RSA Attack Analysis Karl F. Lutzen, CISSP S&T Information Security Officer

Page 1:

RSA Attack Analysis

Karl F. Lutzen, CISSP

S&T Information Security Officer

Page 2:

RSA Attack

• March 2011, RSA had a data breach

– Attacker stole information which affected some 40 million two-factor authentication tokens

– Devices are used in private industry and government agencies

– Produces a 6 digit number every 60 seconds.

Page 3:

RSA Attack Analysis

• An Advanced Persistent Threat (APT): A structured (advanced), targeted attack (persistent), intent on gaining information (threat)

Page 4:

RSA Background

• RSA is a security company that employs a great number of security devices to prevent such a data breach

• Methods used bypassed many of the controls that would otherwise have prevented a direct attack

Page 5:

Attacker Initial Steps

• Attackers acquired valid email addresses of a small group of employees.

• If the attackers had spammed all possible addresses, it would have given them away and made prevention/detection by RSA much easier.

Page 6:

Phishing Emails

• Two different phishing emails sent over a two-day period.

• Sent to two small groups of employees, not particularly high profile or high value targets.

• Subject line read: 2011 Recruitment Plan

• SPAM filtering DID catch it but put it in the Junk folder

Page 7:

Employee Mistake

• One employee retrieved the email from the Junk mail folder

• Email contained an Excel spreadsheet entitled: 2001 Recruitment Plan.xls

• Spreadsheet contained a zero-day exploit through Adobe Flash (since patched).

– Installed a backdoor program to allow access.

Page 8:

Remote Administration Tool (RAT)

• Attackers chose to use the Poison Ivy RAT.

– Very tiny footprint

– Gives attacker complete control over the system

– Set in reverse-connect mode. System reaches out to get commands. Fairly standard method of getting through firewalls/IPS

Page 9:

Digital Shoulder-Surfing

• Next the attackers just sat back and digitally listened to what was going on with the system

• The initial system/user didn’t have adequate access for their needs, so they had to step to another system to go further.

Page 10:

Harvesting

• Initial platform wasn’t adequate, so attackers harvested credentials (user, domain admin, service accounts)

• Next, performed privilege escalation on non-admin users on other targeted systems. Goal: gain access to high value systems/targets.

Page 11:

The Race

• During the stepping from system to system, security controls detected an attack in progress. The race was now on.

• Attacker had to move very quickly during this phase of finding a valuable target.

Page 12:

Data Gathering

• Attacker established access at staging servers at key aggregation points to retrieve data.

• As they visited servers of interest, data was copied to staging servers.

• Staging servers aggregated, compressed, encrypted and then FTP’d the data out.
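The two network behaviours the slides describe, the RAT that "reaches out" on a schedule (slide 8) and the staging servers that FTP the compressed archives out (slide 12), both leave a trace in outbound connection logs. The script below is an added example written for this page, not code from the slides or from the cited analysis: it parses constructed firewall-style records and flags (1) a host whose connections to one external address recur at a nearly constant interval and (2) a large FTP session from an internal server to an external host. The log format, all addresses, the internal address ranges and the thresholds are assumptions made for the example.

```python
"""Detection pass over constructed outbound-connection logs.

Added example, not code from the original slides. It looks, from the
defender's side, for (1) a host that "reaches out" to one external address
at a regular interval, as a reverse-connect RAT does, and (2) a large
outbound transfer on the FTP control port from an internal server to an
external host. Log format, addresses and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed records: "timestamp src dst dport bytes_out" (bytes_out is the
# assumed per-session total as a flow collector would report it).
SAMPLE_LOG = """\
2011-03-01T09:00:00 10.1.1.25 203.0.113.7 443 512
2011-03-01T09:05:01 10.1.1.25 203.0.113.7 443 498
2011-03-01T09:10:00 10.1.1.25 203.0.113.7 443 530
2011-03-01T09:15:02 10.1.1.25 203.0.113.7 443 505
2011-03-01T09:20:00 10.1.1.25 203.0.113.7 443 511
2011-03-01T09:03:17 10.1.1.40 198.51.100.9 443 90213
2011-03-01T09:40:02 10.1.1.40 198.51.100.9 443 1204
2011-03-01T11:48:02 10.1.1.40 198.51.100.9 443 33012
2011-03-01T14:02:41 10.1.1.40 198.51.100.9 443 2048
2011-03-01T10:00:00 10.1.5.9 10.1.5.10 21 4096
2011-03-02T01:12:09 10.1.5.9 192.0.2.77 21 734003200
"""

# Assumed internal address space; anything outside it is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Turn the whitespace-separated records into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return records


def find_beacons(records, min_count=4, max_cv=0.1):
    """Flag (src, dst, dport) triples to external hosts whose connection
    intervals are nearly constant: stdev / mean of the gaps below max_cv.
    Returns (src, dst, dport, mean_gap_seconds) tuples."""
    by_flow = defaultdict(list)
    for r in records:
        if is_external(r["dst"]):
            by_flow[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    hits = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            hits.append((*flow, round(avg)))
    return hits


def find_ftp_exfil(records, min_bytes=100_000_000):
    """Flag FTP sessions from an internal host to an external host carrying
    at least min_bytes; internal-to-internal FTP is ignored."""
    return [r for r in records
            if r["dport"] == 21 and r["bytes"] >= min_bytes
            and not is_external(r["src"]) and is_external(r["dst"])]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, dst, port, period in find_beacons(recs):
        print(f"beacon: {src} -> {dst}:{port} every ~{period}s")
    for r in find_ftp_exfil(recs):
        print(f"ftp exfil: {r['src']} -> {r['dst']} {r['bytes']} bytes")
```

On the constructed data only 10.1.1.25 is reported as a beacon (five connections about 300 seconds apart), while 10.1.1.40, which also talks to one external host but at irregular times, is not; the 700 MB FTP session to 192.0.2.77 is reported, the small internal FTP transfer is not. Both checks are heuristics: a RAT that jitters its check-in interval raises the coefficient of variation, and exfiltration over HTTPS rather than FTP would need the volume check applied to other ports as well.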

Page 13:

Receiving Host

• Target receiving data was a compromised host at an external hosting provider.

• Attacker then removed the files from the external compromised host to remove traces of the attack.

• This also hid the attacker’s true identity/location.

Page 14:

Page 15:

Lessons Learned

• Weakest link: A human

• Layered Security: Not adequate to prevent

• Upside: Able to implement new security controls that up to this point were considered too restrictive.

Page 16:

Karl’s Changes

• What follows would be the changes I’d make at RSA.

• Note, they are a commercial company and do not have the open requirements higher education has. Two different beasts.

• If I were to implement these, very likely I’d be doing a different job…

Page 17:

Changes

• Traffic shaping both ways. (Firewall port blocking isn’t enough)

• Block all but specific protocols

• IDS/IPS on all those protocols

• Aggressive use of DMZ: Isolate systems

• Isolate workstations from one another

• Clean Access Solutions on all systems
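The bullets on this slide amount to a zone-based, default-deny policy in both directions. The script below is an added example written for this page, not the author's configuration or anything from RSA: it models workstations, a DMZ, servers and the internet as zones, keeps a short allowlist, drops everything else, and evaluates flows taken from the attack narrative (a direct reverse-connect from a workstation, workstation-to-workstation movement, FTP from a server to an external host). Zone ranges, ports and rules are assumptions made for the example.

```python
"""Default-deny, zone-based policy check.

Added example, not from the original slides. Models "block all but specific
protocols", "isolate workstations from one another" and "aggressive use of
DMZ" as an allowlist evaluated over constructed flows. Zones, addresses,
ports and rules are assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple

# Constructed zones; any address outside them is treated as "internet".
ZONES = {
    "workstations": [ip_network("10.1.0.0/16")],
    "servers": [ip_network("10.5.0.0/16")],
    "dmz": [ip_network("10.9.0.0/24")],
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dports: FrozenSet[int]  # empty set means any port


# Allowlist. Anything not matched is dropped, in both directions. There is
# deliberately no workstations->workstations and no workstations->internet
# rule: web traffic only leaves through the DMZ proxy on 3128 (assumed port).
ALLOW: List[Rule] = [
    Rule("workstations", "dmz", "tcp", frozenset({3128})),
    Rule("workstations", "dmz", "udp", frozenset({53})),
    Rule("workstations", "servers", "tcp", frozenset({443})),
    Rule("dmz", "internet", "tcp", frozenset({80, 443})),
]


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "internet"


def evaluate(src: str, dst: str, proto: str, dport: int) -> Tuple[bool, str]:
    """Return (allowed, reason) for one flow under the allowlist."""
    sz, dz = zone_of(src), zone_of(dst)
    for rule in ALLOW:
        if (rule.src_zone == sz and rule.dst_zone == dz
                and rule.proto == proto
                and (not rule.dports or dport in rule.dports)):
            return True, f"allow {sz}->{dz} {proto}/{dport}"
    return False, f"drop {sz}->{dz} {proto}/{dport} (no matching allow rule)"


def audit(flows):
    """Evaluate a list of (src, dst, proto, dport) flows; returns
    (flow, allowed, reason) triples."""
    return [(f, *evaluate(*f)) for f in flows]


# Constructed flows drawn from the attack narrative plus two legitimate ones.
NARRATIVE_FLOWS = [
    ("10.1.1.25", "203.0.113.7", "tcp", 443),   # RAT reverse-connect, direct
    ("10.1.1.25", "10.1.1.40", "tcp", 445),     # workstation to workstation
    ("10.5.2.3", "192.0.2.77", "tcp", 21),      # server FTPs data out
    ("10.1.1.25", "10.9.0.5", "tcp", 3128),     # workstation to proxy
    ("10.9.0.5", "203.0.113.7", "tcp", 443),    # proxy to the web
]

if __name__ == "__main__":
    for flow, ok, why in audit(NARRATIVE_FLOWS):
        print(("ALLOW " if ok else "DROP  ") + why)
```

Under this policy the direct reverse-connect, the workstation-to-workstation hop and the FTP exfiltration all fall through to the default drop, while the proxy path stays open. That proxy path is also the remaining gap: a RAT that speaks HTTP through the proxy is still allowed by this layer, which is why the slide pairs the protocol allowlist with IDS/IPS on exactly those protocols.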

Page 18:

Biggest Change

• Mandatory Monthly Security Awareness training for everyone.

• (breaking it into monthly modules makes it tolerable)

• Needs to be interesting/fun, Door prizes, etc.

Page 19:

RSA Attack: Credits

• http://www.satorys.com/rsa-attack-analysis-lessons-learned/