  1. CodeBlox (Network Engineer)
    Join Date
    Jun 2010
    Posts
    1,336

    Certifications
    CCNA
    #1

    Default How Did Equifax Know They Were Hacked?

    The question is simple. Along with any other company that's actually realized they've had some sort of breach, how do they find out typically?
    Currently reading: Network Warrior, Unix Network Programming by Richard Stevens

  3. Senior Member
    Join Date
    May 2013
    Posts
    1,266

    Certifications
    CISSP, GWAPT, GSEC, C|EH, CCNA:Security, CCNA:R&S, CCENT, Security+, Network+
    #2
    Lots of ways... new accounts created, data is leaving all of a sudden, undocumented configuration changes, alerts all of a sudden start going off, encrypted traffic occurring where it shouldn't be encrypted, random log reviews identify indicators, and several other ways.

    How fast a breach is identified and how quickly the breach is resolved are two major metrics that should be monitored to measure effectiveness of Incident Response and Security teams.

  4. Senior Member
    Join Date
    Jan 2015
    Location
    Chicago, IL
    Posts
    996

    Certifications
    Too many MCPs and MCTS, MCSA: Security, MCSE: Security, MCSA: 2003, 2008, 2012, MCITP: EA, CISSP-ISSAP, SCS DLP, GREM
    #3
    First, they finally notice that something is off. Let's say they find a webshell. That's the "oh, sh!t" moment. This goes to CISO and sleepless nights begin.

    Next they do forensics. When was it installed? File system timestamps. Traffic logs on firewall.

    Found any binaries and scripts? Pass them to reverse engineers for analysis. Also sandbox them for dynamic analysis. Produce IoCs and check everything for known MD5, known IP addresses and domain names, known behavioral techniques unique to the tools used.

    Under which user was the webshell installed? Let's track what this user did and accessed. All logon events, all access events on all systems accessible that have access audits. Let's see transaction logs of databases to find out what queries were issued under this account that aren't typical.

    Any lateral movements? Other tools on any other systems? Which accounts were compromised? Which IPs? Let's get firewall reports on them and user directory reports on logon events. Here we identify to some degree their C&C IPs that are used to issue commands and exfiltrate sensitive data.

    Then, once we've identified the sensitive data was accessed through database transaction logs, we get back to firewall logs to find out amounts of traffic exfiltrated to the outside. Just judging by the size it's possible to guess what was exfiltrated even if their crypto is good and can't be decrypted.

    Around this stage you compose a report and send to CISO, risk/compliance folks, etc.

    Then you have a series of sessions with everyone involved where you discuss how we fcked up that bad and what we do to avoid this in the future. Document proposals, get budgets and act.
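To make the "data is leaving all of a sudden" indicator from post #2 and the account-tracking and firewall-volume steps from post #3 concrete, here is an added example (not code from any poster, and not from any real investigation). It sums egress bytes per host/destination pair from a constructed firewall log and builds the logon timeline of a compromised account after the webshell's first-seen time; the log formats, host names and the `svc_web` account are constructed for the example.

```python
# Added example: triage helpers for the forensic steps described above.
# All log lines below are constructed for illustration, not real data.
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed firewall egress log: timestamp, source host, destination IP, bytes sent
FW_LOG = """\
2017-07-29T02:14:00,web01,203.0.113.7,5242880
2017-07-29T02:20:00,web01,203.0.113.7,734003200
2017-07-29T09:00:00,web01,198.51.100.10,4096
2017-07-30T01:10:00,db02,203.0.113.7,2147483648
"""

# Constructed logon audit log: timestamp, account, target host, result
AUTH_LOG = """\
2017-07-28T23:50:00,svc_web,web01,success
2017-07-29T00:05:00,svc_web,db02,success
2017-07-29T00:06:00,svc_web,fileshare01,failure
2017-07-29T10:00:00,alice,hr01,success
"""

def egress_by_destination(log_text, min_bytes=100 * 2**20):
    """Total bytes per (source host, destination). Pairs at or above min_bytes
    (default 100 MiB) are candidate exfiltration channels worth enriching."""
    totals = defaultdict(int)
    for _ts, src, dst, nbytes in csv.reader(StringIO(log_text)):
        totals[(src, dst)] += int(nbytes)
    return {pair: total for pair, total in totals.items() if total >= min_bytes}

def account_timeline(log_text, account, first_seen):
    """Every logon attempt by the compromised account at or after the webshell's
    first-seen timestamp: which hosts it reached and whether it succeeded."""
    events = []
    for ts, acct, host, result in csv.reader(StringIO(log_text)):
        if acct == account and datetime.fromisoformat(ts) >= first_seen:
            events.append((ts, host, result))
    return events

if __name__ == "__main__":
    # Webshell file timestamp (constructed) gives the start of the window.
    webshell_first_seen = datetime(2017, 7, 28, 23, 0)
    for (src, dst), total in egress_by_destination(FW_LOG).items():
        print(f"{src} -> {dst}: {total / 2**20:.0f} MiB out")
    for ts, host, result in account_timeline(AUTH_LOG, "svc_web", webshell_first_seen):
        print(f"{ts} svc_web on {host}: {result}")
```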

  5. jcundiff (IOCs? What IOCs???!!)
    Join Date
    Jan 2016
    Location
    Morehead, KY
    Posts
    414

    Certifications
    CISSP, CRISC, ITILFv3, PCIP, RSA Archer, MSCE Win2000, A+, N+, Server+, Proj+, eBiz+,iNet+
    #4
    The most common method is being told by a third party... the card brands, or payment processor, or security researcher.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke

  6. jcundiff (IOCs? What IOCs???!!)
    Join Date
    Jan 2016
    Location
    Morehead, KY
    Posts
    414

    Certifications
    CISSP, CRISC, ITILFv3, PCIP, RSA Archer, MSCE Win2000, A+, N+, Server+, Proj+, eBiz+,iNet+
    #5
    If this topic truly interests you, download the most recent copy of the Verizon Data Breach Investigation Report. And it now looks like the breach goes back to November 2016.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke

  7. dmoore44 (Senior Member)
    Join Date
    Sep 2010
    Location
    DFW
    Posts
    628

    Certifications
    Security+, CISSP, CEH
    #6
    Quote Originally Posted by jcundiff View Post
    If this topic truly interests you, download the most recent copy of the Verizon Data Breach Investigation Report. And it now looks like the breach goes back to November 2016.
    I would also recommend the Verizon Data Breach Digest. The DBD contains more case studies and stories about what happened and how it was detected - it's fantastic reading!
    Enrolled
    Carnegie Mellon University MSIT: Information Security & Assurance

    Currently Reading

    School Books

  8. scaredoftests (Senior Member)
    Join Date
    Dec 2013
    Location
    behind you!
    Posts
    2,052

    Certifications
    ACAS,Comp TIA Security +, Novell CNE, HDI Customer Service, ITIL Foundation, MTA
    #7
    I doubt anyone at Equifax had a sleepless night.
    Never let your fear decide your fate....

  9. jcundiff (IOCs? What IOCs???!!)
    Join Date
    Jan 2016
    Location
    Morehead, KY
    Posts
    414

    Certifications
    CISSP, CRISC, ITILFv3, PCIP, RSA Archer, MSCE Win2000, A+, N+, Server+, Proj+, eBiz+,iNet+
    #8
    Quote Originally Posted by scaredoftests View Post
    I doubt anyone at Equifax had a sleepless night.
    Sure they did... all the C Levels who didn't sell their stock two business days after they learned of the breach and then saw their stock plummet from 142 to 90 in a week after they announced the breach... they have been up all night ever since the 8th mourning how much money they lost.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke

  10. scaredoftests (Senior Member)
    Join Date
    Dec 2013
    Location
    behind you!
    Posts
    2,052

    Certifications
    ACAS,Comp TIA Security +, Novell CNE, HDI Customer Service, ITIL Foundation, MTA
    #9
    Well, there is... that.
    Never let your fear decide your fate....

  11. Member
    Join Date
    Jun 2017
    Posts
    48
    #10
    Please, that stock will be back up to 140 in 6 months at the most... Equifax isn't going anywhere anytime soon, I mean it's not like consumers can opt out from doing business with them...

  12. Guest
    Join Date
    Oct 2010
    Posts
    958

    Certifications
    A+, Network+, CCNA
    #11
    That's assuming all the lawsuits don't force Equifax to file for bankruptcy.
    A.A.S. in Networking Technologies
    A+, Network+, CCNA

  13. jcundiff (IOCs? What IOCs???!!)
    Join Date
    Jan 2016
    Location
    Morehead, KY
    Posts
    414

    Certifications
    CISSP, CRISC, ITILFv3, PCIP, RSA Archer, MSCE Win2000, A+, N+, Server+, Proj+, eBiz+,iNet+
    #12
    Quote Originally Posted by infosec123 View Post
    Please, that stock will be back up to 140 in 6 months at the most... Equifax isn't going anywhere anytime soon, I mean it's not like consumers can opt out from doing business with them...
    It will rebound, but it won't be back to 140 in 6 months, more like 2-3 years at best.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
