The 2017 Equifax Breach
In 2017, Equifax, one of the world’s largest credit reporting agencies suffered a cyber breach of unprecedented impact and scale. More than 145 million records of personal identifiable information were stolen by cyber criminals. Because of the nature of this breach, the CEO of Equifax resigned, a congressional investigation commenced, Equifax’s stock took a hit and a 50-state class action lawsuit was filed.
On March 2nd 2017, a vulnerability in a web application called Apache Tomcat Struts 2 was discovered by a security researcher and identified as vulnerability CVE-2017–5638. This web application was used by Equifax to allow consumers to submit credit report discrepancies. Days after the vulnerability was discovered a software patch was made available on March 7, 2017 and made public. Within 24 hours of the patch, a blog post went up on a website on how to exploit this vulnerability to gain remote access to computers running the unpatched software. On March 10th of 2017, the exploit was released as a plug-in to the popular open source exploit toolkit called Metasploit and hackers began using that tool to scan the Internet for servers that had this vulnerability. Sometime mid-May of 2017, hackers got a hit and the server happened to belong to Equifax. Unauthorized access was obtained and the hackers remained inside Equifax’s network, exfiltrating data until they were discovered on July 29th, 2017.
Why Did The Breach Occur?
One would think, that an organization the size of Equifax and in charge of protecting the data of 145 million Americans, would have been able to detect this breach before data was stolen, let alone being unware for 2.5 months. So, what happened? According to reports, Equifax was made aware of the vulnerability, however did not take action to patch the server. Once the server went unpatched and hackers started exploiting the vulnerability, “suspicious alerts” went off but Equifax did not take action. To paraphrase the former CEO of Equifax, they receive thousands of alerts every year and it’s hard to quantify the important ones from the not so important ones. This clearly highlights a security tools problem and a people problem. The tools that organizations deploy today have a difficult time in identifying critical events from the not so critical events and there will always be human error and not enough people to respond to threats.
What Could Have Been Done?
For starters, human error could have been avoided if Equifax would have paid attention to the vulnerability bulletin labeled CVE-2017–5638 and quickly patched their servers. Secondly, organizations need to start expiring antiquated tools that give organizations a false sense of security for new ones that address the modern-day problem. Tools such as Intrusion Detection Systems (IDS), Security Information & Event Managers (SIEM) & Malware Sandbox’s that are operating independently from each other and placed non-pervasively within the infrastructure will only lead to alert noise, blind spots and limited detection capability. With IDS systems, they are largely designed around signature based detection, which means they can detect known attacks. IDS systems are inadequate for detecting Zero-Day vulnerabilities, where there is no signature available for a new attack method. SIEM tools have become dumping grounds for logs, logs and more logs. These SIEM tools, although useful have to be programed to run queries to look for things you want to find. But again, what about the unknown things that are malicious that you want to find.
One method that could have been taken, is to have had a visibility framework deployed pervasively throughout the Equifax infrastructure to eliminate blind spots, collect multiple types of infrastructure data and then run machine learning algorithms on top of the data set to spot abnormalities. These new frameworks are being called Breach Detection Systems and are being built around big data technology and artificial intelligence.
What we have all learned in the industry of cybersecurity is that data breaches are inevitable, networks are in a constant state of change, there will never be 100% protection and each year we will see an increase in cyber-attacks. Given this, organizations need to constantly look to new ways of protecting its valuable data. At Stellar Cyber we believe the breach detection tools in use today, like IDS, APT, and SIEM, will transform and look radically different in the near future.