Equifax, one of the Big Three credit reporting bureaus that maintains sensitive personal and financial information on just about every adult (and many children) in America, recently revealed that it was the victim of a data breach. An estimated 143 million people had their information exposed after attackers compromised a vulnerable web application and gained access to Equifax data by exploiting a flaw in Apache Struts that was disclosed in March. The investigation is ongoing and the dust hasn’t fully settled, so there will still be revelations and lessons learned from Equifax, but one thing seems true so far – the damage could have been minimized had the breach been detected earlier.
Equifax dropped the ball. The fact that Equifax had not yet patched all public-facing web applications for a widely-publicized vulnerability that had a patch available for about four months before the breach happened is simply poor security. That is probably why the Chief Information Officer and Chief Security Officer of Equifax have abruptly “retired” in the wake of this incident.
Effective patch management will still only get you so far, though. Of course, organizations have to do the basic things it takes to prevent attacks – keep servers and applications patched and updated, use firewalls and endpoint security tools, etc. However, that is the bare minimum, and even with better than average security in place, let’s just agree that, for all intents and purposes, a breach is essentially a foregone conclusion.
The challenge is to detect and respond to the breach as quickly as possible. The average time it takes an organization to detect a breach once attackers have infiltrated is somewhere in the neighborhood of six months. That’s an eternity in internet time. Many of the high profile breaches in recent years actually took longer to detect – Michael’s Stores was 8 months, PF Chang’s was 11 months, and Trump Hotels was over a year. That is simply not acceptable.
With Equifax, the Wall Street Journal reported that the attackers were in the network for approximately four months before they were detected, with the first interactions as early as March 10, 2017. Mandiant analysis indicates that the attackers used traditional lateral movement techniques to escalate privileges, maintain presence, steal credentials, and exfiltrate data. With that much time undetected, the attackers were able to access numerous database tables in several databases.
As seen above, long dwell times can cause significant damage. The average dwell time needs to be measured in minutes or hours, not weeks or months. The best way to reduce the time it takes to detect a breach is to use deception. Most companies are still built primarily around a perimeter defense model, and they have little – if any – visibility of internal network traffic and activity.
Deception-based threat detection is designed to simultaneously detect the presence of an attacker and slow the attack down at the same time. Decoy systems intended to misdirect attackers and deception credentials designed to bait and lure attackers quickly identify suspicious or malicious activity. The decoy systems and credentials are designed to blend in seamlessly with the legitimate network resources, but no valid process or user would access the decoy resources.
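Because a decoy account or decoy host should see zero legitimate traffic, detection can be as blunt as "any touch is an alert". The following is an added example, not code from the original post or from any vendor product: it scans constructed sshd-style auth records for the hypothetical decoy names defined at the top and ranks the source addresses a responder would isolate first.

```python
import re
from collections import Counter

# Constructed decoy inventory (hypothetical names): bait accounts and hosts
# that no legitimate user or process should ever touch.
DECOY_ACCOUNTS = {"svc_backup_legacy", "db_admin_ro"}
DECOY_HOSTS = {"fileshare-old", "10.20.30.99"}

# sshd-style record: "<ts> <host> sshd[pid]: <Accepted|Failed> <method> for [invalid user] <user> from <ip> ..."
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample log lines, not taken from any real system.
SAMPLE_LOGS = [
    "Mar 10 02:14:07 web01 sshd[4021]: Accepted publickey for alice from 10.0.4.15 port 51022 ssh2",
    "Mar 10 02:31:48 web01 sshd[4188]: Failed password for svc_backup_legacy from 10.0.4.77 port 40112 ssh2",
    "Mar 10 02:31:52 web01 sshd[4188]: Accepted password for svc_backup_legacy from 10.0.4.77 port 40112 ssh2",
    "Mar 10 02:33:10 fileshare-old sshd[911]: Failed password for invalid user root from 10.0.4.77 port 40200 ssh2",
    "Mar 10 03:02:00 db02 sshd[777]: Accepted publickey for deploy from 10.0.4.15 port 51100 ssh2",
]

def detect_deception_hits(lines, decoy_accounts=DECOY_ACCOUNTS, decoy_hosts=DECOY_HOSTS):
    """Return one alert per auth record that touches a decoy account or decoy host.
    Failed attempts count too: a decoy should see no traffic at all, so any use is a signal."""
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue  # not an auth record we understand; leave it to other detections
        reasons = []
        if m["user"] in decoy_accounts:
            reasons.append("decoy_account")
        if m["host"] in decoy_hosts:
            reasons.append("decoy_host")
        if reasons:
            alerts.append({"ts": m["ts"], "src": m["src"], "user": m["user"],
                           "host": m["host"], "result": m["result"], "reasons": reasons})
    return alerts

def sources_to_contain(alerts):
    """Rank source addresses by number of decoy interactions; the top entries are
    the internal hosts an incident responder isolates and images first."""
    return Counter(a["src"] for a in alerts).most_common()

if __name__ == "__main__":
    hits = detect_deception_hits(SAMPLE_LOGS)
    for h in hits:
        print(f'{h["ts"]} {h["src"]} -> {h["user"]}@{h["host"]} ({h["result"]}): {", ".join(h["reasons"])}')
    print("contain first:", sources_to_contain(hits))
```

In the sample data the single source 10.0.4.77 both guesses the bait credential and probes the decoy file server, which is exactly the reconnaissance and lateral movement pattern the post describes.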
If Equifax had deception-based threat detection in place, this data breach would have been detected much earlier—and possibly avoided entirely. Because Equifax didn’t update Apache Struts, the attackers would still have been able to exploit the flaw to gain initial access. However, once inside, their reconnaissance activities and lateral movement in the network would have tripped over deception resources and inadvertently revealed their presence on the network. Equifax would have known about the initial compromise and would have been able to respond immediately instead of months after the fact.
Not to preach doom and gloom, but it truly is more a matter of “when” than “if” when it comes to getting breached. No security is impenetrable. The tools may change, but the attack techniques stay constant. When you combine skilled and dedicated adversaries with common configuration issues and simple human error, it’s really sort of a minor miracle if you haven’t already been breached.
There’s still a lot of speculation and many unanswered questions about the Equifax data breach. Regardless of any other revelations, though, we can safely say that it took too long to detect that unauthorized access or the malicious activity that followed. Employing deception-based threat detection could have reduced months to minutes and prevented 143 million consumer accounts from being compromised.