6.2 Capstone Thinkful Cybersecurity Project [2022]

6.2 CAPSTONE Incident Report


Name of Reporter: Elize A Flores

Name of Incident: 2017 Equifax Data Breach

Date of Incident: March 2017



Executive Summary:

Over 143 million Equifax consumers experienced a breach of confidential data by attackers associated with Chinese state-backed hacking groups. The incident was discovered at the beginning of March 2017, after unauthorized documents belonging to Equifax's most valued consumers were posted and shared, especially on darknet markets. The threat actors have been linked to the 2015 hack of the U.S. Office of Personnel Management and the 2018 hack of Marriott's Starwood hotel brands, leading to the conclusion that amateur hackers abused the Struts vulnerability in their favor.


Detailed Summary:

Equifax, one of the biggest consumer reporting agencies (CRAs), discovered in March 2017 that over 143 million of its consumers were affected by a data breach. Equifax hired the security consulting firm Mandiant to assess its systems and networks. Mandiant described how the attackers compromised a consumer's credentials and logged into that consumer's Equifax web portal. The web portals of hacked users exposed names, addresses, SSNs, and driver's license numbers. At the same time, moving from one hacked user to another, the attackers used the Struts vulnerability (CVE-2017-5638) to their advantage, because Equifax had not updated and renewed its encryption certificate. The data is estimated to have been exposed for 78 days before the discovery date of March 7, 2017. Mandiant's forensic SIEM review identified malicious HTTP requests exploiting the Struts vulnerability. The Apache Software Foundation released patches for the Struts vulnerability on March 9, 2017. Beyond that, Equifax's IT department took on the task of scanning all code and vulnerable systems for patching, especially after data had been stolen in this incident. Infosec experts kept tabs on the dark web, although to their knowledge no documents related to Equifax were found there. This led to the theory that the confidential information obtained through the Struts vulnerability was being used for espionage.

Equifax set up a separate site, equifaxsecurity2017.com, where consumers could learn the news; by planting a foot in a new domain, however, the plan failed. Further announcements about the breach caused stockholders to sell during August 2017. Equifax lost its clients' trust, and the second Equifax website was further criticized as insecure. Two years after the breach, Equifax had spent $1.4 billion on cleanup costs.


Major Findings:

High-value consumers were targeted most on the Equifax platform. 143 million consumers fell victim to espionage. The Struts vulnerability, CVE-2017-5638, was used to send crafted HTTP requests to the server and move from one web portal to another.

  • Equifax's IT department found no data exposed on the dark web. No data exposed to the public was found, which led to the conclusion

  • The same vulnerability was used repeatedly, with a wide range of attacks to expose hacked users' information. The HTTP requests exploiting CVE-2017-5638 were found alongside scribbles of code, that is, pre-written code used to discover information.
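As an added example that is not part of the original report, covering the SIEM finding in the detailed summary and the repeated-exploitation finding above: a small Python scanner over constructed access-log lines (the log format and sample data are assumptions, not Equifax's) that flags the CVE-2017-5638 indicator a defender would look for, an OGNL expression opener inside the Content-Type header, and counts hits per source so a client moving between portals stands out.

```python
import re
from collections import Counter
# Constructed sample access-log lines (not real Equifax data); assumed format:
#   <client ip> <timestamp> "<method> <path>" <status> "<Content-Type header>"
SAMPLE_LOGS = """\
203.0.113.7 2017-05-13T02:11:09Z "POST /upload.action" 200 "multipart/form-data; boundary=----c1"
203.0.113.7 2017-05-13T02:11:10Z "POST /upload.action" 200 "%{(#constructed='marker').(#x=1)}"
198.51.100.4 2017-05-13T02:12:00Z "GET /index.action" 200 "text/html"
198.51.100.9 2017-05-13T02:12:31Z "POST /login.action" 302 "application/x-www-form-urlencoded"
203.0.113.7 2017-05-13T02:13:45Z "POST /report.action" 500 "${#constructed.marker}"
192.0.2.22 2017-05-13T02:14:02Z "POST /upload.action" 400 "multipart/form-data boundary=broken"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<ts>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
                    r'(?P<status>\d{3}) "(?P<ctype>.*)"$')
# CVE-2017-5638 is triggered by a Content-Type value the Jakarta multipart parser
# rejects and Struts then evaluates as OGNL, so the opener "%{" / "${" is the tell.
OGNL_RE = re.compile(r'[%$]\{')
# RFC 7230 media-type grammar: token/token followed by optional ";" parameters.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
MEDIA_TYPE_RE = re.compile(rf'^{TOKEN}/{TOKEN}(\s*;.*)?$')

def parse_line(line):
    """Return the log fields as a dict, or None for a line in another format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify_content_type(ctype):
    """Label a Content-Type value; None means nothing suspicious."""
    if OGNL_RE.search(ctype):
        return "ognl_in_content_type"    # high confidence: review the host
    if not MEDIA_TYPE_RE.match(ctype):
        return "malformed_content_type"  # low confidence: odd client or probe
    return None

def scan(log_text):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        rule = classify_content_type(rec["ctype"]) if rec else None
        if rule:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "path": rec["path"], "rule": rule})
    return findings

def sources_by_hits(findings):
    """Count findings per client IP so a client hitting several portals surfaces."""
    return Counter(f["ip"] for f in findings).most_common()
```

Run `scan(SAMPLE_LOGS)` to list the flagged requests and `sources_by_hits(...)` to rank the sources; on the sample data the repeat source 203.0.113.7 comes first with two hits.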


Recommendations for remediation:

  • Automatically update and renew Equifax's encryption certificate, and patch the vulnerability as soon as possible, as recommended by the Apache Software Foundation. Send notice of this incident to the Bureau of Consumer Financial Protection (BCFP), the Federal Trade Commission (FTC), and especially the Department of Homeland Security (DHS), since Equifax is one of the three consumer reporting agencies (CRAs) and reports to industries that act as allies in the shared purpose of running a functional government. Notify Equifax's members of the occurrence and mandate that they change their login credentials. Meanwhile, secure these encryption endpoints as an extra layer of defense in depth, to prevent another mysterious attack using pre-downloaded code.

  • After patching the vulnerabilities and updating the encryption, and in keeping with a zero-trust policy, Equifax should establish a department within the company for cyber warfare: to trace attackers and bring them to court if needed, and to build up and raise the company's cybersecurity intelligence, because attacks happen every day and can happen any day to anyone and everyone.


Conclusion:

This could have been prevented by better endpoint encryption to detect and block scripted HTTP requests. Alternatively, if the data had been reviewed on a daily basis, Equifax would have been able to immediately identify anomalies compared with its history over the 78 days of unauthorized access and exposure. Equifax's consumers are now susceptible to fraud from the data and information under the attackers' control, which is known only to have been extracted.

Equifax is recommended, and should be mandated, to establish a security operations center (SOC) to learn from this cyber incident. Looking forward, attacks happen every second and will grow spontaneously; they can come from connections on trusted networks or from a self-proclaimed inside user, whether legitimate or fraudulent. Assuming that the Department of Homeland Security (DHS) is to be fully trusted as one of the agencies protecting the USA, reporting to the DHS should be done next time. When sending a notice, a different network should be used in case the current network gives an attacker remote access to view live data. This prevents further connections and keeps connections segmented, diversifying codes constantly if needed, to keep an attacker from jumping from one point to another.



Corrections according to AI: How can this report be improved?

Here are some suggestions to improve the incident report:

  • Add a timeline of key events in the incident, like when it was first detected, when patches were applied, etc. This helps understand how the incident unfolded.

  • Include more specific technical details on the vulnerability exploited and how the attackers gained access. For example, explain Struts in more detail and how the vulnerability allowed remote code execution.

  • Provide more details on the scope and impact of the breach. How many consumer records were accessed? What specific types of information were compromised?

  • Elaborate on the failure to update software that led to the vulnerability. Provide context on Equifax's software update processes and controls.

  • Explain any impacts to Equifax's operations and finances resulting from the breach. This could include costs for forensic investigation, customer notification, addressing lawsuits, etc.

  • Provide more details on the remediation efforts and outcomes. Did the recommended steps effectively prevent further breaches?

  • Include quantifiable metrics and outcomes wherever possible - number of records breached, amount spent on remediation, etc.

  • Use more formal language and objective tone fitting for an official incident report. Avoid subjective conclusions.

  • Ensure the executive summary concisely captures the key details - what happened, when, impact, and actions taken.

  • Organize the report with clear sections and headings for ease of reference. Include a table of contents.

  • List out the security guidelines and industry standards that Equifax failed to meet, if any. Reference NIST, ISO, etc.

Overall, aim for a detailed yet concise report that objectively captures the technical cybersecurity details as well as assesses the business impacts. Follow formal reporting guidelines and structure to make it easily readable by executives and technical teams.

