Lecture 22 - 23 - 24 Target Case v1.1

The document discusses a case study on the Target cyber breach, highlighting vulnerabilities in information security and the consequences of the attack, which affected millions of customers and resulted in significant financial losses. It outlines the timeline of the attack, methods used by attackers, and the failure of Target's security measures to respond effectively to the breach. The presentation emphasizes the importance of cybersecurity awareness and compliance with security protocols in educational settings.

Uploaded by Shashank Bakshi

Welcome to

PES University
Ring Road Campus, Bengaluru
Information Security
UE21CS343BB6
Prof. Prasad Honnavalli
Prof. Sushma E, and Dr. Sarasvathi V

Lec 22, 23, 24


Emergency Exit Assembly Point Washroom

No Chatting Phones on silent No Sleeping

UE22CS343BB6 – Information Security 3


Disclaimer
☞ This presentation is purely educational.
☞ The views expressed by the presenter are not a representation of any organization.
☞ The views are based on the professional experience of the presenter, and no liability is accepted by the presenter in the event of any potential or perceived losses resulting from this presentation.


A Note on Security

☞ In this course, you will be exposed to information about security problems and vulnerabilities with computing systems and networks.
☞ To be clear, you are not to use this or any other similar information to test the security of, break into, compromise, or otherwise attack, any system or network without the express consent of the owner.
☞ In particular, you will comply with all my instructions when doing the labs.
➢ My instructions are in consonance with applicable laws of India and PES University policies.
➢ If in any doubt, please consult your professor!
☞ Any violation is at YOUR RISK and may result in severe consequences.
Cyber Breach at Target
A Harvard Business School Case Study

ISFCR
UE22CS343BB6
Executive Education
– Information Security 6
Anyone Hacked?

• Anyone experienced a cyber breach? A data breach?
• Those who haven't experienced one yet – perhaps you don't know you have been hacked.
• Cybersecurity is a very serious and real issue that every individual and company is having to deal with.
Contents

☞ Introduction
☞ Scope and Impact
☞ Timeline
☞ Attack Discovery
☞ Attack Details
☞ Malware Details
☞ Missed Opportunities
☞ Post Attack Activities
☞ Conclusion
☞ Q&A
☞ Research References


The case
☞ This case relates to information systems, cybersecurity, risk management, and executive leadership.
☞ The case has been used at Harvard and in other educational programs.
☞ It is used to discuss processes that enable or hinder effective detection and prevention of cyber breaches as well as an effective response to detected breaches.


The case
☞ Issues relating to cybersecurity raised by the Target breach are not unique:
➢ But the scope and publicity of the attack make it stand out.
☞ The case explores the intersection of technical and managerial aspects of cybersecurity issues with added focus on management accountability and response to a highly publicized incident.


Pedagogy
Introduction and Assessment of Target's Vulnerability
Accountability of Target's Management
Post Breach response by Target
Lessons regarding Cyber Risk and accountability of Management
Takeaway and update on Target


Scope of impact
☞ 70 Million customers impacted
☞ 40 Million credit/debit cards
☞ 1 to 3 Million cards sold on the black market
☞ $54 Million in fraud income
☞ $200 Million+ loss to financial institutions
☞ $100 Million to upgrade POS
☞ $252 Million in cost to Target – reported in January 2015
☞ $10 Million settled with customers – reported in March 2015
☞ $67 Million settled with financial institutions – reported in August 2015
☞ $$$ More to come – it's not over yet
A month in Target’s network!
▪ Target Company experienced a cyber attack from Nov 12 through Dec 15, 2013.
▪ Customer card and personal data was stolen from Nov 27 through Dec 15, 2013.

[Calendar graphic: November and December 2013, marking the period the POS terminals were compromised, Wednesday November 27 to Sunday December 15.]

Source: Forbes.com. The POS terminals at Target were compromised between Wednesday November 27 and Sunday December 15 according to a report by Seculert’s Research Lab.
Url: http://www.forbes.com/sites/anthonykosner/2014/01/17/researchers-report-exact-timeline-of-massive-target-data-breach/



Target - Time Line of the Attack

Was Target Unlucky?
☞ Complexity of retail systems:
☞ Lack of generally accepted external standards:
☞ Constant preparation vs. one-off attacks:
☞ Target was unlucky to be the first “big” hack:



The Attack

How the Attack Happened: A Step-by-Step Breakdown (1/5)

1. Initial Access – Compromised Third-Party Vendor
o Attackers phished credentials from Fazio Mechanical, an HVAC vendor that had remote access to Target's network for billing and maintenance.
o The vendor's credentials were stolen and used to access Target's internal network.


Suspicious Login from Third-Party Vendor
1. What anomaly do you notice in the login logs?
Anomaly: The login originated from an unusual IP address.

2. Why is this important for identifying a potential security breach?
Importance: Indicates a potential credential compromise or unauthorized access.

3. What security measures could have been implemented to prevent this unauthorized access?
Prevention: Implement geo-restrictions, multi-factor authentication (MFA), and behavioral analytics.


How the Attack Happened: A Step-by-Step Breakdown (2/5)

2. Lateral Movement – Network Access Expansion
o Once inside, attackers moved laterally within the network, eventually gaining access to the point-of-sale (POS) systems.
o Lack of network segmentation allowed attackers to move from third-party access to critical systems (POS terminals).


Lateral Movement and Privilege Escalation

4. Should a third-party vendor have access to a Domain Controller? Why or why not?
Vendor Access: No, third-party vendors should have limited access to critical systems.

5. How could network segmentation have prevented this attack?
Network Segmentation: Limits movement within the network to prevent attackers from escalating privileges.

6. What additional security controls could have been used to detect and respond to unauthorized access?
Detection Controls: Implement SIEM (Security Information and Event Management) alerts for unusual access.
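The controls named in questions 1 to 6 (a known source range per vendor, a least-privilege host list that keeps the vendor off the Domain Controller, business-hours access, MFA, and a SIEM alert when any of these is broken) can be expressed as a short rule set over the remote-access log. The script below is an added example, not code from the lecture or from Target; the log format, the vendor profile, the IP ranges and the host names are constructed for the example.

```python
"""Review of third-party remote-access logins against the vendor's access profile.

Added example, not code from the lecture deck. It expresses the controls the two
slides name (allowed source network per vendor, least-privilege host list that
excludes the Domain Controller, business-hours access, MFA) as rules, and emits
a SIEM-style alert for every successful login that breaks one. The log format,
vendor profile, IP ranges and host names are constructed for the example.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed least-privilege profile for the HVAC vendor account.
VENDOR_PROFILES = {
    "fazio": {
        "allowed_src": [ipaddress.ip_network("203.0.113.0/24")],  # vendor's office range (placeholder)
        "allowed_hosts": {"vendor-portal", "billing-app"},       # no domain controllers
        "hours_utc": (12, 22),                                   # roughly the vendor's working day
    },
}

# Constructed log format: one remote-access login per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vendor=(?P<vendor>\w+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"host=(?P<host>\S+) mfa=(?P<mfa>\w+) result=(?P<result>\w+)$"
)

SAMPLE_LOG = """\
2013-11-12T14:03:11Z vendor=fazio user=svc_fazio src=203.0.113.7 host=billing-app mfa=yes result=success
2013-11-15T03:41:52Z vendor=fazio user=svc_fazio src=198.51.100.23 host=billing-app mfa=no result=success
2013-11-15T03:45:09Z vendor=fazio user=svc_fazio src=198.51.100.23 host=dc01 mfa=no result=success
2013-11-16T15:10:30Z vendor=fazio user=svc_fazio src=203.0.113.9 host=vendor-portal mfa=no result=failure
"""

def parse_line(line):
    """Return the event as a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def evaluate(ev, profiles=VENDOR_PROFILES):
    """List the profile rules a successful login breaks (empty list = clean)."""
    if ev["result"] != "success":
        return []                       # failures belong to a separate brute-force rule
    prof = profiles.get(ev["vendor"])
    if prof is None:
        return ["unknown_vendor"]
    findings = []
    src = ipaddress.ip_address(ev["src"])
    if not any(src in net for net in prof["allowed_src"]):
        findings.append("source_ip_outside_vendor_range")   # the anomaly in question 1
    if ev["host"] not in prof["allowed_hosts"]:
        findings.append("host_not_permitted_for_vendor")    # question 4: vendor on a DC
    start, end = prof["hours_utc"]
    if not start <= ev["ts"].hour < end:
        findings.append("outside_business_hours")
    if ev["mfa"] != "yes":
        findings.append("mfa_not_used")
    return findings

def review(log_text, profiles=VENDOR_PROFILES):
    """Produce one alert per violating login; a vendor on a forbidden host is high severity."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        findings = evaluate(ev, profiles)
        if findings:
            sev = "high" if "host_not_permitted_for_vendor" in findings else "medium"
            alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"], "src": ev["src"],
                           "host": ev["host"], "severity": sev, "findings": findings})
    return alerts

if __name__ == "__main__":
    for a in review(SAMPLE_LOG):
        print(a["severity"].upper(), a["ts"], a["user"], a["src"], "->", a["host"], a["findings"])
```

The third sample line is the one that matters for question 4: the vendor account reaching dc01 from an unknown address, at night, without MFA, is exactly the event a SIEM rule should raise as high severity rather than bury among routine logins.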
How the Attack Happened: A Step-by-Step Breakdown (3/5)

3. Malware Deployment – POS System Infection
o Attackers installed RAM-scraping malware (Kaptoxa/BlackPOS) on thousands of Target's POS systems.
o The malware captured credit card details in memory before encryption and transmitted the stolen data to attacker-controlled servers.


Malware Installation on POS Systems
7. What does the hash tell you about the file that was executed on the POS system?
Hash Analysis: Confirms the file as malware using threat intelligence.

8. How could a company detect and block malware before it executes on critical systems?
Prevention: Use application whitelisting and endpoint security.

9. Why is endpoint detection and response (EDR) important in this scenario?
EDR Importance: Provides real-time detection and response capabilities.
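Questions 7 and 8 are two sides of one control: a hash that matches threat intelligence is known-bad, a hash that matches the approved POS image is known-good, and on a POS terminal anything else should be denied by default. The script below is an added example, not code from the lecture or from Target; the file contents, paths and hashes are constructed, and no real BlackPOS indicator appears in it.

```python
"""Hash-based application control check for a POS host.

Added example, not code from the lecture deck. It applies the two checks the
slide pairs: compare an executable's SHA-256 with threat intelligence
(known-bad) and with the allowlist taken from the approved POS image
(known-good), and deny everything else by default. A binary sitting at an
approved path but with an unexpected hash is reported separately as tampered.
All file contents, paths and hashes are constructed; no real BlackPOS
indicator appears here.
"""
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed golden image: approved path -> bytes of the approved build.
GOLDEN_IMAGE = {
    "C:\\POS\\pos_client.exe": b"MZ\x90\x00approved-pos-client-build-1",
    "C:\\POS\\printer_svc.exe": b"MZ\x90\x00approved-printer-service",
}
ALLOWLIST = {path: sha256_hex(data) for path, data in GOLDEN_IMAGE.items()}

# Constructed threat-intel feed: hash -> label (placeholder, derived from sample bytes).
MALICIOUS_SAMPLE = b"MZ\x90\x00constructed-ram-scraper-sample"
THREAT_INTEL = {sha256_hex(MALICIOUS_SAMPLE): "PLACEHOLDER: POS RAM scraper family"}

def classify(path, data, allowed=None, threat_intel=None):
    """Decide whether an executable may run; returns (verdict, reason)."""
    allowed = ALLOWLIST if allowed is None else allowed
    threat_intel = THREAT_INTEL if threat_intel is None else threat_intel
    h = sha256_hex(data)
    if h in threat_intel:
        return "block", "known_malware:" + threat_intel[h]
    if h in set(allowed.values()):
        return "allow", "allowlisted_hash"
    if path in allowed:
        # Right name and location, wrong content: the approved binary was replaced.
        return "block", "tampered_approved_binary"
    return "block", "not_allowlisted"   # default deny: unknown code never runs on a POS

def scan_host(files, allowed=None, threat_intel=None):
    """Run classify() over a mapping of path -> bytes and return EDR-style events."""
    events = []
    for path, data in files.items():
        verdict, reason = classify(path, data, allowed, threat_intel)
        events.append({"path": path, "sha256": sha256_hex(data),
                       "verdict": verdict, "reason": reason})
    return events

# Constructed snapshot of what is on the POS disk at scan time.
POS_DISK = {
    "C:\\POS\\pos_client.exe": GOLDEN_IMAGE["C:\\POS\\pos_client.exe"],
    "C:\\POS\\printer_svc.exe": b"MZ\x90\x00replaced-printer-service",
    "C:\\Windows\\Temp\\svchost_update.exe": MALICIOUS_SAMPLE,
    "C:\\POS\\unknown_tool.exe": b"MZ\x90\x00never-seen-before",
}

if __name__ == "__main__":
    for e in scan_host(POS_DISK):
        print(e["verdict"].upper(), e["path"], e["reason"])
```

The point of the fourth outcome is that allowlisting does not depend on threat intelligence being up to date: a never-seen binary is blocked on a POS terminal whether or not a feed has a name for it yet.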


How the Attack Happened: A Step-by-Step Breakdown (4/5)

4. Data Exfiltration – Sending Stolen Information Out
o The attackers exfiltrated stolen card data to a server in Russia.
o The data was then sold on dark web markets, enabling fraud and identity theft.


How the Attack Happened: A Step-by-Step Breakdown (5/5)

5. Detection and Response – Failure to Act Promptly
o Target's security tools (FireEye, Symantec) did detect the intrusion and malware installation.
o However, security alerts were ignored or not escalated in time.
o The breach was only discovered when law enforcement and banks noticed fraudulent transactions linked to Target customers.


Data Exfiltration to External Server
10. Why is this outbound traffic suspicious?
Suspicious Traffic: Large outbound data transfer to a known malicious IP.

11. How could Target have detected and blocked this data exfiltration attempt?
Blocking Exfiltration: Implement Data Loss Prevention (DLP) and outbound traffic monitoring.

12. What role does network monitoring and anomaly detection play in preventing data breaches?
Network Monitoring: Detects anomalies in real time to prevent breaches.


Causes of the Attack
☞ Weak Vendor Security: The HVAC vendor had poor cybersecurity hygiene, allowing attackers to steal credentials via phishing.
☞ Lack of Network Segmentation: Target's network wasn't properly segmented, so attackers could move from third-party access to critical systems.
☞ Failure to Act on Security Alerts: Target's security tools detected the attack, but alerts were ignored or not properly escalated.
☞ Lack of Multi-Factor Authentication (MFA): If MFA had been required, attackers wouldn't have been able to log in with stolen credentials alone.


Wireshark Analysis of Malicious Traffic
Instructions:
1. Open the provided pcap file in Wireshark.
2. Apply a filter to only show HTTPS traffic.
3. Filter: tcp.port == 443
4. Identify large data transfers to external IPs.
5. Look for communications with 193.104.21.25.
6. Determine if the data transfer was encrypted.
7. Analyze the User-Agent strings in HTTP headers (if available) to detect anomalies.

13. How can you confirm that the exfiltrated data was sent to a malicious server?
Wireshark Confirmation: Analyze traffic patterns and confirm exfiltrated data sent to malicious
servers.

14. What additional Wireshark filters could help detect suspicious activity?
Wireshark Filters: Use ip.dst == 193.104.21.25 and tcp.stream analysis to track sessions.

15. How could intrusion detection systems (IDS) complement Wireshark in real-time detection?
IDS Integration: IDS like Snort or Suricata can provide real-time alerts for anomalous traffic.
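The Wireshark steps above (filter tcp.port == 443, look for large transfers to external IPs, check communications with 193.104.21.25, decide whether the transfer was encrypted) and questions 10 to 12 on the exfiltration slide describe the same check, so one script serves both. It is an added example, not part of the lecture or its lab pcap: it parses a classic pcap with only the standard library, applies those filters in code, and flags a destination for being a known-bad host, for the volume sent to it, and for non-TLS payload on port 443. The capture bytes are constructed inline; 10.0.0.0/8 as the internal range and 198.51.100.10 as the benign destination are placeholders.

```python
"""Offline exfiltration check over a pcap, using the lab's filters in code.

Added example, not part of the lecture or its lab capture. It parses classic
pcap (Ethernet/IPv4/TCP) with the standard library, keeps internal-to-external
traffic on tcp.port 443, sums bytes per destination, tests whether payload on
443 is really TLS, and flags the IOC 193.104.21.25 from the exercise. The capture
bytes are constructed inline; 10.0.0.0/8 as "internal" and 198.51.100.10 are
placeholders.
"""
import ipaddress
import struct
from collections import defaultdict

BAD_HOSTS = {"193.104.21.25"}                   # IOC named in the lab exercise
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed store/corporate range
LARGE_TRANSFER_BYTES = 1000                     # low so the small sample trips it

def build_pcap(packets):
    """Return pcap bytes for a list of (src, dst, sport, dport, payload) TCP packets."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, (src, dst, sport, dport, payload) in enumerate(packets):
        eth = b"\x00" * 12 + b"\x08\x00"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), i, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
        frame = eth + ip + tcp + payload
        out += struct.pack("<IIII", 1386000000 + i, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Yield (src, dst, sport, dport, payload) for every IPv4/TCP packet in the capture."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                    # not IPv4 over TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        src = str(ipaddress.ip_address(frame[26:30]))
        dst = str(ipaddress.ip_address(frame[30:34]))
        tcp = frame[14 + ihl:14 + total_len]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]

def looks_like_tls(payload):
    """A TLS record starts with content type 0x14-0x17 and version bytes 0x03 0x00-0x04."""
    return len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 3 and payload[2] <= 4

def analyze(pcap_bytes):
    """Apply the lab filters and return {destination: {bytes, reasons}} for suspicious hosts."""
    stats = defaultdict(lambda: {"bytes": 0, "plaintext": 0})
    for src, dst, _sport, dport, payload in parse_pcap(pcap_bytes):
        if dport != 443:                                 # tcp.port == 443, outbound side
            continue
        if ipaddress.ip_address(src) not in INTERNAL or ipaddress.ip_address(dst) in INTERNAL:
            continue                                     # only internal -> external flows
        stats[dst]["bytes"] += len(payload)
        if payload and not looks_like_tls(payload):
            stats[dst]["plaintext"] += 1
    findings = {}
    for dst, s in stats.items():
        reasons = []
        if dst in BAD_HOSTS:
            reasons.append("known_malicious_destination")   # ip.dst == 193.104.21.25
        if s["bytes"] >= LARGE_TRANSFER_BYTES:
            reasons.append("large_outbound_transfer")
        if s["plaintext"]:
            reasons.append("unencrypted_payload_on_443")     # step 6: was it encrypted?
        if reasons:
            findings[dst] = {"bytes": s["bytes"], "reasons": reasons}
    return findings

# Constructed capture: a real-looking TLS session, a plaintext bulk upload to the
# IOC, and an internal-only connection that the filter must ignore.
TLS_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
SAMPLE_PCAP = build_pcap([
    ("10.1.2.3", "198.51.100.10", 51000, 443, TLS_HELLO),
    ("10.1.2.3", "198.51.100.10", 51000, 443, b"\x17\x03\x03\x00\x10" + b"\x00" * 16),
    ("10.1.2.3", "193.104.21.25", 51001, 443, b"BATCH-0001:" + b"0" * 600),
    ("10.1.2.3", "193.104.21.25", 51001, 443, b"BATCH-0002:" + b"0" * 600),
    ("10.1.2.3", "10.9.9.9", 51002, 443, b"internal"),
])

if __name__ == "__main__":
    for dst, f in analyze(SAMPLE_PCAP).items():
        print(dst, f["bytes"], "bytes:", ", ".join(f["reasons"]))
```

To run it over the lab's own capture, replace SAMPLE_PCAP with the bytes of the provided pcap file and raise LARGE_TRANSFER_BYTES to a threshold that fits the store's normal traffic.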
Final Discussion and Recommendations
16. Based on the logs and answers above, reconstruct the timeline of the attack.
Attack Timeline: Initial access → lateral movement → malware execution → data exfiltration.

17. Identify key security controls that could have prevented each stage of the attack.
Security Controls: MFA, least privilege, segmentation, SIEM, EDR, firewall rules.

18. How does this attack compare to other high-profile breaches (e.g., SolarWinds, Colonial
Pipeline)?
Comparison: Similar tactics were used in later breaches, showing evolving attacker
techniques and the importance of proactive defense.



Attack Paths

Attack Details (flow of the attack as drawn in the IBM graphic):
1. Attacker phished a Fazio Mechanical PC and stole Target's login credentials.
2. Attacker entered Target's network using the stolen credentials.
3. Attacker explored Target's internal network and systems.
4. Attacker infected internal systems.
5. Attacker infected POS systems with malware (ALERTS!!!).
6. Malware gathered credit card and personal data and saved it to a file on a local server.
7. Stolen data is transferred to an external FTP server.
8. Attacker collects the data and sells it online.

Source: IBM Corp. Anatomy of an advanced retail breach Url: http://www.slideshare.net/ibmsecurity/anatomy-of-an-advanced-retail-breach



POS RAM Scraper
☞ Attackers used malware from the "POS RAM Scraper" family called BlackPOS.
☞ It captures the card and customer information from the POS terminal's memory banks during transaction processing and stores it in a local file for later transmission to a remote server.
☞ Vulnerability Areas - Data is briefly unencrypted for card transaction approval and not properly protected (or eliminated) in the memory banks.

Stages shown in the Websense graphic:
1. Malware is installed on the POS system.
2. Data (customer name, card number, card expiry date) is temporarily unencrypted for payment card processing.
3. Malware captures the unencrypted data from POS system RAM.
4. Data is saved in a local file.
5. Data is sent to a remote server.

Source: websense.com. Point-of-Sale Malware and the seven stage attack model. Url: http://www.websense.com/assets/pdf/Infographic-Security-Labs-2014.pdf
Malware complexity
☞ According to reports by Brian Krebs, a tailored version of the "BlackPOS" malware – available on black market cyber crime forums for between $1,800 and $2,300 – was installed on Target's POS machines. (Brian Krebs, A First Look at the Target Intrusion, Malware, KrebsOnSecurity (Jan. 15, 2014), online at http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/)
☞ This malware has been described by McAfee's Director of Threat Intelligence Operations as "absolutely unsophisticated and uninteresting." (Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack, Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It, Bloomberg Businessweek (Mar. 13, 2014), online at http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data)
☞ This assessment is in contrast with the statement of Lawrence Zelvin, Director of the Department of Homeland Security's National Cybersecurity and Communications Integration Center, who describes the malware used in the attack as "incredibly sophisticated." (House Committee on Energy and Commerce, Subcommittee on Commerce, Manufacturing, and Trade, Protecting Consumer Information: Can Data Breaches Be Prevented?, 113th Cong. (Feb. 5, 2014).)


Comparison with other attacks
Comparison to Other Attacks

Factor: Attack Type
  Target (2013): Supply Chain Attack via HVAC Vendor
  SolarWinds (2020): Supply Chain Attack via Software Update
  Colonial Pipeline (2021): Ransomware Attack via Phishing

Factor: Initial Entry
  Target (2013): Stolen vendor credentials (Fazio Mechanical)
  SolarWinds (2020): Malicious update in SolarWinds Orion
  Colonial Pipeline (2021): Phishing compromised VPN credentials

Factor: Lateral Movement
  Target (2013): Weak segmentation allowed movement to POS systems
  SolarWinds (2020): Attackers moved across networks using Orion software backdoor
  Colonial Pipeline (2021): Attackers encrypted key IT systems, affecting OT

Factor: Impact
  Target (2013): 40M credit card numbers stolen
  SolarWinds (2020): 18,000+ companies & US government agencies compromised
  Colonial Pipeline (2021): Shut down US fuel supply, causing shortages

Factor: Security Failure
  Target (2013): Ignored alerts, lack of MFA, no network segmentation
  SolarWinds (2020): Lack of software supply chain security & zero-trust policies
  Colonial Pipeline (2021): No MFA for VPN and weak incident response

Factor: Response
  Target (2013): Public outrage, lawsuits, CIO & CEO resigned
  SolarWinds (2020): Large-scale remediation, new federal policies on supply chain security followed
  Colonial Pipeline (2021): Colonial paid $4.4M ransom, stricter pipeline regulations


Key Similarities
☞ Third-Party Weaknesses:
o Target: HVAC vendor was the weak point.
o SolarWinds: Software vendor was compromised.
o Colonial Pipeline: Employee credentials were stolen.
☞ Lateral Movement Due to Poor Segmentation:
o Attackers moved from initial access to critical systems in all three cases.
☞ Failure to Detect or Respond in Time:
o In all three attacks, security tools detected anomalies, but responses were slow or ineffective.
☞ Massive Business and Financial Impact:
o Target lost $162M in costs and lawsuits.
o SolarWinds led to nationwide security reforms.
o Colonial Pipeline caused fuel shortages across the U.S.


Lessons Learned
☞ Enforce Strong Vendor Security: Require MFA and least privilege access for third-party vendors.
☞ Implement Network Segmentation: Prevent lateral movement by isolating critical systems.
☞ Monitor and Act on Security Alerts: Automate escalation of high-risk alerts to prevent delays.
☞ Use Zero-Trust Security: Assume no user or system is inherently trustworthy.


Governance, Risks and Compliance

Was Target Lax?

☞ Management accountability:
➢ Board accountability:
➢ Internal control weaknesses:

☞ Lack of responsiveness to warnings:

☞ Managing third-party vendor risk:

☞ Management did not understand the risks associated:



Management Issues
☞ The Verizon assessment, conducted between December 21, 2013 and March 1, 2014, notably found "no controls limiting their access to any system, including devices within stores such as point of sale (POS) registers and servers."
☞ In February 2014, KrebsOnSecurity was the first to report that investigators had zeroed in on the source of the breach: Fazio Mechanical, a small heating and air conditioning firm in Pennsylvania that worked with Target and had suffered its own breach via malware delivered in an email. In that intrusion, the thieves managed to steal the virtual private network credentials that Fazio's technicians used to remotely connect to Target's network.
A FireEye alert in XML



Lack of Network Segmentation, enclaves

[Graphic: a high-level diagram showing the various routes that Verizon penetration testers were able to use to get all the way down to Target's cash registers in 2013 and 2014.]


86% of Passwords cracked within a week
• Within one week, they were able to crack 472,308 of Target's 547,470 passwords (86 percent) that allowed access to various internal networks, including:
o target.com
o corp.target.com
o email.target.com
o stores.target.com
o hq.target.com
o labs.target.com
o olk.target.com
[Graphic: "Top 10" rankings of passwords, lengths, base words, and character set complexities.]
Patchy Patching
☞ Systems missing critical Microsoft patches.
☞ Running outdated [web server] software such as Apache, IBM WebSphere, and PHP hosted on web servers, databases, and other critical infrastructure which have many known vulnerabilities associated with them.
☞ "In several of these instances where Verizon discovered these outdated services or unpatched systems, they were able to gain access to the affected systems without needing to know any authentication credentials."
☞ "Verizon and the Target Red Team exploited several vulnerabilities on the internal network, from an unauthenticated standpoint.
• The consultants were able to use this initial access to compromise additional systems.
• Information on these additional systems eventually led to Verizon gaining full access to the network — and all sensitive data stored at on network shares — through a domain administrator account."




Discussions

What were the strengths and weaknesses of the
cybersecurity organizational structure at Target?
☞ Three teams at Target had interrelated responsibility for data
security. These were the
➢ Target Information Protection (TIP);
➢ Target Technology Services (TTS);
➢ Corporate Security and Information Security Investigation



What were the strengths and weaknesses of the
cybersecurity organizational structure at Target?
☞ Target Information Protection (TIP); Sr. Director to President to
CFO
➢ Vendor assessment
➢ Risk Review
➢ Internal employee Direct Security



What were the strengths and weaknesses of the
cybersecurity organizational structure at Target?
☞ Target Technology Services (TTS); CIO to CFO
➢ Internal IT, data centres, network storage, 9000 people
➢ SOC
➢ RED team / “White hat”



What were the strengths and weaknesses of the
cybersecurity organizational structure at Target?
☞ Corporate Security and Information Security Investigation; VP to
General Counsel
☞ Cybersecurity program Governance
☞ Internal and External Auditors
☞ Board Committees



What were the strengths and weaknesses of the
cybersecurity organizational structure at Target?
☞ Lack of single point accountability:

☞ The company had lots of systems in place:

☞ Segmentation was an issue:

☞ Board oversight and feedback seemed limited:

☞ But there was nothing that really would have raised alarms:

☞ Compliance does not equal preparedness:


Negligence?

☞ What might have contributed to the lack of action on the FireEye alerts?
☞ What do you make of the fact that the CEO was not informed for three days after the FBI alert?
☞ What is your understanding of the cause of such breaches?




Target's Board is NOT accountable

☞ The company had reasonable policies and procedures in place:
☞ External auditors and organizations certified that Target was compliant with industry standards:
☞ It's the responsibility of the management team:
☞ Cannot eliminate cyber-breach risk:
☞ It's a very complex business


Target's Board is accountable

☞ Unclear whether the board had ever defined or discussed cyber-risk and the board's role in overseeing it:
☞ Whatever the procedures in place, this clearly was a major violation. Reputational risk is huge:
☞ Did not put the right people in place:
☞ The board needed to be aware of the threat landscape:
☞ Reactionary response:
☞ Weaknesses in breach reporting and notifications:
Is the CEO accountable?

☞ The CEO can't, and shouldn't, have ownership of cybersecurity:
☞ Steinhafel isn't responsible for day-to-day cybersecurity, but for serious breaches he should be held accountable:
☞ In the end, the buck stops with the CEO:
☞ Show how central cybersecurity is to a business model:


What could Target have done better in the post-breach period?

☞ Unclear whether they stuck to a response plan, or even had one in the first place:
☞ If they had a point person for the response:
☞ Identified the real risk to the company:


Post Attack

Post Attack
US Dept of Justice informed Target about malicious activity
KrebsOnSecurity website reported the incident in the news media
Target's PR/Media Response – mixed and multi-stage
Target hires Verizon for security consultancy
Credit/Debit Card Information sold on the Dark Web
Target's management called to Capitol Hill for a hearing
Several of Target's top managers left the company
Target's Strategic Response
▪ Target reports several changes and improvements to the security of its information systems (separation of key networks, dual authentication, investment in security software, trend analysis, continuous improvement, vulnerability scanning, applying patches) – many details are kept confidential
▪ Target hires its first CISO
▪ Verizon recently reported some details of how it has helped Target find vulnerabilities

[Images: Target's "Cyber Fusion Center" (Target.com) and POS chip card systems]

Source: Target.com. Inside Target's Cyber Fusion Center. Url: https://corporate.target.com/article/2015/07/cyber-fusion-center
Retail Industry & Card Companies Response
▪ Retailers increase compliance with PCI-DSS and improved POS infrastructure
▪ Credit card companies started to transition to chip cards – Goal 10/1/2015.

[Image: Magnetic Stripe]


Evaluating Target's Missed Opportunities
☞ If Target had implemented the "kill chain" cyber security defense methodology, it could have prevented such an attack.
☞ Establish strict vendor access standards and periodically audit adherence to the standards
☞ Proper security training (pay attention to alerts and warnings)
➢ Training to detect real threats versus false positives, training to raise proper alarms, and training for management to pay attention to these alerts
➢ Password policy adherence and internal auditing
☞ Rigorous routine security patch installation and vulnerability remediation program
☞ Rigorous routine internal tests to discover vulnerabilities
☞ Observed due care – go above and beyond PCI-DSS standards to encrypt data
☞ Strategic & Operational oversight
➢ Chip card technology recourse in 2004
➢ Management attention to alerts
Source: Committee on Commerce, Science, and Transportation. www.commerce.senate.gov. The Intrusion Kill Chain (Page-5,7)
Url: http://www.commerce.senate.gov/public/_cache/files/24d3c229-4f2f-405d-b8db-a3a67f183883/23E30AA955B5C00FE57CFD709621592C.2014-0325-target-kill-chain-analysis.pdf
Target’s Possible Missed Opportunities

Source: Committee on Commerce, Science, and Transportation. www.commerce.senate.gov. Target’s Possible Missed Opportunities (page-11)
Url: http://www.commerce.senate.gov/public/_cache/files/24d3c229-4f2f-405d-b8db-a3a67f183883/23E30AA955B5C00FE57CFD709621592C.2014-0325-target-kill-chain-analysis.pdf

Research References
1. Target missed multiple data breach warnings, Senate Report says
http://www.startribune.com/target-missed-multiple-data-breach-warnings-senate-report-says/252451671/
2. A Kill Chain – Analysis of 2013 Target Data Breach
http://www.commerce.senate.gov/public/_cache/files/6e528123-41fc-4c22-a696-a224bbadb6b5/53810A4B7A5AF128030BF310B514BA78.2014-0325-target-kill-chain-analysis.pdf
3. Target CIO resigns
http://www.nytimes.com/2014/03/06/business/targets-chief-information-officer-resigns.html
4. Target to Settle Claims Over Data Breach
http://www.wsj.com/articles/target-reaches-settlement-with-visa-over-2013-data-breach-1439912013
5. Threat Encyclopedia – BlackPOS
http://www.trendmicro.com/vinfo/us/threatencyclopedia/malware/TSPY_POCARDL.U
6. 2014 – An Explosion of Data Breaches and PoS RAM Scrapers
http://blog.trendmicro.com/trendlabs-security-intelligence/2014-an-explosion-of-data-breaches-and-pos-ram-scrapers/
7. A First Look at the Target Intrusion, Malware
http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
8. The Target Breach, Kill Chain Version
https://www.securestate.com/blog/2014/08/13/kill-chain
Note: Above are references used in research in addition to the ones mentioned in slides.
9. $10 Million Settlement in Target Data Breach Gets Preliminary Approval
http://www.nytimes.com/2015/03/20/business/target-settlement-on-data-breach.html
10. Inside Target Corp., Days After 2013 Breach
http://krebsonsecurity.com/2015/09/inside-target-corp-days-after-2013-breach/
11. Timeline of Target's Data Breach And Aftermath: How Cybertheft Snowballed For The Giant Retailer
http://www.ibtimes.com/timeline-targets-data-breach-aftermath-how-cybertheft-snowballed-giant-retailer-1580056
12. Anatomy of the Target data breach: Missed opportunities and lessons learned
http://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/
13. Lockheed Martin – Intrusion Kill Chain
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
14. Krebs on Security. Cards Stolen in Target Breach Flood Underground Markets.
http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/
15. Krebs on Security. Inside Target Corp., Days After 2013 Breach.
http://krebsonsecurity.com/2015/09/inside-target-corp-days-after-2013-breach/
16. Target's Not-So-Smart Cards. The discount retailer could have been the ideal place to introduce chip-enabled credit cards…
http://money.cnn.com/magazines/business2/business2_archive/2004/09/01/379524/
17. Target 'Smart Cards' Will Be Phased Out
http://articles.latimes.com/2004/mar/04/business/fi-smartcards4
18. Symantec's report on a brief history of POS malware
http://www.symantec.com/connect/blogs/pos-malware-potent-threat-remains-retailers
19. CIO Magazine warned about the BlackPOS malware in March 2013
http://www.cio.com/article/2387200/security0/researchers-find-new-point-of-sale-malware-called-blackpos.html
20. BankInfoSecurity reported about breaches on retail businesses in July 2013.
http://www.bankinfosecurity.com/malware-attacks-hawaii-restaurants-a-5910/op-1
21. Target Warned of Vulnerabilities before the Data Breach.
http://www.wsj.com/articles/SB10001424052702304703804579381520736715690
22. Target finally gets its first CISO.
http://www.computerworld.com/article/2490637/security0/target-finally-gets-its-first-ciso.html
23. Smart Card. https://en.wikipedia.org/wiki/Smart_card
24. EMV FAQs. http://www.creditcards.com/credit-card-news/emv-faq-chip-cards-answers-1264.php


25. Detecting payment card data breaches today to avoid becoming tomorrow's headline.
http://blogs.cisco.com/security/detecting-payment-card-data-breaches-today-to-avoid-becoming-tomorrows-headline
26. Symantec's report on a brief history of POS malware.
http://www.symantec.com/connect/blogs/pos-malware-potent-threat-remains-retailers
27. CIO Magazine warned about the BlackPOS malware.
http://www.cio.com/article/2387200/security0/researchers-find-new-point-of-sale-malware-called-blackpos.html
28. BankInfoSecurity reported about breaches on retail businesses
http://www.bankinfosecurity.com/malware-attacks-hawaii-restaurants-a-5910/op-1
29. Target Warned of Vulnerabilities Before Data Breach.
http://www.wsj.com/articles/SB10001424052702304703804579381520736715690
30. Researchers Report Exact Timeline Of Massive Target Data Breach
http://www.forbes.com/sites/anthonykosner/2014/01/17/researchers-report-exact-timeline-of-massive-target-data-breach/


Assignment Question (1/2)
Based on the case discussions, submit your individual written responses as an assignment in Edmodo. Your answers must be clearly typed in your own words.

1. How did the hackers break into Target? Was Target aware of the POS vulnerabilities? Were online shoppers affected by this breach?

2. Why did Target not pay attention to the alerts issued by the Symantec and FireEye software?


Assignment Question (2/2)

3. Apply MITRE ATT&CK to analyze the Target attack. Your analysis should be your own and NOT a reproduction of slides from the internet.

4. What lessons can you draw from this case for prevention and response to cyber breaches?

5. What do you think companies can do better today to protect themselves from cyber breaches and in their post-breach response?


Thank you!

Follow us

isfcr.pesu www.isfcr.pes.edu ISFCR
