StealthWatch & Point-of-Sale Malware
Tom Cross
Director of Security Research
tcross@lancope.com
(770) 225-6557
2
“The growing popularity of this type of malware, the
accessibility of the malware on underground forums,
the affordability of the software and the huge
potential profits to be made from retail POS systems
in the United States make this type of financially-motivated cyber crime attractive to a wide range of
actors. We believe POS malware crime will continue
to grow over the near term despite law enforcement
and security firms’ actions to mitigate it.” - FBI

3
Thinking about the attacker’s Kill Chain
Recon → Exploitation → Initial Infection → Command and Control → Internal Pivot → Data Preparation & Exfiltration

• What steps did these attackers go through as they compromised the network and stole information?

4
What avenues have attackers used to exploit retail environments?
• Insecure Wifi
– Albert Gonzalez cracked WEP-encrypted wifi to get into retail networks
– Many retailers provide customer wifi

• SQL Injection
– Albert Gonzalez launched SQL Injection attacks against websites
– Databases are where the data is
– A database server driving a website can be a lily pad used to hop behind the firewall

• Malicious Insider
– Malware can be walked into a retail establishment via USB key

• Compromised Insider
– HVAC vendor was reportedly compromised to gain access to the retail network
5
Basic Corporate Network Diagram

(Diagram: corporate network showing a Web Server and a Database Server.)
© 2013 Lancope, Inc. All rights reserved.

6
Speculation about vulnerabilities:
(I am skeptical about the veracity of these.)
• Domain account with a weak password created by BMC
Software Automation Suite
– BMC issued a statement denying that this was true

• Compromise of point-of-sale software distribution system
• Compromise of application whitelisting management software
• Worm-like propagation

7
Moving the data out:

(Diagram: POS Terminals, a Staging Server, FTP to a Compromised Third-Party Server, and an Exfiltration Server.)
8
Retailers face unique IT security challenges:
• Highly distributed network environment
– Very expensive to deploy security solutions at each POP

• Point of sale terminals may be difficult to segment
– PCI-DSS does not require segmentation
– Lack of segmentation capability in POP infrastructure
– Need to interconnect with SIEM, inventory management, NTP

• Points of presence may not have full time IT staff
– Increased possibility of misconfiguration

• Point of sale terminals may be difficult to patch
– Windows XP anyone?

• Compliance focused approach to security
– PCI-DSS is important, but it isn’t everything
9
StealthWatch can help meet these challenges:
• Economical visibility from the infrastructure itself.
– No need for a truck roll to deploy appliances at each POP.

• Network relationship monitoring that can provide virtual segmentation in environments where physical segmentation is difficult to achieve or unreliable.
– Segmentation can be monitored from the comfort of the head office.

• Anomaly detection that can identify attacks that other security solutions miss.
– StealthWatch is designed to automatically identify suspicious movement of data within networks.

• A historical perspective that can help investigate incidents.
– Incidents can take months to identify; when they happen it's important to be able to go back and investigate the attack.
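As an added illustration of the "virtual segmentation" point above (and of the later slide on profiling relationships between host groups), the following Python is example code written for this page, not Lancope or StealthWatch code: the host groups, the allowed-relationship policy, the addresses and the flow records are all constructed.

```python
"""Virtual segmentation through network relationship monitoring.

Added example, not Lancope/StealthWatch code. Host groups, the allowed
relationship policy, addresses and flow records are all constructed.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One flow record as a NetFlow exporter would report it (constructed)."""
    src: str
    dst: str
    dst_port: int


# Constructed host groups for a single store; any address outside them is
# treated as "Internet".
HOST_GROUPS = {
    "POS Terminals": [ip_network("10.1.1.0/24")],
    "Payment Gateway": [ip_network("10.1.3.5/32")],
    "Store Servers": [ip_network("10.1.2.0/24")],
    "HQ Management": [ip_network("10.0.0.0/16")],
}

# Which group may talk to which group, and on which destination ports.
# Any (source group, destination group) pair not listed, or a listed pair on
# an unlisted port, is reported: the flow data reveals the relationship even
# where no VLAN or firewall enforces it.
ALLOWED = {
    ("POS Terminals", "Payment Gateway"): {443},
    ("POS Terminals", "Store Servers"): {123, 514},  # NTP, syslog to the SIEM
    ("HQ Management", "POS Terminals"): {3389},
    ("HQ Management", "Store Servers"): {22, 3389},
    ("Store Servers", "Internet"): {443},
}

# Constructed flows: normal store traffic plus three that a segmentation
# policy would never have allowed.
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "10.1.3.5", 443),      # card authorisation
    Flow("10.1.1.11", "10.1.2.20", 123),     # NTP to a store server
    Flow("10.0.5.2", "10.1.1.10", 3389),     # HQ remote administration
    Flow("10.1.1.12", "10.1.2.50", 445),     # POS pushing files to a store server
    Flow("10.1.1.13", "203.0.113.9", 21),    # POS talking straight to the Internet
    Flow("10.1.2.50", "198.51.100.7", 21),   # store server sending FTP outbound
]


def group_of(ip):
    """Map an address to its host group, defaulting to 'Internet'."""
    addr = ip_address(ip)
    for name, nets in HOST_GROUPS.items():
        if any(addr in net for net in nets):
            return name
    return "Internet"


def relationship_profile(flows):
    """Count flows per (source group, destination group) pair: the relationship
    map that lets segmentation be checked from the head office."""
    return Counter((group_of(f.src), group_of(f.dst)) for f in flows)


def violations(flows):
    """Return (flow, src_group, dst_group, reason) for every flow outside policy."""
    findings = []
    for f in flows:
        pair = (group_of(f.src), group_of(f.dst))
        if pair not in ALLOWED:
            findings.append((f, *pair, "unexpected relationship"))
        elif f.dst_port not in ALLOWED[pair]:
            findings.append((f, *pair, f"unexpected port {f.dst_port}"))
    return findings


if __name__ == "__main__":
    for (src_grp, dst_grp), n in sorted(relationship_profile(SAMPLE_FLOWS).items()):
        print(f"{src_grp} -> {dst_grp}: {n} flow(s)")
    for f, src_grp, dst_grp, reason in violations(SAMPLE_FLOWS):
        print(f"VIOLATION {f.src} -> {f.dst}:{f.dst_port} "
              f"({src_grp} -> {dst_grp}): {reason}")
```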
10
Retail Network Diagram
(Diagram: USA HQ connected to New York, Atlanta and London branches, each with POS Terminals.)
11
Your Infrastructure Provides the Source...

(Diagram: sites Atlanta, San Jose, New York, Datacenter, DMZ and Access, with NetFlow exported from the existing devices: 3560-X, 3925 ISR, ASR-1000, Cat6k, ASA, Cat4k, UCS with Nexus 1000v, and 3850 Stack(s), across the WAN and Internet.)
12
…for Total Visibility from Edge to Access.

(Diagram: the same topology, 3560-X, ASR-1000, 3925 ISR, Cat6k, Cat4k, ASA, UCS with Nexus 1000v and 3850 Stack(s), spanning Internet, WAN, Datacenter, DMZ and Access.)
13
Transactional Audits of ALL activities


14
Actually see what’s happening inside each POP:

(Figure: the Secure Zone host group within a POP.)

15

Flow Statistical Analysis


16

Automated Data Loss Detection


17
Suspect Data Hoarding

Unusually large amount of data inbound from other hosts

18
Target Data Hoarding

Unusually large amount of data outbound from a host to multiple hosts
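The two anomalies on the Suspect and Target Data Hoarding slides can be expressed as per-host volume checks against a learned baseline, combined with a count of distinct peers. The Python below is an added example, not StealthWatch's implementation; the flow records, hosts, baselines and thresholds are constructed.

```python
"""Flow-based detection of the two data-hoarding anomalies from the slides.

Added example, not Lancope/StealthWatch code: the flow records, host
addresses, baselines and thresholds are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as a NetFlow exporter would report it."""
    src: str
    dst: str
    nbytes: int  # bytes carried from src to dst


# Constructed daily baselines (bytes) per host, standing in for the learned
# per-host behaviour a flow collector builds up over time.
INBOUND_BASELINE = {"10.1.2.50": 2_000_000, "10.1.3.5": 10_000}
OUTBOUND_BASELINE = {"10.1.3.20": 20_000_000}
DEFAULT_BASELINE = 1_000_000  # used for hosts with no learned baseline

# Constructed flows for one day on a hypothetical store network: five POS
# terminals talk to the payment gateway (normal) but also push large volumes
# to an internal staging host; a database server pushes large volumes to
# several terminals.
POS_TERMINALS = [f"10.1.1.{i}" for i in range(10, 15)]
SAMPLE_FLOWS = (
    [Flow(pos, "10.1.3.5", 2_000) for pos in POS_TERMINALS]           # card auth
    + [Flow(pos, "10.1.2.50", 40_000_000) for pos in POS_TERMINALS]   # to staging
    + [Flow("10.1.3.20", pos, 150_000_000) for pos in POS_TERMINALS[:4]]
)


def aggregate(flows, key, peer):
    """Total bytes and distinct peer set per host, keyed by `key` ('src' or 'dst')."""
    total = defaultdict(int)
    peers = defaultdict(set)
    for f in flows:
        host = getattr(f, key)
        total[host] += f.nbytes
        peers[host].add(getattr(f, peer))
    return total, peers


def hoarding_alerts(total, peers, baseline, ratio, min_peers):
    """Hosts whose volume exceeds `ratio` times their baseline while exchanging
    data with at least `min_peers` distinct hosts. Returns {host: (bytes, peers)}."""
    alerts = {}
    for host, nbytes in total.items():
        expected = baseline.get(host, DEFAULT_BASELINE)
        if nbytes > ratio * expected and len(peers[host]) >= min_peers:
            alerts[host] = (nbytes, len(peers[host]))
    return alerts


def suspect_data_hoarding(flows, ratio=5.0, min_peers=3):
    """Unusually large inbound volume gathered from multiple other hosts."""
    total, peers = aggregate(flows, key="dst", peer="src")
    return hoarding_alerts(total, peers, INBOUND_BASELINE, ratio, min_peers)


def target_data_hoarding(flows, ratio=5.0, min_peers=3):
    """Unusually large outbound volume pushed from one host to multiple hosts."""
    total, peers = aggregate(flows, key="src", peer="dst")
    return hoarding_alerts(total, peers, OUTBOUND_BASELINE, ratio, min_peers)


if __name__ == "__main__":
    for name, alerts in (("Suspect Data Hoarding", suspect_data_hoarding(SAMPLE_FLOWS)),
                         ("Target Data Hoarding", target_data_hoarding(SAMPLE_FLOWS))):
        for host, (nbytes, n) in sorted(alerts.items()):
            print(f"{name}: {host} moved {nbytes:,} bytes with {n} hosts")
```

The peer-count requirement is what separates a host collecting from many sources (the staging server) from a terminal that simply received one large transfer.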

19
Profile the relationships between host groups

(Figure: relationships between host groups, including the Secure Zone.)

20

Neiman Marcus Compromise Timeline
• Initial Compromise: July 16th 2013
• Attack Completes: October 30th 2013
• Informed of Unauthorized Card Activity: Mid-December 2013
• Discovered Attack: January 1st 2014
Source: http://www.neimanmarcus.com/NM/Security-Info/cat49570732/c.cat?icid=topPromo_hmpg_ticker_SecurityInfo_0114

21
Hunting in the network audit trails
CrowdStrike identified three different IP addresses associated with BlackPOS:
199.188.204.182
50.87.167.144
63.111.113.99

22
Cisco Identity Services Engine (ISE)
• Cisco ISE is a context-aware, policy-based 802.1x authentication solution
• Detect
– Device type, operating system and patch level
– Time and location from which the user is attempting to gain access

User Name    MAC Address                                       Device Type
Bob.Smith    8c:77:12:a5:64:05 (Samsung Electronics Co.,Ltd)   Android
John.Doe     10:9a:dd:27:cb:70 (Apple Inc)                     Apple-iPhone

23
User Reports

24
Thank You
Tom Cross
Director of Security Research,
StealthWatch Labs

http://www.lancope.com
@Lancope (company)
@netflowninjas (company blog)
https://www.facebook.com/Lancope
http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about
https://plus.google.com/u/0/103996520487697388791/posts
http://feeds.feedburner.com/NetflowNinjas

25
Thank You
Tom Cross, Director of Security
Research
tcross@lancope.com
(770) 225-6557

 
The Library of Sparta
The Library of SpartaThe Library of Sparta
The Library of Sparta
 
Looking for the weird webinar 09.24.14
Looking for the weird   webinar 09.24.14Looking for the weird   webinar 09.24.14
Looking for the weird webinar 09.24.14
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
Reverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation TovarReverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation Tovar
 
Needs of a Modern Incident Response Program
Needs of a Modern Incident Response ProgramNeeds of a Modern Incident Response Program
Needs of a Modern Incident Response Program
 
Data center webinar_v2_1
Data center webinar_v2_1Data center webinar_v2_1
Data center webinar_v2_1
 
Insider threat v3
Insider threat v3Insider threat v3
Insider threat v3
 
Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better Together
 
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
 

StealthWatch & Point-of-Sale (POS) Malware

  • 1. StealthWatch & Point-of-Sale Malware
    Tom Cross, Director of Security Research
    tcross@lancope.com, (770) 225-6557
  • 3. “The growing popularity of this type of malware, the accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors. We believe POS malware crime will continue to grow over the near term despite law enforcement and security firms’ actions to mitigate it.” - FBI
  • 4. Thinking about the attacker’s Kill Chain
    Recon → Exploitation → Initial Infection → Command and Control → Internal Pivot → Data Preparation & Exfiltration
    • What steps did these attackers go through as they compromised the network and stole information?
  • 5. What avenues have attackers used to exploit retail environments?
    • Insecure Wi-Fi
      – Albert Gonzalez cracked WEP-encrypted Wi-Fi to get into retail networks
      – Many retailers provide customer Wi-Fi
    • SQL Injection
      – Albert Gonzalez launched SQL injection attacks against websites
      – Databases are where the data is
      – A database server driving a website can be a lily pad used to hop behind the firewall
    • Malicious Insider
      – Malware can be walked into a retail establishment on a USB key
    • Compromised Insider
      – An HVAC vendor was reportedly compromised to gain access to a retail network
  • 6. Basic Corporate Network Diagram (diagram: Web Server, Database Server)
    © 2013 Lancope, Inc. All rights reserved.
  • 7. Speculation about vulnerabilities: (I am skeptical about the veracity of these.)
    • Domain account with a weak password created by BMC Software Automation Suite
      – BMC issued a statement denying that this was true
    • Compromise of point-of-sale software distribution system
    • Compromise of application whitelisting management software
    • Worm-like propagation
  • 8. Moving the data out (diagram: POS Terminals, Staging Server, FTP, Compromised Third-Party Server, Exfiltration Server)
  • 9. Retailers face unique IT security challenges:
    • Highly distributed network environment
      – Very expensive to deploy security solutions at each POP
    • Point of sale terminals may be difficult to segment
      – PCI DSS does not require segmentation
      – Lack of segmentation capability in POP infrastructure
      – Need to interconnect with SIEM, inventory management, NTP
    • Points of presence may not have full-time IT staff
      – Increased possibility of misconfiguration
    • Point of sale terminals may be difficult to patch
      – Windows XP anyone?
    • Compliance-focused approach to security
      – PCI DSS is important, but it isn’t everything
  • 10. StealthWatch can help meet these challenges:
    • Economical visibility from the infrastructure itself.
      – No need for a truck roll to deploy appliances at each POP.
    • Network relationship monitoring that can provide virtual segmentation in environments where physical segmentation is difficult to achieve or unreliable.
      – Segmentation can be monitored from the comfort of the head office.
    • Anomaly detection that can identify attacks that other security solutions miss.
      – StealthWatch is designed to automatically identify suspicious movement of data within networks.
    • A historical perspective that can help investigate incidents.
      – Incidents can take months to identify; when they happen it’s important to be able to go back and investigate the attack.
  • 11. Retail Network Diagram (diagram: USA HQ with New York, Atlanta and London branches, each with POS Terminals)
  • 12. Your Infrastructure Provides the Source... (diagram: NetFlow exported by the 3560-X, 3925 ISR, ASR-1000, Cat6k, Cat4k, ASA, 3850 Stack(s) and UCS with Nexus 1000v across the Atlanta, San Jose and New York sites, the WAN and Internet edges, and the Datacenter, DMZ and Access layers)
  • 13. …for Total Visibility from Edge to Access. (same diagram without the NetFlow labels)
  • 14. Transactional Audits of ALL activities
  • 15. Actually see what’s happening inside each POP (diagram: Secure Zone)
  • 16. Flow Statistical Analysis
  • 17. Automated Data Loss Detection
  • 18. Suspect Data Hoarding: unusually large amount of data inbound from other hosts
  • 19. Target Data Hoarding: unusually large amount of data outbound from a host to multiple hosts
  • 20. Profile the relationships between host groups (diagram: Secure Zone)
  • 21. Neiman Marcus Compromise Timeline
    • Initial Compromise: July 16th 2013
    • Attack Completes: October 30th 2013
    • Informed of Unauthorized Card Activity: Mid-December 2013
    • Discovered Attack: January 1st 2014
    Source: http://www.neimanmarcus.com/NM/Security-Info/cat49570732/c.cat?icid=topPromo_hmpg_ticker_SecurityInfo_0114
  • 22. Hunting in the network audit trails
    CrowdStrike identified three different IP addresses associated with BlackPOS:
      199.188.204.182
      50.87.167.144
      63.111.113.99
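    As an added example, not code from the deck or from Lancope, the Python below implements in miniature what slides 10, 18, 19, 20 and 22 describe over NetFlow records: a host-group relationship policy that flags any flow outside it (virtual segmentation), the two data-hoarding alarms, and an IOC hunt through retained flow history that also lists the internal peers of any host that touched an indicator, so the internal pivot can be traced. The sample flows follow the slide 8 pattern as I read it (terminals dump to a staging server, which FTPs the data out); the addresses, host groups, policy, byte volumes and timestamps are constructed assumptions, and the three indicator addresses are the ones slide 22 attributes to CrowdStrike.

```python
"""Added example (not Lancope/StealthWatch code): the three flow analytics the deck
describes, run over constructed NetFlow-style records. Addresses, host groups,
policy, byte volumes and timestamps are assumptions made for the example."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    start: str    # ISO-8601 flow start (constructed)
    src: str
    dst: str
    dport: int
    nbytes: int   # bytes sent from src to dst


# Constructed host groups, ordered so the catch-all "Internet" matches last.
HOST_GROUPS = {
    "POS Terminals": ip_network("10.20.0.0/16"),
    "Payment Gateway": ip_network("10.1.1.0/24"),
    "Infrastructure": ip_network("10.1.2.0/24"),   # DNS, NTP
    "Branch Servers": ip_network("10.1.9.0/24"),   # file/print, software distribution
    "Internet": ip_network("0.0.0.0/0"),
}
# Relationship policy (assumed): the (destination group, port) pairs a source group may
# talk to. Any other flow from a policed group is a virtual-segmentation violation.
ALLOWED = {
    "POS Terminals": {("Payment Gateway", 443), ("Infrastructure", 53), ("Infrastructure", 123)},
    "Branch Servers": {("POS Terminals", 445), ("Infrastructure", 53), ("Internet", 443)},
}
# The BlackPOS addresses slide 22 attributes to CrowdStrike.
BLACKPOS_IPS = {"199.188.204.182", "50.87.167.144", "63.111.113.99"}


def group_of(ip):
    addr = ip_address(ip)
    return next(name for name, net in HOST_GROUPS.items() if addr in net)


def segmentation_violations(flows):
    """Flows whose src group -> (dst group, port) is outside the relationship policy."""
    return [f for f in flows if group_of(f.src) in ALLOWED
            and (group_of(f.dst), f.dport) not in ALLOWED[group_of(f.src)]]


def data_hoarding(flows, baseline, default_baseline=1_000_000, min_peers=5, factor=3.0):
    """Suspect Data Hoarding: a host takes in far more than its baseline, from many peers.
    Target Data Hoarding: a host pushes far more than its baseline, to many peers.
    baseline maps host -> expected bytes per interval (learned in practice; constructed here)."""
    inbound = defaultdict(lambda: [0, set()])
    outbound = defaultdict(lambda: [0, set()])
    for f in flows:
        inbound[f.dst][0] += f.nbytes
        inbound[f.dst][1].add(f.src)
        outbound[f.src][0] += f.nbytes
        outbound[f.src][1].add(f.dst)
    alarms = []
    for label, table in (("Suspect Data Hoarding", inbound), ("Target Data Hoarding", outbound)):
        for host, (total, peers) in table.items():
            if len(peers) >= min_peers and total > factor * baseline.get(host, default_baseline):
                alarms.append((label, host, total, len(peers)))
    return alarms


def hunt_iocs(flows, iocs):
    """Search the retained flow history for hosts that talked to an IOC (first/last seen),
    then list each hit's internal peers: where an internal pivot could have gone."""
    hits = {}
    for f in flows:
        for inside, outside in ((f.src, f.dst), (f.dst, f.src)):
            if outside in iocs:
                first, last = hits.get(inside, (f.start, f.start))
                hits[inside] = (min(first, f.start), max(last, f.start))
    pivots = {host: sorted({p for f in flows for a, p in ((f.src, f.dst), (f.dst, f.src))
                            if a == host and group_of(p) != "Internet"}) for host in hits}
    return hits, pivots


# Constructed records for one interval, on the pattern of slide 8: terminals dump card
# data to a branch server that stages it and FTPs it out (this reading of the diagram is assumed).
POS = [f"10.20.1.{n}" for n in range(11, 16)]
STAGING, GATEWAY, NTP, EXFIL = "10.1.9.7", "10.1.1.10", "10.1.2.5", "63.111.113.99"
FLOWS = []
for i, pos in enumerate(POS):
    FLOWS.append(Flow(f"2013-11-02T01:0{i}:00", pos, GATEWAY, 443, 20_000))    # normal sales
    FLOWS.append(Flow(f"2013-11-02T01:0{i}:05", pos, NTP, 123, 90))             # normal NTP
    FLOWS.append(Flow(f"2013-11-02T02:0{i}:00", STAGING, pos, 445, 800_000))    # malware pushed
    FLOWS.append(Flow(f"2013-11-02T03:0{i}:00", pos, STAGING, 445, 3_000_000))  # track data dumped
FLOWS.append(Flow("2013-11-02T04:30:00", STAGING, EXFIL, 21, 15_000_000))        # FTP exfiltration
BASELINE = {GATEWAY: 5_000_000}   # the gateway legitimately hears from every terminal

if __name__ == "__main__":
    for f in segmentation_violations(FLOWS):
        print("policy", group_of(f.src), f.src, "->", group_of(f.dst), f"{f.dst}:{f.dport}")
    for alarm in data_hoarding(FLOWS, BASELINE):
        print("alarm", *alarm)
    hits, pivots = hunt_iocs(FLOWS, BLACKPOS_IPS)
    for host, (first, last) in hits.items():
        print("ioc", host, first, last, "internal peers:", pivots[host])
```

    Two points worth taking from it. The hoarding alarms only work against a per-host baseline: the payment gateway legitimately receives from every terminal and would alarm without one, which is why the baseline is learned rather than fixed. And the IOC hunt reaches back exactly as far as flow records are retained; with the dwell time shown on slide 21 (July to January), retention has to be measured in months for the audit trail to be of any use.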
  • 23. Cisco Identity Services Engine (ISE)
    • Cisco ISE is a context-aware, policy-based 802.1X authentication solution
    • Detects:
      – Device type, operating system and patch level
      – Time and location from which the user is attempting to gain access

      User Name   MAC Address                                       Device Type
      Bob.Smith   8c:77:12:a5:64:05 (Samsung Electronics Co.,Ltd)   Android
      John.Doe    10:9a:dd:27:cb:70 (Apple Inc)                     Apple-iPhone
  • 25. Thank You
    Tom Cross, Director of Security Research, StealthWatch Labs
    http://www.lancope.com
    @Lancope (company)
    @netflowninjas (company blog)
    https://www.facebook.com/Lancope
    http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about
    https://plus.google.com/u/0/103996520487697388791/posts
    http://feeds.feedburner.com/NetflowNinjas
  • 26. Thank You
    Tom Cross, Director of Security Research
    tcross@lancope.com, (770) 225-6557