When setting up monitoring, many people look at the IT assets inside the organization and set up alerts to identify attackers coming after those precious resources. It’s certainly important to be alerted when, say, an unknown user is added to the Domain Admins group. That’s a serious threat, and it’s easy to detect and address.
But if your alerts simply look for specific signatures, you’re never going to be able to detect all of the attacks on your systems. You need to understand what is normal so you can look for and alert on anomalies.
The SageNet team just got back from Conexxus, which was held at the Loews Chicago O’Hare this year. Conexxus is the only annual event dedicated to IT issues and trends in the convenience store and fuel retailing industry. Not surprisingly, several of the conference sessions were related to the security of point-of-sale (POS) systems. By virtue of their function, these systems are notoriously difficult to lock down either physically or logically.
Cyber criminals figured out several years ago that POS systems are vulnerable to malware. In fact, one of the most notorious payment card data breaches involved POS malware back in 2013. Card data may be encrypted on disk and on the wire, but for a moment during each transaction it sits unencrypted in the POS application’s memory, and that is where the malware goes. POS malware scans process memory looking for data that follows the same pattern as credit card track information (the data stored in the magnetic stripe of a credit card). When it finds such data, the malware sends it on to a command-and-control server.
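To make the "same pattern as track information" idea concrete, here is an added example (not code from the original post, and not any particular malware family’s code) that scans a byte buffer for Track 1 and Track 2 shaped data the way a memory scraper or, equally, a memory-dump triage tool does. The sample buffer, the hypothetical process names and the `find_track_data` helper are constructed for this example; the regular expressions follow the public magnetic-stripe track layout, and the Luhn check filters out digit runs that merely look like a card number.

```python
import re

# Track 2 as encoded on the magnetic stripe: start sentinel ';', a 13-19 digit
# PAN, separator '=', expiry YYMM, a 3-digit service code, discretionary data,
# end sentinel '?'.  Track 1 starts with '%B', then the PAN, '^', cardholder
# name, '^', expiry YYMM.  A memory scraper (or a detection tool scanning a
# memory dump) looks for exactly these shapes.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")


def luhn_ok(pan: bytes) -> bool:
    """Luhn check-digit test: a cheap filter that drops most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - ord("0")          # iterating over bytes yields ints
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep only the BIN and last four so the alert itself does not leak cardholder data."""
    return (pan[:6] + b"*" * (len(pan) - 10) + pan[-4:]).decode("ascii")


def find_track_data(buf: bytes) -> list:
    """Scan a byte buffer (e.g. a region read from a POS process) for track data.
    Returns [{"track": 1|2, "pan": masked PAN, "expiry": "YYMM"}] for Luhn-valid hits."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append({"track": 2, "pan": mask_pan(m.group(1)), "expiry": m.group(2).decode()})
    for m in TRACK1_RE.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append({"track": 1, "pan": mask_pan(m.group(1)), "expiry": m.group(3).decode()})
    return hits


# Constructed buffer standing in for a slice of process memory (not real data).
# 4111111111111111 is the well-known Visa test number and passes Luhn;
# 4111111111111112 fails it and must be ignored.
SAMPLE_MEMORY = (
    b"\x00\x00junk data\x7f"
    + b";4111111111111111=2512101123456789?"
    + b"\xff" * 8
    + b";4111111111111112=2512101?"
    + b"%B4111111111111111^TEST/CARD^25121010000000000000?"
    + b"\x00" * 4
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

Two practical points the code bakes in: the Luhn test is only a coarse filter (roughly one random digit run in ten passes it), so a real tool also checks expiry plausibility and service code; and anything you log from a hit must be masked, otherwise your own alerting pipeline becomes a place cardholder data leaks to.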
POS malware has gotten significantly more sophisticated in the past few months. In January, security researchers discovered that LockPOS (a POS malware strain first identified in 2017) is now using an injection technique that bypasses antivirus systems. The technical details of how it does that are beyond the scope of this post, but suffice to say that traditional signature-based detection tools will not catch this “silent” malware injection on their own.
A number of technologies have emerged that look for anomalies rather than signatures. For example, the latest endpoint detection and response (EDR) tools monitor activity on endpoints such as POS devices, and send the collected data to a central database. Using behavioral analytics, heuristics and threat intelligence, EDR looks for abnormal activity and issues an alert if it’s detected.
These are incredibly helpful tools when set up correctly, but they are also quite expensive. How do you get visibility on a budget?
Here are three traffic patterns to look out for:
- Firewall denies and new destinations. (Besides a clearinghouse, your cardholder data environment doesn’t need to talk to many places, so any destination outside that short list deserves a look.)
- An uptick in traffic volume compared with the previous hour or day. (Think in standard deviations above your baseline, not in absolute numbers.)
- A slow trickle: small connections to one outside host at regular intervals. (Remember those command-and-control servers we were talking about; malware checks in on a schedule.)
Bonus, if you have host visibility:
- Low-count processes. (You’ve configured all the POS devices the same, so they should have the same processes running on them, right? A process that exists on one terminal out of fifty is worth explaining.)
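The four patterns above are simple enough to check with no more than firewall or NetFlow export and a periodic process listing. The following added example (not code from the original post) implements all four over a constructed day of flow records and a constructed process inventory: a known-good destination set for the first pattern, a z-score against the previous day’s hourly volumes for the second, interval regularity for the slow trickle, and a per-fleet process count for the bonus. The hostnames, the addresses (203.0.113.10 as the clearinghouse, 198.51.100.7 as the unknown host; both are documentation ranges), the thresholds and the process names are assumptions made for the example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# --- Constructed sample data (invented for this example, not real telemetry) ---
# Flow records: (epoch_seconds, src_host, dst_ip, bytes_out), the fields any
# firewall log or NetFlow/IPFIX exporter gives you.
CLEARINGHOUSE = "203.0.113.10"
POLL_MINUTES = (0, 7, 19, 31, 44, 52)          # irregular legitimate polling


def _day_of_normal_traffic(day):
    """Six modest flows per hour from pos-01 to the clearinghouse, volume varying by hour."""
    return [(86400 * day + 3600 * h + 60 * m, "pos-01", CLEARINGHOUSE, 800 + 40 * (h % 6))
            for h in range(24) for m in POLL_MINUTES]


BASELINE_FLOWS = _day_of_normal_traffic(0)
TODAY_FLOWS = (
    _day_of_normal_traffic(1)
    # a 64-byte beacon every 300 s to an unknown host, starting at 02:00
    + [(86400 + 7200 + 300 * k, "pos-01", "198.51.100.7", 64) for k in range(12)]
    # a burst of large uploads to the clearinghouse address at 14:00
    + [(86400 + 3600 * 14 + 30 * k, "pos-01", CLEARINGHOUSE, 50_000) for k in range(40)]
)
ALLOWED_DESTINATIONS = {CLEARINGHOUSE}

# Process inventory per host, e.g. from a scheduled `tasklist` or `ps` export.
PROCESS_INVENTORY = {
    "pos-01": {"pos-app.exe", "print-spooler.exe", "av-agent.exe"},
    "pos-02": {"pos-app.exe", "print-spooler.exe", "av-agent.exe"},
    "pos-03": {"pos-app.exe", "print-spooler.exe", "av-agent.exe", "tmp-helper.exe"},
    "pos-04": {"pos-app.exe", "print-spooler.exe", "av-agent.exe"},
}


def new_destinations(flows, allowed):
    """Pattern 1: destinations outside the known-good set. Returns sorted IPs."""
    return sorted({dst for _, _, dst, _ in flows if dst not in allowed})


def hourly_bytes(flows):
    """Outbound bytes per hour of day (0-23)."""
    totals = Counter()
    for ts, _, _, nbytes in flows:
        totals[(ts // 3600) % 24] += nbytes
    return totals


def volume_anomalies(baseline, today, sigma=3.0):
    """Pattern 2: hours whose outbound volume sits more than `sigma` standard
    deviations above the baseline's hourly mean. Returns [(hour, bytes, z)]."""
    base_by_hour = hourly_bytes(baseline)
    base = [base_by_hour[h] for h in range(24)]
    mu, sd = mean(base), pstdev(base)
    flagged = []
    for hour, total in sorted(hourly_bytes(today).items()):
        # A perfectly flat baseline (sd == 0) means any excess is unusual.
        z = (total - mu) / sd if sd else (float("inf") if total > mu else 0.0)
        if z > sigma:
            flagged.append((hour, total, round(z, 1)))
    return flagged


def beacons(flows, min_flows=6, max_jitter=0.1, max_bytes=1024):
    """Pattern 3: the slow trickle. A (src, dst) pair with many small flows at
    near-constant intervals looks like a check-in to a command-and-control
    server. Returns [(src, dst, period_seconds, mean_bytes)]."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    found = []
    for (src, dst), events in by_pair.items():
        events.sort()
        if len(events) < min_flows:
            continue
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        period = mean(gaps)
        # coefficient of variation of the gaps: 0 means perfectly regular
        if period > 0 and pstdev(gaps) / period <= max_jitter and mean(sizes) <= max_bytes:
            found.append((src, dst, period, mean(sizes)))
    return found


def low_count_processes(inventory, max_hosts=1):
    """Bonus pattern: processes present on at most `max_hosts` of a fleet that
    should be identically configured. Returns {process: [hosts]}."""
    seen = defaultdict(list)
    for host, procs in inventory.items():
        for proc in procs:
            seen[proc].append(host)
    return {proc: sorted(hosts) for proc, hosts in seen.items() if len(hosts) <= max_hosts}


if __name__ == "__main__":
    print("new destinations:", new_destinations(TODAY_FLOWS, ALLOWED_DESTINATIONS))
    print("volume anomalies:", volume_anomalies(BASELINE_FLOWS, TODAY_FLOWS))
    print("beacons:", beacons(TODAY_FLOWS))
    print("low-count processes:", low_count_processes(PROCESS_INVENTORY))
```

Note what each check does and does not catch on this data: the 64-byte beacon never trips the volume check (it adds under a kilobyte to the hour), so pattern 2 alone would miss the exfiltration channel, while the interval check finds it; the legitimate clearinghouse polling is roughly periodic too, which is why the beacon detector also keys on payload size and why, in practice, you baseline known-good periodic pairs rather than alerting on every regular connection.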
That’s why you need to know what’s normal in your cardholder data environment and look for anomalies. In the case of POS malware, the most valuable alert may be the one that says data is leaving the organization. You may not be able to detect when the malware comes in, but it still has to connect to its command-and-control server to exfiltrate the card data, and that connection is visible on your network whether or not anything on the host recognized the malware.
Rather than asking what they will do if they get breached, companies need to ask, “How will I know when I’ve been breached?” Signature-based alerts are helpful when you’re looking for something that’s been observed out in the wild (as many malware variants have), but you also need to look for anomalies to detect and rapidly respond to today’s threats.