Detect Credit Card Numbers using Luhn Algorithm

Description

Detect if any log file in Splunk contains Credit Card numbers.

Content Mapping

This content is not mapped to any local saved search.

Use Case

Compliance

Category

Best Practices

Security Impact

Unfortunately it is relatively common for companies to get fined for having exposed Credit Card information. One common mistake is to accidentally leave debug logging enabled for an application in production, which might dump PII and Credit Card information into various log files. The fines for a breach like that can be huge, so you should have security controls in place to prevent it from happening and, additionally, monitoring in place to detect it if it does happen. This detection can be run on a daily or weekly schedule and should include the locations and files where Credit Card numbers could possibly be present.

In addition to developer mistakes, an attacker might stage Credit Card and PII data in a location before it is exfiltrated.

Alert Volume

Low

SPL Difficulty

Hard

Journey

Stage 1

MITRE ATT&CK Tactics

Collection

MITRE ATT&CK Techniques

Data Staged
Local Data Staging

MITRE Threat Groups

APT28
APT3
Dragonfly 2.0
FIN5
Honeybee
Lazarus Group
Leviathan
Machete
Patchwork
Soft Cell
TEMP.Veles
Threat Group-3390
menuPass

Kill Chain Phases

Actions On Objectives

Data Sources

Any Splunk Logs
App Server
Application Data
Backup

How to Implement

Onboard application logs, debug logs and other locations where log files could be written. Then modify the first line of the detection to include all of those locations.

Known False Positives

The false positive rate for this should be low although it is not impossible for a number series to appear in a log file that happens to be a valid CC number.

How To Respond

Immediately find the offending log file and investigate how the Credit Card numbers got written there. It might be an application or an attacker that has placed the numbers in the file.

Help

Detect Credit Card Numbers using Luhn Algorithm Help

The detection first extracts candidate Credit Card numbers using a regex. It then applies the Luhn algorithm to each candidate to validate whether the extracted number is a valid card number or just an unrelated digit sequence.
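The same two-stage check, written here in Python as an added illustration rather than the page's own SPL: a candidate regex pulls out 13 to 19 digit runs, and a Luhn checksum discards runs such as request ids or order references that merely look like card numbers. The regex and the sample log lines are constructed for this example and are assumptions, not taken from Splunk Security Essentials.

```python
import re

# Candidate pattern: 13-19 digits, optionally separated by single spaces or dashes.
# Constructed for this example; the page's own regex is not reproduced here.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit,
    # subtracting 9 when the doubled value has two digits.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(line: str) -> list:
    """Return normalised digit strings in `line` that pass the Luhn check."""
    found = []
    for m in CANDIDATE_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_log(lines) -> list:
    """Return (line_number, number) pairs for every Luhn-valid hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for num in find_card_numbers(line):
            hits.append((n, num))
    return hits


# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = [
    "2024-01-02T10:00:01 DEBUG checkout payload={'pan': '4111 1111 1111 1111', 'amt': 12.00}",
    "2024-01-02T10:00:02 INFO request_id=1700000000000 status=200",
    "2024-01-02T10:00:03 DEBUG order_ref=1234567812345678 customer=42",
    "2024-01-02T10:00:04 DEBUG refund pan=378282246310005",
]

if __name__ == "__main__":
    for lineno, pan in scan_log(SAMPLE_LOG):
        # Mask the number when reporting so the alert itself does not leak it.
        print(f"line {lineno}: Luhn-valid number {pan[:6]}******{pan[-4:]}")
```

Lines 2 and 3 contain 13 and 16 digit runs that fail the checksum, so only lines 1 and 4 are reported, which is the false-positive reduction the Luhn stage provides.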

SPL for Detect Credit Card Numbers using Luhn Algorithm

Live Data

First we select a few sources that might contain dumped Credit Card numbers.