Diary of Forensic Investigator

Here is the Foregenix presentation delivered by Andrew Henwood at PCI London on the 25th January 2012.

Document Transcript

The diary of a forensic investigator: Secrets Revealed
Andrew Henwood

Dear Diary – who do ADCs (Account Data Compromises) affect?
•  Smallest merchant
•  Largest merchants with multitudes of sites
•  Issuers and Acquirers
IR Plan should be similar, irrespective of entity size!

ADC Trends & Targets
Cybercriminals are using:
•  Same old vulnerabilities (SQL, backdoor trojans, malware etc).
•  Increasingly sophisticated attack methods.
•  Targeted attacks.
•  More automated tools.
•  Quicker developing trends.
•  Repeat attacks to maximise harvest.
•  Increasingly powerful systems and techniques.
•  Decrease in time between compromise and fraud spend.

ADC Trends & Targets
…But the target remains the same: Cardholder Data.

Dear Diary – How are ADCs typically identified?
•  Cardholders report fraud on their card => their card is compromised
•  Issuers and/or Schemes trace back legitimate spend
•  If multiple compromises, this trace identifies Common Points of Purchase (CPP)

Compromise Timeline (diagram)

How not to respond

Compromise Penalties!

Compromise Penalties!

Type    | Initial PCIDSS Fine | Lack of removing SAD (90 days) | Monthly PCIDSS Violation (4 months) | Monthly PCIDSS Violation (5 months) | Monthly Violation (>=6 months)
L1      | 50,000 | 30,000 | 50,000 | 75,000 | 75,000
L2      | 25,000 | 15,000 | 25,000 | 50,000 | 50,000
L3&4    | 10,000 |  5,000 | 10,000 | 15,000 | 15,000
Members | 50,000 | 30,000 | 50,000 | 75,000 | 75,000
PSPs    | 25,000 | 15,000 | 50,000 | 30,000 | 30,000
Others  | 10,000 |  5,000 | 10,000 | 25,000 | 25,000

Card Scheme / Acquirer vs. Entity Priorities
In most cases, these priorities are NOT aligned!
•  Card Schemes & Acquirers
   –  Containment, Limit Exposure, Identify “At Risk” card data, Fines
•  Entities
   –  Containment, root cause identification, remediation, get on with business
For potentially compromised entities, ensure the PFI (PCI Forensic Investigator) selected / engaged has your priorities at heart

Facilitating a Forensic Investigation
1.  Invoke IR plan
2.  Engage a PFI (ASAP!)
3.  Document and collate all current and ongoing events, all people involved, and all discoveries into a timeline for evidentiary use
4.  Do not access or alter any aspect of the suspect system(s)
5.  If you suspect the attack is currently ongoing, remove the system connectivity to the network, i.e. pull the network cable / down the adapter. Do not power the system down!

Facilitating a Forensic Investigation
Re-emphasise: Do not access or alter any aspect of the suspect system(s) …or at least minimise access!

PCI Forensics vs. Traditional Forensics
1.  PCI Forensics does not equal traditional forensics
2.  Majority of attacks are coordinated, focused, highly sophisticated and custom to the environment
   –  Custom malware (targeted memory scraping)
   –  Payment application manipulation (source code modifications and manipulation of limits / controls)
   –  Custom rootkits and built-in defense mechanisms
   –  Hacker SDLC
   –  Anti-forensics

Real-World Forensic Statistics
Affected Industry (example)*

Category           | 7Safe (2011) | Trustwave (2011) | Verizon (2010)
Hospitality        | 10%          | 40%              | 5%
Financial Services | 6%           | 22%              | 7%
Retail             | 18%          | 25%              | 69%
Food and Beverage  | 57%          | ?                | ?
Government         | 6%           | 4%               | 2%
Education          | 1%           | ?                | ?
Other              | ?            | ?                | ?
* References to reports in conclusion of presentation

Statistics & Trends
Individual company statistics are “interesting” but impossible to correlate except broadly!

Statistics & Trends
•  Utilise public combined sources: www.datalossdb.org, http://www.privacyrights.org/ar/ChronDataBreaches.htm
•  Hospitality / Food & Beverage / Retail compromised the most
•  Majority of ADC are from external sources
•  Majority of breaches are focused and well organised criminal businesses
•  Majority of victims had evidence of the breach in their log files, thus should have been aware!
•  Majority of attacks were trivial
•  Only a fraction reported in CEMEA

GoldenDump.com (2011)

GoldenDump.com (2011): Incident Overview
•  Subject: Multi-national Issuer / Acquirer
•  Incident Date: 2010
•  Investigation Date: Late 2010
•  Initial Vulnerability: SQL Injection
•  Exploited Weaknesses:
   –  Poor network segregation
   –  Lack of log review
   –  Let down by security partners
•  Exposure:
   –  2.4 million PAN
   –  780,000 Track 2
   –  > 90,000 in cash

The Environment (2010)
[Diagram: backend online payment systems servers, internet banking servers, branch offices, application servers, and two sets of database servers (DEVDB, DB01–DB04, AS400).]

SO….. What went wrong? (Underlying Causes)
•  Phase 1: Initial Compromise – SQL Injection
   –  The site had been tested by multiple external parties and had “passed” three penetration tests (code had NOT changed since 2005!).
   –  Logs were collected (plenty of them – 4.5 billion events) but never reviewed.
   –  Network architecture was “temporary” but never resolved.
   –  Poor password policies.
•  Phase 2: Reconnaissance & Exploration
   –  Poor network architecture design decisions.
   –  Poor password policy.
   –  Lack of log review.
•  Phase 3: Account Data Extraction (PAN)
   –  Inappropriate data retention policies.
   –  Lack of awareness regarding Account Data storage (where is it?)
   –  Poor system management.
•  Phase 4: Account Data Extraction (Track 2)
   –  Inappropriate data retention policies (again).
   –  Poor network segmentation.
•  Phase 5: Internet Banking Manipulation
   –  Application made “blind” use of data within a database.
   –  Application unable to detect “tampering”.
   –  Failed transfers were not reviewed or followed up.

How could things have been done? (Means of Reducing Exposure)
•  Fundamentally – an awareness of Account Data
   –  Review & revise data retention policies.
   –  Know where the stuff is. (Get Rid)
•  Regular & thorough testing of external attack surfaces.
   –  Reputable companies (not always the big players).
   –  Speak with your peers (word of mouth is invaluable).
•  Log retention is great! Log review is better! Both are needed.
•  Review & revise network architecture designs.
•  Review & revise system build policies (including password policies).
None of this is new and should sound familiar.
[Slide stamp: PCI Prioritised Approach.....! Also supported by the VISA Technology Innovation Program!]
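The GoldenDump case above turned on logs that were collected (4.5 billion events) but never reviewed, with SQL injection as the initial vulnerability. As an added example that is not part of the presentation, the following review pass URL-decodes constructed web-server access log lines, scans them for common SQL-injection indicators and summarises hits per source; the log lines, paths and indicator patterns are all assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access log lines (not from the incident): three requests
# from one source carry classic SQL-injection patterns, the rest are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2010:10:01:02 +0000] "GET /account?id=1027 HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2010:10:01:07 +0000] "GET /account?id=1027%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812
10.0.0.9 - - [12/Mar/2010:10:01:11 +0000] "GET /account?id=1027%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 77004
10.0.0.5 - - [12/Mar/2010:10:02:30 +0000] "GET /login?user=bob HTTP/1.1" 200 301
10.0.0.9 - - [12/Mar/2010:10:03:45 +0000] "GET /account?id=1027;%20DROP%20TABLE%20audit HTTP/1.1" 500 120
"""

# Request line of a common/combined log format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Heuristics applied to the URL-decoded path; they are review aids, not a
# parser, so expect some false positives on real traffic and tune accordingly.
INDICATORS = {
    "tautology": re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d*", re.I),
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    "stacked_query": re.compile(r";\s*(drop|alter|insert|update|delete)\b", re.I),
    "comment_tail": re.compile(r"(--|#|/\*)\s*$"),
}

def classify_line(line):
    """Return (ip, decoded path, [indicator names]) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m.group("path"))  # payloads usually arrive URL-encoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return m.group("ip"), decoded, hits

def review_log(text):
    """Scan log text; return (flagged entries, suspicious-request count per source IP)."""
    flagged, per_ip = [], Counter()
    for line in text.splitlines():
        parsed = classify_line(line)
        if parsed and parsed[2]:
            flagged.append(parsed)
            per_ip[parsed[0]] += 1
    return flagged, per_ip

if __name__ == "__main__":
    entries, sources = review_log(SAMPLE_LOG)
    for ip, path, hits in entries:
        print(f"{ip}  {','.join(hits):<26} {path}")
    print("suspicious requests per source:", dict(sources))
```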

Means of Reducing Exposure (mapped to PCI Prioritised Approach milestones)
•  Fundamentally – an awareness of Account Data (Milestone #1)
   –  Review & revise data retention policies.
   –  Know where the stuff is. (Get Rid)
•  Regular & thorough testing of external attack surfaces. (Milestone #2 / #6)
   –  Reputable companies (not always the big players).
   –  Speak with your peers (word of mouth is invaluable).
•  Log retention is great! Log review is better! Both are needed. (Milestone #4 / #6)
•  Review & revise network architecture designs. (Milestone #1 / #2)
•  Review & revise system build policies (including password policies). (Milestone #2 / #3 / #4)

Summary
•  Identify, remove / protect your sensitive data
•  Segment / scope the network
•  Regularly: Test & Review
•  Maintain full logs, but pointless if no review
•  Define, build and test an incident response plan
•  Build a partnership with a security business to independently review

Stay Safe & Risk Aware
www.foregenix.com