Network Analysis of Point of Sale System Compromises Operation Terminal Guidance Chicago Electronic & Financial Crimes Task Force U.S. Secret Service
Outline
• Background
• Hypothesis
• Deployment Methodology
• Data Analysis
• Findings
• Discussion
Investigative Goals
• Hypothesis: Remote attackers were not targeting point of sale (POS) system software; rather, POS system compromises result from insecure deployment of the underlying operating system, discovered and exploited through automated scanning and vulnerability exploitation
Deployment Methodology
[Network diagrams: Control Group Honeynet and Test Group Honeynet. Labelled components: ADSL Router/Modem (68.166.251.x), Honeywall (eth0/eth1 bridged to host, 0.0.0.0), Firewall (192.168.1.1), three virtual Point of Sale systems (192.168.1.x), Remote Management interfaces on 10.10.1.x (eth2 / VMnet 4), VMnet 0, VMnet 2 and VMnet 3, and a Honeytoken. Each server represents a virtual machine.]
Data Analysis
[Bar chart: Control Group Connection Attempts by port. Y axis: Connection Frequency (Percentage), 0 to 0.3. Series: POS A, POS B, POS C. X axis (Ports): 1026, 1027, 1028, 135, 5901, 445, 139, 80.]
Data Analysis
[Bar chart: Test Group Connection Attempts by port. Y axis: Connection Frequency (Percentage), 0 to 0.4. Series: POS A, POS B, POS C. X axis (Ports): 135, 139, 445, 1026, 1394, 5017, 5900.]
Data Analysis
• Association rules – Clustering
  – T: Number of virtual POS systems with connection attempts from a single source
  – n_i: Number of packets from a source to a virtual POS system
  – N: Total number of packets from a source to all three POS systems
  – N = Σ n_i
  – Support(R) = # connections (POS system A, B, and C) / # connections
Data analysis methodology from F. Pouget and M. Dacier, "Honeypot Based Forensics."
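The clustering step above can be reproduced from raw connection records. The following is an added example, not code from the presentation or the Pouget and Dacier paper: it builds the (T, N, n_i) profile for every source on every port, groups sources that share the same item set, and computes support as the share of sources on that port that fall into the cluster. The connection records, IP addresses (198.51.100.0/24 documentation space) and the 1% threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample connection records (not data from the Secret Service study):
# (source IP, virtual POS honeypot contacted, destination port, packets seen)
SAMPLE_CONNECTIONS = [
    ("198.51.100.7",  "POS A", 445, 1),
    ("198.51.100.7",  "POS B", 445, 1),
    ("198.51.100.8",  "POS A", 445, 1),
    ("198.51.100.8",  "POS C", 445, 1),
    ("198.51.100.9",  "POS A", 445, 1),
    ("198.51.100.9",  "POS B", 445, 2),
    ("198.51.100.12", "POS C", 445, 1),
    ("198.51.100.20", "POS A", 1026, 1),
    ("198.51.100.20", "POS B", 1026, 1),
    ("198.51.100.20", "POS C", 1026, 1),
    ("198.51.100.21", "POS A", 1026, 2),
    ("198.51.100.21", "POS A", 1026, 1),  # second flow from the same source to POS A
]


def profile_sources(connections):
    """Per (port, source IP): n_i per honeypot, T = honeypots touched, N = sum of n_i."""
    per_source = defaultdict(lambda: defaultdict(int))
    for src, pos, port, packets in connections:
        per_source[(port, src)][pos] += packets
    profiles = {}
    for key, counts in per_source.items():
        profiles[key] = {"T": len(counts), "N": sum(counts.values()), "n": dict(counts)}
    return profiles


def cluster_by_itemset(connections):
    """Group sources that share the same item set (port, T, N).

    Support is the share of all sources seen on that port that fall into the
    cluster, mirroring Support(R) = # connections (POS A, B, C) / # connections.
    """
    profiles = profile_sources(connections)
    sources_per_port = defaultdict(int)
    members = defaultdict(list)
    for (port, src), p in profiles.items():
        sources_per_port[port] += 1
        members[(port, p["T"], p["N"])].append(src)
    clusters = {}
    for (port, t, n), srcs in members.items():
        clusters[(port, t, n)] = {
            "members": sorted(srcs),
            "support": len(srcs) / sources_per_port[port],
        }
    return clusters


def significant_clusters(clusters, min_support=0.01):
    """Keep only clusters whose support exceeds the threshold (the slides use 1%)."""
    return {k: v for k, v in clusters.items() if v["support"] > min_support}


if __name__ == "__main__":
    kept = significant_clusters(cluster_by_itemset(SAMPLE_CONNECTIONS))
    for (port, t, n), c in sorted(kept.items()):
        print(f"port {port:<5} T={t} N={n:<3} support={c['support']:.1%} members={c['members']}")
```

With the constructed records, two sources on port 445 share the item set T=2, N=2 and form one cluster with 50% support, while the single source that touched all three honeypots on port 1026 (T=3, N=3) forms its own cluster; the same structure appears in the control and test group tables that follow.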
Data Analysis – Control Group Clusters

Port   Item Sets                         Support %   Support % > 1%
80     Cluster 1: T=1, N=3               43.5%       1
       Cluster 2: T=1, N=1               10.9%
       Cluster 3: T=2, N=8 (n=5, n=3)    4.3%
135    Cluster 4: T=1, N=1               54.5%       2
       Cluster 5: T=1, N=2               22%
139    Cluster 6: T=1, N=2               75%         1
       Cluster 7: T=1, N=3               10.1%
445    Cluster 8: T=1, N=1               20%         2
       Cluster 9: T=1, N=2               70%
       Cluster 10: T=1, N=3              7.1%
1026   Cluster 11: T=1, N=1              53.5%       1
1027   Cluster 12: T=1, N=1              98%         1
1028   Cluster 13: T=1, N=1              83%         1
5901   Cluster 14: T=1, N=2              90.9%       1
Data Analysis – Test Group Clusters

Port   Item Sets                                  Support %   Support % > 1%
445    Cluster 1: T=2, N=34                       22.2%       0
1026   Cluster 2: T=2, N=3                        1.8%        2
       Cluster 3: T=3, N=3 (n=1, n=1, n=1)        20%
       Cluster 4: T=1, N=1                        50.9%
1394   Cluster 5: T=1, N=12                       20%         3
       Cluster 6: T=1, N=15                       16.7%
       Cluster 7: T=1, N=6                        1.7%
       Cluster 8: T=1, N=9                        16.7%
2967   Cluster 9: T=3, N=8 (n=2, n=3, n=3)        10%         0
       Cluster 10: T=3, N=30 (n=10, n=10, n=10)   10%
5900   Cluster 11: T=3, N=3                       20%         0
Data Analysis
• Edit Distance Analysis
  – Extract TCP payloads from previously identified cluster members
  – Compare packets from each IP address against all others identified through clustering
[Figure: hex/ASCII dumps of sample TCP payloads from Source A and Source B, each beginning with "<mss", labelled "Attack Phrases".]
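The pairwise comparison described above, as an added example that is not part of the presentation: a Levenshtein edit distance over each cluster member's payload against every other member's, with the mean and standard deviation reported the way the phrase-distance tables that follow do. The payloads and source addresses are constructed, not captured traffic; the distance is computed over bytes by default and over lines when asked (the slides report distance in lines), and the standard deviation is the population standard deviation, both of which are this example's choices rather than the study's stated method.

```python
import statistics
from itertools import combinations

# Constructed sample payloads standing in for one cluster's members
# (not captured traffic from the honeynet).
SAMPLE_PAYLOADS = {
    "198.51.100.7": b"GET / HTTP/1.0\r\n",
    "198.51.100.8": b"GET / HTTP/1.1\r\n",
    "198.51.100.9": b"GET /index.html HTTP/1.0\r\n",
}


def levenshtein(a, b):
    """Edit distance between two sequences (bytes, str, or a list of lines).

    Classic two-row dynamic programme: insertions, deletions and substitutions
    each cost 1, so the result is the minimum number of edits turning a into b.
    """
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete x
                           cur[j - 1] + 1,         # insert y
                           prev[j - 1] + (x != y)))  # substitute (free if equal)
        prev = cur
    return prev[-1]


def pairwise_distances(payloads, unit="bytes"):
    """Compare each member's payload against every other member's, once per pair."""
    out = {}
    for (src_a, pa), (src_b, pb) in combinations(payloads.items(), 2):
        if unit == "lines":
            pa, pb = pa.splitlines(), pb.splitlines()
        out[(src_a, src_b)] = levenshtein(pa, pb)
    return out


def phrase_distance_stats(payloads, unit="bytes"):
    """Mean and (population) standard deviation of the pairwise distances."""
    d = list(pairwise_distances(payloads, unit).values())
    return statistics.mean(d), statistics.pstdev(d)


if __name__ == "__main__":
    for pair, dist in pairwise_distances(SAMPLE_PAYLOADS).items():
        print(f"{pair[0]} vs {pair[1]}: {dist} byte edits")
    mean, sd = phrase_distance_stats(SAMPLE_PAYLOADS)
    print(f"phrase distance: mean={mean:.1f} std dev={sd:.1f}")
```

A low mean with a low standard deviation says the cluster's members are sending near-identical payloads, the signature of one automated tool; a large standard deviation, as in the test-group 1394 clusters below, says the item set has grouped sources whose traffic differs, which is the case the slides discard as not significant.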
Data Analysis – Control Group Phrase Distance

Cluster      Port   Phrase Distance (Lines)   Std Deviation
Cluster 6    139    2                         9
Cluster 7    139    1                         5
Cluster 8    445    3                         10
Cluster 9    445    5                         8
Cluster 10   445    4                         18
Cluster 11   1026   86                        169
Cluster 13   1028   12                        65
Cluster 14   5901   32                        12
***Clusters 1, 2, 3, 4, 5, and 12 were discarded as not statistically significant
Data Analysis – Test Group Phrase Distance

Cluster      Port   Phrase Distance (Lines)   Std Deviation
Cluster 2    1026   324                       238
Cluster 5    1394   360                       85
Cluster 6    1394   280                       170
Cluster 7    1394   529                       136
Cluster 8    1394   1422                      1143
Cluster 11   5900   240                       257
***Clusters 1, 3, 4, 9, and 10 were discarded as not statistically significant
Data Analysis – Network Traffic Overview, POS A – Control Group
[Visualization of packet header fields; axis labels include Ethertype, IP Version, IP Header Length, IP Differential Services, IP Total Length, IP ID, IP Flags, IP Fragment, IP TTL, IP Transport Protocol, IP Checksum, IP Source Address, IP Destination Address, TCP Source Port, TCP Destination Port, TCP Seq Number, TCP Header Length, UDP Source Port, UDP Destination Port, UDP Packet Length.]
Visualization methodology from Greg Conti's "Security Data Visualization."
Data Analysis
[Visualization of Source IP, Source TCP Port, Destination IP, and Destination TCP Port.]
Data Analysis
• The TCP outlier is associated with browsing a public web site to ensure connectivity
• Uniform length of packets
Data Analysis
[Figures: TCP Packet Tree Map; UDP Packet Tree Map]
Data Analysis
• Examination of the UDP packets identified in the previous tree map revealed them to be spam targeting messenger applications
Findings
• Automated scanning of a select set of ports
• Multiple exploits targeting multiple operating systems from a single source IP address
• Attackers were not aware the compromised system was a POS system until after compromise and exploit
• Insecure installation of the operating system and applications led to compromise
Discussion
All references available upon request
Ryan E. Moore, Special Agent, U.S. Secret Service
312-353-5431
ryan.moore@usss.dhs.gov