Why did detection of the Equifax and Deloitte attacks take months?

As you may already know, Equifax (one of the credit reporting bureaus) was recently breached, leaking the data of 143 million Americans, that is about half the population of the United States, plus customers in other countries as well. It is of course premature to draw conclusions about whose fault it is, but we are all aware by now that their systems were compromised at least five months before any evidence was made clear. This means attack detection took months!

In another case, as The Guardian disclosed recently, Deloitte, one of the world’s “big four” accounting firms, has likewise acknowledged a breach of its internal email systems. The breach affected all admin email accounts!

“The Guardian understands Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to their systems since October or November 2016,” stated Nick Hopkins in his post. That is roughly six months of unhurried operations for the hackers to relish in Deloitte's systems; yet again, this means attack detection took months! Given that the latest reports and research show that time to compromise is counted in minutes and time to get hands on valuable data (exfiltration) is counted in days, it makes me cringe!

 

Time to compromise and exfiltration. Source: Verizon Enterprise DBIR 2016

 

Here is the question now: why on earth are big firms like Equifax and Deloitte not detecting attacks for months? This could be a tricky question to answer, since we must take several parameters into account.

I am not going to cover the operations, technologies and people that a given organization should maintain in order to be considered secure and reliable. Instead, I will try to describe some of the most likely key points of failure that I have encountered in my experience in the domain.

Failed architecture

In a lot of cases, application and network infrastructure is not optimised to be monitored and audited using the standards-compliant tools on the market. I have dealt with many situations where a deep change or a complete redesign of the enterprise applications or network infrastructure was necessary for an IDS to work and cover the scope properly. The reason is that networks and applications are sometimes not designed and developed with security in mind. With the multiplying number of threats and the hungry eyes on your organization’s data, it is clearly worth investing in a complete redesign of a given system if that is required for security purposes, and specifically for detecting potential attacks.

Lack of context

In my recent post on IoCs, I concluded with a reminder to always contextualize the information that a security analyst encounters in day-to-day analysis of current threats or risk assessment compliance checks. A threat analyst can easily be submerged by the increasing volume of information from flows and events, which makes it extremely difficult to separate the significant threats from the false ones and, ultimately, to avoid delayed attack detection. Context is key to making use of information security events: correlate different data sources and automate as much of the pre-analysis as possible in order to improve the security professional's performance.

A Human factor

The core reason incident detection teams may fail to effectively combat complex attack operations is not a lack of human skills, as many high-profile people may think. The reality is that the human factor is just a single link in the complex chain of incident detection and response. A relatively complex environment can produce tons of information and events that, if not correlated properly via sophisticated tools and processes, represent a nightmare for the security analyst rather than a reliable source of threat detection. Spending the whole day trying to figure out how to collect, enrich and correlate isolated events, flows and security intelligence information in order to make a decision is, in a lot of cases, just not achievable for a human being.
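To make the "collect, enrich and correlate" step from this section and from "Lack of context" concrete, here is an added example (not from the original post or any product) that ranks IDS alerts by combining them with an asset inventory, authentication events and outbound flows. All hosts, events, score weights and the transfer threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# All data below is constructed for illustration; hosts, names and values are hypothetical.
ASSETS = {  # asset inventory: host -> business context
    "10.0.1.5": {"name": "mail-admin", "critical": True},
    "10.0.9.77": {"name": "lab-printer", "critical": False},
}
IDS_ALERTS = [  # (time, host, signature)
    ("2017-03-01T02:10:00", "10.0.1.5", "suspicious-login-pattern"),
    ("2017-03-01T02:11:00", "10.0.9.77", "suspicious-login-pattern"),
    ("2017-03-01T09:00:00", "10.0.1.5", "port-scan"),
]
AUTH_EVENTS = [  # (time, host, result)
    ("2017-03-01T02:12:30", "10.0.1.5", "success"),
    ("2017-03-01T02:13:00", "10.0.9.77", "failure"),
]
FLOWS = [  # (time, host, bytes sent out of the network)
    ("2017-03-01T02:40:00", "10.0.1.5", 750_000_000),
]
BULK_BYTES = 100_000_000  # assumed threshold for a "large" outbound transfer


def following(events, host, when, window):
    """Events on the same host that occur within `window` after `when`."""
    return [e for e in events if e[1] == host
            and timedelta(0) <= datetime.fromisoformat(e[0]) - when <= window]


def triage(alerts, window=timedelta(hours=1)):
    """Enrich each alert with asset, auth and flow context; rank by score."""
    ranked = []
    for stamp, host, signature in alerts:
        when = datetime.fromisoformat(stamp)
        asset = ASSETS.get(host, {"name": "unknown", "critical": False})
        score, reasons = 1, []
        if asset["critical"]:
            score, reasons = score + 2, reasons + ["critical asset"]
        if any(e[2] == "success" for e in following(AUTH_EVENTS, host, when, window)):
            score, reasons = score + 3, reasons + ["successful login after alert"]
        if any(e[2] >= BULK_BYTES for e in following(FLOWS, host, when, window)):
            score, reasons = score + 3, reasons + ["large outbound transfer after alert"]
        ranked.append({"asset": asset["name"], "signature": signature,
                       "score": score, "reasons": reasons})
    return sorted(ranked, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for alert in triage(IDS_ALERTS):
        print(alert)
```

The same signature fires on two hosts, but only the one on the critical mail server that is followed by a successful login and a bulk transfer rises to the top; the isolated alerts stay at the bottom of the queue.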

Simply no incident detection and response plan?

Unfortunately, a lot of small to medium sized organizations still have no idea how to set up a real security incident and remediation plan. In some extreme cases, they don’t even know why it is crucial to have one. A well-defined incident detection and response plan will aid in quickly and effectively addressing a data breach when it does occur. Identifying personnel inside the organization, or external experts, who can help deal with day-to-day security threats is key even for the smallest companies as soon as there are important data or assets to protect.

 

Breach discovery methods over time. Source: Verizon Enterprise DBIR 2016

 

A more structured and practical way for small to medium sized organizations to handle this question is to rely on external expertise to get the job done, as recent reports show that more and more breach discoveries are made by third parties (see figure above). However, defining an end-to-end strategy for incident management, going from detection processes to response and remediation plans, is likewise a requirement that all types of organizations must meet to ensure efficient operations for their security teams, if they have any!

 
