4 Phases of a POS Attack and Countermeasures to Protect Against Each

August 3, 2016

In another example of a data breach, Wendy’s in early July publicly identified over 1,000 U.S. franchised locations that were affected by two variants of point-of-sale (POS) malware discovered in May. SC Magazine reported that the disclosed information “sheds new light on a previous warning from the fast-food giant that the true number of compromised locations were ‘considerably higher’ than the 300 originally estimated.”

Wendy’s confirmed that there were two variants of malware that stole specific payment card information, including cardholder names, credit and debit card numbers, expiration dates, cardholder verification values and service codes.

The attacks began back in late fall 2015, and both variants of malware were introduced into Wendy’s POS systems via a compromised third-party vendor’s credentials.

As POS data breaches become increasingly common, secure network access becomes essential. I don’t often write about how our technology applies, but in this instance I want to highlight the stages of a POS breach at which AppGate, our network access software, can block the adversary.

4 Stages of a POS Breach and AppGate Countermeasures

Generally, there is some consistency in the methodology used by hackers targeting POS systems. According to a report issued by Trustwave Holdings in 2013, the phases include infiltration, propagation, aggregation, and exfiltration.

Phase 1: Infiltration

The infiltration phase is where the attacker conducts reconnaissance to find and exploit an access point. There are a variety of methods an attacker can use to gain access to a corporate network. They can look for weaknesses in external-facing systems, such as using SQL injection on a web server or finding a peripheral device that still uses the default manufacturer password. Alternatively, they can attack from within by sending a spear-phishing email to an individual within the organization. The spear-phishing email could contain a malicious attachment or a link to a website that installs a back door program onto the victim’s computer. In the case of Wendy’s, the attackers obtained access through compromised third-party credentials, which is a very common (and unfortunately effective) vulnerability.

AppGate blocks the attacker at the infiltration phase by enforcing multi-factor authentication and dynamically checking contextual variables to determine and limit access. AppGate also restricts network access by insiders, privileged users, or third parties to only those services needed for business use – all other network services are hidden and inaccessible.

Phase 2: Propagation

Once inside the network, the attackers’ next step is to gain access to their ultimate targets–the POS systems. Attackers will typically use a variety of tools to map out the network to locate systems within the card data environment (CDE). While they may exploit vulnerabilities or use other techniques to gain access to these systems, often the simplest method of gaining access is by obtaining user credentials. User credentials may be obtained through keylogging Trojans, password-hash extraction, cracking, and/or replaying captured login sequences, or even brute force password attacks. Eventually, the attackers may obtain administrative-level credentials. The attackers may even gain control of a domain controller, giving them full access to all computers in the network. Once in control, they can then gain access to the CDE even if it is in a segmented network by using network and data pathways established for existing business purposes. Once inside the CDE, they can then install malware which allows them to steal card data from the POS systems.

AppGate blocks the attacker at the propagation phase by restricting POS system access from the internet by applying dynamic firewalls with a default-deny rule that drops all traffic except from users that are explicitly allowed. AppGate also isolates critical services, such as file, mail, web, and database servers, on separate logical segments, creating strict network segmentation, for example for PCI Cardholder Data Environments. AppGate can also enforce multi-factor authentication prior to access, to minimize the risk of stolen credentials.

Phase 3: Aggregation

After the infiltration phase, attackers often consolidate data from compromised target systems onto an aggregated location, in advance of exfiltrating the data. This is an optional step, but one that attackers may take to avoid directly connecting from high-value assets to the Internet, which may raise security alerts. Aggregation may take the form of simple consolidation, or may take more complex steps to disguise or encrypt the data.

AppGate impedes aggregation by enforcing strict, fine-grained segmentation of servers and ensuring that user context is taken into consideration before allowing access. Policies can prevent user access from off-network IP addresses or at abnormal hours, or at least require multi-factor authentication. All of these make aggregation more difficult for an attacker.
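The countermeasures described for the infiltration, propagation and aggregation phases share one model: every service is hidden and denied by default, a user sees only the services their role is entitled to, and contextual checks (source network, time of day, whether MFA was completed) gate access to the cardholder data environment. The following is an added illustration of that decision logic, not AppGate’s code or policy language; the roles, service names, network ranges and business-hours window are constructed assumptions.

```python
"""Context-aware, default-deny access decisions (illustrative model, not a product engine)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Constructed entitlements: each role sees only the services it needs for business use.
# Anything not listed here is invisible and denied (default deny).
ROLE_SERVICES: Dict[str, Set[str]] = {
    "pos-admin": {"cde-pos-gateway", "cde-db"},
    "store-manager": {"intranet-portal"},
    "hvac-vendor": {"hvac-controller"},      # third party: one service, never the CDE
}

CORPORATE_NETS = [ip_network("10.0.0.0/8")]   # assumed on-network source ranges
BUSINESS_HOURS = range(7, 20)                 # 07:00 to 19:59, assumed policy window


@dataclass
class Request:
    user: str
    role: str
    service: str
    src_ip: str
    when: datetime
    mfa_passed: bool


def on_network(ip: str) -> bool:
    """True when the source address falls inside an assumed corporate range."""
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def decide(req: Request) -> Tuple[str, str]:
    """Evaluate one access request and return (decision, reason).

    Rules, in order:
      1. The role must be entitled to the service; otherwise the service does not
         exist from the caller's point of view (the "hidden service" property).
      2. Off-network sources must have passed MFA for any service.
      3. CDE services additionally require MFA and a business-hours time of day.
    """
    if req.service not in ROLE_SERVICES.get(req.role, set()):
        return "deny", "service not entitled for role"
    if not on_network(req.src_ip) and not req.mfa_passed:
        return "deny", "off-network access requires MFA"
    if req.service.startswith("cde-"):
        if not req.mfa_passed:
            return "deny", "CDE access requires MFA"
        if req.when.hour not in BUSINESS_HOURS:
            return "deny", "CDE access outside business hours"
    return "allow", "entitled; context checks passed"


def audit_records(requests: List[Request]) -> List[dict]:
    """Decisions enriched with user and context: the kind of record a SIEM can correlate."""
    out = []
    for r in requests:
        decision, reason = decide(r)
        out.append({
            "time": r.when.isoformat(), "user": r.user, "role": r.role,
            "service": r.service, "src_ip": r.src_ip,
            "on_network": on_network(r.src_ip), "mfa": r.mfa_passed,
            "decision": decision, "reason": reason,
        })
    return out


if __name__ == "__main__":
    # Constructed sample requests: a legitimate admin, a vendor credential aimed at
    # the CDE, and a stolen admin credential used off-network at 03:00 without MFA.
    samples = [
        Request("alice", "pos-admin", "cde-db", "10.1.2.3", datetime(2016, 8, 3, 10, 0), True),
        Request("hvacco", "hvac-vendor", "cde-db", "10.1.2.3", datetime(2016, 8, 3, 10, 0), True),
        Request("alice", "pos-admin", "cde-db", "203.0.113.5", datetime(2016, 8, 3, 3, 0), False),
    ]
    for rec in audit_records(samples):
        print(rec)
```

Note that the vendor credential is refused before any context check runs: the CDE service is simply not part of its entitlement set, which is what keeps a compromised third-party login from being a path into the card environment.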

Phase 4: Exfiltration

After the desired information is collected, the attackers will use one or more mechanisms to extract the data to an external location. This step is where a security monitoring system, such as a SIEM, is useful – extracting large amounts of data should be readily detectable by these types of systems.

While AppGate doesn’t have a direct role to play in stopping data exfiltration, it is part of a sound defense in depth approach. AppGate will make it much more difficult for an attacker to obtain data to exfiltrate in the first place. AppGate also complements other security solutions, such as SIEMs, by feeding them detailed information about users, context, and network activity, enabling them to more quickly and accurately detect malicious behavior.
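The two detection opportunities named above, a large outbound transfer standing out against a host’s normal volume, and a high-value CDE host connecting straight to the Internet rather than through an aggregation point, can be expressed as simple rules over per-day flow summaries. The following is an added example of that detection logic, not code from the original post or from any SIEM product; the flow records, address ranges and thresholds are constructed.

```python
"""Exfiltration indicators over daily flow summaries (illustrative detection logic)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
from typing import Dict, List, Tuple

INTERNAL_NETS = [ip_network("10.0.0.0/8")]     # assumed internal address space
CDE_NET = ip_network("10.50.0.0/16")           # assumed cardholder data environment

# Constructed flow summaries: (day, src_ip, dst_ip, bytes_sent). Days 1-5 are
# normal business traffic; day 6 contains a staged aggregation and an exfiltration.
FLOWS: List[Tuple[str, str, str, int]] = [
    ("2016-07-01", "10.50.1.10", "10.20.0.5", 2_100_000),
    ("2016-07-02", "10.50.1.10", "10.20.0.5", 1_900_000),
    ("2016-07-03", "10.50.1.10", "10.20.0.5", 2_000_000),
    ("2016-07-04", "10.50.1.10", "10.20.0.5", 2_200_000),
    ("2016-07-05", "10.50.1.10", "10.20.0.5", 1_800_000),
    ("2016-07-06", "10.50.1.10", "10.20.0.5", 480_000_000),   # POS host dumps data to a staging box
    ("2016-07-01", "10.50.1.11", "10.20.0.5", 1_500_000),
    ("2016-07-02", "10.50.1.11", "10.20.0.5", 1_500_000),
    ("2016-07-03", "10.50.1.11", "10.20.0.5", 1_500_000),
    ("2016-07-04", "10.50.1.11", "10.20.0.5", 1_500_000),
    ("2016-07-05", "10.50.1.11", "10.20.0.5", 1_500_000),
    ("2016-07-06", "10.50.1.11", "10.20.0.5", 1_600_000),     # slight, benign variation
    ("2016-07-01", "10.20.0.5", "198.51.100.7", 5_000_000),
    ("2016-07-02", "10.20.0.5", "198.51.100.7", 5_200_000),
    ("2016-07-03", "10.20.0.5", "198.51.100.7", 4_800_000),
    ("2016-07-04", "10.20.0.5", "198.51.100.7", 5_100_000),
    ("2016-07-05", "10.20.0.5", "198.51.100.7", 4_900_000),
    ("2016-07-06", "10.20.0.5", "198.51.100.7", 600_000_000),  # staging box pushes it out
    ("2016-07-06", "10.50.1.12", "198.51.100.7", 20_000),      # CDE host talks to the Internet directly
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def daily_outbound(flows) -> Dict[str, Dict[str, int]]:
    """Sum bytes sent per source host per day."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, nbytes in flows:
        totals[src][day] += nbytes
    return totals


def volume_spikes(flows, day: str, sd_factor: float = 3.0, ratio: float = 3.0):
    """Hosts whose outbound volume on `day` is both statistically and materially
    above their own history. The ratio test stops a host with a perfectly flat
    baseline (standard deviation zero) from alerting on a trivial increase."""
    hits = []
    for host, per_day in daily_outbound(flows).items():
        today = per_day.get(day)
        history = [b for d, b in per_day.items() if d < day]   # ISO dates sort as strings
        if today is None or len(history) < 3:
            continue                                            # not enough baseline to judge
        base_mean, base_sd = mean(history), pstdev(history)
        if today > base_mean + sd_factor * base_sd and today > ratio * base_mean:
            hits.append((host, today, base_mean))
    return hits


def cde_direct_to_internet(flows, day: str) -> List[Tuple[str, str, int]]:
    """CDE hosts sending to non-internal destinations, regardless of volume."""
    return [(src, dst, nbytes) for d, src, dst, nbytes in flows
            if d == day and ip_address(src) in CDE_NET and not is_internal(dst)]


def exfil_candidates(flows, day: str) -> dict:
    return {"volume_spikes": volume_spikes(flows, day),
            "cde_to_internet": cde_direct_to_internet(flows, day)}


if __name__ == "__main__":
    for kind, items in exfil_candidates(FLOWS, "2016-07-06").items():
        print(kind)
        for item in items:
            print("   ", item)
```

Both the POS host’s transfer to the staging box and the staging box’s transfer to the outside are flagged by the volume rule, while the host whose traffic only drifted by a few percent is not; the small direct CDE-to-Internet connection is caught by the policy rule alone, which is why the two checks are kept separate.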

Additional Benefits: Reducing the Work Required to Comply with PCI DSS

AppGate can also reduce the scope of the PCI audit for companies that handle credit card data. This reduces audit workload.

1. Reduce PCI Scope:

According to the PCI DSS version 3.0, segmenting may reduce:

  • The scope of the PCI DSS assessment
  • The cost of the PCI DSS assessment
  • The cost and difficulty of implementing and maintaining PCI DSS controls
  • The risk to an organization by consolidating cardholder data into fewer, more controlled locations

AppGate can be used to isolate the PCI environment and control access, reducing the scope of PCI audits.

2. Reduce Work to Produce PCI Audit Reports:

AppGate’s reporting features reduce the amount of work necessary to demonstrate that only authorized users had access to the CDE. Instead of correlating IP addresses to CDE access, AppGate produces a CDE access report with user information that is pre-correlated. This reduces the work required to produce reports that demonstrate PCI compliance.
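To make concrete what “correlating IP addresses to CDE access” involves when a gateway does not do it for you, the following added example joins a session log (which user held which source address, and when) against a firewall log of connections admitted into the CDE, producing the user-attributed report an assessor asks for. It is not AppGate’s report format or code; the two log formats and all entries are constructed, and the same address being reused by two users in one day is included deliberately, since that is the case a naive IP-to-user lookup gets wrong.

```python
"""Attribute CDE access records to users by joining them with gateway session logs."""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed gateway session log (key=value pairs after an ISO timestamp).
SESSION_LOG = [
    "2016-08-03T08:55:00 session=start user=alice ip=10.10.0.5",
    "2016-08-03T12:00:00 session=end user=alice ip=10.10.0.5",
    "2016-08-03T12:30:00 session=start user=bob ip=10.10.0.5",   # same address reassigned to bob
    "2016-08-03T18:00:00 session=end user=bob ip=10.10.0.5",
]

# Constructed CDE firewall log: connections admitted into the cardholder data environment.
CDE_ACCESS_LOG = [
    "2016-08-03T09:15:00 src=10.10.0.5 dst=10.50.1.10 dport=22 action=allow",
    "2016-08-03T13:05:00 src=10.10.0.5 dst=10.50.1.11 dport=3389 action=allow",
    "2016-08-03T20:00:00 src=10.10.0.5 dst=10.50.1.10 dport=22 action=allow",   # nobody logged in
    "2016-08-03T14:00:00 src=10.10.0.9 dst=10.50.1.11 dport=443 action=allow",  # address with no session
]

Session = Tuple[str, str, datetime, Optional[datetime]]   # user, ip, start, end (None = still open)


def parse_line(line: str) -> Tuple[datetime, Dict[str, str]]:
    """Split '<timestamp> k=v k=v ...' into a datetime and a field dict."""
    ts, *pairs = line.split()
    return datetime.fromisoformat(ts), dict(p.split("=", 1) for p in pairs)


def build_sessions(lines: List[str]) -> List[Session]:
    """Pair each session start with its end for the same (user, ip)."""
    open_sessions: Dict[Tuple[str, str], datetime] = {}
    sessions: List[Session] = []
    for line in lines:
        ts, kv = parse_line(line)
        key = (kv["user"], kv["ip"])
        if kv["session"] == "start":
            open_sessions[key] = ts
        elif kv["session"] == "end" and key in open_sessions:
            sessions.append((kv["user"], kv["ip"], open_sessions.pop(key), ts))
    for (user, ip), start in open_sessions.items():
        sessions.append((user, ip, start, None))   # still logged in: open-ended interval
    return sessions


def attribute(src_ip: str, ts: datetime, sessions: List[Session]) -> str:
    """Return the user whose session covered src_ip at time ts, else 'UNKNOWN'."""
    for user, ip, start, end in sessions:
        if ip == src_ip and start <= ts and (end is None or ts <= end):
            return user
    return "UNKNOWN"


def cde_access_report(session_lines: List[str], access_lines: List[str]) -> List[Dict[str, str]]:
    """One row per CDE connection, attributed to a user, sorted by time.
    Rows marked UNKNOWN are the ones an assessor will want explained."""
    sessions = build_sessions(session_lines)
    rows = []
    for line in access_lines:
        ts, kv = parse_line(line)
        rows.append({"time": ts.isoformat(), "user": attribute(kv["src"], ts, sessions),
                     "src": kv["src"], "dst": kv["dst"], "dport": kv["dport"]})
    rows.sort(key=lambda r: r["time"])
    return rows


if __name__ == "__main__":
    for row in cde_access_report(SESSION_LOG, CDE_ACCESS_LOG):
        print("{time}  {user:<8} {src:<12} -> {dst}:{dport}".format(**row))
```

The two UNKNOWN rows are the point of the exercise: one is an access from an address nobody had checked out at that time, the other from an address with no session at all. Either is a finding to chase down, and the amount of log-joining needed to surface them is the work the post says a pre-correlated report removes.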

AppGate is a powerful tool that can help in a POS data breach and with PCI compliance.


Leo Taddeo
Chief Security Officer

Leo Taddeo is the Chief Security Officer (CSO) for Cryptzone, a provider of dynamic, context-aware network, application and content security solutions. Taddeo, former Special Agent in Charge of the Special Operations/Cyber Division of the FBI’s New York Office, is responsible for analyzing the cybersecurity market to help shape Cryptzone’s vision for security solutions. Taddeo provides deep domain insight into the techniques, tactics and procedures used by cybercriminals, to help Cryptzone continue to develop disruptive solutions that enable customers to defend against advanced threats and breaches.

Prior to Cryptzone, Taddeo led more than 400 agents and professional support staff in cyber investigations, surveillance operations, information technology support and crisis management for the FBI. He oversaw high profile cases, including Silk Road, Blackshades and JP Morgan.

Previously, Taddeo served as a Section Chief in the International Operations Division, where he managed FBI operations in Africa, Asia and the Middle East. Taddeo has held various roles of increasing responsibilities in the field, including supervising a joint FBI/New York City Police Department Joint Terrorism Task Force and serving as the Legal Attaché in Rome, Italy.

After receiving his degree in applied physics from Rensselaer Polytechnic Institute in 1987, Taddeo served as a tank officer in the U.S. Marine Corps. In 1991, he was awarded a Purple Heart and Bronze Star Medal for valor for service in the Gulf War. Taddeo then earned a Juris Doctor from St. John’s University and joined the New York law firm of Mound, Cotton & Wollan, where he practiced civil litigation until entering the FBI.

Taddeo is a graduate of the CISO Executive Program at Carnegie Mellon University. He also maintains the Certified Information Systems Security Professional (CISSP) and GIAC Certified Incident Handler certifications.