Have You Already Been Compromised?
My client called CDW after the company experienced a series of unusual events affecting its point-of-sale systems around the world. Some of these events included random reboots of its POS terminals and the infamous “blue screen of death” on other systems in remote locations. The initial investigation revealed anomalous network traffic originating from user segments of the company’s internal network to systems that processed and stored credit card data in remote locations.
Once onsite, we learned that the organization had deployed an endpoint detection and response solution to some segments of its network, but those efforts hadn’t yet reached remote locations where POS terminals and other sensitive systems resided. We worked with the company to immediately deploy the EDR solution to the affected networks to increase visibility, which ultimately produced indicators that attackers had indeed compromised several of the company’s POS networks at remote locations. Further analysis of the collected network and endpoint telemetry also indicated ongoing and successful exfiltration of a significant amount of credit card information.
This news was obviously devastating for the client, which now had a Payment Card Industry Data Security Standard breach on its hands. Compounding the situation, our forensic analysis discovered that the attackers had infiltrated the network over a year earlier and had maintained a persistent compromise for months, siphoning off track 1 and track 2 credit card data (which includes the cardholder’s name, account number and other highly sensitive information) as it arrived.
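The first indicator in this case was traffic from user segments to the systems that processed card data, which is exactly the kind of segmentation violation a defender can alert on before an EDR rollout reaches the remote sites. The following Python check is an added illustration, not code from the original article or from CDW's tooling; the address ranges, allow-list and flow-record format are all hypothetical and the sample records are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical segment plan: user VLANs vs. the cardholder data environment (CDE).
USER_SEGMENTS = [ipaddress.ip_network("10.10.0.0/16")]
CDE_SEGMENTS = [ipaddress.ip_network("10.200.0.0/24"),
                ipaddress.ip_network("192.168.50.0/24")]
# Hosts that legitimately reach the CDE (e.g. a jump host); hypothetical.
ALLOWED_SOURCES = {ipaddress.ip_address("10.10.5.10")}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<ts> <src> <dst> <dport> <bytes>'."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), int(nbytes))


def in_any(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in net for net in nets)


def find_segment_violations(lines):
    """Return flows from a user segment into the CDE that bypass the allow-list."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments in the flow export
        f = parse_flow(line)
        if (in_any(f.src, USER_SEGMENTS) and in_any(f.dst, CDE_SEGMENTS)
                and f.src not in ALLOWED_SOURCES):
            hits.append(f)
    return hits


# Constructed flow records: one allow-listed admin flow, two violations from a
# user workstation, one CDE-internal flow and one ordinary DNS lookup.
SAMPLE_FLOWS = """
2024-01-10T02:14:05Z 10.10.5.10 10.200.0.15 443 1200
2024-01-10T02:15:11Z 10.10.42.7 10.200.0.15 445 82000
2024-01-10T02:16:30Z 10.10.42.7 192.168.50.3 3389 4100
2024-01-10T02:17:02Z 10.200.0.15 10.200.0.20 1433 9000
2024-01-10T02:18:45Z 10.10.8.3 8.8.8.8 53 120
""".strip().splitlines()

if __name__ == "__main__":
    for f in find_segment_violations(SAMPLE_FLOWS):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} ({f.bytes_out} bytes)")
```

Running it flags only the two flows from 10.10.42.7; the allow-listed jump host, the CDE-internal database connection and the external DNS lookup are left alone.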
My takeaway from this engagement is simple: Effective incident response requires proper preparedness and planning. While that sounds like a common-sense conclusion, the stark reality is that many organizations simply don’t have a solid incident response capability, and that fundamental gap limits their ability to even determine whether they’ve been compromised. I’m certain that other organizations have suffered similar compromises and simply haven’t discovered them yet.
5 Steps to an Effective IR Plan
Robust approaches to incident response require a combination of procedures, technical capabilities and skilled professionals. Here are five of the crucial steps that I advise my clients to cover:
- Identify key incident response team members and ensure that they have the authority to make difficult and timely decisions.
- Document, test and train team members on incident response policy and procedures.
- Build an inventory of sensitive information assets.
- Deploy a detection stack that provides the visibility and response capabilities needed to properly protect the organization’s systems and data.
- Integrate incident response efforts with the organization’s disaster recovery plan.
Incident response is a complex undertaking, and I encourage organizations to start their work before a cyberattack occurs. This allows leaders to make preplanned decisions during a period of calm and avoid making rash decisions when responding to a security incident.