperly
used a free version of its anti-malware software, which did not provide real-time protection, and was intended for individual and not corporate
use.

3. Delivery - Malware sent to victim

– The attacker began the phishing attack, and the malware provided hackers with Fazio's passwords to Target's systems (Target could have required two-step authentication at this stage, a password and a mobile confirmation, as a protective measure). PCI-DSS standards require two-step authentication for remote access to payment networks, but this was not technically a part of Target's POS system. Attackers uploaded the RAM scraping malware to Target's POS terminals.

4. Exploitation - Malware deployed in victim’s networks

– The RAM scraping malware started recording data of millions of cards as they were swiped at registers. At this step, Target could have checked
any of the alerts sent by its FireEye software, or it could have enabled the software to automatically delete the malware. Target could also have
paid greater attention to one of many industry and government alerts of increased cyber threats.

5. Installation - Attacker gains ground in victim’s networks

– Hackers used Fazio’s systems to further breach Target’s networks, although it is unclear how. A protective step at this stage would have been to
delete unneeded default accounts.

6. Command and Control (C2) - Attacker gains remote access to victim’s networks

– Hackers maintained a line of communication between the outside internet and Target’s network—Target could have checked why Fazio’s logon
was being used to access unrelated parts of Target’s network, and could have developed stronger firewalls.

7. Actions on Objectives – Attacker initiates data extraction

– Hackers extracted the data to servers in Russia, which should have been flagged as suspicious. Target’s FireEye system did detect the
extraction malware, and Target could have acted on this.

Security Management Plan
Risk Assessment
• Business Strategy, Supplier & logistics, Customer and Employee banking & personal information, Financial data

Security Policy
• Made sure to be up to date with policies and guidelines
• Got certified by industry leader (Trustwave)

Develop Implementation Plan
• An Internal Security Team
• External cybersecurity team (FireEye) for Monitoring
• Automatic Malware Deletion Program

Security Organization
• Target failed at: Ensuring security system for company & associates, educate and train vendors & employees, authentication & verification mechanism, segmentation of network, post breach plans

Security Audit
• Information access to concerned department only
• Thorough audit for threats and leaks

Management Accountability
• The whole accountability cannot be put on the top management. They did take steps to stop this type of incident from happening and placed controls to monitor risks. The whole ordeal can be said to be a result of human error.
• While true, there were many other things that were overlooked, such as the over-reliance on certification, the neglect of the report from Visa about RAM scraping malware, and the increasing trend in hacking.
• Management should have persisted and come up with a foolproof plan, tried and tested. They started the implementation and lost the plan midway. No organization structure was created.
• A separate Head of Security was needed; the responsibilities were divided between the CFO, the CIO and the General Counsel, for whom data security was not the primary concern.

Observation
• Multiple warnings ignored at various levels in the company
  – FireEye alerts were ignored
  – Malware removal was turned off
• EMV technology alone is not enough to stop fraud
• Network segmentation is a necessity
• Third-party oversight is part of compliance
• Log monitoring needs analytics
• Third-party vendor access to all networks
• Executives are accountable for digital frauds
• Cyberthreat intelligence sharing must improve
• Delay in providing full information to affected customers

Conclusion
While the security breach at Target impacted a single corporation, it is important to note that such
breaches have now become part of our everyday lives. It is not a matter of if, but when a breach will occur.
Thus, the lessons learned from Target are valid and can be generalized to other organizations as well. For
instance, the breach stimulated retailers to install chip readers on their POS terminals. Such best practices
show that others realize the importance of strengthening their security posture and providing better
protection against individuals with malicious intents. Further, Target demonstrated that they have the
capacity to recover from such serious events due to having up-to-date disaster recovery/business
continuity plans. These best practices should be followed by others who want to prepare themselves for
the inevitable.

Thank You
