FireEye’s technology functions as a first line of detection/defense and "impersonates" an organization's computer network so that hackers would attack it instead. In Target's case, they did, and the tool spotted the first and subsequent instances of the malware that the attackers deployed on it.
The alerts were noted by the team in India that was keeping an eye on things, and reported to the main IT team in Minneapolis. Unfortunately, this team poked around a bit and decided to do nothing.
"The breach could have been stopped there without human intervention. The system has an option to automatically delete malware as it’s detected. But according to two people who audited FireEye’s performance after the breach, Target’s security team turned that function off," Bloomberg Businessweek reports.
Apparently, this is not that unusual as security teams often choose to have the last say when it comes to this type of decisions. Sadly, they didn't react in time or adequately to suppress the danger themselves.
According to some reports, the team might have not trusted FireEye's tool enough as they had finished deploying the technology throughout the company's IT system just months before the breach which started in November. On the other hand, when the company's AV system - Symantec Endpoint Protection - also spotted the POS memory scraping malware around Thanksgiving, and explicitly pointed to it coming from the same server that the FireEye-spotted threat was using, they should have reacted.
Why they didn't is still to be determined.
Target spokeswoman Molly Snyder commented the reports by saying that the company did investigate the alerts, but dismissed them.
"Based on their interpretation and evaluation of that activity, the [Target security] team determined that it did not warrant immediate follow up. With the benefit of hindsight, we are investigating whether, if different judgments had been made the outcome may have been different," she stated. I imagine heads will roll in the security team in due time.
Target's other mistakes were not doing a good job when segmenting their network, and not spotting malware that installed itself as and mimicked the name of a legitimate IT management software suite used by Target.
"If Target’s security team had followed up on the earliest FireEye alerts, it could have been right behind the hackers on their escape path. The malware had user names and passwords for the thieves’ staging servers embedded in the code, according to Jaime Blasco, a researcher for the security firm AlienVault Labs," commented the reporters.
"Target security could have signed in to the servers themselves—located in Ashburn, Va., Provo, Utah, and Los Angeles—and seen the stolen data sitting there waiting for the hackers’ daily pickup. But by the time company investigators figured that out, the data were long gone."
These new revelations (and previous reports) show that many companies will readily invest in good technology, but are obviously skimping on hiring people who will known how to use it effectively.
I sincerely hope that other companies and retailers will learn from these mistakes and improve their defenses accordingly.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.