Kill Chain Executed in Target Attack

The US Senate has just published a full analysis on the Target breach. The report analyzes the seven steps the attackers took to compromise Target’s security defense system. When it comes to cyber attacks, the attacker must go through a series of steps in order to compromise any system. This attack method is called an “Intrusion Kill Chain” that is based on a framework developed by Lockheed Martin back in 2011. In summary, the report outlines the human failures that occurred at the various stages of the attack. Below are the key takeaways.

Target Mishaps

• “Target gave network access to a third-party vendor, a small Pennsylvania HVAC company, which did not appear to follow broadly accepted information security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.”
• “Target appears to have failed to respond to multiple automated warnings from the company’s anti-intrusion software that the attackers were installing malware on Target’s system.”
• “Attackers who infiltrated Target’s network with a vendor credential appear to have successfully moved from less sensitive areas of Target’s network to areas storing consumer data, suggesting that Target failed to properly isolate its most sensitive network assets.”
• “Target appears to have failed to respond to multiple warnings from the company’s anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target’s network.”

 Key Takeaways of the Report

• Conventional defenses like IDS and Anti-virus software are not effective in protecting organizations from sophisticated advance persistent threats (APT)
• Best way to fight APT is through “Intelligence driven, threat-focused approach that studies intrusions from the adversarial perspective giving network defenders the upper hand in combating cyber attackers
•  Defenders must continuously monitor their environment, and look for patterns and correlations, in order to address gaps
• Kill Chain – Attackers must follow a series of steps before they execute an attack
• Kill Chain Steps: Reconnaissance, weaponization, delivery, exploitation, installation, command & control, and actions on objective

 Kill Chain Executed in Target Attack

1. Recon: Attacker secretly gather information on the target
2. Weaponization: Attacker prepares attack payload (PDF, Word doc, etc.) to deliver to victim
3. Delivery: Attacker delivers payload to victim
4. Exploitation: Attacker payload deployed in the victim’s network
5. Installation: Attacker establishes foothold in victim network
6. Command & Control: Attacker has “Hands on the Keyboard” remote access  to victims network
7. Actions on Objectives: Attacker acts on accomplished data exfiltration

 For full 18 page report click here.