RSA Attack Analysis
Karl F. Lutzen, CISSP
S&T Information Security Officer
RSA Attack
– March 2011: RSA had a data breach
– Attacker stole information which affected some 40 million two-factor authentication tokens
– The devices are used in private industry and government agencies
– Each token produces a 6-digit number every 60 seconds
RSA Attack Analysis
– An Advanced Persistent Threat (APT)
– A structured (advanced), targeted attack (persistent), intent on gaining information (threat)
RSA Background
– RSA is a security company that employs a great number of security devices to prevent such a data breach
– The methods used bypassed many of the controls that would otherwise have prevented a direct attack
Attacker Initial Steps
– Attackers acquired valid addresses of a small group of employees
– If the attackers had spammed all possible addresses, it would have given them away and made prevention/detection by RSA much easier
Phishing E-mails
– Two different phishing e-mails sent over a two-day period
– Sent to two small groups of employees, not particularly high profile or high value targets
– Subject line read: 2011 Recruitment Plan
– SPAM filtering DID catch it, but put it in the Junk folder
Employee Mistake
– One employee retrieved the e-mail from the Junk mail folder
– The e-mail contained an Excel spreadsheet entitled: 2001 Recruitment Plan.xls
– The spreadsheet contained a zero-day exploit through Adobe Flash (since patched)
– Installed a backdoor program to allow access
Remote Administration Tool (RAT)
– Attackers chose to use the Poison Ivy RAT
– Very tiny footprint
– Gives the attacker complete control over the system
– Set in reverse-connect mode: the compromised system reaches out to get commands, a fairly standard method of getting through firewalls/IPS
Digital Shoulder-Surfing
– Next the attackers just sat back and digitally listened to what was going on with the system
– The initial system/user didn’t have adequate access for their needs, so they needed to step to another system to go further
Harvesting
– Since the initial platform wasn’t adequate, attackers harvested credentials (user, domain admin, service accounts)
– Next, performed privilege escalation on non-admin users on other targeted systems
– Goal: gain access to high value systems/targets
The Race
– During the stepping from system to system, security controls detected an attack in progress
– The race was now on: the attacker had to move very quickly during this phase of finding a valuable target
Data Gathering
– Attacker established access at staging servers at key aggregation points to retrieve data
– As they visited servers of interest, data was copied to the staging servers
– Staging servers aggregated, compressed, encrypted and then FTP’d the data out
Receiving Host
– The target receiving the data was a compromised host at an external hosting provider
– The attacker then removed the files from the external compromised host to remove traces of the attack
– This also hid the attacker’s true identity/location
Lessons Learned
– Weakest link: a human
– Layered security: not adequate to prevent the attack
– Upside: able to implement new security controls that up to this point were considered too restrictive
Karl’s Changes
– What follows would be the changes I’d make at RSA
– Note, they are a commercial company and do not have the open requirements higher education has. Two different beasts.
– If I were to implement these, very likely I’d be doing a different job…
Changes
– Traffic shaping both ways (firewall port blocking isn’t enough)
– Block all but specific protocols
– IDS/IPS on all those protocols
– Aggressive use of DMZ: isolate systems
– Isolate workstations from one another
– Clean Access Solutions on all systems
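Two of the traffic patterns in this case, the reverse-connect RAT checking in for commands (RAT slide) and bulk FTP egress from staging servers to an external host (Data Gathering slide), are exactly what an IDS on the few allowed protocols could flag. The Python below is an added example, not from the talk or from RSA: the flow records are constructed, and the internal address ranges, beacon regularity and volume thresholds are assumptions.

```python
"""Flag reverse-connect beaconing and bulk FTP egress in outbound flow logs."""
import ipaddress
import statistics
from collections import defaultdict

# Assumed internal address space (RFC 1918); anything else counts as external.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows (not real RSA data): (epoch_seconds, src, dst, dst_port, bytes_out)
FLOWS = [
    (1000, "10.1.5.23", "203.0.113.9", 443, 512),        # workstation checks in...
    (1060, "10.1.5.23", "203.0.113.9", 443, 498),        # ...every 60 s
    (1120, "10.1.5.23", "203.0.113.9", 443, 530),
    (1180, "10.1.5.23", "203.0.113.9", 443, 505),
    (1010, "10.1.5.23", "10.1.0.4", 445, 40000),         # internal SMB, ignored
    (2000, "10.2.0.50", "198.51.100.77", 21, 70_000_000),  # staging server FTPs out
    (2300, "10.2.0.50", "198.51.100.77", 21, 65_000_000),
    (2500, "10.2.0.51", "10.2.0.9", 21, 90_000_000),      # internal FTP, ignored
]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def find_beacons(flows, min_hits=4, max_jitter=0.2):
    """(src, dst) pairs that contact an external host at a near-constant interval:
    the 'system reaches out to get commands' pattern of a reverse-connect RAT."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _nbytes in flows:
        if is_external(dst):
            by_pair[(src, dst)].append(ts)
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if statistics.pstdev(gaps) <= max_jitter * statistics.mean(gaps):
            hits.append(pair)
    return hits

def find_ftp_egress(flows, threshold=100_000_000):
    """{(src, dst): bytes} for FTP control-port sessions to external hosts whose
    cumulative outbound volume exceeds threshold (assumed 100 MB)."""
    totals = defaultdict(int)
    for _ts, src, dst, port, nbytes in flows:
        if port == 21 and is_external(dst):
            totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total > threshold}
```

Real deployments would read flows from the firewall or NetFlow collector and tune the jitter and volume thresholds to the site's baseline.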
Biggest Change
– Mandatory monthly security awareness training for everyone (breaking it into monthly modules makes it tolerable)
– Needs to be interesting/fun: door prizes, etc.
RSA Attack: Credits analysis-lessons-learned/