Jim Jaeger, chief cyber services strategist with Fidelis Cybersecurity (recently part of General Dynamics), has been on the ground with a number of major enterprises that have suffered a high-profile breach.
When the Fidelis Cybersecurity team was called in to investigate the Global Payments breach six years after the TJX breach, credit cards were being encrypted throughout the process; however, "there is a brief flash of a second where you decrypt and re-encrypt the data and it's not written in a file. It occurs in a second," Jaeger said. That second was all the criminals needed.
[ PART 1: Lessons learned in the aftermath of a breach ]
"There is a class of network tools called scrapers or RAM scrapers targeting the processing for random access memory in a computer, not collecting the data in transit," said Jaeger, and that’s what happened with the second breach.
Coverage of the breach went on for months with updates of the increasing number of credit cards that had been compromised. The problem was that the first forensics team only found half the breach. “They found one set of malware and blocked that activity, but didn’t find the other package of malware,” Jaeger said.
Two months later, credit card companies were again seeing indications that the breach was still ongoing. Within six hours of being brought in, Jaeger’s team found the second breach. “We understood scrapers and reverse engineered the malware and determined that the hackers were only taking about one in five cards being processed,” Jaeger said.
A scraper, if running wide open, will essentially double the workload of the server, Jaeger explained: for every legitimate transaction, the scraper processes a duplicate copy and exfiltrates it, so the server is doing each transaction's work twice.
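The defender's counterpart to the RAM scraper described above is telemetry on which processes read the payment application's memory. The following is an added example, not code from the article or from Fidelis; it models Sysmon Event ID 10 (ProcessAccess) fields, and the allowlist, target path and log records are constructed for the demonstration.

```python
# Added example: flag cross-process memory reads against a payment process,
# modelled on Sysmon Event ID 10 (ProcessAccess: SourceImage, TargetImage,
# GrantedAccess). Paths, allowlist and events below are constructed, not real.
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010  # Win32 access right required to read another process's memory


@dataclass
class ProcessAccessEvent:
    source_image: str
    target_image: str
    granted_access: int


# Assumed allowlist of tools that legitimately read the payment process (e.g. the EDR agent).
ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\program files\edr\agent.exe"}
# Assumed path of the process that holds card data in the clear during decrypt/re-encrypt.
PAYMENT_TARGETS = {r"c:\payments\switch.exe"}


def is_suspicious_memory_read(ev: ProcessAccessEvent) -> bool:
    """True when a non-allowlisted process obtains VM_READ on the payment process."""
    if ev.target_image.lower() not in PAYMENT_TARGETS:
        return False
    if not ev.granted_access & PROCESS_VM_READ:  # e.g. QueryLimitedInformation only
        return False
    return ev.source_image.lower() not in ALLOWLIST


def find_suspicious(events):
    return [ev for ev in events if is_suspicious_memory_read(ev)]


# Constructed sample telemetry: one legitimate EDR read, one scraper-like read,
# one harmless handle with no read right, one read of an unrelated process.
SAMPLE_EVENTS = [
    ProcessAccessEvent(r"C:\Program Files\EDR\agent.exe", r"C:\payments\switch.exe", 0x1010),
    ProcessAccessEvent(r"C:\Windows\Temp\svchost.exe", r"C:\payments\switch.exe", 0x0010),
    ProcessAccessEvent(r"C:\Windows\Temp\svchost.exe", r"C:\payments\switch.exe", 0x1000),
    ProcessAccessEvent(r"C:\Users\ops\tools\procexp.exe", r"C:\Windows\explorer.exe", 0x0010),
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {ev.source_image} read memory of {ev.target_image} "
              f"(GrantedAccess 0x{ev.granted_access:04x})")
```

In production the allowlist should be driven from a software inventory rather than hard-coded, and a scraper that "runs wide open" will also show up as a high rate of such events from one source.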
One of the worst things a company can do when it announces a breach is to have to go back out and announce that the breach is bigger than it originally thought. Organizations really need to understand the capabilities and limitations of the incident response teams they use. The companies in these two examples lost tens of millions of dollars because they were using the wrong forensics teams.
How do you know if you’re choosing the right forensics team? Look for incident response experts. “Talk to companies in your industry, in particular companies that have had breaches. They can give you the pros and cons of the team they used.”
Security teams need to be aware of the risks and the on-going changes to the threat landscape. “Ransom, for example, was mostly a problem for small business or private individuals, but we are seeing an increase. Criminals are starting to move up the food chain and getting more medium sized businesses now,” Jaeger said.
One of the trends that is most concerning is the proliferation of destructive/disruptive attacks.
Jaeger noted, “I’m not sure we have done much to advance information sharing. What isn’t working is the sharing of trends and results. The analytic trend is not being shared effectively. With that too, there is some good sharing being done in the financial industry, not so much in retail.”
For those who are new to security and attending RSA this week, take advantage of this opportunity to learn and network. Continue to develop your skills and advance your education by getting involved in cyber competitions, and learn more at the Cybersecurity Education and Workforce Development for the Nation session, Feb. 29 from 4 p.m. to 5 p.m.
This article is published as part of the IDG Contributor Network.