How Endpoint Security Analytics Could Have Cut the Target Hack Short

Alfred Chung

Recent intelligence about the Target breach, its scope, and its attack vectors has included the fact that memory-scraping malware was instrumental in hijacking credit-card data prior to its encryption for transmission to remote payment processors. Symantec reported on the registry keys and files dropped by the malware that are even now being used by software vendors to update their signature-based antivirus and alerting systems.

The critical point, however, is that the malware that was undoubtedly designed specifically for Target is probably already morphing into something unrecognizable by those signature-based tools for the next organization being drawn into the hackers’ crosshairs. Each organization that is hit with a form of this malware in the future will be on the receiving end of its own, customized attack for which no signature can be created.

Re-Compiled Code and Cross-site Scripting Foiled the Perimeter Defense

Here are some other facts about the Target hack that have recently emerged:

• As we in the security analytics community suspected, known malware was used in the attack, but it was undetected by antivirus tools because it had been recompiled or packed/encrypted to present an unknown signature
• A massive 11 gigabytes of data was exfiltrated
• Cross-site scripting may have been deployed in an earlier attack, which gave the hackers the ability to reach the point-of-sale (POS) systems

How Security Analytics Could Have Helped

Because most organizations of any size have already been breached, but just don’t know it, and because malware is now so often custom designed for each organization, the best—and only effective—way to cut a hack short is to take regular baselines of all endpoints and get proactive alerts of anomalous behavior on them.

This approach to security intelligence could have discovered the breach in a number of ways, by detecting:

• An unknown or non-whitelisted process running on the POS node
• Frequent and atypical connections made to the drop server; reports show that on December 2, 2013, the malware that hit Target began transmitting payloads of stolen data several times a day over a two-week period
• A new DLL used by the malware being dropped in the SYSTEM32 folder
• Detection of new, non-whitelisted registry keys.

All of this depends on constantly updated baselining of every endpoint on a network, of course, something that EnCase® Analytics can perform on organizational endpoints like laptops and servers on a regular basis. Because the most effective malware is finding its way into nearly every large network on the planet, the security focus must shift to add baselining and threat hunting in order to keep the invaders from succeeding in reaching their long-term goals.

Have an Opinion? I welcome discussion in the Comments section below.