Improve your AIX Security by learning from the analysis of this breach Stephen Dominguez, WW AIX and LoP Security Lead for IBM Lab Services Sept 21st, 2016 The Target Breach Case Study, Lessons Learned and the Lockheed Martin Intrusion Kill Chain Model


Page 1: The Target Breach - Bucks County Community College · Introduction to the Target Breach The Lockheed Martin Intrusion Kill Chain Model ... and email addresses of up to 70 million

Improve your AIX Security by learning from the analysis of this breach

Stephen Dominguez, WW AIX and LoP Security Lead for IBM Lab Services

Sept 21st, 2016

The Target Breach – Case Study, Lessons Learned and the Lockheed Martin Intrusion Kill Chain Model

Page 2:

Who am I?

Peyton Manning/Broncos fan and also love jazz

World-wide AIX and Linux on Power Security Lead for IBM Lab Services

Worked with Power for 19 years, specifically security for 13

I've worked with over 400 corporate customers throughout the world

Obtained US Top Secret Security Clearance in 2011

I have a security blog, www.securitysteve.net

Page 3:

Who am I?

I have a security blog, www.securitysteve.net

You can follow me on twitter, @Secur1tySteve

IBM Lab Services is a cost center that works closely with IBM development to assist Power customers with their systems

To learn about all Lab Services' security services: www.securitysteve.net/consulting-services/

We have several flexible funding IBM programs available to provide security consulting services at no charge to eligible customers

If you'd like me to set up a conference call so we can chat about security, shoot me an email at [email protected]

Page 4:

Agenda

Recent statistics on security breaches

Introduction to the Target Breach

The Lockheed Martin Intrusion Kill Chain Model

The 13 Phases of the Breach

5 Major Lessons from the Target Breach

Countering the Breach in AIX

Page 5:

Recent Statistics on Security Breaches

From the Ponemon Institute's June 2016 report, “2016 Cost of Data Breach Study: Global Analysis”

Page 6:

Abstract of Ponemon Institute's Findings

383 companies surveyed from 12 different countries

Average cost of a data breach for a large company, globally: $4 million

Since 2013, the costs have risen globally by 29%

Average cost per stolen record, globally: $158

Page 7:

Ponemon Institute's 7 Global Megatrends

1. The cost of a data breach hasn't fluctuated significantly since the research started

2. The biggest financial consequence to organizations that experienced a data breach is lost business, i.e. having to regain and retain customers' trust

3. Most data breaches continue to be caused by criminal and malicious attacks. These breaches also take the most time to detect and contain. They have the highest cost per record.

4. Investments are being made in technologies and in-house expertise to reduce the time to detect and contain

5. Regulated industries, such as healthcare and financial services, have the most costly data breaches

6. Improvements in data governance programs will reduce the cost of a data breach. For example: incident response plans, appointment of a CISO, employee training and awareness programs

7. Investment in certain data loss prevention controls and activities such as encryption and endpoint security solutions is important for preventing data breaches.

Page 8:

Introduction to the Target Breach

Page 9:

Primary Reference

• Main reference for this session is “Case Study: Critical Controls that Could Have Prevented Target Breach” by Teri Radichel, [email protected]

• Permission has been obtained from Teri to abstract from her case study

• Target never released official details of the breach. This case study cites around 50 other references.

• You can download the PDF of the case study from: www.securitysteve.net/links

Page 10:

Secondary Reference

• Secondary reference for this session is “The Target Store Data Breaches – Examination and Insight” by Marianna Hardy

• This is a book available from Amazon

Page 11:

Third Reference

• “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” by Lockheed Martin Corp

• Whitepaper. There's a link to it in the links section of my blog, www.securitysteve.net/links/

Page 12:

Abstract

• In December 2013, 40 million credit card numbers were stolen from 2000 Target stores by accessing data on point of sale (POS) systems

• On January 10th Target also announced that PII data, i.e. names, addresses, phone numbers, and email addresses, of up to 70 million customers was stolen

• There was an overlap of 12 million people between the two types of data stolen, so 98 million people in total were affected in one way or the other

• 11 GB of data was stolen

• The customer data was sold on online black market forums known as “card shops”

• The Senate Committee on Commerce in March 2014 concluded that Target missed opportunities to prevent the breach

• Target reported the breach cost them $61 million

Page 13:

Abstract (continued)

• The Target security staff made their misgivings known about the vulnerabilities of their POS systems before the breach

• The attackers had access to Target systems for over a month

• Independent sources make a rough estimate of the cost of fraudulent charges resulting from the stolen credit card numbers at $250 million to $2.2 billion

• 80 lawsuits were filed against Target

• The Payment Card Industry (PCI) Council could have fined Target $400 million to $1.1 billion

• This was among the largest data breaches in U.S. history

Page 14:

Breach Aftermath

• CEO and CIO lost their jobs

• Target's board of directors was threatened with removal

• Banks paid $200 million to customers affected by the breach

• Banks sued Target's PCI compliance auditor, Trustwave

• Target has dealt with investigations from the Department of Justice, the FTC, and the SEC

• Target was hit by PCI compliance fines and state fines

Page 15:

The Lockheed Martin Intrusion Kill Chain Model

From “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”

Page 16:

Advanced Persistent Threat (APT)

• Early security threats came from self-propagating code (viruses). Anti-virus technology has reduced that risk.

• A new class of threat has emerged, the APT

• An APT is an adversary that is well funded, highly skilled, focuses their attack manually (not automated), and can attack over months or years

“In February 2010, iSec Partners noted that current approaches such as anti-virus and patching are not sufficient, end users are directly targeted, and threat actors are after sensitive intellectual property. (Stamos, 2010)” - from the Lockheed white paper

• The Lockheed white paper says:

“Yet APT actors continually demonstrate the capability to compromise systems by using advanced tools, customized malware, and 'zero day' exploits that anti-virus and patching cannot detect or mitigate.”

• The Target hackers used “advanced tools, customized malware and 'zero day' exploits that anti-virus and patching cannot detect ..”

Page 17:

What is a Kill Chain?

• “A kill chain is a systematic process to target and engage an adversary to create desired effects”.

• The kill chain concept comes from the military

• Lockheed adapted the kill chain concept to provide a structure for analyzing intrusions

• We can use kill chains to understand how to deploy Computer Network Defense (CND). CND is a set of processes used to detect, monitor, analyze, and defend against network intrusions.

• The kill chain is an end-to-end, integrated process where a deficiency in one segment of the chain can interrupt the entire process.

• Multiple kill chains can occur within an adversary's campaign

• Helps understand the iterative nature of intelligence gathering

Page 18:

Page 19:

Breach Phase 4: Establish a C2 System

• Attackers used the vendor portal as a pivot to other systems

• The attackers performed reconnaissance from this C2 system to look for vulnerabilities on other systems

• The attackers further infiltrated the Target network from this system

• Attackers performed additional reconnaissance from the system using network command tools

• Attackers downloaded additional hacking tools to the system

• Kill Chain 1 Phase 7 (Actions on Objectives)

• Kill Chain 2 Phase 1 (Reconnaissance)

Page 20:

The 13 Phases of the Breach

Page 21:

Page 22:

Page 23:

Breach Phase 1: Reconnaissance

• A Google search was used to learn how Target interacts with vendors

• The search revealed information about a vendor portal and a list of HVAC and refrigeration companies

• The Google search also revealed a case study on the Microsoft site that described Target's use of Microsoft virtualization software, centralized name resolution, and Microsoft System Center Configuration Manager (SCCM) to deploy patches.

• This Microsoft case study revealed Target's technical infrastructure, including POS system information, in significant detail

• Kill Chain 1 Phase 1 (Reconnaissance)

Page 24:

Breach Phase 2: Phishing Attack

• Email sent to refrigeration vendor, Fazio Mechanical, 2 months before the breach

• Fazio could have prevented the malware via real-time malware prevention tooling. Instead, they were using the free version of Malwarebytes Anti-Malware

• Malware, believed to be Citadel, was installed on a vendor computer.

• The malware was embedded in a PDF or Microsoft document

• Citadel is a password-stealing bot program

• Citadel obtained the login credentials for the online vendor portal

• Kill Chain 1 Phase 2 & 3 (Weaponization & Delivery)

Page 25:

Breach Phase 3: Access Target via Vendor Portal

• Attackers used the stolen login credentials to gain initial Target network access

• A former Target security team member indicated that it was probably Target's web portal: the Ariba external billing system

• According to the same source, this portal was not fully isolated from the rest of Target's network

• The attackers used an administrative application BMC account with its default username and password to move within the network.

• Raw commands were issued on various systems, possibly by using NetCat.exe. NetCat.exe could have been used to load hacking-related commands onto compromised systems

• Access to the Target network was first gained on Nov 12th 2013

• The attackers used this initial C2 system to gain access to more sensitive parts of the Target network that stored customer data. This is a network segmentation problem.

• Kill Chain 1 Phase 4, 5 & 6 (Exploitation, Installation, & C2)

Page 26:

Breach Phase 5: Vulnerable Domain Controller

• It is believed that attackers found a vulnerable Windows Domain Controller that was used to gain access to the POS systems

• Each retail store was an autonomous unit except for centralized authentication, domain name resolution, and endpoint monitoring

• The Microsoft case study could have keyed the attackers to look for this centralized pivot point

• Kill Chain 2 Phase 1 (Reconnaissance)

Page 27:

Breach Phase 6: POS Malware Deployed

• The malware was probably distributed by an automated update process

• It is believed SCCM, Microsoft System Center Configuration Manager, was the deployment method

• The malware was a custom type of “BlackPOS” malware undetectable by virus scanners. This malware was sold on the black market for $1800-$2300 (US dollars)

• The malware was first installed on POS systems starting Nov 15 2013

• The majority of Target POS systems had this malware installed by Nov 30th

• Kill Chain 2 Phase 2 & 3 (Weaponization & Delivery)

Page 28:

Breach Phase 7: C2 Dump Server

• Another server with network access to the POS systems served as a C2 system for the POS malware-infected systems

• This C2 dump server used a third piece of malware to retrieve data from the POS systems to the dump server

• Kill Chain 2 Phase 5 & 6 (Installation & C2)

Page 29:

Breach Phase 8: C2 Dump Moves Data

• The data was taken from memory as cards were swiped

• The data was written to a .dll file and placed in a temporary NetBIOS share over ports 139, 443, & 80

• The C2 dump server used its malware to retrieve the customer data

• Kill Chain 2 Phase 4 & 7 (Exploitation & Action)

Page 30:

Breach Phase 9: Signaling of Data Movement

• Attackers used customized ping packets to signal when data moved from a POS machine to a compromised machine on the Target LAN

• Netcat.exe is a Windows tool they may have used. It writes data to TCP and UDP connections.

• Kill Chain 3 Phase 1 (Reconnaissance)

Page 31:

Breach Phase 10: C2 Exfiltration Server

• On the Target network, there was an “exfiltration” server that the attackers hijacked and used to install a 4th type of malware that provided data extraction functionality for stolen customer data through the Target network and Target's firewall out to external ftp servers

• Data was retrieved using the default administrative user name, Best1_user, and default password, BackupU$r, for BMC's Performance Assurance for Microsoft Servers

• Data was exfiltrated from 10am to 6pm to obscure their work.

• From Nov 30th to Dec 2nd, the attackers updated this data exfiltration malware several times. Target's FireEye intrusion detection system triggered urgent alerts each time the malware was updated, but the Target security team neither reacted nor allowed FireEye to remove the identified malware

• Target's Symantec antivirus software also detected malicious behavior on this same server around Nov 2

• Kill Chain 3

Page 32:

Breach Phase 11: Data Moved to Drop Locations

• On Dec 2nd, the Target server with the data exfiltration malware sent customer data to an external ftp server which was used to send data to hacked servers all over the world

• The Dell SecureWorks article, “Inside a Targeted Point-of-Sale Breach”, indicates 3 legitimate FTP servers were the drop locations

• The hackers obtained compromised credentials to these servers and retrieved the data with the stolen credentials

• The servers were believed to be in Eastern Europe

• The data was transmitted in clear text

• Target's FireEye software detected this exfiltration malware and the destinations that the exfiltration malware was sending data to
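A defender-side check for the traffic pattern described in phases 8, 10 and 11, as an added example that is not part of the original presentation: POS hosts should reach only the payment gateway, and no internal server should push bulk data to an external FTP server, least of all during business hours. The segment addresses, ports, thresholds and flow lines are constructed assumptions, not Target's real network.

```python
"""
Flow-log checks for the Target exfiltration path (phases 8, 10 and 11).
Added example; the segmentation policy and sample flows are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed segmentation policy (hypothetical addresses)
POS_SEGMENT = ip_network("10.50.0.0/16")      # POS VLAN
PAYMENT_GATEWAY = ip_network("10.10.5.0/24")  # only destination POS may reach
INTERNAL = ip_network("10.0.0.0/8")           # anything outside is "external"
FTP_PORTS = {20, 21}
BUSINESS_HOURS = range(10, 18)                # 10:00-17:59, the window on slide 31
BULK_BYTES = 100 * 1024 * 1024                # flag >= 100 MB in a single flow


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line: '<iso-ts> <src> <dst> <dport> <bytes>'."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes))


def classify(flow: Flow) -> list[str]:
    """Return the policy findings for a single flow (empty list = allowed)."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    findings: list[str] = []
    # Phase 8: a POS host reaching anything but the payment gateway means the
    # POS VLAN is not actually isolated (e.g. the NetBIOS share on 139/443/80).
    if src in POS_SEGMENT and dst not in PAYMENT_GATEWAY:
        findings.append("POS_SEGMENTATION_VIOLATION")
    # Phases 10/11: an internal host sending to an external FTP server.
    if src in INTERNAL and dst not in INTERNAL and flow.dport in FTP_PORTS:
        findings.append("FTP_EGRESS")
        # Bulk transfer hidden inside business hours, as described on slide 31.
        if flow.ts.hour in BUSINESS_HOURS and flow.nbytes >= BULK_BYTES:
            findings.append("FTP_EGRESS_BULK_BUSINESS_HOURS")
    return findings


def analyze(lines: list[str]) -> dict[str, list[str]]:
    """Map each offending source host to the distinct findings raised against it."""
    report: dict[str, list[str]] = {}
    for line in lines:
        flow = parse_flow(line)
        for tag in classify(flow):
            bucket = report.setdefault(flow.src, [])
            if tag not in bucket:
                bucket.append(tag)
    return report


# Constructed sample flows; dates mirror the timeline on the slides.
SAMPLE_FLOWS = [
    "2013-11-30T11:02:15 10.50.12.7 10.10.5.20 443 2048",        # POS -> gateway: allowed
    "2013-11-30T11:05:40 10.50.12.7 10.0.200.9 139 5242880",     # POS -> dump server share
    "2013-12-02T13:20:03 10.0.200.9 203.0.113.45 21 734003200",  # bulk FTP out, daytime
    "2013-12-02T22:10:00 10.0.200.9 203.0.113.45 21 1024",       # FTP out, small, at night
    "2013-12-02T09:00:00 10.0.3.4 10.0.200.9 22 300",            # corp -> corp: allowed
]

if __name__ == "__main__":
    for host, tags in analyze(SAMPLE_FLOWS).items():
        print(host, ", ".join(tags))
```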

Page 33:

Breach Phase 12: Breach Detection Ignored

• Target's security monitoring software, “FireEye”, alerted staff in India

• The Indian staff notified the Minneapolis staff, but no action was taken

• The Minneapolis staff simply did nothing

Page 34:

Breach Phase 13: Cards on Black Market

• Customer credit cards were sold on the black market


Page 35:

5 Major Lessons from the Target Breach

Page 36:

Lesson 1: Compliance Isn't Everything

• Target passed their PCI compliance audits prior to the breach. John Mulligan, Target's Executive Vice President and Chief Financial Officer, testified that they had been certified in Sept 2013 as compliant with PCI-DSS

• Fazio Mechanical also stated they were compliant

The SANS report says:

'We can learn from the Target breach that compliance with baseline standards isn't enough. A comprehensive approach to security will consider all assets, not just those that fall under compliance regulations … As demonstrated in this breach, many different assets were used to move throughout the network, so consideration of the POS systems alone would not address the root causes that led up to this attack.'

Page 37:

Lesson 2: Holistic Security is the Answer

• A holistic approach to information security is more effective at protecting an organization from security breaches

• The SANS study recommended Risk Management and Defense in Depth

The SANS study defines Risk Management as:

'Risk management assesses and prioritizes security needs based on what can cause the most damage to a company, rather than relying on legal or industry standard compliance.'

The SANS study defines Defense in Depth as:

'Defense in depth makes use of multiple layers of protection.'

Page 38:

Lesson 3: Risk Management Recommendations

• Perform organization-wide risk management activities on a regular basis

The SANS report recommends:

• 'PCI compliance alone is not a risk management strategy.'

• 'Vulnerabilities and Threats for all systems, not just those within scope for compliance audits, are identified.'

• 'Threats and vulnerabilities are then prioritized and fixed to limit risk to an acceptable level.'

• 'Constant re-evaluation is required as the threat landscape is always changing.'

• 'Businesses need to employ an adequate number of security professionals who understand the business, the risks and the potential loss.'

• 'Security staff needs to be vigilant to understand new potential threats and vulnerabilities when they appear.'

Page 39:

Lesson 4: Insufficient Defense in Depth

• Target had several layers of security defenses. They had firewalls, malware detection software, intrusion detection and prevention capabilities and data loss prevention tools.

• But they needed better quality of implementation and more layers

The SANS report said:

• 'Although some level of segregation likely existed, vulnerable configuration and accounts allowed segregation strategies to be bypassed.'

• 'Despite the fact that they purchased expensive monitoring software, staff was not sufficient, not well-trained or inadequate processes turned those systems into a liability rather than an asset when it was determined that Target was notified, but did nothing to stop the breach.'

Page 40:

Lesson 5: Intelligence-Based CND

• The Lockheed white paper indicated:

“As conventional, vulnerability-focused processes are insufficient, understanding the threat itself, its intent, capability, doctrine, and patterns of operation is required to establish resilience.”

• Traditional security measures may be sufficient for thwarting the average hacker, but not the APT.

Page 41:

Countering the Breach in AIX

If the Target systems had all been AIX partitions, how could we have countered the attack?

Page 42:

Attack Phase: Phase 1 & 2

AIX Countermeasures: N/A

Page 43:

Attack Phase: Phase 3: Access Target via vendor portal

AIX Countermeasures:

• Multi-factor Authentication with RSA PAM Module

Page 44:

Attack Phase: Phase 4: Establish a C2 System

AIX Countermeasures:

• AIX Role-based Access Control – limit access to privileged commands

• AIX Trusted Execution – control foreign command execution & lock policies in kernel

Page 45:

Attack Phase: Phase 5: Vulnerable Domain Controller

AIX Countermeasures:

• Security Hardening with PowerSC Security and Compliance Automation

• PowerSC Trusted Network Connect and Patch Management

• Network Segmentation via VLANs. MSAD shouldn't have access to both PCI and non-PCI networks

Page 46:

Attack Phase: Phase 6: Malware Deployed

AIX Countermeasures:

• AIX Trusted Execution with TEP

Attack Phase: Phase 7: C2 Dump Server

AIX Countermeasures:

• AIX Enhanced RBAC & Multi-factor Authentication

Page 47:

Attack Phase: Phase 8: C2 Dump moves data

AIX Countermeasures:

• AIX Role-based Access Control to eliminate unnecessary administrative access

• AIX Trusted Execution to prevent execution of malware and any hacking tools

Page 48:

Attack Phase: Phase 9: Signaling of data movement

AIX Countermeasures:

• AIX Role-based Access Control

• AIX Trusted Execution

Page 49:

Attack Phase: Phase 10: C2 Exfiltration Server

AIX Countermeasures:

• AIX Role-based Access Control to eliminate unnecessary administrative access

• Password controls implemented with PowerSC Security and Compliance Automation

• Multi-factor Authentication with AIX PAM module

Page 50:

Attack Phase: Phase 11: Data moved to drop locations

AIX Countermeasures:

• Implement the separation-of-duties feature for ftp with AIX Role-based Access Control

• Password controls implemented with PowerSC Security and Compliance Automation

• AIX Auditing to detect ftp

Page 51:

Attack Phase: Phase 12: Breach Detection Ignored

AIX Countermeasures:

• Use the runtime preventative execution functionality in AIX Trusted Execution

• PowerSC Real Time Compliance

Page 52:

Summary

• The Ponemon Institute indicates that the costs of security breaches are staying consistent

• The Target breach involved many phases

• Many layers of defense were either missing or lacking in Target's defenses

• Security compliance isn't everything, as Target was PCI compliant

• Defense in depth and a Risk Management approach is the answer to best preventing breaches

• If the breach had happened in an AIX environment, the key countermeasures would be: multi-factor authentication, AIX Role-based Access Control, AIX Trusted Execution, and PowerSC patching, monitoring and security hardening

Page 53:

Page 54:

IBM Systems Lab Services & Training - Power Systems

Services for AIX, i5/OS, and Linux on Power – PowerCare Eligible

http://www.ibm.com/systems/services/labservices/platforms/labservices_power.html

AIX Security Assessment with PCI 3.2

Terms and Conditions: Actual tasks, deliverables, service estimates, and travel requirements vary with each client's environment. When we have reached a final agreement on the scope of your initiative and our level of assistance, a formal document describing our proposed work effort, costs, etc., will be presented for your approval and signature.

Overview:

Companies frequently, and unknowingly, employ weak security practices that expose them to high risk. The ramifications of a security breach could be unforeseeable litigation, identity theft, the bringing down of networks, and harm to a company's brand. As described by the Jericho Forum, a company shouldn't depend solely on perimeter security. The AIX Security Assessment is the best way to identify weak AIX security practices that may be exposing your company to high risk. This assessment is a comprehensive assessment of how you are implementing AIX security.

• At least one AIX or VIOS partition is assessed

• A set of documents detail the results of the assessment

• The assessment details how the security settings correspond to PCI 3.2

• Learn about AIX solutions available to reduce operational expense

• Learn about PowerSC solutions available to assist you with security & compliance

• Short overviews can be provided to help the customer understand recommended solutions, such as RBAC and LDAP

• Customers wanting to learn about securing VIOS partitions

• The assessment only reads existing security settings – no settings are altered on the assessment partition

WHO benefits from this assessment and WHY?

• Customers wanting to improve their AIX Security configurations

• Customers wanting to stay abreast of the latest AIX security solutions

• Customers wanting a security baseline for defining standard builds

• Clients wanting to learn about ways to simplify the management of their AIX security environment

Duration

• At least 1 day on-site

Phase 1 – Preparation (remote):

Conference calls are held prior to the service to validate the scope, agenda, schedule and required materials.

• Client provides overview of their current AIX Security environment

• IBM team prepares the service agenda/schedule

• IBM team details security data collection process

• IBM team provides customer security questionnaire

• Identify required materials / Finalize key players

Phase 2 – AIX Security Assessment (on-site): Review the Results of the Assessment with Customer

Example Tasks

• Consultant reviews the results of the security assessment with customer staff

• Customer reserves conference room with projector and invites relevant staff

• Customer staff can ask questions about the details of the assessment

• Customer staff can ask questions about the security recommendations

• Additional presentations can be provided to expound upon various technologies that may be recommended

Deliverables – Detailed AIX Security Assessment Findings document, Heat Map, Executive Summary

References:

The Jericho Forum:

http://en.wikipedia.org/wiki/Jericho_Forum

Erin M. Hansen – PowerCare Opportunity Manager, [email protected]

Hoben – Opportunity Manager, [email protected], 1-720-395-0556

Stephen Brandenburg – Opportunity Manager, [email protected], 1-301-240-2182


RHEL Security Assessment

Terms and Conditions: Actual Tasks, Deliverables, Service Estimates, and travel requirements vary with each client’s environment. When we have reached a final agreement on the scope of your initiative and our level of assistance, a formal document describing our proposed work effort, costs, etc., will be presented for your approval and signature.

Overview:

As detailed in the Ponemon Institute's survey, “2015 Cost of Data Breach Study”, the average cost of a computer breach at a large company globally was $3.79 million. For U.S.-based companies, the average cost was much higher, $6.5 million. These costs have risen globally 23% since 2013. In the “2014 Global Report on the Cost of Cyber Crime”, the Ponemon Institute, a security research center, reports that deploying security intelligence systems and maintaining a strong security posture make a difference and moderate the cost of cyber attacks.

IBM Lab Services is providing the following services to help you reduce your security risk and improve the security of your information assets. These services are being provided to help you deploy the type of security intelligence systems and achieve the strong security posture recommended by the Ponemon Institute.

The goal of the RHEL Security Assessment is to identify effective security controls that your company can adopt to significantly reduce its security risk.

This service is designed for IBM Power Systems customers. The security controls have been recommended for Red Hat Enterprise Linux by the United States NSA Information Assurance Directorate. The controls are primarily based on Red Hat and security-community consensus-based recommendations.

Client Benefits

• Helps achieve regulatory compliance, such as PCI, HIPAA, etc.

• Helps improve RHEL security configurations and lower risk

• Helps promote the adoption of the latest RHEL security solutions

• Provides a baseline for defining standard RHEL image builds

• Learn of hundreds of security controls to reduce security risk

Duration

• Time varies depending on scope requested: 1-3 days on-site

Phase 1 – Preparation (remote):

Conference calls are held prior to the service to validate the scope, agenda, schedule and required materials.

• Client provides overview of their current RHEL security environment

• IBM team prepares the service agenda/schedule

• IBM team details security data collection process

• IBM team provides customer security questionnaire

• Identify required materials / Finalize key players

Phase 2 – RHEL Security Assessment (on-site):

Assessment Phase

• Partition data is collected

• Data is processed and assessment documents are created

Review Phase

• Consultant holds a review of the results of the assessment with key customer staff

• Additional presentations may be provided on recommended security solutions

Deliverables – Detailed RHEL Security Assessment Findings document, Heat Map, Executive Summary

References:

NSA RHEL Guidelines

https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml


Stephen Dominguez

www.securitysteve.net

If you'd like me to set up a conference call so we can chat about security, shoot me an email at [email protected]

Let’s Stay in Touch!