EventTracker Knowledge Update ET75ASIG-004
EventTracker, 8815 Centre Park Drive, Columbia MD 21045, www.eventtracker.com
Released on: 25 February 2014
Applies to Versions: 7.5 All Builds
Knowledge Update: ET75ASIG-004

Download
Abstract: This Attack Signature pack contains a signature rule to detect, on Point of Sale (PoS) systems, the attack described in the VISA Data Security Alert.
File Name: Threat-Memory parsing malware attack detection.iscat
Published Date: Jan-2013
Reference: http://usa.visa.com/download/merchants/alert-prevent-grocer-malware-attacks-04112013.pdf

Summary
PoS is a computerized network operated by a main computer and linked to several checkout terminals. Visa has seen an increase in network intrusions involving grocery merchants. Inside a merchant's network, hackers install memory-parsing malware on Windows-based cash register systems or back-of-house (BOH) servers to extract full magnetic-stripe data. Hackers are also using anti-forensic techniques such as tampering with or deleting security event logs, using strong encryption, or modifying security applications (e.g., whitelisting malware files) to avoid detection.

Who should read this document?
Customers who use 7.5 All Builds and have PoS installed in their systems.

Severity: Medium
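The anti-forensic behaviour the Summary describes (clearing security event logs, altering the security application's whitelist) can be checked for in collected log records. The following is an added illustrative detector, not part of this knowledge update and not the rules contained in the .iscat category; the key=value record format, the host names, the whitelist path and the two rules are constructed assumptions, while the Windows Event IDs are documented Microsoft values.

```python
import re
from dataclasses import dataclass

# Documented Windows Event IDs: 1102 = "The audit log was cleared" (Security log),
# 104 = "The System log file was cleared" (System log).
LOG_CLEARED_IDS = {1102, 104}
# Assumed location of a hypothetical whitelisting agent's rule file on the PoS host.
WHITELIST_PATHS = {r"c:\program files\poswhitelist\allow.lst"}

@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str

# Constructed sample records in a simple key=value line format (an assumption,
# not EventTracker's own log format).
SAMPLE_EVENTS = """\
host=REG-01 log=Security id=4624 user=cashier msg=logon
host=REG-01 log=Security id=1102 user=SYSTEM msg=The audit log was cleared
host=BOH-SRV log=System id=104 user=admin msg=The System log file was cleared
host=REG-02 log=ChangeAudit id=0 user=SYSTEM msg=file modified path=C:\\Program Files\\PosWhitelist\\allow.lst
host=REG-02 log=Security id=4688 user=cashier msg=process started
"""

# key=value pairs; a value runs until the next " key=" token or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line: str) -> dict:
    """Turn one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))

def detect(events_text: str) -> list:
    """Apply the two anti-forensic rules to every record and return the findings."""
    findings = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        event_id = int(ev.get("id", "-1"))
        if event_id in LOG_CLEARED_IDS:
            findings.append(Finding(ev["host"], "event_log_cleared",
                                    f"{ev['log']} event {event_id} by {ev.get('user', '?')}"))
        if ev.get("log") == "ChangeAudit" and ev.get("path", "").lower() in WHITELIST_PATHS:
            findings.append(Finding(ev["host"], "whitelist_tampering", ev["path"]))
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} ({f.detail})")
```

A cleared log is itself the signal here: the finding should be raised on the collector, since the record on the endpoint is what the attacker removed.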
Prerequisites
Change Audit and EventTracker Agent should be installed on the target systems.

Process to use this ASIG
1. Download the update.
2. Extract the zip file.
3. Import the category file into EventTracker using the Export Import Utility, following the steps given below.
   a. Launch EventTracker Control Panel.
   b. Double click Import Export Utility, and then click the Import tab.
   c. To import a Category, click the Category option, and then click the browse button.
   d. Locate the file Threat-Memory parsing malware attack detection.iscat, and then click the Open button.
   e. Click the Import button to import the categories.
Figure 1
The categories are imported successfully.
   a. To view the imported categories, click the Admin menu and then click Category.
   b. Expand the Threat Intelligence node. The relevant categories are displayed.
Figure 2
4. You can do a Log Search to detect memory parsing malware threats.
   a. To do a Log Search, click the Search menu.
   b. Expand the All categories node, and then expand the Threat Intelligence node.
   c. Select the relevant category and then click the Search button.
Figure 3
5. You can add the category to the Security Dashboard to detect memory parsing malware threats.
   a. Log on to EventTracker Enterprise.
   b. Select the Dashboard menu and then select Security.
   c. To configure the Security Dashboard, select the Security drop down, and then select Configure. The Configure Dashlets window displays.
   d. Enter a Title for the dashlet.
   e. Select the Category tab and search for the category Threat: Memory-parsing malware attack detection.
   f. Click the Configure button.
   g. Select the Security drop down and then select Customize. The Available dashlets window displays.
   h. Select the Threat: Memory-parsing malware attack detection option and then click the Add button. The respective details display in the Security dashlet.
6. You can schedule reports to detect memory parsing malware threats.
   a. Log on to EventTracker Enterprise.
   b. Click the Reports menu and then select Dashboard.
   c. In the Reports Dashboard pane, click the New button. The EventTracker :: Reports window displays.
   d. Select the Alphabetical tab, and search for the category Threat: Memory-parsing malware attack detection.
   e. Select the imported category and then select the Scheduled button. Click the Next >> button. The Reports Wizard displays.
   f. Select the Groups/Systems/All Systems for analysis, and then click the Next >> button.
   g. Select the Schedule report and More options, and then click the Next >> button.
   h. Enter the Refine and Filter criteria, and then click the Next >> button.
   i. Enter a Title and description for the analysis, and then click the Next >> button.
   j. Crosscheck the Disk cost analysis details. Configure the Publishing options as required, and then click the Next >> button.
   k. Click the Schedule button. EventTracker displays a message box.
If any threats are detected, the information is displayed accordingly in the Reports dashboard.

Support
Customers in the USA and Canada can receive support by calling Prism Microsystems at 877-333-1433. International customers can receive support by calling +1-410-953-6776. All customers can get updates at http://www.eventtracker.com or contact Technical Support via e-mail at support@eventtracker.com.