Could an Equifax-sized data breach happen again? - 2018 Spotlight Report - Vectra AI
I am artificial intelligence. The driving force behind the hunt for cyberattackers. I am Cognito.

Could an Equifax-sized data breach happen again?
2018 Spotlight Report
TABLE OF CONTENTS
Anatomy of a cyberattack ... 4
Analysis of the financial industry for six months after the Equifax breach ... 5
Hidden data-exfiltration tunnels ... 8
Good vs. bad tunnels ... 8
Conclusion ... 8

Vectra | Could an Equifax-sized data breach happen again? | 2
Financial services organizations have the largest non-government cybersecurity budgets in the world. Bank of America invested over $600 million in cybersecurity annually and declared it has an unlimited budget to fight cyberattacks. JPMorgan Chase spends $500 million annually on cybersecurity.

Although smaller in stature than these two banking powerhouses, Equifax, which suffered a massive breach in 2017, has a substantial cybersecurity budget of $85 million annually. That's 12% of its total IT spend.

According to Homeland Security Research Corp., the 2015 U.S. financial services cybersecurity market reached $9.5 billion, making it the largest in the private sector. If money could buy security, these would be the safest places in the world.

While financial services firms don't experience the same volume of breaches as other industries, the ones that do happen have caused disproportionate damage along with far-reaching consequences and public scrutiny.

Despite monumental efforts to fortify security infrastructure, cyberattacks and breaches still occur. For example, Equifax had the budget, manpower and a sophisticated security operations center. Nonetheless, 145.5 million Social Security numbers, around 17.6 million driver's license numbers, 20.3 million phone numbers, and 1.8 million email addresses were stolen.

How could this happen? Could a breach of this magnitude occur at other financial services firms?

All this points to one painful fact: the largest enterprise organizations in the world remain lucrative targets for sophisticated cyberattackers. Security breaches across multiple industries forge ahead in an upward trajectory, and the financial services industry is no exception.
Figure: Number of data breaches in the United States from 2014 to 2017, by industry. Grouped bars for Business, Medical/Healthcare, Banking/Credit/Finance, Educational and Government/Military, one bar per year from 2014 to 2017; y-axis 0 to 1,000 breaches. Sources: Identity Theft Resource Center; CyberScout; © Statista 2018.
Anatomy of a cyberattack*

On an average day in 2017, the Equifax Cyber Threat Center captured 2.5 billion logs, monitored more than 50,000 cybersecurity events per second, received over 43,000 security device health checks, analyzed over 250 internet domains, and queried over 2,200 cyber-intel forums. Despite this effort, the breach that occurred in 2017 went undetected for 78 days.

The initial infection that led to the Equifax breach occurred when the cyberattacker exploited a web server to gain access to the company's network. Although vulnerabilities are commonplace on any network, the actions and behaviors of the attackers once inside are of greater interest.

The attackers avoided using certain hacking tools that would have exposed them to the Equifax security operations team. However, one of the tools the attackers did use enabled them to build hidden command-and-control tunnels into Equifax.

Eventually, the intruders installed more than 30 web shells, each with a different web address, which created multiple hidden tunnels. If one was discovered, the others could continue to operate. This attack phase is known as command-and-control.

Once inside the network, the attackers had time to customize their hacking tools to efficiently exploit Equifax software and to query and analyze dozens of databases to determine which ones held the most valuable data. This attack phase is called reconnaissance.

The attackers used special tunneling tools to evade firewalls, analyzing and cracking one database after another while stockpiling data in the company's own storage systems. This attack phase is known as lateral movement.

The attackers collected a trove of data so large that it had to be broken up into small stockpiles to avoid tripping anomaly detection and data-loss prevention systems. Once this was done, the attackers left with the data. This attack phase is called data exfiltration.
Timeline of the Equifax breach, by attack phase (the names in parentheses are the corresponding attacker-behavior detections used in the figures that follow):

Infection, March 10: Attackers exploit a vulnerability in the Apache Struts Web Framework to gain root access to the online dispute web application.

Command & Control: Attackers set up about 30 web shells that were accessed from around 35 distinct public IP addresses, using China Chopper (External Remote Access, Suspect Domain Activity, Hidden HTTPS Tunnel).

Reconnaissance: Attackers customize tools to efficiently exploit Equifax's software, and to query and analyze dozens of databases to decide which held the most valuable data (Port Sweep, Port Scan, Internal Darknet Scan, Kerberos Account Scan).

Lateral Movement, May 13 to July 30: Attackers used hidden tunnels to bypass firewalls, analyzing and cracking one database after the next while stockpiling data on the company's own storage systems (Suspicious Admin).

Exfiltration: The trove of data the attackers collected was so large it had to be broken up into smaller pieces to avoid triggering as anomalous behavior (Data Smuggler, Hidden HTTPS Tunnel).

*Sources:
"Global Security from Equifax," Coppin University, https://www.coppin.edu/download/downloads/id/1405/the_work_number_-_security_overview_brochure.pdf
Chicago Tribune, http://www.chicagotribune.com/business/ct-equifax-hack-state-sponsored-pros-20171002-story.html
The Wall Street Journal, https://www.wsj.com/articles/hackers-entered-equifax-systems-in-march-1505943617
Risk Based Security, https://www.riskbasedsecurity.com/2017/09/equifax-breach-updated-timeline-phishing-regulation-and-a-roundup/
Analysis of the financial industry for six months after the Equifax breach

The information in this spotlight report is based on observations and data from the RSA Conference Edition of the Attacker Behavior Industry Report from Vectra®. The report reveals attacker behaviors and trends in networks from 246 opt-in customers in financial services and 13 other industries.

From August 2017 through January 2018, the Cognito™ cyberattack-detection and threat-hunting platform from Vectra monitored network traffic and collected rich metadata from more than 4.5 million devices and workloads in customer cloud, data center and enterprise environments.

The analysis of this metadata provides a better understanding of attacker behaviors and trends as well as business risks, enabling Vectra customers to avoid catastrophic data breaches.

Vectra found the same types of attacker behaviors across the financial services industry as those that led to the Equifax breach.

Every industry has a profile of network and user behaviors that relate to specific business models, applications and users. Through careful observation, attackers can mimic and blend in with these behaviors, making them difficult to expose.

What stood out the most, shown in Figure 1, is the presence of hidden tunnels, which attackers use to get into networks that have strong access controls. Hidden tunnels also enable attackers to sneak out of networks with stolen data, undetected.

Figure 1: Financial industry attacker behaviors per 10,000 devices

Command and Control
  C&C Hidden HTTPS Tunnel            23
  External Remote Access             56
  Suspect Domain                     86

Lateral Movement
  Suspicious Admin                   27

Reconnaissance
  Internal Darknet Scan              74
  Port Sweep                        139
  Port Scan                          52

Data Exfiltration
  Hidden HTTPS Tunnel Exfiltration    5
  Data Smuggler                      47
With the rise of web applications, the use of SSL/TLS encryption has become widespread. Today, HTTPS traffic is the norm and HTTP traffic is the exception. Certificate pinning, which is also widely deployed, prevents network security systems from performing man-in-the-middle decryption to inspect packets for threats.

The high volume of traffic from web-based enterprise applications creates a perfect opportunity to hide command-and-control, data exfiltration and other attacker communications from network security tools.

While many attackers use SSL/TLS, the most adept attackers will also create their own encryption schemes. Custom encryption is especially difficult to detect, because the protocol might be unidentifiable and use any available port.

Hidden command-and-control tunnels

Compared to the combined industry average, there are fewer overall command-and-control behaviors in financial services, as shown in Figure 2. Suspicious HTTP command-and-control communications are significantly lower in financial services.

However, Vectra Cognito detected significantly more hidden tunnels per 10,000 devices in financial services than the combined average of all other industries.

For every 10,000 devices across all industries, 11 hidden HTTPS tunnels were detected. In financial services, that number more than doubled to 23. Hidden HTTP tunnels jumped from seven per 10,000 devices to 16 in financial services.

Hidden tunnels are difficult to detect because communications are concealed within multiple connections that use normal, commonly allowed protocols. For example, communications can be embedded as text in HTTP GET requests, as well as in headers, cookies and other fields. The requests and responses are hidden among ordinary messages within the allowed protocol.
Figure 2: Command-and-control communications per 10,000 devices. Stacked bars comparing the combined industry average with financial services across the detections Malware Update, Suspect Domain C&C, Hidden DNS Tunnel C&C, Hidden HTTP Tunnel C&C, Hidden HTTPS Tunnel, Suspicious HTTP, Peer-to-Peer, Pulling Instructions, External Remote Access, Stealth HTTP Post and TOR Connection Relay; y-axis 0 to 500. Values stated in the text: Hidden HTTPS Tunnel C&C 11 (combined) vs. 23 (financial); Hidden HTTP Tunnel C&C 7 vs. 16; Suspect Domain C&C 86 and External Remote Access 56 in financial services (as in Figure 1).
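The description above of data "embedded as text in HTTP GET requests, as well as in headers, cookies and other fields", together with the conclusion's note that covert tunnels betray themselves through "slight delays or unusual patterns in requests and responses", can be turned into a small detector. The following is an added example and is not code from the Vectra report or the Cognito platform: it scores each client/host pair in a constructed request log on three signals (request volume, Shannon entropy of the Cookie header, and regularity of the inter-request gaps) and flags a pair only when all three agree. The log format, the thresholds (MIN_REQUESTS, MIN_ENTROPY, MAX_JITTER), the hostnames and the sample lines are all assumptions made for the example.

```python
"""Heuristic detector for hidden HTTP tunnels in request logs.

Added example (not code from the Vectra report). The log format, the three
scoring thresholds and the sample lines are constructed for illustration.
"""
import base64
import hashlib
import math
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format, one request per line:
#   <ISO-8601 time> <client ip> <host> <method> <path> <Cookie header value>
LOG_FORMAT = "{ts} {src} {host} {method} {path} {cookie}"

MIN_REQUESTS = 8     # a tunnel needs a sustained stream of requests to one host
MIN_ENTROPY = 4.5    # bits per character; encoded/encrypted payloads sit above this
MAX_JITTER = 0.2     # std/mean of inter-request gaps; beacons are unusually regular


def shannon_entropy(text):
    """Bits of entropy per character of text (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one constructed log line; the cookie value may itself contain spaces."""
    ts, src, host, method, path, cookie = line.split(" ", 5)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, host, method, path, cookie


def find_hidden_tunnels(lines):
    """Return {(src, host): stats} for client/host pairs that look like hidden tunnels.

    A pair is flagged only when all three signals agree: many requests, a
    high-entropy (encoded) cookie field, and unusually regular timing. Any one
    signal alone also matches legitimate traffic (see the poller in the sample).
    """
    flows = defaultdict(list)
    for line in lines:
        ts, src, host, _method, _path, cookie = parse_line(line)
        flows[(src, host)].append((ts, cookie))

    flagged = {}
    for key, reqs in flows.items():
        if len(reqs) < MIN_REQUESTS:
            continue
        reqs.sort(key=lambda r: r[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        entropy = statistics.mean(shannon_entropy(cookie) for _, cookie in reqs)
        if entropy >= MIN_ENTROPY and jitter <= MAX_JITTER:
            flagged[key] = {
                "requests": len(reqs),
                "cookie_entropy": round(entropy, 2),
                "gap_jitter": round(jitter, 2),
            }
    return flagged


def build_sample_log():
    """Constructed sample traffic: normal browsing, a legitimate poller and a tunnel."""
    t0 = datetime(2018, 1, 15, 9, 0, tzinfo=timezone.utc)
    lines = []

    def add(src, host, path, cookie, offset_s):
        ts = (t0 + timedelta(seconds=offset_s)).isoformat()
        lines.append(LOG_FORMAT.format(ts=ts, src=src, host=host, method="GET", path=path, cookie=cookie))

    # 1) Ordinary browsing: irregular timing, human-readable cookie.
    for offset in (0, 7, 45, 50, 130, 131, 400, 402, 905, 910):
        add("10.1.2.3", "www.example-bank.test", "/accounts", "session=abc123; lang=en; theme=light", offset)
    # 2) Legitimate feed poller: regular timing but no encoded payload.
    for i in range(12):
        add("10.1.2.4", "ticker.example-feed.test", "/quotes?sym=ACME", "client=dashboard-v2", i * 60)
    # 3) Hidden tunnel: regular beacon smuggling encoded data in the cookie.
    #    The hash output is a constructed stand-in for encrypted tunnel data.
    for i in range(12):
        blob = hashlib.sha256(f"chunk{i}".encode()).digest() + hashlib.sha256(f"salt{i}".encode()).digest()
        add("10.1.2.5", "cdn-updates.example.test", "/assets/app.js", "cid=" + base64.b64encode(blob).decode(), i * 30)
    return lines


if __name__ == "__main__":
    for (src, host), stats in find_hidden_tunnels(build_sample_log()).items():
        print(f"hidden tunnel candidate: {src} -> {host} {stats}")
```

Only the third client is flagged: the browsing session fails on timing and entropy, and the feed poller is as regular as the beacon but carries a readable cookie. That is the point of combining signals; a regularity check on its own would flag the stock-ticker style applications the report later calls "good tunnels".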
Hidden data-exfiltration tunnels

Once attackers locate key assets to steal, the focus shifts to accumulating those assets and smuggling them out. In this exfiltration phase, attackers control the transmission of large data flows from the network and into the wild.

As shown in Figure 3, Vectra Cognito detected more than twice as many hidden exfiltration tunnels per 10,000 devices in financial services as the combined average of all other industries.

For every 10,000 devices across all industries, two hidden HTTPS tunnels were detected. In financial services, that number more than doubled to five. Hidden HTTP tunnels doubled from two per 10,000 devices to four in financial services.

Figure 3: Data exfiltration per 10,000 devices. Stacked bars comparing the combined industry average with financial services for Hidden HTTP Tunnel Exit, Hidden HTTPS Tunnel Exit, Smash and Grab and Data Smuggler; y-axis 0 to 80. Values stated in the text: Hidden HTTPS Tunnel Exit 2 (combined) vs. 5 (financial); Hidden HTTP Tunnel Exit 2 vs. 4; Data Smuggler 47 in financial services (as in Figure 1).

Good vs. bad tunnels

In many cases, hidden tunnels are applications used for legitimate purposes, like stock ticker feeds, internal financial management services, third-party financial analytics tools and other cloud-based financial applications.

These legitimate applications use hidden tunnels to circumvent security controls that would otherwise limit their ability to function. This is the same reason attackers use hidden tunnels, which were employed in the Equifax data breach. A hidden-tunnel detection therefore needs context, such as the destination and the business owner of the source host, before it is treated as an attack rather than as an application that was never inventoried.
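Both the anatomy section (data "broken up into small stockpiles to avoid tripping anomaly detection and data-loss prevention systems") and the exfiltration figures above (Smash and Grab versus Data Smuggler) describe the same failure mode: a per-transfer limit sees each piece as harmless. The following added example, which is not code from the Vectra report or the Cognito platform, shows the difference between a per-flow check and a sliding-window aggregate over constructed netflow-style records. The record format, the byte thresholds (PER_FLOW_LIMIT, WINDOW, WINDOW_LIMIT), the addresses and the sample flows are assumptions made for the example; the verdict labels only borrow the report's two detection names.

```python
"""Detecting data broken into small pieces to slip past per-transfer limits.

Added example (not code from the Vectra report). The flow-record format, the
byte thresholds and the sample records are constructed for illustration; the
verdict labels borrow the report's names Smash and Grab and Data Smuggler.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

MIB = 1024 * 1024
PER_FLOW_LIMIT = 5 * MIB        # what a per-transfer DLP rule would alert on
WINDOW = timedelta(hours=24)    # sliding window for the cumulative check
WINDOW_LIMIT = 50 * MIB         # bytes one (src, dst) pair may send per window


def parse_flow(line):
    """'<ISO-8601 time> <src ip> <dst ip> <bytes out>' -> (datetime, src, dst, int)."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, int(nbytes)


def detect_exfiltration(lines):
    """Return {(src, dst): verdict} for outbound flows that exceed a limit.

    smash_and_grab: one flow larger than PER_FLOW_LIMIT, the case a per-flow
                    control already catches.
    data_smuggler : every flow is under PER_FLOW_LIMIT, yet the bytes sent
                    within any WINDOW exceed WINDOW_LIMIT, the split-up pattern
                    described for the Equifax exfiltration.
    """
    flows = sorted(parse_flow(line) for line in lines)
    recent = defaultdict(deque)   # (src, dst) -> (ts, bytes) still inside the window
    totals = defaultdict(int)     # (src, dst) -> bytes inside the window
    verdicts = {}
    for ts, src, dst, nbytes in flows:
        key = (src, dst)
        if nbytes > PER_FLOW_LIMIT:
            verdicts[key] = "smash_and_grab"
            continue
        queue = recent[key]
        queue.append((ts, nbytes))
        totals[key] += nbytes
        while queue and ts - queue[0][0] > WINDOW:   # expire flows older than the window
            totals[key] -= queue.popleft()[1]
        if totals[key] > WINDOW_LIMIT and key not in verdicts:
            verdicts[key] = "data_smuggler"
    return verdicts


def build_sample_flows():
    """Constructed records: a smuggler, a bulk transfer and a legitimate sync job."""
    t0 = datetime(2018, 1, 15, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(src, dst, nbytes, offset):
        lines.append(f"{(t0 + offset).isoformat()} {src} {dst} {nbytes}")

    # Data Smuggler: 40 flows of 2 MiB, 20 minutes apart (80 MiB in about 13 hours),
    # every one of them under the per-flow limit.
    for i in range(40):
        add("10.0.5.20", "203.0.113.10", 2 * MIB, timedelta(minutes=20 * i))
    # Smash and Grab: one 120 MiB transfer.
    add("10.0.5.23", "203.0.113.99", 120 * MIB, timedelta(hours=3))
    # Legitimate sync: 3 MiB every 6 hours for 3 days, never more than 15 MiB per day.
    for i in range(12):
        add("10.0.5.22", "192.0.2.44", 3 * MIB, timedelta(hours=6 * i))
    return lines


if __name__ == "__main__":
    for (src, dst), verdict in sorted(detect_exfiltration(build_sample_flows()).items()):
        print(f"{src} -> {dst}: {verdict}")
```

The smuggler crosses WINDOW_LIMIT on its 26th flow even though no single flow is close to PER_FLOW_LIMIT, while the sync job, which moves a comparable amount of data over three days, never accumulates more than 15 MiB in any window. The window length and budget are the tuning knobs: too short a window and the split-up pattern disappears again, too small a budget and the legitimate financial applications from the section above start to trip it.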
Conclusion

Financial services showed higher than normal rates of hidden tunnels, which are nearly impossible to detect using signatures, reputation lists, sandboxes and anomaly detection systems. Because hidden tunnels carry traffic from legitimate financial services applications, anomaly detection systems struggle to discern normal traffic from attacker communications that are concealed among them.

To find these hidden threats, Vectra has created mathematical algorithms that identify hidden tunnels within HTTP, HTTPS and DNS traffic. Although the traffic appears to be normal, there are subtle abnormalities, such as slight delays or unusual patterns in requests and responses, that indicate the presence of covert communications.

To learn more about other cyberattacker behaviors seen in real-world cloud, data center and enterprise environments, get the 2018 RSA Conference Edition of the Attacker Behavior Industry Report from Vectra.
Email info@vectra.ai
Phone +1 408-326-2020
vectra.ai

© 2018 Vectra Networks, Inc. All rights reserved. Vectra, the Vectra Networks logo and Security that thinks are registered trademarks and Cognito, Cognito Detect, Cognito Recall, the Vectra Threat Labs and the Threat Certainty Index are trademarks of Vectra Networks. Other brand, product and service names are trademarks, registered trademarks or service marks of their respective holders.