Detecting Malware Such as BlackPOS with ExtraHop

A short time ago, Ken Westin at Tripwire wrote a great article about the high-profile credit card breach at Target. I've investigated how retailers design their systems to support large numbers of similar stores with few IT staff in each store, and Ken's description of Target's network sounded very familiar to me. While Target isn't (yet) an ExtraHop customer, I could picture how our wire data-based operational intelligence platform could have helped to detect this breach in real time and support forensic investigation.

At ExtraHop, we know that the truth is on the wire. Even when an intrusion is able to fool firewalls, signature-based IDS/IPS gear, applications, and operating systems, it's going to be very difficult—too difficult for most criminals—to cover their tracks in an environment monitored by ExtraHop. The continuous and pervasive wire data analysis performed by ExtraHop could mean the difference between discovering a breach quickly or letting it continue for weeks and affecting a third of the people in America, as in the case of the Target breach.

How to Set Up Wire Data Analytics for Distributed Retail Environments

Ken describes Target's IT infrastructure layout as a highly virtualized, standardized stack with two servers per store, which, in his words ...

… leverage virtualization to run a custom point-of-sale solution that manages up to 30 registers, along with applications to manage inventory, stock replenishment, pharmacy data (if they have one), infrastructure as well as databases.

When Ken mentioned infrastructure management tools, I thought of an ExtraHop virtual appliance, such as the EH2000v, running inside a virtual container alongside the virtual database server and the virtual point-of-sale (POS) environment. The virtual switch on the virtual host would be configured to forward a copy of all network traffic between the guests to the ExtraHop platform. The ExtraHop would perform full-stream reassembly on the traffic to recreate the state of each virtual device, extract L2-L7 metrics in real time, and then write that to an on-box datastore that not only records detailed metrics but build trends and fire alerts on anomalous behavior.

In addition to having an ExtraHop virtual appliance in the store stack, most of our retail customers also have something like an EH6000 rack-mounted in their central datacenter, spanned off their core switch pair. That way, in addition to wire data derived from intra-store traffic, Target's IT organization would also have a real time view of all the devices in their centralized infrastructure: authentication, DNS, storage, logging—you name it. With our federated management server that aggregates this analysis, Target would have a 360-degree view of communications between all their devices and applications.

Creating Rule Sets to Define and Alert on Abnormal Activity

The power of ExtraHop's wire data analytics lies in the ability of IT organizations to easily extend the platform to answer specific questions and integrate with existing IT management systems, such as SIEM platforms. To answer the question, "Are my systems infected by malware?", nationwide retailers such as Target would use ExtraHop in the following manner:

1. Create an activity map of the local store network that reveals all network-connected devices and their communications. With ExtraHop, this is a push-button report.
2. Define what the dependencies in the activity map represent in terms of application functionality. For example, each point-of-sale system should connect to a certain set of servers using specified protocols.
3. Create a rule set based on those definitions, adding parameters for what normal activity should look like. For example, one of our engineers has written a trigger that detects credit card information passing in the clear using Luhn's algorithm, which should never happen. The rule set should also define geographies for data in egress, which would have identified the FTP uploads to a server in Russia in the case of the BlackPOS malware that hit Target, according to Mr. Westin. Repeated failed logins or other retailer-specific, anomalous behavior could be defined in these rule sets, too.
4. Finally, the ExtraHop platform can be configured to send real-time alerts to a SIEM platform through syslog to terminate connections or kick off a packet capture for forensics.

Equipped with this type of operational intelligence, Target would have been able to detect the data breach much earlier instead of after nearly three weeks of undetected activity. It's true that the most sophisticated attack methodologies have some ways of sneaking traffic by devices that are intended to look at the wire and see everything, but the recent attacks being described are based on semi-publically available malware that falls far short of the level of sophistication of NSA/PLA 61398-level players and the most advanced criminals.

I am truly excited to welcome John Smith to the ExtraHop Solution Architecture team. He has long been an evangelist of the wire data movement and of the ExtraHop message, and I was intrigued by the "armchair architect" article that he wrote about the healthcare.gov rollout, where he hooked up an ExtraHop virtual appliance to his local network, surfed the ACA Web site, showed what insight the ExtraHop platform afforded him into the application delivery chain, and imagined what else the ExtraHop would see if it was deployed inside the healthcare.gov perimeter, where it belongs. I'm looking forward to the next post in this series on wire data analytics for security, where John will explain why Infosec teams need a strategy for monitoring data going out of their environment.