Equifax Breach: Database Insider Threats From Third-Party Software
The recent and massive database breach at Equifax serves to highlight the insider threat that database systems face today. But you say, “The Equifax database attack was perpetrated by external hackers, not internal personnel.” While that’s true, it is also true that once the Equifax database attackers circumvented the corporate firewalls and breached the application, they were able to masquerade as legitimate and authorized insiders. To identify an attack of that nature requires tools that detect insider threats. To better understand all of this, let’s walk through the Equifax database attack chain.
According to Equifax, the database attackers exploited a vulnerability in the third-party Apache Struts software they were running and had failed to patch with an available security update. Specifically, the vulnerability is CVE-2017-5638, and a patch had been available to Equifax for nearly two months prior to the attack, yet for some unexplained reason Equifax never installed it.
Apache Struts is a very popular third-party web application software package that Equifax uses, as do 65 of the Fortune 100 companies. Through the vulnerability the attackers were able to submit operating system commands directly to the server. At that point the attacker, for all intents and purposes, appeared as a legitimate and authorized insider – a trusted administrator with all of the privileges assigned to the application. As an aside, we have a textbook example here as to why it’s good security hygiene to restrict the privileges of users and applications to the absolute minimum. A least privilege policy limits the potential damage in the event the database credentials are compromised.
Because applications and their connected databases have a trust relationship, once the application was hacked, the database offered the attacker access to all database records the application was authorized to access. This enabled the attackers to dump the entire database of personal information on 143 million individuals including names, Social Security numbers, birth dates, addresses and even driver's license numbers. In addition, this database attack compromised 209,000 credit card numbers. The stolen data is the type of information necessary for criminals to perpetrate identity theft and credit fraud. This trove of personal information also has a very long shelf life and could easily end up being sold repeatedly for large sums of money on the dark web.
Organizations that lack the proper security tools designed to continuously monitor and detect anomalous behavior find database insider threats nearly impossible to detect. As a result, attack dwell times can be lengthy and data losses extensive. In the case of Equifax, the database attack spanned from May until July 2017 without detection. Obviously that’s more than ample time to exfiltrate 143 million records. Had the database attack been identified immediately, there would have been little or possibly no loss of data.
Modern database insider threat detection is accomplished through a combination of User Behavior Analytics and machine learning. UBA is a cybersecurity process deployed to detect insider threats, compromised credentials, advanced persistent threats and fraud. In this regard, UBA seeks to identify likely threats by examining patterns of machine and human behavior and pinpointing anomalies that deviate from the established norm. DB Networks, as an example, generates database UBA from deep protocol inspection and statistical analysis of activities occurring within the database infrastructure. Machine learning is then applied to the database UBA to immediately identify database insider threats of the sort Equifax fell victim to. Further, when database UBA is integrated with an organization's traditional UBA tools, the result is a full-spectrum view of user activity that often proves to be extremely insightful.
Organizations need to implement best security practices and keep all of their third-party software up to date with the latest security patches. Attacks nowadays are highly automated, and hackers will quickly locate any exposed unpatched software and exploit it. Financial institutions are an enormous target that hackers continuously probe for known vulnerabilities in their third-party software.
It’s also important to apply firewall rules to act as a virtual patch to block the attack signatures of those seeking to exploit a known vulnerability. This will also provide interesting metrics that indicate when, where and how often attackers are testing your systems for a specific vulnerability.
Finally, deploying database UBA provides a defense against insider threats and also identifies attacks that exploit zero-day vulnerabilities for which no patch is available. A zero-day vulnerability may be known to the hackers but not yet known to the third-party software developers who are responsible for creating the security patches. Database UBA can identify exploitation of both unpatched and zero-day vulnerabilities because the resulting database activity deviates from the model of normal activity, and an alert is raised.
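To make the database UBA idea from the paragraphs above concrete, here is an added example; it is not DB Networks' product code and not anything from Equifax. It is a toy baseline-and-deviation detector over a constructed database query log: it learns the statement shapes and typical result sizes an application account normally produces, then flags a never-seen bulk read, an oversized result for a known query shape, and activity from an account that was never profiled. The log format, the literal-stripping fingerprint rules, the account names and the 10x result-size threshold are all assumptions made for the example. It also illustrates the zero-day point: nothing in the model depends on how the attacker got in, only on what the resulting database activity looks like.

```python
"""Toy database UBA: learn what an application account normally does,
then flag activity that deviates from that model.  Added example, not
DB Networks' code; log format, thresholds and names are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Fingerprint a statement by stripping literals, so "WHERE id = 42" and
# "WHERE id = 43" map to the same shape (a crude stand-in for the
# protocol-level statement parsing a real product would do).
_NUM = re.compile(r"\b\d+\b")
_STR = re.compile(r"'[^']*'")
_WS = re.compile(r"\s+")


def fingerprint(sql: str) -> str:
    shape = _STR.sub("?", sql)
    shape = _NUM.sub("?", shape)
    return _WS.sub(" ", shape).strip().upper()


@dataclass
class Event:
    ts: int          # constructed timestamp (seconds)
    account: str     # database login the application connects with
    sql: str         # statement text as seen on the wire
    rows: int        # rows returned to the client


@dataclass
class Profile:
    # statement shape -> list of result sizes observed during training
    shapes: dict = field(default_factory=lambda: defaultdict(list))


def build_baseline(events):
    """Per-account profile of statement shapes and typical result sizes."""
    baseline = defaultdict(Profile)
    for e in events:
        baseline[e.account].shapes[fingerprint(e.sql)].append(e.rows)
    return baseline


def score_event(baseline, e, row_factor=10):
    """Return the reasons (possibly none) this event deviates from baseline."""
    reasons = []
    prof = baseline.get(e.account)
    if prof is None:
        return ["unknown account"]
    shape = fingerprint(e.sql)
    history = prof.shapes.get(shape)
    if history is None:
        reasons.append("never-seen statement shape")
        # A SELECT with no WHERE clause from an account that only ever did
        # per-record lookups is the signature of a bulk dump.
        if shape.startswith("SELECT") and re.search(r"\bWHERE\b", shape) is None:
            reasons.append("unfiltered SELECT (bulk read)")
        return reasons
    typical = max(history)
    if e.rows > row_factor * typical:
        reasons.append(f"result size {e.rows} vs typical max {typical}")
    return reasons


def detect(baseline, events):
    """Run every event in a window against the baseline; return alerts."""
    alerts = []
    for e in events:
        reasons = score_event(baseline, e)
        if reasons:
            alerts.append((e.ts, e.account, fingerprint(e.sql), reasons))
    return alerts


# Constructed training window: the web application's normal per-consumer lookups.
TRAINING = [
    Event(1000 + i, "webapp", f"SELECT name, ssn FROM consumers WHERE id = {100 + i}", 1)
    for i in range(50)
] + [
    Event(2000 + i, "webapp", f"SELECT * FROM disputes WHERE consumer_id = {100 + i}", i % 4)
    for i in range(50)
]

# Constructed detection window: two legitimate lookups, then three deviations.
WINDOW = [
    Event(3000, "webapp", "SELECT name, ssn FROM consumers WHERE id = 777", 1),
    Event(3001, "webapp", "SELECT * FROM disputes WHERE consumer_id = 777", 2),
    Event(3002, "webapp", "SELECT name, ssn, dob FROM consumers", 2_500_000),   # bulk dump
    Event(3003, "webapp", "SELECT * FROM disputes WHERE consumer_id = 778", 90),  # oversized
    Event(3004, "svc_backup", "SELECT * FROM consumers", 2_500_000),             # unprofiled login
]


def run_demo():
    return detect(build_baseline(TRAINING), WINDOW)


if __name__ == "__main__":
    for ts, account, shape, reasons in run_demo():
        print(f"t={ts} account={account} shape={shape!r}: {', '.join(reasons)}")
```

The two legitimate lookups in the detection window produce no alert, while the three deviations each do; in practice the baseline would be refreshed continuously and the thresholds tuned per account, but the shape of the logic is the same.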
The Equifax database attack is unprecedented both in terms of its severity and in duration. There are 143 million individuals who will be dealing with the aftermath of this database attack for many years to come. There are a number of important lessons to be learned as a result. Failing to adhere to basic security hygiene by not immediately applying security patches and also not deploying the necessary tools required to identify insider threats can have enormous repercussions.
Dave Rosenberg is CTO of Products for DB Networks. He can be reached at 800-598-0450 or firstname.lastname@example.org.