Network Analysis of Point of Sale System Compromises
Operation Terminal Guidance
Chicago Electronic & Financial Crimes Task Force
U.S. Secret Service
Outline
• Background
• Hypothesis
• Deployment Methodology
• Data Analysis
• Findings
• Discussion
Investigative Goals
• Hypothesis: Remote attackers were not targeting point of sale (POS) system software; rather, POS system compromises were the result of insecure deployment of the underlying operating system, which automated scanning and vulnerability exploitation then found and compromised
Deployment Methodology
[Figure: deployment diagram, first honeynet. Components shown: ADSL Router/Modem; Firewall (eth0 68.166.251.x, eth1 192.168.1.1); Honeywall (eth0 0.0.0.0 and eth1 0.0.0.0, eth2 10.10.1.x); Point of Sale System (eth0 192.168.1.x); Remote Management (eth0 10.10.1.x). Virtual networks: VMnet 0 (bridged to host), VMnet 2, VMnet 3, VMnet 4. Each server represents a virtual machine.]
[Figure: deployment diagram, second honeynet. Components shown: ADSL Router/Modem; Honeywall (eth0 0.0.0.0 and eth1 0.0.0.0, eth2 10.10.1.x); three Point of Sale Systems, each with eth0 in 68.166.251.x; Remote Management (eth0 10.10.1.x). Virtual networks: VMnet 0 (bridged to host), VMnet 2, VMnet 4. Each server represents a virtual machine.]
Test Group Honeynet / Control Group Honeynet
[Figure: Honeytoken placement on the POS systems.]
Data Analysis
[Figure: Control Group connection attempts by port. Bar chart of connection frequency (percentage, 0 to 0.30) for POS A, POS B and POS C on ports 1026, 1027, 1028, 135, 5901, 445, 139 and 80.]
[Figure: Test Group connection attempts by port. Bar chart of connection frequency (percentage, 0 to 0.40) for POS A, POS B and POS C on ports 135, 139, 445, 1026, 1394, 5017 and 5900.]
Data Analysis
• Association rules
  – Clustering
• T: number of virtual POS systems with connection attempts from a single source
• n_i: number of packets from a source to a virtual POS system
• N: total number of packets from a source to all three POS systems, N = Σ n_i
• Support(R) = #connections (POS systems A, B, and C) / #connections
Data analysis methodology from F. Pouget and M. Dacier, "Honeypot-Based Forensics."
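The counts defined above (T, n_i, N and per-port support) can be computed directly from a packet list. The following is an added example, not code from the deck or from the Pouget and Dacier paper; the packet records and IP addresses are constructed, and it assumes that one (source, destination port) pair counts as one "connection" in the support formula, with the item set R being the set of POS systems that source reached. It also pulls out the single-source, multi-target pattern that the findings describe as automated scanning.

```python
"""Source clustering with the slide's association-rule counts.

Added example, not code from the Operation Terminal Guidance deck. For each
(source, destination port) it computes T, n_i and N as defined on the slide
and support(R) per port, where R is the set of POS systems a source reached.
The packet records below are constructed; the addresses are hypothetical.
"""
from collections import defaultdict

# Constructed sample: (source_ip, dst_pos, dst_port). One source sweeps all
# three POS systems on 445, one hits two of them, two hit a single system.
PACKETS = [
    ("203.0.113.5", "A", 445), ("203.0.113.5", "B", 445), ("203.0.113.5", "C", 445),
    ("203.0.113.5", "A", 445), ("203.0.113.5", "B", 445),
    ("198.51.100.7", "A", 139), ("198.51.100.7", "A", 139),
    ("198.51.100.9", "B", 5900),
    ("192.0.2.44", "A", 445), ("192.0.2.44", "B", 445),
]


def profile_sources(packets):
    """Return {(src, port): {"T": ..., "N": ..., "n": {pos: n_i}}}.

    T = number of POS systems the source touched on that port,
    n_i = packets to POS i, N = sum of n_i (the slide's N = sum n_i).
    """
    counts = defaultdict(lambda: defaultdict(int))
    for src, pos, port in packets:
        counts[(src, port)][pos] += 1
    return {
        key: {"T": len(n), "N": sum(n.values()), "n": dict(n)}
        for key, n in counts.items()
    }


def support_by_port(packets):
    """support(R) per port: share of sources on that port whose item set is R.

    Assumption: one (source, port) pair is one 'connection' in the slide's
    Support(R) = #connections(A, B, C) / #connections; R is the frozenset of
    POS systems the source reached.
    """
    per_port = defaultdict(lambda: defaultdict(int))
    for (src, port), prof in profile_sources(packets).items():
        per_port[port][frozenset(prof["n"])] += 1
    return {
        port: {r: c / sum(itemsets.values()) for r, c in itemsets.items()}
        for port, itemsets in per_port.items()
    }


def scanners(packets, min_t=3):
    """Sources that reached at least min_t POS systems on one port, i.e. the
    single-source automated scanning pattern in the findings."""
    return sorted(
        {src for (src, _), prof in profile_sources(packets).items() if prof["T"] >= min_t}
    )


if __name__ == "__main__":
    for key, prof in sorted(profile_sources(PACKETS).items()):
        print(key, prof)
    for port, itemsets in sorted(support_by_port(PACKETS).items()):
        for r, s in itemsets.items():
            print(port, sorted(r), f"{s:.1%}")
    print("scanners:", scanners(PACKETS))
```

On the constructed sample the 445 sweep yields T=3, N=5 with n = {A: 2, B: 2, C: 1}, and the two 445 item sets {A, B, C} and {A, B} each carry 50% support on that port; a real capture would be fed in as (source, POS, port) tuples from the Honeywall's flow records.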
Data Analysis
Control Group Clusters
Port | Item Sets | Support % | Support % > 1%
80   | Cluster 1: T=1, N=3; Cluster 2: T=1, N=1; Cluster 3: T=2, N=8 (n=5, n=3) | 43.5%, 10.9%, 4.3% | 1
135  | Cluster 4: T=1, N=1; Cluster 5: T=1, N=2 | 54.5%, 22% | 2
139  | Cluster 6: T=1, N=2; Cluster 7: T=1, N=3 | 75%, 10.1% | 1
445  | Cluster 8: T=1, N=1; Cluster 9: T=1, N=2; Cluster 10: T=1, N=3 | 20%, 70%, 7.1% | 2
1026 | Cluster 11: T=1, N=1 | 53.5% | 1
1027 | Cluster 12: T=1, N=1 | 98% | 1
1028 | Cluster 13: T=1, N=1 | 83% | 1
5901 | Cluster 14: T=1, N=2 | 90.9% | 1
Data Analysis
Test Group Clusters
Port | Item Sets | Support % | Support % > 1%
445  | Cluster 1: T=2, N=34 | 22.2% | 0
1026 | Cluster 2: T=2, N=3; Cluster 3: T=3, N=3 (n=1, n=1, n=1); Cluster 4: T=1, N=1 | 1.8%, 20%, 50.9% | 2
1394 | Cluster 5: T=1, N=12; Cluster 6: T=1, N=15; Cluster 7: T=1, N=6; Cluster 8: T=1, N=9 | 20%, 16.7%, 1.7%, 16.7% | 3
2967 | Cluster 9: T=3, N=8 (n=2, n=3, n=3); Cluster 10: T=3, N=30 (n=10, n=10, n=10) | 10%, 10% | 0
5900 | Cluster 11: T=3, N=3 | 20% | 0
Data Analysis
• Edit Distance Analysis
  – Extract TCP payloads from the previously identified cluster members
  – Compare packets from each IP address against all others identified through clustering
[Figure: Attack Phrases. Two TCP payload excerpts, labelled Source A and Source B on the slide, shown as printable-character dumps with non-printable bytes rendered as '.':
<mssE..0.{@.k.l\=.y.D..s.....jd.....p...............
<[email protected].;W\.D..s.]..........p...^2..........]
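The pairwise comparison described above, as an added example that is not part of the deck. The slides do not name their distance metric, so this uses byte-level Levenshtein distance (an assumption) over each cluster's payloads and reports the mean and standard deviation across all source pairs, which is the kind of per-cluster summary the Phrase Distance tables that follow present; the payloads, source addresses and the "same tool" threshold are constructed for the example.

```python
"""Edit-distance comparison of cluster members' TCP payloads.

Added example, not code from the deck. The slide does not name its distance
metric; this uses byte-level Levenshtein distance (an assumption) and reports
the mean and standard deviation over all source pairs in a cluster, which is
what the Phrase Distance / Std Deviation tables summarise. Payloads and
addresses below are constructed, not captured traffic.
"""
from itertools import combinations
from statistics import mean, pstdev

# Constructed cluster: three sources that sent near-identical payloads to
# the same port (the pattern behind "multiple exploits from a single tool").
CLUSTER_PAYLOADS = {
    "198.51.100.7": b"SMB NEGOTIATE dialect=NT LM 0.12 flags=0x18",
    "203.0.113.5": b"SMB NEGOTIATE dialect=NT LM 0.12 flags=0x18",
    "192.0.2.44": b"SMB NEGOTIATE dialect=NT LM 0.12 flags=0x08",
}
# Constructed unrelated payload, like the connectivity check noted on the slides.
OUTLIER = b"GET / HTTP/1.0"


def levenshtein(a: bytes, b: bytes) -> int:
    """Minimum single-byte insertions, deletions and substitutions turning a into b."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def pairwise_distances(payloads):
    """[(src_a, src_b, distance)] for every unordered pair of sources."""
    return [(a, b, levenshtein(payloads[a], payloads[b]))
            for a, b in combinations(sorted(payloads), 2)]


def summarize(pairs):
    """(mean, population standard deviation) of the pair distances."""
    ds = [d for _, _, d in pairs]
    return mean(ds), pstdev(ds)


def shares_tooling(payloads, max_distance=4):
    """True when every pair is within max_distance, i.e. the cluster's members
    plausibly used the same tool; max_distance is an assumed threshold."""
    return all(d <= max_distance for _, _, d in pairwise_distances(payloads))


if __name__ == "__main__":
    pairs = pairwise_distances(CLUSTER_PAYLOADS)
    for a, b, d in pairs:
        print(a, b, d)
    print("mean %.3f  std %.3f" % summarize(pairs))
    print("same tooling:", shares_tooling(CLUSTER_PAYLOADS))
    print("with outlier:", shares_tooling({**CLUSTER_PAYLOADS, "192.0.2.99": OUTLIER}))
```

Quadratic-time Levenshtein is fine for honeypot payloads of a few hundred bytes; for full-session reassembly the slides' per-line comparison of hex dumps would be the cheaper choice. A high standard deviation inside a cluster is the signal that the port-based clustering lumped together sources that were not running the same tool.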
Data Analysis
Control Group Phrase Distance
Cluster | Port | Std Deviation / Phrase Distance (Lines) (the two values are fused in the extracted text, std deviation first)
Cluster 6  | 139  | 92
Cluster 7  | 139  | 51
Cluster 8  | 445  | 103
Cluster 9  | 445  | 85
Cluster 10 | 445  | 184
Cluster 11 | 1026 | 16986
Cluster 13 | 1028 | 6512
Cluster 14 | 5901 | 1232
***Clusters 1, 2, 3, 4, 5, and 12 were discarded as not statistically significant
Data Analysis
Test Group Phrase Distance
Cluster | Port | Std Deviation / Phrase Distance (Lines) (the two values are fused in the extracted text, std deviation first)
Cluster 2  | 1026 | 238324
Cluster 5  | 1394 | 85360
Cluster 6  | 1394 | 170280
Cluster 7  | 1394 | 136529
Cluster 8  | 1394 | 11431422
Cluster 11 | 5900 | 257240
***Clusters 1, 3, 4, 9, and 10 were discarded as not statistically significant
Data Analysis
[Figure: Network Traffic Overview, POS A – Control Group. Plot of packet header fields: Packet Length, Ethertype, IP Version, IP Differentiated Services, IP Header Length, IP ID, IP Total Length, IP Fragment, IP Flags, IP Transport Protocol, TTL, IP Source Address, IP Header Checksum, TCP Source Port, IP Destination Address, Seq Number, TCP Destination Port, UDP Destination Port, UDP Source Port.]
Visualization methodology from Greg Conti's "Security Data Visualization."
Data Analysis
[Figure: plot of Source IP, TCP Source Port and TCP Destination Port.]
[Figure: plot of Source IP and TCP Destination Port.]
Data Analysis
• The TCP outlier is associated with browsing a public web site to ensure connectivity
• Uniform packet lengths
[Figure: TCP Packet Tree Map and UDP Packet Tree Map.]
• Examination of the UDP packets identified in the tree map revealed them to be spam targeting messenger applications
Findings
• Automated scanning of a select set of ports
• Multiple exploits targeting multiple operating systems from a single source IP address
• Attackers were not aware the compromised system was a POS system until after compromise and exploitation
• Insecure installation of the operating system and applications led to compromise
Discussion
Ryan E. Moore, Special Agent
U.S. Secret Service, 312-353-5431
All references available upon request