It is now six months since RSA suffered the hack that compromised SecurID. RSA had a positive attitude regarding the hack, providing some details and good visibility. Thus, we can learn many things from it.
We now know how RSA was penetrated: through a targeted email carrying an Excel file. The Excel file had a Flash object embedded inside. The object, using a zero-day vulnerability, installed the Poison Ivy backdoor. For more details see F-Secure's analysis. The attacker used the backdoor to get access to the sensitive data needed to break SecurID. The mail was addressed to four RSA employees, hence a targeted attack. Once SecurID was compromised, the attackers could access Lockheed Martin.
This is the first publicly known instance of an Advanced Persistent Threat (APT): an extremely targeted attack that works stealthily and slowly in order not to be detected, performed by extremely skilled attackers. Until now, this kind of attack was reserved to warfare. As the final target was Lockheed Martin, we may believe that it was a high-profile attack. They used a zero-day exploit that passed under the radar of every anti-virus scanner.
RSA and Kaspersky Labs presented an interesting analysis of the attack.
What can we conclude?
- Perimeter defense is no longer sufficient, at least in a professional environment. Skilled hackers will attack from inside. We need new tools to detect suspect behaviour within the enterprise network. For instance, an alert should be triggered when a device communicates with "exotic" IP addresses. Unfortunately, such tools will be more complex to administer and will probably need more manual monitoring.
- Targeted attacks will be used more and more against industrial targets. Security awareness will become key. People must also be aware of business intelligence. It is a reality that is too often downplayed.
- I will rant against all this software used for purposes other than the ones it was designed for. How often have I seen Excel used for things other than calculation! For instance, to display tables of text. As a result, software vendors keep adding new features. Why should we need to embed a Flash object in a spreadsheet? In security, KISS (Keep It Simple & Stupid) is a golden rule. The more features, the more potential vulnerabilities.
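As an illustration of the first conclusion, here is an added example (not code from the original post) of the kind of internal monitoring it calls for: it takes outbound connection records, keeps only destinations outside an assumed allowlist of known networks, and raises an alert when a host contacts such an "exotic" address at a regular interval, the beaconing pattern a backdoor typically produces. The host names, IP addresses and allowlist are constructed for the example.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample of outbound-connection records: (timestamp in seconds, host, destination IP).
# Made-up values for illustration only, not data from the RSA incident.
SAMPLE_CONNECTIONS = [
    (0, "ws-rd-07", "10.0.0.5"),
    (5, "ws-rd-07", "93.184.216.34"),
    (60, "ws-rd-07", "203.0.113.77"),
    (120, "ws-rd-07", "203.0.113.77"),
    (181, "ws-rd-07", "203.0.113.77"),
    (240, "ws-rd-07", "203.0.113.77"),
    (30, "ws-hr-02", "10.0.0.5"),
    (90, "ws-hr-02", "198.51.100.9"),
    (700, "ws-hr-02", "198.51.100.9"),
]

# Destinations the enterprise expects to see: internal ranges plus approved external
# services. Assumed allowlist; a real deployment would build it from its own inventory.
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "192.168.0.0/16", "93.184.216.0/24")]

def is_known(dst):
    """True when the destination falls inside one of the allowlisted networks."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in KNOWN_NETWORKS)

def exotic_contacts(connections):
    """Group connection timestamps to non-allowlisted destinations by (host, dst)."""
    seen = defaultdict(list)
    for ts, host, dst in connections:
        if not is_known(dst):
            seen[(host, dst)].append(ts)
    return seen

def beacon_alerts(connections, min_hits=3, max_jitter=0.2):
    """Alert on (host, dst) pairs outside the allowlist contacted at a regular interval:
    at least min_hits connections whose inter-arrival times deviate from their mean
    by less than max_jitter (relative). Returns (host, dst, period_seconds) tuples."""
    alerts = []
    for (host, dst), times in exotic_contacts(connections).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_jitter:
            alerts.append((host, dst, round(mean)))
    return alerts

if __name__ == "__main__":
    for host, dst, period in beacon_alerts(SAMPLE_CONNECTIONS):
        print(f"ALERT {host} contacts unknown destination {dst} every ~{period}s")
```

A single contact with an unknown address is usually noise (a stray lookup, a new SaaS vendor); the regular interval over several contacts is what separates a suspect channel from ordinary traffic.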