Retailers are under cyber-attack at an alarming rate. Day after day, we hear of another major national retail chain experiencing a colossal data breach.
Learn key concepts and techniques that will help you rapidly enhance your current cyber security efforts.
• Get a complete view of what is currently happening in the retail industry
• Understand the concepts of NetFlow and how it can greatly enhance security efforts
• Learn how attacks are injected into the network from the POS system, and ways to detect and remediate these attacks
• Establish a means to recognize data exfiltration and learn techniques to prevent it
3. “The growing popularity of this type of malware, the accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors. We believe POS malware crime will continue to grow over the near term despite law enforcement and security firms’ actions to mitigate it.” - FBI
4. Thinking about the attacker’s Kill Chain
Recon → Exploitation → Initial Infection → Command and Control → Internal Pivot → Data Preparation & Exfiltration
• What steps did these attackers go through as they compromised the network and stole information?
5. What avenues have attackers used to exploit retail environments?
• Insecure Wi-Fi
– Albert Gonzalez cracked WEP-encrypted Wi-Fi to get into retail networks
– Many retailers provide customer Wi-Fi
• SQL Injection
– Albert Gonzalez launched SQL Injection attacks against websites
– Databases are where the data is
– A database server driving a website can be a lily pad used to hop behind the firewall
• Malicious Insider
– Malware can be walked into a retail establishment via USB key
• Compromised Insider
– HVAC vendor was reportedly compromised to gain access to the retail network
7. Speculation about vulnerabilities:
(I am skeptical about the veracity of these.)
• Domain account with a weak password created by BMC Software Automation Suite
– BMC issued a statement denying that this was true
• Compromise of point-of-sale software distribution system
• Compromise of application whitelisting management software
• Worm-like propagation
9. Retailers face unique IT security challenges:
• Highly distributed network environment
– Very expensive to deploy security solutions at each POP (point of presence)
• Point of sale terminals may be difficult to segment
– PCI DSS does not require segmentation
– Lack of segmentation capability in POP infrastructure
– Need to interconnect with SIEM, inventory management, NTP
• Points of presence may not have full-time IT staff
– Increased possibility of misconfiguration
• Point of sale terminals may be difficult to patch
– Windows XP anyone?
• Compliance-focused approach to security
– PCI DSS is important, but it isn’t everything
10. StealthWatch can help meet these challenges:
• Economical visibility from the infrastructure itself.
– No need for a truck roll to deploy appliances at each POP.
• Network relationship monitoring that can provide virtual segmentation in environments where physical segmentation is difficult to achieve or unreliable.
– Segmentation can be monitored from the comfort of the head office.
• Anomaly detection that can identify attacks that other security solutions miss.
– StealthWatch is designed to automatically identify suspicious movement of data within networks.
• A historical perspective that can help investigate incidents.
– Incidents can take months to identify; when they happen it’s important to be able to go back and investigate the attack.
21. Neiman Marcus Compromise Timeline
• Initial Compromise: July 16th 2013
• Attack Completes: October 30th 2013
• Informed of Unauthorized Card Activity: Mid-December 2013
• Discovered Attack: January 1st 2014
Source: http://www.neimanmarcus.com/NM/Security-Info/cat49570732/c.cat?icid=topPromo_hmpg_ticker_SecurityInfo_0114
22. Hunting in the network audit trails
CrowdStrike identified three different IP addresses associated with BlackPOS:
199.188.204.182
50.87.167.144
63.111.113.99
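The following is an added example, not code from the deck or from StealthWatch, showing what "hunting in the network audit trails" looks like once flow records are in hand. It runs three checks over constructed NetFlow-style records: a match against the three BlackPOS addresses listed above, a relationship policy that gives the "virtual segmentation" of slide 10 (POS terminals may only talk to a known set of peers), and a byte-volume heuristic for the kind of data movement slide 6 calls exfiltration. The POS subnet, the allowed peers and ports, the threshold and every flow record are assumptions made for illustration; only the three IOC addresses come from the slide.

```python
"""Hunt for POS compromise indicators in NetFlow-style records.

Added example (not from the original deck or from Lancope/StealthWatch).
Everything except the three BlackPOS IP addresses is an assumption:
the POS subnet, the allow-list of peers, the threshold and the sample flows.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# IOCs named on the slide (CrowdStrike, BlackPOS).
BLACKPOS_IOCS = {"199.188.204.182", "50.87.167.144", "63.111.113.99"}

# Assumed store topology: POS terminals live in 10.20.0.0/16 and are only
# expected to talk to the payment gateway and a few head-office services
# (SIEM syslog, inventory management, NTP). Anything else is a relationship
# the policy does not allow, whether or not a firewall exists to block it.
POS_NET = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_PEERS = {
    ("203.0.113.10", 443),   # payment gateway (TEST-NET-3 address, assumed)
    ("10.1.0.5", 514),       # head-office SIEM (syslog)
    ("10.1.0.6", 8443),      # inventory management
    ("10.1.0.7", 123),       # NTP
}
EXFIL_BYTES_THRESHOLD = 5_000_000  # bytes from one POS host to one peer

FIELDS = ["ts", "src", "sport", "dst", "dport", "proto", "bytes"]

# Constructed flow records (nfdump-like CSV). Scenario: terminal .12 pushes
# data to an internal staging host .250, which then bulk-uploads to an IOC.
SAMPLE_FLOWS = """\
2013-10-29T22:01:05,10.20.3.11,49152,203.0.113.10,443,tcp,2310
2013-10-29T22:01:09,10.20.3.11,49153,10.1.0.7,123,udp,76
2013-10-29T22:05:41,10.20.3.11,49160,10.1.0.6,8443,tcp,18400
2013-10-29T23:14:02,10.20.3.12,49201,10.20.3.250,445,tcp,52100
2013-10-29T23:40:17,10.20.3.12,49210,199.188.204.182,80,tcp,4096
2013-10-30T01:02:33,10.20.3.250,51000,63.111.113.99,21,tcp,3200000
2013-10-30T01:03:10,10.20.3.250,51001,63.111.113.99,21,tcp,3100000
2013-10-30T01:10:00,10.20.3.13,49300,10.1.0.5,514,udp,900
"""


def parse_flows(text):
    """Parse CSV flow records into dicts; ports and byte counts become ints."""
    flows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["sport"] = int(row["sport"])
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        flows.append(row)
    return flows


def ioc_hits(flows, iocs=BLACKPOS_IOCS):
    """Flows where either endpoint is a known BlackPOS address."""
    return [f for f in flows if f["src"] in iocs or f["dst"] in iocs]


def segmentation_violations(flows):
    """Flows leaving a POS host for a (peer, port) the policy does not allow.

    This is the 'virtual segmentation' idea: the network may be flat, but the
    expected relationships are known, so anything outside them is suspicious,
    including lateral movement to another host inside the store.
    """
    return [
        f for f in flows
        if ipaddress.ip_address(f["src"]) in POS_NET
        and (f["dst"], f["dport"]) not in ALLOWED_PEERS
    ]


def exfil_candidates(flows, threshold=EXFIL_BYTES_THRESHOLD):
    """Sum outbound bytes per (src, dst) over policy-violating flows.

    One upload is usually split across many flow records, so only the
    aggregate makes the volume visible. Returns pairs above the threshold.
    """
    totals = defaultdict(int)
    for f in segmentation_violations(flows):
        totals[(f["src"], f["dst"])] += f["bytes"]
    return {pair: b for pair, b in totals.items() if b > threshold}


def hunt(text=SAMPLE_FLOWS):
    """Run all three checks and return the findings."""
    flows = parse_flows(text)
    return {
        "ioc_hits": ioc_hits(flows),
        "segmentation_violations": segmentation_violations(flows),
        "exfil_candidates": exfil_candidates(flows),
    }


if __name__ == "__main__":
    report = hunt()
    for f in report["ioc_hits"]:
        print(f"IOC   {f['ts']} {f['src']} -> {f['dst']}:{f['dport']}")
    for f in report["segmentation_violations"]:
        print(f"SEG   {f['ts']} {f['src']} -> {f['dst']}:{f['dport']}")
    for (src, dst), b in report["exfil_candidates"].items():
        print(f"EXFIL {src} -> {dst} {b} bytes")
```

Two caveats for real flow data: NetFlow records are unidirectional and often sampled, so the same check should be run on flows whose destination is a POS host as well, and the byte totals should be computed per time window rather than over the whole capture, otherwise a slow drip of card data over weeks never crosses the threshold. The allow-list is also the part that needs the most care; the deck's point about SIEM, inventory and NTP dependencies is exactly the list that has to be enumerated before a relationship policy can be enforced.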
23. Cisco Identity Services Engine (ISE)
• Cisco ISE is a context-aware, policy-based 802.1X authentication solution
• Detect
– Device type, operating system and patch level
– Time and location from which the user is attempting to gain access

User Name   MAC Address                                        Device Type
Bob.Smith   8c:77:12:a5:64:05 (Samsung Electronics Co.,Ltd)   Android
John.Doe    10:9a:dd:27:cb:70 (Apple Inc)                     Apple-iPhone