Brad Garnett

Welcome to my Digital Forensics and Incident Response oasis!

Digital Forensics, Incident Response, and Information Security

Target: Actionable Intelligence

There is a lot to be learned from the Target Data Breach.  Brian Krebs initially broke the story on this data breach. This story just posted late this evening caught my attention and I thought a quick blog post would be in order to share some thoughts. Those of us in the information security and digital forensics field understand that the user is the weakest link in the security chain. But, what immediate actions can be done to strengthen this area of opportunity? 

Licensed under the Creative Commons  license

Licensed under the Creative Commons license

Target announced this evening, "The ongoing forensic investigation has indicated that the intruder stole a vendor's credentials, which were used to access our system," Target spokeswoman Molly Snyder said in a statement referenced in the MSN story.

There are so many takeaways from the Target data breach. Not only for the information security industry, but the retail sector and general public as a whole. As our lives are connected to the Internet and we conveniently use our plastic cards as forms of payment, we tend to brush security off to the side, for the "freedoms" in the technological age for whatever is more convenient. I'm optimistic that this very large scale data breach will begin dialogue on the necessity of cyber-security collaboration amongst the government and private sector. Not through a coalition or task force, but through sharing actionable, intelligible information. No matter what industry you derive from, information sharing is always a challenge (or has many obstacles). However, when you look at what occurred with this data breach and can begin to decipher media reports and other data sources, there are many lessons to be learned and actionable intelligence. Brian Krebs does an excellent job in dissecting the intrusion. In the last month, we have Target, Neiman Marcus, and now Michael's Stores announcing data breaches. The question remains, "Who else?"


More on this at a later date...

Now, some DFIR actionable intelligence for us to explore from this data breach... Brian Moran of BriMorLabs has some great information up on his blog. Today, Mr. Moran shared his research on the Target POS Malware. Very easy to set up a test environment and see how this malware is exfiltrating payment data from POS (Point of Sale) systems.  In case you missed it, Jake Williams shared his joint anti-forensics ADD talk with Alissa Torres from Shmoocon here. Basically, ADD is a conceptual tool to create fake memory artifacts, but just as @jackcr methodically points out, forensic analysis is focused on collaborating multiple artifacts, not just a single artifact. The forensic analyst must be aware of anti-forensic techniques, how artifacts are legitimately created, and how they can be falsified. Understanding normal will help you detect the anomalies during your forensic analysis.