StealthWatch & Point-of-Sale (POS) Malware
Posted 19-Oct-2014, category: Documents
Transcript of StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale Malware
Tom Cross Director of Security Research [email protected] (770) 225-6557
“The growing popularity of this type of malware, the accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially-motivated cyber crime attractive to a wide range of actors. We believe POS malware crime will continue to grow over the near term despite law enforcement and security firms’ actions to mitigate it.” - FBI
Thinking about the attacker’s Kill Chain
• What steps did these attackers go through as they compromised the network and stole information?
(Kill chain diagram: Recon, Exploitation, Initial Infection, Internal Pivot, Data Preparation & Exfiltration, Command and Control)
What avenues have attackers used to exploit retail environments?
• Insecure WiFi
  – Albert Gonzalez cracked WEP-encrypted WiFi to get into retail networks
  – Many retailers provide customer WiFi
• SQL Injection
  – Albert Gonzalez launched SQL Injection attacks against websites
  – Databases are where the data is
  – A database server driving a website can be a lily pad used to hop behind the firewall
• Malicious Insider
  – Malware can be walked into a retail establishment via USB key
• Compromised Insider
  – HVAC vendor was reportedly compromised to gain access to the retail network
Basic Corporate Network Diagram
© 2013 Lancope, Inc. All rights reserved.
(Diagram: Web Server, Database Server)
Speculation about vulnerabilities: (I am skeptical about the veracity of these.)
• Domain account with a weak password created by BMC Software Automation Suite
  – BMC issued a statement denying that this was true
• Compromise of point-of-sale software distribution system
• Compromise of application whitelisting management software
• Worm-like propagation
Moving the data out:
(Diagram: three POS Terminals, a Staging Server, a Compromised Third-Party Server and an Exfiltration Server; the transfer is labelled FTP)
Retailers face unique IT security challenges:
• Highly distributed network environment
  – Very expensive to deploy security solutions at each POP
• Point of sale terminals may be difficult to segment
  – PCI-DSS does not require segmentation
  – Lack of segmentation capability in POP infrastructure
  – Need to interconnect with SIEM, inventory management, NTP
• Points of presence may not have full time IT staff
  – Increased possibility of misconfiguration
• Point of sale terminals may be difficult to patch
  – Windows XP anyone?
• Compliance focused approach to security
  – PCI-DSS is important, but it isn’t everything
StealthWatch can help meet these challenges:
• Economical visibility from the infrastructure itself.
  – No need for a truck roll to deploy appliances at each POP.
• Network relationship monitoring that can provide virtual segmentation in environments where physical segmentation is difficult to achieve or unreliable.
  – Segmentation can be monitored from the comfort of the head office.
• Anomaly detection that can identify attacks that other security solutions miss.
  – StealthWatch is designed to automatically identify suspicious movement of data within networks.
• A historical perspective that can help investigate incidents.
  – Incidents can take months to identify; when they happen it’s important to be able to go back and investigate the attack.
Retail Network Diagram
(Diagram: USA HQ, New York Branch, Atlanta Branch, London Branch, POS Terminals)
Your Infrastructure Provides the Source...
…for Total Visibility from Edge to Access.
(Diagram: sites Internet, Atlanta, San Jose, New York; zones Datacenter, WAN, DMZ, Access; devices ASR-1000, Cat6k, UCS with Nexus 1000v, ASA, 3925 ISR, 3560-X, 3850 Stack(s), Cat4k, each exporting NetFlow)
Transactional Audits of ALL activities
Actually see what’s happening inside each POP:
(Diagram: Secure Zone)
Flow Statistical Analysis
Automated Data Loss Detection
Suspect Data Hoarding
Unusually large amount of data inbound from other hosts
Target Data Hoarding
Unusually large amount of data outbound from a host to multiple hosts
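As an added illustration (not the deck's code and not StealthWatch's algorithm), the following Python flags the two hoarding patterns above over constructed NetFlow-style summaries: a host that is compared against its own baseline day, with the ratio, peer-count thresholds, addresses and flow tuples all being assumptions.

```python
from collections import defaultdict

# Constructed flow summaries (src_ip, dst_ip, bytes); the addresses are placeholders.
BASELINE_FLOWS = [                      # an ordinary day
    ("10.1.1.11", "10.1.1.5", 20_000),   # each POS terminal sends a small batch
    ("10.1.1.12", "10.1.1.5", 22_000),   #   to the branch staging host 10.1.1.5
    ("10.1.1.13", "10.1.1.5", 18_000),
    ("10.1.1.5", "10.0.0.10", 60_000),   # staging host forwards to HQ
]
TODAY_FLOWS = [                         # the day under review
    ("10.1.1.11", "10.1.1.5", 900_000),  # terminals now push far more to staging
    ("10.1.1.12", "10.1.1.5", 850_000),
    ("10.1.1.13", "10.1.1.5", 910_000),
    ("10.1.1.5", "10.0.0.10", 60_000),
    ("10.1.1.20", "10.1.1.11", 400_000), # a host with no baseline fans data out
    ("10.1.1.20", "10.1.1.12", 400_000), #   to every terminal
    ("10.1.1.20", "10.1.1.13", 400_000),
]

def host_totals(flows):
    """Per host: bytes and distinct peers, split by direction."""
    stats = defaultdict(lambda: {"in": 0, "out": 0, "in_peers": set(), "out_peers": set()})
    for src, dst, nbytes in flows:
        stats[dst]["in"] += nbytes
        stats[dst]["in_peers"].add(src)
        stats[src]["out"] += nbytes
        stats[src]["out_peers"].add(dst)
    return stats

def hoarding_alarms(baseline, today, ratio=5.0, min_peers=3):
    """Suspect Data Hoarding: inbound bytes from >= min_peers hosts exceed ratio x baseline.
    Target Data Hoarding: outbound bytes to >= min_peers hosts exceed ratio x baseline.
    A host with no baseline in a direction is compared against zero, so multi-peer
    traffic from a newly active host is flagged rather than silently accepted."""
    base, cur, alarms = host_totals(baseline), host_totals(today), []
    for host, s in cur.items():
        b = base.get(host) or {"in": 0, "out": 0}   # .get() does not create a default entry
        if len(s["in_peers"]) >= min_peers and s["in"] > ratio * b["in"]:
            alarms.append(("Suspect Data Hoarding", host, s["in"], len(s["in_peers"])))
        if len(s["out_peers"]) >= min_peers and s["out"] > ratio * b["out"]:
            alarms.append(("Target Data Hoarding", host, s["out"], len(s["out_peers"])))
    return alarms

if __name__ == "__main__":
    for kind, host, nbytes, peers in hoarding_alarms(BASELINE_FLOWS, TODAY_FLOWS):
        print(f"{kind}: {host} moved {nbytes:,} bytes across {peers} peers")
```

A production baseline would be built from weeks of flows per host group rather than a single day, but the two checks are the same.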
Profile the relationships between host groups
(Diagram: Secure Zone)
Neiman Marcus Compromise Timeline
• Initial Compromise: July 16th 2013
• Attack Completes: October 30th 2013
• Informed of Unauthorized Card Activity: Mid-December 2013
• Discovered Attack: January 1st 2014
Source: http://www.neimanmarcus.com/NM/Security-Info/cat49570732/c.cat?icid=topPromo_hmpg_ticker_SecurityInfo_0114
Hunting in the network audit trails
CrowdStrike identified three different IP addresses associated with BlackPOS: 199.188.204.182, 50.87.167.144 and 63.111.113.99
Cisco Identity Services Engine (ISE)
• Cisco ISE is a context aware, policy based 802.1x authentication solution
• Detect
  – Device type, operating system and patch level
  – Time and location from which the user is attempting to gain access
User Reports
User Name   MAC Address                                        Device Type
Bob.Smith   8c:77:12:a5:64:05 (Samsung Electronics Co.,Ltd)   Android
John.Doe    10:9a:dd:27:cb:70 (Apple Inc)                     Apple-iPhone
Thank You
Tom Cross, Director of Security Research, StealthWatch Labs
[email protected] (770) 225-6557
http://www.lancope.com
@Lancope (company) @netflowninjas (company blog)
https://www.facebook.com/Lancope
http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about
https://plus.google.com/u/0/103996520487697388791/posts
http://feeds.feedburner.com/NetflowNinjas