Equifax breach: 2018 in review, part 4

Welcome back to my series of blog posts on the key cybersecurity lessons we need to take to heart from 2018. The posts draw from a webcast I hosted with Microsoft MVP and Windows security expert Randy Franklin Smith. So far, we’ve dived into several specific threats: the Spectre and Meltdown vulnerabilities of modern computer chips, the ongoing saga of serious weaknesses in Adobe Flash, and finally the devastating NotPetya attack that crippled Ukraine and caused damage around the world.

Today, I’m going to tackle one of the largest breaches in history — the Equifax data breach — and explore how it should inform every organization’s cybersecurity strategy moving forward. Like the NotPetya attack, the Equifax breach actually happened in 2017, but I’m including it here because it took time to understand the full scope of the breach and exactly what went wrong. In September 2018, the U.S. General Accounting Office (GAO) released a comprehensive report analyzing the massive breach.

A quick recap of what happened

Like most companies today, Equifax has servers that interface with users on the internet. In particular, they have an online portal where consumers can dispute entries in their credit reports — and in July 2017, Equifax system administrators discovered that attackers had gained access to that portal. From that foothold, they had moved laterally within the network and eventually gained access to the company’s credit reporting databases, chock full of valuable information.

Finally, six weeks after discovery, Equifax disclosed the breach. According to the GAO report, it exposed the personally identifiable information (PII) of at least 145 million people — various combinations of their credit card numbers, driver’s license data, Social Security numbers, dates of birth, phone numbers and email addresses.

The top points of failure — and how to avoid them

How could a single internet-facing web server lead to such a massive breach? Well, not surprisingly, there were major missteps at many points along the way — largely related to failures to follow well-known security best practices and establish proper internal controls. Here are some of the most egregious issues, along with what we should learn from them.

Keep your systems up to date.

The GAO report confirms that the root of the Equifax data breach was a single internet-facing web server with out-of-date software. Specifically, the attackers exploited a known vulnerability in software running on Equifax’s online dispute portal to obtain access to the system. It seems mind-boggling, but apparently one of the largest credit-reporting agencies in the world was relying on manual processes to keep their systems up to date. A central team was responsible for monitoring security bulletins from software vendors, matching them against a list of installed products and notifying local administrators to update their systems. Something went wrong somewhere and a known vulnerability sat there on an internet-facing server, ripe for attackers to exploit.

What should we learn from this? Well, as they say, hope is not a strategy. You can’t simply hope that the right people are on the email distribution list and hope that they all follow through on each email in a timely manner. It doesn’t take a lot of imagination to see easy ways for this process to fail: What if someone is on vacation or out sick, or the email gets caught in a spam filter? Patching need to be a priority, and it needs to be centrally managed and controlled.

Proactively look for vulnerabilities on a regular basis

Moreover, it’s not just that the server was never patched. Mistakes happen, and you need to be able to catch them. Apparently, Equifax did have vulnerability scanning, but it did not catch the fact that the critical server was not patched. Clearly, best-in-class tools are well worth the investment.

Segment your network.

Once the attackers got into the web server hosting the consumer portal, they were able to move laterally within the network and hit a number of database servers, including database servers that were unrelated and did not need to be accessible to that particular portal server. As I’ve noted in the previous blog posts in this series, proper network segmentation is a critical best practice, and it’s especially important for servers exposed to the internet; those servers should to be able to access the bare minimum of second-tier systems.

Monitor and alert on activity in your network.

The unauthorized data access at Equifax went undetected for 76 days, starting in mid-May. During that period, attackers made some 9,000 database queries that should have been flagged as suspicious but went unnoticed, for several reasons. First, the certificate their network monitoring tool needed to decrypt network traffic had expired, so the tool was blind to traffic going to and from the portal server. Once the IT team fixed that issue, they immediately saw abnormal queries going on. But here's the thing: it went unnoticed for months, which means nobody was monitoring the operating system logs; otherwise, they would have seen arbitrary commands being executed from the compromised component. Moreover, they had only one layer of monitoring, network monitoring. Evidently there was no database log monitoring or someone would have seen abnormal queries and abnormal quantity of queries running on each of the compromised databases.

The key lesson here is not to limit your security strategy to network security— you need comprehensive Active Directory security. You can’t just go out and buy a network security tool, plug it in, and pat yourself on the back. Rather, you need to involve system admins and database admins and web server admins, because there’s a lot you can’t see if you're looking at network traffic only. Moreover, you need Active Directory auditing that enables you to keep a close eye on activity across your IT environment and alerts you to events that could put security or availability at risk. Even better, you want a solution that can baseline normal behavior and detect threats.

Rigorously enforce the least-privilege principle and protect credentials.

During the breach, attackers accessed a database that contained unencrypted credentials, which they used to access other internal databases. I’ve emphasized this in the previous blogs, but it’s worth repeating: Active Directory is the beating heart of any Windows environment, and proper Active Directory management is your single best defense against the insider threat — whether it’s employees taking deliberate malicious actions or just making mistakes, or an outside attacker who has weaseled their way inside your network. It’s essential to limit the reach of each user account and, especially, each admin account, to only the resources required to do the job, and to protect those credentials with proper Group Policy management.

Conclusion

With those key lessons from the Equifax data breach under our belt, it’s time to turn to our last topic in this series of blog posts: data gleaned from patches. Stay tuned to this Bat Channel for that post coming soon!

In the meantime, check out our ebook, “Enhancing Active Directory Security & Lateral Movement Detection.” As the title suggests, it’s highly pertinent to today’s post, since the Equifax breach depended on attackers not just breaching the perimeter but being able to move around undetected for so long and access systems far removed from the server hosting the consumer portal. I’m confident you’ll find it well worth your time.

Read the white paper

Anonymous