StealthWatch & Point-of-Sale (POS) Malware

Retailers are under cyber-attack at an alarming rate. Day after day, we hear of another major national retail chain experiencing a colossal data breach.
Learn key concepts and techniques that will help you rapidly enhance your current cyber security efforts.
• Get a complete view of what is currently happening in the retail industry
• Understand the concepts of NetFlow and how it can greatly enhance security efforts
• Learn how attacks are injected into the network from the POS system, and ways to detect and remediate these attacks
• Establish a means to recognize data exfiltration and learn techniques to prevent it

  1. StealthWatch & Point-of-Sale Malware. Tom Cross, Director of Security Research, (770) 225-6557
  3. “The growing popularity of this type of malware, the accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors. We believe POS malware crime will continue to grow over the near term despite law enforcement and security firms’ actions to mitigate it.” - FBI
  4. Thinking about the attacker’s Kill Chain: Recon → Exploitation → Initial Infection → Command and Control → Internal Pivot → Data Preparation & Exfiltration
     • What steps did these attackers go through as they compromised the network and stole information?
  5. What avenues have attackers used to exploit retail environments?
     • Insecure Wifi
       – Albert Gonzalez cracked WEP-encrypted wifi to get into retail networks
       – Many retailers provide customer wifi
     • SQL Injection
       – Albert Gonzalez launched SQL Injection attacks against websites
       – Databases are where the data is
       – A database server driving a website can be a lily pad used to hop behind the firewall
     • Malicious Insider
       – Malware can be walked into a retail establishment via USB key
     • Compromised Insider
       – HVAC vendor was reportedly compromised to gain access to retail network
  6. Basic Corporate Network Diagram (diagram labels: Web Server, Database Server). © 2013 Lancope, Inc. All rights reserved.
  7. Speculation about vulnerabilities: (I am skeptical about the veracity of these.)
     • Domain account with a weak password created by BMC Software Automation Suite
       – BMC issued a statement denying that this was true
     • Compromise of point-of-sale software distribution system
     • Compromise of application whitelisting management software
     • Worm-like propagation
  8. Moving the data out (diagram labels: POS Terminals, Staging Server, FTP, Compromised Third-Party Server, Exfiltration Server)
  9. Retailers face unique IT security challenges:
     • Highly distributed network environment
       – Very expensive to deploy security solutions at each POP
     • Point of sale terminals may be difficult to segment
       – PCI-DSS does not require segmentation
       – Lack of segmentation capability in POP infrastructure
       – Need to interconnect with SIEM, inventory management, NTP
     • Points of presence may not have full-time IT staff
       – Increased possibility of misconfiguration
     • Point of sale terminals may be difficult to patch
       – Windows XP anyone?
     • Compliance-focused approach to security
       – PCI-DSS is important, but it isn’t everything
  10. StealthWatch can help meet these challenges:
      • Economical visibility from the infrastructure itself.
        – No need for a truck roll to deploy appliances at each POP.
      • Network relationship monitoring that can provide virtual segmentation in environments where physical segmentation is difficult to achieve or unreliable.
        – Segmentation can be monitored from the comfort of the head office.
      • Anomaly detection that can identify attacks that other security solutions miss.
        – StealthWatch is designed to automatically identify suspicious movement of data within networks.
      • A historical perspective that can help investigate incidents.
        – Incidents can take months to identify; when they happen it’s important to be able to go back and investigate the attack.
  11. Retail Network Diagram (diagram labels: USA HQ, New York Branch, Atlanta Branch, London Branch, POS Terminals)
  12. Your Infrastructure Provides the Source... (diagram: NetFlow exported from 3560-X, 3925 ISR, ASR-1000, Cat6k, Cat4k, ASA, UCS with Nexus 1000v and 3850 Stack(s) across the Internet edge, WAN, Datacenter, DMZ and Access layers; sites: Atlanta, San Jose, New York)
  13. …for Total Visibility from Edge to Access. (diagram: devices 3560-X, ASR-1000, 3925 ISR, Cat6k, Cat4k, ASA, UCS with Nexus 1000v, 3850 Stack(s); zones: Internet, WAN, Datacenter, DMZ, Access; sites: Atlanta, San Jose, New York)
  14. Transactional Audits of ALL activities (figure slide)
  15. Actually see what’s happening inside each POP (figure slide; label: Secure Zone)
  16. Flow Statistical Analysis (figure slide)
  17. Automated Data Loss Detection (figure slide)
  18. Suspect Data Hoarding: unusually large amount of data inbound from other hosts
  19. Target Data Hoarding: unusually large amount of data outbound from a host to multiple hosts
  20. Profile the relationships between host groups (figure slide; label: Secure Zone)
  21. Neiman Marcus Compromise Timeline
      • Initial Compromise: July 16th 2013
      • Attack Completes: October 30th 2013
      • Informed of Unauthorized Card Activity: Mid-December 2013
      • Discovered Attack: January 1st 2014
      Source:
  22. Hunting in the network audit trails: CrowdStrike identified three different IP addresses associated with BlackPOS:
  23. Cisco Identity Services Engine (ISE)
      • Cisco ISE is a context-aware, policy-based 802.1X authentication solution
      • Detect
        – Device type, operating system and patch level
        – Time and location from which the user is attempting to gain access

      User Name   MAC Address                                        Device Type
      Bob.Smith   8c:77:12:a5:64:05 (Samsung Electronics Co.,Ltd)    Android
      John.Doe    10:9a:dd:27:cb:70 (Apple Inc)                      Apple-iPhone
  24. User Reports (figure slide)
  25. Thank You. Tom Cross, Director of Security Research, StealthWatch Labs. @Lancope (company), @netflowninjas (company blog)
  26. Thank You. Tom Cross, Director of Security Research, (770) 225-6557
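The data hoarding checks sketched on slides 18 and 19, combined with the staging-server-then-FTP chain drawn on slide 8, can be expressed as a small aggregation over NetFlow-style records. The block below is an added example written for this page, not Lancope or StealthWatch code; it assumes a constructed 10.0.0.0/8 corporate address space, one record per flow with only source, destination and byte count, and illustrative thresholds rather than a learned baseline.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple

INTERNAL = ip_network("10.0.0.0/8")  # assumed corporate address space (constructed)

class Flow(NamedTuple):
    src: str      # source IP address
    dst: str      # destination IP address
    nbytes: int   # bytes carried by the flow

def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL

def hoarding_alerts(flows, min_peers=3, min_bytes=5_000_000):
    """Return {host: [alerts]} from per-host byte totals and distinct-peer counts.
    suspect_data_hoarding: >= min_bytes inbound from >= min_peers hosts (slide 18)
    target_data_hoarding: >= min_bytes outbound to >= min_peers hosts (slide 19)
    staged_exfiltration: a suspect hoarder also sending >= min_bytes externally (slide 8)
    Thresholds are illustrative, not a tuned baseline."""
    inbound = defaultdict(lambda: [0, set()])   # host -> [bytes, sources]
    outbound = defaultdict(lambda: [0, set()])  # host -> [bytes, destinations]
    external_out = defaultdict(int)             # host -> bytes sent to external addresses
    for f in flows:
        if is_internal(f.dst):
            inbound[f.dst][0] += f.nbytes
            inbound[f.dst][1].add(f.src)
        if is_internal(f.src):
            outbound[f.src][0] += f.nbytes
            outbound[f.src][1].add(f.dst)
            if not is_internal(f.dst):
                external_out[f.src] += f.nbytes
    alerts = defaultdict(list)
    for host, (total, peers) in inbound.items():
        if total >= min_bytes and len(peers) >= min_peers:
            alerts[host].append("suspect_data_hoarding")
            if external_out[host] >= min_bytes:
                alerts[host].append("staged_exfiltration")
    for host, (total, peers) in outbound.items():
        if total >= min_bytes and len(peers) >= min_peers:
            alerts[host].append("target_data_hoarding")
    return {h: sorted(a) for h, a in alerts.items()}

# Constructed sample: five POS terminals push 2 MB each to one staging host, which then ships 9.5 MB to an external host (RFC 5737 address).
SAMPLE_FLOWS = (
    [Flow(f"10.20.1.{i}", "10.1.0.10", 2_000_000) for i in range(1, 6)]
    + [Flow(f"10.20.1.{i}", "10.1.0.30", 500) for i in range(1, 6)]        # normal, small gateway traffic
    + [Flow("10.1.0.20", f"10.30.0.{i}", 3_000_000) for i in range(1, 5)]  # one server fanning data out
    + [Flow("10.1.0.10", "203.0.113.7", 9_500_000)]                        # staging host -> external FTP step
)
```

On the sample, the staging host 10.1.0.10 is flagged for both suspect data hoarding and staged exfiltration, 10.1.0.20 for target data hoarding, and the payment-gateway traffic stays quiet.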