aNewDomain.net—In early 2011 RSA was attacked by an advanced persistent threat (APT). An APT is typically run by a government agency, a government-sponsored group, or a criminal organization with vast and nearly unlimited resources. It uses state-of-the-art tools, social engineering, and imagination to penetrate and exploit its target, and it draws on whatever information about the target is publicly available online.
With the RSA Conference 2013 on this week, the cost of the 2011 attack is a reminder that no one is safe from cyber crime.
According to Uri Rivner, “The first thing actors like those behind the APT do is seek publicly available information about specific employees – social media sites are always a favorite. With that in hand they then send that user a Spear Phishing email. Often the email uses target-relevant content; for instance, if you’re in the finance department, it may talk about some advice on regulatory controls.”
Spear phishing is a phishing tactic that targets a specific person or role in the enterprise. In RSA's case, a clerk in the finance department retrieved and opened a specially crafted email that the firm's spam filter had already quarantined. The subject line was "2011 Recruitment Plan." The attached Excel spreadsheet carried an exploit for a zero-day vulnerability. Once the exploit ran, the attackers harvested the credentials of low-level staff and worked their way up the food chain until they held domain administrator credentials, at which point the real intrusion could begin.
So what did RSA learn?
Eat your own dog food. This means using the software you sell to your customers. According to Avivah Litan at Gartner, “RSA sells its own fraud detection systems based on user and account profiling which use statistical Bayesian models, and rules, to spot abnormal behavior and intervene in real time to re-authenticate users and verify the authenticity of suspect access, behavior, or transactions. (RSA appears in the leaders quadrant of Gartner’s 2010 Web Fraud Detection Magic Quadrant). They should have applied these techniques to their own internal systems. They need to stay innovative and apply the lessons learned from serving their clients to their own internal enterprise systems.”
Improve user training. The electronic controls were in place to thwart the APT's attack on RSA. However, the clerk in the finance department who dug into the spam folder to open the malicious spreadsheet didn't have proper training. It was in the spam folder for a reason.
Disclosure. RSA was immediately forthcoming about how it was attacked and has used that information to help others prevent similar attacks.
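The attack chain in the spear-phishing passage above (attachment pulled out of quarantine, exploit run from Excel, harvested credentials used to climb to domain admin) and the account-profiling approach in the Gartner quote map onto a small detection exercise. What follows is an added example written for this page; it is not RSA's product code and does not come from the original article. It runs fixed rules plus a per-account host profile over constructed log events from a mail gateway, an endpoint agent and a domain controller. The field names, the 48-hour correlation window, the three-bit surprise threshold and the Office child-process allow-list are all assumptions.

```python
"""Detection sketch (illustrative, not RSA's code). Chains three stages of the
attack the article describes: an Office attachment released from the spam
quarantine, an Office process spawning an executable, and a privileged
account logging on to a host it has never used, scored against a per-account
host profile. All events and baseline logons below are constructed."""
import math
from collections import Counter
from datetime import datetime, timedelta

# Constructed baseline: a fortnight of "normal" (user, host) logons per account.
BASELINE_AUTH = [
    ("clerk1", "FIN-WS01"), ("clerk1", "FIN-WS01"), ("clerk1", "FIN-WS01"),
    ("clerk1", "FILESRV1"), ("clerk1", "FIN-WS01"), ("clerk1", "FIN-WS01"),
    ("dadmin", "DC01"), ("dadmin", "DC02"), ("dadmin", "ADMIN-JUMP"), ("dadmin", "DC01"),
]

# Constructed events; field names are an assumption, not any vendor's schema.
EVENTS = [
    {"ts": "2011-03-01T09:02:00", "type": "quarantine_release", "user": "clerk1",
     "attachment": "2011 Recruitment plan.xls"},
    {"ts": "2011-03-01T09:06:00", "type": "logon", "user": "clerk1", "host": "FIN-WS01"},
    {"ts": "2011-03-01T09:07:15", "type": "process_start", "user": "clerk1",
     "host": "FIN-WS01", "parent": "EXCEL.EXE", "image": "svchost.exe"},
    {"ts": "2011-03-01T14:00:00", "type": "logon", "user": "dadmin", "host": "DC01"},
    # Domain admin credentials turning up on the clerk's workstation overnight.
    {"ts": "2011-03-02T02:15:00", "type": "logon", "user": "dadmin", "host": "FIN-WS01"},
]

OFFICE_PARENTS = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
OFFICE_CHILD_ALLOWLIST = {"splwow64.exe"}   # assumption: print helper is benign
OFFICE_EXTENSIONS = (".xls", ".xlsx", ".doc", ".docx")
WINDOW = timedelta(hours=48)                 # assumed correlation window

def build_profiles(baseline):
    """Per-account Counter of hosts seen during the baseline period."""
    profiles = {}
    for user, host in baseline:
        profiles.setdefault(user, Counter())[host] += 1
    return profiles

def host_surprise(profiles, user, host):
    """-log2 P(host | user) in bits, with add-one smoothing over every host in
    the baseline so an unseen pairing is expensive but never infinite."""
    all_hosts = {h for c in profiles.values() for h in c}
    counts = profiles.get(user, Counter())
    p = (counts[host] + 1) / (sum(counts.values()) + len(all_hosts) + 1)
    return -math.log2(p)

def signals_for(event, profiles, surprise_threshold=3.0):
    """Map one event to zero or more (stage, detail) signals."""
    out = []
    t = event["type"]
    if t == "quarantine_release" and event["attachment"].lower().endswith(OFFICE_EXTENSIONS):
        out.append(("phish_delivery",
                    f"{event['user']} released {event['attachment']} from quarantine"))
    if (t == "process_start" and event["parent"] in OFFICE_PARENTS
            and event["image"].lower() not in OFFICE_CHILD_ALLOWLIST):
        out.append(("execution", f"{event['parent']} spawned {event['image']} on {event['host']}"))
    if t == "logon":
        bits = host_surprise(profiles, event["user"], event["host"])
        if bits >= surprise_threshold:
            out.append(("anomalous_auth", f"{event['user']} on {event['host']} ({bits:.1f} bits)"))
    return out

def correlate(events, profiles, window=WINDOW):
    """Chain signals that share a user or host within the window; return only
    incidents that span more than one stage of the attack."""
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        entities = {f"user:{ev['user']}"} | ({f"host:{ev['host']}"} if "host" in ev else set())
        for stage, detail in signals_for(ev, profiles):
            for inc in incidents:
                if inc["entities"] & entities and ts - inc["last"] <= window:
                    break
            else:
                inc = {"entities": set(), "stages": [], "last": ts}
                incidents.append(inc)
            inc["entities"] |= entities
            inc["stages"].append((stage, detail))
            inc["last"] = ts
    return [i for i in incidents if len({s for s, _ in i["stages"]}) > 1]

if __name__ == "__main__":
    for inc in correlate(EVENTS, build_profiles(BASELINE_AUTH)):
        print("INCIDENT involving", sorted(inc["entities"]))
        for stage, detail in inc["stages"]:
            print(f"  [{stage}] {detail}")
```

On these constructed events the clerk's own logon to FIN-WS01 costs one bit and stays quiet, while the domain admin's first appearance on that workstation costs more than three bits and is chained, via the shared host, to the quarantine release and the Excel child process. The surprise score is the smallest possible version of the "statistical Bayesian model" in the Gartner quote: a smoothed estimate of P(host | user). A real profile would cover more attributes (time of day, source address, resource accessed), be trained over weeks rather than a handful of logons, and have its threshold tuned to the false-positive rate the team can absorb; the point of the quote is that these are exactly the controls a vendor like RSA already ships and could run against its own domain controllers.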
Based in New York, Dino Londis is a senior commentator at aNewDomain.net, IT Pro alum National Lampoon and teamBYTE. Email him at Dino@aNewDomain.net.