On September 7, 2017, Equifax announced it had suffered a cybersecurity incident resulting in the download of millions of consumers’ personal information from mid-May through late July. Last month, the 96-page majority staff report, The Equifax Data Breach, was released by the U.S. House of Representatives Committee on Oversight and Government Reform. It states that Equifax had a “culture of cybersecurity complacency” and claims that the “breach was entirely preventable.”
From a certain perspective, these statements appear justified: the breach was theoretically preventable, although it was likely preventable in the same way that obesity is “entirely preventable.”
A consumer, after reading most press accounts of the incident, could be forgiven for believing that Equifax was simply negligent: that it had the metaphorical key in hand to lock the basement door it knew thieves were going to use to sneak in and steal from it, but couldn’t be bothered to walk down two flights of stairs and perform the necessary security action.
Equifax did a lot of things prior to the breach that don’t look like the actions of a complacent organization:
- March 8: DHS/US-CERT sent out an alert for an Apache Struts vulnerability (CVE-2017-5638).
- March 9: The Equifax vuln team sent an email to 400+ recipients: “…it is rated at a critical risk and requires patching within 48 hours as per the security policy.” Scans were run and no externally facing systems containing the Apache Struts vulnerability were found.
- March 14: Equifax installed a Snort rule on intrusion detection and prevention systems to detect Apache Struts exploitation attempts.
- March 15: Equifax used another tool with a new signature rule to detect vulnerable versions of Apache Struts to scan 958 external-facing IPs (twice), but again found nothing.
- March 16: The vuln team emphasized the Struts vuln at a regular monthly meeting.
So, what went wrong? If we extend the benefit of the doubt to Equifax’s cybersecurity staff and assume they were hard-working people going to work each day and doing their jobs in a reasonably professional manner, how did the breach happen?
The simple answer is that cybersecurity, especially patching at the enterprise level, is hard.
A more in-depth summary answer should probably include the observations that at the time of the breach, Equifax:
- was not (and is not) a static organization in size, personnel, and operational scope.
- was two years into Project Bluebird, a migration plan to move all company applications off legacy servers because “threat vectors were changing too quickly and this [was] one way to mitigate risk.”
- was making progress remedying eight key findings from a 2015 internal audit of their patch management process.
Equifax knew it had cybersecurity concerns but was unable to fix the shortcomings in its IT environment and processes before the clock ran out on May 13, 2017. Many reasons have been suggested for this, including a lack of cybersecurity emphasis/spending at the strategic level, a disjointed reporting structure, legacy equipment, etc. We will very briefly explore what are likely the most important tactical reason and the most important strategic reason for this particular breach.
“This is a football.”
On the first day of training camp in 1961, Vince Lombardi picked up a football, held it aloft, and said, “Gentlemen, this is a football.” He wasn’t being funny or ironic. He was reminding his team that the basics matter; that until the fundamentals are mastered, more complex actions cannot be routinely executed at a high level.
The most fundamental requirement for organizational cybersecurity is awareness/visibility of all assets within the IT infrastructure. Equifax’s lack of a global IT infrastructure view was one of the eight findings from their 2015 internal audit, but inexplicably, it was prioritized as last to be fixed. The others — publish Windows server hardening standards, implement automated patching tools, retire legacy systems as quickly as possible, etc. — were certainly important, but not more important.
In the days immediately after the Apache Struts vuln was disclosed, Equifax scanned for, but was unable to find, the server that required patching and that would become the hackers’ entry point. Even more dismaying, two days after the July 29 discovery of the breach, admins realized that they had successfully applied a previous Apache Struts patch to that very system back in January. Somehow, between January and March, they had lost visibility of the server.
“Equifax failed to fully appreciate and mitigate its cybersecurity risks.”
The quote above concludes the executive summary of the congressional majority report. It rings true. It’s also sufficiently general that it could be used exactly as written for any other organization that suffers a cybersecurity incident of any size; it’s axiomatic. Wording scrutiny aside, the report is trying to make the point that a good understanding of risk is the essential strategic aspect of good cybersecurity. A poor understanding of cybersecurity risk leads to a failure to protect first what matters most.
The day after Equifax received the DHS/US-CERT Apache Struts alert, it took the actions it likely takes every time it receives this kind of alert. The problem with this approach is that studies have shown that not all vulns, even those assigned high severity scores, receive equal attention from hackers. In fact, most disclosed vulnerabilities (96+%) are never exploited in the wild. While organizations should do their best to patch all known vulnerabilities as part of normal business, cybersecurity leaders need a way to identify those vulns which carry real-world risk of exploitation, so they can ask additional questions and wisely choose moments to spot-check their regular business processes.
Given that Equifax had so recently (January) applied patches to Apache Struts, it seems likely that heightened concern over the March Apache Struts vuln alert and some probing questions from cybersecurity leaders would have led to an awareness that something was missed — just as added scrutiny in July led to the realization that patching had occurred back in January.
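As an added illustration of the two points above (a server that drops out of scan scope despite an earlier patch record, and using exploitation intelligence to decide when a clean scan deserves a second look), here is a small Python check; it is not code from the report or from Equifax, and the host names, records and the second CVE are constructed placeholders:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VulnAlert:
    cve: str
    product: str
    cvss: float
    exploited_in_wild: bool  # evidence of real-world exploitation, separate from severity

# Constructed sample records (hypothetical hosts; not Equifax data).
PATCH_HISTORY = {  # host -> [(product, date the product was patched on that host)]
    "web-01": [("apache-struts", "2017-01-20")],
    "web-02": [("apache-struts", "2017-01-20"), ("openssl", "2017-02-02")],
    "db-01": [("postgres", "2017-02-15")],
}
SCAN_SCOPE = {"apache-struts": {"web-02", "web-03"}}  # product -> hosts the latest scan covered
INVENTORY = {"web-02", "web-03", "db-01"}             # current asset list; web-01 has dropped out

def visibility_gaps(product, patch_history, scan_scope, inventory):
    """Hosts previously patched for `product` that the current scan scope or the
    asset inventory no longer lists: the 'lost server' pattern described above."""
    known = {h for h, recs in patch_history.items() if any(p == product for p, _ in recs)}
    unscanned = sorted(known - scan_scope.get(product, set()))
    uninventoried = sorted(known - inventory)
    return unscanned, uninventoried

def triage(alert, scan_findings, patch_history, scan_scope, inventory):
    """Return 'escalate', 'critical-48h' or 'routine'.

    A clean scan is only reassuring if the scan could see every host that runs the
    product. Exploitation intel plus a scan blind spot is the moment for leaders to
    ask more questions rather than accept the 'nothing found' result."""
    unscanned, uninventoried = visibility_gaps(alert.product, patch_history, scan_scope, inventory)
    if alert.exploited_in_wild and not scan_findings and (unscanned or uninventoried):
        return "escalate"
    if alert.exploited_in_wild or alert.cvss >= 9.0:  # 48-hour policy for critical findings
        return "critical-48h"
    return "routine"

if __name__ == "__main__":
    struts = VulnAlert("CVE-2017-5638", "apache-struts", 10.0, True)
    print(visibility_gaps("apache-struts", PATCH_HISTORY, SCAN_SCOPE, INVENTORY))
    print(triage(struts, set(), PATCH_HISTORY, SCAN_SCOPE, INVENTORY))
```

In the constructed data the scan legitimately reports nothing, yet web-01 was patched for Struts in January and is missing from both the scan scope and the inventory, so the alert is escalated instead of closed.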
CYR3CON provides cyber threat intelligence through advanced machine learning and data mining of deep-/dark-web information. A key actionable and practical result of this curated intelligence is an understanding of the actual threat of vuln exploitation. Given this intel, vulnerability management teams can effectively prioritize remediation efforts and cybersecurity leaders can know when to scrutinize those efforts more closely.