Woops! Army’s attempt at a phishing simulation bombs

At PhishMe, we feel like we’ve done a pretty good job of debunking the idea that you can address the spear phishing threat using the pentest model, but after reading this Washington Post story about a phishing test gone awry, it looks like we still have some work to do.

In this test, an Army combat commander sent an email to a “small group” of Army employees disguised as an email from their retirement plan provider urging them to log in to their accounts. The email used the name of the Thrift Savings Plan, the 401(k)-style retirement plan that covers most federal employees, and gave no indication that it was a simulated phishing exercise. The result was a panic across the DoD: concerned recipients forwarded the email to colleagues and flooded the Thrift Savings Plan customer support line. It took nearly three weeks for the Pentagon to trace the origin of the email.

Will the Target fallout shift focus away from compliance?

While in the check-out line at Target recently, I observed an interesting exchange that shows just how deep the impact from Target’s massive data breach has been. While rummaging for bills in her wallet, the woman in front of me in line asked the cashier whether anyone still used their credit card at Target anymore. The cashier could only shrug, but the fact that two ordinary people were discussing the impact of a data breach was remarkable, and Target’s recent sales numbers show that people aren’t only nervous about using credit cards at Target, they are avoiding the retailer altogether. Only 33 percent of US households shopped at Target in January of 2014, a 22 percent decline from 2013, and Target’s lowest level of shopper penetration in the last three years.

This is bleak news for a company that has already generated an enormous amount of negative publicity, leading to a U.S. Senate hearing, a restructuring of Target’s corporate leadership, and even a change in Target’s employee dress code.

Who’s to Blame for the Target Data Breach?

Why, in March 2014, are we still discussing the Target data breach? In a world where ‘news’ literally lasts minutes – OK, maybe hours, or in special cases days – here we are still discussing a data breach that ran from around November 27 to December 15, 2013! What is so special about the Target data breach that warrants all of this media attention?

Well, let’s start by putting the importance of this data breach in context. At the RSA Conference, Tripwire released a survey showing that the Target data breach has had a larger impact than Edward Snowden’s leaks on cybersecurity budgets and executive awareness. That, in and of itself, underscores its significance: it had a major impact on the business. Executives realized that data breaches can be incredibly expensive. There are remediation costs, of course, but more importantly there are reputational costs, and the damage to a company’s reputation dwarfs the monetary cost of remediation. We speak with security professionals every day who dismiss the reputational cost to an organization following a breach. To them we say: why not ask Target how insignificant its reputation damage has been?

Yesterday, BusinessWeek issued its take on the Target data breach, and the article shows just how mainstream cyberattacks have become. In its March 13, 2014 story titled “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” BW does a nice job telling the story, complete with a graphic of a target with data spewing out of it. However, I found something else in the article even more interesting.

Here are a couple excerpts:

“Six months earlier the company began installing a $1.6 million malware detection tool made by the computer security firm FireEye (FEYE), whose customers also include the CIA and the Pentagon.”

“…as they [cybercriminals] uploaded exfiltration malware to move stolen credit card numbers – first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia – FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then …Nothing happened. For some reason, Minneapolis didn’t react to the sirens.”

“…But then, Target stood by as 40 million credit card numbers – and 70 million addresses, phone numbers, and other pieces of personal information – gushed out of its mainframes.”

Fascinating.

For as long as I have been involved in computing (since 1985), we have had performance monitors that alert IT professionals to issues or situations. In security, we have had IDS/IPS and SIEM tools for more than 10 years. So what is this article saying? That even with the newest and coolest security software from FireEye, we still just send alerts and hope somebody takes action.

OK, maybe someone was supposed to do something and didn’t. By the article’s own account, Target’s Bangalore operation escalated the FireEye alerts, and it is the security team in Minneapolis that did not act on them:

“If Target’s security team had followed up on the earliest FireEye alerts, it could have been right behind the hackers on their escape path.”

BW also says that the Symantec Endpoint Protection software Target used had detected the malware.

Hmmm.

Let’s see: if my fire alarm goes off and I am not home, I wonder who hears it?

And if I do come home, by chance, after my alarm has gone off, does the alarm quickly identify where the smoke is coming from and help me prioritize which room to go to? No, that doesn’t happen either.

Oh, and when the alarm goes off, does my sprinkler system immediately kick in and the fire department arrive? OK, on that last point, the fire department does come, but only because I have an ADT system (not a standalone smoke alarm). And no, I don’t own a sprinkler system.

So the fact that the FireEye alarms went off and ‘no one noticed’ isn’t so crazy. That happens every day in our own lives.

But let’s be more specific.

Alarms go off with IT products, and specifically security products, every day. All the time. Today’s security professionals need information that is actionable. They need usable threat intelligence that identifies and prioritizes the indicators of compromise, ties them to the affected systems, and then stops or mitigates the attacker’s behavior. That the Target systems sent alarms and no one ‘noticed’ is not so amazing. The question the BW article should be asking is why the FireEye system didn’t do something without manual intervention. Why isn’t the detection system actually responding, instead of just triggering an alert?

The traditional definition of the steps for security is protect, detect, respond and recover. Target and its vendors clearly had the detection part down. Without the other three steps, however, detection did nothing to stop the Target data breach or limit the damage it caused, and in Target’s case that damage to its reputation is considerable. For FireEye, potential customers may now be asking themselves why they should choose a product that did not prevent the massive Target data breach.
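To make the “respond, don’t just alert” argument concrete, here is an added example of what the missing step looks like in code. It is not code from the original post, from FireEye, from Symantec or from Target; the alert records, the staging-host watch list (TEST-NET addresses), the signature names and the scoring thresholds are all constructed for illustration. The idea it demonstrates is the one argued above: network and endpoint detections for the same host are correlated, scored against indicators of compromise, and turned into a tiered response (log, escalate, or contain with an egress block and host isolation) rather than left as a pile of equally loud sirens.

```python
"""Alert triage that turns detections into actions (added illustration).

Not vendor code. Hosts, IPs, signatures and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed threat intel: known exfiltration staging hosts. Addresses are
# from RFC 5737 TEST-NET ranges and belong to no real infrastructure.
KNOWN_STAGING_IPS = {"203.0.113.10", "198.51.100.7"}
# Constructed signature names we treat as a confirmed malware family match.
WATCHED_SIGNATURES = {"exfil.staging.upload", "pos.ram.scraper"}

# Points per indicator and the thresholds that pick a response tier.
SCORES = {
    "known_staging_ip": 60,      # traffic to a known exfil staging host
    "malware_family_match": 30,  # signature is on the watched list
    "endpoint_av_hit": 20,       # endpoint product also fired on this host
    "pos_segment": 20,           # host handles card data
}
ESCALATE_AT = 50
CONTAIN_AT = 80


@dataclass(frozen=True)
class Alert:
    host: str
    dest_ip: str      # "-" for endpoint alerts with no network destination
    detector: str     # "network" or "endpoint"
    signature: str
    segment: str      # "pos" or "corp"


@dataclass
class Decision:
    host: str
    score: int
    reasons: List[str]
    actions: List[str]


def indicators(host_alerts: List[Alert]) -> Set[str]:
    """Correlate every alert for one host into a set of indicators.
    Duplicate alerts add no weight: the evidence is a set, not a count."""
    found: Set[str] = set()
    for a in host_alerts:
        if a.detector == "network" and a.dest_ip in KNOWN_STAGING_IPS:
            found.add("known_staging_ip")
        if a.signature in WATCHED_SIGNATURES:
            found.add("malware_family_match")
        if a.detector == "endpoint":
            found.add("endpoint_av_hit")
        if a.segment == "pos":
            found.add("pos_segment")
    return found


def decide(host: str, host_alerts: List[Alert]) -> Decision:
    """Score the correlated indicators and choose a response tier."""
    found = indicators(host_alerts)
    score = sum(SCORES[i] for i in found)
    if score >= CONTAIN_AT:
        # Automated containment: block the staging hosts this machine talked
        # to, isolate it, then wake a human.
        staging = sorted({a.dest_ip for a in host_alerts if a.dest_ip in KNOWN_STAGING_IPS})
        actions = [f"block_egress:{ip}" for ip in staging] + ["isolate_host", "page_oncall"]
    elif score >= ESCALATE_AT:
        actions = ["open_ticket", "page_oncall"]
    else:
        actions = ["log_only"]
    return Decision(host, score, sorted(found), actions)


def triage(alerts: List[Alert]) -> Dict[str, Decision]:
    """Group alerts by host and return one decision per host."""
    by_host: Dict[str, List[Alert]] = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    return {h: decide(h, al) for h, al in sorted(by_host.items())}


# Constructed sample alerts: a POS host with repeated network alerts to a
# staging IP plus an endpoint hit, a second POS host with only a signature
# match, and a corporate workstation with a low-value endpoint hit.
SAMPLE_ALERTS = [
    Alert("pos-0017", "203.0.113.10", "network", "exfil.staging.upload", "pos"),
    Alert("pos-0017", "203.0.113.10", "network", "exfil.staging.upload", "pos"),
    Alert("pos-0017", "-", "endpoint", "Trojan.Generic", "pos"),
    Alert("pos-0021", "192.0.2.44", "network", "pos.ram.scraper", "pos"),
    Alert("corp-ws-42", "-", "endpoint", "Adware.Toolbar", "corp"),
]

if __name__ == "__main__":
    for host, d in triage(SAMPLE_ALERTS).items():
        print(f"{host}: score={d.score} reasons={d.reasons} actions={d.actions}")
```

Run stand-alone, the script contains `pos-0017` (score 130: staging IP, watched signature, endpoint hit and POS segment all line up), opens a ticket and pages for `pos-0021` (score 50), and only logs `corp-ws-42` (score 20). The thresholds and weights are the part a real deployment has to tune against its own false-positive rate; the structural point is that the block and isolate actions are emitted by the pipeline, not left for someone in another time zone to notice.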