Speeding up a PCI Forensic Investigation

Serengeti for Acquiring Banks

Notification that one of your merchants has been identified as a CPP will general come via one of the card schemes. The affected merchant will be advised of the situation and instructed to engage with one of a relatively small number of PCI Forensic Investigators (PFI’s) who are certified to undertake forensic work in defined geographical areas.  The said merchant will be provided with a short list of approved organisations, with whom they will be required to negotiate and contractually engage.

Whilst time is clearly of the essence, the current investigation process is slow. The priority within any such engagement is to firstly contain the breach and then establish which cards could have been breached. This information serves to quantify the extent of the breach and prevent further fraud using the compromised card data.

In parallel, investigators will look to establish the root cause of the breach and make sure that further cards are not compromised. Having quantified and contained the situation further work is undertaken to try and identify the culprits, although this can prove extremely challenging.

From such investigation, the PFI will sometimes identify new tools and techniques that are being used to perpetrate such attacks. The investigation itself, requires a specialist understanding of the card payments industry and is undertaken by experienced consultants, skilled in the art of piecing together the evidence required to establish the cause and effect of a card data compromise.

A meticulous attention to detail and thorough understanding of payment system, networking applications, encryption and malware all contribute to a successful investigation.

Putting aside the fact that it is not uncommon for compromises to go undetected for many months, the investigation is often a protracted challenge to a business. Once we are contractually engaged and a consultant has be scheduled to handle the engagement, the process typically involves: 

1. Onsite interviews and data collection: Imaging of hard disks of all systems suspected of being in scope of the investigation - this usually involves most of the systems in the payment channel related to the suspected breach. Depending on the machines that are being “imaged”, this could take anywhere from a few minutes to a few hours per machine – we usually have several on the go at once to save time!
2. Transport the images: The images go  back to the forensic lab and the evidence is "checked-in" – which means validating, transferring and correctly recording the evidence.
3. Analysis of the evidence: Depending on the information provided in the interviews (and our understanding and experience of how a potential breach may have transpired within the organisation), we start working on the most obvious data. Most often, there is one, sometimes possibly two or more forensic analysts working on a case. Larger ones can have several, however, in the analysis phase there is usually a team lead who is managing and directing the investigation. Each system can take up to 2-3 days to fully analyse before moving onto the next. It can take time, especially with more complex scenarios.
4. Containment: From the card scheme and industry view point, the most critical part of the investigation. As soon as the breach is identified and confirmed, we work to establish how it transpired and alert the victim organization with advice on how to contain the situation so that no more cardholder data is stolen.
5. Reporting: With the analysis completed we produce a detailed report on the case. Case closed.

The crucial part of the process described is the “CONTAINMENT” section, the point at which the victim of the attack stops “bleeding” cardholder data. Prior to this the the potential fraud liabilities/fines will be escalating. With the estimated average fraud cost per card compromised in the region of £650 ($1,000) /compromised card – there is clearly a strong financial incentive to get control of the situation and contain it! Especially in a high transaction volume business.

As one of the world’s leading PFIs Foregenix is shifting the paradigm when it comes to undertaking forensic work for the payments industry. By deploying Serengeti, a solution which has evolved from our own intimidate understanding of the challenges associated with forensic work within the payments industry,

Foregenix is able to significantly reduce the elapsed time between a merchant:

1. Being identified as a CPP
2. The point at which the breach is considered to be contained.

Aside from the reduction in the exploitation window during which card data can be compromised, Serengeti is remotely deployed so saving on the logistical costs associated with on-site data collection, a significant component of such an engagement.

Within minutes of deployment, Serengeti is providing our consultants with telemetry on the health of the systems at the heart of the breach – processes running, configuration settings, outbound communications and many other metrics and reference checks.  The compilation of this telemetry enables us to rapidly identify indicators of compromise.

Importantly it facilitates a rapid check for all known and variant versions of malware strains that have been used to steal cardholder data. Indeed it is worth pointing out here that our experience shows that mainstream anti-virus/anti-malware solutions are not picking up malware found at the heart of many of today’s compromises.

See Serengeti neutralising and removing Dexter POS Malware:

Simple variations on existing malware packages render them undetectable by the victim’s existing defence mechanisms (anti-virus/anti-malware).

By using heuristic, behavioral and signature-based real-time analysis, we these identify the malware (known and variants) very quickly. We are very good at it.

Community Health

Serengeti also serves to protect the Foregenix client community health - applying containment of new Malware strains to all clients.

What’s more this happens very quickly, often within an hour of deployment.

Comparing this with the traditional forensic route, there are a few key differences:

1. Time to Containment : We are usually able to contain the situation in less than 24 hours VERSUS days or (usually) weeks following the traditional forensic approach.
2. Laser focus : We immediately know which are the affected systems exhibiting signs of compromise – therefore the forensic investigation focuses on these systems. Not the rest of the network. This results in a massively reduced forensic investigation bill and extremely quick containment.
3. Back to business quickly: With a contained environment, the Victim organisation can get their focus back on their business quicker, while the investigation can proceed quickly and efficiently with minimal disruption to the Victim's operations.