Could Managed File Transfer Have Prevented the Target Credit Card Breach?

December’s Target credit card breach attracted my attention because it used FTP to send files from an “exfiltration” server at Target to criminals.

From SecurityIntelligence.com

Could managed file transfer (MFT) have prevented the attackers from sending (via “exfiltration”) Target’s sensitive data?

The Target Hack Depended on File Transfer

The Target attack was complex and required both skill on the part of the hackers and complicity on the part of Target. Failure to detect strange flows of data to the exfiltration server and the use of modified malware that escaped antivirus detection are among the factors that contributed to the attack. There is an ongoing debate about what may have prevented the penetration or the exploit, but all published analyses now agree that the captured credit cards were eventually “file transferred” to a Windows share, and then FTP’ed out the front door.

The Target Hackers’ Managed File Transfer Workflow

The final step of the hackers’ attack was a classic managed file transfer workflow:

  1. Receive files from an array of internal resources,
  2. consolidate received files and
  3. then FTP them out.

Where Were the Egress Filters?

The hackers were only allowed to use FTP to send files out of the network because the firewall allowed them to open FTP connections. It may come out someday that Target’s firewall configuration or infrastructure was hacked, but at the moment it appears that limits on outbound connections (or “egress filters”) that we might expect to have been there were just not there.

How Could Managed File Transfer Have Helped?

If Target had committed to managed file transfer, it would likely have committed itself to centralizing and controlling automated transfers such as FTP. It may also have surfaced a requirement to secure (if not replace) FTP throughout the organization. Either way, an MFT-aware Target would have taken a suspicious view of outbound firewall rules allowing non-secure FTP connections from any internal machine.

Would Any Particular MFT Solution Have Helped?

Unfortunately, no, there isn’t a single MFT product that would have helped in Target’s case. Instead, it would have been the MFT philosophy and implementation of centralization and technology or protocol controls that would have kept Target safe.

That said, there are a few types of MFT technology that help implement centralization.

  1. The first is automation or orchestration technology to replace scattered and vulnerable FTP scripts.
  2. A second is a powerful and secure FTP server (usually with a secure web interface) to consolidate and replace scattered FTP servers.
  3. A third is a web-based FTP client and/or FTP proxy if you still need to allow individual end users to perform manual FTP operations. (This is optional.)

In Target’s case, implementing the first and third of these types of managed file transfer technology (i.e., file transfer automation and/or web-based FTP or an FTP proxy) along with appropriate egress filters would likely have prevented this particular attack on Target.
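As an added illustration (not part of the original article), the following sketch audits an egress rule table and flags every reachable rule that lets a host other than the central MFT gateway open outbound FTP, which is the condition the egress-filter discussion above describes. The rule format, the addresses and the gateway address 10.20.0.15 are constructed assumptions, not Target's configuration.

```python
import ipaddress

# Constructed sample egress rules, evaluated top-down; not Target's real configuration.
# Columns: action  protocol  source CIDR  destination CIDR  destination port
SAMPLE_RULES = """\
allow tcp 10.20.0.15/32 203.0.113.10/32 22   # MFT gateway, SFTP to one partner
allow tcp 10.0.0.0/8    0.0.0.0/0       21   # any internal host may FTP out
allow tcp 10.20.0.15/32 0.0.0.0/0       21   # MFT gateway, legacy FTP
allow any 10.30.0.0/16  0.0.0.0/0       any  # wide-open subnet
deny  any 0.0.0.0/0     0.0.0.0/0       any  # default deny
allow tcp 10.40.0.0/16  0.0.0.0/0       21   # unreachable: below default deny
"""
# Hypothetical address of the central MFT gateway (an assumption for this example).
MFT_HOSTS = [ipaddress.ip_network("10.20.0.15/32")]
ANY_NET = ipaddress.ip_network("0.0.0.0/0")

def parse_rules(text):
    """Parse the rule table into dicts, skipping blank lines and trailing comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        action, proto, src, dst, port = fields
        rules.append({"line": lineno, "action": action, "proto": proto, "port": port,
                      "src": ipaddress.ip_network(src),
                      "dst": ipaddress.ip_network(dst)})
    return rules

def audit_ftp_egress(rules, mft_hosts):
    """Return reachable allow rules that let non-MFT sources open FTP control (21/tcp)."""
    # Only a catch-all deny is treated as shadowing; narrower denies are not modelled.
    findings = []
    for r in rules:
        catch_all = (r["proto"] == "any" and r["port"] == "any"
                     and r["src"] == ANY_NET and r["dst"] == ANY_NET)
        if r["action"] == "deny" and catch_all:
            break  # nothing below a default deny can match
        covers_ftp = r["proto"] in ("tcp", "any") and r["port"] in ("21", "any")
        from_mft = any(r["src"].subnet_of(net) for net in mft_hosts)
        if r["action"] == "allow" and covers_ftp and not from_mft:
            findings.append(r)
    return findings

if __name__ == "__main__":
    for f in audit_ftp_egress(parse_rules(SAMPLE_RULES), MFT_HOSTS):
        print(f"rule {f['line']}: {f['src']} -> {f['dst']} port {f['port']} allows FTP out")
```

On the sample table, the broad `10.0.0.0/8` FTP rule and the wide-open `10.30.0.0/16` rule are reported, while the gateway's own rules and the rule below the default deny are not.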

How Can File Transfer Consulting Help?

File Transfer Consulting can help your organization prepare for and implement a complete managed file transfer solution because we do more than set up the technology and run. Instead, we help you take a strategic view of your MFT operations, from design (network, services, cloud resources), through implementation and on to procedure and training.

Our holistic approach also makes us the capability leader in environments with complex needs, such as consolidation, automation or products from multiple vendors, and our low-overhead consulting model allows us to achieve reliable results at affordable prices. Contact us today!

About Jonathan Lampe

Andy White and I started File Transfer Consulting in 2011 to solve secure file transfer and managed file transfer issues through strategic analysis, training, integration and custom development. Our unique approach allows us to address complicated issues like no one else.

Before FTC I created and then led the development of Ipswitch's MOVEit managed file transfer software for ten exciting years, including three as VP for R&D and Product Management at Ipswitch (WS_FTP, MessageWay and hosted services). I also served as VP for Product Management for RhinoSoft (Serv-U), where I guided the development of managed file capabilities and marketing that led to its eventual sale to SolarWinds.

Come meet me on Google+ or LinkedIn today!