In 2013, Target Corp. discovered it had been the victim of a massive data breach. Some 11 gigabytes of personal and financial data were exposed, affecting 110 million consumers. As part of its remediation efforts, Target hired Verizon to conduct a security review.
When Verizon finally made its findings public, it confirmed what the security community suspected: Target’s network segmentation was non-existent. The findings also shed light on how the breach happened in the first place.
Target, like many companies, contracted a third party to maintain its HVAC systems. Target gave this company access to corporate servers through a vendor portal, so it could monitor the HVAC systems remotely.
Attackers found this information through public sources, including a Microsoft case study and Target’s own website. They targeted the HVAC company, compromised its network, stole login credentials for Target’s vendor portal, and gained access to Target’s network.
Once inside Target, the attackers used the same credentials to move through the network, deploying malware on point-of-sale (POS) machines and cash registers.
A thorough risk assessment of the HVAC vendor might have prevented the breach. But the primary issue really lies with Target, not the vendor. Target failed to segment and segregate its environment, and it failed to properly audit its Active Directory credentials. If Target had taken both steps, the breach most likely would not have occurred.
Of course, Target is not alone in overlooking simple mistakes. All too often, the most basic cyber-hygiene issues cost companies millions of dollars.
But it is extremely difficult to catch all of these simple mistakes. Proper security design and auditing are a major challenge for most companies, particularly if they share data with outside contractors. And large companies with complex networks, like Target, especially need to identify and mitigate errors more effectively.
The Target breach is a good example of how “Risk Hunting” can help avoid basic — but critical — IT mistakes. Risk Hunting uses machine learning to understand technical issues in the context of business risks. By quantifying potential outcomes in business terms, security teams can tackle the most important issues first—before an attack occurs.
Risk Hunting platforms ingest data from dozens of sources, like endpoint security suites and Windows Active Directory. These platforms can then map potential attack paths, identify where successful attacks could migrate, and measure the probability of business impacts.
A weighted risk score is assigned to each attack pathway. With that data, the greatest business risks can be prioritized to guide mitigation.
With this Risk Hunting methodology, security teams can identify many simple IT errors, like system misconfigurations, improperly assigned permissions, and even an overabundance of permissions.
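As an added illustration (not code from the original post or from any Risk Hunting product), the attack-path scoring described above reduced to a toy model: a constructed zone graph modelled on the vendor-portal-to-POS route, with assumed hop probabilities and business impacts, where each pathway's weighted risk score is its traversal probability times the impact of its endpoint, and a segmentation control is modelled by removing an edge. The scoring formula, the graph and every number in it are assumptions.

```python
# Constructed example: nodes are network zones, edge weights are the assumed
# probability that an attacker holding the source can reach the target. The
# values are illustrative, not measurements from the Target breach.
FLAT_NETWORK = {
    "vendor_portal": {"corporate_servers": 0.9},
    "corporate_servers": {"pos_network": 0.8, "hr_fileshare": 0.6},
    "pos_network": {},
    "hr_fileshare": {},
}

# Assumed business impact (USD) of a successful compromise of each target node.
IMPACT = {"pos_network": 100_000_000, "hr_fileshare": 5_000_000}


def enumerate_paths(graph, start):
    """Depth-first enumeration of every simple path that begins at `start`."""
    paths = []
    def walk(node, trail):
        paths.append(trail)
        for nxt in graph.get(node, {}):
            if nxt not in trail:  # simple paths only, so cycles terminate
                walk(nxt, trail + [nxt])
    walk(start, [start])
    return paths


def path_probability(graph, path):
    """Probability of traversing the whole path, treating hops as independent."""
    prob = 1.0
    for src, dst in zip(path, path[1:]):
        prob *= graph[src][dst]
    return prob


def score_paths(graph, entry, impact):
    """Weighted risk score = P(path) * impact of its final node, ranked highest first.
    Paths ending on a node without a defined business impact are skipped."""
    scored = []
    for path in enumerate_paths(graph, entry):
        if path[-1] in impact:
            scored.append((path_probability(graph, path) * impact[path[-1]], path))
    return sorted(scored, key=lambda item: item[0], reverse=True)


def segment(graph, src, dst):
    """Copy of `graph` with the src->dst edge removed, modelling a segmentation control."""
    new = {node: dict(edges) for node, edges in graph.items()}
    new[src].pop(dst, None)
    return new


if __name__ == "__main__":
    for score, path in score_paths(FLAT_NETWORK, "vendor_portal", IMPACT):
        print(f"${score:>14,.0f}  {' -> '.join(path)}")
```

Running `score_paths` on `FLAT_NETWORK` and again on `segment(FLAT_NETWORK, "corporate_servers", "pos_network")` shows the POS pathway dropping out of the ranking while the lower-impact HR path is unchanged, which is the prioritization signal the text describes.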