Thoughts on the Equifax 2017 Breach Report

The United States Government Accountability Office (GAO) recently released a report on the 2017 Equifax data breach. The GAO report documents a number of shortcomings in Equifax’s infrastructure and can be used to identify lessons that should be learned.

In a perfect storm of conditions, an outdated email list prevented necessary personnel from receiving a patch instruction, and an expired certificate on a security device that was configured to fail open allowed attackers to perform undetected activities.

These failures allowed attackers to breach Equifax and remain undetected for almost three months. Specifically:

  • A vulnerability scan that did not detect Apache Struts 2 on the online dispute portal.
  • An outdated email list of systems administrators.
  • An expired security certificate on a security device, preventing inspection of encrypted traffic.
  • A security device configured to continue to allow communication in the event it could not inspect traffic.

Below are our observations and recommendations based our analysis here at DCSO.

Background

On March 8, 2017, the United States Computer Emergency Response Team posted an advisory for the popular Java application framework Apache Struts 2.1 Two days later, attackers discovered that the online dispute portal of the consumer credit reporting giant Equifax was vulnerable. Barely more than one month later, on May 13, 2017, the same attackers exploited this vulnerability, gaining access to Equifax’s infrastructure.

The attackers proceeded to exfiltrate data without being detected until July 29, 2017, nearly three months after the initial intrusion. The breach was reported to Equifax’s CEO on July 31, 2017, two full days after detection.2

Contributing Factors

In the days leading up to the detection of the breach, Equifax took a number of steps to secure its vulnerable systems against exploitation. Equifax performed a scan of its systems, searching for the vulnerable Apache Struts 2 software, yet failed to find the online dispute portal systems. Equifax then sent a patch notification via email to its systems administrators; however, the mailing list was not accurate nor up-to-date. As a result of that, the people responsible for patching the infrastructure of the online dispute portal never received the notification.

In addition to these procedural shortcomings, a network security device (possibly an inline Intrusion Prevention System) configured to inspect encrypted traffic had an expired security certificate and was configured to allow encrypted traffic to pass uninspected in the event of a problem.

Once the attackers gained access to the online dispute portal systems, they were able to access a database that contained unencrypted credentials used to access other databases on the Equifax network. To exfiltrate the data, the attackers purportedly used existing encrypted communications channels between systems and ordinary HTTPS to the internet.

Lessons Learned

Information Security Management Process and the Importance of Alerting

Had administrators responsible for the upkeep of the online dispute portal received the patch notification, the intrusion may have been wholly prevented. Email distribution lists should be regularly reviewed as part of the ISM process, concurrently with reviews of policies and infrastructure implementations.

Had the certificate’s expiration been tracked and alerted as part of the ISM process, or had the security device been configured to raise a critical alarm upon the certificate’s expiration or fail open condition, Equifax’s staff may have been able to detect the intrusion earlier.

Vulnerability Management and Patch Management Process

Use the ISM process and the vulnerability management process to keep your front-line staff properly informed of potential areas of interest in order to ensure a holistic understanding of your infrastructure. A gap analysis should result in a list of systems that should be considered at higher risk, while the ISM process should strive to ensure that they have a correspondingly increased security posture.

Any effective vulnerability management process will include a gap analysis, conducted at the same time as vulnerability scans and assessments. The gap analysis should clearly document any systems that may not be scanned through automatic means, and should include specific administrator awareness training to ensure personnel who are responsible for the upkeep of those systems are aware of what software is running on those systems.

The systems, network, and security administrators in any organization are wholly capable of acting as the first line of defense, as seen with Equifax: a network administrator reported unusual activity during a routine check in their area of responsibility.

Security Device Configuration and the Importance of Proper Implementation

Inline security devices that inspect encrypted traffic with the intention of preventing exposure of PII, exfiltration of trade secrets, or otherwise misuse of data should be configured to fail closed, thereby fulfilling their intended purpose. In the case with Equifax, incorrect configuration allowed attackers to conduct their activities without Equifax staff being able detect them.

A security device is only as effective as its configuration, placement, and curation within an organization.

Conclusions

The 2017 Equifax data breach provides a number of lessons, most notably that if a gap analysis is not conducted in combination with the traditional ISM process, overlapping gaps could leave holes large enough for attackers to slip through undetected. DCSO recommends:

  • Updating email distribution lists regularly
  • Conducting a gap analysis at the same time as the vulnerability assessment
  • Conducting specific user awareness training for administrators responsible for systems processing confidential data
  • Segmenting network, systems, and access rights to hinder or prevent lateral movement
  • Ensuring that alerting is performed if a security device encounters an error such as an expired certificate
  • Configuring inline security devices to fail closed, unless loss of life is a potential factor
Who we are

The Threat Intelligence -Team helps clients to reduce the threat posed by adversaries to their networks by leveraging the power of collaborative defense in combination with comprehensive analytics and contextualized threat intelligence. DCSO delivers actionable intelligence on all levels – from atomic Indicators of Compromise (IoC) to insights into the political, economic and cultural context of adversaries.

1 US-CERT, August 3, 2018, “Apache Software Foundation Releases Security Updates” https://www.us-cert.gov/ncas/current-activity/2017/03/08/Apache-Software-Foundation-Releases-Security-Updates
2 U.S. Government Accountability Office, August 30, 2018, “Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach” https://www.gao.gov/assets/700/694158.pdf