
Page 1: The Role of Early Detection for Breach Prevention · 2018-02-10 · appear to be growing in severity. The average breach, for example, has risen to $165 per record, as stated in the

© 2017 Attivo Networks. All rights reserved. www.attivonetworks.com

Point-of-Sale System AttacksThe Role of Early Detection for Breach Prevention


Table of Contents

Executive Summary

How POS Attacks Happen

Most Common Types of Threat Actions

The Anatomy of an Attack

Case Study #1—Large Retail Chain: Compromise of Business Systems for Access to Asset Management Servers

Case Study #2—Regional Retailer: Compromise of POS Systems through Wi-Fi.

Case Study #3—Mid-size Retailer: Capture-the-flag exercise in a POS network to study the effectiveness of deception to catch targeted attackers.

Recommendations

Conclusions

About Attivo Networks

Authored by: Attivo Networks Date: November 2016


Executive Summary

This report documents the discovery of serious security vulnerabilities at work in the nation’s largest point-of-sale (POS) systems. In the last ten years, there have been over 1,350 breaches made public within retail and business organizations. In 2016 alone, high-profile breaches at Wendy’s, Eddie Bauer, Vera Wang, and Omni Hotels have shaken these companies and left impacted customers angry and frustrated.

We predict 2017 will see a significant increase in high profile POS attacks, largely due to the high probability that larger retailers have already been breached and attackers are already active throughout many networks, undetected and unchecked.

This report explains why the infrastructure behind and inside POS systems and devices is vulnerable, the anatomy of attacks against them, and how undetected attack malware can maintain communications with an attacker’s Command-and-Control (C2) points, enabling attackers to feed a constant and varied flow of new malware actions and commands to exfiltrate data. It will also detail why these attacks can stay undetected for an average of over 5 months, and why 4 out of 5 attacks are detected by third parties rather than in-house. Finally, it will make recommendations on how security can be changed for POS systems to immediately provide visibility and protection against these new threats.

This report concludes that the overwhelming majority of POS devices deployed across the thousands of retail, hospitality, automotive, healthcare, and financial outlets across the globe are subject to the attacks documented herein. This is an extremely dangerous situation and one that should receive immediate attention and accompanying remediation.

POS System Christmas Breaches

There is a growing concern for a repeat surge of holiday breaches like those in both late 2014 and 2015, when consumer purchasing was at an all-time high. In late 2014, we saw the breaches of high-profile companies such as those disclosed by Target, Neiman Marcus, P.F. Chang’s, Home Depot, Goodwill, and Kmart, and in late 2015 substantial breaches were also acknowledged by Starwood Hotels, Hilton Hotels, Dungarees, Peppermill, and Landry’s, to name just a few. And if you think things are slowing down, there have been 122 reported breaches in this sector this year, and one could argue that companies, both large and small, are not fully prepared for the next wave of attacks.

Notable POS attacks seen over last few years


Is the state of security getting better, and are we more prepared as we move into 2017? Attacks are up 21% year over year in this sector and there is still a month left to go. Based on these findings, the loss of customer data in 2016 is destined to be exceeded in 2017, generating tens of millions in penalties, billions in lost revenue, millions in litigation, and possibly government intervention.

POS Under Attack

Point-of-Sale (POS) breaches are a major source contributing to credit card and personal information data loss, yet they remain one of the most difficult to protect against because of historic vulnerabilities at the device endpoints, the inability to apply additional security measures such as encryption to transaction data, POS-laced macro threats, and the increased use of Tor networks to target this industry.

While DDoS attacks have drawn greater attention because of the major outages they have caused, it is noteworthy that attackers are more interested in POS attacks because there is more to gain by stealing credit card information than by simply denying a service.

In 2016, attackers appear to have shifted focus to the numerous small retailers, restaurants, and hotel chains, as their security is less robust. It is suspected, however, that this may be temporary and that the attackers are simply gearing up for a new wave of high-profile attacks since the costs and impact of these appear to be growing in severity. The average breach, for example, has risen to $165 per record, as stated in the 2015 Cost of Data Breach Study: Global Analysis.

How POS Attacks Happen

It is said that over 50% of the threats to retailers are from malicious code that steals login credentials, and malware that infects networks to watch and record specific transactions. The graphic on the following page highlights the spread of some of the POS malware over the last few years. Many of these families were found to be interconnected because they were used against similar types of targets, followed the same attack methodology, and reused code extensively. Given the similarities in tactics, techniques, and procedures, one could surmise that multiple cybercriminal gangs might be collaborating. It also appears that, in many cases, malware is being modified from its original release and introduced as new variants.

The POS malware AbaddonPOS, aimed specifically at retailers and making a resurgence, is an example of such activity. First discovered in October 2015, it takes the form of an email campaign designed to drop TinyLoader and then the malware. The emails are highly personalized, with recipients’ names, key company details, and better-than-average grammar. Once the user clicks, the malware contacts C2 servers to download a new Abaddon version, which tests whitelist/blacklist implementations and changes the way it siphons credit card data to avoid detection. It is believed by many that the malware continues to be under active development, and companies can expect to see more advanced strains in the wild over the next few months.

SQL injection remains a tried and true attack vector and is the most common attack on web assets. It is also the attack method used in the second largest breach in 2016 and is responsible for the compromise of over 112 million records across all industries since 2011 according to IBM X-Force reporting.

Shellshock is the number three attack vector and is recognized as the new SQL Slammer computer worm. Like SQL Slammer, Shellshock is popular because its exploitations are very effective and relatively simple to execute.

Retail is also seeing an increased amount of activity from Tor networks, where attackers can hide, communicate, and trade with each other without exposing the content of their transactions. This approach is also growing in popularity as a launch pad for attacks against surface web targets.


The number of compromised retail records reported last year was down significantly, but does this point to better threat management control? Ironically, the number of retail security incidents reported as of November 30, 2015, surpassed the 2012 and 2013 fiscal year-end disclosures. While more incidents reported but fewer records compromised may seem counter-intuitive, it can be explained by the percentage of 2015 incidents where the number of records compromised was not disclosed. As of November 30, that figure stood at a staggering 70 percent, much higher than in previous years. Clearly, attackers are continuing to penetrate the defenses of retail, and the lack of reported record theft should not be confused with successful security.

Most Common Types of Threat Actions

To begin an attack the threat actors must first establish a presence within the network, and for POS breaches the most common attack vectors include brute force, the use of stolen credentials, and offline cracking. It is interesting to note that the 2014 Verizon Data Breach Investigations Report (the latest update on POS-specific information) found that only 2% of attacks involved the use of a backdoor or C2. Discussions with retailers and businesses in 2016 uncovered much deeper concerns about C2 attacks, based on their ability to control POS terminals that had been mass-infected through asset management systems.

Recent trends in POS attacks show a reduction of brute force tactics, indicating that users are avoiding default or easily guessed passwords. The increased presence of C2 and backdoors as top threats demonstrates that breaches now involve an active remote attacker, adapting the attack based on hurdles seen in the network.

Compromising a POS device is the beginning of the attack event chain, with attackers primarily using Random Access Memory (RAM) scraper malware. According to the latest Verizon Data Breach Investigations Report, from 2013 to 2015 this method comprised 98% of all threat actions detected in POS intrusions. Combined, C2 and backdoor communications have now risen to 61% of all the threat actions detected. This shift demonstrates that POS attack methods and actions are becoming more sophisticated and are much more challenging to defeat by prevention systems being used today.

[1] http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
[2] http://www.verizonenterprise.com/resources/reports/rp_Verizon-DBIR-2014_en_xg.pdf

Hacking variety within POS intrusions (n=187):

Brute force: 53%
Use of stolen credentials: 38%
Offline cracking: 9%
Unknown: 9%
Use of backdoor or C2: 2%
SQLi: <1%


Command-and-Control

RAM scraping malware parses the unencrypted memory of payment processing applications to gain access to the desired data. Technologically, the data can and should remain encrypted; however, due to financial concerns this doesn’t typically happen. Encryption at this stage would require the elimination of legacy systems and a heavy investment in new systems. In addition, there are currently no regulations to force this issue, paving the way for data to be easily harvested and exfiltrated for sale.

The Anatomy of an Attack

As part of this research project, the transaction process was studied to understand the anatomy of an attack and how and why an attack can go undetected once it has bypassed attack prevention solutions and made its way inside the network.

Given our access to systems and information, we had the most input from larger retail chains that typically have an elaborate IT infrastructure and were open to using newer technologies to achieve a stronger security defense. Our findings were similar across POS systems and showed consistency on how and why major breaches continue to occur and remain undetected in companies around the world.

Point of Sale Transaction Flow

It is important to understand all the actors and constituents involved in a transaction that uses payment cards. At a very high level, there are four actors at play in a sale transaction, captured in the figure below. This shows each path the data (card details) travels. There are standards put in place to safeguard this data, but unfortunately, the standards came out later than the establishment of payment card processing, creating compliance challenges. Security challenges are also compounded since data is persistent at multiple points for the convenience and design of the computer applications.

The focus of this paper and use cases are on the merchant’s role since the greatest number of POS attacks are reported to happen due to exposure and theft of the card data from the merchant’s infrastructure. This payment infrastructure with the merchant (or retailer) includes several hardware and software components.

A retailer will employ different kinds of deployment models[3] depending on several criteria, including the number of transactions, size and infrastructure of the retailer, and the number of interaction points. The deployment models are typically customized to make it more convenient for the shoppers but keep it scalable for the merchant.

[3] Chapter 2, Hacking Point of Sale: Payment Application Secrets, Threats and Solutions, Slava Gomzin, 2014


Essentially, a deployment consists of at least two functional types of computer systems. The various modules of the payment application depend on the software design. The very first functional unit is referred to as the Point-Of-Interaction (POI) where card details are collected. These are the usual POS terminals or PIN-based card machines that collect the card details to initiate a transfer. The second functional unit is the payment processing gateway, sometimes called electronic payment systems (EPS). The payment processing gateway handles the payment by routing the transaction for approval appropriately.

Deployment becomes progressively more complicated in cases where the merchant has multiple retail stores. These merchants use central asset management servers to deliver and receive data from POS devices, making them a high-value target for attackers who can use them to facilitate broad-scale malware deployments and activations.

Although POS systems are almost never connected directly to the internet, this is not a fail-safe way to prevent an attack. Since the direct path is not available, attackers will instead compromise a business computer that is connected to the internet. Some of the most successful ways a merchant’s network can be compromised are phishing, drive-by downloads, compromising a partner/vendor, or exploiting a merchant’s internet-facing servers.

Encrypting data should safeguard data within POS systems. However, the most critical vulnerability in POS systems comes from the lack of encryption at a key point in the transaction. Payment applications require card data (Track 1, 2, and PAN) in unencrypted form to achieve appropriate routing and authorization. Attacks have traditionally taken advantage of this.

Figure 1: Typical IT infrastructure in a retail enterprise

Example of a simple deployment model where a merchant has a single retail store


Figure 2 presents various stages involved in a cyber-attack. In our research, we examined the stages highlighted in orange, known as “post compromise”. In a POS attack, the attacker spends the clear majority of the time in these stages, where the attacker maintains a cyclical process of finding computer systems that host payment processing applications and planting the malware for either timed or remote activations from C2.

During these stages, traditional security devices hosted on the periphery of an organization’s network are incapable of seeing any lateral movement or action leading up to an attacker dropping a RAM scraper.

In addition, the attack has no fixed duration, as an attacker can linger in these stages undetected, taking as much time as is necessary to compromise a key asset (an Active Directory server, a patch management server, etc.) that will expose the payment processing gateway(s). Once identified, the attacker deploys malware through the patch-management software and then compromises the payment processing application using a RAM scraper as the final payload of the attack to steal and upload card data.

To make matters worse, many of today’s POS deployments continue to sit on Windows XP or DOS-based systems. Since Microsoft is no longer patching XP vulnerabilities, new vulnerabilities can be easily exploited.

As cyber criminals grow their businesses, Point-Of-Sale (POS) attacks have become an essential part of their portfolio because they yield such high-value information. Well-organized criminal businesses have accepted stolen credit or debit card data for years. They, in turn, sell to carding sites (also known as dump shops) on the Dark Web. Reports indicate that these sites are becoming much more sophisticated.[4]

While there is a lot of documented information about POS breaches, there is not a lot of information about the detection of threats that have proven they can easily bypass the prevention systems designed to protect POS networks. Early visibility into these threats and the reduction of dwell time can mean the difference between a minor incident and a wide-scale public breach. In our research, we have studied how attacks move laterally through the network, why they are undetected by the technology that is currently in place, and why traditional methods of detection have proven unreliable. The final element of the study was to introduce deception technology into POS networks to see if the act of creating decoys and planting deceptions could successfully trick attackers into revealing themselves.

[4] https://www.youtube.com/watch?v=QG2YUlm92y4

Figure 2: Stages involved in a cyber-attack


Case Study #1—Large Retail Chain: Compromise of Business Systems for Access to Asset Management Servers

We analyzed attacks at several of our retail customers over the course of the last year. In the following sections, we share the more critical elements of what we found. It is important to note that these enterprises had existing infrastructures that were quite mature, and a comprehensive portfolio of cyber protection products had already been deployed. This included firewalls, intrusion detection, endpoint security, and anti-virus solutions.

The deception environment used to do the detection included endpoint lures as well as decoy engagement servers on the network. The decoy engagement servers were essential to facilitate open communications with C2 and our ability to record the next set of instructions or actions that were to take place. Additionally, endpoint lures in the form of deceptive credentials were placed strategically to attract attackers to the decoy engagement server. Any attempted use of these deceptive credentials would also reveal the attacker’s presence.

In each situation, malicious activity was detected in the system and alerts were raised to notify the security teams of either malicious activity or misconfigurations that could lead to a breach. We saw native tools being used to deploy malware and scan the network to search for and identify potential targets. One of the frequent ways that reconnaissance was performed was using the Windows “net view” command to discover resources on the network.

Over time, we watched as attacks delved deeper into the network and we studied how they harvested credentials from compromised machines. It was easy to identify the techniques used by attackers, as we knew which credentials were stolen and reused to move around. Many of the stolen credentials were the endpoint lures that had been planted in the memory of running processes. Attackers were most often seen using password dumping tools, such as mimikatz or Windows Credentials Editor, to extract tokens or passwords from compromised endpoints. They continuously moved by harvesting NTLM hashes or Kerberos tokens from LSASS memory to gain admin-level privileges that could lead them to high-value assets (e.g., Active Directory, asset management servers).


We also observed Man-In-The-Middle (MITM) attacks, where the attacker inserted himself in the communications path between two systems to intercept all the communications between them. Since the attacker had inserted himself between the client and server, he could harvest the credentials transmitted in the communications and re-use them. The MITM attacks occurred on the local network and were not visible to security solutions deployed at the perimeter, nor were anti-virus solutions effective at detecting this form of attack.

On numerous occasions, we saw attackers use stolen credentials to perform remote code execution with utilities like PsExec[5], which use named pipes to execute commands on remote systems. Figure 2 shows a code snapshot from an earlier malware, BlackPOS, that uses this utility to move laterally inside the network. Later this year we also saw strains of a modified BlackPOS, which included enhanced capabilities designed to capture card data from the physical memory of infected point-of-sale devices. This new version is also recognized for its ability to disguise the malware as an element of the anti-virus software running on the system.

The most important takeaway of the analysis from our engagement should not be centered on the specific flavor of malware found. Various versions of malware will always be around, whether a new zero-day form of malware or malware that is several years old in original or mutated form to avoid detection. With deception technology, there is no reliance on known signatures or pattern-matching of an attack. With an approach based on attacker engagement, malware traps make for a highly efficient and accurate method of lateral movement detection, regardless of the malware’s heritage. Deception will also change the game by requiring attackers to be right 100% of the time or risk detection; one small mistake and they reveal their presence.

As confirmed by attacker interest and targeting, POS devices themselves create far broader exposure to the POS systems than attempts to compromise standard information technology assets. The combination of fewer anti-virus controls on older systems and a trusted environment of management servers capable of pushing patches and downloads makes for an ideal environment where attacks can move laterally through the system, launch persistent attacks, and go undetected for extended periods of time to exfiltrate high-value data. This exposure is not easily remediated, as wholesale replacement of POS systems is cost-prohibitive, and even when the presence of malware is identified conclusively, it remains a constant challenge for organizations to have visibility into how broadly the attack may have spread or how to conclusively shut it down.

Figure 2: Using PsExec to execute commands

[5] https://technet.microsoft.com/en-us/sysinternals/pxexec.aspx


Case Study #2—Regional Retailer: Compromise of POS Systems through Wi-Fi

While the ideal win for an attacker is to take down a large multi-location retailer, there is an increasing interest in smaller retail organizations that have less mature infrastructure and are consequently easier targets to breach. A small retailer will typically have somewhere between 30,000 to 50,000 credit cards, on average, in their system. Each of these cards could sell at a dump shop for about $5-$10. This can yield an attacker payout anywhere from $150,000 to $500,000 USD from organizations like Rescator[dot]cc, an underground cybercrime shop. Although the payout is smaller, it can be gained more quickly and with less complexity than plotting a large-scale attack on a major retailer or business.

A regional retail Attivo customer was worried about a POS breach and didn’t have access to the additional budget, time, and resources to add complex monitoring and visibility security solutions to their infrastructure. With a limited staff, they also needed a solution that didn’t produce multiple alerts and a surge of log data to correlate daily. The retailer offered free Wi-Fi connectivity to customers in their lounge area. The presence of guests on the network was a point of concern for the retailer, so they had set up virtual local area networks (VLANs) for each functional unit in their environment.

Attivo worked with this retailer to set up deception and decoys within their network to create traps around their uniCenta POS systems and other critical business assets. The Attivo solution detected attacker reconnaissance and attempted payload drops involving Huntpos malware as it attempted to scan all the running processes to collect and track data, establish an exfiltration launch pad, and as a point to communicate with C2. The security team was alerted to the attacker activity with an engagement based alert containing information on the infected system, the necessary attack information to block the attacker, and specifics to remediate the victim. In post-incident evaluation, it was determined that the use of weak passwords and a system misconfiguration created the opportunity for the attacker to evade their other security defenses.


Case Study #3—Mid-size Retailer: Capture-the-flag exercise in a POS network to study the effectiveness of deception to catch targeted attackers

In this case study, a mid-size retailer deployed deception technology to see how effective it would be in catching targeted attackers focused on stealing data from POS systems. The objective was to catch their experienced red team before they could get to the production POS systems.

A lab network was set up to test the effectiveness of deception in catching attackers targeting POS networks. The business network included typical systems seen in an enterprise network: Windows-based desktops, Windows and Linux servers, web servers, database servers, DNS servers, and printers, with all systems managed by Active Directory. The POS systems were installed on a separate network behind a firewall. The POS network had a patch management server for managing the software upgrades of devices in the POS network. This retail customer used NCR POS systems running the Windows 8 operating system.

Typically, as part of their initial compromise, an attacker will make their attempts through phishing emails, drive-by downloads, or USB access. In this case, the red team was given remote access to one of the Windows machines on the business network to break into the POS system. The red team was aware that deception would be introduced for this exercise but was not given any specifics.

Deception was introduced into the business network as well as the POS network. Decoy systems included Windows and Linux VMs, which were imports of the systems used in the business network. In addition, the customer imported the Windows OS with Aloha POS software for deployment in the POS network.

Decoys were set up to resemble POS devices with deceptive credit card information loaded into POS software so that as the attacker tried to infect the decoy system to steal the data, an alert would be raised to the suspicious activity.

Endpoint lures were inserted into desktop and server computers, and the lures included credentials for several applications, memory-stored credentials, Kerberos tickets, SMB shares, cookies, etc. All endpoint lures would lead an attacker to the various decoy engagement systems. In addition, endpoint lures were set up to point to production systems, and any attempt to use the false credentials would be detected by monitoring all logs captured by a SIEM. The endpoint lures were imported into the firewall as Snort signatures to flag any attempted exfiltration of these credentials.

Within a day of the capture-the-flag exercise starting, decoy engagement systems in the business network reported reconnaissance activity and later saw events related to the use of endpoint credential lures against the Windows decoys. The SIEM integration also created an alert when stolen fake credentials were used against the production systems. Stealing credentials and using them for lateral movement is one of the most common methods employed in targeted attacks.

ThreatStrike Credentials on Endpoint pointing to POS terminals


The test could have been stopped at this point since it was clearly a targeted attack using stolen credentials and the red team had been caught. However, since our intent was to catch all steps that could be employed by a potential attacker, we let the test progress.

Later, the POS decoy engagement systems received a payload drop which resulted in POS memory scraping alerts. All activity related to memory scraping and attempts to exfiltrate the credit card data were captured as forensic evidence for the customer.

Deception was introduced to see if the solution could reliably deceive a potential attacker into engaging with a POS decoy. There were several points where the deception platform detected the attack. The first was in the initial reconnaissance, when the decoy was scanned and an alert was raised notifying the security team to the presence of potentially malicious activity. The second detection occurred when false credentials were used to compromise a decoy engagement system. The third detection was raised when memory scraping malware was dropped onto the POS decoy engagement system. The goal was to see if the decoy appeared authentic enough to deceive the attacker, and based on the results, it unquestionably was. Some detection systems, once fingerprinted, can be avoided by an attacker. The solution, which was based on the Attivo ThreatDefend™ Deception and Response Platform, uses a technique called behavioral deception. This deception self-learns the environment for authenticity and then re-spins it after engagement to avoid being fingerprinted.

Dropped malware showing memory scraping behavior

Detection Scenario 1

The first detection scenario used POS terminal decoys, set up a decoy management server, and distributed deceptive credentials across various endpoints to detect lateral movement methods.

Attackers then stole deceptive credentials for some of the servers. We observed usage of the stolen credentials in the form of the following events.

Attackers also took the bait, infecting one of the decoy systems that was running POS software and installing malware on it. In this case, BlackPOS was the malware that was used. The POS decoy was configured to resemble a self-serve POS terminal, which used an operating system based on Windows XP Embedded SP3. Other popular Windows POS operating systems are Windows Embedded POSReady 2009, Windows Embedded POSReady 7, and Windows Embedded 8 Industry, but to match the environment we stayed with the version that best matched the production devices.

The result: It did not take long for the decoy system to become compromised and raise alerts.

Detection Scenario 2

The second detection use case was all about studying the threats associated with small retailers. The Attivo BOTsink was used to roll out deception in the form of a decoy uniCenta POS server. The server running the uniCenta application was configured with simple dictionary passwords. The organization had set up a restricted virtual local area network (VLAN) for its POS network. However, a misconfiguration left a gap open for the attacker to find entry into the business network from the Wi-Fi network.

Once on the business network, the attacker fell for the decoy uniCenta server that was advertised in their network and moved laterally into the POS network using brute force attempts. The following alerts were seen in the BOTsink events UI post-compromise. They show attempts to scan and dump the memory of running processes.

Detection Scenario 3

When all else fails, protect your most critical assets; in this case, that meant protecting the management server that could be hijacked to download malware across multiple branch locations. To prove the effectiveness of this method, the red team was asked to simulate attacker behavior to steal the credit card data on test systems without getting detected. In this test, a customer’s “golden” POS image was imported so that the engagement server and decoys would appear identical to production assets. POS decoy engagement systems were added to the patch management server so that they could receive management software patches and updates.

The result: As the attacker moved to the business network, there were three traps that were placed to detect him: a decoy designed to appear as the management server, a decoy designed to appear as a payment gateway, and deception credentials that were authenticated with Active Directory for additional attacker deception. The sequence of the attack was as follows:

• The initial reconnaissance scan in the business network was picked up by the Attivo Networks engagement server.

• Over time both the decoy management server and the gateways were hit with attempts to use the planted deception credentials.

• Eventually, the red team succeeded in compromising the patch management server after compromising the Active Directory server.

• Malware was distributed to the POS systems using patch management software. Since the decoy POS systems were part of the POS device inventory, malware was installed onto the decoy. The attack was permitted to safely play out in the engagement server with a path opened to C2 to capture the next moves of the red team. During this analysis, full tactics, techniques, and procedures (TTPs) were gathered about the attack.

The conclusion of the test demonstrated network resilience, visibility, and validation of the health of the customer’s POS and business networks.

Recommendations

Our experience and expertise in POS systems, coupled with the findings outlined in this report, indicate that the following steps should be taken immediately to protect against a large-scale breach.

Accept that you will be breached, if you haven’t been already, and take measures to gain visibility to know what threats are hiding in your network. Realize that stolen credentials provide access to central servers that can infect and re-infect all your POS terminals, if you don’t prevent this from happening. Adding detection will dramatically reduce the risk of your company becoming the next headline and experiencing the impact of angry consumers whose loyalty may never return.

It starts with real-time visibility to detect threats that are already in your network. This visibility will provide insight into your network with software that can show and analyze the lateral movement of any form of new or old threat that enters your network and threatens your POS installations. The solution you choose should be able to identify these threats without the need for signatures or a learning period for pattern matching, and the alerts should be accurate: they should not generate false positives or stream endless amounts of uncorrelated information to already overburdened security analysts.

Changing the Game with Deception for Early Detection

Enterprises are now using active deception systems for visibility into in-network threats, or the phase referred to as post-infection compromise. These systems or platforms offer the ability to exercise deception at every layer of the information and network stacks. Deception can efficiently lead an attacker into revealing themselves, thereby helping an enterprise harden its infrastructure and discover the TTPs to stay alert and protect their assets effectively. Deception has been recognized as the most efficient method for detecting advanced threats by analysts at Gartner and Frost and Sullivan, and customer adoption is growing exponentially year over year.

Deception solutions provide clear value to organizations by proactively uncovering attackers as they try to advance in the enterprise and providing the information and tools to accelerate incident response.

Internal Recon: An attacker’s motivation while conducting an internal reconnaissance is to identify assets of higher value or with digital proximity to assets that are needed to fulfill their mission objectives. Deception platforms offer an extensive list of capabilities that can be used to deceive and identify attackers at this stage. A few examples of such capabilities are:

a. Deception lures present on the endpoints in the form of cached credentials pointing to engagement machines.

b. Deception entries available in the output of net view commands that display endpoints with relevant and attractive names that are actually engagement servers hosted within deception platforms. These deceptive names could be relevant to the POS application in use by the retailer or business.

c. Deception information is available on the network to attract an attacker when running discovery tools like nmap, zmap or masscan. This disinformation basically advertises remote services that appear real and relevant to the software and environment in use.

This deception information, once relayed out to the attacker, is constantly monitored by the deception systems. The deception system will automatically detect the use of deception information at any stage of the attack to drive further engagement and information collection. Engagement activity is used to determine the TTPs and eventually the true motivation of an attacker on the network.

Lateral Movement: Having identified the key locations that might be helpful in fulfilling mission objectives, the next step for an attacker is to move to those locations for verification of their assumptions or execution of their objectives. These movements could either be in-place for escalation of privileges or remotely to a different endpoint for execution of their objectives. Either way, an attacker needs to harvest credentials to allow such movements. Some of the popular techniques used to harvest credentials are:

a. Use of tools like mimikatz to harvest a user’s password, hash, or Kerberos ticket from memory, and use of other tools to get passwords from applications like Outlook, database clients, browsers, FTP clients, etc.

b. Perform MITM attacks to capture credentials sent by victim machines.

A deception system can play an important role in feeding misinformation to an attacker looking to get hold of credentials for lateral movement. The core principle remains the same as earlier: feed misinformation to the attacker and monitor the usage of deception information to detect these lateral movements.

Without the use of deception, detection of lateral movement throughout the network (referred to as east-west traffic) can be challenging. An active deception platform can accurately detect east-west traffic threats by identifying the infected clients being used by attackers to propagate the attack. This includes the detection of sleeper and time-triggered agents. These systems will also capture the tactics these attacks are using to help organizations understand the overall objective/intent of the attack. As a result, these systems significantly reduce detection time, providing the context organizations need for full remediation of an attack before it can cause damage.
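The detection principle described under Internal Recon and Lateral Movement above (plant artifacts nobody legitimate should ever touch, then alert on any use of them) can be reduced to a small correlation rule. The following is an added illustration, not Attivo code: the decoy registry, the log line format and the sample events are all constructed for this example.

```python
"""Alert on any use of planted deception artifacts (decoy hosts and decoy
credentials) seen in connection and authentication logs.
Added illustration, not Attivo code; registry, log format and events are constructed."""
import re
from dataclasses import dataclass

# Constructed registry of deception artifacts. No legitimate process or user
# should ever reference these, so any hit is a high-confidence alert.
DECOY_HOSTS = {"10.10.20.50": "pos-mgmt-02 (decoy management server)",
               "10.10.30.77": "pos-term-19 (decoy POS terminal)"}
DECOY_USERS = {"svc_posadmin", "pos_backup"}   # lure credentials cached on endpoints

# Constructed log format: "<ts> <auth|conn> src=<ip> dst=<ip> [user=<name>] [result=<ok|fail>]"
LOG_RE = re.compile(
    r"(?P<ts>\S+) (?P<kind>auth|conn) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: user=(?P<user>\S+))?(?: result=(?P<result>\S+))?")

@dataclass(frozen=True)
class Alert:
    ts: str
    stage: str      # "recon", "lateral_movement" or "decoy_compromise"
    src: str        # the infected client that touched a deception artifact
    detail: str

def analyze(lines):
    """Return one Alert per log line that touches a decoy host or decoy credential."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count and report these
        e = m.groupdict()
        if e["kind"] == "conn" and e["dst"] in DECOY_HOSTS:
            alerts.append(Alert(e["ts"], "recon", e["src"],
                                f"connection to {DECOY_HOSTS[e['dst']]}"))
        elif e["kind"] == "auth" and e["user"] in DECOY_USERS:
            # A lure credential used against a production host means it was harvested
            # from an endpoint and is now being used to move laterally; used against a
            # decoy host, it means the decoy itself is being engaged or compromised.
            if e["dst"] in DECOY_HOSTS:
                stage, where = "decoy_compromise", DECOY_HOSTS[e["dst"]]
            else:
                stage, where = "lateral_movement", f"production host {e['dst']}"
            alerts.append(Alert(e["ts"], stage, e["src"],
                                f"decoy credential {e['user']} used against {where} ({e['result']})"))
    return alerts

SAMPLE_LOG = [  # constructed events in the order a red-team engagement might produce them
    "09:14:03 conn src=10.10.5.23 dst=10.10.20.50",
    "09:14:03 conn src=10.10.5.23 dst=10.10.20.51",
    "09:41:10 auth src=10.10.5.23 dst=10.10.20.12 user=svc_posadmin result=fail",
    "10:02:55 auth src=10.10.5.23 dst=10.10.30.77 user=pos_backup result=ok",
    "10:03:01 auth src=10.10.6.9 dst=10.10.20.12 user=jsmith result=ok",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
```

Note that even the failed authentication with svc_posadmin is an alert: the lure should never be presented anywhere, so the attempt itself identifies the infected client (10.10.5.23) regardless of outcome.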

Real Engagement: Employing deception and misinformation to misdirect attackers is the first step. Next, engaging with the attacker is an important step that helps make time to build a response to the incident. It can also prove invaluable in discovering the tactics, techniques, and procedures of the attacker to help identify the real actors behind the attack.

Exfiltration: It goes without saying that it is critical to stop an attacker from exporting data from an organization.

Deception platforms can provide valuable insight that cannot typically be gathered by simply blocking an attack. With the ability to gather information about the attack’s payload, its activities, and the C2 machines it is attempting to communicate with, these platforms can detect advanced attacks in a low-friction manner. The platform enables the attack to play out in a controlled, simulated environment, which collects the attack information while preventing the data from ever leaving the network.

Every attack is unique, but the stages involved in a POS attack are consistent, following the sequence as described in Figure 2 (page 8). Deception and misinformation throughout attack phases can prove to be invaluable in detecting these attacks early and as the attack propagates.

Conclusion

The benefits of breaching POS systems continue to make them prime targets, because of the financial gains to be made. The most recent report from The Identity Theft Resource Center shows that retail has dropped from the #1 most attacked industry in 2015, replaced by healthcare. The new discoveries of in-network threats could easily launch it back into the top spot in 2017. We certainly feel that the largest number of retail breaches are not behind us, but are ahead of us.

The impetus for this includes both the economic rewards and the relative ease with which attackers can collect data once they steal credentials and move laterally through the network to critical asset management servers. This is augmented by the continued lack of security sophistication at the POS terminal where the vulnerabilities of outdated Windows machines can easily be exploited.

In addition, sophisticated human threat actors who are inside the network can go for months without detection. The Verizon 2016 Breach report indicates that the average dwell time has been reduced, but attacker dwell time is still more than five months. The fact that lateral movement is nearly impossible to detect leaves attackers with the opportunity to exfiltrate data and remain undetected for months. In addition to new attacks, we also expect to see a resurgence of older modified latent attacks that will push the impact of these breaches much higher in 2017. With the value of this data on the DarkWeb commanding from $5 to $30 per stolen credit and debit card, the numbers will be staggering.

Botnet software detection works best if the external IP address is known as one used by attackers. Beyond this, only a very few select technologies, such as deception technology, can detect the lateral movement of a sophisticated human attacker within an internal network. Undetected, they can continue to infect POS terminals from the central Asset Management servers, which, by design, will defeat any attempts to remediate malware on individual devices.

According to a survey by ZDNet, over 66% of companies have increased their IT budgets this year. However, the percentage of security budgets devoted to detection, the heart of the problem in POS breaches, is too low as a share of the overall budget, with prevention systems still grabbing the majority. Numerous CISOs have said it is not a matter of if they will be breached, but when, and the dollars are beginning to shift over to detection, where attacks that defeat external defenses can be discovered and neutralized. With the adoption of high-efficacy detection, the ever-expanding rate of financial and personal impact from POS breaches can be dramatically reduced and mass breaches avoided.

Attivo Networks, ThreatDefend, ThreatStrike, and ThreatPath are registered trademarks of Attivo Networks, Inc. All other trademarks are of their respective companies. Follow us on Twitter @attivonetworks

About Attivo Networks

Attivo Networks® is the leader in dynamic deception technology for real-time detection, analysis, and accelerated response to advanced, credential, insider, and ransomware cyber attacks. The Attivo ThreatDefend™ Deception and Response Platform accurately detects advanced in-network threats and provides scalable continuous threat management for user networks, data centers, cloud, IoT, ICS-SCADA, and POS environments. www.attivonetworks.com

The Attivo ThreatDefend Deception Platform offers deception specifically designed for POS applications. It has delivered value in several of the use cases by realizing the following goals.

DISRUPT: The time taken to fulfill the mission’s objective depends on the hurdles encountered in exploring, discovering, and moving to the relevant asset. By offering deceptions of the utmost authenticity and indistinguishable quality, the time an attacker must spend to achieve its mission is increased severely. The attacker is forced to traverse multiple paths and options, compared to the few paths seen when there is no deception. The Attivo ThreatDefend platform offers self-learning and automated ways of building and deploying traps and deception across an organization’s network in a frictionless and scalable way. It can be used to create many varieties of decoy POS systems that appear as production POS systems and, by design, they can be managed by enterprise software management tools, enabling them to catch malware downloads.

REDIRECT: By use of deception and misdirection of an attack, the Attivo deception platform can constantly redirect attackers to its high interaction engagement servers, capable of tracking every action of the attacker and presenting it in multiple formats for automated incident response actions through integrations with third-party security devices.

DETECT: Usage of information implanted by the Attivo ThreatDefend platform leads to detection of multiple attacks such as stolen credentials, man-in-the-middle, darknet attacks, RAM scraping, and lateral movement. It is also a powerful solution for uncovering insider threats that are attempting to harvest critical information from the company.

DEFEND: The quality and depth of attack information gathered can substantially impact the time to remediation. The Attivo ThreatStrike deception platform provides a catalog of all attack activity (attempted communications and propagation activity), which makes it easy for the retail enterprise to understand an attack’s anatomy and take remedial actions. Integrations with third-party security solutions also streamline incident response with automated response actions.