Case Studies: Cybersecurity in the Organisation

Stasy Hsieh
6 min read · Oct 11, 2024


Summary of the Talk (Module 2, Topic 4, Video 1):

The lesson focuses on cybersecurity at the organizational level by analyzing two significant cyber attacks: the Equifax breach and the SolarWinds attack.

1. Equifax Breach (2017):

• A vulnerability in Apache Struts 2 allowed remote attackers to execute arbitrary code on the servers, which compromised the data of 145 million individuals, including Social Security numbers.

• Although a patch was quickly issued, Equifax failed to identify the vulnerable systems and was subsequently attacked.

• The attackers installed a web shell, exfiltrated data, and remained undetected for over four months. The breach resulted in financial costs, executive retirements, lawsuits, and damaged reputation.

• The adversary’s identity remains unclear, though it might be linked to a nation-state actor due to similarities to other attacks like the Office of Personnel Management hack.
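The summary above says that Equifax could not identify which of its applications were running the vulnerable Struts version, even though a patch existed. The Python script below is an added example (not from the course notes and not Equifax's code) of the kind of inventory check that closes that gap: it reads a constructed list of deployed applications and the jars they bundle, extracts the struts2-core version and compares it against assumed fixed versions per release branch (placeholder values in the script; take the real ones from the vendor advisory). Applications on a branch the table does not know are reported for manual review rather than silently marked safe, which is the edge case that an inventory check most often gets wrong.

```python
"""Inventory check for a vulnerable library version.

Added example, not the course's or Equifax's code.  Every application name,
jar file and version threshold below is constructed for illustration.
"""
import re

# Assumed fixed versions per release branch (placeholders: read the real
# values from the vendor advisory before relying on this check).
FIXED_VERSIONS = {
    "2.3": (2, 3, 32),
    "2.5": (2, 5, 10, 1),
}

# Matches the library jar and captures its dotted version, e.g. "2.3.31".
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True if below the fixed version of its branch, False if at/above,
    None if the branch is not in the table (needs manual review)."""
    branch = ".".join(str(part) for part in version[:2])
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return None
    return version < fixed


def find_struts_version(jar_names):
    """Return the struts2-core version bundled in an application, or None."""
    for name in jar_names:
        match = JAR_RE.search(name)
        if match:
            return parse_version(match.group(1))
    return None


def audit(inventory):
    """inventory: {application: [jar file names]} -> {application: status}.

    status is one of 'vulnerable', 'patched', 'review' (unknown branch)
    or 'no-struts' (library not bundled, nothing to do)."""
    report = {}
    for app, jars in inventory.items():
        version = find_struts_version(jars)
        if version is None:
            report[app] = "no-struts"
            continue
        verdict = is_vulnerable(version)
        if verdict is None:
            report[app] = "review"
        else:
            report[app] = "vulnerable" if verdict else "patched"
    return report


# Constructed inventory: what a deployment scanner or CMDB export might hold.
SAMPLE_INVENTORY = {
    "consumer-portal": ["struts2-core-2.3.31.jar", "log4j-1.2.17.jar"],
    "dispute-portal": ["struts2-core-2.5.10.1.jar"],
    "batch-reporting": ["spring-core-4.3.7.jar"],
    "partner-api": ["struts2-core-2.5.10.jar"],
    "legacy-intranet": ["struts2-core-2.1.8.jar"],
}

if __name__ == "__main__":
    for app, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{app:20s} {status}")
```

The version tuples make a shorter release sort below a longer one with the same prefix, so 2.5.10 is correctly reported as older than 2.5.10.1. Real deployments need the jar list to come from the servers themselves (a file-system scan or a software bill of materials), not from a spreadsheet, since the spreadsheet is exactly what was wrong in the Equifax case.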

2. SolarWinds Attack (2020):

• The adversary infiltrated SolarWinds’ network, compromising the software build process. They injected malicious code (Sunburst) into the Orion network monitoring software, which was then downloaded by thousands of customers, including government and private networks.

• The attackers used sophisticated techniques to avoid detection and targeted specific victims for espionage. They gained backdoor access and escalated their privileges to exfiltrate sensitive information.

• The United States government later attributed the attack to Russia’s Foreign Intelligence Service (SVR).

Both attacks are analyzed using the diamond model, focusing on adversary, capability, infrastructure, and victim.

System Navigation:

  1. Log in to Canvas and find “Module 2: Cybersecurity in the Organisation”. The following is a summary of the lectures, together with the notes I find important for myself.

On this website you can see loads of beautiful diagrams about hacks and the damage they caused:

https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks

Now, let’s analyze two cases with the diamond model, which breaks down an incident into four key parts: Adversary, Infrastructure, Capability, and Victim.

A. Equifax Attack Flow (2017)

a. Timeline

March 5, 2017

• Vulnerability discovered in Apache Struts 2

March 7, 2017

• Patch released by Apache

• Equifax ordered patch deployment

March 10, 2017

• Equifax fails to identify vulnerable applications

• Attackers exploit the vulnerability

• Web shell installed on Equifax servers

• Data exfiltrated: Social Security numbers, birth dates, etc.

July 29, 2017

• Attack discovered by Equifax

• 30 backdoors found; consumer portal taken offline

August 2017

• Public disclosure of the breach

• Stock price declines; class action lawsuits

b. Equifax Attack — Diamond Model Analysis

c. Explanation of the Flow:

1. Adversary: The attacker initiates the attack by exploiting a vulnerability in Apache Struts 2, targeting Equifax’s infrastructure to steal sensitive data.

↓ (From Adversary to Infrastructure): The adversary uses advanced tools to breach Equifax’s infrastructure by exploiting the Apache Struts 2 vulnerability.

2. Infrastructure: Once inside, the adversary installs a web shell and uses command-and-control (C2) servers to exfiltrate sensitive data from Equifax.

↑ (From Infrastructure to Adversary): The stolen data (Social Security numbers, personal information) is exfiltrated back to the adversary via C2 servers.

3. Victim: Equifax, the victim, experiences significant financial, legal, and reputational damage due to the breach of highly sensitive personal data.

↓ (From Infrastructure to Victim): Equifax’s systems were compromised due to the failure to patch the vulnerability and the adversary’s persistence within their network.

4. Capability: The attacker’s capabilities, including the ability to execute arbitrary code and tunnel through security, allowed them to set up multiple backdoors and maintain access.

↑ (From Capability to Infrastructure): These capabilities were used to establish and maintain persistence in Equifax’s infrastructure, allowing the adversary to continue exploiting the system and exfiltrating data.
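In the flow above, the web shell on the Equifax servers went unnoticed for months. The Python below is an added detection example, not part of the course notes: it builds a baseline of endpoints seen during a known-good period, then flags POST requests in later access logs that go to script-type paths which never appeared in that baseline. A server-side script that suddenly exists under a static-content directory and only ever receives POSTs is how a freshly dropped web shell tends to show up in web logs. All log lines are constructed; the paths and IP addresses are invented for illustration.

```python
"""Flag POST requests to server-side scripts that were never part of the
application: a simple web shell indicator.  Added example, not from the
notes; all log lines, paths and addresses below are constructed."""
import re
from collections import defaultdict

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)'
)
SCRIPT_EXTENSIONS = (".jsp", ".jspx", ".php", ".aspx", ".cgi")


def parse(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def endpoint(path):
    """Strip the query string so /a.jsp?x=1 and /a.jsp count as one endpoint."""
    return path.split("?", 1)[0]


def known_endpoints(lines):
    """Every endpoint requested during the baseline period (any method)."""
    return {endpoint(rec["path"]) for rec in map(parse, lines) if rec}


def suspicious_script_posts(lines, baseline):
    """POSTs to script-type endpoints absent from the baseline, grouped by
    endpoint with the set of source addresses and the request count."""
    findings = defaultdict(lambda: {"ips": set(), "posts": 0})
    for rec in map(parse, lines):
        if not rec or rec["method"] != "POST":
            continue
        path = endpoint(rec["path"])
        if path.lower().endswith(SCRIPT_EXTENSIONS) and path not in baseline:
            findings[path]["ips"].add(rec["ip"])
            findings[path]["posts"] += 1
    return dict(findings)


# Constructed baseline traffic (known-good period).
BASELINE_LOG = [
    '10.0.0.5 - - [01/Mar/2017:10:00:01 +0000] "GET /portal/index.jsp HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Mar/2017:10:00:07 +0000] "POST /portal/login.action HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Mar/2017:10:01:15 +0000] "POST /portal/dispute/submit.jsp HTTP/1.1" 200 812',
]

# Constructed later traffic: a new script under a static-content directory
# starts receiving POSTs from outside addresses.  One unparsable line is
# included to show that the parser skips it instead of crashing.
MONITORED_LOG = [
    '10.0.0.5 - - [12/Mar/2017:02:13:01 +0000] "GET /portal/index.jsp HTTP/1.1" 200 5120',
    '198.51.100.23 - - [12/Mar/2017:02:14:44 +0000] "POST /portal/images/cache.jsp HTTP/1.1" 200 143',
    '10.0.0.9 - - [12/Mar/2017:02:14:50 +0000] "POST /portal/dispute/submit.jsp HTTP/1.1" 200 790',
    '198.51.100.23 - - [12/Mar/2017:02:15:09 +0000] "POST /portal/images/cache.jsp?s=1 HTTP/1.1" 200 2048',
    '203.0.113.8 - - [12/Mar/2017:03:40:31 +0000] "POST /portal/images/cache.jsp HTTP/1.1" 200 96',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    baseline = known_endpoints(BASELINE_LOG)
    for path, info in suspicious_script_posts(MONITORED_LOG, baseline).items():
        print(f"{path}: {info['posts']} POSTs from {sorted(info['ips'])}")
```

The legitimate `submit.jsp` POSTs are not flagged because that endpoint is in the baseline, and the `.action` login endpoint is ignored because it is not a raw script file. In practice the baseline should be rebuilt whenever the application is deployed, and the finding should be joined with file-system evidence (a script file whose creation time postdates the last deployment) before anyone is paged.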

B. SolarWinds Attack Flow (2020)

a. Timeline

March to June 2020

• Sunspot injector inserted into the SolarWinds build process

• Malicious code (Sunburst) embedded in the Orion software

• Compiled code signed and distributed to customers

• Backdoor installed on target networks via software updates

• Reconnaissance of victim networks

• Connection established to command and control (C2) servers

• Backdoor enables lateral movement, credential theft, and data exfiltration

• Specific targets identified and monitored

• U.S. government attribution to Russian SVR

b. Diamond Model Analysis for the SolarWinds Attack

c. Explanation of the Flow:

1. Adversary: The Russian Foreign Intelligence Service (SVR) is attributed as the adversary behind the attack, focusing on espionage and targeting high-value government and enterprise networks.

↓ (From Adversary to Infrastructure): The adversary initiates the attack by infiltrating SolarWinds’ build process and injecting the Sunspot and Sunburst malware into the Orion platform.

2. Infrastructure: The adversary compromises SolarWinds’ infrastructure by embedding malicious code in their software build process and setting up command-and-control (C2) servers to communicate with infected victim networks.

↑ (From Infrastructure to Adversary): Data from compromised networks is exfiltrated through the command-and-control infrastructure to the adversary.

↓ (From Infrastructure to Victim): The victim’s systems are affected when they unknowingly install the compromised Orion software, which opens a backdoor into their networks.

3. Victim: The victims include thousands of government agencies and private corporations worldwide that installed the compromised Orion software. Sensitive data and emails were exfiltrated, and the attackers remained persistent in these networks for espionage purposes.

↑ (From Victim to Adversary): Sensitive data and emails were exfiltrated from the victim’s systems to the adversary’s infrastructure.

4. Capability: The adversary used their technical capabilities to infiltrate SolarWinds’ software supply chain, insert backdoors into Orion software, and maintain long-term access to victim networks.

↑ (From Capability to Infrastructure): These capabilities allowed the adversary to maintain persistence within victim systems, avoid detection, and continue exfiltrating data through C2 servers.
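The flow above turns on one detail: the tampered Orion build was compiled and signed by SolarWinds' own pipeline, so every customer's signature check passed. The Python below is an added example (not SolarWinds' code and not from the course) that models why. A toy deterministic compiler builds an artifact from constructed source files, an `injector` hook stands in for the build-process tampering, and an HMAC over the artifact stands in for the real digital signature (a symmetric stand-in chosen so the example runs with the standard library alone; the verification logic is the same shape). The signature check passes on the tampered artifact; only an independent rebuild from the reviewed sources, the reproducible-build comparison, reveals that the release does not derive from them.

```python
"""Why a valid code signature did not protect Orion customers: the signature
covers whatever the build produced.  Added example, not SolarWinds' or the
course's code; the sources, key and injected marker are constructed."""
import hashlib
import hmac

SIGNING_KEY = b"constructed-demo-signing-key"  # stands in for the vendor's private key

# Constructed source tree, i.e. what code review in the repository sees.
SOURCES = {
    "Program.cs": "static void Main() { Monitor.Run(); }",
    "Telemetry.cs": "class Telemetry { void Send() { /* report metrics */ } }",
}


def compile_sources(sources):
    """Toy deterministic compiler: the artifact is a fixed serialisation of
    the sources, so the same input always yields the same bytes."""
    return "".join(f"// {name}\n{body}\n" for name, body in sorted(sources.items())).encode()


def sign(artifact, key):
    """HMAC-SHA256 stands in for a real digital signature (symmetric, stdlib only)."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def verify_signature(artifact, signature, key):
    """What a customer's installer checks: was this artifact signed with the vendor key?"""
    return hmac.compare_digest(sign(artifact, key), signature)


def build_on_server(sources, key, injector=None):
    """Build and sign as the vendor's CI server would.  `injector`, if given,
    models build-process tampering: it changes what is compiled without
    touching the repository, so review of `sources` sees nothing wrong."""
    effective = injector(sources) if injector else sources
    artifact = compile_sources(effective)
    return artifact, sign(artifact, key)


def tamper(sources):
    """Constructed stand-in for an injector: appends a marker to one file at
    build time.  A harmless comment here; the mechanism is the point."""
    modified = dict(sources)
    modified["Telemetry.cs"] += "\n// constructed marker: added during the build, not in the repo"
    return modified


def reproducible_check(released_artifact, sources):
    """Independent rebuild from the reviewed sources.  A digest mismatch means
    the release does not derive from what was reviewed, valid signature or not."""
    released = hashlib.sha256(released_artifact).digest()
    rebuilt = hashlib.sha256(compile_sources(sources)).digest()
    return released == rebuilt


def demo():
    """Return {build: (signature_valid, matches_rebuild)} for a clean and a tampered build."""
    clean, clean_sig = build_on_server(SOURCES, SIGNING_KEY)
    bad, bad_sig = build_on_server(SOURCES, SIGNING_KEY, injector=tamper)
    return {
        "clean": (verify_signature(clean, clean_sig, SIGNING_KEY), reproducible_check(clean, SOURCES)),
        "tampered": (verify_signature(bad, bad_sig, SIGNING_KEY), reproducible_check(bad, SOURCES)),
    }


if __name__ == "__main__":
    for name, (sig_ok, rebuild_ok) in demo().items():
        print(f"{name:8s} signature valid: {sig_ok}  matches rebuild from source: {rebuild_ok}")
```

The tampered build reports `signature valid: True` and `matches rebuild from source: False`, which is the whole lesson: a signature proves who signed, not that what was signed came from the reviewed source. The defensive control this points at is a second, independently operated builder whose output digest must match the release before it is signed or shipped.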

Keywords and Definitions:

1. Zero-Day Vulnerability: A security flaw in software that is unknown to the vendor and remains unpatched. Attackers exploit this vulnerability before developers can fix it, as seen in the SolarWinds attack.

2. Arbitrary Code Execution: A vulnerability that allows attackers to execute any command of their choosing on a target system. In the Equifax breach, arbitrary code was executed on vulnerable systems.

3. Web Shell: A script or application that provides attackers with remote control over a web server. In the Equifax breach, a web shell was used to gain a foothold in the system.

4. Exfiltration: The unauthorized transfer of data from a computer or network. Both the Equifax and SolarWinds attackers exfiltrated sensitive data from their victims.

5. Backdoor: A hidden method of bypassing security controls to gain unauthorized access to a system. In the SolarWinds attack, the Sunburst backdoor allowed attackers to access target systems.

6. Command and Control (C2) Server: A server used by attackers to communicate with compromised machines, sending commands and receiving stolen data. In the SolarWinds attack, C2 servers managed the malware’s operations.

7. Privilege Escalation: The process of gaining elevated access to systems or networks by exploiting vulnerabilities. The attackers in the SolarWinds attack used this technique to gain access to sensitive accounts.

8. Advanced Persistent Threat (APT): A long-term, targeted attack where the adversary gains unauthorized access to a network and remains undetected for an extended period. The SolarWinds attack is an example of an APT conducted for espionage purposes.

9. Digital Signature: A cryptographic value used to verify the authenticity and integrity of software. In the SolarWinds attack, malicious code was signed digitally to make it appear legitimate.

10. Supply Chain Attack: A type of cyber attack where the adversary targets less-secure elements in a supply network to access the primary target. The SolarWinds attack exploited vulnerabilities in the software supply chain to spread malware.
