1/24/2014 By: Arvind Jain
By now we all know that passionate hackers are very smart and will always have an edge over whatever known defenses we can build (firewalls, IPS, etc.). Even the best SIO (Security Intelligence Operations) team cannot possibly know of each and every piece of malware in advance, so the traditional approach of signature-based IPS or malware detection is a stone-age thing now.
So what could have been done at Target? I am sure many experts are pondering it, but here is my simple thinking: a combination of proactive people, process and tools would have prevented it.
We need people for behavior analysis, or analytics. The BlackPOS creators, and hackers in general, know what a firewall can do. So they timed the data transfer to normal business hours, blended it with FTP traffic and used internal dump servers in Target's own network. This is what I gathered from the iSight comment in the WSJ article today:
"ISight, hired by the Secret Service and Department of Homeland Security to help with the investigation, said the bug had a "zero percent antivirus detection rate," meaning even updated security software couldn't tell it was harmful."
So an endpoint security system or antivirus software would also have been ineffective at detecting the malware.
This is where you need a joint effort of systems, people and process to detect anomalies. Something like a Cyber Threat Defense solution (like the one offered by Cisco) is a good way to detect such patterns and flag them.
The hack involved several tools: a Trojan horse scanned the point-of-sale system's memory for card data, which sat unencrypted in memory; another logged when the stolen data was stashed inside Target's network; yet another sent the stolen data to a computer outside the company. The coordination of those functions was complex and sophisticated, but it could easily have been seen as an anomalous pattern.
It is like traffic on a freeway: if traffic is jammed up, you know something is wrong ahead. Likewise, if all the traffic is going a different way than is normal for that route, you know something is not right. To detect anomalous activity on a network you have to look at the same things: traffic timing, volume, direction and so on.
These are good indicators that something has happened and potentially requires immediate attention from people and processes. You could then take the traffic flow records (using a tool like NetFlow) and look for anomalous traffic patterns. You would have encountered something never seen before, and that would have triggered deep packet inspection of the traffic carrying the dump files.
Typically such malware siphons data and stores it on the local intranet (to disguise it as internal traffic, over a temporary NetBIOS share to an internal host inside the compromised network) and then attempts to send the data to the attacker over a legitimate-looking channel such as FTP or HTTP. Here the compromised data was collected in .DLL files (in this case track data, which includes all of the information within the magnetic stripe) and was periodically relayed to an affected "dump" server over a temporary NetBIOS share drive. In this particular case the DLLs were not malicious code in themselves (they just contained data rather than executable code, so no signature-based system could have tracked them without insight from people or Target IT staff).
Tools like Lancope StealthWatch help you detect such anomalies.
The dump server was not a host that the POS systems were required to communicate with. So when POS systems attempt to communicate with one another, or with an unidentified server, a Host Lock Violation alarm is generated. Similarly, once the data started being sent to the dump server, it could have triggered a Relationship High Traffic alarm or potentially a Relationship New Flows alarm.
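To make the alarm logic in the last two paragraphs concrete, here is an added example (my own illustration, not StealthWatch or any Cisco code) that walks a window of NetFlow-style records with three checks named after the alarms above: a host lock violation when a POS register talks to a peer or port outside its learned set, a new-relationship check for src/dst pairs with no history (tagging external destinations separately), and a high-traffic check for known pairs whose byte count blows past their baseline. It then chains them the way the post describes the attack: any internal host that POS registers newly talk to is treated as a staging (dump) server, and a new external flow from that host is the exfiltration stage. All addresses, the baseline and the flow records are constructed for the example; the port 445 flows stand in for the NetBIOS share and port 21 for the FTP relay.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record (fields and values constructed for this example)."""
    ts: int        # epoch seconds
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


# --- Baseline learned from a clean period (all addresses hypothetical) ---
POS_HOSTS = {"10.1.1.10", "10.1.1.11", "10.1.1.12"}
# Host lock: each POS register may only talk to these peers (peer -> allowed ports)
HOST_LOCK = {pos: {"10.1.0.5": {443}, "10.1.0.6": {53}} for pos in POS_HOSTS}
# Relationships (src, dst) seen in the clean period and their typical bytes per window
BASELINE_BYTES = {
    ("10.1.1.10", "10.1.0.5"): 4_000, ("10.1.1.11", "10.1.0.5"): 4_000,
    ("10.1.1.12", "10.1.0.5"): 4_000, ("10.1.1.10", "10.1.0.6"): 300,
    ("10.1.1.11", "10.1.0.6"): 300, ("10.1.1.12", "10.1.0.6"): 300,
    ("10.1.0.5", "10.1.0.9"): 50_000,   # app server -> database
}


def is_internal(ip):
    return ip.startswith("10.")


def host_lock_violations(flows):
    """A POS register talking to an unexpected host or port (including another POS)."""
    alarms = []
    for f in flows:
        if f.src in HOST_LOCK:
            allowed_ports = HOST_LOCK[f.src].get(f.dst)
            if allowed_ports is None or f.dport not in allowed_ports:
                alarms.append(("HostLockViolation", f.src, f.dst, f.dport))
    return alarms


def relationship_new_flows(flows, baseline=BASELINE_BYTES):
    """Src/dst pairs with no history in the baseline; external destinations tagged separately."""
    seen, alarms = set(), []
    for f in flows:
        pair = (f.src, f.dst)
        if pair in baseline or pair in seen:
            continue
        seen.add(pair)
        kind = "NewFlowsExternal" if not is_internal(f.dst) else "NewFlows"
        alarms.append((kind, f.src, f.dst, f.dport, f.proto))
    return alarms


def relationship_high_traffic(flows, baseline=BASELINE_BYTES, factor=3):
    """Known relationships whose byte volume in this window exceeds factor x baseline."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, f.dst)] += f.nbytes
    return [("HighTraffic", src, dst, total, baseline[(src, dst)])
            for (src, dst), total in totals.items()
            if (src, dst) in baseline and total > factor * baseline[(src, dst)]]


def correlate(flows):
    """Chain the alarms: POS -> new internal staging host -> new external destination."""
    hlv = host_lock_violations(flows)
    new = relationship_new_flows(flows)
    staging = {dst for _, src, dst, *_ in hlv if is_internal(dst) and dst not in POS_HOSTS}
    exfil = [a for a in new if a[0] == "NewFlowsExternal" and a[1] in staging]
    return {"host_lock": hlv, "new_flows": new,
            "high_traffic": relationship_high_traffic(flows),
            "staging_hosts": sorted(staging), "exfil_chain": exfil}


# Constructed one-hour window on a business day: normal POS traffic plus the three
# stages described in the post (stash on a share, POS-to-POS chatter, FTP out).
SAMPLE_FLOWS = [
    Flow(1390570000, "10.1.1.10", "10.1.0.5", 443, "tcp", 3_800),
    Flow(1390570010, "10.1.1.11", "10.1.0.6", 53, "udp", 250),
    Flow(1390570300, "10.1.1.10", "10.1.0.77", 445, "tcp", 120_000),    # POS -> dump server share
    Flow(1390570320, "10.1.1.11", "10.1.0.77", 445, "tcp", 95_000),
    Flow(1390570400, "10.1.1.12", "10.1.1.10", 445, "tcp", 2_000),      # POS -> POS
    Flow(1390571000, "10.1.0.77", "203.0.113.9", 21, "tcp", 9_400_000), # dump server -> FTP out
    Flow(1390571100, "10.1.0.5", "10.1.0.9", 1433, "tcp", 180_000),     # known pair, 3.6x baseline
]

if __name__ == "__main__":
    for name, alarms in correlate(SAMPLE_FLOWS).items():
        print(name, alarms)
```

The point of `correlate` is the one the post makes: each alarm on its own is a line item an analyst could dismiss, but a host that only appears because POS registers started talking to it, and that then opens a brand-new external FTP relationship, is the whole chain in one record. A real deployment would learn `HOST_LOCK` and `BASELINE_BYTES` from weeks of flows rather than hard-code them, and would key the baseline on time of day so that a transfer "timed to business hours" is compared against business-hours norms.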
Internet Control Message Protocol (ICMP) is one of the main
protocols of the Internet Protocol Suite used by network devices, like routers,
to send error messages indicating, for example, that a requested service is not
available or that a host or router could not be reached. ICMP anomalies can be
detected using network-monitoring tools provided by companies like Cisco or its
recent acquisition
So you do have all the tools at your disposal; all that was needed was a good brain with common sense to correlate the series of anomalous activities that were happening and that could have been detected by monitoring tools.
Of course, if you do not have the time for all this, or the tools, or the in-house security expertise, Cisco Advanced Services for Managed Cyber Security is at your service. Feel free to reach out to me for recommendations.
Arvind