Lessons From the RSA Breach

In the world of ICT security "the fundamental threat landscape has changed" -- again -- in the past 18 months, says Andy Solterbeck, Australia-NZ general manager for security specialist RSA.

Embarrassingly, in March this year, RSA's own network was breached by an advanced attack, combining "social engineering" -- falsely gaining the confidence of employees -- with phishing, malware-infected emails and "privilege escalation" -- the attacker posing as one of the targeted personnel was able to use their network privileges to gain access indirectly to highly secure parts of the network.

RSA, which sells the SecurID two-factor authentication system, is convinced the attack came from a "nation-state actor"; an agency of government in an overseas country, says Solterbeck.

As evidence for this he cites the sophistication and probable resource requirements to launch what RSA describes as an "advanced persistent threat", and the fact that the information gained in the penetration of RSA's network was used to mount an attack on defence contractor Lockheed Martin later in the year -- an attack that was unsuccessful, Solterbeck emphasises.

It was part of "a fairly broad set of attacks against the defence-contracting community, where they were going after intellectual property. That gives you a pretty good indication as to what the orientation of that initial attack was," he says.

Security attacks were originally done chiefly to demonstrate skill and score points in the hacker community. In the past few years, the dominant motive has been financial -- seeking, for example, to steal credit-card numbers. The more recent involvement of nation states and discontented groups proceeding from political motives marks another major change of target, he says.

Organisations can do a lot to meet threats even when they apparently come from such powerful entities as governments, he says, by changing their approach to protection.

RSA is boosting its capabilities and offerings to the market in several areas. "The first is analytics and forensics; the ability to understand at a packet and session level, what's going on in the network; so you can firstly understand what's happening that's not normal; and then if you are breached, you have the ability to replay the attack; to understand what just occurred."

The rumour is that the RSA attackers may have gained access to a random-number "seed", which would have allowed them to generate valid SecurID authentication tokens. RSA immediately offered to recall and reissue customer tokens, and many customers took advantage of that offer.

RSA now knows what the attackers did get. "Unfortunately, we're not allowed to share that," says Solterbeck.

Forensics and analytics mark "one new market, one new set of capabilities that's been brought to bear," he says. "And we like that technology so much, we ended up buying the company that supplied it to us. We have a capability called the CIRC -- Critical Information Response Centre -- run by [RSA's parent] EMC -- and they were the ones that found this incident going on and the forensic tools they were using were from Netwitness. We bought that company."

Secondly, good governance and management of detection, diagnosis and remediation during and after an attack is becoming increasingly crucial, Solterbeck says. "There is a movement away from siloed processes within an organisation to centralised governed and managed processes that have a risk overlay. Some customers are really starting to look at that. That's not just from a security standpoint; it's a broader movement than that, but it has a very strong security element to it."

The third defence lies in adoption of a more advanced suite of authentication techniques, summed up by the term "adaptive authentication." This takes note of unfamiliar patterns of usage, such as a logon from a terminal in a place not usually associated with that user; in that case, the user will be asked to supply another piece of identity information before being given access.
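The step-up decision described above, as an added illustration rather than RSA's own product logic: each user's history of countries, devices and logon hours is the baseline, and a logon that does not fit it (an unfamiliar location on its own, or a new device combined with an unusual hour) is answered with a request for a further identity factor instead of an outright block. The weights and threshold are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed weights: an unfamiliar location alone is enough to ask for
# another identity factor; a new device or odd hour needs a second signal.
WEIGHTS = {"country": 2, "device": 1, "hour": 1}
STEP_UP_THRESHOLD = 2

@dataclass
class LoginAttempt:
    user: str
    country: str      # geolocation of the source terminal
    device_id: str    # browser/device fingerprint
    hour_utc: int     # hour of day the logon occurred

@dataclass
class UserProfile:
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    hours: set = field(default_factory=set)

    def learn(self, attempt: LoginAttempt) -> None:
        """Record a successfully authenticated logon as normal behaviour."""
        self.countries.add(attempt.country)
        self.devices.add(attempt.device_id)
        self.hours.add(attempt.hour_utc)

def profile_from_history(history: list) -> UserProfile:
    """Build the per-user baseline from past successful logons."""
    profile = UserProfile()
    for attempt in history:
        profile.learn(attempt)
    return profile

def risk_signals(profile: UserProfile, attempt: LoginAttempt) -> list:
    """Return the attributes of this logon that do not match the user's history."""
    signals = []
    if attempt.country not in profile.countries:
        signals.append("country")
    if attempt.device_id not in profile.devices:
        signals.append("device")
    if attempt.hour_utc not in profile.hours:
        signals.append("hour")
    return signals

def decide(profile: UserProfile, attempt: LoginAttempt) -> str:
    """'allow' on a familiar pattern; 'step_up' once the risk score reaches the threshold."""
    score = sum(WEIGHTS[s] for s in risk_signals(profile, attempt))
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"
```

After the extra factor is supplied successfully, calling `profile.learn(attempt)` adds the new location or device to the baseline so the user is not challenged for it again.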

Fourthly, Solterbeck says, there is increased collaboration among ICT vendors, to develop a united front on protection against attack. "EMC is working with Cisco, is working with us, who are working with VMware, who's working with Microsoft, to really step up in this space; to embed each other's technologies."

Customers have apparently not lost confidence in RSA or the SecurID authentication system; that side of the company's business has turned in record earnings over last and this quarter, Solterbeck claims.

Another reason for continuing confidence is that the company nearly deflected the attack, he says. "We did actually see and capture the attack in flight; and we don't know of another organisation that's caught an advanced persistent threat in flight."

In a set of attacks last year, known as Operation Aurora against Google, Symantec and others, "the only reason [the victims] knew what had occurred was because the US government informed them," he says.

Similarly, he says, an attack earlier this year against Vasco, another two-factor security vendor, only became known because the Dutch government informed the company.

"In our instance, we actually saw it and shut it down; but just didn't shut it down in time to fully remediate the attack."

The apparent involvement of nation-states in cyber-attacks will, in the last analysis, demand political action, Solterbeck says. "Governments -- and I think we've already started to see this in the US -- will become far clearer in what they expect of other nation-states when they engage in the economic life of another country. If you're going to partake in the benefits of trading with another country, then you're going to have to live by their rules."
