In this post, we get insights from Brian Hussey, Global Director of Incident Response & Readiness for Trustwave SpiderLabs. He will present “The Real Life Story Behind Credit Card Hacks” at the European Community Meeting in Edinburgh.
What do you see as the biggest threat to organizations when it comes to protecting against “credit card hacks”?
I think the biggest threat is simply the resiliency of our adversaries. As soon as we settle into a solid defense against today’s threat landscape, they have already pivoted and are taking a new and innovative approach to steal our data. Late in 2015 the big concern was with unsecured third parties accessing corporate networks; in early 2016, reseller and integrator hacks were the big thing. Just recently, we’ve seen a significant uptick in Exploit Kit-based attacks dropping payloads that automatically search for and compromise E-Commerce and POS servers. This may be an emerging trend in late 2016 and early 2017. But from a big-picture point of view, I feel the biggest threat is simply the speed and efficiency with which the hackers change tack and find new ways to attack us.
What top tips can you give for protecting against malware?
That is a big question and I wish I could serve up the perfect panacea. However, there is no simple approach. The time-honored security mantra of “defense-in-depth” is as valid now as it was decades ago, but the elements of it have changed. Now, there is so much more than just firewalls and IDS/IPS to consider. We should all have a solid endpoint solution that enables threat hunting and remote forensic investigation. We should engage in frequent penetration testing and Incident Response Plan attack simulations. We should take advantage of a hybrid managed security service provider approach that offloads challenging parts of our security infrastructure but still takes full advantage of our internal corporate network knowledge and experience. These are only a few elements, but they are a step in the direction of making ourselves very hard targets.
The time it takes criminals to compromise an organization is days or less, if not minutes or less. Why is it that it still takes organizations weeks or even months to discover a breach?
The easiest and most obvious time to catch an attacker is when they first penetrate network perimeter defenses and when they install their malware on an internal system. Once they get a foothold inside the network and have confirmed that their tools are not caught by antivirus, it is much more difficult to catch them. They will likely attempt to move laterally and conduct reconnaissance to identify the high-value targets, but this activity can often appear quite similar to normal system activity. Also, the longer an attacker is on the system, the more their activity becomes part of the accustomed baseline and the more intimate they become with the network. This makes them even more stealthy. This is why we are such proponents of proactive threat hunting at Trustwave. We should be actively working to identify malicious activity on our networks, even if we don’t have positive indications of a current attack.
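The answer above makes a detection-engineering point that is easy to state and easy to get wrong in practice: a hunt that compares new activity against "what this network normally does" only works if the baseline was captured before the intruder arrived. The example below is added here to make that concrete; it is not part of the interview and is not Trustwave tooling. It runs a simple hunt for never-before-seen (source host, destination host, account) logon triples over constructed sample records shaped like Windows event 4624 extracts. The host names, account name, dates and the `SAMPLE_EVENTS` data are all invented for the demonstration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample logon records (not real telemetry). Each tuple is
# (timestamp, source_host, destination_host, account, logon_type), the
# fields a SIEM would extract from Windows event 4624. Logon type 3 is a
# network logon, type 10 a remote-interactive (RDP) logon.
T0 = datetime(2016, 10, 1)
SAMPLE_EVENTS = []

# Routine administration: the same jump host reaches the same servers daily.
for day in range(30):
    ts = T0 + timedelta(days=day, hours=9)
    SAMPLE_EVENTS.append((ts, "JUMP01", "FILESRV01", "CORP\\itadmin", 10))
    SAMPLE_EVENTS.append((ts + timedelta(hours=1), "JUMP01", "POS-DB01", "CORP\\itadmin", 3))

# Hypothetical compromised workstation: from day 8 onward it reaches the POS
# database every night with a stolen admin account. Nothing about a single
# record is abnormal; only the pairing of source and destination is new.
for day in range(8, 30):
    ts = T0 + timedelta(days=day, hours=22)
    SAMPLE_EVENTS.append((ts, "WKS-RECEPTION", "POS-DB01", "CORP\\itadmin", 3))


def build_baseline(events, cutoff):
    """Set of (source, destination, account) triples observed before cutoff."""
    return {(src, dst, acct) for ts, src, dst, acct, _ in events if ts < cutoff}


def hunt_new_logon_pairs(events, cutoff, window_days=7):
    """Return logons in [cutoff, cutoff + window) whose triple never appeared
    in the pre-cutoff baseline, sorted by time."""
    baseline = build_baseline(events, cutoff)
    window_end = cutoff + timedelta(days=window_days)
    flagged = [
        ev for ev in events
        if cutoff <= ev[0] < window_end and (ev[1], ev[2], ev[3]) not in baseline
    ]
    return sorted(flagged)


def summarize(flagged):
    """Count flagged logons per (source, destination, account) triple."""
    return Counter((src, dst, acct) for _, src, dst, acct, _ in flagged)


def dwell_days(events, triple, now):
    """Days between the first sighting of a triple and `now`: the minimum dwell
    time an investigator should assume once the triple is found."""
    first = min(ts for ts, src, dst, acct, _ in events if (src, dst, acct) == triple)
    return (now - first).days


if __name__ == "__main__":
    # Hunt run one week in, before the attacker has had time to blend in.
    early = hunt_new_logon_pairs(SAMPLE_EVENTS, T0 + timedelta(days=7))
    print("early hunt:", dict(summarize(early)))
    for triple in summarize(early):
        print("  dwell so far:", dwell_days(SAMPLE_EVENTS, triple, T0 + timedelta(days=14)), "days")
    # The same hunt run three weeks in: the nightly logons are now part of the
    # baseline and the intruder's traffic is indistinguishable from routine.
    late = hunt_new_logon_pairs(SAMPLE_EVENTS, T0 + timedelta(days=21))
    print("late hunt:", dict(summarize(late)))
```

The two runs differ only in when the baseline was frozen. Run at day 7 the hunt surfaces six night-time logons from a reception workstation to the POS database; run at day 21 it surfaces nothing, because two weeks of the same logons have been folded into "normal". In practice that argues for building baselines from a period you have positively verified as clean, for reviewing first-seen pairs as they appear rather than letting them age into the baseline, and for carrying a dwell-time estimate into the investigation once something is found.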
How do you move from having an incident response plan to putting that plan into action?
The model Trustwave uses with our Incident Readiness Programme is to 1. Create the Incident Response Plan, 2. Educate the stakeholders about the plan, 3. Conduct tabletop exercises to foster higher-level thinking about how to respond in extreme and unpredictable situations, 4. Conduct attack simulations to test your plan and your team’s ability to respond to them, 5. Review the response, identify gaps, and edit the incident response plan. Then the whole process starts over. This is a model we’ve had great success with for our clients.
What’s the key thing you want attendees to take away from your presentation at the PCI Europe Community Meeting?
I’m going to give a behind-the-scenes look at both the underground world of cybercrime and many elements of a forensic investigation. I want my viewers to see just how sophisticated our adversaries have become and the extraordinary lengths we go to in investigating them. Some people may be surprised to know just how easy it is to buy and sell stolen information on the web. Sun Tzu, in The Art of War, pointed out the importance of knowing our enemy, and this maxim holds true in cyberwar as well. I want to bring the enemy to light and show what we can do to protect ourselves.