RSA Anatomy of an Attack


Upload: integritysolutions

Post on 19-Jan-2015


DESCRIPTION

Presentation slides from the Anatomy of an Attack Briefing by RSA and Integrity Solutions focusing on the security breach experienced by RSA in 2011.

TRANSCRIPT

Page 1: RSA Anatomy of an Attack

1 © Copyright 2012 EMC Corporation. All rights reserved.

RSA Security Anatomy of an Attack – Lessons learned

Malcolm Dundas – Account Executive John Hurley – Senior Technology Consultant

Page 2: RSA Anatomy of an Attack


Agenda

• Advanced Enterprise/ Threats

• The RSA Breach

• A chronology of the attack

• Security Analytics

• Incident Response and Governance

• Q & A

Page 3: RSA Anatomy of an Attack


IN 2011 THE DIGITAL UNIVERSE WILL SURPASS

1.8 ZETTABYTES 1,800,000,000,000,000,000,000

Page 4: RSA Anatomy of an Attack


Page 5: RSA Anatomy of an Attack


Page 6: RSA Anatomy of an Attack


The RSA Attack

• On March 17th, RSA disclosed it was the target of an Advanced Persistent Threat (APT)

– Communicated that certain information related to RSA SecurID was extracted during the attack

– Provided Best Practices guidance and prioritized remediation steps

On June 6th, RSA issued an open letter to customers

– Shared that the perpetrator's most likely motive was to obtain an element of security information that could be used to target defense secrets and related IP, rather than financial gain, PII, or public embarrassment.

– Confirmed that information taken from RSA was used as an element in an attempted broader attack against Lockheed Martin

– Reinforced that the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology

Page 7: RSA Anatomy of an Attack

The Initial Vector in the RSA Attack

1. Phishing emails – Some clues about the email lead us to believe that this was from some slightly dated research on employees

2. Launch zero-day – One user opened email attachment (an Excel spreadsheet) which launches a Flash zero-day

3. Attacker gains access to other machines – Zero-day exploit installs backdoor (Poison Ivy RAT variant) which enables extraction of memory-resident password hashes

Page 8: RSA Anatomy of an Attack

Reducing Attacker Free Time

[Figure: timeline diagram; axis labelled TIME, with the span between attack and response labelled ATTACKER FREE TIME]

– Attacker phases shown: Attack Forecast, Target Analysis, Attack Set-up, Attack Begins, System Intrusion, Attacker Surveillance, Access Probe, Discovery/Persistence, Leap Frog Attacks Complete, Maintain foothold, Cover-up Starts, Cover-up Complete

– Defender phases shown: Physical Security, Monitoring & Controls, Defender Discovery, Attack Identified, Incident Reporting, Threat Analysis, Response, Impact Analysis, Damage Identification, System Reaction, Containment & Eradication, Recovery

Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)

Page 9: RSA Anatomy of an Attack

From Compromise to Exfiltration

4. Attacker initiates separate network using credentials obtained from steps 1 - 3

5. Attacker moves laterally through organization, heavily using escalation of privileges, to systems containing disparate information that when combined allowed compromise of RSA SecurID-related information

6. Attacker removes data and stages it on a file share within the network

7. Files are encrypted and attacker tries to exfiltrate to several servers before finding a successful destination.

[Diagram labels: ATTACKER, External Server]

Page 10: RSA Anatomy of an Attack


Shift in spending

Page 11: RSA Anatomy of an Attack

Asset Criticality Intelligence

[Figure: RSA ACI data flow. Diagram labels in slide order: RSA NetWitness; Asset List; Device Type; Device Content; CMDBs; Vuln. Scans; IT Info (Criticality Rating, Device Owner); Biz Context (Business Owner, Business Unit, Biz Process, RPO / RTO); RSA Archer; Asset Intelligence (IP Address, Criticality Rating, Business Unit, Facility)]

Security analysts now have asset intelligence and business context to better analyze and prioritize alerts.

Page 12: RSA Anatomy of an Attack

EMC SOC vs. CIRC

SOC = Security Operations Center

– Level 1: adds, moves and changes, security questions, device health, etc.

CIRC = Critical Incident Response Center

– Manage security incidents, investigate suspicious behavior, vulnerability analysis, malware analysis, threat management, etc.

Page 13: RSA Anatomy of an Attack


RSA Critical Incident Response Team detects file transfer activity

DLP Network detects a transfer of encrypted file over FTP protocol

Page 14: RSA Anatomy of an Attack

Alert Critical Incident Response Team

RSA SIEM generates alert from two correlated events:

1. Successful RDP connection to critical server

2. DLP activity on the same server

Page 15: RSA Anatomy of an Attack


Incident escalation to Security Management Dashboard

• RSA SIEM alerts sent to RSA eGRC platform

• RSA eGRC links this incident with business context and prioritizes it as HIGH priority
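The two steps on pages 14 and 15 (a SIEM rule that fires when a successful RDP logon to a critical server is followed by DLP activity on the same server, and an eGRC step that ranks the incident by business context) are shown below as an added illustration written for this transcript. It is not RSA SIEM or RSA eGRC code. The asset table, log records, 30-minute correlation window and criticality-to-priority mapping are constructed assumptions; the workstation address 192.168.100.142 and the user John are taken from the later slides in this deck.

```python
"""Added example (not RSA product code): correlate a successful RDP logon to a
critical server with DLP activity on the same host, then rank the incident with
asset criticality the way the eGRC step on the slide does.  All records below
are constructed for illustration."""
from datetime import datetime, timedelta

# Constructed asset-criticality table standing in for CMDB / eGRC business context.
ASSETS = {
    "10.0.5.20": {"name": "seed-srv-01", "criticality": "critical", "unit": "Product Engineering"},
    "10.0.9.77": {"name": "print-srv-02", "criticality": "low", "unit": "Facilities"},
}

# Constructed, already-normalised log events from two sources (Windows logons, DLP).
# Windows logon type 10 = RemoteInteractive, i.e. an RDP session.
EVENTS = [
    {"ts": "2011-03-10T09:01:00", "type": "logon_success", "host": "10.0.5.20",
     "logon_type": 10, "user": "john", "from": "192.168.100.142"},
    {"ts": "2011-03-10T09:04:30", "type": "dlp_transfer", "host": "10.0.5.20",
     "proto": "FTP", "encrypted": True, "bytes": 48_000_000},
    {"ts": "2011-03-10T11:00:00", "type": "logon_success", "host": "10.0.9.77",
     "logon_type": 10, "user": "svc-print", "from": "10.0.9.5"},
    {"ts": "2011-03-10T11:02:00", "type": "dlp_transfer", "host": "10.0.9.77",
     "proto": "SMB", "encrypted": False, "bytes": 2_000},
    {"ts": "2011-03-11T08:00:00", "type": "dlp_transfer", "host": "10.0.5.20",
     "proto": "FTP", "encrypted": True, "bytes": 1_000},   # outside any RDP window
]

WINDOW = timedelta(minutes=30)                                  # assumed correlation window
PRIORITY_BY_CRITICALITY = {"critical": "HIGH", "high": "MEDIUM"}  # assumed mapping, else LOW


def correlate(events, window=WINDOW):
    """Pair each RDP logon with DLP events on the same host inside `window` after it."""
    rdp = [e for e in events if e["type"] == "logon_success" and e.get("logon_type") == 10]
    dlp = [e for e in events if e["type"] == "dlp_transfer"]
    incidents = []
    for r in rdp:
        t0 = datetime.fromisoformat(r["ts"])
        for d in dlp:
            t1 = datetime.fromisoformat(d["ts"])
            if d["host"] == r["host"] and t0 <= t1 <= t0 + window:
                incidents.append({"host": r["host"], "user": r["user"],
                                  "rdp_from": r["from"], "dlp": d})
    return incidents


def prioritise(incident, assets=ASSETS):
    """Attach business context and a priority derived from asset criticality."""
    unknown = {"name": "unknown", "criticality": "unknown", "unit": "unknown"}
    asset = assets.get(incident["host"], unknown)
    priority = PRIORITY_BY_CRITICALITY.get(asset["criticality"], "LOW")
    return {**incident, "asset": asset, "priority": priority}


def run(events=EVENTS):
    """Full pipeline: correlate, then enrich and rank every incident."""
    return [prioritise(i) for i in correlate(events)]


if __name__ == "__main__":
    for inc in run():
        print(f'{inc["priority"]:6} {inc["asset"]["name"]} ({inc["host"]}) '
              f'RDP from {inc["rdp_from"]} as {inc["user"]}; '
              f'DLP {inc["dlp"]["proto"]} encrypted={inc["dlp"]["encrypted"]}')
```

On the constructed input the pipeline yields two incidents: the one on the critical server comes out HIGH (RDP from 192.168.100.142, then an encrypted FTP transfer three minutes later), while the identical event pair on the low-criticality print server comes out LOW, which is the point of fusing the alert with asset context before an analyst sees it. The DLP event on the following day falls outside the window and produces nothing.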

Page 16: RSA Anatomy of an Attack


Advanced Network Forensics

• Instant integration from RSA eGRC web interface to RSA NetWitness with two clicks

• SIEMLink transparently retrieves full session detail from RSA NetWitness

Page 17: RSA Anatomy of an Attack


Situation Aware Analysis

Context of all network activities to/from critical server

Confirm John’s machine (192.168.100.142) as source of RDP session

Page 18: RSA Anatomy of an Attack


Situation Aware Analysis

• Small executable file

• Transfer over HTTP

• Suspicious filename & extension

• Malware?!?

Drill into all network sessions from John’s machine

Suspicious domain name

Page 19: RSA Anatomy of an Attack


Automated Malware Analysis

RSA NetWitness instantly provides detailed analysis of the file in question

Page 20: RSA Anatomy of an Attack

Only Security Analytics can tell you the impact of the attack

Attack Step | Traditional SIEM | RSA SA
Alert for RDP tunneled over non-standard port | No | Yes
Recreate activity of suspect IP address across environment | No | Yes
Show user activity across AD and VPN | Yes | Yes
Alert for different credentials used for AD and VPN | Yes | Yes
Reconstruct exfiltrated data | No | Yes

Page 21: RSA Anatomy of an Attack


RSA Methodology:

Ripping away the hay with automated queries

ALERT ME for sessions to/from critical assets

SHOW ME files where file type does not match extension

SHOW ME all downloads of executable content (pdf, doc, exe, xls, jar etc)

Start with all network traffic and logs
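Two of the automated queries on this slide, "SHOW ME files where file type does not match extension" and "SHOW ME all downloads of executable content", reduce to inspecting the leading bytes of each captured file rather than trusting its name. The code below is an added example written for this transcript, not RSA NetWitness code: the magic-byte signatures are the standard published ones, while the download records, the extension-to-container table and the set of kinds treated as executable content are constructed assumptions.

```python
"""Added example (not RSA NetWitness code): implement two of the 'rip away the hay'
queries over constructed download records -- files whose content type, judged by
magic bytes, does not match their extension, and downloads of executable-capable
content.  The signatures are the standard published ones; the file records are
made up for illustration."""

# Leading bytes -> container kind.  Checked in order, most specific first.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy .doc/.xls/.ppt (OLE2 container)
    (b"PK\x03\x04", "zip"),                          # zip, also .docx/.xlsx/.jar
    (b"%PDF", "pdf"),
    (b"\x7fELF", "elf"),
    (b"\x89PNG", "png"),
    (b"GIF8", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"FWS", "swf"), (b"CWS", "swf"), (b"ZWS", "swf"),   # Flash
    (b"MZ", "exe"),                                  # PE (exe/dll/scr)
]

# Assumed table: which container kinds a given extension is allowed to have.
EXT_TYPES = {
    "exe": {"exe"}, "dll": {"exe"}, "scr": {"exe"},
    "pdf": {"pdf"}, "swf": {"swf"},
    "doc": {"ole"}, "xls": {"ole"}, "ppt": {"ole"},
    "docx": {"zip"}, "xlsx": {"zip"}, "jar": {"zip"},
    "gif": {"gif"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "png": {"png"},
    "txt": {"text"},
}

# Assumed set of kinds that can carry executable logic (the slide's pdf/doc/exe/xls/jar list).
EXECUTABLE_CONTENT = {"exe", "elf", "pdf", "ole", "zip", "swf"}


def sniff(data: bytes) -> str:
    """Return the container kind from the first bytes, 'text' for printable ASCII,
    else 'unknown'."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    head = data[:512]
    if head and all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return "text"
    return "unknown"


def extension(name: str) -> str:
    """Lower-cased extension, or '' when the name has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify(name: str, data: bytes) -> dict:
    """Judge one download: sniffed kind, whether it contradicts the extension,
    and whether it is executable-capable content."""
    kind, ext = sniff(data), extension(name)
    expected = EXT_TYPES.get(ext)
    return {
        "file": name,
        "ext": ext,
        "kind": kind,
        "mismatch": expected is not None and kind not in expected,
        "executable_content": kind in EXECUTABLE_CONTENT,
    }


# Constructed download records: (filename, first bytes of the payload).
SAMPLES = [
    ("quarterly.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16),  # genuine legacy Excel
    ("update.gif",    b"MZ\x90\x00" + b"\x00" * 16),                         # PE served as an image
    ("logo.gif",      b"GIF89a" + b"\x00" * 10),
    ("readme.txt",    b"hello world\n"),
    ("plugin.jar",    b"PK\x03\x04" + b"\x00" * 16),
    ("report.pdf",    b"%PDF-1.4\n"),
]


def scan(samples=SAMPLES):
    return [classify(n, d) for n, d in samples]


def mismatches(samples=SAMPLES):
    """SHOW ME files where file type does not match extension."""
    return [r["file"] for r in scan(samples) if r["mismatch"]]


def executable_downloads(samples=SAMPLES):
    """SHOW ME all downloads of executable content."""
    return [r["file"] for r in scan(samples) if r["executable_content"]]


if __name__ == "__main__":
    print("type/extension mismatch:", mismatches())
    print("executable content:", executable_downloads())
```

Magic-byte sniffing only sees the outer container. The Excel attachment from page 7 carried its Flash object inside an OLE file, so this query surfaces it as an executable-content download (the "xls" entry) rather than as a type mismatch; the mismatch query is what catches a PE renamed to look like an image, as in the "update.gif" sample.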

Page 22: RSA Anatomy of an Attack

Security Practices – Critical Checklist

Business Risk Assessment

– Identify most critical systems; ensure they are given the highest priorities for all hardening and monitoring activities

Active Directory Hardening

– Minimize number of admins

– Monitoring and alerting (Windows Event ID #566)

– Two factor admin access from hardened VDI platform

– Executable whitelisting on hardened DCs

– Disable default account and rename key accounts

– Complex passwords (9 & 15 Char)

Infrastructure & Logging

– Full and detailed logging & analysis

– Tighten VPN controls

– Increase controls on crypto keys

– Full packet capture at strategic network locations

– Network segmentation

– Team trained and focused on APT activity

Service Accounts

– Review accounts for privilege creep

– Change passwords frequently

– Do not embed credentials into scripts

– Minimize interactive login

– Restrict login only from required hosts

Web Access

– Block access to high risk and web filter categories

– Click through on medium risk websites

– Black hole dynamic DNS domains

– Authenticated internet access

– DNS traffic analysis

User Education

– Increase security training for IT

– Launch security improvement initiative

– Regular education of users on phishing attacks

– Regular education on social engineering

– Increase mail filtering controls

User Machine Hardening

– Limit local admin and randomize PW – change often

– Increase patching regime

– Enable security controls in applications

– Deep visibility to identify lateral movement

– Limit use of non-authorized and approved software

Page 23: RSA Anatomy of an Attack


5 Forward-leaning Practices

• Anti-social engineering (anti-vishing, etc.)

• Zero-day malware detection

• Deeper analysis and responsiveness to network traffic

• Adaptive authentication and two factor

• Proactive web application security

Page 24: RSA Anatomy of an Attack


Disintegration of Perimeter Controls

Focus on the critical assets

Context based security analytics fused with threat intelligence

Page 25: RSA Anatomy of an Attack