08/02/2012




The diary of a forensic investigator:
Secrets Revealed
Andrew Henwood




Dear Diary – who do ADCs affect?

•  Smallest merchant
•  Largest merchants with multitudes of sites
•  Issuers and Acquirers




   IR Plan should be similar, irrespective of entity size!








ADC Trends & Targets

        Cybercriminals are using:

        •  Same old vulnerabilities (SQL injection, backdoor trojans,
           malware etc.).
        •  Increasingly sophisticated attack methods.
        •  Targeted attacks.
        •  More automated tools.
        •  Quicker developing trends.
        •  Repeat attacks to maximise harvest.
        •  Increasingly powerful systems and techniques.
        •  Decrease in time between compromise and fraud
           spend.




ADC Trends & Targets




            …But the target remains the same.
                    Cardholder Data.








Dear Diary - How are ADCs typically identified?




•  Cardholders report fraud on their card => their card is
   compromised
•  Issuers and/or Schemes trace back legitimate spend
•  If multiple compromises, this trace identifies Common
   Points of Purchase (CPP)
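The Common Point of Purchase trace described above, written out as an added example (it is not code from the presentation or from Foregenix). It assumes an issuer holds, for each card, the legitimate transactions prior to the fraud reports; card tokens, merchants and dates below are constructed. The "lift" column is an addition of this example: it compares how often a merchant appears among compromised cards with how often it appears among all cards, so that a merchant everyone shops at is not mistaken for the compromise point.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: card tokens (no real PANs) with each card's legitimate
# transaction history as (card, merchant, date). Cards A-D were reported as
# fraudulent by their holders; E and F were not.
FRAUD_REPORTED = {"card-A", "card-B", "card-C", "card-D"}

TRANSACTIONS = [
    ("card-A", "M-coffee", date(2010, 3, 2)),
    ("card-A", "M-hotel",  date(2010, 3, 5)),
    ("card-A", "M-grocer", date(2010, 3, 9)),
    ("card-B", "M-hotel",  date(2010, 3, 6)),
    ("card-B", "M-fuel",   date(2010, 3, 7)),
    ("card-C", "M-hotel",  date(2010, 3, 4)),
    ("card-C", "M-coffee", date(2010, 3, 8)),
    ("card-D", "M-hotel",  date(2010, 3, 1)),
    ("card-D", "M-grocer", date(2010, 3, 3)),
    ("card-E", "M-hotel",  date(2010, 3, 5)),
    ("card-E", "M-coffee", date(2010, 3, 6)),
    ("card-F", "M-grocer", date(2010, 3, 2)),
]


def common_points_of_purchase(transactions, fraud_cards, min_share=0.75):
    """Rank merchants by the fraction of compromised cards whose legitimate
    spend passed through them. `min_share` (assumed threshold) drops merchants
    seen on too few of the compromised cards. The returned window is the span
    of compromised-card spend at that merchant, which bounds the compromise."""
    all_cards = {card for card, _, _ in transactions}
    fraud_at = defaultdict(set)      # merchant -> compromised cards seen there
    everyone_at = defaultdict(set)   # merchant -> all cards seen there
    spend_dates = defaultdict(list)  # merchant -> dates of compromised-card spend
    for card, merchant, when in transactions:
        everyone_at[merchant].add(card)
        if card in fraud_cards:
            fraud_at[merchant].add(card)
            spend_dates[merchant].append(when)

    results = []
    for merchant, cards in fraud_at.items():
        share = len(cards) / len(fraud_cards)
        if share < min_share:
            continue
        # Baseline popularity among every card; lift > 1 means the merchant is
        # over-represented in the compromised population.
        baseline = len(everyone_at[merchant]) / len(all_cards)
        results.append({
            "merchant": merchant,
            "share": share,
            "lift": share / baseline,
            "cards": sorted(cards),
            "window": (min(spend_dates[merchant]), max(spend_dates[merchant])),
        })
    results.sort(key=lambda r: (-r["share"], -r["lift"], r["merchant"]))
    return results


if __name__ == "__main__":
    for r in common_points_of_purchase(TRANSACTIONS, FRAUD_REPORTED):
        print(r["merchant"], f"share={r['share']:.2f}", f"lift={r['lift']:.2f}",
              r["window"][0], "to", r["window"][1], r["cards"])
```

With the sample data only M-hotel clears the 75% threshold: all four compromised cards were used there between 1 and 6 March 2010, which is the window an investigator would take to the merchant. Lowering `min_share` surfaces the coffee shop and the grocer as well, but both have a lift of 1.0, i.e. they appear among compromised cards no more often than among cards in general.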




Compromise Timeline

[Figure: compromise timeline diagram. The slide's labels did not survive text extraction.]




How not to respond




Compromise Penalties!








Compromise Penalties!

Type      Initial   Lack of     Monthly      Monthly        Monthly PCIDSS
          Fine      removing    PCIDSS       PCIDSS         Violation
                    SAD         Violation    Violation      (>=6 months)
                    (90 days)   (4 months)   (5 months)

L1        !50,000   !30,000     !50,000      !75,000        !75,000

L2        !25,000   !15,000     !25,000      !50,000        !50,000

L3&4      !10,000   !5,000      !10,000      !15,000        !15,000

Members   !50,000   !30,000     !50,000      !75,000        !75,000

PSPs      !25,000   !15,000     !50,000      !30,000        !30,000

Others    !10,000   !5,000      !10,000      !25,000        !25,000




Card Scheme / Acquirer vs. Entity
Priorities

In most cases, these priorities are NOT aligned!

•  Card Schemes & Acquirers
    •  Containment, Limit Exposure, Identify “At Risk” card data, Fines

•  Entities
    •  Containment, root cause identification, remediation, get on with
       business


For potentially compromised entities, ensure the PFI
selected / engaged has your priorities at heart








Facilitating a Forensic Investigation

1.    Invoke IR plan
2.    Engage a PFI (ASAP!)
3.    Document and collate all current and ongoing events, all people
      involved, and all discoveries into a timeline for evidentiary use
4.    Do not access or alter any aspect of the suspect system(s)
5.    If you suspect the attack is currently ongoing, remove the system
      connectivity to the network. i.e. pull the network cable / down the
      adapter


                  Do not power the system down!




Facilitating a Forensic Investigation

Re-Emphasise:




      Do not access or alter any aspect of the
                suspect system(s)
                      …or at least minimise access!








PCI Forensics vs. Traditional Forensics

1.  PCI Forensics does not equal traditional forensics
2.  Majority of attacks are coordinated, focused, highly sophisticated
    and custom to the environment
    –  Custom malware (targeted memory scraping)
    –  Payment application manipulation (source code modifications and
       manipulation of limits / controls)
    –  Custom Rootkits and built in defense mechanisms
    –  Hacker SDLC
    –  Anti-Forensics




Real-World Forensic Statistics
     Affected Industry (example)

     Category              Trustwave (2011)   Verizon (2011)   7Safe (2010)

     Hospitality                 10%               40%             5%
     Financial Services           6%               22%             7%
     Retail                      18%               25%            69%
     Food and Beverage           57%                ?              ?
     Government                   6%                4%             2%
     Education                    1%                ?              ?
     Other                        ?                 ?              ?


   * References to reports in conclusion of presentation








Statistics & Trends

Individual company statistics are “interesting” but
impossible to correlate except broadly!




Statistics & Trends

•  Utilise public combined sources:
    www.datalossdb.org
    http://www.privacyrights.org/ar/ChronDataBreaches.htm
•  Hospitality / Food & Beverage / Retail compromised the most
•  Majority of ADC are from external sources
•  Majority of breaches are focused and well organised criminal
   businesses
    •   Majority of victims had evidence of the breach in their log files thus
        should have been aware!
    •   Majority of attacks were trivial
    •   Only a fraction reported in CEMEA








GoldenDump.com (2011)








Incident

Incident Overview
•  Subject : Multi-national Issuer / Acquirer
•  Incident Date : 2010
•  Investigation Date : Late 2010
•  Initial Vulnerability : SQL Injection
•  Exploited Weaknesses :
    –  Poor network segregation
    –  Lack of log review
    –  Let down by security partners
•  Exposure :
    –  2.4 million PAN
    –  780,000 Track 2
    –  > ! 90,000 in cash








                                                 The Environment

[Diagram: network zones labelled Backend Systems, Online Payment Servers, Branch Offices, Application Servers and Internet Banking Servers, each drawn with the hosts DEVDB, DB04, DB03, AS400, DB02 and DB01]

2010








SO…..What went wrong? (Underlying Causes)
•  Phase 1: Initial Compromise – SQL Injection
    –  The site had been tested by multiple external parties and had
       “passed” three penetration tests (Code had NOT changed since
       2005!).
    –  Logs were collected (plenty of them – 4.5 Billion events) but never
       reviewed.
    –  Network architecture was “temporary” but never resolved.
    –  Poor password policies.
•  Phase 2: Reconnaissance & Exploration
    –  Poor network architecture design decisions.
    –  Poor password policy.
    –  Lack of log review.




•  Phase 3: Account Data Extraction (PAN)
    –  Inappropriate data retention policies.
    –  Lack of awareness regarding Account Data storage (where is it?)
    –  Poor system management.
•  Phase 4: Account Data Extraction (Track 2)
    –  Inappropriate data retention policies (again).
    –  Poor network segmentation.
•  Phase 5: Internet Banking Manipulation
    –  Application made “blind” use of data within a database.
    –  Application unable to detect “tampering”.
    –  Failed transfers were not reviewed or followed up.
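Phase 5 turns on three things: the banking application acted on a database row without checking it, had no way to notice the row had been altered, and let failed transfers disappear. The block below is an added illustration of one way to close those gaps, not code from the presentation or from the affected institution: each transfer row carries an HMAC over the fields the application acts on, the application refuses rows whose MAC no longer matches, and refusals are queued for review rather than dropped. The key, field names, account identifiers and amounts are constructed for the example.

```python
import hashlib
import hmac
import json

# Placeholder key so the example runs offline. In production the key is held
# outside the database (HSM or key management service); if it sat beside the
# rows, whoever could alter a row could also re-seal it.
INTEGRITY_KEY = b"placeholder-key-replace-me"

# The fields the application relies on when it moves money (assumed schema).
PROTECTED_FIELDS = ("transfer_id", "from_acct", "to_acct", "amount_cents", "currency")


def canonical(record):
    """Deterministic byte encoding of the protected fields, so the same row
    always produces the same MAC regardless of column order or whitespace."""
    subset = {k: record[k] for k in PROTECTED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key=INTEGRITY_KEY):
    """Return a copy of the record with a MAC over its protected fields."""
    sealed = dict(record)
    sealed["mac"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return sealed


def verify(record, key=INTEGRITY_KEY):
    """True only if the protected fields still match the stored MAC."""
    expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("mac", ""))


def process_transfer_blind(row):
    """'Blind' use of the row: whatever the database currently says is acted on."""
    return ("sent", row["to_acct"], row["amount_cents"])


def process_transfer_checked(row, review_queue):
    """Refuse rows whose MAC no longer matches and queue them for a human, so a
    failed transfer is followed up instead of vanishing."""
    if not verify(row):
        review_queue.append({"transfer_id": row["transfer_id"],
                             "reason": "integrity check failed"})
        return ("rejected", row["transfer_id"])
    return ("sent", row["to_acct"], row["amount_cents"])


def demo():
    """Seal a transfer, change its destination directly in the stored row (as a
    database-level edit would), then process it both ways."""
    original = seal({"transfer_id": 1001, "from_acct": "ACC-1", "to_acct": "ACC-2",
                     "amount_cents": 12500, "currency": "GBP"})
    tampered = dict(original)
    tampered["to_acct"] = "ACC-9"   # row edited in place; MAC left as it was
    queue = []
    return {
        "blind": process_transfer_blind(tampered),
        "checked_tampered": process_transfer_checked(tampered, queue),
        "checked_original": process_transfer_checked(original, queue),
        "review_queue": queue,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A per-row MAC catches edits to the protected fields; it does not by itself catch a valid old row being replayed or a row being deleted, which needs a sequence number or an append-only audit log alongside. The review queue is the point the slide makes about failed transfers: a rejection that nobody looks at is only marginally better than a transfer that went through.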








How could things have been Done? (Means of Reducing Exposure)
•  Fundamentally – An awareness of Account Data
     –  Review & revise data retention policies.
     –  Know where the stuff is. (Get Rid)
•  Regular & thorough testing of external attack surfaces.
     –  Reputable companies (not always the big players).
     –  Speak with your peers (word of mouth is invaluable).
•  Log retention is great! Log review is better! Both are needed.
•  Review & revise network architecture designs.
•  Review & revise system build policies (including password
   policies).

None of this is new and should sound familiar
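The deck's point that logs were collected (4.5 billion events) but never reviewed, and that the initial vector was SQL injection, is illustrated here with an added example of the kind of review that would have surfaced it; this is not code from the presentation or from Foregenix. It walks Combined Log Format web-server lines one at a time, URL-decodes each request and flags the usual SQL-injection indicators, and separately counts 5xx responses per client, since a burst of server errors from one source next to indicator hits is the pattern a routine review catches. The log lines are constructed (RFC 5737 documentation addresses, fictional paths) and the indicator list is an assumed starting set, not an exhaustive one.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample in Combined Log Format; not taken from any real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2010:10:01:02 +0000] "GET /login.aspx?user=alice HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2010:10:01:05 +0000] "GET /balance.aspx?acct=1234 HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2010:10:02:11 +0000] "GET /login.aspx?user=alice%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 812 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2010:10:02:13 +0000] "GET /login.aspx?user=alice%27%20UNION%20SELECT%20null,null-- HTTP/1.1" 500 812 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2010:10:02:15 +0000] "GET /login.aspx?user=alice%27%20AND%201%3D1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2010:10:03:00 +0000] "POST /transfer.aspx HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Checked against the URL-decoded request; listed in the order they are reported.
INDICATORS = [
    ("union-select",   re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I)),
    ("quoted-boolean", re.compile(r"'\s*(?:or|and)\b", re.I)),
    ("sql-comment",    re.compile(r"--|/\*")),
    ("schema-probe",   re.compile(r"information_schema", re.I)),
]


def parse_line(line):
    """Split one log line into its fields; None for lines that do not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded_path"] = unquote_plus(rec["path"])   # %27 -> ', %20 -> space
    return rec


def review_log(text):
    """One pass over the log; one finding per request carrying indicators.
    Line-by-line so the same loop can stream a file too large to load."""
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        hits = [name for name, rx in INDICATORS if rx.search(rec["decoded_path"])]
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                             "path": rec["decoded_path"], "indicators": hits})
    return findings


def server_errors_by_source(text):
    """Count 5xx responses per client address."""
    errors = Counter()
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec and 500 <= rec["status"] < 600:
            errors[rec["ip"]] += 1
    return errors


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], ",".join(f["indicators"]), f["path"])
    print(dict(server_errors_by_source(SAMPLE_LOG)))
```

On the sample, three of the six requests are flagged, all from the same client, and that client also accounts for both server errors. The value is not in the regexes, which any web application firewall carries, but in someone actually running the review over retained logs on a schedule and acting on the output.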




 PCI Prioritised Approach.....!
 Also supported by the VISA Technology Innovation Program!








Means of Reducing Exposure
•  Fundamentally – An awareness of Account Data                     [Milestone #1]
    –  Review & revise data retention policies.
    –  Know where the stuff is. (Get Rid)
•  Regular & thorough testing of external attack surfaces.          [Milestone #2 / #6]
    –  Reputable companies (not always the big players).
    –  Speak with your peers (word of mouth is invaluable).
•  Log retention is great! Log review is better! Both are needed.   [Milestone #4 / #6]
•  Review & revise network architecture designs.                    [Milestone #1 / #2]
•  Review & revise system build policies (including password
   policies).                                                       [Milestone #2 / #3 / #4]




Summary

•    Identify, remove / protect your sensitive data
•    Segment / scope the network
•    Regularly: Test & Review
•    Maintain full logs (pointless if they are never reviewed)
•    Define, build and test an incident response plan
•    Build a partnership with a security business to
     independently review








Stay Safe & Risk Aware




             www.foregenix.com




