December’s Target credit card breach attracted my attention because it used FTP to send files from an “exfiltration” server at Target to criminals.
Could managed file transfer (MFT) have prevented the attackers from sending (“exfiltrating”) Target’s sensitive data?
The Target Hack Depended on File Transfer
The Target attack was complex and required both skill on the part of the hackers and complicity on the part of Target. Failure to detect anomalous flows of data to the exfiltration server and the use of modified malware that evaded antivirus detection are among the factors that contributed to the attack. There is an ongoing debate about what may have prevented the penetration or the exploit, but all published analyses now agree that the captured credit cards were eventually “file transferred” to a Windows share, and then FTP’ed out the front door.
The Target Hackers’ Managed File Transfer Workflow
The final step of the hackers’ attack was a classic managed file transfer workflow:
- Receive files from an array of internal resources,
- consolidate received files and
- then FTP them out.
Where Were the Egress Filters?
The hackers were only able to use FTP to send files out of the network because the firewall allowed them to open outbound FTP connections. It may come out someday that Target’s firewall configuration or infrastructure was hacked, but at the moment it appears that the limits on outbound connections (“egress filters”) that we might expect to have been there were simply not there.
How Could Managed File Transfer Have Helped?
If Target had committed to managed file transfer, it would likely have committed itself to centralizing and controlling automated transfers such as FTP. It may also have surfaced a requirement to secure (if not replace) FTP throughout the organization. Either way, an MFT-aware Target would have taken a suspicious view of outbound firewall rules allowing non-secure FTP connections from any internal machine.
Would Any Particular MFT Solution Have Helped?
Unfortunately, no, there isn’t a single MFT product that would have helped in Target’s case. Instead, it would have been the MFT philosophy and implementation of centralization and technology or protocol controls that would have kept Target safe.
That said, there are a few types of MFT technology that help implement centralization.
- The first is automation or orchestration technology to replace scattered and vulnerable FTP scripts.
- A second is a powerful and secure FTP server (usually with a secure web interface) to consolidate and replace scattered FTP servers.
- A third is a web-based FTP client and/or FTP proxy if you still need to allow individual end users to perform manual FTP operations. (This is optional.)
In Target’s case, implementing the first and third of these types of managed file transfer technology (i.e., file transfer automation and/or web-based FTP or an FTP proxy) along with appropriate egress filters would likely have prevented this particular attack on Target.
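The egress filter and the centralization point made above (only one sanctioned MFT gateway may talk FTP to the outside world) can be expressed as a small policy check. The following is an added example, not code from the original post or from File Transfer Consulting; the internal address ranges, the gateway address 10.10.5.20, the hostnames and the firewall log format are all constructed for illustration. It evaluates each outbound connection against the policy and, run over a sample log, flags the connections an egress filter would have blocked, which is also what a detection rule would report if the filter itself were missing.

```python
"""Egress policy check for outbound FTP: only a central MFT gateway may open
outbound connections on the FTP control port; any other internal host that
does so is flagged.  Added example, not code from the original post; the
addresses, policy and log format below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed policy: the internal address space and the single host that is
# permitted to make outbound FTP connections (the centralized MFT gateway).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
MFT_GATEWAY = ipaddress.ip_address("10.10.5.20")  # hypothetical gateway
FTP_CONTROL_PORT = 21


@dataclass(frozen=True)
class Conn:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_line(line: str) -> Conn:
    """Parse one constructed firewall log line of the form
    '<timestamp> <proto> <src>:<sport> -> <dst>:<dport>'."""
    ts, proto, src, _arrow, dst = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Conn(ts, ipaddress.ip_address(src_ip),
                ipaddress.ip_address(dst_ip), int(dport), proto)


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def egress_decision(conn: Conn) -> str:
    """Return 'allow' or 'deny' under the egress policy: outbound FTP control
    connections are permitted only from the MFT gateway.  Internal-to-internal
    traffic and other outbound ports are outside this example and pass."""
    outbound = is_internal(conn.src) and not is_internal(conn.dst)
    if not outbound or conn.proto != "tcp" or conn.dport != FTP_CONTROL_PORT:
        return "allow"
    return "allow" if conn.src == MFT_GATEWAY else "deny"


def find_violations(lines: List[str]) -> List[Conn]:
    """Connections the egress filter would block; run over logs, this doubles
    as a detection rule for scattered or unauthorized outbound FTP."""
    return [c for c in (parse_line(ln) for ln in lines)
            if egress_decision(c) == "deny"]


# Constructed sample log: one sanctioned transfer, two unsanctioned ones,
# one HTTPS connection and one internal transfer to a file share.
SAMPLE_LOG = [
    "2013-12-02T03:14:07Z tcp 10.10.5.20:51234 -> 203.0.113.10:21",    # gateway, allowed
    "2013-12-02T03:15:11Z tcp 10.20.30.40:49152 -> 198.51.100.7:21",   # server, denied
    "2013-12-02T03:15:12Z tcp 10.20.30.40:49153 -> 198.51.100.7:443",  # not FTP, passes
    "2013-12-02T03:16:00Z tcp 10.20.30.40:49154 -> 10.20.30.99:21",    # internal, passes
    "2013-12-02T03:17:45Z tcp 192.168.7.8:50000 -> 198.51.100.7:21",   # workstation, denied
]

if __name__ == "__main__":
    for c in find_violations(SAMPLE_LOG):
        print(f"{c.ts} DENY outbound FTP from {c.src} to {c.dst}")
```

The point of the allow-list is that it is short: once transfers are centralized on the gateway, every other source address making an outbound FTP control connection is a policy violation by definition, which is far easier to enforce at the firewall and to alert on than trying to judge individual transfers.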
How Can File Transfer Consulting Help?
File Transfer Consulting can help your organization prepare for and implement a complete managed file transfer solution because we do more than set up the technology and run. Instead, we help you take a strategic view of your MFT operations, from design (network, services, cloud resources), through implementation and on to procedure and training.
Our holistic approach also makes us the capability leader in environments with complex needs, such as consolidation, automation or products from multiple vendors, and our low-overhead consulting model allows us to achieve reliable results at affordable prices. Contact us today!