Cisco Subnet An independent Cisco community View more

Breach! Defending Point of Sale Networks and Systems

Given the Point of Sale (PoS) attacks in the news lately I'm sure many of you are thinking about, or acting on, architecting better defenses.  I recently worked with a team at Cisco to perform this same analysis on how to properly defend point-of-sale networks from attack.  The attack scenarios we used were modeled after the recent breaches, blackpos and other PoS malware attacks.  In a nutshell, we analyzed the threats found within the point of sale environment and architected a Cisco security solution that would provide the biggest impact with the lowest disruption to the PoS environment.   We put a few tenets in place to ensure we ended up with the best solution:

  • Rapidity and Ease of Deployment was a high priority
  • Focus on defending against targeted attacks utilizing custom malware or day zero methods
  • Ensure coverage for the complete attack lifecycle; The Before, During and After phases an attack

These design goals led us to three cisco security solutions that can be used stand-alone or together as a system depending on your environment, budget and risk profile.  The three security solutions that best meet the above design goals are:

  1. Cisco Cyber Threat Defense (CTD)
  2. Cisco Sourcefire Advanced Malware Prevention (AMP) 
  3. Cisco Sourcefire Next Generation IPS (NGIPS)

These three solutions cover the full attack continuum: Before, during and after (BDA).   Here is a description of each phase:

attack continuum

This next graphic shows a mapping of the most common security solutions to the BDA continuum.  CTD can also be useful in the before phase as well.  Read on for more on that.

Before Phase

attack continuum extended
Cisco CTD allows you to create security zone rules and will alert you if traffic flow breaks a zone rule.  This allows you to setup a pci zone with rules that would prohibit the transfer of data from PCI zone to any other zone for example.  CTD uses the network as a sensor, specifically Netflow, to obtain an untainted view of real-time traffic flow.  This solution meets all three of our tenents.  It is non-intrusive, and not inline, since it uses netflow data that is already available in your Cisco network. It can be installed very easily and zones created quickly.  And finally it is excellent at finding targeted or zero day attacks since it is watch for bad/out of policy behavior of network traffic.  

Here is a screenshot of CTD with some zones setup in the easy to use relationship map:

CTD Zones

During Phase

The during phase utilizes all three solutions: CTD, AMP and NGIPS.  Again, these solutions can work together or seperate.   In this phase CTD provides an powerful out of the box feature called 'suspect data loss'.  This feature uses zones to determine if an abnormal amount or type of data is leaving your organization in an anomalistic way.  So when malware goes to exfiltrate stolen data CTD sees this upload, via netflow, and will alert.  AMP is able to detect malware in the during phase.  AMP looks at the reputation and behavior of files as they traverse the network or drop onto a client running an AMP client.  If a file has not been seen before then it is uploaded to the amp client automatically for analysis, sandboxing and a verdict is passed back to AMP.  Malicious files can be dropped at the network appliance or at the AMP client.  FireAMP currently runs on any sourcefire NGIPS or NGFW appliance.  The final solution for during is NGIPS, this applies snort rules to traffic to find malware or malware like activity.  All of the known variants of PoS malware already have snort signatures.  NGIPS also includes layer 7 application visibility and control for 100's of apps which will allow it to detect many of the data exfiltration and command&control methods even zero-day malware will use.  All of these solutions incorporate multiple types of context into their alarms and data.  Username, device type, location, traffic types, apps used, and much more.  For CTD, Cisco ISE can even feed data over.

CTD suspect data loss and alarm trends

Here is a screenshot of CTD suspect data loss and alarm trends.  You can clearly see the FTP upload in the graph:

Cisco Sourcefire Defense Center dashboard

Here is a screenshot of Cisco Sourcefire Defense Center dashboard.  Defense center manages both NGIPS and AMP, as well as NGFW which we won't talk about in this blog.  You can quickly see the threats and risky applications on your PoS network.

Cisco AMP (advanced malware protection) dashboard

Here is a partial screenshot of the Cisco AMP (advanced malware protection) dashboard.  

Here are the multiple analysis methods that Cisco Sourcefire AMP uses to defeat malware

SourceFire Advanced Malware Protection (AMP)

After Phase

The after phase is about scoping the extent of the damage, containing the attack, and remediating and cleaning the mess.  Understanding exactly what happened, how big the infection is and ensuring a thorough clean up are very tall orders for IT departments.  This is where both the CTD and AMP solution differentiate themselves.  Both solutions inherently provide visibility over time, not just point in time.  CTD creates all sorts of historical analytics suchs as baselines, anomaly, behavior analysis, flow rates, application types, and most importantly it remembers the network data flows from host to host throughout the network.  CTD also has built in rules to detect worm propogation and other malware like behaviors.  AMP watches all files as they are passed throught the network from clients, servers, www, storage, etc.  AMP understands the reputation threat, risk and behavior of each file in extreme detail, right down to memory usage, system calls, etc.  Because AMP never looses track of where files are you can perform file trajectory to track down patient zero of a malware outbreak, find all infected hosts and who infected them, find files that were created by other files such as droppers and generally see everything the malware files did on a system.  These two solutions, CTD and AMP, will ensure that you can get through the after phase and be confident that you got it all when your done cleaning up the mess.  

Here is a screenshot of AMP file trajectory.  Notice the file starts out as unknown and is shown as a gray circle.  Once the analysis is done is quickly turns to a red circle.  You can then track its propogation throughout the network and hosts as shown with the lines and arrows.  This shows you exactly how it spread, what other files it dropped and/or created, what those files then did, etc. etc.  Essentially AMP provides always-on, just in time, malware forensic analysis.

AMP file trajectory

Here is a look at Cisco Cyber Threat Defense worm propogation events and map:

There is so much more detail behind these three solutons: CTD, AMP and NGIPS.  If you would like to learn more on how to use them to defend point of sale networks you can listen to my webinar on-demand just Register to watch: http://cs.co/90005SII 

Cisco Cyber Threat Defense

  The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

Jamey’s Blog for more articles on security.

Go to

To comment on this article and other Network World content, visit our Facebook page or our Twitter stream.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.