RSA Attack Analysis
Karl F. Lutzen, CISSP
S&T Information Security Officer
Dec 17, 2015
RSA Attack
• March 2011, RSA had a data breach
– Attacker stole information which affected some 40 million two-factor authentication tokens
– Devices are used in private industry and government agencies
– Produces a 6 digit number every 60 seconds.
RSA Attack Analysis
• An Advanced Persistent Threat (APT)
– A structured (advanced), targeted attack (persistent), intent on gaining information (threat)
RSA Background
• RSA is a security company that employs a great number of security devices to prevent such a data breach
• Methods used bypassed many of the controls that would otherwise have prevented a direct attack
Attacker Initial Steps
• Attackers acquired valid email addresses of a small group of employees.
• If the attackers had spammed all possible addresses, it would have given them away and made prevention/detection by RSA much easier.
Phishing Emails
• Two different phishing emails sent over a two-day period.
• Sent to two small groups of employees, not particularly high profile or high value targets.
• Subject line read: 2011 Recruitment Plan
• SPAM filtering DID catch it but put it in the Junk folder
Employee Mistake
• One employee retrieved the email from the Junk mail folder
• Email contained an Excel spreadsheet entitled: 2001 Recruitment Plan.xls
• Spreadsheet contained a zero-day exploit through Adobe Flash (since patched).
– Installed a backdoor program to allow access.
Remote Administration Tool (RAT)
• Attackers chose to use the Poison Ivy RAT.
– Very tiny footprint
– Gives attacker complete control over the system
– Set in reverse-connect mode. System reaches out to get commands. Fairly standard method of getting through firewalls/IPS
Digital Shoulder-Surfing
• Next the attackers just sat back and digitally listened to what was going on with the system
• The initial system/user didn’t have adequate access for the attackers’ needs, so they had to step to another system to go further.
Harvesting
• Initial platform wasn’t adequate, so attackers harvested credentials (user, domain admin, service accounts)
• Next, performed privilege escalation on non-admin users on other targeted systems. Goal: gain access to high value systems/targets.
The Race
• During the stepping from system to system, security controls detected an attack in progress. The race was now on.
• Attacker had to move very quickly during this phase of finding a valuable target.
Data Gathering
• Attacker established access at staging servers at key aggregation points to retrieve data.
• As they visited servers of interest, data was copied to staging servers.
• Staging servers aggregated, compressed, encrypted and then FTP’d the data out.
Receiving Host
• Target receiving data was a compromised host at an external hosting provider.
• Attacker then removed the files from the external compromised host to remove traces of the attack.
• This also hid the attacker’s true identity/location.
Lessons Learned
• Weakest link: A human
• Layered Security: Not adequate to prevent
• Upside: Able to implement new security controls that to this point were considered too restrictive.
Karl’s Changes
• What follows would be the changes I’d make at RSA.
• Note, they are a commercial company and do not have the open requirements higher education has. Two different beasts.
• If I were to implement these, very likely I’d be doing a different job…
Changes
• Traffic shaping both ways. (Firewall port blocking isn’t enough)
• Block all but specific protocols
• IDS/IPS on all those protocols
• Aggressive use of DMZ: Isolate systems
• Isolate workstations from one another
• Clean Access Solutions on all systems
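A defender-side check tying the "block all but specific protocols" change above back to two behaviours the deck describes: the reverse-connect RAT polling out for commands at a fixed interval, and the staging servers FTP'ing aggregated data out. This is an added example, not code from the deck or from RSA; the log line format, the 10.0.0.0/8 internal range, the allowed-port list and every sample line are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed firewall/flow log (not RSA's data). One flow per line:
#   <epoch_ts> <src_ip> <dst_ip> <dst_port> <bytes_out>
# 10.0.5.21 reaches one external host every 60 s (reverse-connect beacon);
# 10.0.7.4 pushes a large FTP transfer out of the network.
SAMPLE_LOG = """\
1300000000 10.0.5.21 203.0.113.9 443 512
1300000060 10.0.5.21 203.0.113.9 443 498
1300000120 10.0.5.21 203.0.113.9 443 520
1300000180 10.0.5.21 203.0.113.9 443 505
1300000030 10.0.5.22 93.184.216.34 443 8800
1300000200 10.0.7.4 198.51.100.77 21 94000000
1300000400 10.0.5.22 93.184.216.34 80 1200
"""

INTERNAL = ip_network("10.0.0.0/8")   # assumed corporate address space
ALLOWED_EGRESS_PORTS = {443}          # "block all but specific protocols"

def parse(log_text):
    """Return (ts, src, dst, port, bytes) tuples from the constructed log format."""
    rows = []
    for line in log_text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        rows.append((int(ts), src, dst, int(port), int(nbytes)))
    return rows

def is_external(ip):
    return ip_address(ip) not in INTERNAL

def policy_violations(rows):
    """Direct flows to external hosts on any port outside the egress allowlist (e.g. FTP)."""
    return [(src, dst, port) for _, src, dst, port, _ in rows
            if is_external(dst) and port not in ALLOWED_EGRESS_PORTS]

def beacon_candidates(rows, min_hits=4, jitter=0.1):
    """(src, dst, interval) for pairs that reconnect at a near-constant interval."""
    times = defaultdict(list)
    for ts, src, dst, _, _ in rows:
        if is_external(dst):
            times[(src, dst)].append(ts)
    found = []
    for (src, dst), ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= jitter * mean for g in gaps):
            found.append((src, dst, round(mean)))
    return found
```

Run against real flow or proxy logs the beacon check needs a longer window and a jitter tolerance tuned to the environment; the allowlist check is what the "traffic shaping both ways" change enforces at the firewall.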
Biggest Change
• Mandatory Monthly Security Awareness training for everyone.
• (breaking it into monthly modules makes it tolerable)
• Needs to be interesting/fun, Door prizes, etc.