The Equifax breach simplified

The application in question at Equifax was the ACIS – Automated Consumer Interview System – built for consumers to dispute different inquiries on their credit. The ACIS was a standard three-tier architecture comprised of web servers, application servers, and databases. They had perimeter protection comprised of a firewall, IPS and IDS (Intrusion Protection System and Intrusion Detection System), and an SSL visibility appliance – which allowed them to see traffic going in and out of the application.

The breach was targeted at a known vulnerability on Apache Struts – the software they were running on their application server.

Apache Foundation released a patch for a vulnerability. The patch (CVE 2017-5638) was scored at 10⁄10, which is the highest vulnerability rating.

The Department of Homeland Security sent an email to key stakeholders – like Equifax – ensuring they were aware and working to patch their affected servers.

Equifax begins investigating to identify any servers that could have been affected. They used two vulnerability scanners - an open source product and a commercial purchased solution – that would scan the network and try to find where they were vulnerable. The results came back empty. (One of the reasons the scans would have been empty was because of a misconfiguration in looking at the wrong directory on the servers).

An external attacker exploited the vulnerability by coming in through the firewall over standard web ports, dropping a web shell on the application servers, and effectively creating a backdoor for the attackers. They could then run commands from that application server, look at the file system, and scan other servers on the environment.

The web shell started to look around the file system and found a clear text file containing user names and passwords of various servers in the organization. These credentials allowed them access to data on three ACIS databases, as well as 45 other databases on the network.

Over the span of 76 days, they ran – undetected – 9,000 different queries to these web servers. The attackers uncovered 148 million records of personally identifiable information (PII) data and the web shell was used to exfiltrate that data, slowly trickling it out in 10 MB packages to evade detection.

While the attacker was moving Equifax’s data outside the environment, the IT team looked into their SSL appliance and realized it had expired certificates. Operating in a fail-open state, the SSL appliance was allowing traffic to pass-through, when it should have otherwise detected the exfiltration.

Equifax updated these certificates, and almost immediately saw data leaving their environment, going to 35 different IP addresses in China. This is when the door was opened for the investigation; they shut down the ACIS service and went into breach mode.

Aside from ensuring the security measures in place were properly configured, Equifax could have stayed ahead of the curve if they had an agent monitoring their servers. While they can add complexity to some environments, agents are truly the best way to see granular details of events happening on endpoints or servers to identify anomalies. In this circumstance, an agent could have alerted Equifax based on details around:

• Critical system file changes

• The amount of database queries running over a certain amount of time

• Unusual web shells being dropped into the environment

• Files with clear text usernames and passwords Data moving outside the firewall

Security teams will always have to block and tackle, but companies also need to have the ability to quickly contextualize a situation to minimize financial and reputational damage in the event of a breach.