Overview – Summary of Events
From 1-5 February 2017, various U.S. financial infrastructures reported network
disruptions and data breaches. The plaintiff corporations were the Experian and TransUnion
credit reporting agencies as well as segments of the financial automated clearinghouses.
Each entity’s public webpage was defaced. The web defacement was the same across all
plaintiffs’ websites (see figure 1); this strongly suggests the same threat actor was
behind each cyberattack. During this same timeframe, the above-mentioned financial
companies also reported distributed denial of service (DDoS) attacks against their private
servers. A DDoS attack makes an online service unavailable by overwhelming the web
application’s servers with traffic from multiple sources.
The cyberattack also included sensitive data exfiltration. Experian, TransUnion, and parts
of the financial automated clearinghouses detected unauthorized activity in customer accounts
and sensitive company files. We can only assume the threat actor obtained at least 30,000
individuals’ credit scores and private information, as well as sensitive files and information
from the financial entities themselves. Law enforcement representatives later discovered the
threat actor had extensive knowledge of network defense tools, particularly of zero-day
attacks. The targeted servers had not been updated with the latest network defense tool
software, making it possible for the threat actor to infiltrate the various networks.
How the Cyber Incident was Identified and Resolved
The financial infrastructure cyber incident was resolved in five days due to timely and
critical thinking. A 4-step systematic methodology was used to respond to the cyberattack:
identify the problem, contain the breach, eradicate the threat, and recover.
FOR OFFICIAL USE ONLY (FOUO)
WHITE HOUSE NATIONAL CYBER SECURITY TEAM
AFTER ACTION REPORT
Critical thinking was incorporated in an organic process by identifying the problem,
gathering information, and choosing and implementing the best course of action (Guffey,
1998). The specialists first needed to establish what happened by identifying the problem.
Why had financial infrastructure servers crashed? The specialists opened a command prompt
window and typed “netstat -an” to view the list of ports in use (Marsh, 2016). The results
revealed thousands of contiguous ports with their connections timing out, which pointed to
a DDoS attack. Cyber specialists then reasoned the threat actor may have caused further
harm in addition to the denial of service attack, so they thought to examine the security
of the data.
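The netstat check described above can be automated. The following Python example is added here for illustration and is not part of the original report. It assumes the Windows "netstat -an" column layout, uses hypothetical thresholds (min_conns, min_ratio), and runs on constructed sample output using documentation address ranges.

```python
from collections import Counter

# TCP states for connections that are half-open or winding down, not carrying traffic.
STALLED = {"SYN_RECEIVED", "TIME_WAIT", "CLOSE_WAIT", "FIN_WAIT_1", "FIN_WAIT_2", "LAST_ACK"}

def parse_netstat(text):
    """Yield (local_port, remote_ip, state) per TCP row of Windows `netstat -an` output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue  # skips banner, column header and UDP rows (no state column)
        local, remote, state = parts[1:]
        yield int(local.rsplit(":", 1)[1]), remote.rsplit(":", 1)[0], state

def flooded_ports(text, min_conns=20, min_ratio=0.5):
    """Return local ports where stalled connections dominate (thresholds are assumptions)."""
    total, stalled, sources = Counter(), Counter(), {}
    for port, ip, state in parse_netstat(text):
        if state == "LISTENING":
            continue  # a listener is not a connection
        total[port] += 1
        stalled[port] += state in STALLED
        sources.setdefault(port, set()).add(ip)
    return [
        {"port": p, "connections": n, "stalled": stalled[p], "sources": len(sources[p])}
        for p, n in sorted(total.items())
        if n >= min_conns and stalled[p] / n >= min_ratio
    ]

def constructed_sample(flood=40):
    """Constructed netstat output (documentation address ranges), not from a real host."""
    rows = [
        "Active Connections",
        "",
        "  Proto  Local Address          Foreign Address        State",
        "  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING",
        "  TCP    192.0.2.10:443         198.51.100.4:50211     ESTABLISHED",
        "  TCP    192.0.2.10:3389        198.51.100.9:50400     ESTABLISHED",
        "  UDP    0.0.0.0:123            *:*",
    ]
    for i in range(1, flood + 1):
        state = "SYN_RECEIVED" if i % 2 else "TIME_WAIT"
        rows.append(f"  TCP    192.0.2.10:443         203.0.113.{i}:{40000 + i}     {state}")
    return "\n".join(rows)

if __name__ == "__main__":
    for finding in flooded_ports(constructed_sample()):
        print(finding)
```

A flagged port with many distinct sources is consistent with the distributed pattern the report describes. A high count from one source points to a single misbehaving client instead.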