4 Phases of a POS Attack and Countermeasures to Protect Against Each
In another example of a data breach, Wendy’s in early July publicly identified over 1,000 U.S. franchised locations that were affected by two variants of point-of-sale (POS) malware discovered in May. SC Magazine reported that the disclosed information “sheds new light on a previous warning from the fast-food giant that the true number of compromised locations were ‘considerably higher’ than the 300 originally estimated.”
Wendy’s confirmed that there were two variants of malware that stole specific payment card information, including cardholder names, credit and debit card numbers, expiration dates, cardholder verification values and service codes.
The attacks began back in late fall 2015, and both variants of malware were introduced into Wendy’s POS systems via a compromised third-party vendor’s credentials.
As POS data breaches become increasingly common, secure network access becomes essential. I don’t often write about how our technology applies, but in this instance, I want to highlight the stages of a POS breach at which AppGate, our network access software, can block the adversary.
4 Stages of a POS Breach and AppGate Countermeasures
Generally, there is some consistency in the methodology used by hackers targeting POS systems. According to a report issued by Trustwave Holdings in 2013, the phases include infiltration, propagation, aggregation, and exfiltration.
Phase 1: Infiltration
The infiltration phase is where the attacker conducts reconnaissance to find and exploit an access point. There are a variety of methods an attacker can use to gain access to a corporate network. They can look for weaknesses in external-facing systems, such as using SQL injection on a web server or finding a perimeter device that still uses the default manufacturer password. Alternatively, they can attack from within by sending a spear-phishing email to an individual within the organization. The spear-phishing email could contain a malicious attachment or a link to a website that installs a back door program onto the victim’s computer. In the case of Wendy’s, the attackers obtained access through compromised third-party credentials, which is a very common (and unfortunately effective) weakness.
AppGate blocks the attacker at the infiltration phase by enforcing multi-factor authentication and dynamically checking contextual variables to determine and limit access. AppGate also restricts network access by insiders, privileged users, or third parties to only those services needed for business use – all other network services are hidden and inaccessible.
Phase 2: Propagation
Once inside the network, the attackers’ next step is to gain access to their ultimate targets–the POS systems. Attackers will typically use a variety of tools to map out the network to locate systems within the card data environment (CDE). While they may exploit vulnerabilities or use other techniques to gain access to these systems, often the simplest method of gaining access is by obtaining user credentials. User credentials may be obtained through keylogging Trojans, password-hash extraction, cracking, and/or replaying captured login sequences, or even brute force password attacks. Eventually, the attackers may obtain administrative-level credentials. The attackers may even gain control of a domain controller, giving them full access to all computers in the network. Once in control, they can then gain access to the CDE even if it is in a segmented network by using network and data pathways established for existing business purposes. Once inside the CDE, they can then install malware which allows them to steal card data from the POS systems.
AppGate blocks the attacker at the propagation phase by applying dynamic firewalls with a default-deny rule that drops all traffic except from explicitly allowed users, so POS systems are not reachable from the internet. AppGate also isolates critical services, such as file, mail, web, and database servers, on separate logical segments, creating strict network segmentation, for example for PCI Cardholder Data Environments. AppGate can also enforce multi-factor authentication prior to access, to minimize the risk from stolen credentials.
Phase 3: Aggregation
After the infiltration phase, attackers often consolidate data from compromised target systems in a single staging location before exfiltrating it. This is an optional step, but one that attackers may take to avoid connecting high-value assets directly to the Internet, which may raise security alerts. Aggregation may take the form of simple consolidation, or may involve more complex steps to disguise or encrypt the data.
AppGate impedes aggregation by enforcing strict, fine-grained segmentation of servers and ensuring that user context is taken into consideration before allowing access. Policies can prevent user access from off-network IP addresses or at abnormal hours, or at least require multi-factor authentication in those situations. All of these make aggregation more difficult for an attacker.
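The countermeasures described for the infiltration, propagation and aggregation phases all come down to one policy model: a service is invisible and unreachable unless an explicit entitlement grants it, and even a granted service is only opened once the context (second factor, source network, time of day) checks out. The following is an added illustration of that default-deny, context-aware evaluation; it is not AppGate’s code or its configuration format, and the group names, service names, address ranges and business-hours window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical policy model (not AppGate's configuration format): an
# entitlement grants one user group a set of services under conditions.
# Any service not granted by a matching entitlement is denied and never
# advertised to the user (default deny, hidden services).

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # groups the authenticated identity belongs to
    service: str             # service the user is trying to reach
    mfa_passed: bool         # second factor completed for this session
    source_ip: str
    time: datetime

@dataclass(frozen=True)
class Entitlement:
    group: str
    services: frozenset
    require_mfa: bool = False
    allowed_networks: tuple = ()                # empty tuple means any source network
    business_hours: Optional[tuple] = None      # (start_hour, end_hour) or None for any time

    def conditions_met(self, req: Request) -> bool:
        if self.require_mfa and not req.mfa_passed:
            return False
        if self.allowed_networks and not any(
                ip_address(req.source_ip) in ip_network(net) for net in self.allowed_networks):
            return False
        if self.business_hours is not None:
            start, end = self.business_hours
            if not start <= req.time.hour < end:
                return False
        return True

# Constructed policy: only POS admins and the vendor group can reach CDE
# services, and only with MFA, from the corporate LAN, during business hours.
POLICY = (
    Entitlement("pos-admins", frozenset({"pos-db", "pos-terminal-mgmt"}),
                require_mfa=True, allowed_networks=("10.20.0.0/16",), business_hours=(7, 20)),
    Entitlement("vendors", frozenset({"pos-terminal-mgmt"}),
                require_mfa=True, allowed_networks=("10.20.0.0/16",), business_hours=(7, 20)),
    Entitlement("staff", frozenset({"mail", "web"})),
)

def visible_services(groups, policy=POLICY) -> set:
    """Services a user can see at all; everything else stays hidden."""
    return {s for e in policy if e.group in groups for s in e.services}

def evaluate(req: Request, policy=POLICY) -> tuple:
    """Return (decision, reason). Nothing is allowed unless an entitlement
    both grants the service and has all of its context conditions satisfied."""
    matched = [e for e in policy if e.group in req.groups and req.service in e.services]
    if not matched:
        return ("deny", "no entitlement grants this service; it is not even visible")
    for ent in matched:
        if ent.conditions_met(req):
            return ("allow", f"entitlement for group {ent.group!r} satisfied")
    return ("deny", "entitlement exists but MFA, network or time-of-day conditions failed")

# Constructed sample requests, modelled on the breach phases in the text.
SAMPLE_REQUESTS = {
    # stolen vendor password replayed from outside the LAN, no second factor
    "stolen_vendor_creds": Request("vendor-svc", frozenset({"vendors"}), "pos-terminal-mgmt",
                                   False, "203.0.113.9", datetime(2016, 7, 1, 2, 15)),
    # legitimate admin on the LAN with MFA during the day
    "admin_business_hours": Request("alice", frozenset({"pos-admins"}), "pos-db",
                                    True, "10.20.3.7", datetime(2016, 7, 1, 10, 0)),
    # same admin, same MFA, but at 02:00 from an off-network address
    "admin_odd_hours_offnet": Request("alice", frozenset({"pos-admins"}), "pos-db",
                                      True, "198.51.100.4", datetime(2016, 7, 1, 2, 0)),
    # ordinary staff account: the POS database is not in its entitlements at all
    "staff_to_cde": Request("bob", frozenset({"staff"}), "pos-db",
                            True, "10.20.3.8", datetime(2016, 7, 1, 10, 0)),
}

def run_samples() -> dict:
    """Decision per sample request, e.g. for a quick policy regression check."""
    return {name: evaluate(req)[0] for name, req in SAMPLE_REQUESTS.items()}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:24s} -> {evaluate(req)}")
```

The point of the sample set is that the stolen vendor credential is rejected three times over (no second factor, wrong source network, outside business hours), while the same admin identity that is allowed at 10:00 from the LAN is refused at 02:00 from an outside address: the credential alone never decides.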
Phase 4: Exfiltration
After the desired information is collected, the attackers use one or more mechanisms to extract the data to an external location. This step is where a security monitoring system, such as a SIEM, is useful – extracting large amounts of data should be readily detectable by these types of systems.
While AppGate doesn’t have a direct role to play in stopping data exfiltration, it is part of a sound defense in depth approach. AppGate will make it much more difficult for an attacker to obtain data to exfiltrate in the first place. AppGate also complements other security solutions, such as SIEMs, by feeding them detailed information about users, context, and network activity, enabling them to more quickly and accurately detect malicious behavior.
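The detection the paragraph above expects from a SIEM can be reduced to a small rule over flow logs: sum what each cardholder-environment host sends to non-internal addresses and flag any host that talks outside at all, and separately any host whose volume exceeds a baseline. The script below is an added example, not code from the page or from any SIEM or AppGate product; the flow-log lines, the CDE and internal address ranges and the 50 MB threshold are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow-log lines (not from any real breach):
# <timestamp> <src ip> <dst ip> <bytes sent by src>
FLOW_LOGS = """\
2016-07-01T02:10:00 10.20.5.11 203.0.113.8 52000000
2016-07-01T02:12:00 10.20.5.11 203.0.113.8 61000000
2016-07-01T09:00:00 10.20.5.12 10.20.1.5 120000
2016-07-01T09:05:00 10.20.5.12 198.51.100.20 340000
2016-07-01T02:30:00 10.20.7.3 203.0.113.8 8000000
"""

CDE_NETWORK = ip_network("10.20.5.0/24")   # assumed POS / cardholder data segment
INTERNAL = ip_network("10.0.0.0/8")        # assumed corporate address space
VOLUME_THRESHOLD = 50_000_000              # assumed per-host daily egress ceiling, in bytes

HIGH_VOLUME = "high_volume_egress"
CDE_TO_EXTERNAL = "cde_host_direct_external_connection"

def parse_flows(text: str) -> list:
    """Parse the whitespace-separated flow records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append({"ts": ts, "src": ip_address(src),
                      "dst": ip_address(dst), "bytes": int(nbytes)})
    return flows

def build_alerts(flows, cde=CDE_NETWORK, internal=INTERNAL,
                 threshold=VOLUME_THRESHOLD) -> dict:
    """Map each CDE host that sends data outside the internal range to its alert reasons."""
    egress = defaultdict(int)
    for f in flows:
        if f["src"] in cde and f["dst"] not in internal:
            egress[str(f["src"])] += f["bytes"]
    alerts = {}
    for host, total in egress.items():
        # A CDE host should never reach the Internet directly, whatever the volume.
        reasons = [CDE_TO_EXTERNAL]
        if total > threshold:
            reasons.append(HIGH_VOLUME)
        alerts[host] = reasons
    return alerts

if __name__ == "__main__":
    for host, reasons in sorted(build_alerts(parse_flows(FLOW_LOGS)).items()):
        print(host, ", ".join(reasons))
```

On the constructed data, 10.20.5.11 trips both rules (two transfers at 02:00 totalling 113 MB to one outside address), 10.20.5.12 trips only the direct-external rule, and 10.20.7.3 is ignored because it is outside the cardholder segment. In practice the volume rule wants a per-host baseline learned from history rather than a fixed constant, and the direct-external rule is exactly what strict segmentation of the CDE makes impossible in the first place.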
Additional Benefit: Reducing the Work Required to Comply with PCI DSS
AppGate can also reduce the scope of the PCI audit for companies that handle credit card data. This reduces audit workload.
1. Reduce PCI Scope:
According to the PCI DSS version 3.0, segmenting may reduce:
- The scope of the PCI DSS assessment
- The cost of the PCI DSS assessment
- The cost and difficulty of implementing and maintaining PCI DSS controls
- The risk to an organization by consolidating cardholder data into fewer, more controlled locations
AppGate can be used to isolate the PCI environment and control access, reducing the scope of PCI audits.
2. Reduce Work to Produce PCI Audit Reports:
AppGate’s reporting features reduce the amount of work necessary to demonstrate that only authorized users had access to the CDE. Instead of correlating IP addresses to CDE access, AppGate produces a CDE access report in which user information is already correlated. This reduces the work required to produce reports that demonstrate PCI compliance.
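To see what “pre-correlated” saves, here is the correlation an auditor otherwise has to do by hand: join each CDE firewall hit to the gateway session that held that client IP at that moment, so the report is keyed by user rather than by address. This is an added example, not AppGate’s report format or code; both log extracts are constructed, and they deliberately reuse one client IP across two users’ sessions and include one access with no session at all.

```python
from datetime import datetime

# Constructed session log from an access gateway:
# user, assigned client IP, session start, session end
SESSIONS = """\
alice,10.20.0.15,2016-07-01T08:00:00,2016-07-01T12:00:00
vendor-svc,10.20.0.40,2016-07-01T13:00:00,2016-07-01T14:00:00
alice,10.20.0.40,2016-07-01T15:00:00,2016-07-01T16:00:00
"""

# Constructed CDE firewall log: time, client IP, CDE host reached
CDE_ACCESS = """\
2016-07-01T08:30:00 10.20.0.15 10.20.5.11
2016-07-01T13:20:00 10.20.0.40 10.20.5.12
2016-07-01T15:10:00 10.20.0.40 10.20.5.11
2016-07-01T18:00:00 10.20.0.40 10.20.5.11
"""

UNATTRIBUTED = "UNATTRIBUTED"   # bucket for accesses no session can explain

def parse_sessions(text: str) -> list:
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ip, start, end = line.split(",")
        out.append((user, ip, datetime.fromisoformat(start), datetime.fromisoformat(end)))
    return out

def parse_access(text: str) -> list:
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, host = line.split()
        out.append((datetime.fromisoformat(ts), ip, host))
    return out

def user_for(ip: str, when: datetime, sessions: list) -> str:
    """Identity that held this client IP at this time; the IP alone is not enough
    because addresses are reassigned between sessions."""
    for user, s_ip, start, end in sessions:
        if s_ip == ip and start <= when <= end:
            return user
    return UNATTRIBUTED

def cde_access_report(session_text: str = SESSIONS, access_text: str = CDE_ACCESS) -> dict:
    """Group every CDE access by the user responsible for it."""
    sessions = parse_sessions(session_text)
    report = {}
    for when, ip, host in parse_access(access_text):
        report.setdefault(user_for(ip, when, sessions), []).append((when.isoformat(), host))
    return report

if __name__ == "__main__":
    for user, hits in cde_access_report().items():
        print(user)
        for when, host in hits:
            print(f"  {when}  {host}")
```

The 18:00 access from 10.20.0.40 lands in the UNATTRIBUTED bucket because no gateway session held that address then; in an audit that row is the interesting one, since it is either a log gap or traffic that bypassed the gateway. The time-window join is what a gateway that records identity with every connection spares you from reconstructing.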
AppGate is a powerful tool that can help defend against a POS data breach and support PCI compliance.