As you might expect, as a key player in the network monitoring and analysis space, WildPackets has been following the press on the Target breach very closely. If you want an excellent summary you can refer to this online Bloomberg Businessweek article, or to the many detailed blog posts on KrebsonSecurity.
The latest news from the Bloomberg Businessweek article indicates that Target received alerts from software they had recently installed about malware being uploaded to some of its systems, but the alerts were ignored. The article hypothesizes that these alerts may have been “viewed with some skepticism by its minders at the time of the hack”, since the software was relatively new to Target, and false positives are often a problem with security monitoring software. But whatever the reason, we know the alerts were not acted upon.
The decision not to investigate the alerts is particularly troubling, not just because we know in hindsight it was a bad decision, but because there were clearly overriding considerations that caused the decision to be made. Lack of faith in a system alone isn’t compelling enough to ignore the alerts. It must be coupled with other issues, and although WildPackets has no first-hand knowledge of the Target breach itself, we do know from our experiences working with customers that indications and alerts get ignored when verification is difficult. If that difficulty can be removed, and verification can happen quickly, alarms and alerts are far less likely to be ignored.
And it’s here where we lament “Oh, if only Target had used network forensics”.
Network forensics is the recording, storage, and analysis of network traffic. It provides a complete record of network communications, along with powerful search and analysis tools for combing through stored traffic to find critical information. For more detailed information on network forensics solutions, including use cases, please refer to http://www.wildpackets.com/use_cases/network_forensics.
Network forensics makes it extremely easy to verify any security alert. In this specific case, we can assume that the original alerts that malware was being introduced included at least some IP addresses where the infections were taking place. If so, a simple forensics search on recorded network traffic for a specific time range and IP address(es) would show exactly what activity was going on, making verification effortless and taking very little time. And not only would it show what was happening on the IP addresses in question, it would also show any other network assets that the “suspect” IP addresses were communicating with. So if the malware alert turned out to be real, which in this case it was, the staff at Target would have known not only that they needed to take action immediately, but also exactly which network assets to quarantine to stop any further spread of the malware. With network forensics this can all happen the instant the alert is received, and with just a few simple clicks the alert is verified and the depth of the breach is known.
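As an added example that is not part of this post and not WildPackets code, here is the verification step described above worked through in Python against a small set of constructed flow records standing in for recorded traffic: filter the records to the alerted IP address(es) and time window, list the peers those hosts exchanged traffic with, and, going one step beyond the post, follow contacts forward in time so that a host reached by an alerted host is itself checked for onward contacts. The record layout, addresses and timestamps are all assumptions made for the example.

```python
"""
Added example (not WildPackets code): triage a malware alert against recorded
traffic by filtering stored flow records on a time window and the alerted IPs,
then listing every peer those hosts communicated with. Every record, address
and timestamp below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed flow records in a simplified "timestamp src dst dport proto bytes"
# layout, standing in for the traffic a network forensics system would hold.
SAMPLE_FLOWS = """\
2014-01-15T01:05:00Z 10.20.1.15  10.20.1.9   443 tcp 900
2014-01-15T02:10:05Z 10.20.1.15  10.20.1.200 445 tcp 4800
2014-01-15T02:11:40Z 10.20.1.15  192.0.2.77   80 tcp 120000
2014-01-15T02:12:02Z 10.20.1.200 10.20.1.21  445 tcp 5200
2014-01-15T02:20:00Z 10.20.3.3   10.20.1.9   443 tcp 700
2014-01-15T02:30:11Z 10.20.1.21  10.20.5.9    21 tcp 98000
2014-01-15T03:45:00Z 10.20.1.15  10.20.1.50  445 tcp 3000
"""


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2014-01-15T02:10:05Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_flows(text):
    """Turn the whitespace-separated record lines into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": parse_ts(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def flows_for_hosts(flows, hosts, start, end):
    """Records inside [start, end] where one of `hosts` is the source or destination."""
    hosts = set(hosts)
    return [f for f in flows
            if start <= f["ts"] <= end and (f["src"] in hosts or f["dst"] in hosts)]


def peers(flows, hosts):
    """Map each alerted host to the set of other hosts it exchanged traffic with."""
    hosts = set(hosts)
    out = defaultdict(set)
    for f in flows:
        if f["src"] in hosts:
            out[f["src"]].add(f["dst"])
        if f["dst"] in hosts:
            out[f["dst"]].add(f["src"])
    return dict(out)


def spread_candidates(flows, seed_hosts, start, end):
    """
    Follow contacts forward in time: once a host has talked to an alerted host,
    its own later contacts are included too. Returns {host: time of first
    contact} for every host other than the seeds, i.e. the quarantine review list.
    """
    first_seen = {h: start for h in seed_hosts}
    for f in sorted(flows, key=lambda f: f["ts"]):
        if not (start <= f["ts"] <= end):
            continue
        for known, other in ((f["src"], f["dst"]), (f["dst"], f["src"])):
            if known in first_seen and f["ts"] >= first_seen[known] and other not in first_seen:
                first_seen[other] = f["ts"]
    return {h: t for h, t in first_seen.items() if h not in set(seed_hosts)}


if __name__ == "__main__":
    # Constructed alert: one IP flagged, with a two-hour window around the alert time.
    alert_ips = ["10.20.1.15"]
    start, end = parse_ts("2014-01-15T02:00:00Z"), parse_ts("2014-01-15T03:00:00Z")
    flows = parse_flows(SAMPLE_FLOWS)
    direct = flows_for_hosts(flows, alert_ips, start, end)
    print("records for alerted host(s):", len(direct))
    print("direct peers:", peers(direct, alert_ips))
    for host, ts in sorted(spread_candidates(flows, alert_ips, start, end).items(), key=lambda kv: kv[1]):
        print(f"review/quarantine candidate {host} (first contact {ts.isoformat()})")
```

The first two functions answer the verification question the post poses (what was the alerted host doing in that window), and `peers` gives the list of assets to consider for quarantine. `spread_candidates` is the forward-in-time extension: it only treats a contact as relevant if it happened after the host it came from was itself reached, which keeps unrelated earlier traffic out of the list.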
If only Target had used network forensics. If they had, the situation would have been nipped in the bud, and none of us would be the wiser.