1. RSA Attack Analysis
Karl F. Lutzen, CISSP, S&T Information Security Officer
2. RSA Attack
In March 2011, RSA had a data breach.
– The attacker stole information which affected some 40 million two-factor authentication tokens
– The devices are used in private industry and government agencies
– Each token produces a 6-digit number every 60 seconds
3. RSA Attack Analysis
An Advanced Persistent Threat (APT): a structured (advanced), targeted attack (persistent), intent on gaining information (threat).
4. RSA Background
RSA is a security company that employs a great number of security devices to prevent such a data breach.
The methods used bypassed many of the controls that would otherwise have prevented a direct attack.
5. Attacker Initial Steps
The attackers acquired valid email addresses of a small group of employees. If the attackers had spammed all possible addresses, it would have given them away and made prevention/detection by RSA much easier.
6. Phishing Emails
Two different phishing emails were sent over a two-day period, to two small groups of employees, not particularly high-profile or high-value targets.
– Subject line read: "2011 Recruitment Plan"
– SPAM filtering DID catch it, but put it in the Junk folder
7. Employee Mistake
One employee retrieved the email from the Junk mail folder.
– The email contained an Excel spreadsheet entitled: 2001 Recruitment Plan.xls
– The spreadsheet contained a zero-day exploit through Adobe Flash (since patched)
– It installed a backdoor program to allow access
8. Remote Administration Tool (RAT)
The attackers chose to use the Poison Ivy RAT.
– Very tiny footprint
– Gives the attacker complete control over the system
– Set in reverse-connect mode: the compromised system reaches out to get commands. A fairly standard method of getting through firewalls/IPS.
9. Digital Shoulder-Surfing
Next the attackers just sat back and digitally listened to what was going on with the system. The initial system/user didn’t have adequate access for their needs, so they needed to step to another system to go further.
10. Harvesting
Since the initial platform wasn’t adequate, the attackers harvested credentials (user, domain admin, service accounts). Next, they performed privilege escalation on non-admin users on other targeted systems. Goal: gain access to high-value systems/targets.
11. The Race
During the stepping from system to system, security controls detected an attack in progress. The race was now on: the attacker had to move very quickly during this phase of finding a valuable target.
12. Data Gathering
The attacker established access at staging servers at key aggregation points to retrieve data. As they visited servers of interest, data was copied to the staging servers. The staging servers aggregated, compressed, encrypted and then FTP’d the data out.
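As an added example (not from the presentation), the two network observables described on the RAT slide and on this slide, the reverse-connect check-in and the staging servers FTP’ing data out, expressed as detection logic over a constructed outbound-connection log; the log format, the thresholds and the 10.0.0.0/8 "internal" rule are assumptions for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound-connection log (not RSA's data). Field order is an
# assumption for this example: "<epoch> <src_ip> <dst_ip> <dst_port> <bytes_out>"
SAMPLE_LOG = """\
1300000000 10.1.2.3 203.0.113.7 443 512
1300000060 10.1.2.3 203.0.113.7 443 498
1300000120 10.1.2.3 203.0.113.7 443 530
1300000180 10.1.2.3 203.0.113.7 443 505
1300000240 10.1.2.3 203.0.113.7 443 520
1300000010 10.1.2.3 198.51.100.9 80 8000
1300000400 10.1.2.3 198.51.100.9 80 7200
1300000900 10.1.5.20 198.51.100.44 21 85000000
1300000950 10.1.5.21 10.1.5.20 445 120000
"""

def parse(text):
    """Turn log text into (ts, src, dst, port, bytes) tuples, skipping blank lines."""
    recs = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, nbytes = line.split()
            recs.append((int(ts), src, dst, int(port), int(nbytes)))
    return recs

def find_beacons(records, min_conns=4, max_jitter=0.2):
    """(src, dst) pairs contacted repeatedly at a near-constant interval, i.e. the
    reverse-connect check-in pattern. Returns [((src, dst), interval_seconds)]."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _nbytes in records:
        by_pair[(src, dst)].append(ts)
    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:   # low jitter => beacon
            hits.append((pair, round(avg)))
    return hits

def find_bulk_ftp(records, min_bytes=50_000_000):
    """Internal hosts pushing large volumes over FTP (ports 20/21) to external
    addresses, the staging-server exfiltration step. 10.0.0.0/8 is 'internal' here."""
    return [(src, dst, nbytes) for _ts, src, dst, port, nbytes in records
            if port in (20, 21) and not dst.startswith("10.") and nbytes >= min_bytes]
```

On the sample log, the 60-second check-ins from 10.1.2.3 and the 85 MB FTP push from 10.1.5.20 are flagged; the irregular web traffic and the internal SMB transfer are not.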
13. Receiving Host
The target receiving the data was a compromised host at an external hosting provider. The attacker then removed the files from the external compromised host to remove traces of the attack. This also hid the attacker’s true identity/location.
15. Lessons Learned
– Weakest link: a human
– Layered security: not adequate to prevent the attack
– Upside: able to implement new security controls that up to this point were considered too restrictive
16. Karl’s Changes
What follows would be the changes I’d make at RSA. Note, they are a commercial company and do not have the open requirements higher education has. Two different beasts. If I were to implement these, very likely I’d be doing a different job…
17. Changes
– Traffic shaping both ways (firewall port blocking isn’t enough)
– Block all but specific protocols
– IDS/IPS on all those protocols
– Aggressive use of DMZ: isolate systems
– Isolate workstations from one another
– Clean Access Solutions on all systems
18. Biggest Change
Mandatory monthly security awareness training for everyone (breaking it into monthly modules makes it tolerable). It needs to be interesting/fun: door prizes, etc.
19. RSA Attack: Credits
http://www.satorys.com/rsa-attack-analysis-lessons-learned/