LATEST INTELLIGENCE

Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6

Reports on payment card intrusions and theft are often fragmentary. The focus is on various pieces of the attack and less about capturing the end-to-end cycle of compromise, data theft, illicit sale and use. The full scope of attacker activity traditionally occurs beyond the view of any one group of investigators. Incident response teams may have visibility into the technical aspects of the breach itself, while cyber crime researchers monitor the movement and sale of stolen data in the criminal underground.

FireEye Threat Intelligence and iSIGHT Partners recently combined our research to illuminate the activities of one particular threat group: FIN6. This combined insight has provided unique and extensive visibility into FIN6’s operations, from initial intrusion to the methods used to navigate the victims’ networks to the sale of the stolen payment card data in an underground marketplace. In this report, we describe FIN6’s activities and tactics, techniques and procedures (TTPs), and provide a glimpse into the criminal ecosystem that supports the “payoff” for their operations.

FIN6 is a cyber criminal group intent on stealing payment card data for monetization. In 2015, FireEye Threat Intelligence supported several Mandiant Consulting investigations in the hospitality and retail sectors where FIN6 actors had aggressively targeted and compromised point-of-sale (POS) systems, making off with millions of payment card numbers. Through iSIGHT, we learned that the payment card numbers stolen by FIN6 were sold on a “card shop” — an underground criminal marketplace used to sell or exchange payment card data.

Building a Network Forensics Storage Architecture: 4 Things to Consider

A global bank has just discovered that someone has compromised its IT infrastructure and immediately begins investigating the attack.

As a first step, the security operations team reviews its packet capture stores to evaluate the scale and scope of the breach. These stores – records of everything that entered, exited, or traveled through the network – provide up to a week’s worth of detailed evidence. Security teams can reconstruct what happened, when it happened, and what systems are affected.

One problem: the attack has been in the network for months, not just a week. The typical intrusion lasts for 205 days before it is detected. And more than two-thirds of the time, organizations do not know about the breaches until an outside entity, such as law enforcement, brings it to their attention.

With only a week’s worth of data, bank executives cannot fully report to the board of directors or customers about what happened, the scope of the attack, and whether it is truly resolved. Worse, without knowing how the attack started or played out, the bank finds itself breached through the same vulnerability months later.

This scenario is hardly unique. In fact, it plays out every day across companies of all sizes and industries across the world. Drawing from the combined experience of FireEye and consultants from Mandiant, a FireEye company, this paper discusses factors to consider when building and maintaining a network forensics storage architecture. It also highlights best practices for storing and retaining network forensics data – and pitfalls to avoid.
Download white papers free from www.intelligentcio.com/me/whitepapers/