# Postmortem - Target Case Study
### Report Status
- Complete
- Action items in progress
### Executive Summary
- Between Nov 27 and Dec 18, 2013, Target's network was compromised by malicious actors, resulting in an estimated 40 million credit and debit card numbers and 70 million records of PII being stolen.
### Description
- There was no downtime of company systems or servers associated with the attack.
### Impact
- Total financial impact is unknown at this time. However, we expect the incident to affect the corporate reputation along with the stock price.
### Affected users
- This affected all customers who purchased items through Target's point-of-sale (POS) system.
### Start Date/Time
- 11/27/2013
### End Date/Time
- 1/14/2014
### Names of people involved
@Matt, @Veer, @Corey, @Frank, @Sarah, @Aaron
## Timeline
- 11/27/2013 - Attackers gain access
- 11/28/2013 - Attackers obtain credentials
- 12/11/2013 - Suspected attacks are first discovered
- 12/15/2013 - Attackers are removed from affected systems
- 12/18/2013 - First public indication of the breach: someone outside the organization reports on a possible breach
- 12/19/2013 - Target officially acknowledges the breach
- 1/12/2014 - Target states that malware was involved
- 1/14/2014 - Target describes the type of malware in detail
## Root Causes
- The root cause was an insecure third-party vendor. It is speculated that the vendor's network was insecure because it ran insufficient security software.
- An employee of Fazio Mechanical opened a malicious email, which allowed Citadel, a banking trojan, to be installed on the Fazio network. The login credentials for Target's vendor system were then compromised, giving the malicious actors initial access to Target's systems.
- Once Target's systems were compromised, the malicious actors used their access to move through Target's network and install another trojan that targeted the POS systems, allowing them to harvest customers' credit and debit card information. The harvested data was saved to a file on an internal dump server, and a special ping packet was sent to a remote server; when certain conditions were met, the file was sent to an off-site FTP server and the data was sold on the black market.
- This method allowed the malicious actors to exfiltrate data from systems that were not connected to the internet, and the malware only transmitted during a set time window so that the additional traffic blended in with normal activity.
### What went well?
- The incident, from discovery to removal of the attackers, was contained within five days.
- Following the incident, Target took immediate action to improve its administrative and technical security policies and procedures.
### What could have gone better?
- Target did not investigate the security warnings generated by the IDS/IPS systems it had in place.
- Target's networks were not properly segmented.
- The POS terminals were not properly hardened.
- Proper access controls were not in place within the network, which allowed accounts associated with the third-party vendor to reach systems holding customer information.
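The exfiltration pattern described under Root Causes (POS terminals writing card data to an internal dump server, which then pushed it to an external FTP server only during a fixed time window) and the segmentation, access-control and unreviewed-alert points above are the kind of thing a default-deny flow policy would have surfaced. The following is an added example, not code from the original postmortem or from Target: it runs a zone allow-list over a constructed firewall connection log and reports the flows that violate it, the host most involved in violations, and the hours of day at which outbound FTP transfers occurred. The subnets, the allow-list and every log line are assumptions made up for the illustration.

```python
from __future__ import annotations

import ipaddress
from collections import Counter

# Constructed sample firewall log (not real Target data):
# timestamp  source-IP  destination-IP  destination-port  bytes-sent
SAMPLE_LOG = """\
2013-12-02T09:14:03 10.30.4.17 10.20.1.5 443 812
2013-12-02T09:20:41 10.30.4.17 10.10.7.22 445 4096
2013-12-02T11:02:10 10.10.7.22 10.20.3.9 445 2097152
2013-12-02T12:31:55 10.20.3.9 203.0.113.45 21 1048576
2013-12-02T15:05:12 10.20.3.9 203.0.113.45 21 2097152
2013-12-03T10:44:30 10.20.3.9 203.0.113.45 21 1572864
2013-12-03T13:12:00 10.20.3.9 203.0.113.45 21 524288
2013-12-03T16:58:20 10.20.3.9 203.0.113.45 21 786432
2013-12-03T02:15:00 10.20.1.5 198.51.100.7 443 1024
"""

# Assumed network zones; anything outside them is treated as "external".
ZONES = {
    "vendor": ipaddress.ip_network("10.30.0.0/16"),  # third-party vendor access
    "corp": ipaddress.ip_network("10.20.0.0/16"),    # corporate servers
    "pos": ipaddress.ip_network("10.10.0.0/16"),     # point-of-sale terminals
}

# Assumed allow-list of (source zone, destination zone, port). Default deny:
# the vendor zone may only reach the corporate portal, and the POS zone may
# only talk to corporate over TLS. Nothing internal may use FTP outbound.
ALLOWED_FLOWS = {
    ("vendor", "corp", 443),
    ("pos", "corp", 443),
    ("corp", "corp", 445),
    ("corp", "external", 443),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'external' if it matches none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_log(text: str) -> list[dict]:
    """Parse whitespace-separated log lines into flow records with zones."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": ts, "src": src, "dst": dst,
            "port": int(port), "bytes": int(nbytes),
            "src_zone": zone_of(src), "dst_zone": zone_of(dst),
        })
    return flows


def find_violations(flows: list[dict]) -> list[dict]:
    """Flows whose (src zone, dst zone, port) is not on the allow-list."""
    return [f for f in flows
            if (f["src_zone"], f["dst_zone"], f["port"]) not in ALLOWED_FLOWS]


def hosts_by_violations(violations: list[dict]) -> Counter:
    """Count how often each internal host appears as an endpoint of a violation.
    A single host dominating the list is a candidate staging/dump server."""
    counts: Counter = Counter()
    for f in violations:
        for ip, zone in ((f["src"], f["src_zone"]), (f["dst"], f["dst_zone"])):
            if zone != "external":
                counts[ip] += 1
    return counts


def exfil_hours(flows: list[dict], port: int = 21) -> list[int]:
    """Hours of day (as logged) at which internal hosts sent data to an
    external address on the given port; clustering inside business hours is
    the time-window behaviour the malware used to blend in."""
    return sorted(int(f["ts"][11:13]) for f in flows
                  if f["dst_zone"] == "external" and f["port"] == port)


def business_hours_only(hours: list[int], start: int = 9, end: int = 17) -> bool:
    """True if every transfer hour falls inside the given window."""
    return bool(hours) and all(start <= h <= end for h in hours)


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    bad = find_violations(flows)
    for f in bad:
        print(f"{f['ts']} {f['src']}({f['src_zone']}) -> "
              f"{f['dst']}({f['dst_zone']}):{f['port']} {f['bytes']} bytes")
    print("most involved host:", hosts_by_violations(bad).most_common(1))
    hours = exfil_hours(flows)
    print("outbound FTP hours:", hours, "business hours only:", business_hours_only(hours))
```

In the constructed log, the vendor account reaching a POS terminal, the POS terminal pushing a large SMB write to a corporate server, and that server's outbound FTP sessions all fail the allow-list, and the FTP sessions sit entirely inside 10:00 to 17:00. The point is that each of these is an alert only if someone reviews it; a default-deny policy produces the signal, and the review queue has to consume it.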
## Action Items
| Action Item | Type | Owner | Bug | Priority |
| -------- | -------- | -------- | -------- | --------|
## Resolution / Recovery
- Improved monitoring and logging of system activity, specifically with regard to intranet connections and firewalls.
- Implemented POS management tools, application whitelisting, and improved firewall rules.
- Reduced privileges on, reset, or disabled 445,000 employee and contractor accounts, alongside limiting or disabling vendor access to internal networks.
- Updated policy on password usage, including the use of password vaults, two-factor authentication, and training on best practices for password rotation.