What Equifax Teaches Us About Threat Detection and Response
In early September, Equifax, one of the three big consumer credit reporting agencies, announced that it had been breached by hackers. The fallout, according to The New York Times, is compromised sensitive information including names, birthdays, addresses, credit-card numbers, Social Security numbers and driver’s license numbers, collectively belonging to as many as 143 million Americans.
In other words, half of all U.S. consumers have potentially had private information exposed in this breach.
“A known software flaw is believed to have resulted in the intrusion.”
Initial reports stated that hackers had infiltrated Equifax between mid-May and July by exploiting a software vulnerability. However, shortly following the announcement, Bloomberg reported on a separate breach that took place in March, but was never disclosed to the public. That breach potentially affected a small, undisclosed number of customers, who were notified at the time the incident was discovered. However, Equifax never publicly announced the breach, possibly because it could not find evidence that any data had actually been accessed.
This is where things get dicey: According to The Verge, the March incident involved a security vulnerability in Apache Struts web-server software, a flaw that was patched March 8, 2017. Equifax claimed that it patched its systems to seal the hole, but also said that this same flaw is the one hackers exploited to access the personal data of nearly half the U.S. population. This raises very obvious questions about whether Equifax did in fact patch its systems, or possibly was not as thorough as it needed to be.
Additionally, Equifax reportedly learned of the breach July 29, 2017. They later discovered that the breach had likely taken place in May and June, which could explain why the same type of information stolen from Equifax had been used by hackers in attempts to infiltrate large financial institutions during those months.
As of now, there are just as many questions as answers. For instance, it is not entirely clear whether the hacking events of March and May are related. Nevertheless, the situation is disquieting, and has raised many questions about Equifax’s handling of the situation.
Highlighting threat detection
The first of several lessons learned from the Equifax breach is a reminder of the importance of having strong threat detection. Based on what Equifax has revealed, it appears that they discovered the breach approximately six weeks after it actually happened. This is not necessarily unusual. Verizon’s security research division found that one in 10 breaches from 2016 were discovered more than a year after the fact, according to Quartz.
In this way, the Equifax breach points to a long-running problem associated with cybersecurity, which is a general lack of threat detection capabilities. From the largest enterprises to the smallest SMBs, threat detection is an element of information security that businesses cannot seem to get right. Part of the problem is that strong threat detection requires 24/7/365 analysis of log flows, and near-endless triaging of security-related events.
To be fair, larger organizations tend to have more resources to absorb both the cost of deploying and integrating a comprehensive SIEM and the complexity of managing it for continuous monitoring. Traditionally, this has left smaller businesses in a particularly tough spot.
But if there’s a silver lining, it’s the emergence of managed detection and response (MDR). Falling under the umbrella of SOC-as-a-Service, MDR is a viable alternative to building and managing an in-house SOC. For SMBs, this provides the continuous monitoring that is necessary for detecting threats. Just as importantly, MDR supplies vulnerability assessments that will catch oversights, such as a failure to patch a known software flaw that could potentially be exploited by hackers.
The value of timely incident response cannot be overstated
It’s possible that Equifax rolled the dice when it chose not to publicly disclose the March breach. It wagered getting off scot-free at the time against the possibility of a deferred exposure, and it lost. The very clear lesson here is that it’s better to hedge your bets when it comes to incident response. Again, the precise relationship between the March breach and the more recent exposure remains unclear. However, the revelation of the March intrusion undoubtedly compounded an already difficult situation, and it had a tangible impact on Equifax’s reputation.
That’s not all.
“The revelation of a March breach will complicate the company’s efforts to explain a series of unusual stock sales by Equifax executives,” Bloomberg wrote. “If it’s shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading.”
Needless to say, IR is as much about how you respond to the technical aspects of a breach as it is about reputation and damage control.
Make sure you cover all of your bases. In the long run, you simply can’t afford not to.