In the past few months there has been a spate of attacks on large retail organizations that involved Point of Sale (POS) malware. Unfortunately, there may be more of these attacks in store for us in the future. Earlier this month the FBI issued a warning to the retail industry:
“The growing popularity of this type of malware, the accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially-motivated cyber crime attractive to a wide range of actors. We believe POS malware crime will continue to grow over the near term despite law enforcement and security firms’ actions to mitigate it.”
Retail organizations have got to be asking themselves what steps they can take to prevent these attacks, and how they can detect and investigate them when they occur. Lancope’s StealthWatch Netflow monitoring and anomaly detection technology can help retail organizations gain visibility into events that are occurring in their networks. StealthWatch also creates audit trails that can be crucial investigative resources in the event of an attack.
Netflow provides an effective means of getting visibility into distributed networks. Large retail organizations often have networks with many physical points of presence in disparate locations, populated with POS terminals that could be targeted by attackers. It can be a rather expensive and time-consuming proposition to deploy network security appliances at each physical location. By collecting netflow directly from the existing routers and switches at each site, retail organizations have an effective and economical means to see and monitor their points of presence without a burdensome hardware deployment. The ability to monitor activity in real time and detect anomalies provides retail organizations with a greater level of assurance that they know what is going on in their networks.
Network Behavioral Anomaly Detection can highlight suspicious activity that other security technologies miss. Most network security tools are designed to identify known malware, exploits, and command and control channels. Sophisticated attackers have lots of experience evading these solutions with attack techniques that target new vulnerabilities, coupled with custom malware that anti-virus engines can’t detect. This is where behavioral analysis has a role to play – by profiling the normal behavior expected by hosts in the network and alarming on significant deviations from that behavior.
For example, StealthWatch automatically profiles the amount of data that each host in your network is sending to the Internet. Hosts that suddenly send more data than they usually do will fire an alarm. Cisco recommended this functionality in the context of fighting attacks on retailers in a blog post earlier this month. However, we know that in these retail attacks, data didn’t move to the Internet directly from Point of Sale terminals – an internal staging server was used to collect card data before sending it out to the Internet. That’s why StealthWatch 6.5 has a number of new capabilities for monitoring inside hosts in order to identify systems that are accumulating unusual amounts of data from their neighbors.
Relationship Maps – A Powerful Tool For Retailers. StealthWatch also enables administrators to identify groups of hosts on their internal networks and automatically monitor the traffic relationships between those groups of hosts, even if the hosts aren't separated by a router or firewall. StealthWatch profiles the normal behavior of these host group relationships and can identify situations where something out of the ordinary is happening. These tools can be used to closely monitor Point of Sale terminals for unusual communication with other internal hosts or spikes in the amount of data they are transferring.
A Historical Perspective: Netflow also aids in the forensic investigation of incidents. In fact, in a Ponemon Institute study of cyber security incident response preparedness commissioned by Lancope, survey respondents indicated that audit trails of netflow and packet captures were the most effective tools for investigating breaches like this. As details emerge about the recent security breaches among retailers, it’s useful to have historical records of what has happened on the network so you can check it for indicators of a compromise. Three IP addresses have been publicly disclosed that were associated with the attack on Target. These IPs are not in use by the attackers any more, but with StealthWatch in place, it is possible to see if your network was communicating with these addresses when they were active.
Unfortunately, incidents like this are oftentimes discovered long after the initial attack. The timeline of the Neiman Marcus compromise demonstrates the need for organizations to store long term forensic audit trails in order to investigate breaches. A report from Neiman Marcus indicated that the attack activity took place between July 16th and October 30th, 2013. However, the breach was not discovered until January of 2014. Audit trails would need to go back at least six months in order to capture the initial compromise in that example. This is difficult to achieve with full packet capture technologies due to cost and necessary storage capacity, but it is quite easily accomplished with netflow.
Summing it up: Retailers are under attack, and as the rate and severity of these attacks escalate, we need to look beyond the bare minimum requirements of the Payment Card Industry Data Security Standards. Lancope’s StealthWatch provides retailers with an effective and economical way to get comprehensive network visibility so that they can take control of what’s happening inside their organizations, detect suspicious data transfers, and create audit trails that enable them to investigate activity that might have occurred in the past. These capabilities are crucial ingredients in a comprehensive approach to defending retail networks against POS malware.