Last week, Congress released the full Equifax Breach Report.
https://oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf
To briefly recap the breach, attackers exploited an Apache Struts vulnerability on the Equifax ACIS web servers (accessed at ai.equifax.com). They then pivoted from these servers to gain further access and query multiple databases within Equifax. As a result, the personal information of 148 million US Citizens was stolen.
It’s a fantastic document that not only explains HOW the breach happened, but WHY it happened. It’s a document that everyone in IT, from the new Service Desk Tech to the seasoned CIO, should read.
The report explains that the breach was the result of many contributing factors that will be familiar to anyone who has worked in IT. Let’s go through the list.
- Large, complex IT systems whose growth outpaced security controls (p. 4, para. 2 and p. 18)
- Management that did not properly prioritize cyber security (p. 61, para. 1)
- Business critical applications running on legacy systems (p. 72, para. 3)
- Lack of proper network segregation (pp. 76-77)
- Lack of accountability (p. 4, para. 1 and pp. 55-60)
- Poor communication (p. 60, para. 6)
There’s a lot more to unpack in this report (Sun Servers? McAfee Vulnerability Manager?). But I wanted to focus on two lessons we can take away from this report to make our organizations more secure: 1) Fight for Visibility and 2) Make Network Segregation a Priority.
Fight For Visibility
Equifax had an IDS system monitoring inbound web traffic for their breached domain (ai.equifax.com). They also had an SSL inspection appliance to provide visibility into encrypted traffic (p. 34, figure 5). They even installed a Snort rule to detect the Apache Struts vulnerability just 7 days after the vulnerability was publicly disclosed (p. 30, para. 1).
All of that is great!
However, the certificates on the SSL inspection appliance had expired 19 months (yes, 19!) prior to the breach (p. 3, para. 2). So the IDS was blind to all SSL traffic going to ai.equifax.com. When the certificates were updated on July 29th, 2017, the breach was almost immediately detected (pp. 34-35).
This highlights how important visibility is for an IT organization. If the IT organization does not know what’s going in and out, criminals will use that blind spot to hide their activities. Criminals can dwell on networks for months or years. Knowing what traverses a network is essential. Without it, we will continue to see breaches like Equifax.
Questions we can ask ourselves
- Is all inbound traffic (SSL and non-SSL) being inspected by an up to date IDS or NGFW?
- Is proper Log Management in place and configured to collect logs from ALL sources?
- Are these logs being monitored for unusual activity by trained personnel?
- Is an EDR solution like Carbon Black Response or Crowdstrike Falcon used on servers and workstations?
All of these tools will increase visibility and dramatically reduce the time between breach and detection. In the case of Equifax, better visibility (i.e. updated SSL certificates) would have detected the initial breach on May 13th. Without properly configured SSL inspection, the attackers were able to exfiltrate data until July 29th.
As IT and Security professionals, we need to fight for tools that will give us the ability to protect the business. We need tools that will give us the visibility to detect malicious activity on our networks. If we get a “no”, we should continue to visit the subject. We should continue to develop new and compelling arguments to emphasize the value of visibility to an organization. We must use reports like this to strengthen our case. The point is to keep pressing and keep fighting.
Make Network Segmentation a Priority
This comes back to security 101 – enforce the Principle of Least Privilege. This concept was introduced way back in 1975 by Jerome Saltzer and Michael Schroeder.
http://web.mit.edu/Saltzer/www/publications/protection/
The paper defines “Least Privilege” as:
“Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error. It also reduces the number of potential interactions among privileged programs to the minimum for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur” (Section I.A.3.f)
In the case of Equifax, their ACIS system was running on old Sun servers that had access to everything on their network (p. 77, para. 3). Restricting these legacy systems might have prevented the breach. At the very least, it would have significantly reduced the scope of the breach.
Questions we can ask ourselves
- Are legacy systems isolated? Is access to and from them strictly defined and enforced?
- Is access to servers with sensitive data restricted to only the systems and people that are authorized to access them?
- Are external servers in a DMZ and restricted from accessing internal network assets?
If this seems basic, well, it is. But this basic, fundamental concept is still a struggle for most organizations.
While implementing Network Segmentation might require purchasing additional equipment, most of the basic controls can be implemented without spending money. It will just take the time of the IT Operations and Security teams. Priorities will have to be adjusted. Rather than adding another project to the team’s list, these basic controls should be implemented.
This might take convincing the CIO/CISO/CTO/CEO that network segmentation is important enough to delay other work. Admittedly, network segmentation might not help your metrics or show up on any end-of-year scorecard. But the Equifax report shows how absolutely necessary it is.
We should be very happy to have this report. Hats off to all of the people who worked on it. It is a clear, detailed, and engaging account of what happened. We should highly value reports like this and use them to make our organizations stronger.