StealthWatch & Point-of-Sale (POS) Malware
Retailers are under cyber-attack at an alarming rate. Day after day, we hear of another major national retail chain experiencing a colossal data breach.
Learn key concepts and techniques that will help you rapidly enhance your current cyber security efforts.
• Get a complete view of what is currently happening in the retail industry
• Understand the concepts of NetFlow and how it can greatly enhance security efforts
• Learn how attacks are injected into the network from the POS system, and ways to detect and remediate these attacks
• Establish a means to recognize data exfiltration and learn techniques to prevent it

Presentation Transcript

  • StealthWatch & Point-of-Sale Malware. Tom Cross, Director of Security Research, tcross@lancope.com, (770) 225-6557
  • “The growing popularity of this type of malware, the accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors. We believe POS malware crime will continue to grow over the near term despite law enforcement and security firms’ actions to mitigate it.” – FBI
  • Thinking about the attacker’s Kill Chain: Recon → Exploitation → Initial Infection → Command and Control → Internal Pivot → Data Preparation & Exfiltration
    • What steps did these attackers go through as they compromised the network and stole information?
  • What avenues have attackers used to exploit retail environments?
    • Insecure Wifi
      – Albert Gonzalez cracked WEP-encrypted wifi to get into retail networks
      – Many retailers provide customer wifi
    • SQL Injection
      – Albert Gonzalez launched SQL Injection attacks against websites
      – Databases are where the data is
      – A database server driving a website can be a lily pad used to hop behind the firewall
    • Malicious Insider
      – Malware can be walked into a retail establishment via USB key
    • Compromised Insider
      – An HVAC vendor was reportedly compromised to gain access to a retail network
  • Basic Corporate Network Diagram (diagram labels: Web Server, Database Server)
  • Speculation about vulnerabilities (I am skeptical about the veracity of these):
    • Domain account with a weak password created by BMC Software Automation Suite
      – BMC issued a statement denying that this was true
    • Compromise of point-of-sale software distribution system
    • Compromise of application whitelisting management software
    • Worm-like propagation
  • Moving the data out (diagram labels: POS Terminals, Staging Server, FTP, Compromised Third-Party Server, Exfiltration Server)
  • Retailers face unique IT security challenges:
    • Highly distributed network environment
      – Very expensive to deploy security solutions at each POP
    • Point of sale terminals may be difficult to segment
      – PCI DSS does not require segmentation
      – Lack of segmentation capability in POP infrastructure
      – Need to interconnect with SIEM, inventory management, NTP
    • Points of presence may not have full-time IT staff
      – Increased possibility of misconfiguration
    • Point of sale terminals may be difficult to patch
      – Windows XP anyone?
    • Compliance-focused approach to security
      – PCI DSS is important, but it isn’t everything
  • StealthWatch can help meet these challenges:
    • Economical visibility from the infrastructure itself.
      – No need for a truck roll to deploy appliances at each POP.
    • Network relationship monitoring that can provide virtual segmentation in environments where physical segmentation is difficult to achieve or unreliable.
      – Segmentation can be monitored from the comfort of the head office.
    • Anomaly detection that can identify attacks that other security solutions miss.
      – StealthWatch is designed to automatically identify suspicious movement of data within networks.
    • A historical perspective that can help investigate incidents.
      – Incidents can take months to identify; when they happen, it’s important to be able to go back and investigate the attack.
  • Retail Network Diagram (diagram labels: USA HQ; New York Branch, Atlanta Branch and London Branch, each with POS Terminals)
  • Your Infrastructure Provides the Source... (diagram: NetFlow exported from the Internet edge, WAN, Datacenter, DMZ and Access layers; devices shown include 3560-X, 3925 ISR, ASR-1000, ASA, Cat4k, Cat6k, 3850 Stack(s) and UCS with Nexus 1000v)
  • …for Total Visibility from Edge to Access. (same diagram, sites Atlanta, San Jose and New York)
  • Transactional Audits of ALL activities (screenshot)
  • Actually see what’s happening inside each POP (screenshot: Secure Zone)
  • Flow Statistical Analysis (screenshot)
  • Automated Data Loss Detection (screenshot)
  • Suspect Data Hoarding: unusually large amount of data inbound from other hosts
  • Target Data Hoarding: unusually large amount of data outbound from a host to multiple hosts
  • Profile the relationships between host groups (screenshot: Secure Zone)
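The two hoarding alarms on the slides above (suspect hoarding: many hosts feeding one collector; target hoarding: one host pushing data to many) reduce to aggregating bytes and distinct peers per host over stored flow records. The following is an added illustration, not Lancope code; it runs over constructed NetFlow-style records with hypothetical addresses, and fixed thresholds stand in for the per-host baselines a real product learns.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record: source, destination, destination port, bytes."""
    src: str
    dst: str
    dst_port: int
    byte_count: int

# Constructed sample records for one retail site (all addresses hypothetical).
# 10.20.0.5 is a staging box collecting card dumps from four POS terminals;
# the other records are ordinary POS-to-payment-gateway and HQ update traffic.
SAMPLE_FLOWS = [
    Flow("10.20.1.11", "10.20.0.5", 445, 4_000_000),
    Flow("10.20.1.12", "10.20.0.5", 445, 3_500_000),
    Flow("10.20.1.13", "10.20.0.5", 445, 5_200_000),
    Flow("10.20.1.14", "10.20.0.5", 445, 2_900_000),
    Flow("10.20.1.11", "10.1.0.10", 443, 12_000),    # POS -> payment gateway
    Flow("10.20.1.12", "10.1.0.10", 443, 9_800),
    Flow("10.1.0.20", "10.20.1.11", 443, 300_000),   # HQ pushes a small update
    Flow("10.1.0.20", "10.20.1.12", 443, 300_000),
    Flow("10.1.0.20", "10.20.1.13", 443, 300_000),
]

def hoarding(flows, direction, min_bytes, min_peers):
    """Return {host: (total_bytes, distinct_peers)} for every host that moved at
    least min_bytes in the given direction with at least min_peers distinct peers.
    "inbound"  -> suspect data hoarding: many hosts feeding one collector
    "outbound" -> target data hoarding: one host pushing data to many hosts"""
    total, peers = defaultdict(int), defaultdict(set)
    for f in flows:
        host, peer = (f.dst, f.src) if direction == "inbound" else (f.src, f.dst)
        total[host] += f.byte_count
        peers[host].add(peer)
    return {h: (total[h], len(peers[h])) for h in total
            if total[h] >= min_bytes and len(peers[h]) >= min_peers}

def suspect_data_hoarding(flows, min_bytes=10_000_000, min_peers=3):
    return hoarding(flows, "inbound", min_bytes, min_peers)

def target_data_hoarding(flows, min_bytes=10_000_000, min_peers=3):
    return hoarding(flows, "outbound", min_bytes, min_peers)

if __name__ == "__main__":
    print("suspect:", suspect_data_hoarding(SAMPLE_FLOWS))
    print("target:", target_data_hoarding(SAMPLE_FLOWS))
```

With the default thresholds only the staging box is flagged; lowering the byte threshold also flags the HQ update server, which is why a per-host baseline or a whitelist of expected distributors is needed to keep the target-hoarding alarm useful.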
  • Neiman Marcus Compromise Timeline
    • Initial Compromise: July 16th 2013
    • Attack Completes: October 30th 2013
    • Informed of Unauthorized Card Activity: Mid-December 2013
    • Discovered Attack: January 1st 2014
    Source: http://www.neimanmarcus.com/NM/Security-Info/cat49570732/c.cat?icid=topPromo_hmpg_ticker_SecurityInfo_0114
  • Hunting in the network audit trails: CrowdStrike identified three different IP addresses associated with BlackPOS: 199.188.204.182, 50.87.167.144, 63.111.113.99
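Retrospective hunting in stored flow records, as the slide describes: given the three BlackPOS addresses above, find which internal hosts ever talked to them, when the contact started and stopped, and how much data went toward them. This is an added example, not Lancope code; the audit trail is constructed with hypothetical internal addresses.

```python
from datetime import datetime

# The three BlackPOS-associated addresses named on the slide above.
BLACKPOS_IOCS = {"199.188.204.182", "50.87.167.144", "63.111.113.99"}

# Constructed records standing in for months of stored NetFlow:
# (timestamp, source, destination, destination port, bytes). Internal
# addresses are hypothetical; ISO timestamps sort correctly as strings.
AUDIT_TRAIL = [
    ("2013-07-16T02:14:00", "10.20.1.11", "10.1.0.10", 443, 1_200),
    ("2013-07-18T03:02:00", "10.20.0.5", "199.188.204.182", 21, 2_400_000),
    ("2013-08-02T03:05:00", "10.20.0.5", "199.188.204.182", 21, 3_100_000),
    ("2013-09-11T01:47:00", "10.20.0.7", "63.111.113.99", 443, 820_000),
    ("2013-10-30T04:10:00", "10.20.0.5", "50.87.167.144", 21, 5_700_000),
    ("2013-11-01T09:00:00", "10.20.1.12", "10.1.0.10", 443, 900),
]

def hunt_iocs(records, iocs):
    """Return {ioc: {"hosts": [...], "first_seen", "last_seen", "bytes_to_ioc"}}
    for each indicator that appears as either endpoint of a stored flow."""
    hits = {}
    for ts, src, dst, _port, nbytes in records:
        if src in iocs:
            ioc, internal = src, dst
        elif dst in iocs:
            ioc, internal = dst, src
        else:
            continue
        e = hits.setdefault(ioc, {"hosts": set(), "first_seen": ts,
                                  "last_seen": ts, "bytes_to_ioc": 0})
        e["hosts"].add(internal)
        e["first_seen"] = min(e["first_seen"], ts)
        e["last_seen"] = max(e["last_seen"], ts)
        if dst == ioc:                     # bytes leaving toward the indicator
            e["bytes_to_ioc"] += nbytes
    for e in hits.values():
        e["hosts"] = sorted(e["hosts"])
    return hits

def dwell_days(hits):
    """Days between the earliest and latest contact with any matched indicator,
    i.e. how long the activity sat in the audit trail before anyone looked."""
    if not hits:
        return 0
    stamps = [datetime.fromisoformat(e[k]) for e in hits.values()
              for k in ("first_seen", "last_seen")]
    return (max(stamps) - min(stamps)).days

if __name__ == "__main__":
    found = hunt_iocs(AUDIT_TRAIL, BLACKPOS_IOCS)
    for ioc, e in sorted(found.items()):
        print(ioc, e)
    print("dwell days:", dwell_days(found))
```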
  • Cisco Identity Services Engine (ISE)
    • Cisco ISE is a context-aware, policy-based 802.1x authentication solution
    • Detect
      – Device type, operating system and patch level
      – Time and location from which the user is attempting to gain access
    • Example entries:
      User Name  | MAC Address                                          | Device Type
      Bob.Smith  | 8c:77:12:a5:64:05 (Samsung Electronics Co.,Ltd)     | Android
      John.Doe   | 10:9a:dd:27:cb:70 (Apple Inc)                        | Apple-iPhone
  • User Reports (screenshot)
  • Thank You. Tom Cross, Director of Security Research, StealthWatch Labs. http://www.lancope.com, @Lancope (company), @netflowninjas (company blog), https://www.facebook.com/Lancope, http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about, https://plus.google.com/u/0/103996520487697388791/posts, http://feeds.feedburner.com/NetflowNinjas. © 2013 Lancope, Inc. All rights reserved.
  • Thank You. Tom Cross, Director of Security Research, tcross@lancope.com, (770) 225-6557