RSA Reveals Origins Of SecurID Breach

The sophisticated attack that breached RSA’s defences and allowed attackers to steal SecurID data appears to have begun as a phishing attack, according to several security analysts briefed by the company. RSA has faced some criticism about its internal security practices.

During a private call with security analysts, the executive chairman of RSA Security, Art Coviello, revealed some details of how the 17 March security breach happened. During the 1 April call, Coviello discussed how the attack had happened, and how RSA had stopped the incident.

Low-level users

A RSA spokesperson confirmed there had been a call with Coviello and some analysts, but declined to comment on the content of the call.

The attack started with phishing emails sent to small groups of low-profile RSA users that ended up in the users’ email junk folders, according to Avivah Litan, an analyst with Gartner, who was on the call. Litan believes that these low-level users are actually RSA employees.

The emails were titled “2011 Recruitment Plan” and had a malicious Microsoft Excel spreadsheet attached, Litan reported on her blog.

Ironically, the spreadsheet exploited the recently-discovered Adobe Flash zero-day flaw. Adobe had announced the vulnerability on 14 March and patched it on 21 March. However, it appears the patch came a little too late for RSA.

Despite landing in the users’ junk folders, at least one person opened the email and the attachment, which downloaded the Trojan to the user’s PC. Attackers began harvesting credentials and “made their way up the RSA food chain” using accounts belonging to the IT department , as well as other employees to gain “privileged access” to the targeted system, Litan wrote.

“At least RSA’s spam filters were working, even if their social engineering training for employees was not,” Litan added.

From the targeted system, attackers transferred files to an external compromised machine at a hosting provider, at which point RSA detected the attack thanks to its NetWitness implementation, Litan wrote. Industry observers had speculated that RSA must have had a network monitoring and forensics product deployed, and it appears they were right. RSA was able to stop the attack before more damage could be done and immediately told customers about the attack.

Timing left vague

The company remained vague as to when the phishing emails were sent, or how long the attackers spent in the network bouncing between accounts, but several months seemed likely, according to Jon Oltsik, a principal analyst with the Enterprise Strategy Group, who was also on the call. “I think that the intelligence gathering and set up lasted a while,” he told eWEEK.

RSA was a lesson for everyone that technology wasn’t enough to “detect or block attacks,” said Oltsik. “We need to train our people,” he said.

While RSA “should be credited for handling a bad situation as well as it can”, Litan felt that “RSA should have known better”.

“The irony is that they don’t eat their own dog food,” Litan told eWEEK. The company sells fraud detection systems based on sophisticated profiling which use complex models to spot abnormal behavior and intervene in real time to authenticate and re-authenticate users and transactions.

However, RSA did not apply those same techniques to their own systems, Litan said.

RSA gave “a lot of credit” to NetWitness for detecting the attack in real-time, but it wasn’t good enough, as the “signals and scores” were clearly not high enough to prompt a person to shut down the attack immediately, Litan said.

RSA needs to stay innovative and apply the lessons learned from serving their clients to their own internal enterprise systems, Litan said. This may be a function of being owned by EMC, a “behemoth company”, said Litan. She noted that many of the “best and brightest” at RSA left after the 2006 acquisition.

“Much of the innovation has since been slowed down by the inevitable bureaucracy,” said Litan.