Could an Equifax-sized data breach happen again? 2018 Spotlight Report
I am artificial intelligence.
The driving force behind the hunt for cyberattackers.
I am Cognito.
Vectra | Could an Equifax-sized data breach happen again? | 2
TABLE OF CONTENTS
Anatomy of a cyberattack ... 4
Analysis of the financial industry for six months after the Equifax breach ... 5
Hidden data-exfiltration tunnels ... 8
Good vs. bad tunnels ... 8
Conclusion ... 8
Vectra | Could an Equifax-sized data breach happen again? | 3
Financial services organizations have the largest non-government
cybersecurity budgets in the world.
Bank of America invested over $600 million in cybersecurity annually and declared that it has an unlimited budget to fight cyberattacks. JPMorgan Chase spends $500 million annually on cybersecurity.
Although smaller in stature than these two banking powerhouses, Equifax, which suffered a massive breach in 2017, has a substantial cybersecurity budget of $85 million annually. That's 12% of its total IT spend.
According to Homeland Security Research Corp., the 2015 U.S. financial services cybersecurity market reached $9.5 billion, making it the largest in the private sector. If money could buy security, these would be the safest places in the world.
All this points to one painful fact: the largest enterprise organizations in the world remain lucrative targets for sophisticated cyberattackers. Security breaches continue to rise across multiple industries, and the financial services industry is no exception.
While financial services firms don’t experience the same volume
of breaches as other industries, the ones that do happen have
caused exponential damage along with far-reaching consequences
and public scrutiny.
Despite monumental efforts to fortify security infrastructure,
cyberattacks and breaches still occur.
For example, Equifax had the budget, manpower and a
sophisticated security operations center. Nonetheless,
145.5 million Social Security numbers, around 17.6 million driver’s
license numbers, 20.3 million phone numbers, and 1.8 million
email addresses were stolen.
How could this happen? Could a breach of this magnitude occur
at other financial services firms?
Number of data breaches in the United States from 2014 to 2017, by industry
Industry                 2014   2015   2016   2017
Business                  258    312    495    870
Medical/Healthcare        333    277    376    374
Banking/Credit/Finance     43     71     52    134
Educational                57     58     98    127
Government/Military        92     63     72     74
Sources: Identity Theft Resource Center; CyberScout. © Statista 2018. Additional information: United States; Identity Theft Resource Center; CyberScout; 2014 to 2017.
Anatomy of a cyberattack*
On an average day in 2017, the Equifax Cyber Threat Center captured 2.5 billion logs, monitored more than 50,000 cybersecurity events per second, received over 43,000 security device health checks, analyzed over 250 internet domains, and queried over 2,200 cyber-intel forums. Despite this effort, the breach that occurred in 2017 went undetected for 78 days.
The initial infection that led to the Equifax breach occurred when the cyberattacker exploited a web server to gain access to the company's network. Although vulnerabilities are commonplace on any network, the actions and behaviors of the attackers are of greater interest.
The attackers avoided using certain hacking tools that would expose them to the Equifax security operations team. However, one of the tools the attackers did use enabled them to build hidden command-and-control tunnels into Equifax.
Eventually, the intruders installed more than 30 web shells, each with a different web address, which created multiple hidden tunnels. If one was discovered, the others could continue to operate. This attack phase is known as command-and-control.
Once inside the network, the attackers had time to customize their hacking tools to efficiently exploit Equifax software and to query and analyze dozens of databases to determine which ones held the most valuable data. This attack phase is called reconnaissance.
The attackers used special tunneling tools to evade firewalls, analyzing and cracking one database after another while stockpiling data in the company's own storage systems. This attack phase is known as lateral movement.
The attackers collected a trove of data so large that it had to be broken up into small stockpiles to avoid tripping anomaly detection and data-loss prevention systems. Once this was done, the attackers left with the data. This attack phase is called data exfiltration.
Attack timeline (Vectra detection names in parentheses):
Infection. March 10: Attackers exploit a vulnerability in the Apache Struts web framework to gain root access to the online dispute web application.
Reconnaissance. Attackers customize tools to efficiently exploit Equifax's software, and to query and analyze dozens of databases to decide which held the most valuable data (Port Sweep, Port Scan, Internal Darknet Scan, Kerberos Account Scan).
Command & Control. Attackers set up about 30 web shells that were accessed from around 35 distinct public IP addresses – China Chopper (External Remote Access, Suspect Domain Activity, Hidden HTTPS Tunnel).
Lateral Movement. May 13 - July 30: Attackers used hidden tunnels to bypass firewalls, analyzing and cracking one database after the next while stockpiling data on the company's own storage systems (Suspicious Admin).
Exfiltration. The trove of data the attackers collected was so large it had to be broken up into smaller pieces to avoid being flagged as anomalous behavior (Data Smuggler, Hidden HTTPS Tunnel).
*Sources:
"Global Security from Equifax," Coppin University, https://www.coppin.edu/download/downloads/id/1405/the_work_number_-_security_overview_brochure.pdf
Chicago Tribune, http://www.chicagotribune.com/business/ct-equifax-hack-state-sponsored-pros-20171002-story.html
The Wall Street Journal, https://www.wsj.com/articles/hackers-entered-equifax-systems-in-march-1505943617
Risk Based Security, https://www.riskbasedsecurity.com/2017/09/equifax-breach-updated-timeline-phishing-regulation-and-a-roundup/
Analysis of the financial industry for six months after the Equifax breach
The information in this spotlight report is based on observations and data from the RSA Conference Edition of the Attacker Behavior Industry Report from Vectra®. The report reveals attacker behaviors and trends in networks from 246 opt-in customers in financial services and 13 other industries.
From August 2017 through January 2018, the Cognito™ cyberattack-detection and threat-hunting platform from Vectra monitored network traffic and collected rich metadata from more than 4.5 million devices and workloads from customer cloud, data center and enterprise environments.
The analysis of this metadata provides a better understanding of attacker behaviors and trends as well as business risks, enabling Vectra customers to avoid catastrophic data breaches.
Vectra found the same types of attacker behaviors across the financial services industry as those that led to the Equifax breach.
Every industry has a profile of network and user behaviors that relate to specific business models, applications and users. Through careful observation, attackers can mimic and blend in with these behaviors, making them difficult to expose.
What stood out the most, shown in Figure 1, is the presence of hidden tunnels, which attackers use to get into networks that have strong access controls. Hidden tunnels also enable attackers to sneak out of networks with stolen data, undetected.
Figure 1: Financial industry attacker behaviors per 10,000 devices
Command and control: External Remote Access 56; Suspect Domain 86; C&C Hidden HTTPS Tunnel 23
Reconnaissance: Port Sweep 139; Internal Darknet Scan 74; Port Scan 52
Lateral movement: Suspicious Admin 27
Data exfiltration: Data Smuggler 47; Hidden HTTPS Tunnel Exfiltration 5
With the rise of web applications, the use of SSL/TLS encryption
has become widespread. Today, HTTPS traffic is the norm and
HTTP traffic is the exception. Certificate pinning is also widely
used to prevent network security systems from performing
man-in-the-middle decryption to inspect packets for threats.
The high volume of traffic from web-based enterprise applications
creates a perfect opportunity to hide command-and-control,
data exfiltration and other attacker communications from network
security tools.
While many attackers use SSL/TLS, the most adept attackers will
also create their own encryption schemes. Custom encryption
is especially difficult to detect, because the protocol might be
unidentifiable and use any available port.
Hidden command-and-control tunnels
Compared to the combined industry average, there are fewer
overall command-and-control behaviors in financial services,
as shown in Figure 2. Suspicious HTTP command-and-control
communications are significantly lower in financial services.
However, Vectra Cognito detected significantly more hidden
tunnels per 10,000 devices in financial services than all other
industries combined.
For every 10,000 devices across all industries, 11 hidden HTTPS
tunnels were detected. But in financial services, that number more
than doubled to 23. Hidden HTTP tunnels jumped from seven per
10,000 devices to 16 in financial services.
Hidden tunnels are difficult to detect because the communications are concealed within multiple connections that use normal, commonly allowed protocols. For example, communications can be embedded as text in HTTP GET requests, as well as in headers, cookies and other fields. The requests and responses are hidden among ordinary messages within the allowed protocol.
Figure 2: Command-and-control communications per 10,000 devices (combined industry average vs. financial services). Behaviors charted: Malware Update, Suspect Domain, C&C Hidden DNS Tunnel, C&C Hidden HTTP Tunnel, C&C Hidden HTTPS Tunnel, Suspicious HTTP, Peer-to-Peer, Pulling Instructions, External Remote Access, Stealth HTTP Post, TOR Connection Relay. Values given in the text: hidden HTTPS tunnels 11 vs. 23; hidden HTTP tunnels 7 vs. 16.
Hidden data-exfiltration tunnels
Once attackers locate key assets to steal, the focus shifts to
accumulating those assets and smuggling them out. In this exfiltration
phase, attackers control the transmission of large data flows from the
network and into the wild.
As shown in Figure 3, Vectra Cognito detected more than twice as many hidden tunnels per 10,000 devices in financial services as in all other industries combined.
For every 10,000 devices across all industries, two hidden HTTPS
tunnels were detected. But in financial services, that number more than
doubled to five. Hidden HTTP tunnels doubled from two per 10,000
devices to four in financial services.
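The report twice describes the same exfiltration pattern: a trove broken into small pieces so that no single transfer trips a data-loss prevention rule (the anatomy page's "Data Smuggler" phase, and the exfiltration tunnels described above, with Figure 3's "Smash and Grab" as the opposite case). The following added example, which is not Vectra's code or algorithm, shows why a per-transfer threshold alone misses the chunked pattern and how a per-destination aggregate over a time window catches it. The record format, IP addresses, 5 MiB and 20 MiB limits, 24-hour window and chunk count are all assumptions chosen for illustration.

```python
"""Two exfiltration patterns over constructed outbound-transfer records.

Added example, not Vectra's code. The record format, addresses, DLP
threshold and window are assumptions made for illustration.
"""
from collections import defaultdict, deque

MIB = 1024 * 1024
# Hypothetical per-transfer DLP rule: anything larger than this alerts on its own.
SINGLE_TRANSFER_LIMIT = 5 * MIB
# Hypothetical aggregate rule: many sub-threshold transfers to one destination
# that together exceed this within the window are treated as smuggling.
WINDOW_SECONDS = 24 * 3600
AGGREGATE_LIMIT = 20 * MIB
MIN_CHUNKS = 10

# Constructed record format: "<epoch> <src_ip> <dst> <bytes_out>"


def parse_transfer(line):
    ts, src, dst, nbytes = line.split()
    return int(ts), src, dst, int(nbytes)


def classify_transfers(lines):
    """Return {(src, dst): {"verdict", "chunks", "bytes"}} for flagged host pairs."""
    records = sorted(parse_transfer(line) for line in lines if line.strip())
    windows = defaultdict(deque)  # (src, dst) -> recent (ts, bytes) inside the window
    verdicts = {}
    for ts, src, dst, nbytes in records:
        pair = (src, dst)
        if nbytes > SINGLE_TRANSFER_LIMIT:
            # One large transfer: the per-transfer rule catches it ("smash and grab").
            verdicts[pair] = {"verdict": "smash-and-grab", "chunks": 1, "bytes": nbytes}
            continue
        window = windows[pair]
        window.append((ts, nbytes))
        while ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        total = sum(b for _, b in window)
        # Many small transfers that each stay under the per-transfer limit but
        # add up past the aggregate limit: the chunked pattern in the report.
        if len(window) >= MIN_CHUNKS and total >= AGGREGATE_LIMIT:
            if verdicts.get(pair, {}).get("verdict") != "smash-and-grab":
                verdicts[pair] = {"verdict": "data-smuggler",
                                  "chunks": len(window), "bytes": total}
    return verdicts


def build_sample_transfers():
    """Constructed records: one smuggler, one smash-and-grab, two benign patterns."""
    lines = []
    # Smuggler: 24 chunks of 1 MiB, one every 20 minutes (each far below 5 MiB).
    for i in range(24):
        lines.append(f"{100000 + 1200 * i} 10.2.0.14 203.0.113.9 {1 * MIB}")
    # Smash and grab: a single 80 MiB upload.
    lines.append(f"105000 10.2.0.31 198.51.100.7 {80 * MIB}")
    # Benign nightly sync: 4 uploads of 4 MiB (16 MiB total, few transfers).
    for i in range(4):
        lines.append(f"{110000 + 600 * i} 10.2.0.50 203.0.113.40 {4 * MIB}")
    # Benign chatter: 30 small web posts of 20 KiB (many transfers, tiny total).
    for i in range(30):
        lines.append(f"{120000 + 60 * i} 10.2.0.50 www.example.org {20 * 1024}")
    return lines


if __name__ == "__main__":
    for pair, finding in classify_transfers(build_sample_transfers()).items():
        print(pair, finding["verdict"], finding["chunks"], "chunks,",
              finding["bytes"] // MIB, "MiB")
```

The aggregate rule needs both a minimum chunk count and a byte total: the count alone would flag ordinary chatty web traffic, and the total alone would flag a legitimate nightly sync. In practice the per-destination baseline should come from observed history rather than fixed constants, which is the gap the report's "Good vs. bad tunnels" section is pointing at.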
Good vs. bad tunnels
In many cases, hidden tunnels are applications used for legitimate
purposes, like stock ticker feeds, internal financial management
services, third-party financial analytics tools and other cloud-based
financial applications.
These legitimate applications use hidden tunnels to circumvent security
controls that would otherwise limit their ability to function. This is the
same reason attackers use hidden tunnels, which were employed in
the Equifax data breach.
Figure 3: Data exfiltration per 10,000 devices (combined industry average vs. financial services). Behaviors charted: Hidden HTTP Tunnel Exit, Hidden HTTPS Tunnel Exit, Smash and Grab, Data Smuggler. Values given in the text: hidden HTTPS tunnels 2 vs. 5; hidden HTTP tunnels 2 vs. 4.
Conclusion
Financial services showed higher than normal rates of hidden tunnels,
which are nearly impossible to detect using signatures, reputation lists,
sandboxes and anomaly detection systems.
Because hidden tunnels carry traffic from legitimate financial services
applications, anomaly detection systems struggle to discern normal
traffic from attacker communications that are concealed among them.
To find these advanced hidden threats, Vectra has created highly
sophisticated mathematical algorithms to identify hidden tunnels within
HTTP, HTTPS and DNS traffic. Although the traffic appears to be
normal, there are subtle abnormalities, such as slight delays or unusual
patterns in requests and responses that indicate the presence of
covert communications.
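The page describes two observable traits of a hidden tunnel: data carried as text in HTTP GET requests, headers and cookies (the hidden command-and-control section), and subtle timing abnormalities in otherwise normal-looking requests (the paragraph above). The following added example, which is not Vectra's code or its algorithms, scores constructed proxy log lines per source/destination pair on both traits and then applies a hypothetical allowlist so that a sanctioned tunnel-like application (the stock ticker feed of the "Good vs. bad tunnels" section) is reported as sanctioned rather than suspect. The log format, host names, thresholds and allowlist are all assumptions.

```python
"""Hidden-tunnel indicators over constructed HTTP proxy log lines.

Added example, not Vectra's code. Log format, hosts, thresholds and the
allowlist are all assumptions made for illustration.
"""
import base64
import hashlib
import math
import statistics
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Hypothetical allowlist: destinations of sanctioned tunnel-like applications
# (the "good tunnels", such as a stock ticker feed). Constructed name.
SANCTIONED = {"ticker.feed.invalid"}

# Constructed log line format:
#   <epoch> <src_ip> <dst_host> <method> <url> <cookie or -> <bytes_out> <bytes_in>


def shannon_entropy(text):
    """Bits per character; random-looking encoded data scores high."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    ts, src, dst, method, url, cookie, b_out, b_in = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "method": method,
            "url": url, "cookie": None if cookie == "-" else cookie,
            "bytes_out": int(b_out), "bytes_in": int(b_in)}


def carried_values(rec):
    """Free-form fields a tunnel can carry data in: query values and cookie values."""
    values = [v for _, v in parse_qsl(urlsplit(rec["url"]).query)]
    if rec["cookie"]:
        values += [kv.split("=", 1)[1] for kv in rec["cookie"].split(";") if "=" in kv]
    return values


def score_sessions(lines, min_requests=8, max_interval_cv=0.1,
                   min_entropy=4.0, min_distinct_ratio=0.9):
    """Group requests by (src, dst) and report pairs showing tunnel indicators."""
    by_pair = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            by_pair[(rec["src"], rec["dst"])].append(rec)
    findings = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        # Signal 1: machine-regular timing. Beacons keep a near-constant interval;
        # human browsing and most applications have a high coefficient of variation.
        gaps = [b["ts"] - a["ts"] for a, b in zip(recs, recs[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap > 0:
            cv = statistics.pstdev(gaps) / mean_gap
            if cv < max_interval_cv:
                reasons.append(f"beacon-like timing (interval CV {cv:.2f})")
        # Signal 2: high-entropy field values that change on nearly every request.
        # A fixed session cookie is high-entropy but constant, so it is not flagged.
        values = [v for r in recs for v in carried_values(r)]
        if values:
            entropy = statistics.mean(shannon_entropy(v) for v in values)
            distinct = len(set(values)) / len(values)
            if entropy > min_entropy and distinct > min_distinct_ratio:
                reasons.append(f"changing high-entropy field values ({entropy:.1f} bits/char)")
        if reasons:
            verdict = "sanctioned" if pair[1] in SANCTIONED else "suspect"
            findings[pair] = {"verdict": verdict, "reasons": reasons}
    return findings


def _token(i):
    """Deterministic stand-in for an encoded data chunk (constructed)."""
    digest = hashlib.sha256(f"chunk-{i}".encode()).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def build_sample_log():
    """Constructed proxy log: one legitimate, one sanctioned and one suspect session."""
    lines = []
    t = 1000
    # Irregular intranet browsing with a fixed session cookie.
    for gap in [0, 5, 40, 12, 90, 3, 25, 60, 8, 15]:
        t += gap
        lines.append(f"{t} 10.1.4.20 intranet.corp.invalid GET /report?dept=sales sid=Zm94Y2F0c3M 300 5200")
    # Sanctioned stock ticker polling every 30 seconds.
    for i in range(10):
        lines.append(f"{2000 + 30 * i} 10.1.4.20 ticker.feed.invalid GET /quotes?sym=ACME - 120 4100")
    # Suspect session: regular interval, cookie value different on every request.
    t = 3000
    for i, gap in enumerate([0, 60, 61, 59, 60, 62, 58, 60, 61, 59, 60, 60]):
        t += gap
        lines.append(f"{t} 10.1.4.99 cdn-assets.unknown.invalid GET /ping s={_token(i)} 500 180")
    return lines


if __name__ == "__main__":
    for pair, finding in score_sessions(build_sample_log()).items():
        print(pair, finding["verdict"], "; ".join(finding["reasons"]))
```

Neither signal is conclusive on its own: the ticker feed polls on a fixed interval and is only separated from the suspect session by the allowlist, and a high-entropy session cookie is normal unless its value changes from one request to the next. That is the reason the example requires changing values, not merely random-looking ones, before it counts a field as a possible carrier.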
To learn more about other cyberattacker behaviors seen in
real-world cloud, data center and enterprise environments, get the
2018 RSA Conference Edition of the Attacker Behavior Industry Report
from Vectra.
© 2018 Vectra Networks, Inc. All rights reserved. Vectra, the Vectra Networks logo and Security that thinks are registered trademarks and Cognito, Cognito Detect, Cognito Recall, the Vectra Threat Labs and the Threat Certainty Index are trademarks of Vectra Networks. Other brand, product and service names are trademarks, registered trademarks or service marks of their respective holders.
Email [email protected] Phone +1 408-326-2020 vectra.ai