Network Analysis of Point of Sale System Compromises

Similar documents
8/19/2010. Computer Forensics Network forensics. Data sources. Monitoring

Botnet Detection Using Honeypots. Kalaitzidakis Vasileios

Honeypots. Security on Offense. by Kareem Sumner

Guide to Computer Forensics. Third Edition. Chapter 11 Chapter 11 Network Forensics

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

HONEYNET SOLUTIONS. A deployment guide 1. INTRODUCTION. Ronald C Dodge JR, Richard T Brown, Daniel J Ragsdale

IPv4 Lecture 10a. COMPSCI 726 Network Defence and Countermeasures. Muhammad Rizwan Asghar. August 14, 2017

The Reconnaissance Phase

inside: THE MAGAZINE OF USENIX & SAGE April 2002 Volume 27 Number 2 SECURITY A Remote Active OS Fingerprinting Tool Using ICMP BY OFIR ARKIN

Why Firewalls? Firewall Characteristics

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Chapter 5 Network Layer

Firewall Identification: Banner Grabbing

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Ref: A. Leon Garcia and I. Widjaja, Communication Networks, 2 nd Ed. McGraw Hill, 2006 Latest update of this lecture was on

AMP-Based Flow Collection. Greg Virgin - RedJack

Overview Intrusion Detection Systems and Practices

Network Intrusion Detection Systems. Beyond packet filtering

Technical Support Information

REVEALING MIDDLEBOXES INTERFERENCE WITH TRACEBOX

ICS 451: Today's plan

CSC Network Security

Chapter 5 OSI Network Layer

Introduction to Computer Networks. CS 166: Introduction to Computer Systems Security

COMP2330 Data Communications and Networking

IPv6: Are we really ready to turn off IPv4?


Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

This tutorial will help you in understanding IPv4 and its associated terminologies along with appropriate references and examples.

Computer Security Spring Firewalls. Aggelos Kiayias University of Connecticut

Internet Control Message Protocol (ICMP)

Certified Ethical Hacker

Information Systems Security

4. The transport layer

Usage of Honeypot to Secure datacenter in Infrastructure as a Service data

Configuring Firewall Filters (J-Web Procedure)

The Impact of Transport Header Encryption on Operation and Evolution of the Internet

IPv6 is Internet protocol version 6. Following are its distinctive features as compared to IPv4. Header format simplification Expanded routing and

Mapping Internet Sensors with Probe Response Attacks

Networking Technologies and Applications

CS155 Firewalls. Simon Cooper CS155 - Firewalls 23 May of 30

Network Security and Cryptography. December Sample Exam Marking Scheme

Datagram. Source IP address. Destination IP address. Options. Data

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

Exam Number/Code: Exam Name: Computer Hacking. Version: Demo. Forensic Investigator.

Request for Comments: 8367 Category: Informational ISSN: April Wrongful Termination of Internet Protocol (IP) Packets

ECE 158A: Lecture 7. Fall 2015

VXLAN Overview: Cisco Nexus 9000 Series Switches

CS 356: Computer Network Architectures. Lecture 10: IP Fragmentation, ARP, and ICMP. Xiaowei Yang

Basic Concepts in Intrusion Detection

BEng. (Hons) Telecommunications. Examinations for / Semester 2

Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE

CSC 574 Computer and Network Security. TCP/IP Security

Outline. What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack

Dan Lo Department of Computer Science and Software Engineering Southern Polytechnic State University

Chapter 7. Network Intrusion Detection and Analysis. SeoulTech UCS Lab (Daming Wu)

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Mapping Internet Sensors with Probe Response Attacks

How to Configure Route 53 for F-Series Firewalls in AWS

IPSec. Overview. Overview. Levente Buttyán

CS155 Firewalls. Why Firewalls? Why Firewalls? Bugs, Bugs, Bugs

BIG-IP otse vastu internetti. Kas tulemüüri polegi vaja?

Protocol Layers & Wireshark TDTS11:COMPUTER NETWORKS AND INTERNET PROTOCOLS

Intrusion Detection - Snort

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Computer Networks (Introduction to TCP/IP Protocols)

Sirindhorn International Institute of Technology Thammasat University

Vorlesung Kommunikationsnetze

Computer Network Vulnerabilities

TCP/IP Protocol Suite 1

Optimizing Security for Situational Awareness

Russian Cyber Attack Warning and Impact on AccessEnforcer UTM Firewall

Lecture 9: Internetworking

Network Security: Firewall, VPN, IDS/IPS, SIEM

Internet Security: Firewall

Computer Security and Privacy

Distributed Denial of Service (DDoS)

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Review of Important Networking Concepts

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12

ELEC5616 COMPUTER & NETWORK SECURITY

ECE 333: Introduction to Communication Networks Fall 2002

IP - The Internet Protocol. Based on the slides of Dr. Jorg Liebeherr, University of Virginia

Chapter 4 Network Layer: The Data Plane. Part A. Computer Networking: A Top Down Approach

Lab 8: Introduction to Pen Testing (HPING)

Network Element Configuration

Visual Security Event Analysis DefCon 13 Las Vegas

Computer Networks Security: intro. CS Computer Systems Security

Multiple unconnected networks

intelop Stealth IPS false Positive

The trace file is here:

tcp6 v1.2 manual pages

CS 3516: Computer Networks

Network Security and Cryptography. 2 September Marking Scheme

Networking Background

HAI Network Communication Protocol Description

Intrusion Detection - Snort

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Configuring Advanced Firewall Settings

RMIT University. Data Communication and Net-Centric Computing COSC 1111/2061. Lecture 2. Internetworking IPv4, IPv6

Transcription:

Network Analysis of Point of Sale System Compromises Operation Terminal Guidance Chicago Electronic & Financial Crimes Task Force U.S. Secret Service

Outline Background Hypothesis Deployment Methodology Data Analysis Findings Discussion

Investigative Goals Hypothesis: Remote attackers were not targeting point of sale (POS) system software. The underlying operating system and installed applications are not deployed in accordance with Payment Card Industry Data Security Standard POS system compromises are a result of automated scanning and vulnerability exploitation

Deployment Methodology Test Group Honeynet Control Group Honeynet Point of Sale Systems eth0 68.166.251.x ADSL Router/Modem Honeywall Firewall Point of Sale System ADSL Router/Modem VMnet 0 (Bridged to Host) Honeywall eth0 eth1 0.0.0.0 0.0.0.0 VMnet 2 eth0 68.166.251.x eth0 0.0.0.0 VMnet 0 (Bridged to Host) eth0 68.166.251.x eth1 0.0.0.0 VMnet 2 eth2 10.10.1.x eth1 eth0 192.168.1.1 192.168.1.x VMnet 3 eth2 10.10.1.x VMnet 4 eth0 10.10.1.x VMnet 4 eth0 68.166.251.x eth0 10.10.1.x *Each server represents a virtual machine Remote Management Remote Management *Each server represents a virtual machine Honeytoken

Control Group 0.3 Connection Attempts by port 0.25 Connection Frequency (Percentage) 0.2 0.15 0.1 POS A POS B POS C 0.05 0 1026 1027 1028 135 5901 445 139 80 Ports

Test Group 0.4 0.35 Connection Attempts by port Connection Frequence (Percentage) 0.3 0.25 0.2 0.15 0.1 POS A POS B POS C 0.05 0 135 139 445 1026 1394 5017 5900 Ports

Association rules Clustering Data Analysis T: Number of virtual POS systems with connection attempts from a single source n i : Number of packets from a source to a virtual POS system N: Total number of packets from a source to all three POS systems N= n i Support(R) = # connections (POS system A, B, and C) #connections Data analysis methodology from F. Pouget and M. Dacier. Honeypot Based Forensics.

Control Group Clusters Port Item Sets Support % Support % > 1% 80 Cluster 1: T=1, N=3 Cluster 2: T=1, N=1 Cluster 3: T=2, N=8 (n=5, n=3) 135 Cluster 4: T=1, N=1 Cluster 5: T=1, N=2 139 Cluster 6: T=1, N=2 Cluster 7: T=1, N=3 445 Cluster 8: T=1, N=1 Cluster 9: T=1, N=2 Cluster 10: T=1, N=3 43.5% 10.9% 4.3% 54.5% 22% 75% 10.1% 20% 70% 7.1% 1 2 1 2 1026 Cluster 11: T=1, N=1 53.5% 1 1027 Cluster 12: T=1, N=1 98% 1 1028 Cluster 13: T=1, N=1 83% 1 5901 Cluster 14: T=1, N=2 90.9% 1

Test Group Clusters Port Item Sets Support % Support % > 1% 445 Cluster 1: T=2, N=34 22.2% 0 1026 Cluster 2: T=2, N=3 Cluster 3: T=3, N=3 (n=1,n=1, n=1) Cluster 4: T=1, N=1 1394 Cluster 5: T=1, N=12 Cluster 6: T=1, N=15 Cluster 7: T=1, N=6 Cluster 8: T=1, N=9 2967 Cluster 9: T=3, N=8 (n=2, n=3, n=3) Cluster 10: T=3, N=30 (n=10, n=10, n=10) 1.8% 20% 50.9% 20% 16.7% 1.7% 16.7% 10% 10% 2 3 0 5900 Cluster 11: T=3, N=3 20% 0

Edit Distance Analysis Extract TCP payloads from previous identified cluster members Compare packets from each address against all others identified through clustering Source A <mss E..0..@.o.A.;W\. D..s.]... p...^2... <mss E..0..@.o.A.;W\. D..s.]... p...^2... Source B <mss E..0.{@.k.l\=.y. D..s...jd... p... <mss E..0.{@.k.l\=.y. D..s...jd... p... Attack Phrases

Control Group Phrase Distance Cluster Port Phrase Distance (Lines) Std Deviation Cluster 6 139 2 9 Cluster 7 139 1 5 Cluster 8 445 3 10 Cluster 9 445 5 8 Cluster 10 445 4 18 Cluster 11 1026 86 169 Cluster 13 1028 12 65 Cluster 14 5901 32 12 ***Clusters 1,2, 3,4,5, and 12 were discarded as not statistically significant

Test Group Phrase Distance Cluster Port Phrase Distance (Lines) Std Deviation Cluster 2 1026 324 238 Cluster 5 1394 360 85 Cluster 6 1394 280 170 Cluster 7 1394 529 136 Cluster 8 1394 1422 1143 Cluster 11 5900 240 257 ***Clusters 1,3,4,9,10 were discarded as not statistically significant

Network Traffic Overview POS A Control Group Packet Length Ethertype Version Header Length Differential Services Total Length ID Flags Fragment TTL Transport Protocol Header Checksum Source Address TCP Destination Source Address Port TCP Seq Destination Number Port UDP Source Port UDP Destination Port Visualization methodology from Greg Conti s. Security Data Visualization.

Source TCP Source Port TCP Destinatio n Port Source TCP Destination Port

The TCP outlier is associated with browsing public web site to ensure connectivity Uniform length of packets

TCP Packet Tree Map UDP Packet Tree Map

Examination of the UDP packets identified in the previous tree map revealed them to be spam targeting messenger applications

Findings Automated scanning of select set of ports Multiple exploits targeting multiple OS s from single source address Attackers not aware compromised system is a POS system until after compromise and exploit Insecure installation of operating system and applications lead to compromise

Discussion All references available upon request Ryan E. Moore Special Agent U.S. Secret Service 312-353-5431 ryan.moore@usss.dhs.gov

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback