How Did Equifax Know They Were Hacked?

The question is simple. Along with any other company that's actually realized they've had some sort of breach, how do they find out typically?

Find more posts tagged with

Comments

TechGuru80

Lots of ways...new accounts created, data is leaving all of a sudden, undocumented cofiguration changes, alerts all of a sudden start going off, encrypted traffic occurring where it shouldn't be encrypted, random log reviews identify indicators, and several other ways.

How fast a breach is identified and how quickly the breach is resolved are two major metrics that should be monitored to measure effectiveness of Incident Response and Security teams.

gespenstern

First, they finally notice that something is off. Let's say they find a webshell. That's the "oh, sh!t" moment. This goes to CISO and sleepless nights begin.

Next they do forensics. When it was installed? File system timestamps. Traffic logs on firewall.

Found any binaries and scripts? Pass them to reverse engineers for analysis. Also sandbox them for dynamic analysis. Produce IoCs and check everything for known MD5, known IP addresses and domain names, known behavioral techniques unique to the tools used.

Under which user the webshell was installed? Let's track what this user did and accessed. All logon events, all access events on all systems accessible that have access audits. Let's see transaction logs of databases to find out what queries were issued under this account that aren't typical.

Any lateral movements? Other tools on any other systems? Which accounts were compromised? Which IPs? Let's get firewall reports on them and user directory reports on logon events. Here we identify to some degree their C&C IPs that are used to issue commands and exfiltrate sensitive data.

Then, once we've identified the sensitive data was accessed through database transaction logs, we get back to firewall logs to find out amounts of traffic exfiltrated to the outside. Just judging by the size it's possible to guess what was exfiltrated even if their crypto is good and can't be decrypted.

Around this stage you compose a report and send to CISO, risk/compliance folks, etc.

Then you have a series of sessions with everyone involved where you discuss how did we fcked up that bad and what do we do to avoid this in the future. Document proposals, get budgets and act.

jcundiff

the most common method is being told by a third party... the card brands, or payment processor, or security researcher

jcundiff

if this topic truly interests you, download the most recent copy of the Verizon Data Breach Investigation Report. And it now look like the breach goes back to November 2016

dmoore44

jcundiff wrote: »

if this topic truly interests you, download the most recent copy of the Verizon Data Breach Investigation Report. And it now look like the breach goes back to November 2016

I would also recommend the Verizon Data Breach Digest. The DBD contains more case studies and stories about what happened and how it was detected - it's fantastic reading!

scaredoftests

I doubt anyone at Equifax had a sleepless night.

jcundiff

scaredoftests wrote: »

I doubt anyone at Equifax had a sleepless night.

Sure they did... all the C Levels who didnt sell their stock two business days after they learned of the breach and then saw their stock plummet from 142 to 90 in a week after they announced the breach... they have been up all night ever since the 8th mourning how much money they lost

scaredoftests

Well, there is..that.

infosec123

Please, that stock will be back up to 140 in 6 months at the most... Equifax isnt going anywhere anytime soon, I mean its not like consumers can opt out from doing business with them...

Priston

That's assuming all the lawsuits don't force equifax to file for bankruptcy.

jcundiff

infosec123 wrote: »

Please, that stock will be back up to 140 in 6 months at the most... Equifax isnt going anywhere anytime soon, I mean its not like consumers can opt out from doing business with them...

It will rebound, but it wont be back to 140 in 6 months more like 2-3 years at best