Published on September 8, 2017
The Equifax data breach that rocked the cyber security industry yesterday is not just another data breach, it’s the mother of all data breaches. This is not because of its sheer size - the number of people affected exceeds the working age population of the United States. We have, unfortunately, seen bigger ones. It’s because of the company it happened at. Equifax is a cornerstone of our digital infrastructure: from credit reports and loan applications to background checks and identity verification, it enables the fabric of our increasingly digitized lives. These services are based on the massive amount of confidential data that Equifax compiled on nearly every working American, past or present, with or without their knowledge. Names, addresses lived at, birth dates, Social Security and driver license numbers, even credit card accounts - you name it, Equifax had it. And now they lost it.
Equifax is a reputable company, and I’m sure people there are well aware of the seriousness of cyber security risks. There are likely all kinds of cyber security controls that a mature organization of this stature would deploy: perimeter defenses, data loss prevention, identity and access management (IAM), endpoint detection and response (EDR), security information and event management (SIEM), etc. What it seems to lack though, based on the very limited information available so far, is a comprehensive security analytics solution to tie all the bread crumbs together.
There are just too many behavioral indicators that had to be triggered by a data breach of this magnitude. Apparently, the entry point was a web application - was it the application itself or vulnerable web server components, was it an unpatched system or a zero-day exploit, we don’t know yet. There might have been an unknown process running on the system or unusual connection/port that security analytics could pick up on, but these are high volume systems with tons of traffic, so it’s a very noisy proposition. What we do know is that the Internet-facing applications are at the extreme risk from external attackers, and that’s why they are placed into the so called demilitarized zone (DMZ), a low-trust segment of the network separated from the internal company network. That’s where it gets interesting: contrary to the millions of Internet users accessing the application in every way possible and at any time of the day, the communication between the application on DMZ and internal systems and data sources is a lot more predictable. The frequency of access to specific systems, the type of connection and credentials used, volume, timing - these are all useful indicators to build an adaptive behavioral profile and detect anomalies.
Identity correlation and user and entity behavioral analytics (UEBA) can unveil another side of malicious activity: was the application/system account used to access backend data sources? Or was it a lateral movement followed by the privilege escalation? Any abnormal sources or destinations, connection types, failed logins or timing of the requests? Add to it data traffic analysis - spikes in volume, frequency of requests, the number of records accessed - and you’ve got a solid selection of behavioral indicators to plug into a hierarchical threat model for kill chain analysis, as well as to have a closer look at the entities (users, systems or applications) exhibiting higher than usual volumes of anomalous behavior. Yes, detecting a data breach is like finding a needle in a haystack, but there was an awful number of needles in this data breach, and a mature security analytics system shouldn’t have missed them.
For a detailed technical write-up, along with Securonix detection mechanisms click here.