APT in action: The Heartland breach

Heartland Payment Systems CTO Kris Herrin talks about the attack that changed his views on data security

In late 2008, a group of hackers successfully broke into the network of Princeton, N.J.-based payment processing giant Heartland Payment Systems. The hackers stole data from more than 100 million credit and debit cards on the company's network that serves the card-processing needs of restaurants, retailers and other merchants.

The hackers spent weeks gathering intelligence on Heartland's networks, systems, corporate structure and employee roles, according to Kris Herrin, the company's chief technology officer. This level of persistence defines the new threat landscape for all businesses today, Herrin says, and dramatically changes how organizations need to think about data security. Security leaders today need to assume their systems and networks are compromised and begin focusing on securing—or getting rid of—the data itself, he says.

We spoke with Herrin about the new threat landscape and how the 2008 breach transformed his outlook on data security.

CSO: Tell us what tactics hackers used to successfully infiltrate Heartland's systems.

Kris Herrin: Ukrainian hackers, led by Albert Gonzalez, spent about six months on our corporate network, mapping out who does what in terms of employee roles, the network layout and design, as well as our security defenses. They were essentially gathering intelligence to get from our corporate network to our processing network, which are very different and separate from each other.

CSO: Was this a combination of social engineering and technology-based hacking?

Herrin: The initial breach was through SQL injection, but they also used social mining and data gathering to figure out, for instance, who the developers were who had access to code and systems.

CSO: Would you classify this as an advanced persistent threat (APT)?

Herrin: As a security guy, I don't like the term APT. I think it misses the point and gets overused quite a bit. So, no—our breach was not an example of APT the way the media uses that term. What's more interesting to me—and what's changed the security landscape—is not how advanced the attack is; it's the persistence that's the important part of attacks today, and that quality was absolutely part of our breach.

We know that the very first breach to our corporate network was December 2007. It was detected at the time, and we believed it was cleaned up, but it wasn't completely. It turned out to be much more persistent than anyone thought. They spent a lot of time avoiding detection and finding new ways to move around laterally and get into information.

It shows that "advanced" is not the concern—it's the resources, time, effort and energy that hackers are willing to spend to try to get to your data. They won't just try a few times, quit and give up. They'll spend months and years mapping information about the network, mining data, studying the personnel database, finding the right person to spear-phish. That's the critical part of the threat landscape today.

So to me, APT refers to any hacker that will spend a lot of time, effort and energy finding weaknesses, and once they're in, they'll insert multiple hooks and multiple ways to get back in.

CSO: Who is at risk?

Herrin: Gonzalez broke into hundreds of companies, and some were our customers and merchants. They'll target Joe's Pizzeria with 10 tables if they find the point of sale system is insecure, or they'll put a card skimmer on a gas pump to siphon data. The majority of compromised credit cards comes from small companies, not large. For everyone, APT is now the norm. Attacks will become more persistent, harder to detect and more difficult to get rid of.

CSO: How do threats from Eastern Europe and the Ukraine differ from those from China?

Herrin: They're very different kinds of threats, but there are common threads. Both will come up with creative ways to target individuals through social engineering and placing multiple hooks in your environment. But Ukrainian threats—and by this I'm also referring to Eastern Europe and Russia—are more "smash and grab."

They're after a specific set of data, and after they get it, they're out. In our case, they were looking for track data [the information encoded on the magnetic strip on the back of a credit card]. They knew how to monetize it, so once they found it, they were finished because that's what they were after.

Chinese threats are more geared toward espionage and intelligence-gathering. They're hanging around the network for a long, long time and working to steal intellectual property or economic information—they don't have one thing they're after. They tend to target the defense industry and possibly have more state sponsorship, depending on what you read.

CSO: How does APT change how companies should approach data security?

Herrin: Companies need to start from the premise of, "assume your systems are compromised." Stop trying to keep the bad guys out—assume you're compromised and get rid of the data they're after.

You can replace sensitive data with tokens, encrypted values or other enabling technologies. These approaches will protect against threats not only from APT but also consumerization of IT, people bringing in their own iPhones, data moving to the cloud or employees getting into social media.

I'm not saying to do away with the antivirus, network security, identity and access management systems—those are the minimum standard. But you're kind of saying, "I can't protect all the iPhones and Androids that can download everything from an app store." Instead, you need to focus your limited resources on ensuring that valuable data is safely handled so you don't have to worry about it being lost.

This also means getting rid of the data you don't need to be handling. Look at your legacy processes and find ways to reduce the scope of the data. Remember when Social Security numbers were used for everything? Now, we have to do the same thing with the rest of the data the business handles. Merchants and call centers should be asking, "Why do I need the full credit card number?" They don't—they just need a reference or a token.

CSO: So, the focus needs to move to encryption and key management?

Herrin: Key management is actually a much harder problem than trying to protect servers and networks. You need to look at your applications and how they use the data so you can protect the data in a way that the application can still use it. For instance, how do you search for something if the data is encrypted? But that's where it's going—finding ways to keep data usable for business processes but taking away the data's value from the bad guys.

Our E3 technology uses a format that encrypts a credit card number so it still looks like a credit card number. We do that for the legacy applications out there so you don't have to rewrite them. All that old logic in the application still works.
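The "looks like a card number so legacy logic still works" idea above, shown as an added example that is not Heartland's E3 or any Heartland code: a small tokenization vault that swaps a PAN for a same-length, Luhn-valid token keeping the last four digits. The PAN, vault design and Luhn helper are constructed for illustration; a production vault would keep the mapping in encrypted, access-controlled storage rather than in memory.

```python
import secrets
import string

# Constructed sample PAN: a widely used test number, not a real card.
SAMPLE_PAN = "4111111111111111"

def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for PAYLOAD (the number without its final digit)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                      # rightmost payload digit is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    """True when NUMBER is all digits and its last digit is the correct Luhn check digit."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]

class TokenVault:
    """Replaces a PAN with a token of the same length that passes Luhn and keeps
    the last four digits, so legacy validation and receipt logic keep working.
    Only the vault can map a token back; downstream systems never hold the PAN."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan) or not 13 <= len(pan) <= 19:
            raise ValueError("not a plausible PAN")
        if pan in self._pan_to_token:       # same PAN always yields the same token
            return self._pan_to_token[pan]
        tail = pan[-4:]
        while True:
            prefix = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 5))
            # One free digit before the tail is chosen so the token passes Luhn;
            # a single digit position covers every residue mod 10, so one value always fits.
            for fix in string.digits:
                token = prefix + fix + tail
                if luhn_valid(token):
                    break
            if token != pan and token not in self._token_to_pan:
                self._pan_to_token[pan] = token
                self._token_to_pan[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        """Reverse lookup; raises KeyError for anything the vault did not issue."""
        return self._token_to_pan[token]
```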

CSO: This sounds like a big job for the smaller companies that, as you say, are also at risk of APT breaches.

Herrin: Joe's Pizzeria doesn't care about security; it cares about selling pizza. So we took the concept of "assume you're compromised and stop trying to keep the bad guys out," applied that to merchants and came up with end-to-end encryption, which encrypts data as soon as the card is swiped at the POS terminal. You can take the credit card data away from the merchant so they no longer have to worry about it. And that's a big deal for our merchants. They don't want to worry about Ukrainian hacker stuff. We now have merchants banging on our doors to get rid of this data.

Lots of people want to do payments through mobile devices. If you encrypt the data as soon as the card is swiped, you don't have to worry about the device at all because the technology ensures it's encrypted before it gets to the device.

CSO: Are there new APT security solutions that can also help?

Herrin: There are lots of good technologies that try to find APT threats and do sandboxing of executables. We use those technologies, but none of it actually solves the problem. The solution is getting rid of the data where it's not needed and taking the data out of scope.

Can you ever fully solve the problem? For some merchants with just credit card processing functions, you can. For more complex processes, no. But you can get to a much, much smaller risk profile if you focus on the data.

CSO: How can law enforcement agencies around the world help with APT?

Herrin: They can play a very important role, but there are limitations. If you believe you've had an attack or see threat indicators, plugging into law enforcement is critical—they need this kind of stuff reported to them, and they get federal dollars to help protect us. So the more we educate them on the threats out there, the better.

On the flipside, if they're working on an investigation like a Gonzalez-style case, there are realities having to do with jurisdictions and victim organizations that we've seen. Setting up partnerships with other companies is just as important.

CSO: What types of partnerships can be effective?

Herrin: This is something we took leadership on and that others are focusing on, too. Historically, as payment processors, we all shared the same threat, but we didn't share information on these threats. It was all very siloed because of the legal and competitive implications. But it reached the point where we could either get picked off one by one, or we could come together and work against these threats.

That's why we formed the Payments Processing Information Sharing Council. We've opened the kimono and even shared a sample of the malware that was part of our breach. We can report when we see a certain kind of phishing attempt or share tactics and techniques of how to better defend ourselves from attacks. We also do table-top exercises, where we conduct an attack and see how we'd respond.

We saw in our breach that Gonzalez and crew made changes to the malware as they went along, but they were fairly small changes. There were definitive indicators that did not change. When hackers have a bag of tools, they won't change them for every job they do. So just sharing that is helpful to other companies to know this is the known bad stuff to look for.

Two years in, this is a phenomenal group that shares threat intelligence on a daily basis. Now, when there's an incident, there are people to reach out to, both for help and to see if they're also seeing things. Many other groups—even in the defense industry—are doing the same thing now.

Tearing down the walls and barriers is a must. We can't be silenced—the bad guys are talking to each other all day long.

Copyright © 2012 IDG Communications, Inc.