PCI Forensics Investigation - Trustwave


SERVICE DESCRIPTION
PCI Forensics Investigation
SpiderLabs DFIR

Trustwave SpiderLabs is an industry leader in providing incident response to customers who have suffered data compromises or security breaches involving credit card fraud, unauthorized access, data theft, insider threats, and malware outbreaks. Through its experience with incident response investigations and digital forensics cases, Trustwave SpiderLabs has encountered a common theme: most organizations were not adequately protected and were poorly prepared to respond to security incidents.

Trustwave has created a comprehensive program that blends the knowledge and experience of incident response, proactive security testing, and first responder training.

Trustwave SpiderLabs provides clients with Digital Forensics and Incident Response (DFIR) consulting services under the following engagement principles:

- Work product built on the foundation of Trustwave’s industry expertise.
- Well-defined engagement model to ensure a consistent client experience.
- Clarity of communication to ensure client understanding of complex technical findings.
- A rigorous quality assurance process to ensure standardized deliverables on a global scale.
- Prompt notification on identifying material, high, or critical risk issues affecting clients.
- Controlled assessments and methodologies.
- People, process, and technological innovation to continually improve Trustwave’s capability maturity.
- Work will be conducted in accordance with an agreement between Trustwave and Client.
- Engagements are, unless otherwise mutually agreed, conducted within locally accepted business hours, with a minimum continuous 8-hour window required.

PCI Forensics Investigation

Overview

Payment Card Industry Forensics Investigations (PFIs) are conducted on behalf of organizations that have a suspected compromise of their cardholder data environment. The Payment Card Industry Security Standards Council (PCI SSC) lays out the requirements of a PFI; only companies who meet the stringent requirements of the PCI SSC are able to carry out PFIs. Trustwave is approved to carry out PFIs globally.

PFIs are designed to identify if, how, what, and for how long cardholder data has been compromised, and to provide recommendations to increase security. This investigation aids the payment industry in reducing fraud and assists merchants and service providers in improving security.

Trustwave performs a PFI through a combination of investigative techniques, digital forensic imaging and malware reverse engineering to determine, where reasonably possible, the following material aspects of a data compromise:

1. Intrusion Analysis
- What was the initial point of intrusion used to gain a foothold into the environment?
- What sequence of security controls was circumvented by the attacker?
- What unauthorized access was gained, and how, to ultimately compromise the data in question?

2. Data Harvesting/Aggregation
- What was the nature of the cardholder data exposed?
- How was the cardholder data harvested?
- Over what time-frames was the cardholder data at risk (window of exposure)?

3. Exfiltration
- How was the data in question successfully extracted from the victim environment?

As part of the PFI, Client will be given one year of access to the TrustKeeper PCI Manager. This will enable Client to run monthly external vulnerability scans (PCI ASV Scan), as well as to use the following services:
- PCI Wizard and online Self-Assessment Questionnaire (SAQ)
- Security Awareness Training courses for managers and associates (up to 10 students)
- TrustKeeper Agent for PCI Monitoring (up to 10 agents)

Trustwave is responsible for the secure handling of evidence in its possession and will securely destroy all evidence in line with Trustwave’s data retention policy.

Copyright 2019 Trustwave Holdings, Inc. All rights reserved.

Pre-Engagement Guidance

Trustwave should be notified as soon as possible in the event of a suspected data compromise. This allows Trustwave SpiderLabs experts to provide advice and, if necessary, arrive on site as soon as possible.

In order to assist in the investigation, Trustwave recommends the following pre-engagement activities are performed:

PFI Requirements

For authorized PFIs, the following points must be understood and accepted:
- Trustwave is being engaged to establish an understanding of the extent of the potential compromise as required by Visa, MasterCard, American Express, Discover, and JCB.
- As part of a PFI engagement, Trustwave has an obligation to provide regular updates to Visa, MasterCard, American Express, Discover, JCB and the acquiring bank (if the compromised entity is a merchant) on request, as well as a copy of the final deliverable.

Scope and Project Phases

Project Scoping

Trustwave scopes PFIs in order to meet the requirements of the PFI program. Primarily, this means ensuring that sufficient data is collected, and that the data is investigated to sufficient depth, in order to provide the necessary information for the PCI Forensic Report. The PCI Forensic Report template is published and made available by the PCI Security Standards Council.

Trustwave scopes PFIs based on information gathered from the compromised entity and statements of understanding based on that information. Trustwave provides a quote for a PFI based on the statements of understanding being true. The compromised entity should confirm that these statements are correct; if evidence shows that they are not, it may be necessary to re-evaluate the scope of the investigation, which may require additional statements of work.

Data Acquisition

Data from suspected compromised systems will be collected in a forensic manner. Forensic data collection techniques commonly include full forensic imaging of suspected hard drive(s) and volatile memory of the in-scope system(s) in order to capture the current system state(s) and preserve evidence. Other types of data collection may be appropriate depending on the types of systems involved and the access available. The forensic images are copies on a bit-level basis. This stage can be performed onsite or remotely depending on access limitations.

Reasonable costs associated with storage media for collected evidence will be re-charged.

Forensic Analysis

Off-line analysis of all the forensically acquired data is performed. The volume and type of compromised data will be expertly assessed. Further analysis includes the identification of unauthorized files and programs, including attacker tools such as rootkits, malware and exploit code. As part of this process, operating system and application logs are reviewed to understand the extent of the potential exposure.

An itemized list of the at-risk cardholder data resident on the investigated systems will be collated.

Communication Requirements

It is important, both to verify the investigation scope and for some parts of the PFI report, to gain an understanding of the environment both before and after compromise notification. To achieve this goal, it is crucial that the relevant information is provided to Trustwave. This will usually be in the form of interviews conducted on site or via telephone. This commonly comprises:
- Interviews with key stakeholders regarding the notification of the potential compromise.
- Discussions with parties responsible for compromised systems to understand the network topology and data processing flows.
- Documents that describe the cardholder data environment’s configuration and cardholder data flow.
- Details of the security improvements made since compromise notification to reduce the risk to cardholder data.
- A debriefing meeting or conference call to understand the remediation efforts that have taken place to date.

Payment Card Stakeholder Liaison

A Trustwave SpiderLabs representative will assume the role of liaison and advisor for communications related to this incident between the authorized stakeholders, including but not limited to:
- The card brands: Visa, MasterCard, American Express, Discover, and JCB.
- The merchant or acquiring bank of the compromised entity.

Monthly Vulnerability Scans

Access to the TrustKeeper PCI Manager portal for 12 months is included in the PFI service. The TrustKeeper PCI Manager account allows monthly ASV scans to be scheduled. The results of these scans can be obtained on a self-service basis via the portal. Helpdesk support for the portal is included as part of this service.

Deliverables

At the end of the engagement a PCI Forensic Investigation Report will be completed. As required by the PCI SSC, the following will be delivered:
- Preliminary report: within 5 business days of engagement
- Final report: within 10 days of completion of investigation
