The Diamond Model in cybersecurity is a concept used for intrusion analysis. There are four main aspects: adversary, capability, infrastructure, and victim. Every cybersecurity incident will have at a minimum these four factors.
Background of the Target Breach
I will be examining the Target Corporation data breach that occurred in 2013. During this time, it was “estimated 70 million pieces of personally identifiable information” (Rowe) were stolen from the Target Corporation. In many cases, Target has been made an example of how security can impact a corporation; however, there are still only minor changes occurring to remedy cyber security threats. The following is an overview of what happened during the breach. A third-party vendor was working with Target on their refrigeration services for incorporating food into their sales. The third-party vendor had poor password security, and an adversary was able to get into their system. The adversary was able to traverse the network and install malware on the cash registers that sent the credit card data to the adversary before it was sent to be processed for the purchase. The malware was on the network during the busy season around Thanksgiving. The breach was reported in December of 2013, and following this there was an investigation as to what part of their system was vulnerable and how to prevent a similar cyber-attack in the future.
Applying the Diamond Model
Within the Diamond Model, there are four vertices: adversary, victim, infrastructure and capability. Additionally, there are two edges: the connection between the adversary and the victim, called the social-political meta-feature, and the connection between the infrastructure and the capability, called the technology meta-feature.
When applying the Target data breach to the Diamond Model, the necessary terminology can be given values. The adversary is unknown. During the investigation, the root cause of the breach, the capability, was the concern, not the adversary. The victim is the organization Target and the customers who provided their credit card data to Target during their purchases. The social-political meta-feature was the adversary’s drive to sell the information they were able to gather for money on the black market. The capability “stemmed from hijacked credentials stolen from Fazio Mechanical Services, a third party service provider.” (Plachkinova) Once inside the network there was not much network segregation, so the adversary would have been able to jump from the “point of sale terminals to mission critical back-end systems.” (Plachkinova)
The adversary was able to install malware on the point of sale terminals and pull the credit card data as it passed through the system during a sale. The infrastructure is then the ability to get the data off the infected machines. Because the malware was installed on the point of sale machines, and because whitelisting and malware detection were insufficient, the adversary was able to maintain command and control over the systems and send the credit card data out of the network, where they were able to retrieve it. (Rowe)
Policy Assessment
This incident occurred during a time when not many cyber security attacks had occurred yet; it was basically the beginning. At this time, Target did not have a Chief Information Security Officer employed or anything similar. They had no one in place on staff to be making decisions on how to make the information and network safe and secure from the possibility of cyber security attacks.
There could be many ways to try to regulate cyber security for organizations, but when looking at how to solve the problem we have to look at many different aspects. Many cyber security issues could be corrected through legislation on the international level; however, this is not feasible for many situations. It is unlikely that all nations could be made to work together when many may want to allow such attacks to occur.
I believe this type of incident that occurred against Target could be handled on the organizational, industry, or the national level. The fastest way would be internal to the organization, which is how this was resolved in reality. An investigation occurred and Target made changes within their organization to improve their cyber security and try to prevent this from occurring again. This would allow them to make their own policy swiftly; however, that policy still may not be up to a certain standard the industry or nation would have. For part of this attack, the best option would be at the organizational level, specifically the ability to define password regulations. Since this aspect was how the adversary was able to get into the Target network, Target should create a password policy and phishing prevention techniques for their network and any third parties that connect into their network. Additionally, employees can be the company’s weakest link. (Manworren) This can be addressed with an organizational policy and training developed to help prevent phishing attacks or to recognize the signs of an insider threat.
At the industry level, there can be more collaboration to define industry standards. At this level there is still no way to enforce these standards, but the corporations involved usually want to participate in what is decided. The other part of the attack, the adversary being able to install the malware and send the data back out, was due to not having network segregation and not enforcing strict whitelists for their point of sale devices. This is something that can be solved by including in industry standards when and how to use whitelists in certain situations, as well as how an organization should implement network segregation between different areas.
When analyzing a solution at the national level, this level would do a good job of being able to enforce consequences if an organization wasn’t in compliance. This level of action would take a lot of time and work to make happen. There is also the possibility of the politicians being incompetent and not including experts when creating the legislation, which could create loopholes and workarounds.
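As an added illustration of the two gaps this essay keeps returning to, missing network segregation and missing whitelists for the point of sale devices (the infrastructure paragraph above and the industry-level paragraph), the following Python sketch checks flow records against a register egress allowlist and segment rules from the defender's side. It is not part of the original essay or of Target's actual controls; every address, segment, port and flow record is constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for this example (hypothetical; not Target's real network).
CORPORATE_RANGE = ip_network("10.0.0.0/8")      # everything internal lives here
POS_SEGMENT = ip_network("10.10.0.0/16")        # point-of-sale terminals
BACKEND_SEGMENT = ip_network("10.20.0.0/16")    # mission-critical back-end systems
VENDOR_SEGMENT = ip_network("10.30.0.0/24")     # third-party vendor remote access

# Egress allowlist for registers: the only (destination, port) pairs a POS
# terminal legitimately needs, e.g. the payment switch and a patch server.
POS_EGRESS_ALLOWLIST = {
    (ip_address("10.20.5.10"), 443),   # payment authorization switch
    (ip_address("10.20.5.20"), 8443),  # POS software update server
}

def classify_flow(src, dst, dport):
    """Return 'allowed' or the label of the segmentation rule the flow breaks."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if src_ip in VENDOR_SEGMENT and dst_ip in POS_SEGMENT:
        # A vendor foothold should never be able to reach a register directly.
        return "vendor-to-pos-lateral"
    if src_ip in POS_SEGMENT:
        if (dst_ip, dport) in POS_EGRESS_ALLOWLIST:
            return "allowed"
        if dst_ip in BACKEND_SEGMENT:
            return "pos-to-backend-unexpected"
        if dst_ip not in CORPORATE_RANGE:
            # Registers have no business reaching the internet: treat as C2/exfiltration.
            return "pos-external-egress"
        return "pos-egress-not-allowlisted"
    return "allowed"

def audit_flows(flows):
    """Run every (src, dst, dport) record through the policy; return the violations."""
    findings = []
    for src, dst, dport in flows:
        verdict = classify_flow(src, dst, dport)
        if verdict != "allowed":
            findings.append((src, dst, dport, verdict))
    return findings

# Constructed flow records (src, dst, dst_port) standing in for firewall or NetFlow logs.
SAMPLE_FLOWS = [
    ("10.10.3.41", "10.20.5.10", 443),   # register authorizing a card: fine
    ("10.30.0.17", "10.10.3.41", 445),   # vendor VPN host connecting to a register
    ("10.10.3.41", "10.20.7.9", 22),     # register opening SSH to a back-end server
    ("10.10.3.41", "203.0.113.7", 21),   # register pushing data to an external host
    ("10.20.7.9", "10.20.5.10", 443),    # back-end server to payment switch: fine
]
```

Calling `audit_flows(SAMPLE_FLOWS)` returns the three violating records, each tagged with the rule it breaks, which is the kind of signal the whitelisting and segregation the essay calls for would have produced.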
References
https://landing.joinbrix.com/posts/target-security-breach-overview.html
https://jise.org/Volume29/n1/JISEv29n1p11.html
https://www.researchgate.net/publication/295394659_Why_you_should_care_about_the_Target_data_breach
This work is licensed under a Creative Commons Attribution 4.0 International License.