BrutPOS From a Security Practitioner's Perspective

Industry Perspectives 2022-05-23

Today, FireEye Labs posted a technical blog on the malware for a botnet that we call BrutPOS. With a lot of attention focused on data breaches in retail, BrutPOS gives us a chance to look retrospectively on the state of retail security.

The popular phrase “a chain is only as strong as its weakest link” has great relevance in the information security world.  There are a large number of ways to compromise a business network, yet attackers are quite successful in this endeavor using fairly pedestrian methods of attack.  This raises the important question: Why is this the case?  Part of the answer lies in the fact that attackers don’t feel a great need to use particularly sophisticated attack methods.  In other words, if attackers can succeed using fairly elementary attack methods, why should they work any harder?  Let’s examine this principle through the example of the BrutPOS malware.

Most businesses use Microsoft's Remote Desktop Protocol (RDP) as an integral part of their day-to-day operations. RDP allows remote login to Windows systems, which has many legitimate uses, such as an administrator logging on to a system remotely to update a software package. As with any legitimate service, attackers are also quite happy to leverage RDP for their own nefarious purposes. BrutPOS, the malware analyzed in today's FireEye blog post, is one example. At a high level, BrutPOS exists to compromise Point of Sale (POS) terminals over RDP and to steal payment card information from those compromised terminals. The attackers had no need to write a sophisticated protocol for their malware to log on to systems remotely; RDP works quite nicely.

There are many approaches an organization can take to better manage the risk presented by the BrutPOS malware. One of them is to go back to basics and remember some foundational tenets of information security: ensuring that authentication and authorization policies are sensible and enforced across the organization. For example, some simple steps an organization can take to improve its defenses against threats such as BrutPOS include (but are not limited to):

  • Not granting administrative access to systems, except through dedicated administrative accounts used only by administrators
  • Locking out accounts after N incorrect login attempts
  • Not allowing RDP login on systems by default, but rather granting it on an as-needed basis
  • Limiting or eliminating the use of shared or group accounts
  • Monitoring authentication logs for repeated failed login attempts against one system or across multiple systems
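As an added illustration of the last two bullets (lockout after N attempts, and watching for repeated failures against one system or many), here is a small detector that is not part of the original post. It runs over constructed Windows Security log lines in an assumed pipe-delimited export format; the event IDs (4625 failed logon, 4624 successful logon) and logon type 10 for RDP are standard Windows values, while the thresholds and field layout are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed pipe-delimited export format:
#   timestamp|event_id|logon_type|target_host|account|source_ip
# Event ID 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP.
SAMPLE_LOG = """\
2022-05-23T02:00:01|4625|10|POS-01|administrator|203.0.113.7
2022-05-23T02:00:03|4625|10|POS-01|admin|203.0.113.7
2022-05-23T02:00:05|4625|10|POS-01|pos|203.0.113.7
2022-05-23T02:00:07|4625|10|POS-02|administrator|203.0.113.7
2022-05-23T02:00:09|4625|10|POS-03|administrator|203.0.113.7
2022-05-23T02:00:12|4624|10|POS-03|administrator|203.0.113.7
2022-05-23T02:01:00|4625|10|POS-01|jsmith|198.51.100.4
2022-05-23T02:05:00|4624|10|POS-01|jsmith|198.51.100.4
2022-05-23T02:10:00|4625|2|POS-02|clerk|-
"""

def parse(log_text):
    """Turn the pipe-delimited lines into dicts, sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        ts, eid, ltype, host, account, src = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(eid),
                       "logon_type": int(ltype), "host": host,
                       "account": account, "src_ip": src})
    return sorted(events, key=lambda e: e["ts"])

def detect_rdp_bruteforce(events, threshold=3, window=timedelta(minutes=10)):
    """Flag, per source IP and using only RDP (logon type 10) events:
    >= threshold failures against one host, failures spread over >= threshold
    distinct hosts, and a success after >= threshold failures in the window."""
    recent = defaultdict(list)   # src_ip -> [(ts, host)] failures still in window
    alerts = defaultdict(set)
    for e in events:
        if e["logon_type"] != 10:
            continue
        src = e["src_ip"]
        fails = [f for f in recent[src] if e["ts"] - f[0] <= window]
        if e["event_id"] == 4625:
            fails.append((e["ts"], e["host"]))
            if sum(1 for _, h in fails if h == e["host"]) >= threshold:
                alerts[src].add(("bruteforce", e["host"]))
            if len({h for _, h in fails}) >= threshold:
                alerts[src].add(("spray", "multiple-hosts"))
        elif e["event_id"] == 4624 and len(fails) >= threshold:
            alerts[src].add(("success-after-failures", e["host"]))
        recent[src] = fails
    return {src: sorted(a) for src, a in alerts.items()}
```

The single failure followed by a success from 198.51.100.4 stays below the threshold and is not reported, while the source that fails three times against POS-01, touches three hosts, and then succeeds on POS-03 produces all three alert types.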

As organizations look to continually improve their information security posture, it's important to remember that foundational tenets are as valid as ever. We do need a variety of defensive measures in our arsenal, but not all of them need to be cutting-edge. Sometimes, foundational best practices provide straightforward ways to mitigate the risk posed by modern threats.