How Retailers Can Protect Themselves from POS Malware

The Target data breach continues to garner headlines, with the most recent news being the resignation of the CIO. But while the scale of the breach was large, Target is hardly the first and won't be the last to get hit with a persistent threat, according to Andrew Komarov of IntelCrawler: "More BlackPOS infections, as well as new breaches can appear very soon, retailers and security community should be prepared for them." Similarly, an FBI report released on January 17 warned, "We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it."

This means that more retailers are likely currently compromised and we will likely see more theft of personal information as a result.

How Can Wire Data Analytics Help

Let's start with a brief description of what wire data is. When two systems communicate using TCP/IP or another transport protocol, that data has to touch the wire. What the ExtraHop platform does is collect, parse, and report on this data at tens-of-gigabit speeds. All IP communications up to layer 4, including port, server IP, client IP, process time, payload size (bytes), and TCP mechanisms such as retransmission timeouts are included. In addition, the ExtraHop platform provides Layer 7 visibility for protocols used by malware or malicious insiders, such as SQL (rouge queries that can steal data), HTTP (malware phoning home), FTP (which files are being sent), and DNS (text-based records that could be malware communications). Basically, the ExtraHop platform provides you the digital equivalent to CCTV with the added ability to make custom dashboards of all of the observed digital behavior based on what you are looking for.

• "Are my web servers suddenly acting like clients and connecting to China?"
• "What types of queries were run against my credit card database and from where did those queries originate?"
• "Has a new daemon sprung up on the web server in my DMZ?"

Malware cannot hide from ExtraHop: If it happened on the wire on a client/server with an IP address, we can see it and report on it. A brief example might help: A medium-sized organization had been blacklisted for sending out spam and used the ExtraHop platform to quickly identify and shut down the infected machine that was responsible. The culprit was easy to spot with ExtraHop, which showed that the device was sending more messages than the main mail server to domains such as hotmail.com, yahoo.com, etc. Not wanting to be caught unaware again, the network team set up a trend-based alert to fire when any device increased SMTP sends by 150 percent in a one-hour period.

ExtraHop's wire data platform is capable of parsing key L2-L7 metrics and trend-based alerts continuously in real time, at up to a sustained 20Gbps. In addition to recording events directly to the streaming datastore, the platform can send them through syslog to a SIEM platform such as ArcSight or Q1 Labs, or to a Big Data platform such as Splunk or vCenter Log Insight. And because ExtraHop listens passively via a port mirror, there is no need to install agents. This allows the appliance to monitor any system communicating on the network; the only prerequisite is an IP Address. Gone are the days when your monitoring was dependent on someone remembering to install an agent.

How Can ExtraHop Help with Infosec?

ExtraHop's wire data platform can integrate important new metrics into incumbent InfoSec practices, including valuable wire data about where connections are being made, over which ports, and using which protocols. I believe that operations staff, when provided with anomalies that are picked up instantly using wire data analytics, are positioned to detect and stop breaches that would not be detected otherwise. It's worth noting that Target was only notified to its data breach by a security researcher who was saw its stolen data offered for sale on criminal forums. ExtraHop, at its most basic level, can tell you every port and address used in IP-based communications, but also offers the ability to provide Layer 7 (application layer) information on HTTP, FTP, SQL, CIFS and SSL (including key lengths, expiration dates, and weak ciphers). ExtraHop also scales out so that you can gain a single pane of glass across distributed stores and datacenters.

Outsiders Infiltrate at Megabit Speeds and Steal at Gigabit Speeds

While there have been significant improvements in border and perimeter security, once malware or a bad actor is inside the network, they often have much greater freedom to propagate malware, gain access to additional systems, or exfiltrate data. We are never going to be able to write signatures for tomorrow's advanced persistent threat, but wire data can position you to detect behavior that does not belong. Using ExtraHop, you can see when a server suddenly starts an FTP daemon or see SQL queries made to your CRM database from a laptop in the mailroom, for example. You can send alerts to other InfoSec systems when large numbers of records are sent over the wire to an IP address that you are not familiar with; If a server opens port tcp/15632 to send 5GB of data to an IP address in Belarus, ExtraHop can let you know immediately.

We go to great lengths to keep bad actors out of our environments, but perhaps the time has come to expand our InfoSec practice with a strategy for monitoring egress traffic. Once malware is inside your network it can collect data at gigabit speeds, and you can't count on incumbent IPS/IDS systems to catch malware communications over approved ports and using approved protocols. Augmenting your existing InfoSec toolset with the ExtraHop wire data platform positions you to protect against tomorrows 17-year-old writing the next off-the-shelf malware tool.