The exposure really began in September, when a third-party mechanical services company installed a Windows-based computer to monitor the HVAC systems. Attackers had managed to phish credentials that gave them access to the network.
In November, using the stolen credentials, they were able to access the client network and install malware on a target Point of Sale (POS) system. Within a few weeks the attackers had tested and validated their software and successfully installed exfiltration software that extracted millions of customer credit card numbers directly from store cash registers.
FireEye alerts were recorded in the Security Operations Center (SOC) within the Security Information and Event Management (SIEM) software. However, these were among thousands of alerts received each day. Analysts did not fully trust the alerts, as they had received numerous false positives in the past, and the alerts carried no additional activity information to provide context.
Context such as what traffic preceded and followed the event, and from where to where. There was no network or business context that could have answered the question: do these alerts indicate the ability to reach critical assets?
There was also no business process for triaging and analysing alerts to determine whether they were truly false positives.
Between December 2nd and December 12th, more alerts were received from different areas of the network, but they were not correlated with other activity or placed in the context of the business or the network.
Bottom line: there was not enough context or visibility to correlate events, so they were still ignored. Why?
- The victim was using a set of “first gen” security products that were not fully integrated with its SIEM platform
- The data that indicated they were under attack and being exploited was there, but the incumbent security products did not flag the activity as suspicious
- Because of the large number of false positives reported by other security tools, the other warning signs were missed
- It’s all about adding CONTEXT and detecting anomalous behavior in a vast sea of data, in real time!
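As an added illustration (not part of the original post, and not any vendor's product logic), the Python below sketches the kind of context the text says was missing. For each alert it pulls the flows that preceded and followed it on the alerting host, checks whether that host subsequently reached critical assets or pushed data to an intermediate host that then sent it out, and links alerts whose hosts are connected by observed traffic. All alerts, flow records, the asset inventory, the time window and the field names are constructed assumptions for the example.

```python
"""Alert enrichment and correlation sketch (added example; all data constructed)."""
from datetime import datetime, timedelta

# Constructed asset inventory: host -> (zone, criticality). Hypothetical addresses.
ASSETS = {
    "10.10.5.23": ("vendor-hvac", "low"),
    "10.20.1.10": ("corp-fileserver", "medium"),
    "10.30.7.41": ("pos-register", "critical"),
    "10.30.7.42": ("pos-register", "critical"),
    "192.0.2.77": ("internet", "external"),
}

# Constructed malware-appliance alerts (modelled on the story, not real records).
ALERTS = [
    {"ts": "2013-11-30T02:14:00", "host": "10.10.5.23", "sig": "malware.binary.download"},
    {"ts": "2013-12-02T03:05:00", "host": "10.30.7.41", "sig": "malware.callback"},
]

# Constructed flow records: (timestamp, src, dst, dport, bytes).
FLOWS = [
    ("2013-11-30T02:13:30", "192.0.2.77", "10.10.5.23", 443, 4_200_000),   # payload pulled in
    ("2013-11-30T02:20:00", "10.10.5.23", "10.20.1.10", 445, 12_000),      # lateral movement
    ("2013-11-30T02:25:00", "10.10.5.23", "10.30.7.41", 445, 150_000),     # reaches a POS register
    ("2013-12-02T03:04:00", "10.30.7.41", "192.0.2.77", 443, 1_200),       # callback beacon
    ("2013-12-02T03:30:00", "10.30.7.41", "10.20.1.10", 445, 9_800_000),   # staging to file server
    ("2013-12-02T04:10:00", "10.20.1.10", "192.0.2.77", 21, 9_800_000),    # staged data leaves
]

WINDOW = timedelta(hours=2)  # assumed look-around window for context


def parse(ts):
    return datetime.fromisoformat(ts)


def enrich(alert, flows=FLOWS, assets=ASSETS, window=WINDOW):
    """Attach surrounding traffic to an alert and derive a triage priority."""
    t0, host = parse(alert["ts"]), alert["host"]
    before, after = [], []
    for ts, src, dst, dport, nbytes in flows:
        t = parse(ts)
        if host not in (src, dst) or abs(t - t0) > window:
            continue
        (before if t < t0 else after).append((src, dst, dport, nbytes))

    crit = lambda ip: assets.get(ip, ("unknown", "unknown"))[1]
    outbound = [f for f in after if f[0] == host]
    # Business context: did the host go on to touch anything critical?
    critical = sorted({assets[dst][0] for _, dst, _, _ in outbound if crit(dst) == "critical"})
    # Direct egress from the alerting host after the alert.
    egress = sum(n for _, dst, _, n in outbound if crit(dst) == "external")
    # Second hop: data pushed to an internal host that then sent it outside (staging).
    staged = 0
    for hop in {dst for _, dst, _, _ in outbound if crit(dst) != "external"}:
        for ts, src, dst, _, n in flows:
            if src == hop and crit(dst) == "external" and t0 <= parse(ts) <= t0 + window:
                staged += n

    if critical or egress > 1_000_000 or staged > 1_000_000:
        priority = "P1"
    elif outbound:
        priority = "P2"
    else:
        priority = "P3"
    return {
        "host": host, "zone": assets.get(host, ("unknown",))[0], "sig": alert["sig"],
        "preceded_by": before, "followed_by": after, "can_reach_critical": critical,
        "egress_bytes": egress, "staged_egress_bytes": staged, "priority": priority,
    }


def correlate(alerts=ALERTS, flows=FLOWS):
    """Link alert A to alert B when A's host talked to B's host between the two alerts."""
    links = []
    for a in alerts:
        for b in alerts:
            ta, tb = parse(a["ts"]), parse(b["ts"])
            if a is b or ta >= tb:
                continue
            if any(src == a["host"] and dst == b["host"] and ta <= parse(ts) <= tb
                   for ts, src, dst, _, _ in flows):
                links.append((a["host"], b["host"]))
    return links


if __name__ == "__main__":
    for a in ALERTS:
        r = enrich(a)
        print(f'{r["priority"]} {r["host"]} ({r["zone"]}) {r["sig"]} '
              f'critical={r["can_reach_critical"]} egress={r["egress_bytes"]} staged={r["staged_egress_bytes"]}')
    print("linked alerts:", correlate())
```

Run as-is, both constructed alerts come out as P1 and the second is linked back to the first, which is the point: the HVAC-vendor host alert only looks serious once the SMB traffic to a POS register is attached to it, and the register alert only shows its exfiltration once the second hop through the file server is counted. Without that enrichment each alert is one more low-confidence line in the queue.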
How the breach could have been avoided: