How Did Equifax Know They Were Hacked?

CodeBlox (Posts: 1,363, Member)
The question is simple. Along with any other company that's actually realized they've had some sort of breach, how do they find out typically?
Currently reading: Network Warrior, Unix Network Programming by Richard Stevens

Comments

  • TechGuru80 (Posts: 1,539, Member)
    Lots of ways... new accounts created, data is leaving all of a sudden, undocumented configuration changes, alerts all of a sudden start going off, encrypted traffic occurring where it shouldn't be encrypted, random log reviews identify indicators, and several other ways.

    How fast a breach is identified and how quickly the breach is resolved are two major metrics that should be monitored to measure effectiveness of Incident Response and Security teams.
  • gespenstern (Posts: 1,243, Member)
    First, they finally notice that something is off. Let's say they find a webshell. That's the "oh, sh!t" moment. This goes to the CISO and sleepless nights begin.

    Next they do forensics. When was it installed? File system timestamps. Traffic logs on the firewall.

    Found any binaries and scripts? Pass them to reverse engineers for analysis. Also sandbox them for dynamic analysis. Produce IoCs and check everything for known MD5, known IP addresses and domain names, known behavioral techniques unique to the tools used.

    Under which user was the webshell installed? Let's track what this user did and accessed. All logon events, all access events on all accessible systems that have access audits. Let's see transaction logs of databases to find out what queries were issued under this account that aren't typical.

    Any lateral movement? Other tools on any other systems? Which accounts were compromised? Which IPs? Let's get firewall reports on them and user directory reports on logon events. Here we identify to some degree their C&C IPs that are used to issue commands and exfiltrate sensitive data.

    Then, once we've identified the sensitive data was accessed through database transaction logs, we get back to firewall logs to find out amounts of traffic exfiltrated to the outside. Just judging by the size it's possible to guess what was exfiltrated even if their crypto is good and can't be decrypted.

    Around this stage you compose a report and send it to the CISO, risk/compliance folks, etc.

    Then you have a series of sessions with everyone involved where you discuss how we fcked up that badly and what we do to avoid this in the future. Document proposals, get budgets and act.
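The detection signals TechGuru80 lists ("data is leaving all of a sudden") and the forensic steps gespenstern walks through (IoC sweeps for known hashes and C&C addresses, first-contact timestamps, sizing exfiltration from firewall byte counts) can be reduced to a handful of log-processing functions. The script below is an added example for this thread, not code posted by anyone in it or used by Equifax; the firewall log format, IP addresses, file paths, the webshell stand-in and the volume threshold are all constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not from the thread): UTC timestamp, source,
# destination, bytes sent outbound. One internal host talks repeatedly to one
# external address and pushes far more data than the others.
FIREWALL_LOG = """\
2017-05-13T02:14:07Z 10.0.5.21 203.0.113.45 1843200
2017-05-13T02:16:31Z 10.0.5.21 203.0.113.45 5242880
2017-05-13T09:02:11Z 10.0.5.22 198.51.100.7 20480
2017-05-13T09:05:40Z 10.0.5.23 198.51.100.9 15360
2017-05-14T03:41:09Z 10.0.5.21 203.0.113.45 7340032
"""

# Constructed IoC set (placeholder values): a C&C address produced by earlier
# analysis, plus the MD5 of a constructed stand-in for the recovered webshell.
KNOWN_BAD_IPS = {"203.0.113.45"}
WEBSHELL_SAMPLE = b"CONSTRUCTED-WEBSHELL-STAND-IN"
KNOWN_BAD_MD5 = {hashlib.md5(WEBSHELL_SAMPLE).hexdigest()}

# Constructed web-root listing (path -> contents) to sweep for the known hash.
WEB_ROOT = {
    "/var/www/html/index.php": b"<?php echo 'hello'; ?>",
    "/var/www/html/uploads/img_2031.php": WEBSHELL_SAMPLE,
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_firewall_log(text):
    """Turn raw log lines into records; skip lines that do not match the format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, nbytes = m.groups()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "dst": dst,
            "bytes": int(nbytes),
        })
    return records


def flag_known_bad_destinations(records, bad_ips):
    """IoC sweep: which internal hosts talked to addresses already tied to the intrusion?"""
    return {(r["src"], r["dst"]) for r in records if r["dst"] in bad_ips}


def outbound_volume_by_dst(records):
    """Sum outbound bytes per external destination so exfiltration can be sized."""
    totals = defaultdict(int)
    for r in records:
        totals[r["dst"]] += r["bytes"]
    return dict(totals)


def flag_exfil_candidates(records, threshold_bytes):
    """Destinations whose total outbound volume exceeds a baseline threshold."""
    return {dst: total for dst, total in outbound_volume_by_dst(records).items()
            if total > threshold_bytes}


def first_contact(records, dst):
    """Earliest contact with a destination: a lower bound on when the foothold existed."""
    times = [r["ts"] for r in records if r["dst"] == dst]
    return min(times) if times else None


def match_file_hashes(files, known_md5):
    """Hash every file in the listing and return paths whose MD5 is a known IoC."""
    return sorted(path for path, data in files.items()
                  if hashlib.md5(data).hexdigest() in known_md5)


if __name__ == "__main__":
    recs = parse_firewall_log(FIREWALL_LOG)
    print("webshell matches:", match_file_hashes(WEB_ROOT, KNOWN_BAD_MD5))
    print("hosts talking to known C&C:", flag_known_bad_destinations(recs, KNOWN_BAD_IPS))
    for dst, total in flag_exfil_candidates(recs, 1_000_000).items():
        print(f"{dst}: {total} bytes out, first seen {first_contact(recs, dst).isoformat()}")
```

The volume threshold is the weak point in practice: it has to come from a baseline of normal outbound traffic for that host class, and the byte total only gives the order of magnitude of what left, as gespenstern notes, since the content itself is usually encrypted.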
  • jcundiff (Posts: 486, Member)
    The most common method is being told by a third party... the card brands, or payment processor, or a security researcher.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • jcundiff (Posts: 486, Member)
    If this topic truly interests you, download the most recent copy of the Verizon Data Breach Investigation Report. And it now looks like the breach goes back to November 2016.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • dmoore44 (Posts: 646, Member)
    jcundiff wrote: »
    If this topic truly interests you, download the most recent copy of the Verizon Data Breach Investigation Report. And it now looks like the breach goes back to November 2016.

    I would also recommend the Verizon Data Breach Digest. The DBD contains more case studies and stories about what happened and how it was detected; it's fantastic reading!
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance. Currently reading books on TensorFlow.
  • scaredoftests (Security+, ITIL Foundation, MPT, EPO, ACAS, HTL behind you; Posts: 2,705, Mod)
    I doubt anyone at Equifax had a sleepless night.
    Never let your fear decide your fate....
  • jcundiff (Posts: 486, Member)
    scaredoftests wrote: »
    I doubt anyone at Equifax had a sleepless night.

    Sure they did... all the C-levels who didn't sell their stock two business days after they learned of the breach, and then saw their stock plummet from 142 to 90 in a week after they announced the breach... they have been up all night ever since the 8th, mourning how much money they lost.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • scaredoftests (Security+, ITIL Foundation, MPT, EPO, ACAS, HTL behind you; Posts: 2,705, Mod)
    Well, there is... that.
    Never let your fear decide your fate....
  • infosec123 (Posts: 48, Member)
    Please, that stock will be back up to 140 in 6 months at the most... Equifax isn't going anywhere anytime soon, I mean it's not like consumers can opt out from doing business with them...
  • Priston (Posts: 999, Member)
    That's assuming all the lawsuits don't force Equifax to file for bankruptcy.
    A.A.S. in Networking Technologies
    A+, Network+, CCNA
  • jcundiff (Posts: 486, Member)
    infosec123 wrote: »
    Please, that stock will be back up to 140 in 6 months at the most... Equifax isn't going anywhere anytime soon, I mean it's not like consumers can opt out from doing business with them...

    It will rebound, but it won't be back to 140 in 6 months; more like 2-3 years at best.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke