In this post, we’ll discuss a few early lessons learned from the Equifax breach announced yesterday. We’ll also recommend a six point plan to avoid becoming “the next Equifax” based on what we know today about the breach. Rendition is in no way involved with the breach assessment for Equifax and we have no inside knowledge. However, we will discuss the publicly available information so organizations can take action to avoid a similar breach.
Note: In the coming days and weeks, you’ll likely be inundated with vendor pitches claiming they can stop you from becoming “the next Equifax.” Be wary, be very wary. If it sounds too good to be true, it probably is. In information security, there are no silver bullets. But that’s okay – werewolves probably aren’t part of your threat model anyway…
At Rendition Infosec, we endorse the SANS Institute six step Incident Response (IR) process. For those not familiar with the process, the steps are:
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned
This conveniently spells PICERL. A handy mnemonic to remember this is “Patched Infrastructure Could’ve Easily Reduced Losses.” This is great because it’s simple to remember AND true.
For this post, we’re going to focus on the preparation and identification phases since those are what we know the most about so far.
Web Application Vulnerabilities
It is clear that some controls were lacking in the Equifax environment. While we don’t know much about their internal network, we do know some details about problems in their web applications. This post shows that the Equifax site was vulnerable to trivial XSS. The XSS was disclosed in March 2016 but was still actively exploitable yesterday. This probably wasn’t the source of the breach. However, an 18-month-old public XSS that nobody fixed points to three probable issues in the Equifax network:
Stack traces / error messages printed
You can also see from this screenshot (via Twitter user @notdan) that there are unhandled exceptions in some Equifax web pages.
Not only are these conditions potentially exploitable, but printing error messages and stack traces provides attackers with a roadmap for exploitation: class names, file paths, line numbers and framework versions tell them exactly what to target. Best practices demand that these be removed from anything served to the client and logged server-side instead. This issue points to three probable issues:
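To make the two web application findings concrete, here is an added example (our illustration, not code from Equifax or from the linked post) of a minimal request handler that gets both right: untrusted input is HTML-escaped before it is reflected, and any unhandled exception is written to the server log with a reference ID while the client receives only a generic error. The `debug=True` path reproduces the leaky behaviour for comparison. `broken_handler`, `SSN_INDEX` and the file path in it are constructed sample data.

```python
import html
import logging
import traceback
import uuid

log = logging.getLogger("webapp")

# Constructed sample data for the demo (not real records)
SSN_INDEX = {"6789": "Dan"}


def render_greeting(name: str) -> str:
    """Reflect a user-controlled value into HTML.

    html.escape turns <, >, &, " and ' into entities, so a payload such as
    <script>alert(1)</script> is rendered as inert text instead of executed.
    """
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def handle_request(handler, debug: bool = False):
    """Run `handler()` and return an (http_status, body) tuple.

    Hardened behaviour (debug=False): the full stack trace goes to the server
    log together with a reference ID; the client sees only the ID.
    Leaky behaviour (debug=True): the stack trace is returned in the body,
    which is what an unhandled exception on a production site amounts to.
    """
    try:
        return 200, handler()
    except Exception:
        ref = uuid.uuid4().hex[:12]
        trace = traceback.format_exc()
        # Responders and developers get everything they need from the log...
        log.error("ref=%s unhandled exception:\n%s", ref, trace)
        if debug:
            # ...and in the leaky configuration, so does the attacker.
            return 500, "<pre>" + html.escape(trace) + "</pre>"
        # ...while the client gets nothing an attacker can use except a handle
        # that lets support correlate a complaint with the log entry.
        return 500, f"<p>An internal error occurred. Reference: {ref}</p>"


def lookup_handler(ssn_suffix: str):
    """Handler factory: look up a constructed record by SSN suffix."""
    def run():
        return render_greeting(SSN_INDEX[ssn_suffix])   # KeyError on a miss
    return run


def broken_handler():
    """Constructed failure: an unhandled exception whose message carries a
    server path, the kind of detail a stack trace hands to an attacker."""
    config = {}
    return config["/var/app/config/db.properties"]


if __name__ == "__main__":
    print(handle_request(lookup_handler("6789")))
    print(handle_request(lookup_handler("<script>alert(1)</script>")))
    print(handle_request(broken_handler, debug=True))
    print(handle_request(broken_handler))
```

The point of the reference ID is that removing stack traces from responses costs nothing in supportability: the help desk asks for the ID, and the IR team finds the full trace in the log.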
Incident Communication / Public Relations
Rendition Infosec always advises our clients to perform tabletop exercises for incident response scenarios. Part of these scenarios involves contacting Public Relations (PR) to help them understand how to work with the IR team. It seems clear that if PR was involved in the breach notification, they failed miserably.
First, you should not register a new domain to communicate a breach notification. Users have no good way to determine whether the new domain you just registered is legitimate or not. Further, this opens opportunities for opportunistic attackers to register lookalike domains and exploit your victims again. Twitter user @notdan demonstrated this brilliantly with a Twitter poll. The poll highlights the confusion about which domain should actually be trusted. These results are especially concerning because most of Dan’s following is infosec and IT related.
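If you do end up with a notification domain, the defensive counterpart to the lookalike problem is to enumerate the variants an attacker would register and either register or monitor them before the announcement goes out. The following is an added example (ours, not code from the original post or any tool it mentions) that generates the common classes of lookalike names: character omission, adjacent transposition, single homoglyph substitution, hyphen removal, trust-implying affixes and alternate TLDs. The domain `breachnotice-example.com` is a hypothetical placeholder; the page does not name the real one.

```python
# Hypothetical notification domain used for the demo (not the real one)
NOTIFY_DOMAIN = "breachnotice-example.com"

# Single-character swaps that look alike in many fonts or URL bars
HOMOGLYPHS = {"l": "1", "i": "l", "o": "0", "e": "3", "a": "4", "s": "5", "m": "rn"}
ALT_TLDS = ("net", "org", "info", "co")
AFFIXES = ("secure", "login", "verify", "support")


def lookalike_candidates(domain: str) -> list:
    """Return a sorted list of lookalike domains to register or monitor.

    Only the registrable label (left of the last dot) is mutated; the TLD is
    kept, and then the unmodified label is additionally emitted under the
    alternate TLDs in ALT_TLDS.
    """
    label, _, tld = domain.lower().rpartition(".")
    labels = set()

    # 1. Omission: breachnotce-example
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])

    # 2. Adjacent transposition: breachnoitce-example
    for i in range(len(label) - 1):
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])

    # 3. One homoglyph substitution per candidate: breachn0tice-example
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            labels.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])

    # 4. Hyphen removal: breachnoticeexample
    labels.add(label.replace("-", ""))

    # 5. Affixes that imply legitimacy: secure-breachnotice-example
    for affix in AFFIXES:
        labels.add(f"{affix}-{label}")
        labels.add(f"{label}-{affix}")

    labels.discard(label)                      # the real name is not a lookalike
    labels.discard("")                         # guard for one-character labels
    names = {f"{l}.{tld}" for l in labels}

    # 6. Same label, other TLDs
    names.update(f"{label}.{t}" for t in ALT_TLDS)
    return sorted(names)


if __name__ == "__main__":
    for name in lookalike_candidates(NOTIFY_DOMAIN):
        print(name)
```

The output is a watch list, not a finished product: feed it to whatever you use for passive DNS or certificate transparency monitoring, and register the handful that are cheap to take off the table. The deeper fix is the one in the paragraph above: announce from a domain users already trust.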
After registering the domain, corporate communications forgot to let reputation monitors know about the new domain. When never-before-seen domains become popular quickly, they tend to be phishing and/or malware distribution domains. Reputation monitors know this. When they observed the explosive growth in popularity of the new, never-before-seen domain, it was listed as potentially malicious. OpenDNS initially listed the domain as a phishing domain, but quickly overrode its algorithms so its users could access the domain again.
During the initial hours after the breach was announced, users who tried to call Equifax reported waiting on hold for an hour or more, only to be told that the call center didn’t have the list of impacted people. Others, including Brian Krebs, reported that the server wasn’t responding to requests at various points.
There are a few probable issues highlighted in this portion of the IR:
Six point plan
There’s more that can be said about the Equifax breach now, but this is getting long already. Certainly we’ll learn more as time progresses. If your board of directors is asking you today “how do we make sure we’re not the next Equifax,” Rendition has a six point plan to help you make that happen.
Parting thoughts
We hope that you’ve found this useful. Earlier, we noted that you should be wary of anyone trying to capitalize on the Equifax breach by trying to sell you a magic bullet. Nothing we’ve suggested is a silver bullet or a magic pill. We’ve just recommended some of the same services that Rendition delivers to our customers each and every day. Of course the selection of services specifically relates to the topic at hand (the Equifax breach). If you need assistance with any security services or just want the peace of mind that comes with an industry leading firm at your side, contact Rendition – we stand ready to help.