Anatomy of an Attack

I was on a tour in Asia Pacific when I first heard the news about the attack. The investigation into this attack continues but I’m eager to share some information with you about it.

Let’s first make sure everyone is on the same page. The number of enterprises hit by APTs grows by the month; and the range of APT targets includes just about every industry. Unofficial tallies number dozens of mega corporations attacked; examples are in the press regularly, and some examples are here, and here.

These companies deploy any imaginable combination of state-of-the-art perimeter and end-point security controls, and use all imaginable combinations of security operations and security controls. Yet still the determined attackers find their way in. What does that tell you?

The first thing actors like those behind the APT do is seek publicly available information about specific employees – social media sites are always a favorite.  With that in hand they then send that user a Spear Phishing email. Often the email uses target-relevant content; for instance, if you’re in the finance department, it may talk about some advice on regulatory controls.

The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high profile or high value targets. The email subject line read “2011 Recruitment Plan.”

The email was crafted well enough to trick one of the employees into retrieving it from their Junk mail folder and opening the attached Excel file. It was a spreadsheet titled “2011 Recruitment plan.xls”.

The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). As a side note, by now Adobe has released a patch for the zero-day, so it can no longer be used to inject malware onto patched machines.

OK, back to the attack. As you know, the next step in a typical APT is to install some sort of a remote administration tool that allows the attacker to control the machine.  In our case the weapon of choice was a Poison Ivy variant set in a reverse-connect mode that makes it more difficult to detect, as the PC reaches out to the command and control rather than the other way around. Similar techniques were reported in many past APTs, including GhostNet.

Having set remote access, now the attacker in a typical APT starts digital shoulder surfing to establish the employee’s role and their level of access. If this isn’t sufficient for the attackers’ purpose, they will seek user accounts with better, more relevant, privileges. I’ve pieced together a separate blog post as an appendix, talking about the attack end-to-end and providing more data.

When it comes to APTs it is not about how good you are once inside, but that you use a totally new approach for entering the organization.  You don’t bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees.

One cannot stress enough the point about APTs being, first and foremost, a new attack doctrine built to circumvent the existing perimeter and endpoint defenses. It’s a little similar to stealth air fighters: for decades you’ve based your air defense on radar technology, but now you have those sneaky stealth fighters built with odd angles and strange composite materials.   You can try building bigger and better radars, or, as someone I talked to said, you can try staring more closely at your existing radars in hope of catching some faint signs of something flying by, but this isn’t going to turn the tide on stealthy attackers. Instead you have to think of a new defense doctrine.

Building a new defense doctrine takes time, but over the course of history many campaigns that required building a new defense doctrine were eventually won. The battle of the Atlantic is a good example. For years it was completely controlled by U-boat ‘Wolf Packs’, which were so effective in cutting Britain off from fuel and supplies that in early 1943 there was talk of stopping U.S. aid altogether.

But in mid-1943 the tide turned through a combination of smart leadership by newly appointed Admiral Horton of the Royal Navy, advancements in defensive technologies, as well as new tactics used by allied aircraft and escort ships. A new defense doctrine was born, and it worked like a charm.

And we don’t even have to go back that far. I still vividly remember the first Phishing attacks against online banks. IT security departments spent many long nights, trying to figure out what to do against sneaky attackers who didn’t bother at all with all the millions poured into securing the infrastructure, attacking instead the weakest element in the chain: the humans.

Recently the UK payment council announced that in 2010 online banking fraud declined 22%, despite phishing levels increasing 21%. This is turning the tide. It took the financial sector 7 years to build a new defense doctrine against social engineering attacks like Phishing and Trojans. I was part of this gargantuan effort, and I think we’ve learned a thing or two that can help us build a new defense doctrine against APTs much faster. Already we’re learning fast, and every organization hit by an APT is much more prepared against the next one; I’m confident it will take us far less than 7 years to say we’ve turned the tide on APTs.

Now let me point out a couple of additional points regarding the attack.

First, while RSA made it clear that certain information was extracted, it’s interesting to note that the attack was detected by its Computer Incident Response Team in progress; I’ve been talking to many CISOs in corporations that were hit by similar APTs and a lot of companies either detected the attacks after months, or didn’t detect them at all and learned about it from the government. This is not a trivial point: by detecting what is happening early on, RSA was able to respond quickly and engage in immediate countermeasures.

The other point I’d like to make is that the new defense doctrine is shaping up faster than I thought. We’re already working hard on introducing several completely new approaches; they map to some of the strategic directions I outlined at the end of the blog post here.

It is also important to note that just as stealth fighters evade radar instead of defeating it, APTs do not “defeat” security products. They just find ways to fly below the existing technology. Our incident response team and their technical array – a lot of it using RSA technologies – did enable us to identify the attack in progress and respond accordingly. That’s further proof that one key element is the people, not just the technology.

Well, guys, I think that’s all for now. I plan to write additional blogs in the coming days covering other aspects of the unfolding events, and as I mentioned there’s an appendix at the end of this blog with an end-to-end description of the attack.

I just want to leave you with one thought. What we’re witnessing now are the early days. We’re now in 1939, and U-boats are an impossible menace. We’re now in 2004, and social engineering attacks get away with our customer’s money. We’re now in 2011, and the tidal wave of targeted attacks has reached our shores.  It’s time to respond as an industry, define and execute a new defense doctrine based on information sharing, deep analytics and advanced threat management.

We’re headed into an interesting decade, but in the end I have confidence, the good guys will prevail.

Anatomy of an Attack (Appendix)

Before reading this, you should read the blog entitled ‘Anatomy of an Attack’, which describes the attack on RSA at a high level. This post is an add-on, a sort of appendix really, that provides some end-to-end visibility into the various stages of the attack.

Advanced Persistent Threat attacks typically have three main phases. The first is the social engineering attack; that’s one of the key elements that differentiates an APT from good old hacking. From the very first mention of APTs it’s been clear that these attacks will be difficult to defend against, as they use a combination of social engineering with vulnerabilities in the end-point to access users’ PCs. Once inside you’re already in the network; you just have to find your way to the right users and systems, and carry on with “regular” hacking activities.

End-point security struggles with protecting against even simpler forms of attack such as data-stealing Trojans, which is why you can find so many examples of ZeusiLeaks, or employees compromised with a Trojan that grabs the corporate data and sends it to a Trojan mothership halfway across the world. If Trojans available for sale from every digital thug on the cyber block are getting through the perimeter, what should we expect when it comes to the more devious attacks that are currently launched against private sector companies?

The social engineering part is equally simple. As I mentioned in a previous blog that focused on some long-term defense strategies against APTs, just think of what has changed in the past few decades. In the early 1980s you would have guys like Matthew Broderick in War Games, searching for modems connected to sensitive networks. Matthew mapped networks and found weak spots. His attacks had nothing to do with the users; he used weaknesses in the infrastructure. But if Matthew were staging an APT hack today, the first thing he’d do is visit social media sites. He’d collect intelligence on the organization’s people, not its infrastructure. Then he’d send a spear phishing email to the employees of interest.

In our case the attacker sent two different phishing emails over a two-day period. These emails were sent to two small groups of employees. When you look at the list of users that were targeted, you don’t see any glaring insights; nothing that spells high profile or high value targets.

The email subject line read “2011 Recruitment Plan”. This was intriguing enough for one of the employees to actually pull the email out of their Junk Box and double-click on the email attachment, which was an excel spreadsheet titled “2011 Recruitment plan.xls”.

The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). Adobe has already released an emergency patch for the zero-day. The exploit injects malicious code into the employee’s PC, allowing full access to the machine. The attacker in this case installed a customized remote administration tool, a Poison Ivy RAT variant; if you are familiar with APTs you will recognize Poison Ivy, as it has been used extensively in many other attacks, including GhostNet. Often these remote administration tools, the purpose of which is simply to allow external control of the PC or server, are set up in a reverse-connect mode: the implant pulls commands from the central command & control servers and executes them, rather than waiting for commands to be pushed to it from outside. This connectivity method makes them more difficult to detect, as the PC reaches out to the command and control rather than the other way around. You’ll find references to Remote Administration tools here, including Poison Ivy – which you can also download yourself in pure form off the Internet.

The next phase of an APT is moving laterally inside the network once it’s compromised some of the employee PCs. The thing is, the initial entry points are not strategic enough for the attackers; they need users with more access, more admin rights to relevant services and servers, etc.

This is one of the key reasons why, having failed to prevent the initial social engineering phase, detecting it quickly is so important. In many of the APTs publicized in the last 18 months the attackers had months to do digital “shoulder surfing” on the attacked users, map the network and the resources, and start looking for a path to the coveted assets they desired. Then they use the compromised accounts, coupled with various other tactics, to gain access to more “strategic” users. In the RSA attack the timeline was shorter, but still there was time for the attacker to identify and gain access to more strategic users.

The attacker first harvested access credentials from the compromised users (user, domain admin, and service accounts). They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators.

If the attacker thinks they can exist in the environment without being detected, they may continue in a stealth mode for a long while. If they think they run the risk of being detected, however, they move much faster and complete the third, and most “noisy”, stage of the attack. Since RSA detected this attack in progress, it is likely the attacker had to move very quickly to accomplish anything in this phase.

In the third stage of an APT, the goal is to extract what you can. The attacker in the RSA case established access to staging servers at key aggregation points; this was done to get ready for extraction. Then they went into the servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction.

The attacker then used FTP to transfer many password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack.
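As an added example, not from RSA or the original post: two detection heuristics run over constructed egress-log lines, one for the reverse-connect beaconing described above (the compromised PC reaching out to one external host on a fixed interval) and one for the bulk FTP upload of RAR archives from a file server to an external host. The five-column log format, the addresses, the thresholds and the 10.0.0.0/8 internal range are all assumptions.

```python
"""Two egress-log heuristics for the stages described above:
(1) a near-constant-interval outbound connection from one internal host to one
    external host, the signature of a reverse-connect RAT beaconing to its C2;
(2) an internal host pushing several archive files over FTP to one external
    host, the staged, compressed, password-protected RAR exfiltration.
Log format, addresses and thresholds are assumptions, not RSA's data."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: internal address space is 10.0.0.0/8; anything else is outside.
INTERNAL_PREFIXES = ("10.",)
ARCHIVE_EXTS = (".rar", ".zip", ".7z")

# Constructed sample log (not real data): "time src dst proto detail"
SAMPLE_LOG = """\
2011-03-01T09:00:00 10.1.5.23 203.0.113.10 tcp/443 -
2011-03-01T09:05:01 10.1.5.23 203.0.113.10 tcp/443 -
2011-03-01T09:10:00 10.1.5.23 203.0.113.10 tcp/443 -
2011-03-01T09:15:02 10.1.5.23 203.0.113.10 tcp/443 -
2011-03-01T09:20:00 10.1.5.23 203.0.113.10 tcp/443 -
2011-03-01T09:03:17 10.1.5.23 198.51.100.5 tcp/443 -
2011-03-01T11:47:12 10.1.5.23 198.51.100.9 tcp/80 -
2011-03-01T22:10:05 10.1.9.40 192.0.2.77 tcp/21 STOR part01.rar
2011-03-01T22:10:51 10.1.9.40 192.0.2.77 tcp/21 STOR part02.rar
2011-03-01T22:11:09 10.1.9.40 192.0.2.77 tcp/21 STOR part03.rar
2011-03-01T22:12:30 10.1.9.40 192.0.2.77 tcp/21 STOR part04.rar
2011-03-01T22:13:02 10.1.9.40 192.0.2.77 tcp/21 STOR part05.rar
2011-03-01T10:30:00 10.1.9.40 192.0.2.30 tcp/21 STOR report.pdf
"""


def parse_log(text):
    """Parse the assumed five-column format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, detail = line.split(None, 4)
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "proto": proto, "detail": detail})
    return events


def is_outbound(ev):
    """True when an internal source talks to a non-internal destination."""
    return (ev["src"].startswith(INTERNAL_PREFIXES)
            and not ev["dst"].startswith(INTERNAL_PREFIXES))


def find_beacons(events, min_hits=5, max_jitter=0.1):
    """Flag (src, dst) pairs whose connection gaps are nearly constant.
    Jitter is the coefficient of variation of the gaps; a RAT polling its
    controller on a timer scores near zero, human browsing does not.
    Returns a list of (src, dst, mean_gap_seconds)."""
    by_pair = defaultdict(list)
    for ev in events:
        if is_outbound(ev):
            by_pair[(ev["src"], ev["dst"])].append(ev["ts"])
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, avg))
    return hits


def find_archive_exfil(events, min_files=3):
    """Flag an internal host that STORs several archive files over FTP to
    one external host. Returns a list of (src, dst, [filenames])."""
    by_pair = defaultdict(list)
    for ev in events:
        if not is_outbound(ev) or ev["proto"] != "tcp/21":
            continue
        parts = ev["detail"].split()
        if (len(parts) == 2 and parts[0] == "STOR"
                and parts[1].lower().endswith(ARCHIVE_EXTS)):
            by_pair[(ev["src"], ev["dst"])].append(parts[1])
    return [(s, d, files) for (s, d), files in by_pair.items()
            if len(files) >= min_files]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, dst, gap in find_beacons(evs):
        print(f"beacon-like: {src} -> {dst} every ~{gap:.0f}s")
    for src, dst, files in find_archive_exfil(evs):
        print(f"archive upload: {src} -> {dst} {len(files)} files {files}")
```

Because the author notes the attacker may choose HTTP rather than FTP, the FTP check is the narrow one; the beacon check is protocol-independent and is the one worth running first.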

I hope this description provides information that can be used to understand what has happened and to correlate with other APTs. In addition, three URLs associated with this attacker are:

Good[DOT]mincesur[DOT]com | up82673[DOT]hopto[DOT]org | www[DOT]cz88[DOT]net

Perhaps this incident can be used as an exercise when you look at your own infrastructure and wonder what mitigation options you have against similar attacks.  I gave my thoughts on the matter in the main blog post, and can summarize them like this: there’s a reason why APTs are so dangerous, and it has to tell us something. As an industry, we have to act fast and develop a new defense doctrine; the happy days of good old hacking are gone, and gone too are the old defense paradigms. New threats call for new strategies.

At RSA we’re already learning fast, making both short-term hardening moves and giant strides towards establishing a whole new defense doctrine. We’re implementing techniques that just a couple of weeks ago I thought were in the realm of long-term roadmaps.

There are so many historic examples of campaigns that seemed hopeless at the time but were then turned through sheer will, creativity and leadership; I’m sure that in a few years, Advanced Persistent Threats will become a familiar, almost mainstream form of attack and that we’ll be able to deploy effective defenses against those who want to spy on and control our intellectual property, digital assets and critical infrastructure.

42 Responses to “Anatomy of an Attack”

  1. CG says:

    this attack methodology isn’t new…Red Teaming has been emulating this type of attack methodology for years. Frankly an organization of your size and stature should have been doing this type of penetration testing for a while. FTPing out to untrusted hosts…appreciate the honesty but you should have made it MUCH harder for these guys to steal your stuff.

  2. phishme says:

    Further evidence that organizations should be doing spear phishing awareness training.

  3. Anonymous says:

    Can you elaborate on *how* you detected the attacks in progress?

  4. John says:

    Going again to prove that systems with a single operating system vulnerable to known flaws makes it easier to spread an attack around a network.
    We have been moving to require token authentication for FTP, SSH and admin sessions, and placing firewalls between the servers and even the internal users, but we can never be 100% sure the clients are clean, so there is still risk, and not every system allows us to configure token authentication.
    File servers shouldn’t have to be windows servers with huge numbers of services running. Virtualisation means that even Windows Server Core can be a better file server than Server standard, and even then, SAMBA on a dedicated storage VM is even leaner. Require proxying through a firewall for ALL internet access. Block FTP and require SSH or SFTP for transfers through the firewall, leaving only http as a weakness. Use an intrusion protection system to alert on logs, and actually give an admin time each week to examine the logs, and not leave it to chance. Keep endpoints patched, but there is nothing you can do for the wetware layer except training. This will always be the weakest point, even with the administrators. Some admins are just people running the HR system, not just the UNIX gurus or the server system admins. Very hard to find the balance between restricting access and letting people be able to do their job easily. Bars on windows destroy your view as well as slowing down an intruder.

  5. AlexT says:

    Thanks for sharing some further information about the situation at hand. To be absolutely honest I don’t find this attack to be particularly sophisticated – it is pretty much standard stuff that I almost see on a day to day basis. The key here is that taking control of those “low profile target” users should never allow further escalation to the keys of the kingdom… That in itself is very troubling for a company like RSA which should have much tighter security.
    Anyway the next step is now full disclosure about what has actually been compromised. No more corporate PR, just the straight facts.

  6. Carroll pleasant says:

    Why were users operating with single factor authentication? Wouldn’t two factor authentication have prevented this?

  7. vitaredux says:

    Very interesting and important article. Not so new though. Social engineering has been the unspoken beast for a long time; perhaps because there’s nothing that can be sold to us for it. Read Art of Deception by Kevin Mitnick to see it’s as old as the internet.

  8. Dan Geer says:

    Whether it is Poison Ivy or some other tool, if that tool is for sale then there is a question: Are the best tools that are on sale fresh products of the best minds? Or are the best tools that are on sale their maker’s monetizing of what residual value remains in tools after they have been technically eclipsed by what are really the best current tools? The brilliance of Intel is that they have a set of residual markets such that a new primary, flagship chip bumps what had been the primary chip down one level in their tiered market, which bumps what had been the secondary chip to the tertiary position, etc. In other words, is Poison Ivy a used car? The conservative assumption for vulnerabilities is that when you discover one, your discovery must be assumed to be a re-discovery — that someone else will have gotten there first. With attack tools, the conservative assumption is that the ones we are able to detect are already eclipsed, already second best. “We” will now perform an experiment in this regard as smartphones replace desktop PCs.

  9. Sihoko says:

    Thx, but how about the impact of the attack on RSA users. With so many unanswered questions it is almost a must to abandon the SecurID product, now we see that major players are doing this.

    Great to know how, but like to know what and how it impacts us.

  10. John Annen says:

    I just wanted to say thank you for sharing this very useful information. If one is to believe reports in the security press — and I have no reason not to, one of the reasons that we in the information security community are not making better progress against some of the recent threat trends is that the bad guys as a group are doing a better job than we are at organizing themselves and sharing information.

    It’s great to see an industry leader like RSA stand up and say, “this bad thing happened to us, and we want everyone to be able to learn from it.”

  11. A good starting point to explain what happened. Still, it would be of great help to go into more details about the data compromised in these attacks.

    In our opinion key aspects of corporate security should be focussed on encryption at a per-person level. No big document repositories and no undocumented data access. Although this would not have stopped the attack it would have had a smaller impact.

  12. Albert Watts says:

    I am completely confused by this post.

    RSA is a security leader, and yet this post reads like you had no idea of apt or how to defend against it.

    I would like to hear how application whitelisting, air gapping the most sensitive components of your network, protecting less sensitive segments with two factor auth all failed to prevent this. Why was outbound ftp allowed?

    What incoming email content checking was done? Do you any sandbox assessment tools in the gateway?

    This stuff is hard but … you guys are a security company?!

    Albert

  13. Tomas says:

    Hallo Uri,

    Thank you for your deep information about the attack.

    There are two questions left for me.
    At first it would be helpful to know why your virus scanners didn’t detect the “Poison Ivy RAT”? All virus scanners I know detect it with the right settings.

    And the second question is, how could the attacker connect to a listener (the Poison Ivy RAT client) inside your network? Each simple firewall should protect against that access.

  14. Andrew Reynhout says:

    Can you explain why RSA’s systems are configured to allow Microsoft Excel to execute Adobe Flash content?

  15. Juan says:

    Good article, thanks.
    I have read RSA used NetWitness to detect the attack,
    is that true?
    I’d find it very interesting to know what other tools
    helped you in detecting an attack was in course.
    Thanks.

  16. Robert Ludwig says:

    Actually the “War Games” example is more apt in this case than you indicate. If you’ll remember, when the Broderick character needed a password, he researched the author of one of the games and from that research deduced the most likely password. A different form of social engineering, but one none the less based on human frailties.

  17. BlueCollarCritic says:

    The APT method is proof positive of the REAL threat of putting it all out on the web for all to see. I have never been nor will ever be a fan of the social networking movement as it has become today where TOO much is shared on the internet. The basics used for networking like LinkedIn are appropriate so long as a measure of wisdom is used in what one puts in their profile but the more personal sites like Facebook are a bad idea and APT attacks are proof of this. I admit that I am on the earlier end of this movement (meaning I’m now the old guy as far as the majority of Facebook users are concerned ) and so I embrace the internet unlike generations before but not to the point where I blindly trust it enough to put info out there I would not be willing to wear on a sign hung around my neck while out shopping.

    I realize there is no fool-proof method to always prevent crackers from attacking but a good bit of the fault lies in the generations of users so willing to put their life’s story on any website offering to host it for free (even though the term “Free” is loosely interpreted because nothing is truly for free). When I was younger I too thought that the mindset of the generation before of “not so fast – take it slow” with regards to the latest in technology was “old people attitude” but now with some age myself I see they weren’t so dumb after all.

    In prior generations people respected their elders and heeded their judgment but not anymore. Perhaps if we had been less willing to jump headstrong into the latest in computing without thinking first we might have avoided a lot of the pitfalls that we now face from identity theft to APTs which are due in part thanks to the MySpace/Facebook revolution.

  18. Bob says:

    Your appendix is a little misleading. Yes Mathew mapped the technology network, he then spent a great deal of time investigating the key team member – to figure out the backdoor that was left in the system. Hacking the human has always been a leading vector on the way in.

  19. Greg says:

    Most of the current methods are putting up defenses. An approach using a honey pot can be effective. The attackers aren’t sure what they have just accessed or it’s value so they keep looking. It’s a simple tool to confuse attackers, confuse the value of data retrieved and extend the time to uncover intrusions.

    Simple is better but does not an industry build.

  20. John Q. Random says:

    It is thinking like this that will stagnate the industry, and doom it to make the same mistakes over and over. These so called “APT” attacks are nothing new, they’ve been going on for years at this point (point of info, most hackers call APT “spidering”).

    The attempts to take an “APT” attack and break it down into a series of concise steps that follows a fairly specific formula shows a lack of understanding on the topic. It is only the current trend for these types of attacks to utilize social networking media and clientside exploits. Two or three years from now the typical “signature” of an APT-style attack will be 100% different. In fact, I’d be willing to bet a LOT that there are other attackers out there who are conducting what would be classified as APT attacks that look NOTHING like the one described in this blog.

    I think the poster of this blog (and if their attitude reflects the feelings of RSA in general, then all of RSA) is forgetting what the first two letters of APT stand for. Advanced, and Persistent. An “unsophisticated” APT-style attack seems to be a contradiction in terms, especially one that involved the discovery of a 0day exploit (remember that five years ago any attack involving 0day was automatically regarded as highly advanced), and getting it working correctly outside the test environment (if you’ve done 0day R&D you know this is the real trick).

    Regarding the Persistent factor, Dave Aitel made a comment on his mailing list DailyDave about hacking strategy: “[...] And after enough hacking, you learn strategy, and once into a network you are impossible to kick out. You pick your targets carefully, and spend years preparing, and you wake up every morning thinking “I am a sword”.” I think both the blog poster and possibly the higher ups of RSA should read that several times (along with punk’s prophile in the latest Phrack) and really think about it and absorb it.

  21. ARABDOSS says:

    that kind of attack is not new

    although rsa employees should be aware and take care

  22. Richard Watson says:

    What I find interesting is the following:

    1. Why do ordinary users have elevated privileges on their own machines? Why do you give them local admin rights? If they can’t install, malware can’t install.

    2. How much training is offered to new and existing employees such as falling for simple spear phishing ploys?

    3. Does RSA use web blocking technologies such as websense? We block all social networking sites except Linked In. We also have policy related to what is broadcast with the world.

    I appreciate the transparency. However I would expect there will be eventual discussion related to what was “breached”.

    Rich

  23. PJ says:

    Why is everyone so concerned with what was taken? It’s called 2 factor for a reason. If you’re concerned over your implementation you should be checking your pin policies. I think many don’t realize the algorithm has been public knowledge for years and even if you do get the seeds you still need username, person who is mapped to the token, the pin and the resource you’re after. Now I highly doubt the source code was stolen as I doubt it was the target. But they could make things interesting…

    I also agree the attack is pretty standard, however the use of adobe zero days has long been the MO of our friends overseas. The real devil is in the details….when did the attack actually happen vs. when was the vulnerability made public.

    For those that ask about executing flash in excel and why A/V didn’t detect the malware: they obviously have never led or been involved in incident response or forensics and, to be brutally honest, don’t really understand information security and technology. The question around how the RAT was allowed out was answered in the doc, “reverse connect mode”, the same thing as a reverse shell: it establishes the connection out to a command and control server. Who doesn’t allow 80 outbound?

    Secure company or not, this can happen to anyone. Forget Operation Aurora or whatever they called it. Read up on situations like “Titan Rain.” I assure you our 3 letter agencies have state of the art security technologies and even they have succumbed to similar attacks. Sneaker net it is!!!

  24. B says:

    “The attacker first harvested access credentials from
    the compromised users (user, domain admin, and service
    accounts). They performed privilege escalation on non-administrative users in the targeted systems, and
    then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators.”

    So what were these “access credential” that allowed the
    attackers to perform privilege escalation? Was it only a
    userID and password? Wouldn’t this attack have failed
    if the access credentials had involved public / private
    key cryptography, especially if the private key was
    housed in a separate and protected USB device?

    separate and protected container (USB device)
    cryptography

  25. jader3rd says:

    Did the users who opened the attachment have admin privileges on their computer? What’s the OS?

  26. Ema Nymton says:

    Responses to some comments that map to common APT mitigation misconceptions:

    1. “2 Factor Will Stop This”
    -No, no it won’t. 2 Factor authentication is normally only required for the initial authentication within most Enterprises; subsequent authentication occurs using some sort of “security token” authentication (ex: Active Directory or SAML tokens); this allows these “one-click-and-you’re-owned” attacks to use “pass-the-token” or “pass-the-hash” techniques as a part of the attack payload. These attacks are still successful even with 2 factor authentication. (You should think of your app allowing a minimum of 2 different auth mechanisms: I. Your 2 factor auth mechanism II. token authentication; enterprises won’t get rid of the single sign-on mechanism because prompting for authentication when connecting to every app is a usability non-starter.)

    2. Blocking FTP doesn’t gain much as exfiltrating data over HTTP is just as easy. (Outbound content filtering IS useful, though)

    3. Pertaining to the question about Excel: The old “binary” MS Office file formats are effectively a file system within a file; they allow any other file to be embedded within the Office file and executed as a part of the attack payload. You don’t have to permit some Office setting that says “permit Flash” or something like that for this to be successful. The truth is that the legacy office file formats are a true thing of evil but cannot be done away with even if you’re on new versions of Office. The Office 2010 sandbox and isolation technologies are a HUGE help here; as is the free “Microsoft Office Isolated Conversion Environment” (“MOICE”) tool which converts the legacy file formats to the new XML formats on the fly in a sandbox, which strips out embedded binary files in the process.

    Agile Threat-informed Risk Management is a necessity. (Keeping abreast of emerging attack techniques and including per-app “hardening” mitigations.) -The old CISSP definition of risk says that it is equal to Likelihood x Impact of a vulnerability being exploited; when a technique is being used in the wild its likelihood, and therefore its risk, just changed dramatically; you need a Risk Management system that can take these sorts of things into account.

    Ema Nymton
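
Ema Nymton’s point 3 above describes the legacy binary Office formats as a file system within a file. The following is an added example, not code from the original post or from RSA, that walks that internal file system: it parses the header, FAT and directory chain of a Compound File Binary (OLE2) container such as a .xls, lists every storage and stream with its CLSID, and flags the entries a content filter would care about. The container is constructed inline; the watch list of embedded-object stream names and the Shockwave Flash ActiveX CLSID used for flagging are assumptions made for this example, not anything the post states.

```python
"""Added example (not from the article or RSA): walk the directory of a legacy
OLE2 / Compound File Binary (.xls, .doc, .ppt) container, the 'file system
within a file', and flag entries that carry embedded objects. The sample
container is constructed inline."""
import struct
import uuid

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
OBJ_TYPES = {0: "empty", 1: "storage", 2: "stream", 5: "root"}
# Watch list (an assumption for this example): stream names used for
# embedded OLE objects, plus the CLSID of the Shockwave Flash control.
SUSPECT_STREAMS = {"\x01Ole10Native", "Package", "CONTENTS", "\x01Ole"}
FLASH_CLSID = uuid.UUID("d27cdb6e-ae6d-11cf-96b8-444553540000")


def parse_cfb(data: bytes) -> list:
    """Return every allocated directory entry as a dict (name, type, clsid,
    start sector, size), following the directory sector chain via the FAT."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2 compound file")
    major, = struct.unpack_from("<H", data, 26)
    sector_shift, = struct.unpack_from("<H", data, 30)
    first_dir, = struct.unpack_from("<I", data, 48)
    ssize = 1 << sector_shift

    def sector(n):  # sector n starts at byte (n + 1) * ssize; the header is 'sector -1'
        return data[(n + 1) * ssize:(n + 2) * ssize]

    fat = []  # the header's 109-entry DIFAT lists the sectors that hold the FAT
    for i in range(109):
        s, = struct.unpack_from("<I", data, 76 + 4 * i)
        if s == FREESECT:
            break
        fat.extend(struct.unpack("<%dI" % (ssize // 4), sector(s)))

    entries, n, seen = [], first_dir, set()
    while n != ENDOFCHAIN and n not in seen and n < len(fat):
        seen.add(n)  # a malformed FAT cycle must not hang the parser
        blob = sector(n)
        for off in range(0, ssize, 128):
            e = blob[off:off + 128]
            nlen, = struct.unpack_from("<H", e, 64)  # bytes, incl. UTF-16 NUL
            if nlen == 0 or nlen > 64 or nlen % 2:
                continue  # unallocated (or corrupt) entry
            size_lo, size_hi = struct.unpack_from("<II", e, 120)
            entries.append({
                "name": e[:nlen].decode("utf-16-le").rstrip("\x00"),
                "type": OBJ_TYPES.get(e[66], "unknown(%d)" % e[66]),
                "clsid": uuid.UUID(bytes_le=e[80:96]),
                "start": struct.unpack_from("<I", e, 116)[0],
                "size": size_lo if major == 3 else size_lo | (size_hi << 32),
            })
        n = fat[n]
    return entries


def suspicious_entries(entries) -> list:
    """Names of entries a content filter would flag: embedded-object streams
    and anything whose CLSID is the Flash ActiveX control."""
    return [e["name"] for e in entries
            if (e["type"] == "stream" and e["name"] in SUSPECT_STREAMS)
            or e["clsid"] == FLASH_CLSID]


def _dir_entry(name, objtype, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM,
               clsid=uuid.UUID(int=0), start=ENDOFCHAIN, size=0) -> bytes:
    """One 128-byte directory entry: UTF-16LE name, name length, object type,
    colour, sibling/child links, CLSID, state bits + timestamps, start, size."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    return (raw.ljust(64, b"\x00") + struct.pack("<HBB", len(raw), objtype, 1)
            + struct.pack("<III", left, right, child) + clsid.bytes_le
            + b"\x00" * 20 + struct.pack("<IQ", start, size))


def build_sample() -> bytes:
    """Constructed .xls-shaped container, 512-byte sectors: sector 0 = FAT,
    sector 1 = directory, sectors 2 and 3 = stream bodies. Root holds the
    'Workbook' stream plus an 'MBD0001' storage tagged with the Flash CLSID
    that contains an '\\x01Ole10Native' stream (an embedded file)."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    # minor ver, major ver 3, byte order, sector shift 9, mini sector shift 6
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)
    # dir sector count (v3: 0), FAT sectors, first dir sector, txn sig, mini
    # cutoff, first mini FAT, mini FAT count, first DIFAT, DIFAT count
    struct.pack_into("<9I", hdr, 40, 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))  # FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, ENDOFCHAIN, *([FREESECT] * 124))
    directory = (_dir_entry("Root Entry", 5, child=1)
                 + _dir_entry("Workbook", 2, right=2, start=2, size=512)
                 + _dir_entry("MBD0001", 1, child=3, clsid=FLASH_CLSID)
                 + _dir_entry("\x01Ole10Native", 2, start=3, size=512))
    # (A real writer would place streams under 4096 bytes in the mini stream;
    # this sample keeps everything in regular sectors for brevity.)
    return bytes(hdr) + fat + directory + b"\x09\x08" + b"\x00" * 510 + b"\x00" * 512


if __name__ == "__main__":
    found = parse_cfb(build_sample())
    for e in found:
        print("%-8s %-16r clsid=%s start=%d size=%d" % (e["type"], e["name"], e["clsid"], e["start"], e["size"]))
    print("flagged:", suspicious_entries(found))
```

The point the walk makes is that nothing in the spreadsheet’s own settings is consulted: the embedded object is simply another entry in the container’s directory, so a filter that only looks at the outer file extension never sees it, while one that enumerates the directory does.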

  27. Russell Lange says:

    Respectfully I suggest that it is time that you ‘come clean’ and tell us what data was compromised.

    I appreciate that you no doubt have concerns that this may cause an escalation of the impact that this incident has already had on your business, but you need to recognise that if you do not give your customers, and prospective customers, the details they need to understand what level of risk this compromise presents to them then they will a) not trust you and b) probably assume the compromise is worse than it in fact is and base their strategic and tactical decisions on this imagined ‘worst case assumption’.

    If you want your customers to trust you, which I’m sure you do as otherwise you won’t have any business in the longer-term, then you need to give us the facts now, however painful this may be to your business in the immediate term.

  28. name says:

    > Content published here is not read or approved in advance by EMC?

    So, why doesn’t my comment show up here? :-)

  29. Dorian Grey says:

    Reading the responses to the article shows a clear lack of understanding in general about security.

    @CG: The only way to make it much harder is to air gap critical systems, and unless you do an in depth analysis, that may not be possible for various reasons. It’s not as simple as “make it much harder”. Sure you could block FTP, but like anybody trying to extract data thinks that is an issue.

    @John: “Going again to prove that systems with a single operating system vulnerable to known flaws makes it easier to spread an attack around a network.”

    For one, where does it say there is only one operating system in the environment? Secondly, you think it’s viable for every desktop, or every second desktop, to run a different OS? Even if they did, once the attackers are on the inside, they would be analysing any target OS and exploiting vulnerabilities. Do you think the attackers are only knowledgeable in one OS?

    @AlexT: “The key here is that taking control of those “low profile target” users should never allow further escalation to the keys of the kingdom… That in itself is very troubling” You need to read about exploits and vulnerabilities more. There are always zero day exploits that utilise flaws in applications and the OS to elevate the privilege of a user to higher than they have been given.

    @Carroll: No, that only affects sign-on; after that, the exploit is operational.

    @Sihoko, no, not without details of user to serial ID matching, so anyone would then have to target your environment and specifically get the serial number to user id matching, and then get the users PIN number

    @Roberto: Going into details about the data compromised is of zero benefit. Would knowing it was the secret recipe of KFC’s 11 herbs and spices, or the secret recipe for grandma’s pistachio ice cream, be of any benefit to the attack analysis? No.

    @Albert: Two factor authentication is just that, two factor authentication. Once signed on, two factor authentication is complete; it’s then user behaviour that initiated the attack vector, which is clearly stated in the article.

    Does it matter whether FTP is allowed or not? Not really. Do you think that the attackers wouldn’t know how to send the data outbound via HTTP?

    Email content checking? You need to learn that there is no 100% guarantee.

    Did you actually read the article? It was a specifically crafted message, targeted to specific groups of users.

    An email content checking system, is not going to find a 0 day exploit.

    Do you actually comprehend what a zero day exploit means?

    This stuff is hard, and people making the comments about “what about” etc etc, need to do far more reading and research.

    @Tomas: “how could the attacker connect to a listener?” Read the article again, and again, till you get the part about reverse connection. The attackers didn’t connect to the RAT client. The RAT client initiated an outbound connection to the attacker.

    @Richard: 1. Users didn’t; the attackers used exploits to elevate privileges.

    2. Training is no guarantee. Even the best, most competent people have moments where they do something silly.

    3. Completely and utterly pointless and useless. Where did Facebook at work have anything to do with the article?

    Why would there be a discussion about what was breached? What relevance does the payload have to the methodologies and tools used with which to make the attack?

    The payload could have been the recipe for the best type of dog food, would that change anything?

    @B: read the article, they shoulder surfed and analysed systems and used exploits to get the credentials they needed

    If the private key is housed in a separate offline storage device, how is data encrypted with my public key that is transported across the network going to be decrypted at the other end?

    Also, the endpoint has been compromised, so the end of the tunnel has been compromised. It’s like saying you can’t get into a car park unless you have a PIN code. Hide in someone’s boot, and you don’t need the PIN code to get into the car park; you are already aboard the system that does.

    @jader: read the article

    Clearly those asking these types of questions need further training, or they wouldn’t be asking these kinds of questions.

  30. Brian Shields says:

    I disagree with the comment that APTs do not defeat security products. Isn’t overlaying of AV DLLs in memory defeating a security product? It is my belief that you will not keep advanced intruders out of your network if you allow your employees to use the Internet! Just how many companies have the resources to defend against nation-sponsored hacking? The internet and desktop computing have made industrial espionage simple. The only real question is whether a foreign entity has any interest in what you have of value.

    Brian

  31. Bhaskar says:

    Hi,

    It’s been quite a while now; I believe RSA has to come up with more details on the exposure/impact of the attack on the clients. Till then, every time I use an RSA token, I will feel insecure. In the era of cloud computing, all the companies have to be 1000 times more careful and proactive.

  32. Ben says:

    There are many points that I am still not getting.
    1. Why didn’t the RSA DLP that is used alert when password-protected files were transferred out of the internal network?
    2. Does such a core company not use email filtering software to filter phishing emails?
    3. Why did they give direct access to the sensitive areas apart from two factor authentication or any controlled access?
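
Ema Nymton’s point 2 above and Ben’s first question here both concern what an outbound content filter or DLP engine could have seen. As an added example, not code from the post or from RSA, the following reads the header flags of ZIP and RAR 4.x archives to tell whether they are password protected, which is the kind of check a DLP engine can run on an outbound HTTP POST or FTP upload regardless of the file name. The sample archives are constructed inline (the “encrypted” ZIP only has its flag bit set, not real encryption); RAR5 is recognised but its vint-encoded headers are not parsed.

```python
"""Added example (not from the article or RSA): a DLP-style check that flags
password-protected ZIP and RAR 4.x archives in an outbound payload by reading
archive header flags rather than trusting file names or extensions. The
sample archives are constructed inline."""
import struct
import zlib

ZIP_LOCAL_SIG = b"PK\x03\x04"
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"


def zip_encrypted_members(data: bytes) -> list:
    """Walk the ZIP local file headers and return the names of members whose
    general-purpose flag bit 0 (entry is encrypted) is set."""
    names, pos = [], 0
    while data[pos:pos + 4] == ZIP_LOCAL_SIG:
        # from offset 6: flags, method, time+date, crc32, csize, usize, nlen, xlen
        flags, _method, csize, nlen, xlen = struct.unpack_from("<HH4x4xI4xHH", data, pos + 6)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        if flags & 0x0001:
            names.append(name)
        if flags & 0x0008 and csize == 0:
            break  # streamed entry: real size sits in a trailing data descriptor
        pos += 30 + nlen + xlen + csize
    return names


def rar4_is_encrypted(data: bytes) -> bool:
    """RAR 4.x block headers are HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2)
    HEAD_SIZE(2), plus a 4-byte ADD_SIZE when flag 0x8000 is set. Main header
    (0x73) flag 0x0080 = encrypted headers; file header (0x74) flag 0x0004 =
    password-protected file."""
    pos = len(RAR4_SIG)  # skip the marker block, which is the signature itself
    while pos + 7 <= len(data):
        _crc, htype, hflags, hsize = struct.unpack_from("<HBHH", data, pos)
        if (htype == 0x73 and hflags & 0x0080) or (htype == 0x74 and hflags & 0x0004):
            return True
        add_size = 0
        if hflags & 0x8000 and pos + 11 <= len(data):
            add_size, = struct.unpack_from("<I", data, pos + 7)
        if hsize < 7:
            break  # malformed header; do not loop forever
        pos += hsize + add_size
    return False


def classify(payload: bytes) -> tuple:
    """Return (format, encrypted). encrypted is None when the format is
    recognised but its headers are not parsed here (RAR5 uses vint headers)."""
    if payload.startswith(ZIP_LOCAL_SIG):
        return ("zip", bool(zip_encrypted_members(payload)))
    if payload.startswith(RAR5_SIG):
        return ("rar5", None)
    if payload.startswith(RAR4_SIG):
        return ("rar4", rar4_is_encrypted(payload))
    return ("other", False)


def make_zip(members, encrypted=False) -> bytes:
    """Constructed sample: STORED local file headers only (no central
    directory), which is all the walk above needs. `encrypted` sets the flag
    bit; the payload bytes are not actually encrypted."""
    out = bytearray()
    for name, payload in members:
        out += ZIP_LOCAL_SIG + struct.pack(
            "<HHHHHIIIHH", 20, 1 if encrypted else 0, 0, 0, 0,
            zlib.crc32(payload), len(payload), len(payload), len(name), 0)
        out += name.encode() + payload
    return bytes(out)


def make_rar4(header_encrypted=False, file_encrypted=False) -> bytes:
    """Constructed sample RAR 4.x: marker, main header, one 'seeds' file."""
    main = struct.pack("<HBHH", 0, 0x73, 0x0080 if header_encrypted else 0, 13) + b"\x00" * 6
    data = b"seeds"
    fflags = 0x8000 | (0x0004 if file_encrypted else 0)
    fhdr = struct.pack("<HBHHII", 0, 0x74, fflags, 32, len(data), len(data)) + b"\x00" * 17
    return RAR4_SIG + main + fhdr + data


if __name__ == "__main__":
    for label, blob in [("clear zip", make_zip([("plan.xls", b"abc")])),
                        ("encrypted zip", make_zip([("plan.xls", b"abc")], encrypted=True)),
                        ("rar4 file pw", make_rar4(file_encrypted=True))]:
        print(label, classify(blob))
```

A check like this only answers the narrow question Ben raises (is the outbound object a password-protected archive); it says nothing about an archive that was renamed, split, or sent over a channel the filter does not inspect, which is the limitation Ema Nymton and Dorian Grey point at when they note that HTTP works as well as FTP for exfiltration.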

  33. Mah says:

    What are the employees taught or told about the junk folder? This attack is like so many others and human nature continues to get the best of employees.

  34. Richard Aplin says:

    If you have the initial emails, please tell us how long it was from those emails to you detecting the attack in progress.

    Thanks!
    Rich Aplin

  35. Why weren’t the RSA SecurID seed tokens segregated from the user network zone? If I was storing the keys to the kingdom I would have airgapped it.

  36. Oliver Twist says:

    @Dorian Grey (love the name BTW)
    The data that was compromised is of intense interest to anyone using RSA security solutions because we wish to understand the ramifications of the (presumed new) knowledge that is now in the hands of the attackers. Agreed that the content is irrelevant to the attack/breach analysis, but we are interested because it may compromise the effectiveness of our own defenses, not because it helps us understand this attack any better.

    @RSA: I see I am not the first to bring this up: our trust in you is eroding as each day passes (we’re now at the TWO MONTH mark) and you refuse to talk to us, even in private, about what information was compromised. Why should I not recommend to my employer that they 86 SecurID and go with something else?? I’m still waiting for you to come clean about what was taken – or to admit that you don’t know what they took. Any time you’re ready, folks…

  37. Dorian Isgey says:

    @Dorian: “Going into details about the data compromised is of zero benefit”

    Oh really? You must not be using RSA tokens at work. Our RSA rep has given us grief about re-keying stating that nobody has been rekeyed because it’s not needed. Well, I think what just happened to Lockheed proves why RSA should have come clean about what was taken. I cannot believe they have not yet re-keyed all their customers at whatever cost, and insisted that its customers disallow remote access using RSA tokens until rekeying is completed.

    That’s the reason we (RSA’s customers) need to know what was taken, so we can make the right decision: a) do nothing (as token seeds or master seed is safe and sound), b) immediately disallow access (as Lockheed did AFTER they realized they were getting hacked) until re-keying is completed, or c) Change 2FA provider, as for many of the reasons stated above RSA appears to have grown lazy and lax, not to mention the complete lack of transparency that lulled customers into a false sense of security, that is until the Lockheed incident made it clear that the crown jewels were anything but safe.

  38. Steve Midgley says:

    You mentioned seafaring defense tactics that turned the tide for the U-boats vs convoys in WWII. I believe that what turned the tide against the U-boats was the cracking of the Enigma ciphers by the Bletchley Park team in the UK. They got much more intelligence about where the U-boats were and their intentions and conditions. As a result, convoys were able to avoid them, and it was also easier to sink or ward them off. All had to be done without alerting the Germans that their codes had been broken, but I believe that technology innovation was what turned the tide.

    A change in defense doctrine surely, but not the one you cited.

    From Wikipedia: “[Ultra intercepts] contributed greatly to Allied success in defeating the U-boats in the Battle of the Atlantic, and to the British naval victories in the Battle of Cape Matapan and the Battle of North Cape.” [http://en.wikipedia.org/wiki/Bletchley_Park]

  39. Tim Rivoli says:

    My question is: Why is RSA storing token seeds? It would be a better service to customers not to do so. If you don’t have my token seeds then frankly I don’t care if you get breached because I am not relying on you for my security.

  40. D Ram says:

    Why weren’t the RSA SecurID seed tokens segregated from the user network zone? If I was storing the keys to the kingdom I would have airgapped it.

  41. Fareaster says:

    Thanks for such an intuitive article about APTs. It was not only informative but enlightening.
    By the way, can you point me to some meaningful references about the phishing defense doctrine? It would be a great help. Thanks in advance.

  42. As long as people have freedom and do not live by a moral code, there is bound to be fraud. Further details by searching in Google for “Windle Stops Swindle”

    Cheers

    Srinivasan Devrajan, the Common Informer
