Diary of Forensic Investigator

Here is the Foregenix presentation delivered by Andrew Henwood at PCI London on the 25th January 2012.

Transcript
Page 1: Diary of Forensic Investigator

08/02/2012

Andrew Henwood

The diary of a forensic investigator: Secrets Revealed

Dear Diary – who do ADCs (Account Data Compromises) affect?

•  Smallest merchant
•  Largest merchants with multitudes of sites
•  Issuers and Acquirers

IR Plan should be similar, irrespective of entity size!

Page 2: Diary of Forensic Investigator

ADC Trends & Targets

Cybercriminals are using:
•  Same old vulnerabilities (SQL, backdoor trojans, malware etc).
•  Increasingly sophisticated attack methods.
•  Targeted attacks.
•  More automated tools.
•  Quicker developing trends.
•  Repeat attacks to maximise harvest.
•  Increasingly powerful systems and techniques.
•  Decrease in time between compromise and fraud spend.

…But the target remains the same. Cardholder Data.

Page 3: Diary of Forensic Investigator

Dear Diary - How are ADCs typically identified?

•  Cardholders report fraud on their card => their card is compromised
•  Issuers and/or Schemes trace back legitimate spend
•  If multiple compromises, this trace identifies Common Points of Purchase (CPP)

Compromise Timeline

[Compromise Timeline diagram: the slide's labels did not survive extraction]

Page 4: Diary of Forensic Investigator

How not to respond

Page 5: Diary of Forensic Investigator

Compromise Penalties!

Columns: (a) Initial Fine; (b) Lack of removing SAD (90 days); (c) Monthly PCI DSS Violation (4 months); (d) Monthly PCI DSS Violation (5 months); (e) Monthly PCI DSS Violation (>=6 months). The currency symbol did not survive extraction.

Type       (a)      (b)      (c)      (d)      (e)
L1         50,000   30,000   50,000   75,000   75,000
L2         25,000   15,000   25,000   50,000   50,000
L3&4       10,000    5,000   10,000   15,000   15,000
Members    50,000   30,000   50,000   75,000   75,000
PSPs       25,000   15,000   50,000   30,000   30,000
Others     10,000    5,000   10,000   25,000   25,000

Card Scheme / Acquirer vs. Entity Priorities

In most cases, these priorities are NOT aligned!

•  Card Schemes & Acquirers: Containment, Limit Exposure, Identify “At Risk” card data, Fines
•  Entities: Containment, root cause identification, remediation, get on with business

For potentially compromised entities, ensure the PFI (PCI Forensic Investigator) selected / engaged has your priorities at heart

Page 6: Diary of Forensic Investigator

Facilitating a Forensic Investigation

1.  Invoke IR plan
2.  Engage a PFI (ASAP!)
3.  Document and collate all current and ongoing events, all people involved, and all discoveries into a timeline for evidentiary use
4.  Do not access or alter any aspect of the suspect system(s)
5.  If you suspect the attack is currently ongoing, remove the system connectivity to the network, i.e. pull the network cable / down the adapter

Do not power the system down!

Re-Emphasise:

Do not access or alter any aspect of the suspect system(s) …or at least minimise access!

Page 7: Diary of Forensic Investigator

PCI Forensics vs. Traditional Forensics

1.  PCI Forensics does not equal traditional forensics
2.  Majority of attacks are coordinated, focused, highly sophisticated and custom to the environment
    –  Custom malware (targeted memory scraping)
    –  Payment application manipulation (source code modifications and manipulation of limits / controls)
    –  Custom Rootkits and built in defense mechanisms
    –  Hacker SDLC
    –  Anti-Forensics

Real-World Forensic Statistics: Affected Industry (example)

Category             Trustwave (2011)   Verizon (2011)   7Safe (2010)
Hospitality          10%                40%              5%
Financial Services   6%                 22%              7%
Retail               18%                25%              69%
Food and Beverage    57%                ?                ?
Government           6%                 4%               2%
Education            1%                 ?                ?
Other                ?                  ?                ?

* References to reports in conclusion of presentation

Page 8: Diary of Forensic Investigator

Statistics & Trends

Individual company statistics are “interesting” but impossible to correlate except broadly!

•  Utilise public combined sources: www.datalossdb.org, http://www.privacyrights.org/ar/ChronDataBreaches.htm
•  Hospitality / Food & Beverage / Retail compromised the most
•  Majority of ADC are from external sources
•  Majority of breaches are focused and well organised criminal businesses
•  Majority of victims had evidence of the breach in their log files thus should have been aware!
•  Majority of attacks were trivial
•  Only a fraction reported in CEMEA

Page 9: Diary of Forensic Investigator

GoldenDump.com (2011)

Page 10: Diary of Forensic Investigator

GoldenDump.com (2011): Incident Overview

•  Subject : Multi-national Issuer / Acquirer
•  Incident Date : 2010
•  Investigation Date : Late 2010
•  Initial Vulnerability : SQL Injection
•  Exploited Weaknesses :
   –  Poor network segregation
   –  Lack of log review
   –  Let down by security partners
•  Exposure :
   –  2.4 million PAN
   –  780,000 Track 2
   –  > 90,000 in cash (currency symbol did not survive extraction)

Page 11: Diary of Forensic Investigator

The Environment (2010)

[Network diagram; labels recovered from the slide: Internet Banking Servers, Online Payment Servers, Application Servers, Backend Systems, Branch Offices, DB01, DB02, DB03, DB04, DEVDB, AS400]

Page 12: Diary of Forensic Investigator

SO… What went wrong? (Underlying Causes)

•  Phase 1: Initial Compromise – SQL Injection
   –  The site had been tested by multiple external parties and had “passed” three penetration tests (Code had NOT changed since 2005!).
   –  Logs were collected (plenty of them – 4.5 Billion events) but never reviewed.
   –  Network architecture was “temporary” but never resolved.
   –  Poor password policies.
•  Phase 2: Reconnaissance & Exploration
   –  Poor network architecture design decisions.
   –  Poor password policy.
   –  Lack of log review.
•  Phase 3: Account Data Extraction (PAN)
   –  Inappropriate data retention policies.
   –  Lack of awareness regarding Account Data storage (where is it?)
   –  Poor system management.
•  Phase 4: Account Data Extraction (Track 2)
   –  Inappropriate data retention policies (again).
   –  Poor network segmentation.
•  Phase 5: Internet Banking Manipulation
   –  Application made “blind” use of data within a database.
   –  Application unable to detect “tampering”.
   –  Failed transfers were not reviewed or followed up.
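One way an application can avoid the Phase 5 failure of making “blind” use of database rows, added here as an illustration and not code from the presentation or from the affected organisation: the application tags each transfer record it writes with an HMAC under a key the database never holds, re-checks the tag before acting on a row, and surfaces failed transfers for follow-up. APP_KEY, the field names and the sample rows are constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed example key: held by the application only, never stored in the database.
APP_KEY = b"example-key-not-for-production"

# Fields covered by the integrity tag (constructed schema for the example).
TRANSFER_FIELDS = ("transfer_id", "from_account", "to_account", "amount", "status")

def sign_transfer(row):
    """HMAC-SHA256 over a canonical JSON form of the covered fields."""
    canonical = json.dumps({k: row[k] for k in TRANSFER_FIELDS}, sort_keys=True)
    return hmac.new(APP_KEY, canonical.encode(), hashlib.sha256).hexdigest()

def store_transfer(row):
    """Simulate the application writing a row: the tag is stored alongside the data."""
    signed = dict(row)
    signed["tag"] = sign_transfer(row)
    return signed

def verify_transfer(row):
    """True only if the stored tag still matches the row's covered fields."""
    return hmac.compare_digest(sign_transfer(row), row.get("tag", ""))

def review_transfers(rows):
    """Split rows into: safe to process, tampered (tag mismatch), failed (needs follow-up)."""
    ok, tampered, failed = [], [], []
    for row in rows:
        if not verify_transfer(row):
            tampered.append(row["transfer_id"])
        elif row["status"] == "FAILED":
            failed.append(row["transfer_id"])
        else:
            ok.append(row["transfer_id"])
    return ok, tampered, failed

# Constructed sample rows as the application wrote them.
DB_ROWS = [
    store_transfer({"transfer_id": 1, "from_account": "A", "to_account": "B", "amount": 100, "status": "OK"}),
    store_transfer({"transfer_id": 2, "from_account": "A", "to_account": "C", "amount": 50, "status": "FAILED"}),
    store_transfer({"transfer_id": 3, "from_account": "A", "to_account": "D", "amount": 10, "status": "OK"}),
]
# Simulate a row changed directly in the database, bypassing the application (and its tag).
DB_ROWS[2]["amount"] = 90000
DB_ROWS[2]["to_account"] = "E"
```

Calling review_transfers(DB_ROWS) yields ([1], [3], [2]): row 3 is refused because its tag no longer matches, and row 2 is listed for the follow-up that the incident lacked.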

Page 13: Diary of Forensic Investigator

How could things have been done? (Means of Reducing Exposure)

•  Fundamentally – An awareness of Account Data
   –  Review & revise data retention policies.
   –  Know where the stuff is. (Get Rid)
•  Regular & thorough testing of external attack surfaces.
   –  Reputable companies (not always the big players).
   –  Speak with your peers (word of mouth is invaluable).
•  Log retention is great! Log review is better! Both are needed.
•  Review & revise network architecture designs.
•  Review & revise system build policies (including password policies).

None of this is new and should sound familiar

PCI Prioritised Approach.....! Also supported by the VISA Technology Innovation Program!
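A minimal log-review pass of the kind the GoldenDump incident lacked (4.5 billion events collected, never reviewed, initial vector SQL injection), added here as an illustration rather than any tool used by Foregenix: it parses web server access lines in common log format, URL-decodes the request path, flags common injection indicators, and summarises per source address with the 5xx count and largest response size so a reviewer knows which hosts to look at first. The log lines, paths and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access-log lines (common log format); addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2010:10:01:02 +0000] "GET /account?id=17 HTTP/1.1" 200 512
203.0.113.5 - - [12/Mar/2010:10:01:09 +0000] "GET /account?id=17' HTTP/1.1" 500 312
203.0.113.5 - - [12/Mar/2010:10:01:15 +0000] "GET /account?id=17%20OR%201%3D1 HTTP/1.1" 200 9812
203.0.113.5 - - [12/Mar/2010:10:01:21 +0000] "GET /account?id=17%20UNION%20SELECT%201,2 HTTP/1.1" 200 88120
198.51.100.9 - - [12/Mar/2010:10:02:00 +0000] "GET /account?id=42 HTTP/1.1" 200 498
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Indicators of injection attempts, matched against the decoded path.
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"'",                          # stray quote breaking out of a string literal
    r"\bor\b\s+\d+\s*=\s*\d+",     # always-true comparison
    r"\bunion\b\s+select\b",       # appended query
    r"--|;",                       # comment / statement terminator
)]

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"], rec["size"] = int(rec["status"]), int(rec["size"])
    rec["path"] = unquote(rec["path"])  # decode before matching
    return rec

def review_log(text):
    """Per-source summary of suspicious requests: hit count, 5xx errors, largest response."""
    findings = defaultdict(lambda: {"hits": 0, "errors": 0, "max_size": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not any(p.search(rec["path"]) for p in SQLI_PATTERNS):
            continue
        f = findings[rec["ip"]]
        f["hits"] += 1
        if rec["status"] >= 500:
            f["errors"] += 1  # server errors often precede a working injection
        f["max_size"] = max(f["max_size"], rec["size"])  # large replies hint at bulk extraction
    return dict(findings)
```

On the sample, review_log(SAMPLE_LOG) reports only 203.0.113.5 with 3 hits, 1 error and a largest response of 88120 bytes; the same pass over a real log is a starting point for review, not a replacement for it.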

Page 14: Diary of Forensic Investigator

Means of Reducing Exposure (each point paired, in the order shown, with its PCI Prioritised Approach milestone)

•  Fundamentally – An awareness of Account Data – Milestone #1
   –  Review & revise data retention policies.
   –  Know where the stuff is. (Get Rid)
•  Regular & thorough testing of external attack surfaces. – Milestone #2 / #6
   –  Reputable companies (not always the big players).
   –  Speak with your peers (word of mouth is invaluable).
•  Log retention is great! Log review is better! Both are needed. – Milestone #4 / #6
•  Review & revise network architecture designs. – Milestone #1 / #2
•  Review & revise system build policies (including password policies). – Milestone #2 / #3 / #4

Summary

•  Identify, remove / protect your sensitive data
•  Segment / scope the network
•  Regularly: Test & Review
•  Maintain full logs but pointless if no review
•  Define, build and test an incident response plan
•  Build a partnership with a security business to independently review

Page 15: Diary of Forensic Investigator

Stay Safe & Risk Aware

www.foregenix.com