It's Not About the Money, It's About Sending a Message: 18 Months After Equifax
One of the most famous scenes in Christopher Nolan's Dark Knight series is the scene where [SPOILER ALERT] The Joker burns a huge pile of money representing half of the entire mob's "life savings". When asked why he's doing such an unthinkable thing, The Joker simply responds with "It's not about the money, it's about sending a message". The meaning behind this has been debated endless in online forums, but this message resonates well in the cyber world where nation state actors spend countless millions of dollars on obtaining information with no clear profit motive.
This past week marked 18 months since the Equifax data breach that exposed the personal information for up to 145 million Americans, nearly half of the population in the US and most of the adult population. On the 18 month anniversary of the breach, a senate committee report blasted Equifax for failing even the most basic and rudimentary cybersecurity practices. In short, the report suggests Equifax could have easily prevented the massive breach. The Equifax breach differed from previous breaches such as Home Depot or Target in that consumers have a conscious choice to patronize these retailers and "opt in" to having their data in their respective ecosystems. Equifax as a data broker collected this information on nearly every American often without their knowledge or consent.
Among the facts unearthed in the committee report were that Equifax did not have a proper IT security audit until 2015 and that it failed that audit, citing over 8500 unpatched vulnerabilities with more than 1000 of them rated as “critical" or "high risk". Even after failing the audit, Equifax had an "honor system" of patching vulnerabilities and there was no accountability post-audit. A follow-up audit was never conducted and security patches were not implemented in accordance with internal policies or deadlines.
Last month, CNBC reported that after an exhaustive search on hacker forums and the Dark Web (sites only available through the anonymizing service TOR), the stolen data from the Equifax breach was nowhere to be found. This supports and almost confirms initial suspicions that this was a state-sponsored attack with a specific target or targets in mind. The information stolen from Equifax included full names, social security numbers, dates of birth, driver's license numbers, among other personal information that would constitute a gold mine of data for identity thieves. Stolen identity records regularly sell for at least several dollars each, so the mother lode of data from the consumer data theft of the decade would easily be worth potentially hundreds of millions of dollars. Stolen identity information also loses value over time as consumers learning about the breach will put in credit freezes making the stolen data potentially worthless. It is in the thieves' best interest to sell and unload the data as quickly as possible to maximize its value. However, according to CNBC, that data has simply disappeared. After interviewing 8 cybersecurity experts and "hunters" of personal information, they all concluded that while the breach did occur, the stolen data has not been seen for sale anywhere. The data has simply not been used in a way consistent with past data thefts of this nature: sold for identity theft, used to impersonate someone, or to gain access to other accounts in the victim's name. There is only one type of cyber attacker with this methodology, the nation-state actor.
In 2009, the US and Israel allegedly created and released a piece of malware which would later be called "Stuxnet" with the intention of setting back Iran's nuclear weapons program. At the time of Stuxnet’s development, there were approximately 14 million new threats developed each year. Of those 14 million, only 14 of these threats would be considered a zero-day threat; a threat leveraging an exploit never seen in the wild and has no known mitigation or defense. Zero day exploits are literally one in a million and therefore command an astounding price tag; often fetching more than $1 million per zero day. The United States and Israel allegedly used three zero day exploits in creating Stuxnet putting the price tag on the development of the malware to at least $3 million US dollars. This does not include the manpower performing reconnaissance against the Iranian nuclear enrichment facilities, developing the rest of the malicious payload, and finding an infection vector. There was no profit motive for the US and Israel to develop Stuxnet, as it had a sole purpose of destabilizing the Iranian nuclear enrichment and setting back its nuclear weapons program when traditional diplomacy had failed. Many would argue that spending a few million dollars would be preferable than the alternative of using conventional weapons against Iran or having a nuclear-armed Iranian regime, but there was no clear profit motive for the malware authors and expended great resources in achieving their end goal.
With this in mind, it makes perfect sense that the Equifax breach was state-sponsored with a narrowly tailored focus. One prevailing theory is that a nation state actor stole this information in order to combine it with other stolen data to determine the identities of foreign agents or spies. The data stolen from the Office of Personnel Management (OPM) could be combined with the data from the Equifax breach to unmask spies or identify assets that could potentially be turned, such as high ranking officials with financial distress. Emerging technologies such as artificial intelligence and machine learning have made the process of cross referencing and correlating data even easier.
Advanced persistent threats are just that, persistent. If a nation state wishes to obtain access or a key piece of information, they have almost unlimited budgets to achieve their goal. China allegedly hacked RSA security to compromise is SecurID two-factor system in order to gain access to Lockheed Martin's F-35 project files. Even tech giants like Google, Apple, and Yahoo! are not immune to the long reach of the NSA's Tailored Access Operations group, as evidenced by the Snowden leaks.
However, organizations can take steps to protect themselves and make them much less attractive targets. Just like the joke that when going camping, you do not have to outrun an attacking bear, you simply have to outrun another member of your group; let someone less protected be the target of attackers. Cybersecurity defense in depth starts with the user and user awareness training. If users do not click on links they do not know and do not open attachments from unknown sources, that would eliminate a good percentage of attack vectors. Since users cannot be expected to perform perfectly every time, a security stack as a service that follows the user no matter where he or she goes is a great step in securing the organization. Over 80% of the internet's traffic today is TLS encrypted and attackers are taking advantage of that by concealing malware and exfiltrating data in TLS encrypted channels. A security solution with native SSL inspection is needed to ensure nothing bad comes into the organization and nothing good leaves. While patch management is very important in preventing known attacks, it is often viewed with the same priority as flossing teeth; something that can simply be pushed off until tomorrow. Vendors who participate in Microsoft and Adobe's active protection program are automatically notified in advance of upcoming patches so users are protected against these new attacks even before physical systems can be patched.
To nation state actors, every system has a vulnerability. It is up to organizations to minimize these vulnerabilities by implementing systems that are always up to date and are patched automatically.