I have blogged many times before about how Malware Management helps information security professionals and organizations improve their detection, Active Defense and Incident Response capabilities. The Hyatt breach and MODPoS prove yet again that Malware Management would have saved Hyatt and many other retailers after Jan 2014. Retailers must evolve or continue to be compromised. For that matter, all of us must evolve our detection capabilities or suffer a breach at some point. The ultimate goal of security operations is to detect an intrusion BEFORE the mass loss of data that results in a breach, your firm's name in the news and possibly new employment opportunities for you.
In October 2015 iSight Partners released another good analysis report on the MODPoS malware. Much like their first report from Jan 2014 on BlackPoS, one of the main conclusions is the same: the malware installed a new service!
For the love of humanity, information security professionals, monitor your systems for the creation of new services! This is Malicious Detection 101, people. One item that is enabled and available by default on Windows systems is the set of events for services starting, stopping, changing and installing. Yes, there were many more artifacts in these two malware reports, but one thing is common to both and to many other malware reports: a new service was installed, and it is the core persistence mechanism used in retail Point of Sale (PoS) infections. Many advanced malware attacks also use a new or existing service to maintain persistence; it's a very common technique.
Detect Event ID 7045 (a new service installed) or Event ID 7040 (a change of service state) and you can detect and stop PoS malware and many other advanced malware dead in their mag stripes.
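As an added example (not from the original post and not part of LOG-MD), this PowerShell snippet pulls the Service Control Manager events 7045 and 7040 from the System log and flags service binaries installed outside the usual system directories; the 24-hour window, the trusted path list and the 7040 field names (param1..param3) are assumptions to check against your own event XML.

```powershell
# Added example: hunt for new services (7045) and service start-type changes (7040)
# in the System log. Lookback window and trusted roots are tuning assumptions.
$Hours = 24
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7045, 7040
    StartTime    = (Get-Date).AddHours(-$Hours)
}

# Directories a legitimate service binary normally lives under; anything else gets flagged.
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Parse the EventData <Data Name="..."> elements into a hashtable.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($_.Id -eq 7045) {
        # 7045 fields: ServiceName, ImagePath, ServiceType, StartType, AccountName
        $image = $data['ImagePath']
        # Strip surrounding quotes and arguments so only the executable path is checked.
        $exe = ($image -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($root -and $exe.StartsWith($root, 'OrdinalIgnoreCase')) { $inTrusted = $true }
        }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            EventId    = 7045
            Service    = $data['ServiceName']
            Detail     = "$image (start: $($data['StartType']), account: $($data['AccountName']))"
            Suspicious = -not $inTrusted
        }
    }
    else {
        # 7040 fields (assumed): param1 = service display name,
        # param2 = old start type, param3 = new start type.
        [pscustomobject]@{
            Time       = $_.TimeCreated
            EventId    = 7040
            Service    = $data['param1']
            Detail     = "start type changed: $($data['param2']) -> $($data['param3'])"
            # A service being switched off is worth a look (e.g. a security agent); tune as needed.
            Suspicious = ($data['param3'] -match 'disabled')
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Review the `Suspicious = True` rows first, then baseline the rest so recurring legitimate installers (patching, agent updates) can be filtered out of the alert stream.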
Take it from someone who has lived there too many times and caught the malwarians within an hour or so of the initial compromise. You CAN detect most advanced attacks and many commodity malware infections, but you must practice Malware Management. Read the malware analyst reports these experienced and seasoned professionals create for the very purpose of educating all of us to improve from real world events and experiences.
Read more on Malware Management here:
Read more on Windows Logging, and use the several cheat sheets we created to help you begin and refine your Windows logging ability, available here:
And of course, use LOG-MD to audit your system and help set up proper logging to gather the needed log data. Even if you have a Log Management solution, use LOG-MD to refine your logging, improving what you collect, reducing the noise and the quantity of events, and helping you reduce your license and storage requirements. You can get LOG-MD here:
Malware Management to the rescue!
So come on, retailers, it is time to get with the times and read the malware reports on your own breaches to learn, improve and better defend yourselves. Everyone else too.
- iSight Partners report on ModPoS - Oct 2015
- iSight Partners report on BlackPoS - Jan 2014
More Malware Analyst reports are available on our website:
Happy Hunting!