By James Parry, Technical Manager, Auriga
It’s happened before but no-one expected it to happen again quite so soon… and in the same sector.
Last week it emerged that the Marriot, Hyatt, Starwood and IHG, all of which come under the HEI Hotels management business, were subjected to a hack attack via their Point of Sale (PoS) system in an attack remarkably reminiscent of that carried out against the Hilton and the Mandarin hotel groups late last year. Like that attack, malware was installed via the PoS in a bid to carry out unauthorised credit card transactions. A spokesman revealed that up to 20,000 cards may have been compromised although the number of transactions is unknown.
So what does this tell us? Firstly, that lessons are not being learnt DESPITE disclosure. There’s always been a general consensus that what is standing in the way of better security practice is more shared information. But the hospitality sector was alerted to the dangers of malware via PoS some nine months ago and yet was unable to better secure this weak point in the chain.
Secondly, it illustrates the futility of relying on compliance as a means of protection. PCI DSS can only go so far in safeguarding the business and the cardholder. At the end of the day, it’s not designed to fend off such malware attacks which were reportedly introduced onto the network at specific locations, possibly with the assistance of insiders.
Thirdly, the dangers posed by an extended supply chain. These hotels have fallen foul of their reliance on a third party system. Although details are still emerging, the attack is not dissimilar to that carried out against the Target retail group in the US in 2013 which saw a HVAC supplier provide the foothold needed to access the PoS in an audacious multi-step attack. Again, that attack has been well-documented, with the kill chain helping inform security process.
Finally, it’s clear this intelligence is not being actioned upon. Somewhere along the line, this information is being missed or even disregarded. Which is why threat intelligence is NOT just about information: it’s about the way that information is analysed and interpreted and made meaningful to the organisation.
News stories aside, this kind of organised attack will undoubtedly create ripples. Perhaps during a mutation in malware is picked up by AV or during the reconnaissance phase, when a probe attack seeks to look at weaknesses to exploit within the organisation. These small events are often so numerous that on their own they won’t trigger an alert. But taken together, all of these issues could have provided an indication of a possible attack.
That’s here that data analysts come into their own. Automated threat intelligence gets you so far, combing the network for anomalies and suspicious behaviours, but to interpret those and determine how an attack may manifest itself there is still no substitute for the human brain.
This combination of machine learning and human interpretation and escalation is commonly referred to as a hybrid approach and it’s currently the most effective means of threat intelligence at our disposal. It can enable us to learn from and interpret attacks and even forecast how they might happen, and could potentially give organisations such as HEI Hotels the time needed to proactively head-off such an attack.