A year and a half after Equifax
One of the most famous scenes in Christopher Nolan's “Dark Knight” series is the scene where [SPOILER ALERT] The Joker burns a huge pile of money representing half of the entire mob's “life savings.” When asked why he's doing such an unthinkable thing, The Joker simply responds, "It's not about the money, it's about sending a message." The meaning behind this scene has been debated endlessly in online forums, but this message resonates well in the cyber world where nation-state actors spend countless millions of dollars to obtain information with no clear profit motive.
It's been a year and a half since the Equifax data breach that exposed the personal information of up to 145 million Americans, nearly half of the population in the U.S. and most of the adult population. On the 18-month anniversary of the breach, a Senate committee report blasted Equifax for failing even the most basic and rudimentary cybersecurity practices. In short, the report suggests Equifax could have easily prevented the massive breach. The Equifax breach differed from previous breaches such as Home Depot or Target in that consumers have a choice about patronizing these retailers and "opt-in" to allow their data in those respective ecosystems. Equifax, as a data broker, collected this information on nearly every American, often without their knowledge or consent.
Among the facts unearthed in the committee's report were that Equifax did not have a proper IT security audit until 2015 and that it failed that audit, which cited over 8,500 unpatched vulnerabilities with more than 1,000 of them rated as "critical" or "high risk." Even after failing the audit, Equifax was allowed to follow an "honor system" of patching vulnerabilities. A follow-up audit was never conducted, and security patches were not implemented in accordance with internal policies or deadlines.
CNBC recently reported that after an exhaustive search on hacker forums and the dark web (sites only available through the anonymizing service Tor), the stolen data from the Equifax breach was nowhere to be found. This supports initial suspicions that this was a state-sponsored attack with a specific target or targets in mind. The information stolen from Equifax included full names, Social Security numbers, dates of birth, and driver's license numbers, among other personal information that would constitute a gold mine for identity thieves. Stolen identity records regularly sell for at least several dollars each, so the mother lode of data from the Equifax breach could easily have been worth hundreds of millions of dollars. Stolen identity information loses value over time as news spreads and consumers put credit freezes in place, making the stolen data potentially worthless. It is in the thieves' best interest to sell the data as quickly as possible to maximize its value.
However, the data seems to have disappeared. The eight cybersecurity experts and "hunters" of personal information who were interviewed all concluded that while the breach did occur, the stolen data has not been seen for sale anywhere. The data has simply not been used in a way consistent with past data thefts of this nature: sold for identity theft, used to impersonate someone, or used to gain access to other accounts in the victim's name. There is only one type of cyber attacker with this methodology: the nation-state actor.
One theory is that a nation-state actor stole this information in order to combine it with other stolen data to determine the identities of foreign agents or spies. Data stolen from the Office of Personnel Management (OPM) breach could be combined with the data from the Equifax breach to unmask spies or identify assets that could potentially be turned, such as high-ranking officials with financial distress. Emerging technologies such as artificial intelligence and machine learning have made the process of cross-referencing and correlating data even easier.
Advanced persistent threats are just that: persistent. If a nation state wishes to obtain access or a key piece of information, it has almost unlimited budgets to achieve that goal. China allegedly hacked RSA Security to compromise its SecurID two-factor system in order to gain access to Lockheed Martin's F-35 project files. However, organizations can take steps to protect themselves and make themselves less attractive targets. It is like the joke about camping: you do not have to outrun an attacking bear, you simply have to outrun another member of your group. Let someone less protected be the target of attackers.
Cybersecurity defense-in-depth starts with the user and user-awareness training. If users do not click on links they do not know and do not open attachments from unknown sources, that would eliminate a good percentage of attack vectors. Since users cannot be expected to perform perfectly every time, a security stack as a service that follows the user no matter where he or she goes is a great step in securing the organization. Over 80 percent of the internet's traffic today is TLS encrypted, and attackers are taking advantage of that by concealing malware and exfiltrating data in TLS-encrypted channels. A security solution with native SSL inspection is needed to ensure nothing bad comes into the organization and nothing good leaves. While patch management is important in preventing known attacks, it is often viewed with the same priority as flossing: something that can be pushed off till tomorrow. Vendors that participate in Microsoft and Adobe's active protection program are automatically notified of upcoming patches, so users are protected against these new attacks even before physical systems can be patched.
To nation-state actors, every system has a vulnerability. It is up to organizations to minimize these vulnerabilities by implementing systems that are always up to date and are patched automatically.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Christopher Louie, CISSP, is a sales engineer at Zscaler