Letting Attackers Lead: The Equifax Example

Equifax was breached. They told the world September 10th. The analysis began immediately. And so did breach simulation from SafeBreach.

Not only did we release two new breach methods thought to be part of this attack, but SafeBreach customers were likely already validating their security against the techniques used well ahead of the announcement from Equifax. No, we don’t have a time machine... But we do have thousands of proven attack methods that are often reused in new and emerging attacks.

So far, we have released two new breach methods thought to have been part of the Equifax attack: #1360 and #1367, corresponding to CVE-2017-9805 and CVE-2017-5638, both of which are vulnerabilities in Apache Struts 2. And as more details become available, we’ll do what we always have: create more methods as needed.

The power of the playbook

The SafeBreach Labs research team is always adding new methods to our playbook. Whether they are newly found attacks from the wild, or new attacks the research team creates themselves (such as those featured on-stage at Black Hat and DEFCON this year), our team has built the broadest playbook in the industry, with thousands of methods.

With this depth, we often find that headline-level attacks require no new content creation, because attackers often reuse existing techniques to compromise their targets. For example, proven methods were used in the LOKI2, WannaCry and HIDDEN COBRA campaigns. In these cases, SafeBreach customers were already validating their security controls before the attack was published, because these methods were already in the Hacker’s Playbook™ and therefore part of our customers’ continuous security validation.

In fact, the SafeBreach platform was designed to work this way from day one. By using a modular approach—where attacks are broken down into specific techniques, not simply static packet captures (PCAPs)—SafeBreach validates security against known attacks with a specific set of attack “moves” and also simulates as-yet-unknown attacks, where hackers get creative.

There is no one-size-fits-all

Attackers are relentless, and will try whatever they can—at every stage of an attack—to find and steal the data they’re after. They don’t have a static game plan that they execute and then give up if it fails. They move, stage by stage, into, across, and out of enterprises, always trying whatever they can to reach their next objective. Simulating attackers, therefore, can’t be done with PCAPs or other static methods. True breach and attack simulation requires the ability to be creative and flexible, like a real attacker, and to incorporate cloud, network, and endpoint attacks seamlessly.

SafeBreach built our attack simulation to do just that. We use the same attack techniques attackers do to proactively identify weaknesses in cloud, network, and endpoint security. And thanks to our modular approach, we don’t simply run static methods. We iterate, just like real attackers do. When one technique is blocked, we pivot to others. In this way, we run both replicas of proven attacks and the permutations of attacks that can be combined from our thousands of breach methods—just like a real adversary would.

Turn the tables on attacks

Security needs a paradigm shift. We can’t continue to wait for attackers to prove whether our tools, configuration, and processes are ready to stand against threats. We need to start proactively validating our security, in the same way attackers would. Only then can we ensure that our security is working as expected.

Doing anything less is just waiting.