Retail Cyber Crime Module User Guide
Abnormal Common Event
This pair of AI Engine rules works by building a whitelist of common events observed where the origin or impacted host is part of the payment system or POS environment. Any new activity such as an interactive vs. service login will raise an alarm.
Requirements
The Retail Cyber Crime POS Endpoints list must be populated with POS endpoint hosts and/or the Back Office Payment Systems list must be populated with payment systems.
KB Content
Object Type | Name | ID |
|---|---|---|
AIE Rule | RCC: POS Abnormal CE | 528 |
AIE Rule | RCC: Back Office Abnormal CE | 521 |
What to Do When This Rule Fires
An alarm generated by one of these rules indicates that unusual activity has been observed on the indicated host. Based on the Common Event that triggered the alert, an analyst should be able to determine whether the activity is high risk or not – a new Operational Common Event may not be suspicious, but a User Logon Failure : Bad Password may indicate an attempt at unauthorized access.
Abnormal Network Communications
These AI Engine rules profile the pattern of network communications that happens in the POS endpoint and Payment Systems environments. They build a whitelist of unique pairs of hosts which are allowed to communicate and then alarm any time network traffic is seen passing between an unapproved pair of hosts.
Requirements
- The Retail Cyber Crime POS Endpoints list must be populated with POS endpoint hosts and/or the Back Office Payment Systems list must be populated with payment systems.
- Network traffic logs must be collected by LogRhythm and analyzed by AI Engine.
KB Content
Object Type | Name | ID |
|---|---|---|
AIE Rule | RCC: Back Office Abnormal Network Comms | 527 |
AIE Rule | RCC: POS Abnormal Network Comms | 520 |
What to Do When This Rule Fires
One of these AI Engine rules alarming indicates that network traffic was seen between a POS or payment system and a previously unseen host. It is advised to determine the nature of the new host initially. If the host is new to the network it may be malicious. If it is an existing host it may have been compromised and repurposed for malicious activity. Run investigations against both hosts to examine for unusual authentication or process activity.
File System Modified
The AI Engine rules listed below alarm when unexpected file activity is observed on a POS endpoint or payment system host. Files being created or modified could indicate that a host was compromised and malicious processes are being set up to capture data. Attribute or permissions changes could indicate that someone is performing data exfiltration.
Requirements
- The Retail Cyber Crime POS Endpoints list must be populated with POS endpoint hosts and/or the Back Office Payment Systems list must be populated with payment systems.
- File Integrity Monitoring must be configured to monitor files on the POS endpoint and/or payment system.
KB Content
Object Type | Name | ID |
|---|---|---|
AIE Rule | RCC: Back Office File System Modified | 531 |
AIE Rule | RCC: POS File System Modified | 524 |
What to Do When This Rule Fires
An alarm from one of these two rules may signal a compromised host. Investigate the host for unusual authentication or process activity. Check the listed user for other suspicious behavior.