At the moment it seems like there's a breach announcement pretty much every day. And this year, there's been a big focus on retail breaches. Rather than pick on Home Depot or any of the other 1,555 breaches that have been documented this year, we want to break down how miscreants typically get into retail chains. While we don't know exactly what happened at Home Depot—yet—the method below is a pretty typical path of attack.
If you are at all familiar with PCI, you already know and appreciate this attack pattern. For those who haven't worked to protect payment cards, this is for you.
At the highest possible level, let's break down how attackers get in, get low, get wide access, stay quiet, then move and monetize their loot.
First, we should probably reframe your image of the attacker. This isn't a teenager hacking in his mom's basement, wearing a ski mask in the dark. Think of these attackers as business professionals. Just because they don't file tax returns on their paychecks doesn't mean they are not well organized, highly motivated, work with carefully vetted business partners.
Next, let's reconsider the attackers business model. Attacker ROI, or return on investment, is measured against risk and reward. In everyday business, we talk about won and lost sales, damaged relationships. Failed attacks often translate to jail time. Attackers seek to gather the maximum number of cards, as quietly as possible, and once they've gathered them, to move and sell them as efficiently as possible.
We continue with where attackers focus their energy.
Ignoring the initial entry point - it's a shame that there is no central repository for this information to be shared beyond the Verizon DBIR, I will blog about that another day. While we can acknowledge there are a number of routes in, and what do I have to offer the “People's Republic of Metasploit” on how to find a way into a network?
When you picture a major retailer, think about how many stores are in each town, in each state, in each country. Each of those stores is kind of like an island with no local IT support. That said, they do have access to network services, payment authorization, inventory and pricing updates, sales telemetry, and system updates for the point of sale and store management system—a treasure trove.
Once the attacker is on a network - the CLI command ‘whoami' is almost funny in light of the questions a successful attack must answer. What is the architecture and version of OS running? What defenses are running? How are configurations managed and deployed, what is the best way to maximize control on the network while keeping a low profile?
Even if I shouldn't, I often take this line of thought back to Oceans 11, there was this fun exchange over a poker table.
Topher Grace: Mr Ocean, what do you do for a living? If you don't mind me asking.
Danny: Why would I mind you asking? Two cards. I just got out of prison.
Topher Grace: Really?
Joshua Jackson: Well why were you in prison?
Danny: I stole things.
Shane West: You stole things? Like jewels?
Rusty: Incan matrimonial headmasks.
Shane West: Any money in those? Incan matrimonial
Danny: Headmasks. There's some.
Rusty: Don't let him fool you, there's boatloads. If you can move them. I'll take one. But you can't.
Danny: My fence seemed confident enough.
Rusty: Dealing in cash you don't need a fence.
Part of crime is in gathering something of value that doesn't belong to you. We call it stealing. The business challenge for our attacker here is that they have to MOVE the merchandise to monetize it. Credit cards are about as close as a ‘cyber criminal' can get without breaking into a bank and moving cash.
Once the attacker has siphoned credit card out of the retail chain, they will organize the cards and move them to sell. Once the cards start being used fraudulently, the clock starts ticking - the banks will be watching fraud alerts to triangulate the “common point of purchase” - where the breach occurred.
Credit cards have clear value, and are fast and efficient to monetize. With just four bits of information, value can be extracted whether in person or remotely.
- In person (card present transactions): miscreants need magnetic track data.
- Remote (card not present transactions): miscreants need the account number, expiration, CVV2/CVC verification code and a zip code.
- Note - the “verification code” is not included in the data stolen from compromised Point of Sale systems (e.g. Target, Nieman Marcus, Home Depot)
Attackers can create a fake (complete or partial) physical credit card and use it to buy gift cards, or large ticket items from big box stores. (Have you ever stopped to wonder where those large troves of expensive electronics at unbelievably low prices really come from on Craigslist?)
No, but seriously...WHY?
Like any water or any other business, attackers follow the path of least resistance. As organizations improve their security - other become targets. This can be hard to explain to executives, but asking the question ‘are we doing enough' cannot be answered by discussing current patching activities, or other programmatic program data points.
I believe this continues to happen because security investment has been focused on prevention, not detection and response.
As long as your business is handling high-value, or high-sensitivity data, products, or services—you will be a target. Your company will be observed, tracked, and tested… and this can be hard to prove. Worse still, you won't necessarily know when this has happened.
Unlike physical artifacts (broken locks or windows and stolen or missing inventory), digital assets can be copied. Best case scenario: You may have logs indicating the activity… if you're looking for them.
We face similar challenges. Prioritizing projects, relying upon borrowed resources, burning political capital for favors and escalations.
Technology evolves, which makes this game of cat and mouse hard. What's more is that there is no vetted, agreed upon, widely tried and tested framework for non-technical reporting on the health/status/performance of a security program.
At least not yet.
[UPDATE Sept 9: We've created an infographic to accompany this blog post--you can view the graphic here: Timeline of a Retail Credit Card Breach]