RSA Anatomy of an Attack
DESCRIPTION
Presentation slides from the Anatomy of an Attack briefing by RSA and Integrity Solutions, focusing on the security breach experienced by RSA in 2011.
TRANSCRIPT
Slide 1 © Copyright 2012 EMC Corporation. All rights reserved.
RSA Security Anatomy of an Attack – Lessons learned
Malcolm Dundas – Account Executive
John Hurley – Senior Technology Consultant
Slide 2
Agenda
• Advanced Enterprise/ Threats
• The RSA Breach
• A chronology of the attack
• Security Analytics
• Incident Response and Governance
• Q & A
Slide 3
IN 2011 THE DIGITAL UNIVERSE WILL SURPASS 1.8 ZETTABYTES (1,800,000,000,000,000,000,000 bytes)
Slide 6
The RSA Attack
• On March 17th, 2011, RSA disclosed it was the target of an Advanced Persistent Threat (APT)
– Communicated that certain information related to RSA SecurID was extracted during the attack
– Provided Best Practices guidance and prioritized remediation steps
• On June 6th, 2011, RSA issued an open letter to customers
– Shared that the perpetrator's most likely motive was to obtain an element of security information that could be used to target defense secrets and related IP, rather than financial gain, PII, or public embarrassment.
– Confirmed that information taken from RSA was used as an element in an attempted broader attack against Lockheed Martin
– Reinforced that the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology
Slide 7
The Initial Vector in the RSA Attack
1. Phishing emails. Some clues about the email lead us to believe that this was from some slightly dated research on employees.
2. Launch zero-day. One user opened the email attachment (an Excel spreadsheet), which launched a Flash zero-day.
3. Attacker gains access to other machines. The zero-day exploit installs a backdoor (a Poison Ivy RAT variant), which enables extraction of memory-resident password hashes.
Slide 8
Reducing Attacker Free Time (figure: attacker and defender activities plotted against a shared time axis)
Attacker side: Target Analysis, Attack Set-up, Attack Begins, System Intrusion, Attacker Surveillance, Access Probe, Discovery/Persistence, Maintain foothold, Leap Frog Attacks Complete, Cover-up Starts, Cover-up Complete
Defender side: Attack Forecast, Physical Security, Monitoring & Controls, Defender Discovery, Attack Identified, Incident Reporting, System Reaction, Threat Analysis, Impact Analysis, Damage Identification, Response, Containment & Eradication, Recovery
Attacker free time is the interval between the attack beginning and the defender identifying it; monitoring and response exist to shrink that interval.
Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)
Slide 9
From Compromise to Exfiltration
4. Attacker initiates separate network using credentials obtained from steps 1 - 3
5. Attacker moves laterally through the organization, heavily using escalation of privileges, to systems containing disparate information that when combined allowed compromise of RSA SecurID-related information
6. Attacker removes data and stages it on a file share within the network
7. Files are encrypted and the attacker tries to exfiltrate them to several external servers before finding a successful destination
Slide 10
Shift in spending
Slide 11
Asset Criticality Intelligence (RSA ACI)
Inputs (figure):
• RSA NetWitness asset list: device type, device content
• IT info from CMDBs and vulnerability scans: criticality rating, device owner
• Business context from RSA Archer: business owner, business unit, business process, RPO / RTO
Output, asset intelligence per asset: IP address, criticality rating, business unit, facility
Security analysts now have asset intelligence and business context to better analyze and prioritize alerts.
Slide 12
EMC SOC vs. CIRC
SOC = Security Operations Center. Level 1: adds, moves and changes, security questions, device health, etc.
CIRC = Critical Incident Response Center. Manages security incidents, investigates suspicious behavior, vulnerability analysis, malware analysis, threat management, etc.
Slide 13
RSA Critical Incident Response Team detects file transfer activity
DLP Network detects a transfer of an encrypted file over the FTP protocol
Slide 14
Alert Critical Incident Response Team
RSA SIEM generates an alert from two correlated events:
1. Successful RDP connection to critical server
2. DLP activity on the same server
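The two-event rule on this slide, worked through as an added example (this is not RSA's SIEM rule or any RSA product code): a successful RDP logon to a critical server followed within a window by a DLP policy match on the same server raises one HIGH alert. The key=value log format, the field names, the one-hour window, the critical-asset list and the sample events are all constructed assumptions; the critical-asset lookup stands in for the asset-criticality feed from slide 11.

```python
"""Correlate a successful RDP logon to a critical server with DLP activity
on the same server inside a short window (the rule on slide 14).

Added example, not RSA's SIEM rule: the key=value log format, field names,
window size, asset list and sample events are constructed for illustration.
"""
import shlex
from datetime import datetime, timedelta

# Assumption: an asset-criticality feed (slide 11) tells us which hosts matter.
CRITICAL_ASSETS = {"10.10.5.20": "secrets-fileserver"}

# How long after the RDP logon a DLP hit still counts as the same episode.
WINDOW = timedelta(hours=1)

# Constructed sample events; one per line, host = the server that logged it.
SAMPLE_LOGS = """\
2011-03-10T02:14:05Z source=windows event=rdp_logon result=success host=10.10.5.20 src=192.168.100.142 user=jdoe
2011-03-10T02:31:40Z source=dlp event=policy_match host=10.10.5.20 detail="encrypted archive sent over FTP"
2011-03-10T03:05:00Z source=windows event=rdp_logon result=failure host=10.10.5.20 src=192.168.100.77 user=administrator
2011-03-10T08:00:00Z source=dlp event=policy_match host=10.10.9.9 detail="PII in outbound mail"
2011-03-11T09:15:00Z source=windows event=rdp_logon result=success host=10.10.5.20 src=192.168.100.50 user=backup
2011-03-11T11:00:00Z source=dlp event=policy_match host=10.10.5.20 detail="encrypted archive sent over FTP"
"""


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP k=v k="quoted v" ...' into a dict with a datetime 'ts'."""
    ts, *fields = shlex.split(line)          # shlex keeps quoted values intact
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def correlate(events, window=WINDOW, critical=CRITICAL_ASSETS):
    """Emit one alert per DLP hit on a critical host that follows a
    successful RDP logon to that host within `window`."""
    events = sorted(events, key=lambda e: e["ts"])
    recent_rdp = {}      # host -> successful RDP logons seen so far
    alerts = []
    for ev in events:
        host = ev.get("host")
        if host not in critical:             # only critical assets are in scope
            continue
        if ev.get("event") == "rdp_logon" and ev.get("result") == "success":
            recent_rdp.setdefault(host, []).append(ev)
        elif ev.get("event") == "policy_match":
            for rdp in recent_rdp.get(host, []):
                age = ev["ts"] - rdp["ts"]
                if timedelta(0) <= age <= window:
                    alerts.append({
                        "severity": "HIGH",  # critical asset + two correlated events
                        "asset": critical[host],
                        "host": host,
                        "rdp_src": rdp["src"],
                        "user": rdp["user"],
                        "rdp_ts": rdp["ts"].isoformat(),
                        "dlp_ts": ev["ts"].isoformat(),
                        "detail": ev.get("detail", ""),
                    })
    return alerts


def detect(log_text: str = SAMPLE_LOGS):
    """Parse a block of log lines and run the correlation over them."""
    return correlate(parse_line(l) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for a in detect():
        print(f"[{a['severity']}] {a['asset']} ({a['host']}): RDP from {a['rdp_src']} "
              f"as {a['user']} at {a['rdp_ts']}, DLP at {a['dlp_ts']}: {a['detail']}")
```

Run as a script it prints exactly one alert, for the logon from 192.168.100.142. The failed logon, the DLP hit on a non-critical host, and the sixth line (a DLP hit 1 h 45 min after the last logon, outside the window) are all ignored; the window is the knob an analyst tunes against the dwell times actually seen in packet capture.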
Slide 15
Incident escalation to Security Management Dashboard
• RSA SIEM alerts sent to RSA eGRC platform
• RSA eGRC links this incident with business context and prioritizes it as HIGH priority
Slide 16
Advanced Network Forensics
• Instant integration from RSA eGRC web interface to RSA NetWitness with two clicks
• SIEMLink transparently retrieves full session detail from RSA NetWitness
Slide 17
Situation Aware Analysis
Context of all network activities to/from critical server
Confirm John’s machine (192.168.100.142) as source of RDP session
Slide 18
Situation Aware Analysis
Drill into all network sessions from John's machine
• Small executable file
• Transfer over HTTP
• Suspicious filename & extension
• Suspicious domain name
• Malware?!?
Slide 19
Automated Malware Analysis
RSA NetWitness instantly provides detailed analysis of the file in question
Slide 20
Only Security Analytics can tell you the impact of the attack

Attack step                                                  Traditional SIEM   RSA SA
Alert for RDP tunneled over non-standard port                No                 Yes
Recreate activity of suspect IP address across environment   No                 Yes
Show user activity across AD and VPN                         Yes                Yes
Alert for different credentials used for AD and VPN          Yes                Yes
Reconstruct exfiltrated data                                 No                 Yes
Slide 21
RSA Methodology: Ripping away the hay with automated queries
Start with all network traffic and logs
ALERT ME for sessions to/from critical assets
SHOW ME files where file type does not match extension
SHOW ME all downloads of executable content (pdf, doc, exe, xls, jar etc)
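The two SHOW ME queries above, as an added Python example rather than NetWitness query syntax (this is not RSA's code): it decides a file's real type from its leading bytes (magic numbers), compares that with the extension the name claims, and marks the broad "executable content" class the slide lists (PE, legacy and OOXML Office, JAR, PDF, Flash). The magic table, the extension map, the executable-content set and the in-memory sample files are constructed assumptions.

```python
"""Triage downloaded files: flag executable content and type/extension
mismatches by sniffing magic bytes instead of trusting the filename.

Added example (not RSA NetWitness query logic); the sample files are
constructed in memory so the script runs offline.
"""
import io
import zipfile

# Leading bytes that identify common container and executable formats.
MAGIC = [
    (b"MZ", "exe"),                                    # PE: .exe, .dll, .scr
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),       # legacy Office: .doc .xls .ppt
    (b"PK\x03\x04", "zip"),                            # refined to jar/ooxml below
    (b"FWS", "swf"), (b"CWS", "swf"), (b"ZWS", "swf"),  # Flash: plain, zlib, LZMA
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF8", "gif"),
    (b"\xff\xd8\xff", "jpg"),
]

# Sniffed types that are legitimate for a given extension (assumed map).
EXPECTED = {
    "exe": {"exe"}, "dll": {"exe"}, "scr": {"exe"},
    "pdf": {"pdf"},
    "doc": {"ole"}, "xls": {"ole"}, "ppt": {"ole"},
    "docx": {"ooxml"}, "xlsx": {"ooxml"}, "pptx": {"ooxml"},
    "jar": {"jar"}, "zip": {"zip", "jar", "ooxml"},
    "swf": {"swf"},
    "png": {"png"}, "gif": {"gif"}, "jpg": {"jpg"}, "jpeg": {"jpg"},
}

# "Executable content" in the slide's broad sense: anything that runs code
# or carries active content, not only PE files.
EXECUTABLE_TYPES = {"exe", "ole", "ooxml", "jar", "pdf", "swf"}


def _refine_zip(data: bytes) -> str:
    """Distinguish JAR and Office OOXML from a plain zip by well-known member names."""
    try:
        names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
    except zipfile.BadZipFile:
        return "zip"
    if "META-INF/MANIFEST.MF" in names:
        return "jar"
    if "[Content_Types].xml" in names:
        return "ooxml"
    return "zip"


def sniff(data: bytes) -> str:
    """Return the format implied by the file's magic bytes ('unknown' if none match)."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return _refine_zip(data) if kind == "zip" else kind
    return "unknown"


def triage(downloads):
    """downloads: iterable of (filename, bytes). Returns one finding per file."""
    findings = []
    for name, data in downloads:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = sniff(data)
        # Unknown extension: nothing to contradict, so trust the sniffed type.
        mismatch = kind not in EXPECTED.get(ext, {kind})
        findings.append({"file": name, "ext": ext, "sniffed": kind,
                         "mismatch": mismatch, "executable": kind in EXECUTABLE_TYPES})
    return findings


def _make_zip(names):
    """Build a small in-memory zip with the given member names (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"x")
    return buf.getvalue()


# Constructed sample downloads, as reconstructed from HTTP sessions might look.
SAMPLE_DOWNLOADS = [
    ("budget.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64),
    ("update.gif", b"MZ\x90\x00" + b"\x00" * 64),        # PE renamed to look like an image
    ("holiday.jpg", b"CWS\x0a" + b"\x00" * 64),          # compressed Flash behind a .jpg name
    ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),
    ("report.pdf", b"%PDF-1.4\n" + b"\x00" * 64),
    ("tool.jar", _make_zip(["META-INF/MANIFEST.MF", "a/B.class"])),
    ("sheet.xlsx", _make_zip(["[Content_Types].xml", "xl/workbook.xml"])),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_DOWNLOADS):
        tag = "MISMATCH" if f["mismatch"] else ("EXEC" if f["executable"] else "ok")
        print(f"{tag:8} {f['file']:14} claims .{f['ext']:<5} is {f['sniffed']}")
```

The renamed PE and the Flash file behind a .jpg name come out as mismatches (the first query); the Office, JAR and PDF files match their extensions but are still surfaced as executable content (the second query). In a real deployment the bytes come from reconstructed sessions and the signature table is far longer; the point is to key on content, never on the filename the attacker chose.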
Slide 22
Security Practices – Critical Checklist
Business Risk Assessment
• Identify most critical systems; ensure they are given the highest priorities for all hardening and monitoring activities
Active Directory Hardening
• Minimize number of admins
• Monitoring and alerting (Windows Event ID #566)
• Two factor admin access from hardened VDI platform
• Executable whitelisting on hardened DCs
• Disable default account and rename key accounts
• Complex passwords (9 & 15 Char)
Infrastructure & Logging
• Full and detailed logging & analysis
• Tighten VPN controls
• Increase controls on crypto keys
• Full packet capture at strategic network locations
• Network segmentation
• Team trained and focused on APT activity
Service Accounts
• Review accounts for privilege creep
• Change passwords frequently
• Do not embed credentials into scripts
• Minimize interactive login
• Restrict login only from required hosts
Web Access
• Block access to high risk and web filter categories
• Click through on medium risk websites
• Black hole dynamic DNS domains
• Authenticated internet access
• DNS traffic analysis
User Education
• Increase security training for IT
• Launch security improvement initiative
• Regular education of users on phishing attacks
• Regular education on social engineering
• Increase mail filtering controls
User Machine Hardening
• Limit local admin and randomize the password; change it often
• Increase patching regime
• Enable security controls in applications
• Deep visibility to identify lateral movement
• Limit use of non-authorized, unapproved software
Slide 23
5 Forward-leaning Practices
• Anti-social engineering (anti-vishing, etc.)
• Zero-day malware detection
• Deeper analysis and responsiveness to network traffic
• Adaptive authentication and two factor
• Proactive web application security
Slide 24
Disintegration of Perimeter Controls
Focus on the critical assets
Context based security analytics fused with threat intelligence