1 / 19

RSA Attack Analysis

RSA Attack Analysis. Karl F. Lutzen, CISSP S&T Information Security Officer. RSA Attack. March 2011, RSA had a data breach Attacker stole information which affected some 40 million two-factor authentication tokens Devices are used in private industry and government agencies

bo-hartman
Download Presentation

RSA Attack Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. RSA Attack Analysis Karl F. Lutzen, CISSP S&T Information Security Officer

  2. RSA Attack • March 2011, RSA had a data breach • Attacker stole information which affected some 40 million two-factor authentication tokens • Devices are used in private industry and government agencies • Produces a 6 digit number every 60 seconds.

  3. RSA Attack Analysis • An Advanced Persistent Threat (APT) A structured (advanced), targeted attack (persistent), intent on gaining information (threat)

  4. RSA Background • RSA is a security company that employs a great number of security devices to prevent such a data breach • Methods used bypassed many of the controls that would otherwise prevented direct attack

  5. Attacker Initial Steps • Attackers acquired valid email addresses of a small group of employees. • If the attackers did a full spam to all possible addresses, it gives them away and prevention/detection by RSA is much easier.

  6. Phishing Emails • Two different phishing emails sent over a two-day period. • Sent to two small groups of employees, not particularly high profile or high value targets. • Subject line read: 2011 Recruitment Plan • SPAM filtering DID catch it but put in the Junk folder

  7. Employee Mistake • One employee retrieved the email from the Junk mail folder • Email contained an Excel spreadsheet entitled: 2001 Recruitment Plan.xls • Spreadsheet contained a zero-day exploit through Adobe Flash (since patched). • Installed a backdoor program to allow access.

  8. Remote Administration Tool (RAT) • Attackers chose to use the Poison Ivy RAT. • Very tiny footprint • Gives attacker complete control over the system • Set in reverse-connect mode. System reaches out to get commands. Fairly standard method of getting through firewalls/IPS

  9. Digital Shoulder-Surfing • Next the attackers just sat back and digitally listened to what was going on with the system • The initial system/user didn’t have adequate access for their needs so they needed to take a step to another system to go further.

  10. Harvesting • Initial platform wasn’t adequate, attackers harvested credentials: user, domain admin, service accounts) • Next, performed privilege escalation on non-admin users on other targeted systems. Goal: gain access to high value systems/targets.

  11. The Race • During the stepping from system to system, security controls detected an attack in progress. The race was now on. • Attacker had to move very quickly during this phase of finding a valuable target.

  12. Data Gathering • Attacker established access at staging servers at key aggregation points to retrieve data. • As they visited servers of interest, data was copied to staging servers. • Staging servers aggregated, compressed, encrypted and then FTP’d the data out.

  13. Receiving Host • Target receiving data was a compromised host at an external hosting provider. • Attacker then removed the files from the external compromised host to remove traces of the attack. • This also hid the attacker’s true identity/location.

  14. Lessons Learned • Weakest link: A human • Layered Security: Not adequate to prevent • Upside: Able to implement new security controls to this point were considered too restrictive.

  15. Karl’s Changes • What follows would be the changes I’d make at RSA. • Note, they are a commercial company and do not have the open requirements higher education has. Two different beasts. • If I were to implement these, very likely I’d be doing a different job…

  16. Changes • Traffic shaping both ways. (Firewall port blocking isn’t enough) • Block all but specific protocols • IDS/IPS on all those protocols • Aggressive use of DMZ: Isolate systems • Isolate workstations from one another • Clean Access Solutions on all systems

  17. Biggest Change • Mandatory Monthly Security Awareness training for everyone. • (breaking it into monthly modules makes it tolerable) • Needs to be interesting/fun, Door prizes, etc.

  18. RSA Attack: Credits • http://www.satorys.com/rsa-attack-analysis-lessons-learned/

More Related