Improve your AIX Security by learning from the analysis of this breach
Stephen Dominguez, WW AIX and LoP Security Lead for IBM Lab Services
Sept 21st, 2016
The Target Breach – Case Study, Lessons Learned and the Lockheed Martin Intrusion Kill Chain Model
Who am I ?
Peyton Manning/Broncos fan and also love jazz
World-wide AIX and Linux on Power Security Lead for IBM Lab Services
Worked with Power for 19 years, specifically security for 13
I've worked with over 400 corporate customers throughout the world
Obtained US Top Secret Security Clearance in 2011
I have a security blog, www.securitysteve.net
You can follow me on twitter, @Secur1tySteve
IBM Lab Services is a cost center that works closely with IBM
development to assist Power customers with their systems
To learn about all Lab Services' security services:
www.securitysteve.net/consulting-services/
We have several flexible funding IBM programs available to provide
security consulting services at no charge to eligible customers
If you'd like me to set up a conference call so we can chat about
security, shoot me an email at [email protected]
Agenda
Recent statistics on security breaches
Introduction to the Target Breach
The Lockheed Martin Intrusion Kill Chain Model
The 13 Phases of the Breach
5 Major Lessons from the Target Breach
Countering the Breach in AIX
Recent Statistics on Security Breaches
From the June 2016 Ponemon Institute report “2016 Cost of Data Breach Study: Global Analysis”
Abstract of Ponemon Institute's Findings
383 companies surveyed from 12 different countries
Average cost of a security breach at a large company globally: $4 million
Since 2013, the costs have risen globally by 29%
Average cost of stolen record globally is $158
Ponemon Institute's 7 Global Megatrends
1. The cost of a data breach hasn't fluctuated significantly since the research started
2. The biggest financial consequence to organizations that experienced a data breach is lost business, i.e. the need to regain and retain customers' trust
3. Most data breaches continue to be caused by criminal and malicious attacks. These breaches also take the most time to detect and contain. They have the highest cost per record.
4. Investments are being made in technologies and in-house expertise to reduce the time to detect and contain
5. Regulated industries, such as healthcare and financial services, have the most costly data breaches
6. Improvements in data governance programs will reduce the cost of a data breach. For example: incident response plans, appointment of a CISO, employee training and awareness programs
7. Investment in certain data loss prevention controls and activities, such as encryption and endpoint security solutions, is important for preventing data breaches.
Introduction to the Target Breach
Primary Reference
• Main reference for this session is “Case Study: Critical Controls that Could
Have Prevented Target Breach” by Teri Radichel, [email protected]
• Permission has been obtained from Teri to abstract from her case study
• Target never released official details of the breach. This case study
cites around 50 other sources.
• You can download the PDF of the case study off of:
www.securitysteve.net/links
Secondary Reference
• Secondary reference for this session is “The Target Store Data Breaches –
Examination and Insight” by Marianna Hardy
• This is a book available from Amazon
Third Reference
• Intelligence-Driven Computer Network Defense Informed by Analysis of
Adversary Campaigns and Intrusion Kill Chains by Lockheed Martin Corp
• Whitepaper. There's a link to it in the links section of my blog,
www.securitysteve.net/links/
Abstract
• In December 2013, 40 million credit card numbers were stolen from 2000
Target stores by accessing data on point of sale (POS) systems
• On January 10th Target also announced that PII data, i.e. names, addresses,
phone numbers, and email addresses, of up to 70 million customers was
stolen
• There was an overlap of 12 million people between the two types of data
stolen, so 98 million people in total were affected in one way or another
• 11 GB of data was stolen
• The customer data was sold on online black market forums known as
“card shops”
• The Senate Committee on Commerce in March 2014 concluded that
Target missed opportunities to prevent the breach
• Target reported the breach cost them $61 million
Abstract continued ...
• The Target security staff made their misgivings known about the
vulnerabilities of their POS systems before the breach
• The attackers had access to Target systems for over a month
• Independent sources roughly estimate the cost of fraudulent charges
resulting from the stolen credit card numbers at $250 million
to $2.2 billion
• 80 lawsuits filed against Target
• The Payment Cards Industry (PCI) Council could have fined Target $400
million to $1.1 billion
• This was among the largest data breaches in U.S. history
Breach Aftermath
• CEO and CIO lost their jobs
• Target's board of directors was threatened with removal
• Banks paid $200 million to customers affected by the breach
• Banks sued Target's PCI compliance auditor, Trustwave
• Target has dealt with investigations from the Department of Justice,
the FTC, and SEC.
• Target hit by PCI compliance fines and State fines
The Lockheed Martin Intrusion Kill Chain Model
From “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”
Advanced Persistent Threat (APT)
• The initial security threats were posed by self-propagating code (viruses).
Anti-virus technology has reduced that risk.
• A new class of threat has emerged, the APT
• An APT is an adversary that is well funded, highly skilled, directs the
attack manually (not automated), and can attack over months or years
“In February 2010, iSec Partners noted that current approaches
such as anti-virus and patching are not sufficient, end users are
directly targeted, and threat actors are after sensitive intellectual
property. (Stamos, 2010)” - from Lockheed White Paper
• The Lockheed Whitepaper says:
“Yet APT actors continually demonstrate the capability to compromise
systems by using advanced tools, customized malware, and
'zero day' exploits that anti-virus and patching cannot detect
or mitigate.”
• The Target hackers used “advanced tools, customized malware
and 'zero day' exploits that anti-virus and patching cannot detect ..”
What is a Kill Chain
• “A kill chain is a systematic process to target and engage an adversary
to create desired effects”.
• The kill chain concept comes from the military
• Lockheed adapted the kill chain concept to provide a structure for
analyzing intrusions
• We can use kill chains to understand how to deploy Computer Network
Defense (CND). CND is a set of processes used to detect, monitor,
analyze, and defend against network intrusions.
• The kill chain is an end-to-end, integrated process where a deficiency
in one segment of the chain can interrupt the entire process.
• Multiple kill chains can occur within an adversary's campaign
• It helps in understanding the iterative nature of intelligence gathering
The 13 Phases of the Breach
Breach Phase 1: Reconnaissance
• A Google search was used to learn how Target interacts with vendors
• The search revealed information about a vendor portal and a list of HVAC and refrigeration companies
• A Google search also revealed a case study on Microsoft's site that described Target's use of Microsoft virtualization software, centralized name resolution, and Microsoft System Center Configuration Manager (SCCM) to deploy patches
• This Microsoft case study revealed Target's technical infrastructure, including POS system information, in significant detail
• Kill Chain 1 Phase 1 (Reconnaissance)
Breach Phase 2: Phishing Attack
• Email sent to refrigeration vendor, Fazio Mechanical, 2 months before the breach
• Fazio could have prevented the malware with real-time malware prevention tooling. Instead, they were using the free version of Malwarebytes Anti-Malware
• Malware, believed to be Citadel, was installed on a vendor computer
• The malware was embedded in a PDF or Microsoft document
• Citadel is a password-stealing bot program
• Citadel obtained the login credentials for the online vendor portal
• Kill Chain 1 Phase 2 & 3 (Weaponization & Delivery)
Breach Phase 3: Access Target via Vendor Portal
• Attackers used the stolen login credentials to gain initial access to the Target network
• A former Target security team member indicated that it was probably Target's web portal, the Ariba external billing system
• According to the same source, this portal was not fully isolated from the rest of Target's network
• The attackers used an administrative application account for BMC software, with its default username and password, to move within the network
• Raw commands were issued on various systems, possibly using NetCat.exe, which could have been used to load hacking-related commands onto compromised systems
• Access to the Target network was first gained on Nov 12th 2013
• The attackers used this initial C2 system to gain access to more sensitive parts of the Target network that stored customer data. This is a network segmentation problem.
• Kill Chain 1 Phase 4, 5 & 6 (Exploitation, Installation, & C2)
Breach Phase 4: Establish a C2 System
• Attackers used the vendor portal as a pivot to other systems
• The attackers performed reconnaissance from this C2 system to look for vulnerabilities on other systems
• The attackers further infiltrated the Target network from this system
• Attackers performed additional reconnaissance from the system using network command tools
• Attackers downloaded additional hacking tools to the system
• Kill Chain 1 Phase 7 (Actions on Objectives)
• Kill Chain 2 Phase 1 (Reconnaissance)
Breach Phase 5: Vulnerable Domain Controller
• Believed that attackers found a vulnerable Windows Domain Controller
that was used to gain access to the POS systems
• Each retail store was an autonomous unit except for centralized
authentication, domain name resolution, and endpoint monitoring
• The Microsoft case study could have keyed the attackers to look for this
centralized pivot point
• Kill Chain 2 Phase 1 (Reconnaissance)
Breach Phase 6: POS Malware Deployed
• The malware was probably distributed by an automated update process
• It is believed SCCM, Microsoft System Center Configuration Manager,
was the deployment method
• The malware was a custom type of “BlackPOS” malware undetectable
by virus scanners. This malware was sold on the black market for
$1800-$2300 (US dollars)
• The malware was first installed on POS systems starting Nov 15 2013
• The majority of Target POS systems had this malware installed by
Nov 30th
• Kill Chain 2 Phase 2 & 3 (Weaponization & Delivery)
Breach Phase 7: C2 Dump Server
• Another server with network access to the POS systems served as
a C2 system to the POS Malware infected systems
• This C2 Dump server used a 3rd malware to retrieve data from
POS systems to the dump server
• Kill Chain 2 Phase 5 & 6 (Installation & C2)
Breach Phase 8: C2 Dump Moves Data
• The data was taken from memory as cards were swiped
• The data was written to a .dll file and staged on a temporary NetBIOS
share over ports 139, 443, & 80
• The C2 dump server used its malware to retrieve the customer data
• Kill Chain 2 Phase 4 & 7 (Exploitation & Action)
Breach Phase 9: Signaling of Data Movement
• Attackers used customized ping packets to signal when data moved from
a POS machine to a compromised machine on the Target LAN
• Netcat.exe is a Windows tool they may have used. It writes data to TCP
and UDP connections.
• Kill Chain 3 Phase 1 (Reconnaissance)
Breach Phase 10: C2 Exfiltration Server
• On the Target network, there was an “exfiltration” server that the attackers
hijacked and used to install a 4th type of malware that provided data
extraction functionality for stolen customer data through the Target network and
Target's firewall out to external ftp servers
• Data was retrieved using the default administrative user name, Best1_user,
and default password, BackupU$r, for BMC's Performance Assurance for
Microsoft Servers
• Data was exfiltrated from 10am to 6pm to obscure their work.
• From Nov 30th to Dec 2nd, the attackers updated this data exfiltration
malware several times. Target's FireEye intrusion detection system
triggered urgent alerts each time the malware was updated, but the
Target security team neither reacted nor allowed FireEye to remove the
identified malware
• Target's Symantec antivirus software also detected malicious behavior
on this same server around Nov 2
• Kill Chain 3
Breach Phase 11: Data Moved to Drop Locations
• On Dec 2nd, the Target server with the data exfiltration malware sent
customer data to an external ftp server, which was used to send data to
hacked servers all over the world
• The Dell SecureWorks article, “Inside a Targeted Point-of-Sale Breach”,
indicates 3 legitimate FTP servers were the drop locations
• The hackers obtained compromised credentials to these servers and
retrieved the data with the stolen credentials
• The servers were believed to be in Eastern Europe
• The data was transmitted in clear text
• Target's FireEye software detected this exfiltration malware and the
destinations that the exfiltration malware was sending data to
Breach Phase 12: Breach Detection Ignored
• Target's security monitoring software, “FireEye”, alerted staff in India
• The Indian staff notified the Minneapolis staff, but no action was taken
• The Minneapolis staff simply did nothing
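The pattern in phases 10 through 12 (ftp exfiltration by a default vendor account, alerts raised on several days, nobody acting) is the kind of thing host auditing should surface. The following is an added example, not code from the deck: it parses constructed AIX audit records laid out like `auditpr -v` output, flags ftp run by any login outside an assumed ftp role (the separation of duties the deck later recommends) and successful logins by the default BMC account the deck names, and escalates a login that trips the ftp rule on more than one day. The `backupop` role membership and the hostnames are assumptions.

```python
"""Audit-based detection for the ftp and default-account controls this deck recommends."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set, Tuple

FTP_AUTHORIZED = {"backupop"}             # assumed: the only login holding the ftp role
DEFAULT_VENDOR_ACCOUNTS = {"Best1_user"}  # default BMC account named in the deck
EXFIL_COMMANDS = {"ftp"}


@dataclass(frozen=True)
class AuditRecord:
    event: str
    login: str
    status: str
    time: datetime
    command: str
    process: int


def parse_auditpr(line: str) -> Optional[AuditRecord]:
    """Parse one line laid out like `auditpr -v` output; header/separator lines give None."""
    parts = line.split()
    if len(parts) < 10 or parts[0] == "event" or parts[0].startswith("-"):
        return None
    # The timestamp is five tokens, e.g. "Mon Dec 02 10:17:44 2013".
    when = datetime.strptime(" ".join(parts[3:8]), "%a %b %d %H:%M:%S %Y")
    return AuditRecord(parts[0], parts[1], parts[2], when, parts[8], int(parts[9]))


Finding = Tuple[str, str, datetime]  # (rule, login, time)


def findings(records: Iterable[AuditRecord]) -> List[Finding]:
    """Flag ftp run by any login outside the ftp role, and successful logins by
    default vendor accounts. Deliberately no business-hours suppression: the
    exfiltration ran 10am to 6pm to look like normal traffic."""
    out: List[Finding] = []
    for r in records:
        if r.status != "OK":
            continue
        if r.event == "PROC_Execute" and r.command in EXFIL_COMMANDS and r.login not in FTP_AUTHORIZED:
            out.append(("FTP_UNAUTHORIZED", r.login, r.time))
        if r.event == "USER_Login" and r.login in DEFAULT_VENDOR_ACCOUNTS:
            out.append(("DEFAULT_VENDOR_LOGIN", r.login, r.time))
    return out


def escalations(found: Iterable[Finding]) -> Dict[str, int]:
    """Logins tripping FTP_UNAUTHORIZED on more than one day -> number of days.
    Repeated hits (the malware was updated several times Nov 30 to Dec 2, each
    raising an alert) signal an ongoing operation to escalate, not noise to close."""
    days: Dict[str, Set] = defaultdict(set)
    for rule, login, when in found:
        if rule == "FTP_UNAUTHORIZED":
            days[login].add(when.date())
    return {login: len(d) for login, d in days.items() if len(d) > 1}


def analyze(text: str) -> Tuple[List[Finding], Dict[str, int]]:
    recs = [r for r in map(parse_auditpr, text.splitlines()) if r is not None]
    found = findings(recs)
    return found, escalations(found)


# Constructed sample records; not real Target or AIX output.
SAMPLE_AUDIT = """\
event        login      status time                     command process
------------ ---------- ------ ------------------------ ------- -------
USER_Login   Best1_user OK     Sat Nov 30 10:02:13 2013 telnetd 22345
PROC_Execute Best1_user OK     Sat Nov 30 10:17:44 2013 ftp     22410
PROC_Execute backupop   OK     Sat Nov 30 23:10:05 2013 ftp     22990
PROC_Execute Best1_user OK     Mon Dec 02 14:41:09 2013 ftp     30112
USER_Login   steve      FAIL   Mon Dec 02 15:00:00 2013 sshd    30200
"""
```

Note that the authorized `backupop` ftp run at 23:10 raises nothing while the 14:41 run by `Best1_user` does: the decision rests on the role, not the clock.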
Breach Phase 13: Cards on Black Market
• Customer credit cards were sold on the black market
5 Major Lessons from the Target Breach
Lesson 1: Compliance Isn't Everything
• Target passed their PCI compliance audits prior to the breach.
John Mulligan, Target's Executive Vice President and Chief Financial
Officer testified that they had been certified in Sept 2013 as compliant with
PCI-DSS
• Fazio Mechanical also stated they were compliant
The SANS report says:
'We can learn from the Target breach that compliance with baseline
standards isn't enough. A comprehensive approach to security will
consider all assets, not just those that fall under compliance
regulations … As demonstrated in this breach, many different assets
were used to move throughout the network, so consideration of the
POS systems alone would not address the root causes that led up
to this attack.'
Lesson 2: Holistic Security is the Answer
• A holistic approach to information security is more effective at protecting
an organization from security breaches
• The SANS study recommended Risk Management and Defense in Depth
The SANS Study defines Risk Management as:
'Risk management assesses and prioritizes security needs based
on what can cause the most damage to a company, rather than
relying on legal or industry standard compliance.'
The SANS Study defines Defense in Depth as:
'Defense in depth makes use of multiple layers of protection.'
Lesson 3: Risk Management Recommendations
• Perform organization-wide risk management activities on a regular basis
SANS report recommends:
• 'PCI compliance alone is not a risk management strategy.'
• 'Vulnerabilities and Threats for all systems, not just those within scope
for compliance audits, are identified.'
• 'Threats and vulnerabilities are then prioritized and fixed to limit risk to
an acceptable level.'
• 'Constant re-evaluation is required as the threat landscape is always
changing.'
• 'Businesses need to employ an adequate number of security
professionals who understand the business, the risks and the potential
loss.'
• 'Security staff needs to be vigilant to understand new potential threats
and vulnerabilities when they appear.'
Lesson 4: Insufficient Defense in Depth
• Target had several layers of security defenses. They had firewalls,
malware detection software, intrusion detection and prevention capabilities
and data loss prevention tools.
• But they needed better quality of implementation and more layers
The SANS report said:
• 'Although some level of segregation likely existed, vulnerable configuration
and accounts allowed segregation strategies to be bypassed.'
• 'Despite the fact that they purchased expensive monitoring software, staff
was not sufficient, not well-trained or inadequate processes turned those
systems into a liability rather than an asset when it was determined that
Target was notified, but did nothing to stop the breach.'
Lesson 5: Intelligence-Based CND
• The Lockheed white paper indicated:
“As conventional, vulnerability-focused processes are insufficient,
understanding the threat itself, its intent, capability, doctrine, and
patterns of operation is required to establish resilience.”
• Traditional security measures may be sufficient for thwarting the
average hacker, but not the APT.
Countering the Breach in AIX
If the Target systems were all AIX partitions, how could we counter the attack?
Attack Phase / AIX Countermeasures
Phase 1 & 2 (Reconnaissance, Phishing Attack): N/A
Phase 3: Access Target via vendor portal
• Multi-factor Authentication with RSA PAM Module
Phase 4: Establish a C2 System
• AIX Role-based Access Control – limit access to privileged commands
• AIX Trusted Execution – control foreign command execution & lock policies in the kernel
Phase 5: Vulnerable Domain Controller
• Security hardening with PowerSC Security and Compliance Automation
• PowerSC Trusted Network Connect and patch management
• Network segmentation via VLANs; MSAD shouldn't have access to both PCI and non-PCI networks
Phase 6: Malware Deployed
• AIX Trusted Execution with TEP
Phase 7: C2 Dump Server
• AIX Enhanced RBAC & Multi-factor Authentication
Phase 8: C2 Dump moves data
• AIX Role-based Access Control to eliminate unnecessary administrative access
• AIX Trusted Execution to prevent execution of malware and any hacking tools
Phase 9: Signaling of data movement
• AIX Role-based Access Control
• AIX Trusted Execution
Phase 10: C2 Exfiltration Server
• AIX Role-based Access Control to eliminate unnecessary administrative access
• Password controls implemented with PowerSC Security and Compliance Automation
• Multi-factor Authentication with AIX PAM module
Phase 11: Data moved to drop locations
• Implement separation of duties for ftp with AIX Role-based Access Control
• Password controls implemented with PowerSC Security and Compliance Automation
• AIX Auditing to detect ftp
Phase 12: Breach Detection Ignored
• Use runtime preventative execution functionality in AIX Trusted Execution
• PowerSC Real Time Compliance
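The countermeasure table above, worked through as an added example (my code, not the deck's or Lockheed's): each breach phase is placed on the kill chain as the slides map it, each AIX countermeasure is tied to the breach phases it counters, and `interrupt()` reports where each of the three kill chains would have been broken and which breach phases would then never have happened. The chain-3 phase numbers for breach phases 10 and 11, and the rule that a later chain only starts once the previous chain reached Actions on Objectives, are my assumptions.

```python
"""Kill chain interruption analysis for the Target breach as this deck maps it."""
from __future__ import annotations
from typing import Dict, Iterable, List, Optional, Set, Tuple

KILL_CHAIN = {1: "Reconnaissance", 2: "Weaponization", 3: "Delivery", 4: "Exploitation",
              5: "Installation", 6: "Command and Control", 7: "Actions on Objectives"}

# Breach phase -> (name, [(kill chain, kill chain phase)]) as mapped on the slides.
# Phases 10 and 11 carry chain-3 phase numbers that are my assumption (the deck
# only says "Kill Chain 3" for phase 10 and gives nothing for phase 11).
BREACH_PHASES: Dict[int, Tuple[str, List[Tuple[int, int]]]] = {
    1: ("Reconnaissance", [(1, 1)]),
    2: ("Phishing attack", [(1, 2), (1, 3)]),
    3: ("Access Target via vendor portal", [(1, 4), (1, 5), (1, 6)]),
    4: ("Establish a C2 system", [(1, 7), (2, 1)]),
    5: ("Vulnerable domain controller", [(2, 1)]),
    6: ("POS malware deployed", [(2, 2), (2, 3)]),
    7: ("C2 dump server", [(2, 5), (2, 6)]),
    8: ("C2 dump moves data", [(2, 4), (2, 7)]),
    9: ("Signaling of data movement", [(3, 1)]),
    10: ("C2 exfiltration server", [(3, 4), (3, 5), (3, 6)]),
    11: ("Data moved to drop locations", [(3, 7)]),
}

# Countermeasure -> breach phases it counters, from the deck's AIX countermeasure table.
COUNTERMEASURES: Dict[str, Set[int]] = {
    "Multi-factor authentication (PAM)": {3, 7, 10},
    "AIX Role-based Access Control": {4, 7, 8, 9, 10, 11},
    "AIX Trusted Execution": {4, 6, 8, 9},
    "PowerSC Security and Compliance Automation": {5, 10, 11},
    "PowerSC Trusted Network Connect and patching": {5},
    "Network segmentation via VLANs": {5},
    "AIX auditing of ftp": {11},
}


def links_by_chain() -> Dict[int, List[Tuple[int, int]]]:
    """Regroup the mapping into per-chain sorted lists of (kill chain phase, breach phase)."""
    chains: Dict[int, Set[Tuple[int, int]]] = {}
    for bp, (_, links) in BREACH_PHASES.items():
        for chain, kc in links:
            chains.setdefault(chain, set()).add((kc, bp))
    return {chain: sorted(links) for chain, links in chains.items()}


def interrupt(deployed: Iterable[str]) -> Tuple[Dict[int, Optional[int]], Set[int]]:
    """Where does each chain break, and which breach phases never happen?

    breaks[chain] is the kill chain phase at which the chain is denied, None if
    it runs to completion, or 0 if it never starts because an earlier chain was
    broken (assumption: chain N+1 starts from the foothold chain N's Actions on
    Objectives produced). A control that counters a breach phase denies that
    phase's links and everything later in the same chain.
    """
    countered: Set[int] = set()
    for name in deployed:
        countered |= COUNTERMEASURES[name]
    breaks: Dict[int, Optional[int]] = {}
    prevented: Set[int] = set()
    earlier_broken = False
    for chain, links in sorted(links_by_chain().items()):
        if earlier_broken:
            breaks[chain] = 0
            prevented |= {bp for _, bp in links}
            continue
        hit = [kc for kc, bp in links if bp in countered]
        if not hit:
            breaks[chain] = None
            continue
        breaks[chain] = min(hit)
        prevented |= {bp for kc, bp in links if kc >= min(hit)}
        earlier_broken = True
    return breaks, prevented
```

Multi-factor authentication on the portal alone breaks chain 1 at Exploitation and leaves only phases 1 and 2 standing, while auditing ftp alone stops nothing before phase 11: the earlier the link, the more of the campaign one control removes.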
Summary
• The Ponemon Institute indicates that the costs of security breaches are
staying consistent
• The Target breach involved many phases
• Many layers of defense were either missing or lacking in Target's defenses
• Security compliance isn't everything, as Target was PCI compliant
• Defense in depth and a risk management approach are the best answer for
preventing breaches
• If the breach had happened in an AIX environment, the key countermeasures
would be: multi-factor authentication, AIX Role-based Access Control, AIX Trusted
Execution, and PowerSC patching, monitoring and security hardening
IBM Systems Lab Services & Training - Power Systems
Services for AIX, i5OS, and Linux on Power – PowerCare Eligible
http://www.ibm.com/systems/services/labservices/platforms/labservices_power.html
AIX Security Assessment with PCI 3.2
Terms and Conditions: Actual tasks, deliverables, service estimates, and travel requirements vary with each client's environment. When we have reached a final agreement on the scope of your initiative and our level of assistance, a formal document describing our proposed work effort, costs, etc. will be presented for your approval and signature.
Overview:
Companies frequently and unknowingly employ weak security practices that expose them to high risk. The ramifications of a security breach could be unforeseeable litigation, identity theft, the bringing down of networks, and harm to a company's brand. As described by the Jericho Forum, a company shouldn't depend solely on perimeter security. The AIX Security Assessment is the best way to identify weak AIX security practices that may be exposing your company to high risk. It is a comprehensive assessment of how you are implementing AIX security.
• At least one AIX or VIOS partition is assessed
• A set of documents detail the results of the assessment
• The assessment details how the security settings correspond to PCI 3.2
• Learn about AIX solutions available to reduce operational expense
• Learn about PowerSC solutions available to assist you with security &
compliance
• Short overviews can be provided to help the customer understand
recommended solutions, such as RBAC and LDAP
• The assessment only reads existing security settings; no settings are altered
on the assessment partition
WHO benefits from this assessment and WHY?
• Customers wanting to learn about securing VIOS partitions
• Customers wanting to improve their AIX Security configurations
• Customers wanting to stay abreast of the latest AIX security solutions
• Customers wanting a security baseline for defining standard builds
• Clients wanting to learn about ways to simplify the management of their AIX
security environment
Duration
• At least 1 day on-site
Phase 1 – Preparation (remote):
Conference calls are held prior to the service to validate the scope, agenda, schedule and required materials.
• Client provides overview of their current AIX Security environment
• IBM team prepares the service agenda/schedule
• IBM team details security data collection process
• IBM team provides customer security questionnaire
• Identify required materials / Finalize key players
Phase 2 – AIX Security Assessment (on-site):
Review the results of the assessment with the customer. Example tasks:
• Consultant reviews the results of the security assessment with
customer staff
• Customer reserves conference room with projector and invites
relevant staff
• Customer staff can ask questions about the details of the assessment
• Customer staff can ask questions about the security
recommendations
• Additional presentations can be provided to expound upon various
technologies that may be recommended
Deliverables – Detailed AIX Security Assessment Findings document, Heat
Map, Executive Summary
References:
The Jericho Forum:
http://en.wikipedia.org/wiki/Jericho_Forum
Erin M. Hansen – PowerCare Opportunity Manager, [email protected]
Hoben – Opportunity Manager, [email protected], 1-720-395-0556
Stephen Brandenburg – Opportunity Manager, [email protected], 1-301-240-2182
RHEL Security Assessment
Overview:
As detailed in the Ponemon Institute's survey, “2015 Cost of Data Breach Study”, the average cost of a computer breach at a large company globally was $3.79 million. For U.S.-based companies, the average cost was much higher, $6.5 million. These costs have risen globally 23% since 2013. In the “2014 Global Report on the Cost of Cyber Crime”, the Ponemon Institute, a security research center, reports that deploying security intelligence systems and maintaining a strong security posture makes a difference and moderates the cost of cyber attacks.
IBM Lab Services is providing the following services to help you reduce your security risk and improve the security of your information assets. These services are provided to help you deploy the type of security intelligence systems and achieve the strong security posture recommended by the Ponemon Institute.
The RHEL Security Assessment's goal is to identify effective security controls for your company to utilize which will significantly reduce your security risk.
This service is designed for IBM Power Systems customers. The security controls have been recommended for Red Hat Enterprise Linux by the United States NSA Information Assurance Directorate. The controls are primarily based on Red Hat and security community consensus-based recommendations.
Client Benefits
• Helps achieve regulatory compliance, such as PCI, HIPAA, etc.
• Helps improve RHEL security configurations and lower risk
• Helps promote the adoption of the latest RHEL security solutions
• Provides a baseline for defining standard RHEL image builds
• Learn of hundreds of security controls to reduce security risk
Duration
• Time varies depending on scope requested: 1-3 days on-site
Phase 1 – Preparation (remote):
Conference calls are held prior to the service to validate the scope, agenda, schedule and required materials.
• Client provides overview of their current RHEL security environment
• IBM team prepares the service agenda/schedule
• IBM team details security data collection process
• IBM team provides customer security questionnaire
• Identify required materials / Finalize key players
Phase 2 – RHEL Security Assessment (on-site):
Assessment Phase
• Partition data is collected
• Data is processed and assessment documents are created
Review Phase
• Consultant holds a review of the results of the assessment with key
customer staff
• Additional presentations may be provided on recommended security
solutions
Deliverables – Detailed RHEL Security Assessment Findings
document, Heat Map, Executive Summary
References:
NSA RHEL Guidelines
https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
Stephen Dominguez
www.securitysteve.net
If you'd like me to set up a conference call so we can chat about security, shoot me an email at [email protected]
Let’s Stay in Touch!