RSA Anatomy of an Attack

Presentation slides from the Anatomy of an Attack Briefing by RSA and Integrity Solutions focusing on the security breach experienced by RSA in 2011.
  1. RSA Security – Anatomy of an Attack – Lessons learned
     Malcolm Dundas – Account Executive
     John Hurley – Senior Technology Consultant
     © Copyright 2012 EMC Corporation. All rights reserved.
  2. Agenda
     • Advanced Enterprise Threats
     • The RSA Breach
       – A chronology of the attack
       – Security Analytics
       – Incident Response and Governance
     • Q&A
  3. In 2011 the digital universe will surpass 1.8 zettabytes (1,800,000,000,000,000,000,000 bytes)
  4. (image-only slide: "$")
  5. (image-only slide, no text)
  6. The RSA Attack
     • On March 17th, RSA disclosed it was the target of an Advanced Persistent Threat (APT)
       – Communicated that certain information related to RSA SecurID was extracted during the attack
       – Provided Best Practices guidance and prioritized remediation steps
     • On June 6th, RSA issued an open letter to customers
       – Shared that the perpetrators' most likely motive was to obtain an element of security information that could be used to target defense secrets and related IP, rather than financial gain, PII, or public embarrassment
       – Confirmed that information taken from RSA was used as an element in an attempted broader attack against Lockheed Martin
       – Reinforced that the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology
  7. The Initial Vector in the RSA Attack
     1. Phishing emails – Some clues about the email lead us to believe that this was from some slightly dated research on employees
     2. Launch zero-day – One user opened the email attachment (an Excel spreadsheet), which launches a Flash zero-day
     3. Attacker gains access to other machines – The zero-day exploit installs a backdoor (Poison Ivy RAT variant) which enables extraction of memory-resident password hashes
  8. Reducing Attacker Free Time
     Timeline figure (labels recovered from the slide; the layout was lost in extraction).
     Attacker phases: Surveillance, Attack Begins, Discovery/Probe, Target Analysis, Attack Set-up, Intrusion, Persistence, Leap Frog Attacks, Access, System Cover-up Starts, Cover-up Complete, Maintain Foothold.
     Defender phases: Physical Security, Monitoring & Controls, Containment & Eradication, Impact Analysis, Response, Threat Analysis, Attack Forecast, Incident Reporting, System Recovery, Defender Reaction, Discovery, Damage Identification, Attack Identified.
     The gap between the attacker's progress and the defender's discovery and reaction is labelled ATTACKER FREE TIME.
     Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)
  9. From Compromise to Exfiltration
     4. Attacker moves laterally through the organization, heavily using escalation of privileges, to systems containing disparate information that when combined allowed compromise of RSA SecurID-related information
     5. Attacker initiates separate network using credentials obtained from steps 1–3
     6. Attacker removes data and stages it on a file share within the network
     7. Files are encrypted and the attacker tries to exfiltrate to several servers before finding a successful destination (External Server)
  10. Shift in spending (image-only slide)
  11. Asset Criticality Intelligence
      Diagram (layout lost in extraction): RSA ACI builds an asset intelligence record from several sources.
      • Asset intelligence record: IP Address, Criticality Rating, Business Unit, Facility, Device Owner, Device Type, Device Content
      • RSA Archer (business context): Business Owner, Business Unit, Criticality Rating, Biz Process, RPO / RTO
      • IT info: Asset List, CMDBs, Vuln. Scans
      • RSA NetWitness
      Security analysts now have asset intelligence and business context to better analyze and prioritize alerts.
  12. EMC SOC vs. CIRC
      • SOC = Security Operations Center: Level 1 adds, moves and changes, security questions, device health, etc.
      • CIRC = Critical Incident Response Center: Manage security incidents, investigate suspicious behavior, vulnerability analysis, malware analysis, threat management, etc.
  13. RSA Critical Incident Response Team detects file transfer activity
      • DLP Network detects a transfer of an encrypted file over the FTP protocol
  14. Alert Critical Incident Response Team
      • RSA SIEM generates an alert from two correlated events:
        1. Successful RDP connection to a critical server
        2. DLP activity on the same server
  15. Incident escalation to Security Management Dashboard
      • RSA SIEM alerts sent to RSA eGRC platform
      • RSA eGRC links this incident with business context and prioritizes it as HIGH priority
  16. Advanced Network Forensics
      • Instant integration from RSA eGRC web interface to RSA NetWitness with two clicks
      • SIEMLink transparently retrieves full session detail from RSA NetWitness
  17. Situation Aware Analysis
      • Context of all network activities to/from the critical server
      • Confirm John's machine (192.168.100.142) as source of the RDP session
  18. Situation Aware Analysis – Drill into all network sessions from John's machine
      • Small executable file
      • Transfer over HTTP
      • Suspicious filename & extension
      • Suspicious domain name
      • Malware?!?
  19. Automated Malware Analysis
      • RSA NetWitness instantly provides detailed analysis of the file in question
  20. Only Security Analytics can tell you the impact of the attack
      Attack Step                                                | Traditional SIEM | RSA SA
      Alert for RDP tunneled over non-standard port              | No               | Yes
      Recreate activity of suspect IP address across environment | No               | Yes
      Show user activity across AD and VPN                       | Yes              | Yes
      Alert for different credentials used for AD and VPN        | Yes              | Yes
      Reconstruct exfiltrated data                               | No               | Yes
  21. RSA Methodology: Ripping away the hay with automated queries
      • Start with all network traffic and logs
      • SHOW ME all downloads of executable content (pdf, doc, exe, xls, jar etc.)
      • SHOW ME files where file type does not match extension
      • ALERT ME for sessions to/from critical assets
  22. Security Practices – Critical Checklist
      • Business Risk Assessment: Identify most critical systems; ensure they are given the highest priorities for all hardening and monitoring activities
      • Active Directory Hardening: Minimize number of admins; Monitoring and alerting (Windows Event ID #566); Two factor admin access from hardened VDI platform; Executable whitelisting on hardened DCs; Disable default account and rename key accounts; Complex passwords (9 & 15 char)
      • Infrastructure & Logging: Full and detailed logging & analysis; Tighten VPN controls; Increase controls on crypto keys; Full packet capture at strategic network locations; Network segmentation; Team trained and focused on APT activity
      • Service Accounts: Review accounts for privilege creep; Change passwords frequently; Do not embed credentials into scripts; Minimize interactive login; Restrict login only from required hosts
      • Web Access: Block access to high risk and web filter categories; Click through on medium risk websites; Black hole dynamic DNS domains; Authenticated internet access; DNS traffic analysis
      • User Education: Increase security training for IT; Launch security improvement initiative; Regular education of users on phishing attacks; Regular education on social engineering; Increase mail filtering controls
      • User Machine Hardening: Limit local admin and randomize PW, change often; Increase patching regime; Enable security controls in applications; Deep visibility to identify lateral movement; Limit use of non-authorized and approved software
  23. 5 Forward-leaning Practices
      • Anti-social engineering (anti-vishing, etc.)
      • Zero-day malware detection
      • Deeper analysis and responsiveness to network traffic
      • Adaptive authentication and two factor
      • Proactive web application security
  24. Disintegration of Perimeter Controls
      • Focus on the critical assets
      • Context based security analytics fused with threat intelligence
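The correlation rule described on slides 13 to 15 and 17 (a successful RDP logon to a critical server followed by DLP activity on that same server, escalated by business context) can be expressed in a few dozen lines. The block below is an added example written for this page, not RSA SIEM or eGRC code: the key=value log format, the asset-criticality table, the field names and the 30-minute correlation window are all constructed assumptions, and the sample events are made up (only the 192.168.100.142 address is taken from slide 17).

```python
"""SIEM-style correlation of a successful RDP logon with DLP network activity on
the same server, escalated by asset criticality. Added example; the key=value
log format, the asset table, the field names and the 30-minute window are
assumptions, not RSA product behaviour."""
from datetime import datetime, timedelta

# Constructed asset-criticality table standing in for the slides' asset intelligence.
# Assumption: criticality 1-5, where 4 or more marks a critical server.
ASSETS = {
    "192.168.100.10": {"name": "secretsrv01", "criticality": 5, "owner": "Product Security"},
    "192.168.100.50": {"name": "printsrv02", "criticality": 1, "owner": "Facilities"},
}

# Constructed sample events (not real logs). 'src' is the originating host,
# 'dst'/'host' the server the event concerns.
SAMPLE_EVENTS = """\
ts=2012-02-01T09:55:10 type=rdp_login result=success src=192.168.100.142 dst=192.168.100.10 user=jsmith
ts=2012-02-01T10:02:41 type=dlp_network action=transfer proto=ftp host=192.168.100.10 detail=encrypted_archive
ts=2012-02-01T10:30:00 type=rdp_login result=success src=192.168.100.20 dst=192.168.100.50 user=helpdesk
ts=2012-02-01T10:45:00 type=dlp_network action=transfer proto=ftp host=192.168.100.50 detail=encrypted_archive
ts=2012-02-01T14:00:00 type=rdp_login result=failure src=192.168.100.142 dst=192.168.100.10 user=jsmith
ts=2012-02-01T16:00:00 type=dlp_network action=transfer proto=ftp host=192.168.100.10 detail=encrypted_archive
"""

WINDOW = timedelta(minutes=30)


def parse_events(text):
    """Parse key=value lines into dicts; 'ts' becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        events.append(fields)
    return events


def correlate(events, assets=ASSETS, window=WINDOW):
    """Rule: a successful RDP logon to a server, followed within `window` by DLP
    network activity on that same server. Each match is enriched with the
    server's business context and given HIGH priority if the asset is critical."""
    rdp = [e for e in events if e["type"] == "rdp_login" and e["result"] == "success"]
    dlp = [e for e in events if e["type"] == "dlp_network"]
    alerts = []
    for r in rdp:
        for d in dlp:
            if d["host"] != r["dst"]:
                continue
            if not (r["ts"] <= d["ts"] <= r["ts"] + window):
                continue  # outside the window: no correlation
            asset = assets.get(r["dst"], {})
            critical = asset.get("criticality", 0) >= 4
            alerts.append({
                "server": r["dst"],
                "asset": asset.get("name", "unknown"),
                "owner": asset.get("owner", "unknown"),
                "rdp_source": r["src"],
                "user": r["user"],
                "dlp_detail": d["detail"],
                "priority": "HIGH" if critical else "MEDIUM",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run against the constructed events, the rule fires twice: the logon to secretsrv01 followed seven minutes later by an encrypted FTP transfer becomes a HIGH alert naming 192.168.100.142 as the RDP source, and the print-server pair becomes MEDIUM. The failed logon and the 16:00 DLP event with no preceding logon inside the window produce nothing, which is the point of correlating rather than alerting on either event alone.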
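Slide 21's three queries (downloads of executable content, files whose type does not match their extension, sessions to or from critical assets) and the indicators on slide 18 (a small executable arriving over HTTP under a misleading name) can be demonstrated on a handful of session records. The block below is an added example, not RSA NetWitness code: the record layout, the magic-byte table, and the choice of leading bytes as the way to identify a file's real type are assumptions about how such queries can be implemented, and the session records are constructed.

```python
"""The three 'show me / alert me' queries from the RSA methodology slide, run over
constructed network-session records. Added example, not RSA NetWitness code; the
record layout, the magic-byte table and the use of leading bytes to identify a
file's real type are assumptions about how such queries can be implemented."""

# (signature prefix, content type). Identification by leading bytes is the
# assumed technique; the table covers only the types the slide names.
MAGIC = [
    (b"MZ", "exe"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0", "ole"),      # legacy .doc/.xls container
    (b"PK\x03\x04", "zip"),            # .jar/.docx/.xlsx container
    (b"FWS", "swf"), (b"CWS", "swf"),  # Flash
    (b"GIF8", "gif"),
    (b"\xff\xd8\xff", "jpg"),
]
EXT_TO_TYPE = {"exe": "exe", "dll": "exe", "pdf": "pdf", "doc": "ole", "xls": "ole",
               "jar": "zip", "docx": "zip", "xlsx": "zip", "swf": "swf",
               "gif": "gif", "jpg": "jpg", "jpeg": "jpg"}
# Content that executes code or carries macros/exploits (the slide's pdf, doc, exe, xls, jar etc.).
EXECUTABLE_CONTENT = {"exe", "pdf", "ole", "zip", "swf"}

# Constructed session records; first_bytes are the leading bytes of the transferred file.
SESSIONS = [
    {"src": "192.168.100.142", "dst": "203.0.113.7", "proto": "http",
     "filename": "budget.xls", "first_bytes": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"},
    {"src": "192.168.100.142", "dst": "203.0.113.9", "proto": "http",
     "filename": "update.gif", "first_bytes": b"MZ\x90\x00\x03\x00"},
    {"src": "192.168.100.20", "dst": "198.51.100.4", "proto": "http",
     "filename": "invoice.pdf", "first_bytes": b"PK\x03\x04\x14\x00"},
    {"src": "192.168.100.20", "dst": "198.51.100.4", "proto": "http",
     "filename": "photo.jpg", "first_bytes": b"\xff\xd8\xff\xe0\x00\x10"},
    {"src": "192.168.100.142", "dst": "192.168.100.10", "proto": "rdp",
     "filename": None, "first_bytes": b""},
]


def detect_type(first_bytes):
    """Identify the content type from its leading bytes, or 'unknown'."""
    for sig, kind in MAGIC:
        if first_bytes.startswith(sig):
            return kind
    return "unknown"


def extension(filename):
    if not filename or "." not in filename:
        return ""
    return filename.rsplit(".", 1)[-1].lower()


def executable_downloads(sessions):
    """SHOW ME all downloads of executable content, judged by content rather than name."""
    return [s["filename"] for s in sessions
            if s["filename"] and detect_type(s["first_bytes"]) in EXECUTABLE_CONTENT]


def type_mismatches(sessions):
    """SHOW ME files where file type does not match extension.
    Returns (filename, type claimed by the extension, type found in the content)."""
    hits = []
    for s in sessions:
        claimed = EXT_TO_TYPE.get(extension(s["filename"]))
        actual = detect_type(s["first_bytes"])
        if claimed and actual != "unknown" and claimed != actual:
            hits.append((s["filename"], claimed, actual))
    return hits


def critical_asset_sessions(sessions, critical_assets):
    """ALERT ME for sessions to/from critical assets."""
    return [s for s in sessions
            if s["src"] in critical_assets or s["dst"] in critical_assets]


if __name__ == "__main__":
    print(executable_downloads(SESSIONS))
    print(type_mismatches(SESSIONS))
    print(critical_asset_sessions(SESSIONS, {"192.168.100.10"}))
```

The second query is the one that strips away the hay: budget.xls is a real OLE document and is reported only as executable content, while update.gif (a PE image under a picture name) and invoice.pdf (a zip container under a document name) both surface as mismatches, which is the "suspicious filename & extension" observation from slide 18 made mechanical. The third query returns the single RDP session to 192.168.100.10, the critical server from slide 17.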