Getting The Target Off Your Back
By JD Sherry

Unless you happen to only shop at Wal-Mart, you have probably been following, and are extremely interested in, the latest developments regarding the epic Target security breach. This will set the new bar as THE most elaborate retail heist in the history of the Internet.

We discussed the latest last week on Fox Business. It is truly amazing that nearly 1,800 stores in the massive retailer’s network were compromised, not to mention a key system that housed a tremendous amount of customer data. A heist of this caliber is done by the best of the best. One or more elite crime syndicates most likely performed most of the reconnaissance and analysis on the Target mother ship.

Most likely, that detailed analysis revealed chinks in the armor of one of the world’s largest retailers. Security defenses, and possibly human nature, could have been taken advantage of, and the result was a massive payout: the financial and personal information of nearly one in three Americans. The network forensics of this breach are still underway, and we will know more about the “what” and “how” in the coming weeks and months. It is safe to say that this will only get more interesting…

We know that some strain of memory-scraping malware permeated the Target POS systems and parsed the payment information into digestible chunks. That data could then be siphoned out of the network unnoticed, over protocols on which Target wasn’t necessarily watching for suspicious communications or attacker behaviors. Ultimately, the attackers exercised what appears to be a two-phased approach to compromising the 40 million credit and debit cards, including cards loaded with social security payments. This type of attack against the payment ecosystem was a classic “slow and low” approach.

The attackers’ first phase was to install the payment-parsing malware onto the POS systems. This process was most likely automated rather than done manually by going to each register one by one; this heist appears much more sophisticated than that. Historically, we have seen trusted patch management systems and configuration management platforms compromised internally and subsequently leveraged to push malware out from what appears to be a trusted system update channel. This is how the scale and stealth factor is achieved, and it could have been one approach for the hackers to get the POS malware onto the systems. Insider threat hasn’t been ruled out at this juncture either. The memory parser was then executed and conveniently hooked into the POS binaries at the registers to capture payment data and store it in a miscreant-managed database inside the Target infrastructure. The strain of malware went undetected in Target’s network.

The second stage of the attack was the critical one and often the toughest to pull off: getting the payload out of the network, using a command and control server and the FTP protocol to export it to the criminals’ safe haven. This was done at calculated intervals during the day, slowly enough not to set off any alarms or suspicion from Target IT and security personnel.

But it got worse… It also appears another system was in play, which led to the exposure and capture of nearly 70 million customer records that included email addresses, phone numbers and postal addresses. I don’t think the attackers care too much about the “national do not call list”… This system could have been a proprietary customer database or CRM system in which Target housed key information about customers and potentially their transactions. These analytics are extremely powerful for the monster retailer, and if this system was indeed compromised, other telling information about us as consumers could be among the data these attackers exfiltrated, now circulating in the cyber underworld.

In conclusion, we will continue to learn more about this attack, and it will serve as a major awakening not only for Target but for consumers and other major retailers. We should all recognize and appreciate the level of professionalism and sophistication with which this heist was carried out. However, we should also understand that new innovation exists to thwart these types of targeted attacks. Target could have used a Custom Defense. This strategy focuses not only on advanced malware detection but also on “slow and low” attacker behaviors and communications across the ports and protocols on which they could have been inspecting. A new approach is needed. Take the target off your back today…
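As an added illustration, not code from the original post or from Trend Micro, the following Python sketches the network-side check that the second-stage behavior described above calls for: it reads a flow log, reports every host in the register segment that talks FTP to an address outside the corporate range (registers have no business doing that at all), and flags the pairs whose connections recur on a near-constant interval, the signature of "slow and low" scheduled exfiltration. The flow log, the 10.20.1.0/24 register segment, the 10.0.0.0/8 internal range and the thresholds are all constructed assumptions for the example.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample flow log (not Target data): "timestamp src dst dst_port bytes_out".
# 10.20.1.15 pushes ~50 KB to an outside FTP server once an hour; 10.20.1.22 does
# ordinary internal HTTPS; 10.20.1.40 makes one web fetch and two irregular FTP
# connections to the outside.
SAMPLE_FLOWS = """\
2013-12-02T09:00:00 10.20.1.15 203.0.113.7 21 48213
2013-12-02T10:00:05 10.20.1.15 203.0.113.7 21 51098
2013-12-02T11:00:02 10.20.1.15 203.0.113.7 21 47750
2013-12-02T12:00:07 10.20.1.15 203.0.113.7 21 49920
2013-12-02T13:00:01 10.20.1.15 203.0.113.7 21 50311
2013-12-02T09:13:44 10.20.1.22 10.20.0.5 443 1200
2013-12-02T09:41:10 10.20.1.22 10.20.0.5 443 1530
2013-12-02T15:02:33 10.20.1.22 10.20.0.5 443 990
2013-12-02T09:30:00 10.20.1.40 198.51.100.9 80 3200
2013-12-02T09:30:00 10.20.1.40 198.51.100.9 21 3200
2013-12-02T16:45:12 10.20.1.40 198.51.100.9 21 860
"""

POS_SEGMENT = ipaddress.ip_network("10.20.1.0/24")    # assumed register VLAN
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate address space
FTP_PORTS = {20, 21}
MIN_FLOWS = 4       # below this, interval statistics are not meaningful
MAX_JITTER = 0.05   # coefficient of variation of inter-flow gaps that still counts as "clockwork"


def parse_flows(text):
    """Turn the whitespace-separated log into (ts, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts),
                      ipaddress.ip_address(src),
                      ipaddress.ip_address(dst),
                      int(port), int(nbytes)))
    return flows


def is_external(addr):
    """Anything not inside the corporate ranges is treated as the Internet."""
    return not any(addr in net for net in INTERNAL_NETS)


def find_slow_and_low(flows):
    """Report every register talking FTP to the outside, and mark the pairs whose
    connections recur on a near-constant interval as beacon-like."""
    groups = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        if src in POS_SEGMENT and is_external(dst) and port in FTP_PORTS:
            groups[(str(src), str(dst))].append((ts, nbytes))

    findings = []
    for (src, dst), events in sorted(groups.items()):
        events.sort()
        # Seconds between consecutive connections; a scheduled job keeps these nearly equal.
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps) if gaps else 0.0
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        findings.append({
            "src": src,
            "dst": dst,
            "flows": len(events),
            "bytes": sum(n for _, n in events),
            "mean_gap": mean_gap,
            "jitter": jitter,
            "beacon_like": len(events) >= MIN_FLOWS and jitter <= MAX_JITTER,
        })
    return findings


if __name__ == "__main__":
    for f in find_slow_and_low(parse_flows(SAMPLE_FLOWS)):
        tag = "BEACON-LIKE EXFIL" if f["beacon_like"] else "policy violation"
        print(f"{tag}: {f['src']} -> {f['dst']} ftp, {f['flows']} flows, "
              f"{f['bytes']} bytes, mean gap {f['mean_gap']:.0f}s, jitter {f['jitter']:.3f}")
```

Two points of design: the policy check (register to Internet over FTP) fires on a single connection and needs no statistics, which is why it is the first filter; the interval regularity check is what separates a scheduled exfiltration job from a one-off misconfiguration, and it only becomes meaningful once several flows have been seen. Real deployments would feed this from NetFlow or proxy logs and extend the port set to whatever egress the registers are not supposed to use.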

JD Sherry is Director of Public Technology and Solutions for Trend Micro. He is responsible for providing guidance and awareness regarding Trend Micro’s entire security portfolio aimed at protecting both commercial and government cloud ecosystems. Well-versed in enterprise and data center architecture, Mr. Sherry has successfully implemented large-scale public, private and hybrid clouds leveraging the latest in virtualization technologies. Over the last seven years, he has established himself as a trusted senior advisor for the protection of Payment Card Industry (PCI), Health Information Privacy Act (HIPAA) and Personally Identifiable Information (PII) data. Mr. Sherry also has an extensive background in developing and bringing to market mobility platforms and applications. JD has spent the last 10 years in senior IT leadership roles. [Twitter]