Three days after Target's confirmation on the nineteenth of a substantial point-of-sale breach, and three days after Brian Krebs broke the story on the eighteenth, the picture is now sharp enough that the structural lessons can be drawn. Forty million credit and debit card records were taken from in-store transactions between roughly the twenty-seventh of November (Black Friday in the US) and the fifteenth of December — that is, across the whole of the US Christmas-shopping window. The technical chain is, on what is in the public reporting so far, point-of-sale RAM-scraping malware that captured the unencrypted track data from cards as they were swiped, before the data was encrypted by the POS terminal for upstream transmission. The malware is being identified in the press as "BlackPOS" or one of its variants. The cards are now circulating in underground markets at, by Krebs's reporting, between $20 and $100 per card depending on the card type and the limits, with substantial inventory.

The technical chain matters because it is going to be the operational template for the next several years of retail breaches. RAM-scraping at the point-of-sale terminal is not a novel technique — it has been demonstrated since at least 2008, and there have been smaller-scale incidents through 2010 and 2011 — but the Target deployment shows that it is now operationally feasible at substantial scale against a major retail estate. The structural condition that makes RAM-scraping work is that the POS terminal, by the design of the magnetic-stripe payment system, has unencrypted track-data in memory at the moment of the card-read. Encryption-at-rest on the POS terminal does not help; encryption-in-transit upstream from the terminal does not help; the only structural answer is to encrypt at the point of card-read itself, which is the EMV chip-and-PIN model that the rest of the world has been moving to for a decade and that the US has, for various commercial-and-political reasons, been delaying. The Target breach is the cleanest single illustration of the cost of the US delay; whether it accelerates the EMV migration is a question the retail-and-payment-network conversation will work through over the coming year.

The lateral-movement question is the part of the analysis that is still being worked out. POS terminals at Target stores are not, in standard architecture, supposed to be reachable from internet-facing infrastructure; the malware therefore had to be deployed through some chain that started at internet-facing systems and ended at the POS estate. The reporting through the past forty-eight hours is suggesting that the entry point may have been a third-party HVAC vendor whose remote-monitoring access to Target's network had been compromised, with subsequent lateral movement from that initial foothold. If that reporting holds up, the structural lesson is the same one Stratfor demonstrated two years ago about network segmentation and third-party access — the most sensitive systems in an estate need to be unreachable from the least-secured third-party connections, and most retail estates are nowhere near that segmentation discipline.

For the engagements I run with retail or hospitality exposure — two of the Hedgehog clients have small retail estates with POS infrastructure, several others have third-party-vendor access patterns that are operationally similar — the post-Target conversation has been about three things. First, the network segmentation between POS estate and general corporate infrastructure: the practical questions of how the POS terminals connect upstream, what credentials are used, what monitoring is in place, and whether a compromise of any other part of the estate could reach the POS layer. Most of the answers are uncomfortable. Second, the third-party vendor access patterns: who has remote access to what, what credentials they use, how their security postures are validated, and what lateral movement is possible from any of those connections. Again, most of the answers are uncomfortable. Third, the EMV chip-and-PIN migration timeline at the small minority of clients with US-facing exposure: the structural answer to RAM-scraping is to make the unencrypted-track-data window as small as possible, and chip-and-PIN does that.

For the Hedgehog SOC, the detection-content additions for the BlackPOS family of malware are being written this week. The signatures for the specific BlackPOS variant Target was hit with are circulating in the threat-intelligence community; the broader detection patterns for POS-RAM-scraping malware are well-documented and are going into the engagement-team material. The wider question — how to detect lateral movement from third-party vendor access into sensitive estate segments — is harder and is going on the longer-term detection-development list.

The Krebs reporting on the underlying carding-market dynamics is, as always, the right place for the operational-economics analysis. Underground markets for stolen card data have been operationally mature for a decade; the post-Target inventory is going to depress prices in the short term, drive innovation in card-validation tooling on the underground side, and produce a measurable spike in fraud activity over the coming weeks. The downstream consequences for the Target customer base — the millions of cardholders now needing to monitor their statements, dispute fraudulent charges, and replace cards — are operationally substantial; the financial-system response (the issuing banks will absorb most of the direct fraud cost) is well-rehearsed but not free.

The next post is the year retrospective. 2013 has been the largest single year of structural change in the threat landscape since the run of incidents I wrote about across 2011, and writing it up coherently is going to take the rest of the holiday week.