SlideShare ist ein Scribd-Unternehmen logo

Equifax Breach Postmortem

Als PPTX, PDF herunterladen
Adrian Sanabria
Adrian Sanabria

What do you remember about the Equifax? Something about someone forgetting to patch Struts, and then the bad guys were able to get in and steal all the data? What actually happened was much more nuanced, and there's much to learn by diving into the details.

Technologie
1 von 26
Equifax Breach Postmortem September 8, 2021
2 Adrian who? 10 years as security practitioner (all the hats) 5 years as a security consultant (pen tester and PCI QSA) 3 years as an industry analyst 2 years building my own company and working for vendors Founded several local cybersecurity community groups in East Tennessee Old enough to remember Mastercard’s SDP before PCI DSS was a thing Now: cybersecurity product reviews at Security Weekly Labs
3 How do you remember the Equifax breach?
4 Like this?
5 How do most breaches happen?
6 Common traits across breaches Attacks aren’t ‘one-and-done’ - they have multiple phases and take time “Attackers only need to succeed once, defenders need to get it right every time” “Defenders only need to detect attackers once, attackers have to evade every time”
7 Common traits across breaches • Vulnerabilities exploited in less than 3% of breaches - The vulns that ARE exploited are OLD – over 91% are over a year old! • Malware isn’t always used - But when it is, it’s in the middle and end stages of the attack • Most attacks require four or more steps - Especially system intrusions - Webapp attacks have the shortest number of steps – think SQLi or open S3 bucket Source: 2021 Verizon data Breach Investigations Report
8 Common traits across breaches Most look pretty much like every pen test ever (ouch) 1. Phish an employee; exploit a vuln or misconfiguration 2. Steal creds 3. Log in via [technology] 4. Dump admin credentials 5. Pivot using newfound creds, maybe sprinkle some malware 6. Own everything
9 Storytime: the Equifax breach
10 Struts vuln announced: CVE-2017- 5638 March 7th: struts vuln announced March 9th: Equifax’s GTVM group urges everyone to patch within 48 hours! OMG, patch struts now!
11 Struts? What struts? March 10th: First evidence of struts exploits on Equifax systems March 14th: Emerging Threats team releases faulty Snort rule; Countermeasures team installs it (neither team tests it) March 15th: Employees scan for Struts, finding nothing (McAfee Vuln Mgr) March 16th: GTVM holds a special meeting on this Struts vulnerability I got nothin’
12 Attackers break in May 13th: 2 months after the special Struts vuln meeting, attackers exploit Struts and drop web shells Attackers hang out, explore systems, run queries, exfiltrate data – all undetected for another 76 days
13 Additional context • The system attacked (ACIS) was ancient, originally built in the 70s - Few understood it - It was not well documented - J2EE - Still, it was exposed to the public Internet • Equifax had a lot of ground to cover • Scanning tools seemed ineffective and improperly
14 Additional context Finding and patching Struts isn’t like updating a software package, as it’s not “installed”, per se
15 Equifax discovers hijinks July 29th,2017 at 9pm: Countermeasures team updates 67 SSL certificates on SSL Visibility (SSLV) device. They had been expired since January 2016. July 29th at 10pm: Suspicious connections from China are spotted July 30th at 12:41pm: The hacked system is taken offline July 30th at 1:30pm: CSO is notified of the incident
16 The initial response? (once they knew, of course) The Countermeasures team identified the attack, contained it and pulled in key stakeholders in ~15.5 hours. If the SSL Visibility device was properly maintained…
17 Struts vuln: found at last July 31st: The vulnerability assessment team scans the ACIS WAR file and finds vulnerable Struts July 31st: The team scans more ACIS related systems and finds more vulnerable Struts not being inspected by the SSLV IDS system
18 Communication breakdown July 31st: CSO suspects PII is compromised, but doesn’t tell CIO August 2nd: CIO goes on vacation for 2 weeks August 2nd: Equifax calls outside counsel, who then calls Mandiant August 3rd: Mandiant gets to work September 7th: Public notice goes out The public notice also
19 Don’t skip those PR classes, CEOs “…three weeks before Equifax publicly announced the breach, Smith boasted Equifax was managing ‘almost 1,200 times’ the amount of data held in the Library of Congress every day.”
20 Equifax blames an intern before it was cool
21 Putting it all together: the big picture
22 Equifax Process and Control Failures 1. No asset inventory (CSC01 2. No software inventory (CSC02) 3. No file integrity monitoring 4. No network segmentation 5. Neglected SSL Visibility (SSLV) Appliance 6. Neglected SSLV failed open 7. SSLV lacked certs for key systems 8. SAST failed to find Struts due to misconfig 9. No anomaly detection on web servers 10. Custom snort rule didn’t work 11. Custom snort rule wasn’t tested. 12. Network scanner didn’t find Struts 16. Least privilege principles not followed for database access 17. Ad-hoc DB queries not restricted 18. No DB anomaly monitoring 19. No field-level encryption in DBs 20. No data exfiltration detection 21. DAST scanning failed to detect vulns 22. Ineffective IR plan/procedures 23. No owners assigned to apps or DBs 24. Comms issues due to corp structure 25. Lack of accountability in processes 26. No post-patching validation 27. Old audit findings were not
23 Equifax Process and Control Failures 1,12 26,28 29 2,8,21,23 26 3,9,13,14 4,5,6,7,1 6 10,11,20 15,23 16,17,19 17,18,20 24 25,26,27 22 Applicat ions Devices Network Data People Ident ify Recove r Respon d Detec t Prote ct Proces s Technolo gy People Degree of Dependence on People, Process, Technology https://cyberdefensematrix.com/ - created by Sounil Yu - @sounilyu
24 Summarizing the worst control failures Summarizing only the most egregious control failures: Tech-oriented control failures: Zero People-oriented control failures: One Process-oriented control failures: Eight Special thanks to Sounil Yu, the cyber defense matrix creator, for reviewing my work and making some suggestions and corrections!
25 References House oversight report Senate subcommittee report Chinese military hacker indictment Me, live-tweeting my way through the house oversight report Talos’s day 2 post reporting exploit activity The original Struts vulnerability security bulletin
26 Thanks! @sawaba Adrian.Sanabria@hey.com

Empfohlen

Equifax data breach
Equifax data breachEquifax data breach
Equifax data breachSajib Sen
 
Equifax
Equifax Equifax
Equifax nsjsj4
 
Equifax Breach - Lessons - Cyber Rescue - 16th may 2018
Equifax Breach - Lessons - Cyber Rescue - 16th may 2018Equifax Breach - Lessons - Cyber Rescue - 16th may 2018
Equifax Breach - Lessons - Cyber Rescue - 16th may 2018Kevin Duffey
 
Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together
Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together
Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together Sqrrl
 
Target data breach case study
Target data breach case studyTarget data breach case study
Target data breach case studyAbhilash vijayan
 
Implementing a Security Framework based on ISO/IEC 27002
Implementing a Security Framework based on ISO/IEC 27002Implementing a Security Framework based on ISO/IEC 27002
Implementing a Security Framework based on ISO/IEC 27002pgpmikey
 
Red7 SSDLC Introduction: Building Secure Web and Mobile Applications
Red7 SSDLC Introduction: Building Secure Web and Mobile ApplicationsRed7 SSDLC Introduction: Building Secure Web and Mobile Applications
Red7 SSDLC Introduction: Building Secure Web and Mobile ApplicationsRobert Grupe, CSSLP CISSP PE PMP
 
Beta management company
Beta management companyBeta management company
Beta management companyRohan Khandelwal
 

Empfohlen

Equifax data breach
Equifax data breachEquifax data breach
Equifax data breachSajib Sen
 
Equifax
Equifax Equifax
Equifax nsjsj4
 
Equifax Breach - Lessons - Cyber Rescue - 16th may 2018
Equifax Breach - Lessons - Cyber Rescue - 16th may 2018Equifax Breach - Lessons - Cyber Rescue - 16th may 2018
Equifax Breach - Lessons - Cyber Rescue - 16th may 2018Kevin Duffey
 
Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together
Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together
Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together Sqrrl
 
Target data breach case study
Target data breach case studyTarget data breach case study
Target data breach case studyAbhilash vijayan
 
Implementing a Security Framework based on ISO/IEC 27002
Implementing a Security Framework based on ISO/IEC 27002Implementing a Security Framework based on ISO/IEC 27002
Implementing a Security Framework based on ISO/IEC 27002pgpmikey
 
Red7 SSDLC Introduction: Building Secure Web and Mobile Applications
Red7 SSDLC Introduction: Building Secure Web and Mobile ApplicationsRed7 SSDLC Introduction: Building Secure Web and Mobile Applications
Red7 SSDLC Introduction: Building Secure Web and Mobile ApplicationsRobert Grupe, CSSLP CISSP PE PMP
 
Beta management company
Beta management companyBeta management company
Beta management companyRohan Khandelwal
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6aCritical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6aJames W. De Rienzo
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security VulnerabilitiesMarius Vorster
 
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecurityDistributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecuritySounil Yu
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 
NIST CSF Overview
NIST CSF OverviewNIST CSF Overview
NIST CSF OverviewPriyanka Aash
 
Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010Donald E. Hester
 
Database Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower CostsDatabase Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower CostsImperva
 
FireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment ExperienceFireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment ExperienceValery Yelanin
 
Eli lilly and company
Eli lilly and companyEli lilly and company
Eli lilly and companyChitkara University
 
Apple INC.: Managing a Global Supply Chain
Apple INC.: Managing a Global Supply ChainApple INC.: Managing a Global Supply Chain
Apple INC.: Managing a Global Supply ChainAyesha Majid
 
Merton Truck Company
Merton Truck CompanyMerton Truck Company
Merton Truck CompanyTushar Arora
 
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...Synopsys Software Integrity Group
 
CyberSecurity Portfolio Management
CyberSecurity Portfolio ManagementCyberSecurity Portfolio Management
CyberSecurity Portfolio ManagementPriyanka Aash
 
Six Steps to SIEM Success
Six Steps to SIEM SuccessSix Steps to SIEM Success
Six Steps to SIEM SuccessAlienVault
 
BSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software SecurityBSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software SecurityCigital
 
NIST SP 800 30 Flow Chart
NIST SP 800 30 Flow ChartNIST SP 800 30 Flow Chart
NIST SP 800 30 Flow ChartJames W. De Rienzo
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDPranav Shah
 
CyberOps Associate Modul 28 Digital Forensics and Incident Analysis and Response
CyberOps Associate Modul 28 Digital Forensics and Incident Analysis and ResponseCyberOps Associate Modul 28 Digital Forensics and Incident Analysis and Response
CyberOps Associate Modul 28 Digital Forensics and Incident Analysis and ResponsePanji Ramadhan Hadjarati
 
20161021 JS Cybersecurity Service Proposal
20161021 JS Cybersecurity Service Proposal20161021 JS Cybersecurity Service Proposal
20161021 JS Cybersecurity Service ProposalCarl Bradley Pate
 
Integrating DevOps and Security
Integrating DevOps and SecurityIntegrating DevOps and Security
Integrating DevOps and SecurityStijn Muylle
 
SplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunk
 

Weitere ähnliche Inhalte

Was ist angesagt?

Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6aCritical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6aJames W. De Rienzo
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security VulnerabilitiesMarius Vorster
 
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecurityDistributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecuritySounil Yu
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 
Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010Donald E. Hester
 
Database Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower CostsDatabase Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower CostsImperva
 
FireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment ExperienceFireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment ExperienceValery Yelanin
 
Apple INC.: Managing a Global Supply Chain
Apple INC.: Managing a Global Supply ChainApple INC.: Managing a Global Supply Chain
Apple INC.: Managing a Global Supply ChainAyesha Majid
 
Merton Truck Company
Merton Truck CompanyMerton Truck Company
Merton Truck CompanyTushar Arora
 
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...Synopsys Software Integrity Group
 
CyberSecurity Portfolio Management
CyberSecurity Portfolio ManagementCyberSecurity Portfolio Management
CyberSecurity Portfolio ManagementPriyanka Aash
 
Six Steps to SIEM Success
Six Steps to SIEM SuccessSix Steps to SIEM Success
Six Steps to SIEM SuccessAlienVault
 
BSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software SecurityBSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software SecurityCigital
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDPranav Shah
 
CyberOps Associate Modul 28 Digital Forensics and Incident Analysis and Response
CyberOps Associate Modul 28 Digital Forensics and Incident Analysis and ResponseCyberOps Associate Modul 28 Digital Forensics and Incident Analysis and Response
CyberOps Associate Modul 28 Digital Forensics and Incident Analysis and ResponsePanji Ramadhan Hadjarati
 
20161021 JS Cybersecurity Service Proposal
20161021 JS Cybersecurity Service Proposal20161021 JS Cybersecurity Service Proposal
20161021 JS Cybersecurity Service ProposalCarl Bradley Pate
 

Was ist angesagt? (20)

Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6aCritical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
 
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecurityDistributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
 
NIST CSF Overview
NIST CSF OverviewNIST CSF Overview
NIST CSF Overview
 
Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010
 
Database Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower CostsDatabase Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower Costs
 
FireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment ExperienceFireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment Experience
 
Eli lilly and company
Eli lilly and companyEli lilly and company
Eli lilly and company
 
Apple INC.: Managing a Global Supply Chain
Apple INC.: Managing a Global Supply ChainApple INC.: Managing a Global Supply Chain
Apple INC.: Managing a Global Supply Chain
 
Merton Truck Company
Merton Truck CompanyMerton Truck Company
Merton Truck Company
 
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
 
CyberSecurity Portfolio Management
CyberSecurity Portfolio ManagementCyberSecurity Portfolio Management
CyberSecurity Portfolio Management
 
Six Steps to SIEM Success
Six Steps to SIEM SuccessSix Steps to SIEM Success
Six Steps to SIEM Success
 
BSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software SecurityBSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software Security
 
NIST SP 800 30 Flow Chart
NIST SP 800 30 Flow ChartNIST SP 800 30 Flow Chart
NIST SP 800 30 Flow Chart
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoD
 
CyberOps Associate Modul 28 Digital Forensics and Incident Analysis and Response
CyberOps Associate Modul 28 Digital Forensics and Incident Analysis and ResponseCyberOps Associate Modul 28 Digital Forensics and Incident Analysis and Response
CyberOps Associate Modul 28 Digital Forensics and Incident Analysis and Response
 
20161021 JS Cybersecurity Service Proposal
20161021 JS Cybersecurity Service Proposal20161021 JS Cybersecurity Service Proposal
20161021 JS Cybersecurity Service Proposal
 

Ähnlich wie Equifax Breach Postmortem

Integrating DevOps and Security
Integrating DevOps and SecurityIntegrating DevOps and Security
Integrating DevOps and SecurityStijn Muylle
 
SplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunk
 
SplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakoutSplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakoutSplunk
 
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2Damir Delija
 
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...TI Safe
 
Consensus Audit Guidelines 2008
Consensus Audit Guidelines 2008Consensus Audit Guidelines 2008
Consensus Audit Guidelines 2008John Gilligan
 
Automating Critical Security Controls for Threat Remediation and Compliance
Automating Critical Security Controls for Threat Remediation and ComplianceAutomating Critical Security Controls for Threat Remediation and Compliance
Automating Critical Security Controls for Threat Remediation and ComplianceQualys
 
Securing Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsSecuring Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsAdrian Sanabria
 
Monitoring threats for pci compliance
Monitoring threats for pci complianceMonitoring threats for pci compliance
Monitoring threats for pci complianceShiva Hullavarad
 
Monitoring threats for pci compliance
Monitoring threats for pci complianceMonitoring threats for pci compliance
Monitoring threats for pci complianceShiva Hullavarad
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitecturePriyanka Aash
 
M.Tech. IDS Lecture-Mid Term.pptx
M.Tech. IDS Lecture-Mid Term.pptxM.Tech. IDS Lecture-Mid Term.pptx
M.Tech. IDS Lecture-Mid Term.pptxpawandeoli1
 
M.Tech. IDS Lecture by graphic era university
M.Tech. IDS Lecture by graphic era universityM.Tech. IDS Lecture by graphic era university
M.Tech. IDS Lecture by graphic era universitypheonix4
 
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowRecon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowPriyanka Aash
 
RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)Jonathan Cran
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementAndrew McNicol
 
Visualization in the Age of Big Data
Visualization in the Age of Big DataVisualization in the Age of Big Data
Visualization in the Age of Big DataRaffael Marty
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Alan Kan
 
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...Alexander Leonov
 

Ähnlich wie Equifax Breach Postmortem (20)

Integrating DevOps and Security
Integrating DevOps and SecurityIntegrating DevOps and Security
Integrating DevOps and Security
 
SplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based security
 
SplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakoutSplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakout
 
NetWitness
NetWitnessNetWitness
NetWitness
 
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2
 
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
 
Consensus Audit Guidelines 2008
Consensus Audit Guidelines 2008Consensus Audit Guidelines 2008
Consensus Audit Guidelines 2008
 
Automating Critical Security Controls for Threat Remediation and Compliance
Automating Critical Security Controls for Threat Remediation and ComplianceAutomating Critical Security Controls for Threat Remediation and Compliance
Automating Critical Security Controls for Threat Remediation and Compliance
 
Securing Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsSecuring Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These Years
 
Monitoring threats for pci compliance
Monitoring threats for pci complianceMonitoring threats for pci compliance
Monitoring threats for pci compliance
 
Monitoring threats for pci compliance
Monitoring threats for pci complianceMonitoring threats for pci compliance
Monitoring threats for pci compliance
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response Architecture
 
M.Tech. IDS Lecture-Mid Term.pptx
M.Tech. IDS Lecture-Mid Term.pptxM.Tech. IDS Lecture-Mid Term.pptx
M.Tech. IDS Lecture-Mid Term.pptx
 
M.Tech. IDS Lecture by graphic era university
M.Tech. IDS Lecture by graphic era universityM.Tech. IDS Lecture by graphic era university
M.Tech. IDS Lecture by graphic era university
 
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowRecon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
 
RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability Management
 
Visualization in the Age of Big Data
Visualization in the Age of Big DataVisualization in the Age of Big Data
Visualization in the Age of Big Data
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
 
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
 

Mehr von Adrian Sanabria

Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Adrian Sanabria
 
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...Adrian Sanabria
 
Lies and Myths in InfoSec - 2023 Usenix Enigma
Lies and Myths in InfoSec - 2023 Usenix EnigmaLies and Myths in InfoSec - 2023 Usenix Enigma
Lies and Myths in InfoSec - 2023 Usenix EnigmaAdrian Sanabria
 
Indistinguishable from Magic: How the Cybersecurity Market Reached a Trillion...
Indistinguishable from Magic: How the Cybersecurity Market Reached a Trillion...Indistinguishable from Magic: How the Cybersecurity Market Reached a Trillion...
Indistinguishable from Magic: How the Cybersecurity Market Reached a Trillion...Adrian Sanabria
 
2019 InfoSec Buyer's Guide
2019 InfoSec Buyer's Guide2019 InfoSec Buyer's Guide
2019 InfoSec Buyer's GuideAdrian Sanabria
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security PractitionerAdrian Sanabria
 
The state of endpoint defense in 2021
The state of endpoint defense in 2021The state of endpoint defense in 2021
The state of endpoint defense in 2021Adrian Sanabria
 
From due diligence to IoT disaster
From due diligence to IoT disasterFrom due diligence to IoT disaster
From due diligence to IoT disasterAdrian Sanabria
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Adrian Sanabria
 
Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Adrian Sanabria
 
451 AppSense Webinar - Why blame the user?
451 AppSense Webinar - Why blame the user?451 AppSense Webinar - Why blame the user?
451 AppSense Webinar - Why blame the user?Adrian Sanabria
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...Adrian Sanabria
 
451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint Security451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint SecurityAdrian Sanabria
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps OverviewAdrian Sanabria
 
RSAC 2016: CISO's guide to Startups
RSAC 2016: CISO's guide to StartupsRSAC 2016: CISO's guide to Startups
RSAC 2016: CISO's guide to StartupsAdrian Sanabria
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerAdrian Sanabria
 
Ten Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard OfTen Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard OfAdrian Sanabria
 

Mehr von Adrian Sanabria (20)

Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
 
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
 
Lies and Myths in InfoSec - 2023 Usenix Enigma
Lies and Myths in InfoSec - 2023 Usenix EnigmaLies and Myths in InfoSec - 2023 Usenix Enigma
Lies and Myths in InfoSec - 2023 Usenix Enigma
 
Indistinguishable from Magic: How the Cybersecurity Market Reached a Trillion...
Indistinguishable from Magic: How the Cybersecurity Market Reached a Trillion...Indistinguishable from Magic: How the Cybersecurity Market Reached a Trillion...
Indistinguishable from Magic: How the Cybersecurity Market Reached a Trillion...
 
2019 InfoSec Buyer's Guide
2019 InfoSec Buyer's Guide2019 InfoSec Buyer's Guide
2019 InfoSec Buyer's Guide
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security Practitioner
 
The state of endpoint defense in 2021
The state of endpoint defense in 2021The state of endpoint defense in 2021
The state of endpoint defense in 2021
 
The Products We Deserve
The Products We DeserveThe Products We Deserve
The Products We Deserve
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
 
From due diligence to IoT disaster
From due diligence to IoT disasterFrom due diligence to IoT disaster
From due diligence to IoT disaster
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
 
Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Open Source Defense for Edge 2017
Open Source Defense for Edge 2017
 
451 AppSense Webinar - Why blame the user?
451 AppSense Webinar - Why blame the user?451 AppSense Webinar - Why blame the user?
451 AppSense Webinar - Why blame the user?
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
 
451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint Security451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint Security
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps Overview
 
2016 virus bulletin
2016 virus bulletin2016 virus bulletin
2016 virus bulletin
 
RSAC 2016: CISO's guide to Startups
RSAC 2016: CISO's guide to StartupsRSAC 2016: CISO's guide to Startups
RSAC 2016: CISO's guide to Startups
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security Practitioner
 
Ten Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard OfTen Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard Of
 

Kürzlich hochgeladen

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 

Kürzlich hochgeladen (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 

Equifax Breach Postmortem

  • 2. 2 Adrian who? 10 years as security practitioner (all the hats) 5 years as a security consultant (pen tester and PCI QSA) 3 years as an industry analyst 2 years building my own company and working for vendors Founded several local cybersecurity community groups in East Tennessee Old enough to remember Mastercard’s SDP before PCI DSS was a thing Now: cybersecurity product reviews at Security Weekly Labs
  • 3. 3 How do you remember the Equifax breach?
  • 5. 5 How do most breaches happen?
  • 6. 6 Common traits across breaches Attacks aren’t ‘one-and-done’ - they have multiple phases and take time “Attackers only need to succeed once, defenders need to get it right every time” “Defenders only need to detect attackers once, attackers have to evade every time”
  • 7. 7 Common traits across breaches • Vulnerabilities exploited in less than 3% of breaches - The vulns that ARE exploited are OLD – over 91% are over a year old! • Malware isn’t always used - But when it is, it’s in the middle and end stages of the attack • Most attacks require four or more steps - Especially system intrusions - Webapp attacks have the shortest number of steps – think SQLi or open S3 bucket Source: 2021 Verizon data Breach Investigations Report
  • 8. 8 Common traits across breaches Most look pretty much like every pen test ever (ouch) 1. Phish an employee; exploit a vuln or misconfiguration 2. Steal creds 3. Log in via [technology] 4. Dump admin credentials 5. Pivot using newfound creds, maybe sprinkle some malware 6. Own everything
  • 10. 10 Struts vuln announced: CVE-2017- 5638 March 7th: struts vuln announced March 9th: Equifax’s GTVM group urges everyone to patch within 48 hours! OMG, patch struts now!
  • 11. 11 Struts? What struts? March 10th: First evidence of struts exploits on Equifax systems March 14th: Emerging Threats team releases faulty Snort rule; Countermeasures team installs it (neither team tests it) March 15th: Employees scan for Struts, finding nothing (McAfee Vuln Mgr) March 16th: GTVM holds a special meeting on this Struts vulnerability I got nothin’
  • 12. 12 Attackers break in May 13th: 2 months after the special Struts vuln meeting, attackers exploit Struts and drop web shells Attackers hang out, explore systems, run queries, exfiltrate data – all undetected for another 76 days
  • 13. 13 Additional context • The system attacked (ACIS) was ancient, originally built in the 70s - Few understood it - It was not well documented - J2EE - Still, it was exposed to the public Internet • Equifax had a lot of ground to cover • Scanning tools seemed ineffective and improperly
  • 14. 14 Additional context Finding and patching Struts isn’t like updating a software package, as it’s not “installed”, per se
  • 15. 15 Equifax discovers hijinks July 29th,2017 at 9pm: Countermeasures team updates 67 SSL certificates on SSL Visibility (SSLV) device. They had been expired since January 2016. July 29th at 10pm: Suspicious connections from China are spotted July 30th at 12:41pm: The hacked system is taken offline July 30th at 1:30pm: CSO is notified of the incident
  • 16. 16 The initial response? (once they knew, of course) The Countermeasures team identified the attack, contained it and pulled in key stakeholders in ~15.5 hours. If the SSL Visibility device was properly maintained…
  • 17. 17 Struts vuln: found at last July 31st: The vulnerability assessment team scans the ACIS WAR file and finds vulnerable Struts July 31st: The team scans more ACIS related systems and finds more vulnerable Struts not being inspected by the SSLV IDS system
  • 18. 18 Communication breakdown July 31st: CSO suspects PII is compromised, but doesn’t tell CIO August 2nd: CIO goes on vacation for 2 weeks August 2nd: Equifax calls outside counsel, who then calls Mandiant August 3rd: Mandiant gets to work September 7th: Public notice goes out The public notice also
  • 19. 19 Don’t skip those PR classes, CEOs “…three weeks before Equifax publicly announced the breach, Smith boasted Equifax was managing ‘almost 1,200 times’ the amount of data held in the Library of Congress every day.”
  • 20. 20 Equifax blames an intern before it was cool
  • 21. 21 Putting it all together: the big picture
  • 22. 22 Equifax Process and Control Failures 1. No asset inventory (CSC01 2. No software inventory (CSC02) 3. No file integrity monitoring 4. No network segmentation 5. Neglected SSL Visibility (SSLV) Appliance 6. Neglected SSLV failed open 7. SSLV lacked certs for key systems 8. SAST failed to find Struts due to misconfig 9. No anomaly detection on web servers 10. Custom snort rule didn’t work 11. Custom snort rule wasn’t tested. 12. Network scanner didn’t find Struts 16. Least privilege principles not followed for database access 17. Ad-hoc DB queries not restricted 18. No DB anomaly monitoring 19. No field-level encryption in DBs 20. No data exfiltration detection 21. DAST scanning failed to detect vulns 22. Ineffective IR plan/procedures 23. No owners assigned to apps or DBs 24. Comms issues due to corp structure 25. Lack of accountability in processes 26. No post-patching validation 27. Old audit findings were not
  • 23. 23 Equifax Process and Control Failures 1,12 26,28 29 2,8,21,23 26 3,9,13,14 4,5,6,7,1 6 10,11,20 15,23 16,17,19 17,18,20 24 25,26,27 22 Applicat ions Devices Network Data People Ident ify Recove r Respon d Detec t Prote ct Proces s Technolo gy People Degree of Dependence on People, Process, Technology https://cyberdefensematrix.com/ - created by Sounil Yu - @sounilyu
  • 24. 24 Summarizing the worst control failures Summarizing only the most egregious control failures: Tech-oriented control failures: Zero People-oriented control failures: One Process-oriented control failures: Eight Special thanks to Sounil Yu, the cyber defense matrix creator, for reviewing my work and making some suggestions and corrections!
  • 25. 25 References House oversight report Senate subcommittee report Chinese military hacker indictment Me, live-tweeting my way through the house oversight report Talos’s day 2 post reporting exploit activity The original Struts vulnerability security bulletin

Hinweis der Redaktion

  1. The headline isn’t wrong, but as an answer to what question? Why did attackers get an initial foothold into Equifax? Why did Equifax fail to detect and respond to the attack in a reasonable timeframe? Ultimately, breaches are almost never due to a single control failure, and the failure to patch here wasn’t because Equifax was slow or not paying attention. Why did I pick the Equifax breach? Mainly because it’s an excellent example of a large, complex environment, heavy with tech debt. Also, because SO MANY details were made public that we can really have a meaningful conversation about what went wrong at each stage.
  2. 2017/03/07 - The struts vulnerability is announced by Apache 2017/03/08 - Talos blogs that they’re seeing live exploitation attempts (meaning the opportunistic scanning has begun) 2017/03/09 – Equifax’s Global threat and Vulnerability Management (GTVM) team forwards a USCert notification internally, noting the issue must be fixed within 48 hours! 2017/03/15 – Metasploit module released
  3. So the way this likely happened was that attackers were just blasting out scans for vulnerable systems across the whole Internet. This is likely why we see some early exploitation, but nothing comes of it. Might not even be the same actor. All this stuff about “we know patching is hard, but we’ve got to do better” punditry assumed that Equifax was aware of the need to patch, but their corporate wheels spun too slowly. The reality was somewhat worse – they didn’t know they even had instances of Struts exposed to the public Internet that needed to be patched! Also, why are they holding a special meeting about struts 5 days after the deadline for everyone to fix it? Because they suspect no one had?
  4. There was seemingly no significant monitoring on this legacy system. No FIM, no anomaly detection. Used to exfiltrate massive amounts of data (placed in webroot and retrieved with wget), without any detection Further, the system broke many security policies: having more access to systems than necessary (only needed 3 databases, had access to 51) Storage of cleartext creds
  5. He had to have known the breach investigation was well underway at this point, suggesting he was either 1. clueless about the severity of the breach, or 2. clueless about how tone deaf his statement was, given the circumstances
  6. Okay, it wasn’t an intern, but I couldn’t pass up that title and it’s not far off the mark. Also, recognition for a true American hero: the Monopoly cosplayer photobombing this hearing like crazy
  7. Check on specifically what happened with #15
  8. What the cyber defense matrix tells us: 1.
  9. Put another way, all the technology did its job, but people or processes failed to keep it in a functional state.