Network Traffic Analysis Lessons from the Equifax Breach
Despite many years of corporate and cybersecurity industry focus on digital data breaches and what can be done to prevent them, significant compromises continue to occur. One particularly damaging breach that occurred in 2017 captured the attention of the U.S. Senate Committee on Homeland Security and Governmental Affairs: the Equifax breach that allowed hackers to steal highly sensitive data on more than 145 million American adults. The Senate committee’s Permanent Subcommittee on Investigations recently released its detailed report How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach.
In an article published by Ars Technica, Dan Goodin wrote that this breach “very possibly is the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals. By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be.”
Given the vast scope and the ongoing ramifications of this event, the Senate subcommittee felt a responsibility to investigate the incident and provide findings and recommendations to prevent another breach of this sort. The investigation concluded that the breach was “entirely preventable” and occurred because Equifax “failed to implement an adequate security program to protect this sensitive data.”
Most significantly, the report serves as a cautionary tale for CISOs, C-suite executives and boards whose own organizations’ security practices are often not much different from those at Equifax.
Picking apart the Equifax breach
According to the investigative report, Equifax “failed to prioritize cybersecurity” and suffered from a series of security failures. Investigators concluded that two primary issues and a host of poor decisions and misguided actions led to the breach:
- Equifax operated servers that were vulnerable to the Apache Struts flaw. The U.S. Computer Emergency Readiness Team (US-CERT) sent a public alert about the vulnerability on March 8, 2017. At that time, the tools necessary to exploit the vulnerability were already publicly available and easy to use. Despite an internal directive to upgrade to safer versions of the software within 48 hours, Equifax employees did not eliminate the vulnerability until at least five months later because the company lacked a comprehensive IT asset inventory. By this time, hackers had already exploited the flaw and entered the Equifax systems.
- Expired Secure Sockets Layer (SSL) certificates delayed Equifax’s ability to detect the breach for months. Equifax first observed suspicious activity from China on its online dispute portal on July 29, 2017, after updating an SSL certificate that had been expired for more than eight months. After gaining access to Equifax’s online dispute portal, the attackers were able to access a data repository containing the PII for approximately 145 million American consumers. Access to this information was possible due to Equifax’s failure to segment its systems by restricting unnecessary access to other systems once a user was inside the dispute portal.
The investigative report cites many other details that, collectively, gave attackers free rein over key Equifax systems and let them exfiltrate highly sensitive data for a sustained period of time. Most of them have to do with human and procedural failures, from inadequate corporate security policies, to asking developers to individually subscribe to push notifications about vulnerabilities, to failing to maintain appropriate security certificates, and more. Clearly, there is substantial room for improvement with people, policies and technology.
Technology must play a role in cybersecurity
Rapid company growth has also been cited as a reason that Equifax failed to prioritize security. It’s always a challenge when IT systems grow larger and faster than the teams of people who must manage and secure them. The human capacity to manage and protect vast amounts of data doesn’t scale well. People don’t know about every vulnerable device in the environment because, in this day and age, systems spin up and down all the time without IT personnel – let alone security personnel – ever knowing. Shadow IT is quite common in every large organization.
Technology must play a role in continuously protecting an organization’s IT systems and the data they hold and process. For example, in Equifax’s case, the company could have benefited from solutions such as automated IT asset discovery to learn what systems they have; patch management software that automatically tracks known vulnerabilities and distributes patches to vulnerable systems; and certificate management software that is meant to ensure that critical security certificates aren’t allowed to lapse.
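The certificate-lapse problem above is one that a small, scheduled audit can catch long before a certificate has been expired for eight months. The script below is an added example, not code from the post or from any vendor; it assumes a constructed inventory of hostnames and `notAfter` strings in the format Python's `ssl` module reports, and a constructed reference date.

```python
from datetime import datetime, timedelta, timezone
import ssl

# Constructed inventory: hostname -> 'notAfter' string in the format that
# ssl.SSLSocket.getpeercert() returns, as a certificate-management tool or a
# discovery scan might collect it. Hostnames are placeholders.
INVENTORY = {
    "dispute-portal.example.com":   "Oct 31 12:00:00 2016 GMT",  # lapsed months ago
    "inspection-proxy.example.com": "Aug  5 09:30:00 2017 GMT",  # lapses within 30 days
    "www.example.com":              "Mar  1 00:00:00 2019 GMT",  # healthy
}
# Constructed reference date, chosen inside the timeline the post describes.
AS_OF = datetime(2017, 7, 15, tzinfo=timezone.utc)

def parse_not_after(value):
    """Turn a getpeercert() 'notAfter' string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def audit_certificates(inventory, now, warn_days=30):
    """Bucket each certificate as 'expired', 'expiring' or 'ok' relative to `now`.

    Each bucket holds (host, days) pairs, days being signed calendar days until
    expiry (negative once lapsed), sorted so the most urgent entry comes first.
    """
    report = {"expired": [], "expiring": [], "ok": []}
    for host, not_after in inventory.items():
        expiry = parse_not_after(not_after)
        days = (expiry.date() - now.date()).days
        if expiry < now:
            report["expired"].append((host, days))
        elif expiry - now <= timedelta(days=warn_days):
            report["expiring"].append((host, days))
        else:
            report["ok"].append((host, days))
    for bucket in report.values():
        bucket.sort(key=lambda entry: entry[1])
    return report

if __name__ == "__main__":
    for status, entries in audit_certificates(INVENTORY, AS_OF).items():
        for host, days in entries:
            print(f"{status:9s} {host:32s} {days:+d} days")
```

Run daily against a real inventory, the "expired" bucket is the list that should never be non-empty, and the "expiring" bucket is the renewal queue.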
The Senate subcommittee report noted that Equifax used an intrusion detection system that gave the company confidence that it could identify and block exploit attempts. Obviously, full confidence in the IDS was misplaced, as the Equifax network was indeed infiltrated by malicious actors. While intrusion detection systems can be useful, they are limited by being signature-based, meaning they must know what to look for. When unknown exploits or non-malware techniques are used – meaning there is no signature – an attacker can sail right past the IDS to get onto the network.
However, that is not to say network monitoring is ineffective. In the Equifax breach, as in many others, significant activity did take place at the network level, as for months the attackers moved from one system to another and explored for data to exfiltrate. Even if this activity escapes human eyes, the network sees it all, and data science techniques like artificial intelligence and machine learning can apply “humanesque” intuition at scale to determine there is unusual network traffic that is worthy of investigation. This technology, called network traffic analysis (NTA), can find even the most subtle anomalies and then notify security analysts, provide information to pinpoint the intruder’s activities – both now and in the past – and if desired, automate mitigation such as isolating victims from the rest of the network.
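To make the "unusual network traffic" idea concrete, here is an added example of the kind of baseline-and-deviation logic an NTA system applies per host; it is not the post's or any vendor's code. It assumes constructed daily flow summaries for two placeholder hosts, learns a robust baseline (median and median absolute deviation of outbound bytes, plus the set of peers each host talks to) over fourteen days, and then scores a later day.

```python
from collections import defaultdict
from statistics import median

# Constructed daily flow summaries: (day, source host, destination, bytes out).
# Days 1-14 form the learning window. On day 15 the data repository suddenly
# pushes far more data than usual, to a peer the baseline has never seen.
FLOWS = [(d, "dispute-portal", "203.0.113.10", 4_000_000 + 50_000 * (d % 3)) for d in range(1, 15)]
FLOWS += [(d, "db-repo", "dispute-portal", 1_200_000 + 30_000 * (d % 4)) for d in range(1, 15)]
FLOWS.append((15, "dispute-portal", "203.0.113.10", 4_050_000))
FLOWS.append((15, "db-repo", "198.51.100.77", 9_800_000))  # the anomaly

def build_baseline(flows, learn_days):
    """Per host: median and MAD of daily outbound bytes, plus the peers seen."""
    daily = defaultdict(lambda: defaultdict(int))
    peers = defaultdict(set)
    for day, src, dst, nbytes in flows:
        if day <= learn_days:
            daily[src][day] += nbytes
            peers[src].add(dst)
    baseline = {}
    for src, per_day in daily.items():
        med = median(per_day.values())
        mad = median(abs(v - med) for v in per_day.values()) or 1.0  # guard a zero scale
        baseline[src] = {"median": med, "mad": mad, "peers": peers[src]}
    return baseline

def score_day(flows, baseline, day, threshold=3.5):
    """One alert per host on `day` whose outbound volume exceeds `threshold` robust
    z-scores, that reaches a peer outside its baseline, or that was never seen."""
    totals, new_peers = defaultdict(int), defaultdict(set)
    for d, src, dst, nbytes in flows:
        if d == day:
            totals[src] += nbytes
            if src in baseline and dst not in baseline[src]["peers"]:
                new_peers[src].add(dst)
    alerts = []
    for src, total in totals.items():
        b = baseline.get(src)
        z = 0.6745 * (total - b["median"]) / b["mad"] if b else 0.0  # robust z-score
        reasons = []
        if b is None:
            reasons.append("host absent from baseline (unknown or shadow system)")
        if z > threshold:
            reasons.append(f"outbound volume {z:.1f} robust z-scores above baseline")
        if new_peers[src]:
            reasons.append("new peer(s): " + ", ".join(sorted(new_peers[src])))
        if reasons:
            alerts.append({"host": src, "robust_z": round(z, 1), "reasons": reasons})
    return alerts
```

A real NTA product learns many more features than daily byte counts, but the shape is the same: a per-entity baseline, a deviation score, and the context (which peer, how much, since when) an analyst needs to follow up.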
While human insight can never be replaced, modern NTA technology can augment the human staff and see what they can’t see. It allows us to move faster to identify things that need to be reviewed. If Equifax had had such a system in place and followed up on the intrusion alerts, it’s likely the breach could have been fully contained before any damage had been done.
Hindsight is 20/20, but foresight is invaluable. More organizations need the foresight to know their human limitations and deploy the intelligent network traffic analysis tools that can see what people can’t see to prevent the next data breach.