Network Analysis of Point of Sale System Compromises
Operation Terminal Guidance
Chicago Electronic & Financial Crimes Task Force
U.S. Secret Service
Outline
• Background
• Hypothesis
• Deployment Methodology
• Data Analysis
• Findings
• Discussion
Investigative Goals
• Hypothesis: remote attackers were not targeting point of sale (POS) system software; rather, POS system compromises result from insecure deployment of the underlying operating system, which is then found and exploited through automated scanning and vulnerability exploitation.
Deployment Methodology
Figure: two honeynet diagrams, the Test Group Honeynet and the Control Group Honeynet (each server drawn is a virtual machine).
• Components in both: ADSL Router/Modem, Honeywall, Point of Sale System(s), Remote Management host and a Honeytoken, on the virtual networks VMnet 0 (bridged to host), VMnet 2 and VMnet 4.
• Honeywall interfaces: eth0 0.0.0.0 and eth1 0.0.0.0 (addressless bridge interfaces), eth2 10.10.1.x (management network); the Remote Management host is on eth0 10.10.1.x.
• One honeynet places a Firewall (eth0 68.166.251.x, eth1 192.168.1.1) in front of the POS system, which sits on VMnet 3 with eth0 192.168.1.x.
• The other exposes three Point of Sale Systems directly on the public network, each with eth0 68.166.251.x.
Data Analysis
Figure: Control Group Connection Attempts by port. Bar chart of connection frequency (percentage, axis 0 to 0.3) for POS A, POS B and POS C on ports 1026, 1027, 1028, 135, 5901, 445, 139 and 80.
Data Analysis
Figure: Test Group Connection Attempts by port. Bar chart of connection frequency (percentage, axis 0 to 0.4) for POS A, POS B and POS C on ports 135, 139, 445, 1026, 1394, 5017 and 5900.
Data Analysis
• Association rules
  – Clustering
• T: number of virtual POS systems with connection attempts from a single source
• n_i: number of packets from a source to one virtual POS system
• N: total number of packets from a source to all three POS systems, N = Σ n_i
• Support(R) = # connections (POS system A, B, and C) / # connections
Data analysis methodology from F. Pouget and M. Dacier, "Honeypot Based Forensics."
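As an added illustration of the clustering step above (this is not code from the deck or from Pouget and Dacier), the Python below computes T, n_i and N per source and destination port from constructed connection records, groups sources with an identical (port, T, n_i) signature into a cluster, and applies the 1% support cut-off used in the cluster tables. Grouping per (source, port), the signature used as cluster key, and support measured as packets from the cluster's members over all packets are this example's own assumptions.

```python
from collections import defaultdict

# Constructed connection-attempt records as a honeywall would log them:
# (source IP, virtual POS system contacted, destination port, packets sent).
# Sample values only; they are not the deck's captured data.
PACKETS = [
    ("198.51.100.7", "POS A", 445, 10),
    ("198.51.100.7", "POS B", 445, 10),
    ("198.51.100.7", "POS C", 445, 10),
    ("203.0.113.9", "POS A", 1026, 1),
    ("203.0.113.9", "POS B", 1026, 1),
    ("203.0.113.9", "POS C", 1026, 1),
    ("192.0.2.44", "POS A", 5900, 3),
    ("192.0.2.45", "POS B", 139, 2),
    ("192.0.2.46", "POS B", 139, 2),
]

def source_profiles(packets):
    """Per (source, port): T = POS systems contacted, n = the n_i per system
    (sorted), N = sum of n_i, following the deck's definitions."""
    by_pos = defaultdict(lambda: defaultdict(int))
    for src, pos, port, count in packets:
        by_pos[(src, port)][pos] += count
    profiles = {}
    for key, counts in by_pos.items():
        n = tuple(sorted(counts.values()))
        profiles[key] = {"T": len(counts), "n": n, "N": sum(n)}
    return profiles

def cluster(profiles):
    """Sources with the same (port, T, n_i...) signature form one cluster."""
    clusters = defaultdict(list)
    for (src, port), p in profiles.items():
        clusters[(port, p["T"], p["n"])].append(src)
    return clusters

def support(clusters, profiles):
    """Support of a cluster: packets sent by its members / all packets, in %."""
    total = sum(p["N"] for p in profiles.values())
    return {key: 100.0 * sum(profiles[(s, key[0])]["N"] for s in members) / total
            for key, members in clusters.items()}

def significant_clusters(packets, min_support=1.0):
    """Clusters above the support cut-off: {signature: (support %, members)}."""
    profiles = source_profiles(packets)
    clusters = cluster(profiles)
    return {key: (sup, sorted(clusters[key]))
            for key, sup in support(clusters, profiles).items() if sup > min_support}
```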
Data Analysis
Control Group Clusters

| Port | Item Sets | Support % | Support % > 1% |
|---|---|---|---|
| 5901 | Cluster 14: T=1, N=2 | 90.9% | 1 |
| 1028 | Cluster 13: T=1, N=1 | 83% | 1 |
| 1027 | Cluster 12: T=1, N=1 | 98% | 1 |
| 1026 | Cluster 11: T=1, N=1 | 53.5% | 1 |
| 445 | Cluster 8: T=1, N=1; Cluster 9: T=1, N=2; Cluster 10: T=1, N=3 | 20%, 70%, 7.1% | 2 |
| 139 | Cluster 6: T=1, N=2; Cluster 7: T=1, N=3 | 75%, 10.1% | 1 |
| 135 | Cluster 4: T=1, N=1; Cluster 5: T=1, N=2 | 54.5%, 22% | 2 |
| 80 | Cluster 1: T=1, N=3; Cluster 2: T=1, N=1; Cluster 3: T=2, N=8 (n=5, n=3) | 43.5%, 10.9%, 4.3% | 1 |
Data Analysis
Test Group Clusters

| Port | Item Sets | Support % | Support % > 1% |
|---|---|---|---|
| 5900 | Cluster 11: T=3, N=3 | 20% | 0 |
| 2967 | Cluster 9: T=3, N=8 (n=2, n=3, n=3); Cluster 10: T=3, N=30 (n=10, n=10, n=10) | 10%, 10% | 0 |
| 1394 | Cluster 5: T=1, N=12; Cluster 6: T=1, N=15; Cluster 7: T=1, N=6; Cluster 8: T=1, N=9 | 20%, 16.7%, 1.7%, 16.7% | 3 |
| 1026 | Cluster 2: T=2, N=3; Cluster 3: T=3, N=3 (n=1, n=1, n=1); Cluster 4: T=1, N=1 | 1.8%, 20%, 50.9% | 2 |
| 445 | Cluster 1: T=2, N=34 | 22.2% | 0 |
Data Analysis
• Edit Distance Analysis
  – Extract TCP payloads from the previously identified cluster members
  – Compare packets from each IP address against all others identified through clustering

Attack Phrases (one payload excerpt each from Source A and Source B):
<mssE..0.{@.k.l\=.y.D..s.....jd.....p...............
<[email protected].;W\.D..s.]..........p...^2..........
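An added example of the edit-distance comparison (not the deck's code): Levenshtein distance over raw byte payloads is assumed here as the distance measure, the three payloads are constructed, and the function returns the per-cluster mean distance and standard deviation that the following tables report.

```python
import statistics
from itertools import combinations

# Constructed TCP payloads for three members of one cluster. The bytes are
# made up for illustration (not the deck's captures): two sources send the
# same phrase apart from a version byte, the third a truncated copy.
CLUSTER_PAYLOADS = {
    "src-A": b"SCAN-PHRASE-v1 \x90\x90\x90\x90",
    "src-B": b"SCAN-PHRASE-v2 \x90\x90\x90\x90",
    "src-C": b"SCAN-PHRASE-v1 ",
}

def edit_distance(a: bytes, b: bytes) -> int:
    """Levenshtein distance over bytes: insert, delete or substitute cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def pairwise_distances(payloads):
    """Distance of every source's payload to every other member of the cluster."""
    return {(x, y): edit_distance(payloads[x], payloads[y])
            for x, y in combinations(sorted(payloads), 2)}

def phrase_distance_summary(payloads):
    """Mean pairwise distance and its population standard deviation, the two
    figures reported per cluster; a small mean with a small deviation means
    the members are replaying one attack phrase."""
    d = list(pairwise_distances(payloads).values())
    return statistics.mean(d), statistics.pstdev(d)
```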
Data Analysis
Control Group Phrase Distance

| Cluster | Port | Std Deviation / Phrase Distance (Lines), as extracted |
|---|---|---|
| Cluster 14 | 5901 | 1232 |
| Cluster 13 | 1028 | 6512 |
| Cluster 11 | 1026 | 16986 |
| Cluster 10 | 445 | 184 |
| Cluster 9 | 445 | 85 |
| Cluster 8 | 445 | 103 |
| Cluster 7 | 139 | 51 |
| Cluster 6 | 139 | 92 |

***Clusters 1, 2, 3, 4, 5, and 12 were discarded as not statistically significant
Data Analysis
Test Group Phrase Distance

| Cluster | Port | Std Deviation / Phrase Distance (Lines), as extracted |
|---|---|---|
| Cluster 11 | 5900 | 257240 |
| Cluster 8 | 1394 | 11431422 |
| Cluster 7 | 1394 | 136529 |
| Cluster 6 | 1394 | 170280 |
| Cluster 5 | 1394 | 85360 |
| Cluster 2 | 1026 | 238324 |

***Clusters 1, 3, 4, 9, 10 were discarded as not statistically significant
Data Analysis
Figure: Network Traffic Overview, POS A, Control Group. Parallel-coordinates plot with one axis per packet field: Packet Length, Ethertype, IP Version, IP Differentiated Services, IP Header Length, IP ID, IP Total Length, IP Fragment, IP Flags, IP Transport Protocol, TTL, IP Source Address, IP Header Checksum, TCP Source Port, IP Destination Address, Sequence Number, TCP Destination Port, UDP Destination Port, UDP Source Port.
Visualization methodology from Greg Conti's "Security Data Visualization."
Data Analysis
Figure: two parallel-coordinates views of the same traffic, Source IP against TCP Source Port and TCP Destination Port, and Source IP against TCP Destination Port.
Data Analysis
• The TCP outlier is associated with browsing a public web site to confirm connectivity
• Packet lengths are uniform
Data Analysis
Figures: TCP Packet Tree Map and UDP Packet Tree Map.
Data Analysis
• Examination of the UDP packets identified in the previous tree map revealed them to be spam targeting messenger applications
Findings
• Automated scanning of a select set of ports
• Multiple exploits targeting multiple operating systems from a single source IP address
• Attackers were not aware the compromised system was a POS system until after compromise and exploitation
• Insecure installation of the operating system and applications led to compromise
Discussion
Ryan E. Moore, Special Agent
U.S. Secret Service
312-353-5431
All references available upon request