The Equifax hack of 2017 is, for cyber security folks, one of those “frozen in time” moments. Like all defining moments, I think we will all look back and remember where we were and what we were doing when we first heard about the sheer magnitude of this breach. To say this is a BIG DEAL is quite the understatement.
But here’s the kicker: From a cyber security/attacker point of view, It’s just like every other breach. Nothing to see here…
But this last point is the main thing. Why are we relying on hindsight? Looking backwards is NOT going to help us get ahead of attacks. This attack is big enough that it needs to break the cycle of “hindsight” and move us into “foresight.” Read on to understand what I mean.
If we remove the magnitude of the incident for a moment, and just look at Equifax as “another data breach” it doesn’t stand out at all. It’s “business as usual” for cyber attacks.
Phase 1: Exploit the Unknown
A company with a very complex data infrastructure has some (trust me, it’s MANY) vulnerabilities in their security posture. Attackers probe for these weaknesses, and then exploit them.
Phase 2: Find the “Crown Jewels”
Once inside, attackers move around in the network, find sensitive, private, valuable data, and also establish beachheads in the environment for further exploitation.
Phase 3: Steal and Leak
Attackers find a way to send the “crown jewels” out of the network, and into their own hands, whereupon they either leak them to the world, or worse, sell them in secret to underground criminal organizations.
Phase 4: Mea Culpa, and “Forensic Hindsight”
The breached company apologizes, loses customers, loses money, exposes millions of people to follow-on cybercrime, and then tried to make up for it by hiring a big-name security firm to tell us all why it happened, and try to stop it from happening again.
BUT WE CAN NO LONGER IGNORE THIS – IT’S HAPPENING AGAIN EVERY SINGLE DAY.
All this “hindsight” is the problem! None of this after-the-fact investigation and subsequent “mea culpas” have stopped this tide of breaches. In truth, the beaches are getting worse. So why then are we all continuing to engage in the same processes – with the same tools and mindset?
Until recently, security teams had to rely on good processes, strong tools, and smart people. And, frankly, that all sounds good, but it doesn’t account for validation of the end product. Security teams have been building defenses, without the ability to ensure they are working.
Security teams have been under increasing pressure to just “stop breaches.” So they do what they have always done: buy more products, build thicker perimeters, and hope against hope that they have done everything they can to thwart attacks. Security vendors help assuage their fears with broader coverage, or defense in depth, or name-your-euphemism, and everyone hopes they are doing the right thing.
But we now have 143 million reasons why that approach has failed us.
This method simply does not work. We can no longer just build what we think is right, and hope for the best. We can no longer rely on the tools to do what they are supposed to do. We can’t assume our people and our teams have enough time in the day to understand how every single line of configuration on every single security tool in our giant enterprise of security tools is supposed to work together to stop attacks.
Instead, we need to constantly validate. We need to know, in real time, if security is actually working against attacks. Every time we implement a new technology. Every time we change configuration or update policy. We need to be sure we are not introducing risk when we make updates. We need to be sure that new attacks aren’t able to thwart are defenses. Every single day.
We can’t wait until after the fact to figure out what went wrong. We need to find out first, fix our weaknesses, and then re-validate continuously.
We know the right thing to do. We just typically do it last, and call it hindsight. That needs to become “Foresight.” No, I am not trying to suggest a psychic hotline, or a modified DeLorean here. I’m suggesting that we stop waiting until after the attack to find out where our weaknesses are.
Instead, we need to actively and continuously discover our weaknesses BEFORE the attackers do it for us. We need to use the same real, proven techniques attackers use – creatively and relentlessly – to validate the security of our environments. We need to see where real attacks can break in, move laterally, and steal data. And we then need to plug those holes.
It’s no time for half-measures. Yes, Equifax was breached via a vulnerability in Apache Struts 2. But don’t fall for vendors who simply say they can help you see if your business is also vulnerable to that specific attack. PCAPs or simple recordings of attacks may help you find a specific network attack. But attackers won’t stop at one specific network attack. They’ll iterate, pivot, and get creative. They’ll infect an endpoint, or uncover other blind spots – they play on the unknown-unknowns.
It’s time for a full paradigm shift into proactive security. Offensive security. It’s time to harness the power of the attacker to validate your defenses before a real attack. It’s time for continuous validation, not just monitoring. It’s time to turn the timeline around. It’s time for breach and attack simulation