Cracking Retail and Hospitality: Insider Tips for Endpoint Security

eBook

Source: stratxsolutions.com/products/cb/2016_cb_eb_cracking... (2016. 11. 11.)


Table of Contents

Introduction (p. 3)
Your Endpoints Are Vulnerable (p. 4)
How Vulnerable is Your Endpoint Software? (p. 5)
Social Engineering (p. 6)
The Cyber Kill Chain (p. 7)
Inside the Head of an Attacker (p. 9)
Insider Tips for Endpoint Security (p. 11)
The Endpoint in Focus (p. 14)
Stopping Attacks at Delivery (p. 16)
How Carbon Black Can Help (p. 17)
Summary (p. 18)


Introduction

Despite decades of attacks, retail and hospitality organizations continue to struggle with the fundamentals of endpoint security. IT organizations, large and small, continue to wrestle with basic endpoint challenges such as understanding what applications are running in their environment, who has administrative privileges, and what versions of software are installed on endpoints.

According to the 2015 Verizon Data Breach Investigations Report, retail and hospitality businesses continue to be highly targeted. This is not likely to change, as endpoints and servers have evolved from simple transaction processing into links to a customer's loyalty and behavioral history across all channels. As retailers race to deliver a more customized shopping experience, create multi-channel/omni-channel merchandising and supply networks, and drive efficient operations, the attack surface continues to expand at a rapid pace. Cyber criminals today are more sophisticated and are launching higher-profile, more coordinated attacks. The Internet of Things, cloud and mobility are introducing a new web of connected devices that require a change in threat focus from protecting only the network and perimeter to extending protection to endpoints and servers. In addition to traditional viruses and DDoS attacks, the industry is falling victim to advanced malware, advanced persistent threats (APT), zero-day and unknown attacks.

As the threat landscape has evolved, corporate servers and endpoints, and the employees operating them, have become the primary target of attack.

This eBook will outline the strategies and tactics cyber criminals use to attack corporate endpoints and servers and provide you with strategies and solutions your organization can use to arm your endpoints against these attacks.

"More than 70% of breaches in the retail sector hit point-of-sale machines." (Verizon 2015 Data Breach Investigations Report)


Your Endpoints Are Vulnerable

While the motivation behind individual attacks may vary, the objective is always the same: to steal your organization's most valuable data.

In the past, the impact of cybercrime was limited to an individual level with limited strategic scope or impact. However, with the rise of organized cybercrime and state-sponsored actors, attacks today have organizational, even national-security-level, impacts.

Since 2009, servers and end-user endpoints have risen to become the preferred point of entry for today's cyber criminals to gain a foothold in your corporate network. As a defender, it is useful to understand this, as it can shed light on gaps in your current security program and where you need to implement extra protection.

As the crown jewels of corporate data, servers have always been the number one asset cyber criminals want to breach. However, as organizations move to adopt cloud and other web-powered services, end-user devices are growing in favor: they can often serve as a backdoor into an organization's servers and are more likely to be operated by individuals susceptible to social engineering attacks.

Figure 1: Number of breaches by asset category (Server, User Devices, Person, Kiosk, Network), 2009 to 2013. Source: Verizon 2014 Data Breach Investigations Report.


How Vulnerable is Your Endpoint Software?

Cyber criminals often leverage vulnerabilities in software already running on a system to gain access and establish persistence on a machine.

Figure 2 lists the top 18 programs from Secunia's 2015 Vulnerability Review, Top 50 Software Portfolio. It shows the type of program (Microsoft or third-party), the 2014 market share, and the number of vulnerabilities affecting the software programs in 2013 and 2014.

For example, Adobe Reader, with an 85.6 percent market share, had:

• Five Secunia Advisories (an approximation of the number of security events in a given period)

• 43 in the Secunia Vulnerability Count (VULNS: the number of vulnerabilities covered by the Secunia Advisories).

We all remember Adobe's announcement in October 2013 that its systems had been compromised; eventually 38 million accounts were affected.

According to the same report, 1,348 vulnerabilities were discovered in 2014 in the 17 products from seven desktop vendors in the Top 50 portfolio, including the most used operating system, Microsoft Windows 7. This is a 42 percent increase over the five-year trend and an 11 percent increase from 2013 to 2014. In addition, the combined number of "Highly Critical" and "Extremely Critical" vulnerabilities in the Top 50 represents 74.6 percent of all vulnerabilities.

Figure 2: The Top Software Portfolio
Source: 2015 Secunia Vulnerability Review
(TYPE: MS = Microsoft program, TP = third-party program; SHARE = 2014 market share; ADVS = Secunia Advisories; VULNS = Secunia Vulnerability Count. The TYPE column was scrambled in extraction and is given here by vendor.)

RANK  TYPE  PRODUCT                               SHARE   ADVS  VULNS
   1  MS    Microsoft Windows Script Control      99.9%      0      0
   2  MS    Microsoft XML Core Services (MSXML)   99.9%      3      3
   3  MS    Microsoft .NET Framework              99.5%      5      8
   4  MS    Microsoft Windows Media Player        99.3%      0      0
   5  MS    Microsoft Internet Explorer           99.1%     13    289
   6  MS    Microsoft Visual C++ Redistributable  96.1%      0      0
   7  TP    Adobe Flash Player                    96.1%     20     99
   8  MS    Microsoft Silverlight                 85.6%      0      0
   9  TP    Adobe Reader                          85.3%      5     43
  10  MS    Microsoft Windows Defender            81.0%      1      1
  11  TP    Oracle Java JRE                       79.1%      4    119
  12  MS    Windows PowerShell                    76.1%      0      0
  13  MS    Windows DVD Maker                     75.5%      0      0
  14  MS    Microsoft Word                        75.1%      6     13
  15  MS    Microsoft Excel                       74.3%      1      2
  16  MS    Microsoft PowerPoint                  72.4%      0      0
  17  MS    Microsoft XPS Viewer                  69.8%      0      0
  18  TP    Google Chrome                         65.6%     23    504


Social Engineering

More often than not, cyber criminals target people rather than technology, because people are far easier to manipulate. Why break through a wall if you can convince someone to open the door?

Cyber criminals understand this, so they are increasingly using social engineering and phishing attacks to steal credentials and open a doorway into corporate networks. According to the Verizon Data Breach Investigations Report for 2015, credentials were the second most common type of record stolen by crimeware. Weak or stolen credentials are also the leading cause of point-of-sale compromises and account for over 50 percent of breaches involving web applications.

The reality in today's world is that cyber criminals have learned that the weakest link in the security chain is the end user, who is often naive about social engineering tactics. Whether the device is a mobile device or a traditional endpoint such as a workstation or laptop, cyber criminals are leveraging the end user as a primary vector to gain access, initially to a single system and ultimately to the larger corporate infrastructure.


The Cyber Kill Chain

When cyber criminals seek to infiltrate an organization, they follow a sophisticated, well-defined process that enables them to leverage their skills effectively, quickly identify their targeted assets, and avoid detection.

To help security practitioners better understand and defend against this process, Lockheed Martin researchers Eric Hutchins, Mike Cloppert, and Rohan Amin developed a model known as the Cyber Kill Chain. Widely recognized as a foundational model for information security, the Cyber Kill Chain is an invaluable tool for helping security professionals understand the process and techniques cyber criminals use to plan and conduct an attack.

While the specifics and flow will vary from one attack to the next, the Cyber Kill Chain provides a model for understanding the techniques cyber criminals will use to break into your environment.

Figure 4: The Cyber Kill Chain [1]. Phases, in order: Reconnaissance, Weaponization, Delivery, Exploitation, C&C (command and control), Exfiltration.

[1] http://digital-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain

Phases of the Cyber Kill Chain

Reconnaissance

Smart military planners never act without knowledge of the enemy's defenses and tactics. This is just as true in the domain of cyber warfare, as cyber criminals today spend extensive resources to understand the tactics and environment of their targets.

The first step of reconnaissance is to identify appropriate targets that, if compromised, would meet the attacker's objectives. For example, an attacker seeking to infiltrate a retailer's POS system could do basic research to learn how the retailer interacts with its third-party vendors and suppliers, looking for points of entry into the retailer's systems.

After they've selected a target, cyber criminals then attempt to gather as much intelligence as possible to inform the next stages of their attack. This can include gleaning information from public websites, social networking, media reports, and other sources. The attackers seek to learn as much as possible about their target before launching any form of attack.

Weaponization

After attackers have identified and researched an appropriate target, they develop a weapon custom-tailored to that target. They analyze the information systems used by the target and select an exploit that affects an operating system or application known to be used by the intended victim. In the case of the Target breach, for example, the attackers sent an email containing malware to a third-party vendor; the malware installed on the vendor's machine included a password-stealing bot that captured the credentials to Target's online vendor portal.

Attackers are reluctant to use zero-day vulnerabilities against all but the most valuable targets. Each time they launch a zero-day exploit, they run the risk of the attack being detected and made known to the security community. After this occurs, the zero-day exploit loses its effectiveness as a weapon.


When an exploit is selected, it must be embedded in a delivery mechanism appropriate to the exploit and target. For example, the attacker may embed code exploiting a vulnerability in Adobe Reader in a PDF file, or code a Java exploit into a website that uses Java technology.

Delivery

After carefully selecting a target and weapon, a cyber criminal must then deliver the weapon to the intended target. Common delivery mechanisms include the following:

• Sending a carefully designed spear phishing message that tricks the target into clicking a link

• Placing an infected file on a USB drive and getting it into the target's hands as a gift or leave-behind

• Storing the infected file on a website known to be frequented by the target

• Sharing an infected file with the target through a cloud-based file sharing mechanism

• SQL injection attacks, where the attacker sends malformed data to databases and backend systems via websites and online forms to gain access or retrieve data

Unlike the phishing messages some attackers send to large numbers of individuals in the hope of finding a couple of unwitting victims, the spear phishing messages used by advanced threats are carefully designed to look like legitimate email sent directly to the intended victim. They make use of information the attacker gathered during the reconnaissance phase to increase the likelihood that the target will act on the message.

Exploitation

After malware is delivered to a target system, the malware engages the selected exploit mechanism to gain control of the system. The exploit gives the weapon the ability to run code on the target, initially with the privileges of the user who opened the lure; where that user is already a local administrator (still common on retail endpoints) or a privilege escalation follows, the weapon can manipulate the system with administrative privileges. That level of access enables it to configure system settings, install additional malware, and perform other actions normally limited to system administrators.

Command and Control

After a system is compromised, cyber criminals typically attempt to establish outbound connections to command-and-control servers. These command links provide attackers with a way to communicate with the software on their victim systems without establishing a direct inbound connection.

The connections made to command-and-control servers often use standard HTTPS connections to emulate normal web browsing activity. Because the connections are encrypted, their content is indistinguishable from any other HTTPS connection; what gives them away is their destination, which isn't a normal website, and their timing, since an implant polls its server on a schedule rather than browsing. This approach allows cyber criminals to limit the likelihood of detection by intrusion detection systems monitoring traffic on the victim organization's network.

In addition to bypassing intrusion detection systems, the command-and-control connection is also designed to evade firewall controls on the victim network. While most network firewalls are set to block unsolicited inbound connections from the Internet, they often allow unrestricted or minimally restricted access to Internet sites when a system on the internal network initiates the connection. The attacker may then use this command-and-control connection to deliver instructions to the compromised system.

Exfiltration

The ultimate goal of the attack, exfiltration, is the theft and removal of corporate or consumer data from your network. Having established persistence, the cyber criminal can and will remain inside your corporate network for weeks, months, or years at a time to slowly exfiltrate organizational data. According to a 2015 Ponemon report on advanced threats in retail companies, it takes 197 days on average to detect a threat in the retail industry.


Inside the Head of an Attacker

To help you understand how each of these phases is executed, we will describe a fictional attack so you can see the Cyber Kill Chain in action.

Step 1 — Reconnaissance

Joe is a hacker looking to infiltrate Retailer X. He uses Google to identify how the retailer interacts with vendors and suppliers. He starts stalking employees of those vendors on LinkedIn, Twitter, Facebook, and their blogs. He sees that several employees announce on Foursquare when they go to the Starbucks next to their company headquarters for lunch. Joe goes to this Starbucks and watches the employees work on their laptops. He starts to sniff traffic on the open Wi-Fi using tools like Firesheep and sees some of the basic information they are sending across the untrusted network.

Soon, Joe is grabbing data off the open network. He now has a few email addresses and knows what websites the employees are visiting, including retailandhospitality.com. With more reconnaissance on LinkedIn, Google Groups and Facebook, and by mapping the results in Maltego, Joe knows who knows whom and begins to build a picture of how these employees operate and what goes on in their lives.

Joe then calls the organization's help desk and gets information about the standard builds on the company's endpoints. He goes to online support forums to see if any of these employees have ever posted anything.

Step 2 — Weaponization and Delivery

Once Joe has enough information, he is ready to take the next step: a spear-phishing attack. This takes the form of a personalized email from employee #1 (one of the employees he tracked online at Starbucks) to employee #2 (Joe obtained this email address during reconnaissance). The email is very personal and very casual. It says, "Hey, here is a Retail and Hospitality catalog that I found and it happens to have a discount code in it."

Using social media, industry events, and information on the company website, Joe works hard to embellish the "lure" in this spear-phishing tactic to build a message that appears familiar and relevant to his target. In some extremely sophisticated attacks, Joe may even attend corporate or industry events in which his target participates.

Illustration callouts: Captured: Email address ([email protected]), Friend's email ([email protected]), Interests (www.techstuff.com). Sender address: spoofed, of course. Recipient: most certainly clicking here.


With a tailored subject line and message, the "lure" will contain a malformed document or spreadsheet, or it will prompt the recipient to visit a dummy website or run a program.

If employee #2 does not take the initial lure, Joe will keep trying at different times with tweaked subject lines, messages and payload vehicles.

Step 3 — Exploitation

When employee #2 clicks the link in the spear phishing email, the attachment is not an ordinary PDF but a malicious PDF with embedded code that silently drops an unknown malicious payload onto employee #2's machine. Opening this PDF kicks off a chain reaction that gives Joe a foothold in the corporate environment and achieves his necessary first step, persistence. This chain reaction can include dropping additional payloads, automated lateral movement to other machines on the network, and ultimately an attempt to connect out of the network, on a different communication channel, to Joe to kick off Step 4, command and control.

Step 4 — Command and Control

Having infected employee #2's machine and successfully established both persistence on the system and outbound connectivity, Joe is able to step into the driver's seat. With outbound connectivity and remote control over employee #2's system, Joe can now initiate a plethora of malicious activities to advance his goals.

He could begin recording employee #2's activity and conversations by copying emails and keystrokes, or even accessing the computer's camera and microphone. He could attempt to move laterally and establish additional infections on corporate servers or on another high-value user's machine, such as an executive's, to gain access to login credentials or files of particular interest or value.

Step 5 — Exfiltration

Once Joe has located the targeted data, he will begin using his C&C connections to exfiltrate it. This could be done in a single push, but is more commonly done over a period of weeks or months to avoid detection.

Having established persistence within the network, Joe will often bounce between Step 4 and Step 5 as new information of value is discovered or new infections are made. The key point to understand is that the advancement of an attack to Step 5, the exfiltration of data, does not constitute the end of the attack. In fact, it can often be just the beginning, as attackers continue to leverage their foothold to steal new information or compromise additional systems, both inside and outside your organization.


Insider Tips for Endpoint Security

In order to detect and stop cyber-attacks, you must have "empathy" with the cyber criminal, get into the head of the attacker, and figure out how he or she thinks. As in a combat situation, it is useful to think like your adversary and have a model, such as the Cyber Kill Chain, to align your defense with the realities of the war you are fighting.

Bear in mind that you have the home field advantage and can acquire various tools to detect and deny attacks by disrupting or degrading the attack and deceiving the cyber criminal. Your objective is to respond to attacks by actively engaging with the cyber criminal. In this way, you can reduce the time it takes to detect and respond to an attack from days or weeks to seconds.

The Reconnaissance Phase

The reconnaissance phase is an important part of this model for the cybercriminal, but unfortunately you, as the victim, do not have a view into it. If a cybercriminal is using Shodan, Google, or sites like LinkedIn to get information about you, you do not necessarily know it. However, you can use one little trick to get a clue that somebody is doing reconnaissance on you.

For example, Frank, a security professional, knows that cybercriminals search technical forums looking for instances where administrators are careless when asking questions, perhaps posting sensitive data such as a router configuration. Frank put together a fake configuration for a Cisco router. It contained an access password and an IP address, and he posted it within a question on one of the forums. The fake router config actually pointed to a honeypot that Frank's team created. When someone came into the honeypot, logging in with the user name and password included in the fake router config, it signaled Frank that someone was actively performing reconnaissance on the company's network.

There are opportunities to detect this kind of behavior if you execute security strategies like this. In addition, you can set up tar pits and make sure that you are alerted when people do Google-style reconnaissance on you.
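The alerting side of Frank's trick, as an added example that is not from the eBook: each planted credential pair is recorded together with the place it was leaked, and the honeypot's login attempts are matched against that registry, so a hit reports not only the attacker's source address but which leak channel they are mining. The usernames, passwords, log format and paths are all constructed for the example; nothing here is a real account or a real product's log.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Honeytoken:
    username: str
    password: str
    planted_in: str  # where the bait was posted; identifies the leak channel


# Constructed bait. Each username is unique to one posting so a hit tells you
# which channel the attacker is mining; none of these is a real account.
HONEYTOKENS = [
    Honeytoken("netadmin", "C1sco!Edge2016", "forum post: router config question"),
    Honeytoken("svc_backup", "Wint3r-Backup", "paste site: fake backup script"),
]

# Constructed honeypot auth log (assumed format), one login attempt per line.
HONEYPOT_LOG = """\
2016-11-11T02:14:09 sshd login-attempt src=198.51.100.77 user=root pass=toor
2016-11-11T02:14:31 sshd login-attempt src=198.51.100.77 user=netadmin pass=C1sco!Edge2016
2016-11-11T02:15:02 sshd login-attempt src=198.51.100.77 user=admin pass=admin
2016-11-11T03:40:55 sshd login-attempt src=203.0.113.5 user=svc_backup pass=Wint3r-Backup
2016-11-11T03:41:20 sshd login-attempt src=203.0.113.5 user=netadmin pass=cisco123
"""

_LINE = re.compile(
    r"^(?P<ts>\S+) \S+ login-attempt src=(?P<src>\S+) user=(?P<user>\S+) pass=(?P<pw>.*)$"
)


def match_honeytokens(log_text: str, tokens=HONEYTOKENS) -> list:
    """Return one alert per login attempt that used a planted username.

    The username alone is enough to alert: it exists nowhere except in the bait.
    Whether the password also matched tells you the attacker read the whole
    config rather than just scraping names.
    """
    by_user = {t.username: t for t in tokens}
    alerts = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        token = by_user.get(m["user"])
        if token is None:
            continue  # ordinary brute-force noise (root/admin), not our bait
        alerts.append({
            "time": m["ts"],
            "source_ip": m["src"],
            "username": token.username,
            "password_matched": m["pw"] == token.password,
            "leak_channel": token.planted_in,
        })
    return alerts


if __name__ == "__main__":
    for alert in match_honeytokens(HONEYPOT_LOG):
        print(alert)
```

Two operational points: the bait must never be a credential that is valid anywhere real, and each posting should get its own unique pair, otherwise a hit cannot be traced to a channel. Brute-force attempts against generic names such as root or admin are deliberately ignored; they are background noise on any Internet-facing honeypot, not evidence of targeted reconnaissance.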

The Weaponization Phase

Obviously, as an intended victim, you do not have any direct visibility into this phase. However, it is important that you understand what is happening, as it can provide intelligence you can use to prevent future attacks.

Even the most sophisticated cybercriminals have a tendency to reuse certain toolkits and techniques. If you understand these, you can leverage that intelligence to detect an attack at the next phase, delivery.

Insider Tip: Leverage intelligence sharing communities, such as ISACs, to stay up to date on the latest cyber war weapons.

Reconnaissance phase
  Adversary Activity                         Potential Intelligence for Defender
  Research                                   IP Addresses
  Identification and Selection of Targets    Identifying Agent Strings or Referrals
  Website Crawling, Googling, etc.           Unique Browser/Crawler Behavior
                                             Areas of Focus

Weaponization phase
  Adversary Activity                         Potential Intelligence for Defender
  Creating a Deliverable Payload             Trojan Toolkits
  Scripting Actions                          Obfuscation Techniques
  Crafting Phish Bait
  Setting Up a Waterhole


The Delivery Phase

The delivery phase is the first point at which an attack comes into your realm of control. This is where a spear phishing email is delivered or someone receives a link over Twitter, instant messaging, or Skype. Delivery can also be multi-staged, for example a waterhole attack, or a conversation lure in which the cybercriminal poses as someone the victim knows and asks a question to entice several emails back and forth before eventually sending an email with a link or attachment, the attack payload. It is important that you are aware of these kinds of social engineering tactics.
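Delivery is the first phase where the payload itself is in your hands, and the "Payload Characteristics" intelligence the tables below list can be extracted before anyone opens it. The following is an added example, not the eBook's or any product's code: a static triage of a PDF attachment like the one in the fictional attack above. It looks for the PDF name objects that carry auto-executing or dropped content (/OpenAction, /AA, /JavaScript, /JS, /Launch, /EmbeddedFile, /RichMedia), undoing the #xx name escaping that lures use to hide them. The weights, thresholds and the two sample PDFs are constructed assumptions.

```python
import re

# Names that carry auto-executing or dropped content, with assumed weights.
SUSPICIOUS_NAMES = {
    "/OpenAction": 2,     # action run when the document opens
    "/AA": 2,             # additional (event-triggered) actions
    "/JavaScript": 3,     # JavaScript action dictionary
    "/JS": 3,             # the script body itself
    "/Launch": 4,         # run an external program
    "/EmbeddedFile": 2,   # a file carried inside the PDF (a dropped payload)
    "/RichMedia": 1,      # Flash or other media content
}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated /J#61vaScript reads as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Return the suspicious names found, a score and a verdict for one attachment."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "hits": {}, "score": 0, "verdict": "not-a-pdf"}
    text = normalise_names(data)
    hits = {}
    for name in SUSPICIOUS_NAMES:
        # Require a delimiter after the name so /JS does not match /JSx and
        # /EmbeddedFile does not match the /EmbeddedFiles name-tree key.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        count = len(re.findall(pattern, text))
        if count:
            hits[name] = count
    score = sum(SUSPICIOUS_NAMES[n] * c for n, c in hits.items())
    script = "/JavaScript" in hits or "/JS" in hits
    if "/Launch" in hits or ("/OpenAction" in hits and script):
        verdict = "block"      # runs something as soon as the file is opened
    elif score:
        verdict = "review"     # suspicious features, send to a sandbox/analyst
    else:
        verdict = "allow"
    return {"is_pdf": True, "hits": hits, "score": score, "verdict": verdict}


# Constructed samples (not real malware): a plain one-page PDF and a lure that
# auto-runs an obfuscated JavaScript action when opened.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

LURE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.launchURL("http://catalog.example/discount", true)) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("lure", LURE_PDF)):
        print(label, triage_pdf(sample))
```

This is a first-pass filter, not a parser: objects inside compressed object streams are invisible to a byte scan, so a "review" or "allow" verdict should still be followed by detonation in a sandbox for attachments from outside the organization. Its value is speed and the fact that a document that runs a script or launches a program on open has no business in a catalog attachment, whatever the sandbox later says.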

The Exploitation Phase

Many times, traditional endpoint defenses are incapable of preventing exploitation by advanced attacks. However, there are actions your organization can take to reduce its attack surface, such as rapidly installing updates and patches and deploying application control solutions that only allow trusted software to execute. Regardless of your current capabilities, you can get a decent amount of intelligence from this phase. If you have real-time visibility into your endpoints, you will know what vulnerabilities and exploit techniques the cyber criminal used. You can also identify techniques or specific malware signatures that the cyber criminal may reuse on other devices inside your organization.

The exploitation phase is where endpoint security comes into play, because it involves dropping files, making a registry change, stealing a cookie, or any other activity that establishes a persistence mechanism or a potential means of access to your system.

If you can consistently stop a targeted attack at this phase, you reduce the risk of a data breach. Network defenses, such as sandboxes, can provide a first line of defense and can give the cyber criminal the impression that he achieved a successful installation, a good example of using deception to let him think he actually reached the C&C phase. Ultimately, though, you must secure the endpoint, as it is the primary target of the attack. In most cases, sandboxing will not stop an application from executing in your environment, but it can help you identify malicious activity faster. Ideally, your organization should deploy an endpoint solution that integrates with your network security defenses to coordinate the identification and blocking of malicious software.

Delivery phase
  Adversary Activity                              Potential Intelligence for Defender
  Transmission of Weapon to Target Environment    IP Addresses
  Sending an Attachment via Email                 Hostnames
  Sending a Link via Twitter, IM, Email           Email Senders
  Attacking a Webserver                           Identifying Browser Information
  Might be Multi-Stage                            Handles on Twitter, IM, etc.
                                                  Payload Characteristics
                                                  Filenames
                                                  Targeted Individuals
                                                  ... and more

Exploitation phase
  Adversary Activity                              Potential Intelligence for Defender
  Weapon Will Exploit a Vulnerability or Flaw     Vulnerability Details
  Tricking a User                                 Exploit Techniques
  Installation of RAT or Backdoor                 Social Engineering Techniques
  Change to System Configuration                  Details of Malware
                                                  Changes to System Configuration


Command and Control Phase

This phase is your last chance to stop an attack before the cyber criminal takes remote control of the compromised system and begins removing data. Using available tools, you can detect when something beacons out and block it, or detect when something beacons out and quarantine the host. Either way, you break the kill chain. While IP blacklisting and IP anomaly detection systems can help, cyber criminals have developed increasingly sophisticated techniques to evade these traditional network alerting systems.
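The Command and Control section of the kill chain above notes that C&C traffic hides inside ordinary HTTPS; what it cannot hide is that an implant polls its server on a timer. The following is an added example, not from the eBook, of the beacon detection this phase calls for, run over egress records of the kind a proxy or firewall already produces. For each (source host, destination) pair it computes the gaps between consecutive connections and flags pairs whose gaps are too regular for a human (low coefficient of variation), then maps each hit to the two responses the text names, blocking the destination and quarantining the host. The log format, the POS host name, the addresses and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress records (assumed format): "timestamp source destination:port bytes".
# pos-07 polls 203.0.113.8 every five minutes with near-identical sizes,
# while its other traffic (a payment gateway) is irregular.
SAMPLE_LOG = """\
2016-11-11T09:00:00 pos-07 203.0.113.8:443 512
2016-11-11T09:00:02 pos-07 198.51.100.20:443 8130
2016-11-11T09:05:01 pos-07 203.0.113.8:443 520
2016-11-11T09:07:44 pos-07 198.51.100.20:443 9900
2016-11-11T09:10:00 pos-07 203.0.113.8:443 511
2016-11-11T09:15:02 pos-07 203.0.113.8:443 515
2016-11-11T09:19:10 pos-07 198.51.100.20:443 7350
2016-11-11T09:20:01 pos-07 203.0.113.8:443 518
2016-11-11T09:25:00 pos-07 203.0.113.8:443 514
2016-11-11T09:28:37 pos-07 198.51.100.20:443 12000
2016-11-11T09:44:05 pos-07 198.51.100.20:443 6400
"""


def parse_log(text):
    """Yield (timestamp, source, destination) from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(records, min_connections=5, max_cv=0.15):
    """Return {(src, dst): period_seconds} for pairs whose timing looks machine-driven.

    The coefficient of variation (stdev / mean) of the inter-arrival gaps is
    small when connections happen on a fixed schedule. Implants add jitter to
    defeat exactly this, so max_cv is a tuning knob and should be set from a
    baseline of the environment's own traffic, not copied from here.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to call the timing regular
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = round(avg)
    return beacons


def containment_actions(beacons):
    """Map each detected beacon to the two responses described in the text."""
    actions = []
    for src, dst in beacons:
        actions.append(("block-destination", dst))
        actions.append(("quarantine-host", src))
    return actions


if __name__ == "__main__":
    found = find_beacons(parse_log(SAMPLE_LOG))
    print(found)
    print(containment_actions(found))
```

On the sample the POS host's five-minute poll is reported with its period, while the gateway traffic, which has as many connections but irregular gaps, is not. Timing is one signal among several; in practice it is combined with destination reputation, certificate and SNI details, and the near-constant request sizes visible in the bytes column, so that a genuinely periodic business job (a software updater, a time sync) is not quarantined on timing alone.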

Exfiltration

This is the final phase of the Cyber Kill Chain. The cyber criminal now has a foothold on an endpoint or a server, owns that machine, and is exfiltrating data out of your organization. At this point you have been breached and the Cyber Kill Chain ends. The question you now ask yourself is not "Will there be damage?" but "How great will the damage be?"

From this point, the cybercriminal can go many different ways. For example, he might:

• Focus on privilege escalation and getting information off the machines he has compromised

• Start scanning or trying to enumerate the network from the inside

• Use this opportunity to study the network in order to launch a more complex attack

• Use credentials he has already stolen


Adversary Activity Potential Intelligence for Defender

Achieve Original Objectives Adversary’s Information Targets

Privilege Escalation Additional Tools Used

Internal Reconnaissance

Lateral Movement

Data Collection

Data Exfiltration


The Endpoint in Focus

There are several ways you can prevent exploitation. First, minimize your attack surface by keeping software up-to-date and implementing solutions that only allow trusted software to execute. In the past, when Microsoft released security updates and patches, most IT teams installed them on a handful of workstations or non-essential servers and waited for two weeks before installing the update across the entire fleet. Today, that is not the case. When security updates drop, you must get them in place within 24 hours for servers and 48 hours for desktops.

Today, Microsoft does extremely good regression testing and we do not see security updates that have a major operational impact. However, if you are six months behind in updates, that may not be the case - another reason why we recommend that you stay on top of updates and patches. It is worth investing time to achieve the level of operational excellence you need to get updates and patches installed quickly.

When Microsoft makes its Patch Tuesday announcements, always refer to their Exploitability Index. This helps you prioritize security bulletin deployment by providing information on the likelihood that a vulnerability addressed in a Microsoft security update will be exploited [2].

If you see something that is potentially exploitable, even if it has not been seen in the wild [3], you can assume it will be exploited quickly.

To prevent the installation of malware, there are several approaches that vendors incorporate into their security solutions:

• Signature-based Blacklisting

• Application Containers

• Trust-based Application Control

2 http://technet.microsoft.com/en-us/security/cc998259.aspx

3 http://searchsecurity.techtarget.com/definition/in-the-wild

Figure 5: Example of an Exploitability Assessment

Bulletin: MS14-xxx

Vulnerability Title: Use After Free Vulnerability

CVE ID: CVE-2014-XXXX

Exploitability Assessment for Latest Software Release: 2 - Exploitation Less Likely

Exploitability Assessment for Older Software Release: 1 - Exploitation More Likely

Denial of Service Exploitability Assessment: Temporary

Key Notes: (blank in the example)


Signature-based Blacklisting, or traditional anti-virus software, stops malware installation based on a default-allow approach. This means the software has a list of known bad conditions and, if an attack matches a bad condition, the anti-virus software will not allow it to run.

Today, the blacklist approach is rarely effective and only of real use against nuisance malware. Advanced cyber criminals will use various packing techniques to get past most antivirus software and go undetected. While there is no reason not to filter against known bad, you cannot count on it as your only approach, and it should be integrated with signature-less approaches to advanced threat prevention, such as application whitelisting.

Application Containers are an approach that has been gaining in popularity, and leading endpoint providers offer integrations to take advantage of network-based sandbox technologies. While containers can be useful, most of these solutions do not natively protect your organization's endpoints from advanced attacks. While a few select vendors have attempted to bring containers, or micro-virtualization, to the endpoint, these solutions are often Windows-only and even then protect only a select list of applications. With these limitations they cannot stop all zero-day attacks or attacks targeting vulnerabilities in unprotected applications.

Last but most importantly, there are trust-based approaches that stop the installation of malware based on a default-deny approach. For any application or condition to run, it has to be approved by name, by publisher, by reputation or via other mechanisms. Proven to be effective against advanced attacks, trust-based solutions are the best way to prevent, detect, and respond to advanced threats, malware, and zero-day attacks because they provide real-time visibility.
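The decision logic behind a default-deny control, with the low/medium/high enforcement levels this eBook describes later, looks roughly like the following. This is an added example and not Carbon Black's code; the trust sources, the reputation scale and the action names are assumptions.

```python
"""Default-deny application control decision with the three enforcement
levels the eBook lists (low, medium, high). Added example, not Carbon Black's
code; the trust sources, reputation scale and action names are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Policy:
    level: str = "high"                        # "low", "medium" or "high"
    banned_hashes: set = field(default_factory=set)
    approved_hashes: set = field(default_factory=set)  # approved by name/hash
    trusted_publishers: set = field(default_factory=set)
    min_reputation: int = 80                   # assumed 0..100 reputation scale
    audit: list = field(default_factory=list)  # every decision is recorded

@dataclass
class FileEvent:
    path: str
    sha256: str
    publisher: Optional[str]                   # signer, if the file is signed
    reputation: int                            # score from a threat-intel feed

def is_trusted(f: FileEvent, p: Policy) -> bool:
    """Trust may come by name (approved hash), by publisher or by reputation."""
    return (f.sha256 in p.approved_hashes
            or (f.publisher is not None and f.publisher in p.trusted_publishers)
            or f.reputation >= p.min_reputation)

def decide(f: FileEvent, p: Policy) -> str:
    """Action for an execution attempt. Banned always stops; anything untrusted
    is handled by the enforcement level, so the default for unknown code is
    deny (high), prompt (medium) or record-only visibility (low)."""
    if f.sha256 in p.banned_hashes:
        action = "block"
    elif is_trusted(f, p):
        action = "allow"
    else:
        action = {"low": "allow-and-record",
                  "medium": "prompt-user",
                  "high": "block-pending-it-approval"}[p.level]
    p.audit.append((f.path, f.sha256, action))   # real-time visibility
    return action
```

Note the precedence: a ban beats a trusted publisher, and a trusted publisher beats a low reputation score, while the audit list fills at every level, which is the visibility the paragraph above argues for.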

[Chart: "% AV Vendors Detecting" (0% to 100%) against "Days to Detection" (0 to 300); series: 1st Percentile - Least Detected Malware (Advanced Attacks).]

AV Can't Keep Up: The majority of antivirus vendors take more than 250 days to detect the kind of customized malware most likely used in advanced attacks.

[Chart: New Malware per year, 2006 through 2014; y-axis 0 to 140,000,000.]


Stopping Attacks at Delivery

A very effective technology to stop attacks at delivery is network detonation. Detonation software, such as FireEye or Palo Alto Networks WildFire, sees executable code coming over the network, determines whether it is malware (based on what it does versus matching against a signature), and if bad, detonates it. Network detonation software is incredibly useful and moderately effective at protecting activity for devices inside a corporate network. However, network detonation solutions will not protect a device when an employee is working offline - an increasingly common scenario with mobile employees. In addition, many solutions monitor the network passively and are not in line. In these instances, there can be a lag between execution and detonation. This lag can provide an opportunity for an attacker to deploy a secondary payload that can go undetected. To help address this issue, leading endpoint security solutions offer integrations with network detonation services to extend these capabilities beyond the network by sending files from off-network endpoints for analysis.

Even if an employee is working online, bad conditions do not always present initially on the network. If a file comes in over an encrypted tunnel, like SSL, and you do not have an SSL man-in-the-middle, you might not see it. If that file comes in some type of archive container, like a ZIP, RAR, or 7Z file for example, the network detonation software cannot examine that container and will let a bad condition get into the network. Lastly, a USB stick with a Trojan virus is also going to be first seen at the endpoint.

[Diagram: Carbon Black Security Platform overview. Labels: United Experts and Knowledge; United Systems; Open API, Automation, and Orchestration; Network Security, SIEM and Analytics, Threat Intelligence, Custom/Services; Cb Enterprise Protection, Cb Threat Intel, Cb Enterprise Response; 10,000 Practitioners, 70+ IR and MSSP Partners, 2000+ Customers; Policies & Rules, Patterns of Compromise, Connectors & Code; Multiple Prevention Strategies, Compliance and Reporting, Windows, Mac, Linux; System-of-Record Continuous Recording; IT and Security Ops Team, Reputation, Indicators, Classification, SOC IR & Threat Hunting Teams; Kill Chain Visualization, Attack Remediation, Root Cause Analysis.]


How Carbon Black Can Help

The Carbon Black Security Platform provides real-time visibility, detection, response, and proactive, customizable signature-less prevention against advanced persistent threats. At the heart of the Carbon Black Security Platform is a unique policy-driven approach to application control. It combines real-time visibility and a file discovery agent with IT-driven controls, aided by trust ratings from the Carbon Black Threat Intel solution, to help organizations simplify and automate the set-up and administration of a secure whitelisting platform. This results in a customizable application control solution that combines the highest level of advanced threat protection with minimal end-user impact and administrative overhead.

With Carbon Black Enterprise Protection, you get multiple levels of protection. Most application whitelisting solutions require organizations to adopt a "one size fits all" threat prevention strategy, leaving users frustrated and overwhelming security teams. With Cb Enterprise Protection, organizations can apply application whitelisting to certain systems while also choosing from a suite of additional prevention options to find the right balance between organizational culture and risk posture.

To learn more about the Carbon Black Security Platform, please visit https://www.carbonblack.com/solutions/endpoint-security/

Dial-up and dial-down your endpoint protection policies (fixed-function devices, servers, desktops, laptops):

• Visibility: collects data in a real-time catalog of what's on the endpoint

• Low Enforcement: stops banned files, tracking all activity

• Medium Enforcement: stops untrusted files and asks users for permission

• High Enforcement: stops untrusted files and only allows them to run after IT approval


1100 Winter Street Waltham, MA 02451 USA

P 617.393.7400 F 617.393.7499

www.carbonblack.com

About Carbon Black

Carbon Black leads a new era of endpoint security by enabling organizations to disrupt advanced attacks, deploy the best prevention strategies for their business, and leverage the expertise of 10,000 professionals to shift the balance of power back to security teams. Only Carbon Black continuously records and centrally retains all endpoint activity, making it easy to track an attacker's every action, instantly scope every incident, unravel entire attacks and determine root causes. Carbon Black also offers a range of prevention options so organizations can match their endpoint defense to their business needs. Carbon Black has been named #1 in endpoint protection, incident response, and market share. Forward-thinking companies choose Carbon Black to arm their endpoints, enabling security teams to: Disrupt. Defend. Unite.

2016 © Carbon Black is a registered trademark of Carbon Black. All other company or product names may be the trademarks of their respective owners. 20160228 MMC

Summary

Today, cyber criminals are more sophisticated, using complex attack strategies and social engineering tactics to get into corporate networks. The reality in today's world is that cyber criminals target your endpoints and end users to gain access to your company's most critical and valuable data. Many times, your employees are not diligent about data protection, are naïve about hacker strategies, or are too trusting in the Internet of Everything world. It is getting more difficult to keep up with cyber criminals' exploits, particularly in large distributed environments where you have thousands of global users.

To ensure the protection of your endpoints, your organization must execute several strategies:

• Incorporate the Cyber Kill Chain into your strategy. This model will help you identify and determine how far an attack has progressed and where / how the damage occurs.

• To take advantage of the information you can gather via the Cyber Kill Chain, acquire the tools you need to detect and deny attacks by disrupting or degrading the attack and deceiving and engaging with the cyber criminal. This can help reduce the time it takes to detect and respond to an attack from days or weeks to seconds.

• Be sure to quickly install updates and patches to reduce your attack surface.

• To prevent the installation of malware, install an application control solution that only allows trusted software to execute.

Today, there are three types of data protection software:

• Anti-virus software is a blacklisting approach that is rarely effective and only stops nuisance malware. Cyber criminals can use various packing techniques to get past most antivirus software and go undetected. While valuable at stopping nuisance malware, organizations should look to leverage antivirus solutions that are integrated with next-generation endpoint protection platforms.

• While application containers can be useful, most of these solutions cannot protect your organization's endpoints from zero-day attacks, attacks targeting unpatched vulnerabilities, non-Windows machines, or actors in lateral movement. Many also do not provide real-time visibility into endpoint activity.

• Trust-based approaches that stop the installation of malware based on a default-deny approach are the best way to prevent, detect, and respond to advanced threats, malware, and zero-day attacks because they provide real-time visibility.

• Some organizations cannot implement default-deny, especially in cases where IT doesn't have full control over the software on a given endpoint and must allow end users to install software on demand. In those cases, multistage detect-and-deny and detonate-and-deny are the best strategies to bridge this gap.

• Lastly, it is important that you integrate your entire security stack so that your network devices and endpoint security solutions pass information back and forth. Intelligence is useful but can have a short life. The sooner you know that a security breach has happened, the sooner you can stop it.