RSA 'Explanation' Foggy About Breach Details
Apr 4, 2011 12:28 PM PT
IT security giant RSA is still trying to figure out exactly what was stolen from its systems, more than two weeks after announcing that it had been breached.
The company detailed how the attackers broke into its systems, in a blog post by Uri Rivner, its head of new technologies, consumer identity protection.
However, it still apparently doesn't know just what was taken, apart from credentials of compromised users and unnamed data.
"RSA are still figuring it all out and are releasing details once they confirm them," company representative Alison Parker told TechNewsWorld.
How the Attackers Struck
The attackers used spearphishing -- a social engineering technique in which highly targeted emails are sent to a select group of people. In this case, they sent two different phishing emails over two days to two groups of employees who wouldn't be considered particularly high-profile or high-value targets, Rivner stated.
The subject line of the email read "2011 Recruitment Plan," and it had a Microsoft Excel spreadsheet attached.
That spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability, CVE-2011-0609. Adobe has since patched that vulnerability.
The exploit installed a variant of the Poison Ivy malware set in a reverse-connect mode, Rivner said.
Poison Ivy is a backdoor Trojan consisting of a remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network. Once executed, it copies itself to either the Windows folder or the Windows/system32 folder.
The reverse-connect mode makes it more difficult to detect the malware, as the infected PC will reach out to the command and control center set up by the hacker rather than having the C&C center send instructions to it, as is the norm. This technique isn't new -- earlier advanced persistent threats, such as GhostNet, used it.
Using the Trojan, the attacker harvested access credentials from the compromised users. It then escalated the privileges of non-administrative users in the targeted systems, and then accessed key high-value targets, Rivner said.
These targets included process experts and both IT- and non-IT-specific server administrators.
The attacker used FTP to transfer "many" password-protected RAR files from the RSA file server. (Think of a RAR file as a zipped folder.)
Slow on the Uptake?
Advanced persistent threats are hitting "just about every industry," and victims fall prey despite having deployed every imaginable combination of state-of-the-art security, Rivner pointed out.
RSA's Computer Incident Response Team detected the attack while it was in progress, Rivner said, adding that many corporations that were hit by similar APTs either didn't detect them at all or did so after several months.
The question many critics are asking, however, is why RSA did not detect the attack sooner, given that IT security is its bread and butter. After all, a variety of log-monitoring applications and network forensics programs are available to detect a breach shortly after it occurs.
"Network forensics creates a state of constant situational awareness and network visibility, which is needed to be able to respond appropriately to any threat and remediate quickly," Steve Shillingford, president and CEO of Solera Networks, told TechNewsWorld.
"Network logs, intrusion-protection systems and firewalls are needed, but they do not stop intrusions," Shillingford noted. "So, organizations have to accept the fact that they will be breached. If you're breached, you had better know fast that you were and what was affected, so you can remediate and inform your customers."
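The reverse-connect behaviour described above (the infected PC calling out to the C&C server on a schedule) and the bulk FTP transfer of RAR archives are both visible in ordinary outbound-connection logs, which is the kind of monitoring the critics quoted here have in mind. The following is an added example, not code from RSA or from the original article, that runs two simple checks over a constructed log: a near-constant interval between connections from one internal host to one external address (a beacon candidate), and an unusually large outbound FTP transfer. The log format, hosts, thresholds and addresses are all assumptions made for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not RSA's data): timestamp src dst dport bytes_out
SAMPLE_LOG = """\
2011-03-01T09:00:00 10.1.2.3 203.0.113.7 443 512
2011-03-01T09:05:01 10.1.2.3 203.0.113.7 443 498
2011-03-01T09:10:00 10.1.2.3 203.0.113.7 443 530
2011-03-01T09:14:59 10.1.2.3 203.0.113.7 443 501
2011-03-01T09:20:00 10.1.2.3 203.0.113.7 443 515
2011-03-01T09:03:17 10.1.2.4 198.51.100.9 443 1024
2011-03-01T09:41:02 10.1.2.4 198.51.100.9 443 77000
2011-03-01T11:12:45 10.1.2.4 198.51.100.9 443 2048
2011-03-01T23:30:00 10.1.2.3 203.0.113.8 21 85000000
"""

def parse(log):
    """Parse the constructed log into (timestamp, src, dst, dport, bytes) rows."""
    rows = []
    for line in log.splitlines():
        ts, src, dst, dport, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return rows

def beacon_candidates(rows, min_hits=4, max_cv=0.1):
    """Return (src, dst) pairs whose outbound connections recur at a near-constant
    interval: a low coefficient of variation of the gaps is the beaconing signal.
    Thresholds are illustrative; tune them against real traffic."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in rows:
        by_pair[(src, dst)].append(ts)
    found = []
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if statistics.pstdev(gaps) / statistics.mean(gaps) <= max_cv:
            found.append(pair)
    return found

def bulk_ftp_uploads(rows, threshold_bytes=50_000_000):
    """Flag outbound FTP control-port connections carrying an unusual byte volume."""
    return [(src, dst, n) for _, src, dst, dport, n in rows
            if dport == 21 and n >= threshold_bytes]

if __name__ == "__main__":
    data = parse(SAMPLE_LOG)
    print("beacon candidates:", beacon_candidates(data))
    print("bulk FTP uploads:", bulk_ftp_uploads(data))
```

In a real deployment the same two checks would run over proxy or firewall exports rather than an inline string, and the interval and byte thresholds would be set from a baseline of normal traffic.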
Picking up the Pieces
RSA is now hardening its systems and creating a new defense doctrine to be able to handle APTs, Rivner said.
However, APTs don't defeat security products -- they evade them.
"APT is a new breed of cyberadversary," Adam Vincent, CTO, public sector, Layer 7 Technologies, told TechNewsWorld. "We cannot think the same way about them as we do the common Internet threat."