
Could an Equifax-sized data breach happen again? 2018 Spotlight Report

I am artificial intelligence.

The driving force behind the hunt for cyberattackers.

I am Cognito.

Vectra | Could an Equifax-sized data breach happen again? | 2

TABLE OF CONTENTS

Anatomy of a cyberattack
Analysis of the financial industry for six months after the Equifax breach
Hidden data-exfiltration tunnels
Good vs. bad tunnels
Conclusion


Financial services organizations have the largest non-government cybersecurity budgets in the world. Bank of America invested over $600 million in cybersecurity annually and declared it has an unlimited budget to fight cyberattacks. JPMorgan Chase spends $500 million annually on cybersecurity.

Although smaller in stature than these two banking powerhouses, Equifax, which suffered a massive breach in 2017, has a substantial cybersecurity budget of $85 million annually. That’s 12% of its total IT spend.

According to Homeland Security Research Corp., the 2015 U.S. financial services cybersecurity market reached $9.5 billion, making it the largest in the private sector. If money could buy security, these would be the safest places in the world.

All this points to one painful fact: the largest enterprise organizations in the world remain lucrative targets for sophisticated cyberattackers. Security breaches across multiple industries continue on an upward trajectory, and the financial services industry is no exception.

While financial services firms don’t experience the same volume of breaches as other industries, the ones that do happen have caused exponential damage along with far-reaching consequences and public scrutiny. Despite monumental efforts to fortify security infrastructure, cyberattacks and breaches still occur.

For example, Equifax had the budget, manpower and a sophisticated security operations center. Nonetheless, 145.5 million Social Security numbers, around 17.6 million driver’s license numbers, 20.3 million phone numbers, and 1.8 million email addresses were stolen.

How could this happen? Could a breach of this magnitude occur at other financial services firms?

Figure: Number of data breaches in the United States from 2014 to 2017, by industry (Business, Medical/Healthcare, Banking/Credit/Finance, Educational, Government/Military). Only the Business series (258, 312, 495, 870) and the Medical/Healthcare series (333, 277, 376, 374) for 2014 to 2017 survived the extraction cleanly; the values for the other three industries are not recoverable.

Sources: Identity Theft Resource Center; CyberScout; © Statista 2018. Additional information: United States; Identity Theft Resource Center; CyberScout; 2014 to 2017.


Anatomy of a cyberattack*

On an average day in 2017, the Equifax Cyber Threat Center captured 2.5 billion logs, monitored more than 50,000 cybersecurity events per second, received over 43,000 security device health checks, analyzed over 250 internet domains, and queried over 2,200 cyber-intel forums. Despite this effort, the breach that occurred in 2017 went undetected for 78 days.

The initial infection that led to the Equifax breach occurred when the cyberattacker exploited a web server to gain access to the company’s network. Although vulnerabilities are commonplace on any network, the actions and behaviors of the attackers are of greater interest.

The attackers avoided using certain hacking tools that would expose them to the Equifax security operations team. However, one of the tools the attackers did use enabled them to build hidden command-and-control tunnels into Equifax.

Eventually, the intruders installed more than 30 web shells, each with a different web address, which created multiple hidden tunnels. If one was discovered, the others could continue to operate. This attack phase is known as command-and-control.

Once inside the network, the attackers had time to customize their hacking tools to efficiently exploit Equifax software and query and analyze dozens of databases to determine which ones held the most valuable data. This attack phase is called reconnaissance.

The attackers used special tunneling tools to evade firewalls, analyzing and cracking one database after another while stockpiling data in the company’s own storage systems. This attack phase is known as lateral movement.

The attackers collected a trove of data so large that it had to be broken up into small stockpiles to avoid tripping anomaly detection and data-loss prevention systems. Once this was done, attackers left with the data. This attack phase is called data exfiltration.

Attack timeline (the detection names in parentheses are those shown in Figure 1):

Infection. March 10: Attackers exploit a vulnerability in the Apache Struts Web Framework to gain root access to the online dispute web application.

Reconnaissance. Attackers customize tools to efficiently exploit Equifax’s software, and to query and analyze dozens of databases to decide which held the most valuable data (Port Sweep, Port Scan, Internal Darknet Scan, Kerberos Account Scan).

Command & Control. Attackers set up about 30 web shells that were accessed from around 35 distinct public IP addresses – China Chopper (External Remote Access, Suspect Domain Activity, Hidden HTTPS Tunnel).

Lateral Movement. May 13 - July 30: Attackers used hidden tunnels to bypass firewalls, analyzing and cracking one database after the next while stockpiling data on the company’s own storage systems (Suspicious Admin).

Exfiltration. The trove of data the attackers collected was so large it had to be broken up into smaller pieces to avoid being flagged as anomalous behavior (Data Smuggler, Hidden HTTPS Tunnel).

*Sources:
“Global Security from Equifax,” Coppin University, https://www.coppin.edu/download/downloads/id/1405/the_work_number_-_security_overview_brochure.pdf
Chicago Tribune, http://www.chicagotribune.com/business/ct-equifax-hack-state-sponsored-pros-20171002-story.html
The Wall Street Journal, https://www.wsj.com/articles/hackers-entered-equifax-systems-in-march-1505943617
Risk Based Security, https://www.riskbasedsecurity.com/2017/09/equifax-breach-updated-timeline-phishing-regulation-and-a-roundup/


Analysis of the financial industry for six months after the Equifax breach

The information in this spotlight report is based on observations and data from the RSA Conference Edition of the Attacker Behavior Industry Report from Vectra®. The report reveals attacker behaviors and trends in networks from 246 opt-in customers in financial services and 13 other industries.

From August 2017 through January 2018, the Cognito™ cyberattack-detection and threat-hunting platform from Vectra monitored network traffic and collected rich metadata from more than 4.5 million devices and workloads from customer cloud, data center and enterprise environments.

The analysis of this metadata provides a better understanding of attacker behaviors and trends as well as business risks, enabling Vectra customers to avoid catastrophic data breaches.

Vectra found the same type of attacker behaviors across the financial services industry as those that led to the Equifax breach.

Every industry has a profile of network and user behaviors that relate to specific business models, applications and users. Through careful observation, attackers can mimic and blend in with these behaviors, making them difficult to expose.

What stood out the most, shown in Figure 1, is the presence of hidden tunnels, which attackers use to get into networks that have strong access controls. Hidden tunnels also enable attackers to sneak out of networks with stolen data, undetected.

Figure 1: Financial industry attacker behaviors per 10,000 devices

Command and Control: External Remote Access 56; Suspect Domain 86; C&C Hidden HTTPS Tunnel 23
Reconnaissance: Port Sweep 139; Internal Darknet Scan 74; Port Scan 52
Lateral Movement: Suspicious Admin 27
Data Exfiltration: Data Smuggler 47; Hidden HTTPS Tunnel Exfiltration 5


With the rise of web applications, the use of SSL/TLS encryption has become widespread. Today, HTTPS traffic is the norm and HTTP traffic is the exception. Certificate pinning is also widely used to prevent network security systems from performing man-in-the-middle decryption to inspect packets for threats.

The high volume of traffic from web-based enterprise applications creates a perfect opportunity to hide command-and-control, data exfiltration and other attacker communications from network security tools.

While many attackers use SSL/TLS, the most adept attackers will also create their own encryption schemes. Custom encryption is especially difficult to detect, because the protocol might be unidentifiable and use any available port.

Hidden command-and-control tunnels

Compared to the combined industry average, there are fewer overall command-and-control behaviors in financial services, as shown in Figure 2. Suspicious HTTP command-and-control communications are significantly lower in financial services. However, Vectra Cognito detected significantly more hidden tunnels per 10,000 devices in financial services than in all other industries combined.

For every 10,000 devices across all industries, 11 hidden HTTPS tunnels were detected. But in financial services, that number more than doubled to 23. Hidden HTTP tunnels jumped from seven per 10,000 devices to 16 in financial services.

Hidden tunnels are difficult to detect because communications are concealed within multiple connections that use normal, commonly allowed protocols. For example, communications can be embedded as text in HTTP GET requests, as well as in headers, cookies and other fields. The requests and responses are hidden among messages within the allowed protocol.

Figure 2: Command-and-control communications per 10,000 devices (bar chart, combined industry average vs. financial services, for Malware Update, Suspect Domain, C&C Hidden DNS Tunnel, C&C Hidden HTTP Tunnel, C&C Hidden HTTPS Tunnel, Suspicious HTTP, Peer-to-Peer, Pulling Instructions, External Remote Access, Stealth HTTP Post, TOR and Connection Relay; the individual bar values were not recoverable from the extraction)


Hidden data-exfiltration tunnels

Once attackers locate key assets to steal, the focus shifts to accumulating those assets and smuggling them out. In this exfiltration phase, attackers control the transmission of large data flows from the network and into the wild.

As shown in Figure 3, Vectra Cognito detected more than twice as many hidden tunnels per 10,000 devices in financial services as in all other industries combined.

For every 10,000 devices across all industries, two hidden HTTPS tunnels were detected. But in financial services, that number more than doubled to five. Hidden HTTP tunnels doubled from two per 10,000 devices to four in financial services.

Good vs. bad tunnels

In many cases, hidden tunnels are applications used for legitimate purposes, like stock ticker feeds, internal financial management services, third-party financial analytics tools and other cloud-based financial applications.

These legitimate applications use hidden tunnels to circumvent security controls that would otherwise limit their ability to function. This is the same reason attackers use hidden tunnels, which were employed in the Equifax data breach.

Figure 3: Data exfiltration per 10,000 devices (bar chart, combined industry average vs. financial services, for Hidden HTTP Tunnel Exit, Hidden HTTPS Tunnel Exit, Smash and Grab and Data Smuggler; the individual bar values were not recoverable from the extraction)


Conclusion

Financial services showed higher than normal rates of hidden tunnels, which are nearly impossible to detect using signatures, reputation lists, sandboxes and anomaly detection systems.

Because hidden tunnels carry traffic from legitimate financial services applications, anomaly detection systems struggle to discern normal traffic from attacker communications that are concealed among them.

To find these advanced hidden threats, Vectra has created highly sophisticated mathematical algorithms to identify hidden tunnels within HTTP, HTTPS and DNS traffic. Although the traffic appears to be normal, there are subtle abnormalities, such as slight delays or unusual patterns in requests and responses, that indicate the presence of covert communications.
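As an added example (not the report's own code and not Vectra's algorithms), the two kinds of signal this report describes, request timing and payload-like content in GET query strings and cookies (see the hidden command-and-control tunnels section), applied to constructed proxy log lines. The host names, addresses, field values and thresholds are assumptions made for the example; the ticker session shows why timing regularity alone cannot separate a legitimate feed from a tunnel.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import parse_qsl, urlsplit

# Constructed proxy log (not from the report): "epoch src dst method path cookie".
# 10.0.0.5 polls a ticker feed; 10.0.0.9 sends fresh high-entropy values every 30 s.
SAMPLE_LOG = """\
1000.0 10.0.0.5 ticker.example.net GET /quote?sym=ACME&interval=1m session=abc123
1060.0 10.0.0.5 ticker.example.net GET /quote?sym=ACME&interval=1m session=abc123
1121.0 10.0.0.5 ticker.example.net GET /quote?sym=WIDG&interval=5m session=abc123
1183.0 10.0.0.5 ticker.example.net GET /quote?sym=ACME&interval=1m session=abc123
2000.0 10.0.0.9 cdn-assets.example.org GET /img?id=a9F2kQz8LwE3 cid=Z1x9Qm4vB7nL0pR2sT5wY8a
2030.1 10.0.0.9 cdn-assets.example.org GET /img?id=Q8mW2bXz0Lk1 cid=H3jK7dN1qP6sF0vC9xM4eA
2060.0 10.0.0.9 cdn-assets.example.org GET /img?id=t5R1nV8cJ2yB cid=U2gL5oE8wT3iR7zK1nD6bQ
2089.9 10.0.0.9 cdn-assets.example.org GET /img?id=M0pS6fH9aZ4x cid=X4cV7bN2mQ9wE1rT6yU3iO
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score high, plain words score low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def field_values(path, cookie):
    """Values carried in the query string and the cookie of one request."""
    query = [v for _, v in parse_qsl(urlsplit(path).query)]
    return query + [kv.split("=", 1)[1] for kv in cookie.split(";") if "=" in kv]

def session_features(log_text):
    """Per (src, dst): request count, timing regularity, value entropy, value novelty."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, _method, path, cookie = line.split(maxsplit=5)
        sessions[(src, dst)].append((float(ts), field_values(path, cookie)))
    feats = {}
    for key, reqs in sessions.items():
        times = sorted(t for t, _ in reqs)
        gaps = [b - a for a, b in zip(times, times[1:])]   # inter-request intervals
        values = [v for _, vals in reqs for v in vals]
        feats[key] = {"count": len(reqs),
                      # coefficient of variation near 0 means clockwork beaconing
                      "gap_cv": pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else 1.0,
                      "mean_entropy": mean(map(shannon_entropy, values)) if values else 0.0,
                      # share of distinct field values: a tunnel carries new data each request
                      "novelty": len(set(values)) / len(values) if values else 0.0}
    return feats

def suspected_tunnels(log_text, min_requests=4):
    """Flag sessions that beacon regularly AND carry fresh high-entropy field values.
    Regular timing alone is not enough: the ticker feed polls just as regularly."""
    return sorted(k for k, f in session_features(log_text).items()
                  if f["count"] >= min_requests and f["gap_cv"] < 0.2
                  and f["mean_entropy"] > 3.0 and f["novelty"] > 0.8)
```

The thresholds are illustrative; in practice they would be tuned per environment and the legitimate tunnelling applications named in the report would be allow-listed by destination.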

To learn more about other cyberattacker behaviors seen in real-world cloud, data center and enterprise environments, get the 2018 RSA Conference Edition of the Attacker Behavior Industry Report from Vectra.

© 2018 Vectra Networks, Inc. All rights reserved. Vectra, the Vectra Networks logo and Security that thinks are registered trademarks and Cognito, Cognito Detect, Cognito Recall, the Vectra Threat Labs and the Threat Certainty Index are trademarks of Vectra Networks. Other brand, product and service names are trademarks, registered trademarks or service marks of their respective holders.

Email [email protected] Phone +1 408-326-2020 vectra.ai
