Would you like a cyber attack with that burger and fries? No, thanks.
Fast food chain Wendy’s has fallen victim to a sustained cyber attack affecting more than 1,000 of its franchised restaurants across the US and exposing customers’ payment card data. Malware was installed on point of sale (POS) devices starting in the fall of 2015, possibly after the login credentials of third-party service providers were compromised.
Stealing or compromising the login credentials of third parties that have access to a large organization’s network is a well-proven technique: it’s how the attackers behind the high-profile breach of retail giant Target got into the company’s payments network. It’s often easier to find weaknesses in a small supplier’s network and use it as a stepping-stone to the intended victim. Once inside the main network, attackers can move laterally to locate the data they want and quietly steal it.
What’s particularly interesting in this case is that the investigating team identified two separate waves of the attack: the first discovered in March 2016, and the second in May, after a new variant of the malware was found in the company’s networks. The first attack is believed to have been under way for some five months before it was stopped, which highlights how difficult it can be for a breached company to detect that there is a problem at all.
Avivah Litan, a financial fraud expert and analyst at the consultancy Gartner, said it well in a Bank Info Security article: “Wendy's is not in business to audit its systems beyond what PCI requires, and stealthy criminals don't leave many traces of their activities. This lack of effective auditing and monitoring is also why the breach went on so long unnoticed."
So how can organizations detect signs that they may have been compromised, and move quickly to close off a breach? First, as we blogged recently, ‘seeing is understanding.’ To get a comprehensive understanding of your information security resilience and risk profile, you need true end-to-end visibility of what’s happening on your network. If you can map and monitor all traffic across your network, you can build a picture of what ‘normal’ traffic looks like for your business, and it becomes much easier to spot deviations from those patterns, such as data being extracted or moved in unusual ways, that could be the sign of an ongoing attack and should trigger an investigation by the IT security team. For a POS estate this means baselining what each store’s terminals normally talk to and how much they send, so that a terminal sending data to a destination, or in a volume, it never has before stands out.
Second, long-running attacks like this one involve sensitive data being sent out of the organization to infrastructure the criminals control. A threat intelligence gateway that filters on IP address, such as Ixia’s ThreatARMOR, can detect and block that traffic automatically. Although the main purpose of these gateways is to block known-bad traffic coming into your network from IP addresses associated with DDoS attacks or malware hosting, the filtering works both ways: it can also catch traffic leaving your network for known-bad IP addresses, and raise an alert so the IT team can investigate properly. One caveat: a gateway can only block addresses that are already on its feed, so an attacker using freshly provisioned infrastructure or a legitimate cloud service will not be stopped by it, which is why it complements rather than replaces a baseline of normal traffic.
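The two detections described above, the per-host egress baseline and the two-way blocklist check, as an added example in Python. This is not Ixia’s, ThreatARMOR’s or Wendy’s code; it runs over a constructed set of flow records (day, source, destination, port, bytes) using invented store hosts in an assumed 10.0.0.0/8 LAN, RFC 5737 documentation addresses for the outside world, an invented blocklist standing in for a threat-intelligence feed, and example thresholds (three standard deviations and three times the mean) that you would tune to your own traffic.

```python
"""Added example (not Ixia's or Wendy's code): an egress baseline and a
two-way blocklist check over constructed flow records. Every address, host
and list entry is invented, using RFC 5737 documentation ranges."""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed store LAN range

# Constructed records: day,src_ip,dst_ip,dst_port,bytes. Days 1-7 are quiet POS
# traffic from three stores to two payment endpoints. Day 8 adds a large burst
# to an unlisted host, a small beacon to a listed host, and an inbound probe.
FLOW_CSV = "\n".join(
    [f"{d},10.1.{s}.10,198.51.100.20,443,{20000 + 500 * ((d * s) % 7)}"
     for d in range(1, 8) for s in (1, 2, 3)]
    + [f"{d},10.1.{s}.10,198.51.100.21,443,{8000 + 300 * ((d + s) % 5)}"
       for d in range(1, 8) for s in (1, 2, 3)]
    + ["8,10.1.1.10,198.51.100.20,443,21000",
       "8,10.1.1.10,198.51.100.200,443,5400000",  # burst to an IP on no list
       "8,10.1.2.10,198.51.100.20,443,20500",
       "8,10.1.2.10,198.51.100.21,443,8600",
       "8,10.1.3.10,198.51.100.20,443,21500",
       "8,10.1.3.10,198.51.100.21,443,8600",
       "8,10.1.3.10,203.0.113.9,8443,1200",       # tiny beacon to a listed IP
       "8,192.0.2.77,10.1.2.10,22,900"]           # inbound from a listed IP
)
# Constructed blocklist standing in for a threat-intelligence feed.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "192.0.2.77/32")]


def parse_flows(text):
    """Parse 'day,src,dst,dport,bytes' lines into dicts, skipping blank lines."""
    flows = []
    for line in filter(str.strip, text.splitlines()):
        day, src, dst, dport, nbytes = line.split(",")
        flows.append({"day": int(day), "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst), "dport": int(dport),
                      "bytes": int(nbytes)})
    return flows


def daily_egress(flows):
    """Bytes per (internal host, day) sent to addresses outside INTERNAL."""
    totals = defaultdict(int)
    for f in flows:
        if f["src"] in INTERNAL and f["dst"] not in INTERNAL:
            totals[(str(f["src"]), f["day"])] += f["bytes"]
    return totals


def build_baseline(flows, baseline_days):
    """Per-host (mean, sample stdev) of daily egress over the baseline window."""
    per_host = defaultdict(list)
    for (host, day), total in daily_egress(flows).items():
        if day in baseline_days:
            per_host[host].append(total)
    return {h: (statistics.mean(t), statistics.stdev(t) if len(t) > 1 else 0.0)
            for h, t in per_host.items()}


def egress_anomalies(flows, baseline, day, sigma=3.0, min_ratio=3.0):
    """Hosts whose egress on `day` exceeds both mean + sigma*std and min_ratio*mean.
    Both tests are required: a near-constant history has a tiny stdev, so the
    sigma test alone fires on noise. Hosts with no history are reported with a
    None baseline rather than silently skipped. Returns (host, bytes, mean)."""
    hits = []
    for (host, d), total in sorted(daily_egress(flows).items()):
        if d != day:
            continue
        if host not in baseline:
            hits.append((host, total, None))
        elif total > baseline[host][0] + sigma * baseline[host][1] \
                and total > min_ratio * baseline[host][0]:
            hits.append((host, total, baseline[host][0]))
    return hits


def blocklist_hits(flows, blocklist):
    """Flows touching a listed address in either direction, as a gateway applies
    its feed to both ingress and egress. Volume is ignored, so a small C2 beacon
    is caught that the baseline misses. Returns (direction, host, listed_ip, day)."""
    def listed(ip):
        return any(ip in net for net in blocklist)
    hits = []
    for f in flows:
        if f["src"] in INTERNAL and listed(f["dst"]):
            hits.append(("outbound", str(f["src"]), str(f["dst"]), f["day"]))
        elif f["dst"] in INTERNAL and listed(f["src"]):
            hits.append(("inbound", str(f["dst"]), str(f["src"]), f["day"]))
    return hits


if __name__ == "__main__":
    flows = parse_flows(FLOW_CSV)
    baseline = build_baseline(flows, baseline_days=range(1, 8))
    for host, observed, mean in egress_anomalies(flows, baseline, day=8):
        ref = f"baseline ~{mean:.0f}" if mean is not None else "no baseline"
        print(f"egress anomaly: {host} sent {observed} bytes on day 8 ({ref})")
    for direction, host, bad_ip, day in blocklist_hits(flows, BLOCKLIST):
        print(f"blocklist hit: day {day} {direction} {host} <-> {bad_ip}")
```

Run as a script, the baseline flags only 10.1.1.10, whose 5.4 MB burst went to an address on no list, while the blocklist flags the 1,200-byte beacon from 10.1.3.10 and the inbound connection to 10.1.2.10, neither of which moves enough data to disturb a volume baseline. That split is the practical point: each detection catches what the other misses, so run both.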
Cyber criminals are getting stealthier, trying to evade detection for as long as possible so they can steal as much as possible. The surest way to bring these activities out of the shadows is better visibility across your networks of what constitutes ‘normal’ traffic, so that the subtle signs of an otherwise stealthy attack can be identified.