Target puts a lot of trust in its cyberthreat intelligence, instituting processes throughout the organization to help it prioritize threats most likely to harm the retailer among a sea of malicious actors.
A pair of leaders on the company’s threat intelligence team explained how specialized systems bolster the company’s defenses during a presentation Tuesday at Mandiant’s mWISE Conference.
While threats and vulnerabilities swell — Target has more than 27,000 YARA rules to help it identify malware, for example — the most pressing and realistic threats get the greatest focus.
“We are not only striving to be intelligence driven, but striving to be intelligence driven in the right way,” said Derek Thomas, principal engineer on Target’s cyber threat intelligence team. “It’s not enough for us to focus on the bottom of the pyramid of pain. We also want to focus on the parts that matter, what we call behavioral indicators.”
These are four practices Target relies on to hit that objective.
Identify stakeholders and their unique needs
Identifying the appropriate stakeholders and their respective requirements is critical, said Matthew Brady, director of cyber threat intelligence at Target.
Target’s stakeholders across the cyber threat intelligence team include the red team, computer security incident response, enterprise incident management, insider threat protection, detection and visibility, and active vulnerability management.
To adequately defend Target, the company has to provide threat intelligence data and analysis to those teams in their preferred workflows.
The vulnerability management team is primarily interested in vulnerabilities that are being actively exploited because those details inform when patches for specific systems need to be expedited.
Incident responders want network or host-based indicators to hunt for activities and the detection and visibility team needs the behavioral intelligence that Target pulls in from Mandiant and other sources.
The onus falls on Target’s cyber threat intelligence team to identify each stakeholder’s proficiencies and deliver actionable data to each team accordingly, Brady said.
Map adversaries’ intents and capabilities
Target’s analysis model applies importance to threats and vulnerabilities based on their intents and capabilities.
“We want to focus first and foremost on what actors are most likely to target our industry, which is a U.S.-based retail company,” Brady said.
That analysis then extends to Target’s supply chain, a process that allows analysts to identify partners that might be actively targeted.
In addition to that constant threat landscape analysis, Target studies the capabilities of threat actors, including their ability to exploit zero days or their use of custom tooling.
Some adversaries are very high from an intents standpoint, but low in terms of capabilities, and vice versa, Brady said.
FIN7, a threat actor with high intent that actively targets the retail industry, gets careful consideration and study. “We want to know in real time what FIN7 is up to because they are a major player in targeting retailers,” Brady said.
As such, Target constantly looks at chatter on the dark web related to kits or tools FIN7 might be buying and new command and control servers that are spun up as part of the group’s infrastructure.
Don’t treat all threats equally
Target still allocates resources to maintain situational awareness of threat actors that don’t actively target the retail sector or its supply chain in the event those factors might change.
“There’s only so much time in a day for our analysts to be able to look at those threats,” Brady said.
Target’s threat heat map can be changed quickly when intelligence shows an adversary has shifted to target the retail industry, and the intent and capability assessments are reflected across Target’s entire intelligence ecosystem, Thomas said.
“We don’t treat all threats equally in terms of prioritizing them, but we do have the same framework in place to be able to gain the same level of visibility across the board for those threats.”
This allows analysts to see how the threat landscape evolves in a dynamic heat map, instead of relying on analysis that’s static and just a snapshot in time.
Share daily threat reports
Target shares daily threat reports across the organization and viewed by incident response teams, vendor security teams and technology leaders within the organization
Brady calls this a key differentiator. It places context around Target’s threat analysts’ assessments, including the relevance to the business and its supply chain partners, he said.
This analysis and behavioral intelligence gets passed to the cyber threat intelligence and detection teams in real time to reverse engineer payloads or determine if collection or detection signatures are in place to properly tag vulnerabilities of importance.
