Forensic Investigations in the Payment Card Industry
One of our running challenges is how do you demonstrate the value of Cyber Detection and Prevention Software, like Serengeti, to a potential client who does not understand that there has been a paradigm shift in defensive and protective security – detecting and containing "indicators of compromise" - especially in the Payments Sector?
We have recently been asked to help several companies who have been identified as “Common Points of Purchase” for a load of fraud on credit cards - and suspected of being the victim of a payment card compromise. What this means is that the card schemes (Visa/MasterCard/AMEX etc) have identified fraud on a bunch of cards, analysed the transaction data and found that a specific organisation is the “Common Point of Purchase” (CPP) and therefore the most likely point at which the cards were stolen.
The standard requirement by the card schemes is that the CPP organisations have to engage with a PCI Forensic Investigator, such as Foregenix, to:
- Identify if there is evidence of intrusion.
- Identify what was stolen and when.
- Work out how it was stolen.
- Find out who stole it.
- CONTAIN the situation so that no more card data is stolen.
There is the Traditional Forensic Method - and then there is the new, quicker, more effective way: The Foregenix Way.
Traditional Forensics – the standard way
Traditional forensics – within the Payment Card Industry – is a skillful art that requires meticulous attention to detail, extremely skilled understanding of systems, networking, applications, encryption, malware reverse engineering, patience and focus.
It takes time (and a great deal of skill and experience) to deliver quality work week in and week out - we know all about this as one of the leading PCI Forensic Investigators globally. Like the physical world, artifacts are transient, but unlike the physical world “stealing” data can be the equivalent of taking a photograph…
The process forensic teams in the industry usually follow includes the following steps:
- Onsite interviews and data collection – imaging of hard disks of all systems suspected of being in scope of the investigation - this usually involves most of the systems in the payment channel related to the suspected breach. Depending on the machines that are being “imaged”, this could take anywhere from a few minutes to a few hours per machine – we usually have several on the go at once to save time!
- Transport the images back to the forensic lab and “check in” the evidence – this is validating, transferring and correctly recording the evidence.
- Begin analysis of the evidence – depending on the information provided in the interviews (and our understanding and experience of how a potential breach may have transpired within the organisation), we start working on the most obvious data. Most often, there is one, sometimes possibly two or more forensic analysts working on a case. Larger ones can have several, however, in the analysis phase there is usually a team lead who is managing and directing the investigation. Each system can take up to 2-3 days to fully analyse before moving onto the next. It can take time, especially with more complex scenarios.
- Containment – from the card scheme and industry view point, the most critical part of the investigation. As soon as the breach is identified and confirmed, we work to establish how it transpired and alert the victim organization with advice on how to contain the situation so that no more cardholder data is stolen.
- Reporting - with the analysis completed we produce a detailed report on the case. Case closed.
The most crucial part of the process just described is the “CONTAINMENT” section – up until that point the organisation is most likely still “bleeding” cardholder data – this is driving up the potential fraud liabilities/fines etc that the organisation may face. There are a lot of figures estimated for the average fraud cost per card, averaging just below $1,000/compromised card – for any business, that is enough incentive to get control of the situation ASAP!
In a traditional forensic model time from engaging a PCI Forensic Investigator until CONTAINMENT can be weeks - with the bleed continuing and fraud losses mounting while the forensic company works on identifying the issues.
So how has the paradigm shifted?
The Foregenix Way
Our forensic process has evolved from that of the rest of the industry. How?
We follow this route:
- Deploy Serengeti – our Cybercrime Detection and Prevention Solution - to the transaction environment.
- Telemetry - within minutes of deploying Serengeti, we begin to receive telemetry on the systems – processes running, configuration settings, in and outbound communications and many other key metrics and reference checks. We use this to *very quickly* understand the health of each system.
- Malware - we also immediately check for all known and variant versions of malware that have been used as a part of malware attacks to steal cardholder data.
A regular question is: But what about the Victim’s anti-virus/anti-malware solution?
---
In nearly every case we have conducted in the last 2 years that has involved the use of malware – even well known malware such as Dexter, JackPOS and others, the Victim’s anti-virus/anti-malware solution has failed to notice anything untoward.
---
Why?
All the attackers have to do is make a slight modification to the malware package and it takes on a new look, feel and smell to the anti-virus/anti-malware solutions - it no longer triggers a warning response and therefore passes undetected.
---
How do we find Malware? We use heuristic, behavioural and signature-based real-time analysis to find these nasty little applications.
And we are very good at it.
- Containment - If a previously seen piece of malware is detected – Serengeti immediately contains it. If a new type of malware is detected, our team automatically pull it back to the lab analyse it, understand how to neutralise it and update Serengeti to contain it.
This all happens within the first hour or so of deploying Serengeti. In most cases, the situation is contained within the first 24 hours of contacting Foregenix and having Serengeti deployed.
- Onsite Interviews and Data Collection - with the detailed telemetry from Serengeti, we focus the investigation on the systems that exhibit indicators of compromise. This means we are more accurate, quicker to resolution and therefore complete the investigation in a lower overall cost.
- Transport the images back to the forensic lab and “check in” the evidence – this phase is the same as the "Traditional Way" and includes validating, transferring and correctly recording the evidence.
- Analysis Phase - this process is the same as the "Traditional Way", although with the focus on the key systems exhibiting indicators of compromise, we're usually able to accelerate this process.
- Reporting - with the detailed, pre-defined reporting requirements set by the PCI Security Standards Council, this phase is the same as the "Traditional Way" although, once again, with the key systems as the focus of the entire process, this phase has been streamlined.
The Foregenix Way vs The Traditional Way
Comparing the Foregenix Way with the Traditional Forensic Way, there are a few key differences:
- Time to Containment - we are usually able to contain the situation in less than 24 hours VERSUS days or (usually) weeks following the Traditional Way.
- Laser focus - we immediately know which are the affected systems exhibiting signs of compromise – therefore the forensic investigation focuses on these systems. Not the rest of the network. This results in a massively reduced forensic investigation bill and extremely quick containment.
- Back to business quickly - with a contained environment, the Victim organisation can get their focus back on their business quicker, while the investigation can proceed quickly and efficiently with minimal disruption to the Victim's operations.
The Paradigm Shift
So the paradigm shift that we’re educating our acquiring bank partners and potential forensic clients on is that the traditional forensic route will continue to work, but it is slower to result, slower to react, generally more expensive and susceptible to scope creep. There is a better way.
Using Foregenix with our Serengeti Cybercrime Detection and Prevention software:
- The situation is rapidly contained
- The investigation focuses only on those machines affected; and
- The client can get back to business quickly.
Get in touch if you want to find out more about our Incident Response Services and Serengeti.