In 2017, the security world was rocked by a massive breach of personal information from consumer reporting agency Equifax. The scale of the damage (145.5 million impacted individuals), combined with the sensitivity of the data exposed (names, social security numbers, dates of birth, addresses and in some cases credit card numbers and driving license numbers), laid bare for the nation the risks posed by cyberattacks. Looking back five years on, a new category of security controls, External Attack Surface Management (EASM), has emerged that aims to help organizations harden their attack surface by continuously searching for unknown assets, security misconfigurations, and potential vulnerabilities.
While we cannot go back in time and prevent the Equifax breach, there are many companies that can learn from the incident to inform their strategies today.
What is External Attack Surface Management?
External Attack Surface Management (EASM) is an emerging category defined by SANS as the continuous discovery, inventory, classification, prioritization, and monitoring of an organization’s attack surface from an external attacker’s perspective.
EASM helps organizations identify internet and attacker-exposed IT assets and monitor them for unexpected changes and vulnerabilities (i.e., blind spots, misconfigurations, process failures) that increase the risk of attacks.
External attack surface management platforms, such as Randori Recon, prioritize these threats, so your patching resources are used to reduce risk and attackability as efficiently as possible while continuously monitoring for new threats that may emerge.
What Led To The Equifax Breach?
While massive in scale, the tactics, techniques and procedures used by the attackers in the Equifax breach are very similar to those seen by security teams every day. It was not a particularly sophisticated attack, leveraging known vulnerabilities against exposed assets, and on its face, could have happened to anyone.
According to the official report on the breach by the Government Accountability Office, the breach originated when attackers leveraged a known vulnerability in the Apache Struts web framework to gain access to an exposed web server owned by Equifax.
The asset was publicly exposed on the internet, and the attackers could have discovered it using open source tools such as Nmap or services such as Shodan.
The specific vulnerability (CVE-2017-5638) leveraged was first reported on May 3rd, 2017. Three weeks later, a proof of concept (POC) exploit was then posted to GitHub.
By mid-May, it is believed that the Equifax attackers most likely acquired a weaponized exploit via a 3rd party and used it to gain access to Equifax’s systems. By the end of the month, chatter of this exploit began appearing on criminal darkweb forums. At this point, the vulnerable server had been exposed for only a few weeks.
To quote Muhammad Ali, Equifax’s network was like a walnut, hard on the outside but soft on the inside. Once the Equifax attackers had successfully gained initial access, they were able to locate credentials, enumerate additional servers and move laterally.
Once the attackers had access to Equifax’s databases, they were able to successfully exfiltrate data for over 76 days without detection.
What Was The Impact of the Equifax Breach?
Similar to the T-Mobile hack making headlines today, the impact of the Equifax breach was both enormous in scope and immediate in its effect. As the de facto judge and jury for credit-worthiness in the United States, Equifax had nearly unrivaled insight into the personal finances of Americans, providing attackers with a treasure trove of data that could be used to steal, defame, or impersonate. Within two months of the initial infection, fraud prevention service Forter was noticing a 15 percent increase in credit card fraud, even before the hack was publicly disclosed.
On September 7, 2019, Equifax went public with the breach. Within 24 hours, multiple class-action lawsuits had been filed and members of Congress were calling for investigations, and within three weeks, the CEO of Equifax had resigned.
In total, the Equifax breach is estimated to have impacted 143 million Americans and cost Equifax more than $1.4B in direct costs. However, the impact on the industry has been far greater than even these numbers would suggest. Equifax put cybersecurity at the top of every corporate agenda and exposed the business importance of having good attack surface hygiene and the need for better vulnerability prioritization.
How Could External Attack Surface Management Have Helped Prevent the Equifax Breach?
- Faster Visibility: You can’t protect what you can’t see. By providing continuous attack surface monitoring of external assets, EASM solutions could have given the Equifax team faster visibility into the exploitable server and other risks on their perimeter, such as S3 buckets or exposed admin portals.
- Insight Into Risk: At the core of the Equifax breach was a failure to prioritize a known external risk (and then detect the intrusion). Had the Equifax team had a better understanding of the risk posed by the vulnerable server, it’s possible they could have prioritized patching it before attackers struck. With the average mean time to patch (MTTP) estimated at more than two months, a key challenge for security teams then, and now, is ensuring they are always patching the highest risk assets first. The best EASM solutions go far beyond traditional vulnerability scanners – leveraging their external perspective to provide security teams with a richer assessment of attackability. Randori does this by looking at a broader set of factors to estimate how likely an attacker is to go after a specific target.
- Established Urgency: Armed with evidence of external exposure and a broader 3rd party perspective of risk, an EASM tool such as Randori could have helped the Equifax team establish an internal sense of urgency around this asset in order to get it patched more quickly. Patching or any remediation action is always a balance between the security risk and business impact. While most organizations can tell you the exact business impact of an asset being offline, often down to the dollar, quantifying the security risk is often far harder. EASM solutions give security teams much-needed ammo in that fight, changing the conversation from “maybe” to “likely”.
- Validated Remediation: By providing continuous attack surface monitoring of external assets, EASM solutions enable security teams to close the loop and validate remediation – by showing that an asset is no longer exposed, that a patch has been applied or in some cases enabling teams to validate the efficacy of remediation through continuous and automated red teaming.
3 Questions External Attack Surface Management Can Help You Answer Today
- What’s Exposed?: 1 in 3 breaches starts with shadow IT. As the Equifax breach shows, having unknown or vulnerable assets exposed can pose a major business risk. External Attack Surface Management solutions, like Randori, provide an external perspective of your business using the same techniques used by advanced threat actors – so you always know what is exposed.
- What’s Exploitable?: Don’t fall victim to chasing every external asset; focus instead on finding the . There are many asset types – such as hostnames, network ranges, and parked domains – that your organization owns but can’t be weaponized by an attacker. These pose limited risk but can overload your team with operational noise – focus instead on the software attackers can go after.
- What’s Changed?: Your attack surface is always changing. New vulnerabilities, configuration changes, and new infrastructure are all important – continuous monitoring ensures your team is always working on the risks that matter most.
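The three questions above, worked through on two constructed inventory snapshots, as an added example that is not part of the original article or any vendor's product. It drops asset types that run no software, then reports which exposed services are new, gone (remediation validated) or re-versioned; the record fields, hostnames and software names are assumptions made for illustration.

```python
# Added example: triage two external-inventory snapshots (constructed data).
# Field names (type, host, port, software, version) are assumptions.

# Asset types the article lists as not weaponizable on their own.
NON_WEAPONIZABLE = {"hostname", "network_range", "parked_domain"}

YESTERDAY = [
    {"type": "service", "host": "portal.example.com", "port": 443,
     "software": "example-framework", "version": "1.0"},
    {"type": "hostname", "host": "old.example.com"},
]
TODAY = [
    {"type": "service", "host": "portal.example.com", "port": 443,
     "software": "example-framework", "version": "1.1"},
    {"type": "service", "host": "admin.example.com", "port": 8443,
     "software": "example-admin-portal", "version": "3.2"},
    {"type": "parked_domain", "host": "example-promo.com"},
    {"type": "network_range", "host": "203.0.113.0/24"},
]


def exploitable(snapshot):
    """What's exploitable: keep only assets that expose software."""
    return [a for a in snapshot
            if a["type"] not in NON_WEAPONIZABLE and a.get("software")]


def index(snapshot):
    """Key each exposed service by (host, port) for comparison."""
    return {(a["host"], a["port"]): a for a in exploitable(snapshot)}


def changes(before, after):
    """What's changed: new, removed and re-versioned exposed services."""
    old, new = index(before), index(after)
    report = {
        "new": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),  # exposure closed
        "version_changed": [],                       # e.g. patch applied
    }
    for key in sorted(new.keys() & old.keys()):
        if old[key]["version"] != new[key]["version"]:
            report["version_changed"].append(
                (key, old[key]["version"], new[key]["version"]))
    return report


if __name__ == "__main__":
    print(len(exploitable(TODAY)), "of", len(TODAY), "assets need review")
    print(changes(YESTERDAY, TODAY))
```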
How Randori Can Help:
Your attack surface may be expanding, but the work you do to protect it doesn’t have to grow with it. All you need is the attacker’s perspective. With Randori, you and your team can cut through the noise and stay focused on the risks that matter most.