After leaving the Coast Guard, he went on to become a sales giant with Big Blue, and of course you know where I ended up!
This old friend, we'll call him Mike (I call everyone Mike when I want to anonymize them), was working us through a 'so what' exercise on Thursday night when the phone rang at about 6:00 —it was WMUR, the local ABC affiliate, who wanted to come to the lab and interview us for comments on the Equifax breach. At that point I hadn't really kept up. Equifax is bad, but so are all of the others —OPM for example (which included most of my team). Equifax was just one more breach from a company who likely let their guard down for a moment, and ended up getting screwed as a result.
In preparing for the interview, I quickly pulled up our internal Kibana instance (you've heard me talk about the Cyber Threat Analysis Center? An ELK stack is one of the tools that we make available to our members). So... I pulled up our internal Kibana and punched in the search term *equifax* with a one year time window —and whadya know…
At the time, we knew that Equifax claimed to have identified the breach in late July. We suspected they'd actually suffered the breach earlier; it's rare to catch a breach on Day 0. It wouldn't surprise me to hear that the incredibly talented security team at Equifax caught it much earlier. I've met and had beers with these guys. They are scary smart like I was at that age ;) , and my bet is, they followed the same smart process that any large company would follow before reporting out… they identify the breach, investigate the breach, and at the same time, fix the hole and assess just how bad it is. They then break out the mop. The legal team decides how far it extends and what the reporting requirements are, and then, if they choose, the PR engine fires up. This entire effort could take anywhere from days to months. My estimate would have been that they actually suffered the breach approximately two to three months before they announced —sometime between late April and late May. Apparently I was close. Scuttlebutt says May.
So why the chart? We monitor all kinds of proprietary intelligence sources that give us leading indicators of when we think something might be coming. We had early warning on Amazon when Jeff Bezos was portrayed as the Devil Boss in the press a few years ago. We had increased levels of cyber activity (although we had no idea what it meant at the time) before the Paris shootings, and we had a leading edge spike in cyber indicators leading into the time when Equifax was believed breached. Of course this is all speculation at this time, but… what did we see?
- A trojan was sent, several times, to three people —a senior account manager in Mexico, the Information Security Officer in Costa Rica, and an email account that appears to be associated with an unemployment claims service.
- FACT - We saw activity on the leading edge of the currently believed timeline of the incident.
- FACT - That activity targeted three locations (people and email accounts) that would have had significant access:
  - The Senior Account Manager would have had access to Equifax's customer relationship management (CRM) systems —the database that contains all of the customer information, easily accessed by sales and marketing teams to allow tracking of sales efforts.
  - The Information Security Officer, if breached, would probably have administrative rights on some systems but not all. He would have knowledge of detailed local business unit operations, systems and locations of sensitive data.
  - The targeted email that we identified in our collections was associated with unemployment claims, and one (one that we saw) appeared to be sent from an Equifax user to a hospital —apparently looking for health information to support some kind of claim argument.
- ANALYTIC GAP - Did Equifax receive other emails like the ones that we saw, but with successful delivery?
- ANALYTIC GAP - Why the spike in activity on that day anyway? Why was that day so special, as to have received almost three times as much activity as any other day in the preceding twelve months, and to date following?
- We saw only part of the storm... the derivative of the storm. I believe that we may have seen activity generated by automated sensors, but it may have been only a small piece of what was actually happening.
- My bet is, others were targeted at the same time. In this case, we saw emails with, at the time, a VirusTotal detection rate of 2 out of 57 engines, and others were probably compromised.
- Some of what we saw were attempts to deliver ransomware —a diversion? Noise?
- Access occurred in Latin America (Central America if our indicators are true).
- The ISO was targeted to keep him from working.
- The Salesperson was targeted because sales people have access, and are easy targets.
- The unemployment line? No idea. Maybe because it was on the list??
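The Kibana search and the "almost three times as much activity as any other day" observation above can be reproduced offline. The following is an added example, not code from the original post or its lab: it builds the Elasticsearch query a one-year *equifax* keyword search with a daily histogram would send (assuming an `@timestamp` field and the modern `calendar_interval` syntax), and flags any day whose count dwarfs every other day in the window. The daily counts are constructed, not real collection data.

```python
from datetime import date, timedelta
import json


def build_query(term, start, end):
    """Query DSL for: free-text term, bounded time window, daily histogram.
    Field name '@timestamp' is an assumption about the index mapping."""
    return {
        "size": 0,
        "query": {"bool": {"must": [
            {"query_string": {"query": term}},
            {"range": {"@timestamp": {"gte": start, "lte": end}}}]}},
        "aggs": {"per_day": {"date_histogram": {
            "field": "@timestamp", "calendar_interval": "1d"}}},
    }


def find_spikes(buckets, ratio=3.0):
    """Return [(day, count)] for every day whose count is at least `ratio`
    times the highest count seen on any *other* day in the window."""
    spikes = []
    for i, (day, count) in enumerate(buckets):
        others = [c for j, (_, c) in enumerate(buckets) if j != i]
        if others and count >= ratio * max(others):
            spikes.append((day, count))
    return spikes


def constructed_buckets():
    """One year of constructed daily counts: a 0-4 event background
    with a single 13-event day in mid-May (the shape the post describes)."""
    start = date(2016, 9, 1)
    buckets = []
    for n in range(365):
        day = start + timedelta(days=n)
        count = (n * 7) % 5  # deterministic 0..4 background noise
        if day == date(2017, 5, 13):
            count = 13
        buckets.append((day.isoformat(), count))
    return buckets


if __name__ == "__main__":
    print(json.dumps(build_query("equifax", "now-1y", "now"), indent=1))
    for day, count in find_spikes(constructed_buckets()):
        print(f"spike on {day}: {count} events")
```

The same `find_spikes` check works on the real `per_day` buckets returned by Elasticsearch once they are flattened to `(key_as_string, doc_count)` pairs.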