Kunal Sharma
IST-323: Case Study – RSA Phishing and APT Attack
In a business world that integrates computer networks into its operations more than ever before, attackers have many ways to gain access to information systems. RSA Security LLC, an American computer and network security company, holds data that demands the strongest protection, including its cryptographic libraries and the records behind its SecurID tokens. In 2011 these tokens provided two-factor authentication: a user entered a "secret code number displayed on a key fob, or in software" (Zetter) in addition to a username and password. The code is generated cryptographically from a secret seed stored in the token and changes every 30 seconds, which adds a second factor that a stolen password alone cannot satisfy. Each token, however, carries a serial number that identifies it, and RSA kept the records linking serial numbers to their seeds; an attacker who compromised those records could recover the individual token information (Zetter) and, with it, compute the codes the token displays. That dependence on a central seed store is one liability; another is reliance on the security of supplemental end-user software such as Adobe Flash ("RSA FraudAction Research Labs"), which in 2011 could be embedded in Office documents and run whenever an employee opened an attachment on a network client. On March 3rd, 2011 the RSA network suffered exactly such an attack by remote intruders.
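The following is an added example, not code from the case study or from RSA, that shows why the seed records were the prize. SecurID's actual algorithm is proprietary; the example substitutes the public RFC 6238 time-based one-time password construction (HMAC-SHA1, 30-second step) as a stand-in, and the serial number and seed records are constructed. The point it demonstrates is that whoever holds the seed can run the same computation as the token, so the second factor collapses until the token (that is, the seed) is replaced, which is the remedy RSA and Lockheed Martin applied.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the 30-second rotation described in the case study
DIGITS = 6


def totp(seed: bytes, unix_time: int) -> str:
    """Time-based one-time code derived from a secret seed (RFC 6238, HMAC-SHA1).

    Stand-in for the proprietary SecurID algorithm (assumption); the shape of the
    problem is the same: code = f(seed, time), with no per-use user secret.
    """
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


# Constructed seed records, serial -> seed. The seed is the RFC 6238 test
# vector key ("12345678901234567890"); the serial number is made up.
SEED_DB = {
    "000123456789": b"12345678901234567890",
}


def verify_code(db, serial, code, unix_time, window=1):
    """Server-side check, tolerating +/- `window` steps of clock drift."""
    seed = db.get(serial)
    if seed is None:
        return False
    for k in range(-window, window + 1):
        expected = totp(seed, unix_time + k * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def attacker_code(stolen_db, serial, unix_time):
    """What the holder of a stolen seed record can do: run the token's own
    computation. No physical token and no user interaction are needed."""
    return totp(stolen_db[serial], unix_time)


def reissue_token(db, serial, new_seed):
    """The mitigation RSA applied: replace the token, i.e. its seed, so the
    stolen copy no longer matches what the server expects."""
    db[serial] = new_seed


if __name__ == "__main__":
    serial, t = "000123456789", 59
    stolen = dict(SEED_DB)           # the attackers' copy of the records
    print("token displays :", totp(SEED_DB[serial], t))
    print("attacker derives:", attacker_code(stolen, serial, t))
    print("accepted?       :", verify_code(SEED_DB, serial, attacker_code(stolen, serial, t), t))
    reissue_token(SEED_DB, serial, b"\x5a" * 20)   # constructed replacement seed
    print("after reissue   :", verify_code(SEED_DB, serial, attacker_code(stolen, serial, t), t))
```

The serial number is what ties a stolen record to a specific customer: an attacker who also learns which serial a target user carries (from a help-desk ticket, a phishing reply, or a previously compromised system) has everything needed for the second factor, which is why both the seed store and the serial-to-user mapping need to be protected.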
The attackers used phishing to gain a foothold on an end user's machine, then worked through the RSA network in the manner of an advanced persistent threat (APT). An APT group is dangerous because of the resources at its disposal and its persistence: it gathers information about its target, has a clear objective for how to compromise it, and then extracts the information it came for. The first step here was to collect publicly available information about specific employees, such as e-mail addresses and social media profiles, in order to craft a social-engineering lure. Having gathered the addresses of four workers who were not particularly high-profile at RSA's parent company EMC (Zetter), the attackers sent them, over a two-day period, two spear-phishing e-mails with the subject line "2011 Recruitment plan" that appeared to come from a "web master" at the job site Beyond.com (Zetter). The mail filter had already placed the message in the junk folder, but the lure was convincing enough that one employee retrieved it from there and opened the attached Excel spreadsheet, "2011 Recruitment plan.xls".

The spreadsheet carried a zero-day exploit (one that targets a bug the vendor has not yet patched), built as what Pan and Tsai call a "hybrid document exploit": the vulnerable component was not Excel itself but an Adobe Flash object embedded in the spreadsheet, so Microsoft Office security patches offered no protection against it (Pan and Tsai). Because a document of one application can be embedded as an object inside another, the end user sees only a spreadsheet attached to an ordinary-looking e-mail. Code execution inside one application is only a foothold, though; the attackers still needed durable remote access to the client, which the next stage provided. The exploit itself had two parts: a Flash vulnerability in the player's Authplay.dll component, repackaged inside the Office document, and a control-flow hijack that redirected execution to attacker-supplied code already placed in memory. Why package the exploit in Excel rather than in a PDF or a web page? Pan and Tsai attribute the choice to Data Execution Prevention (DEP). DEP marks data pages such as the heap and stack as non-executable, so shellcode sprayed into memory cannot run directly in a process that opts into it, as the browsers and PDF readers of the time did. The Office process that opened the spreadsheet did not run with DEP enabled, so the injected code executed without any need to bypass that protection (Pan and Tsai).
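The check a mail gateway or responder would want for the attachment described above, as an added example that is not part of the case study or of any RSA tooling: a static scan of a legacy Office (OLE2) file for an embedded Flash movie. An SWF begins with one of the signatures "FWS" (uncompressed), "CWS" (zlib) or "ZWS" (LZMA), a version byte and a little-endian total length, and the scan uses those fields to reject chance matches. The sample files are constructed byte strings, not real attachments; a real embedded object may sit inside a separate OLE stream and need a proper container parser, so this is a first-pass triage check rather than a full decoder.

```python
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")      # header of .xls/.doc/.ppt (binary formats)
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")           # uncompressed, zlib, LZMA
LEGACY_OFFICE_EXT = (".xls", ".doc", ".ppt")


def find_embedded_swf(blob: bytes):
    """Return (offset, kind, version, declared_length) for every plausible SWF
    header in the blob. The version and length fields are sanity-checked so a
    stray three-letter sequence in text or random data does not match."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = blob.find(sig)
        while pos != -1:
            if pos + 8 <= len(blob):
                version = blob[pos + 3]
                declared_len = struct.unpack_from("<I", blob, pos + 4)[0]
                # Flash Player versions were small integers; the declared length
                # covers the header itself and cannot run past the container.
                if 1 <= version <= 40 and 8 <= declared_len <= len(blob) - pos:
                    hits.append((pos, sig.decode(), version, declared_len))
            pos = blob.find(sig, pos + 1)
    return sorted(hits)


def assess_attachment(filename: str, blob: bytes):
    """Findings a responder would act on: format mismatch, or Flash inside Office."""
    findings = []
    if filename.lower().endswith(LEGACY_OFFICE_EXT) and not blob.startswith(OLE2_MAGIC):
        findings.append("extension claims a legacy Office file but the bytes are not OLE2")
    for pos, kind, version, length in find_embedded_swf(blob):
        findings.append(
            f"embedded Flash object ({kind}, SWF version {version}, {length} bytes) at offset {pos}"
        )
    return findings


def build_samples():
    """Constructed inputs: a clean container, one carrying an SWF, and a decoy."""
    # Minimal SWF header: "CWS", version 10, total length 64, then a zlib
    # stream header and padding. Only the header shape matters for the scan.
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 64) + b"\x78\x9c" + b"\x00" * 54
    benign = OLE2_MAGIC + b"\x00" * 504
    malicious = OLE2_MAGIC + b"\x00" * 120 + swf + b"\x00" * 300
    # A stray "FWS" with an absurd version byte and length must not be reported.
    decoy = (OLE2_MAGIC + b"\x00" * 40 + b"FWS" + bytes([255])
             + struct.pack("<I", 0xFFFFFFFF) + b"\x00" * 40)
    return benign, malicious, decoy


if __name__ == "__main__":
    benign, malicious, decoy = build_samples()
    for name, blob in (("clean.xls", benign), ("2011 Recruitment plan.xls", malicious),
                       ("decoy.xls", decoy), ("renamed.xls", b"PK\x03\x04" + b"\x00" * 64)):
        print(name, "->", assess_attachment(name, blob) or ["no findings"])
```

On a live gateway the same check belongs in the path that handles messages already classified as junk, since the mail in this case was quarantined and then released by the recipient; a policy that strips or detonates Office attachments containing Flash regardless of spam verdict closes that gap.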
With code execution on the workstation, the attackers installed a backdoor: the Poison Ivy remote access tool (RAT), configured in reverse-connect mode. Rather than listening for inbound connections, which a perimeter firewall would block, the compromised client periodically connected outward to the attackers' command-and-control server and fetched its instructions over that session. Because the traffic originated from inside the network, it blended in with ordinary outbound connections and was far harder to detect than an inbound listener would have been. From that foothold the attackers moved laterally through the network, looking for users with broader access and higher administrative privileges. Because the intrusion was not diagnosed immediately, they had enough time to carry out this reconnaissance, map the network and identify high-value accounts. Through privilege escalation they gained access to server administrator accounts, then copied data from the servers of interest to internal staging servers, where it was collected, compressed and encrypted for removal. They then used FTP to transfer password-protected RAR archives, including the key data, the records behind roughly 40 million SecurID tokens, to a staging server at an external, compromised hosting provider, pulled the files down from there and deleted them from that host to remove traces of the operation. None of this was flagged as external activity by the network security systems, because the attackers were acting with legitimate, highly privileged credentials they had taken over ("RSA FraudAction Research Labs").

The stolen information was later suspected to have been used in an attack on Lockheed Martin, a US defense contractor and an important RSA customer. Lockheed Martin, however, had strong monitoring in place and detected abnormal activity on its intranet. The company applied its "Cyber Kill Chain" framework, which "barricaded" further attempts to reach data on the network (Higgins). "The same day that Lockheed Martin detected the attack, all remote access for employees was disabled, and the company told all telecommuters to work from company offices for at least a week" (Higgins). Later that week the company informed remote workers that they would receive new RSA SecurID tokens and told all employees to reset their network passwords. As this attempt shows, companies must protect their information systems and minimize risk, because otherwise valuable data can be extracted for malicious use (Kemshall).
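Two behaviours in the account above leave a footprint in outbound connection logs even when the attacker holds valid administrator credentials: a reverse-connecting RAT polls its command-and-control server at near-constant intervals, and staged archives leave as a large volume to a single external host, in this case over plaintext FTP. The following detection logic, an added example rather than anything from the case study or from RSA's or Lockheed Martin's tooling, runs both checks over a constructed flow log. The internal address ranges, the beacon-regularity threshold and the 100 MB exfiltration threshold are assumptions to be tuned per environment; the hosts and byte counts are invented.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed connection log: time, source, destination, destination port,
# bytes sent by the source. The two SMB lines are lateral movement inside the
# network; they are not external and are left to other detections.
FLOWS = """\
2011-03-04T09:00:00Z 10.1.5.23 203.0.113.45 443 610
2011-03-04T09:01:11Z 10.1.5.23 10.1.0.10 445 4096
2011-03-04T09:05:02Z 10.1.5.23 203.0.113.45 443 598
2011-03-04T09:07:40Z 10.1.5.23 10.1.0.10 445 8192
2011-03-04T09:10:01Z 10.1.5.23 203.0.113.45 443 602
2011-03-04T09:15:03Z 10.1.5.23 203.0.113.45 443 611
2011-03-04T09:20:00Z 10.1.5.23 203.0.113.45 443 590
2011-03-04T09:25:02Z 10.1.5.23 203.0.113.45 443 605
2011-03-04T10:12:00Z 10.1.5.23 93.184.216.34 80 1200
2011-03-04T11:02:15Z 10.1.9.7 198.51.100.8 21 734003200
"""

# Assumed internal ranges; real deployments use the organisation's own list.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"t": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_beacons(flows, min_hits=5, max_cv=0.1):
    """Flag (src, dst, port) triples that connect out at near-constant intervals.

    Regularity is measured as the coefficient of variation of the gaps between
    connections; a human browsing produces jittery gaps, a polling implant does not.
    Returns (src, dst, port, mean_interval_seconds) for each beacon found.
    """
    by_triple = defaultdict(list)
    for f in flows:
        if is_external(f["dst"]):
            by_triple[(f["src"], f["dst"], f["dport"])].append(f["t"])
    beacons = []
    for key, times in by_triple.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((*key, round(avg)))
    return beacons


def detect_exfil(flows, min_bytes=100_000_000, ftp_ports=(20, 21)):
    """Flag internal hosts pushing a large volume to one external destination.

    Returns (src, dst, total_bytes, via_ftp); via_ftp marks plaintext FTP, the
    channel used in the RSA case, which should not be leaving the network at all.
    """
    totals, ports = defaultdict(int), defaultdict(set)
    for f in flows:
        if is_external(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes"]
            ports[(f["src"], f["dst"])].add(f["dport"])
    return [(src, dst, total, bool(ports[(src, dst)] & set(ftp_ports)))
            for (src, dst), total in totals.items() if total >= min_bytes]


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("beacons:", detect_beacons(flows))
    print("exfil  :", detect_exfil(flows))
```

The beacon check needs only connection metadata, so it works even when the C2 session is encrypted on port 443; the exfiltration check is cheap but blind to an attacker who trickles data out below the threshold, so the two are meant to complement an egress policy that blocks FTP outright.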
As for the main part of the attack sequence, the infiltration of the RSA network itself, the first response came from Adobe, which released a Flash Player patch for the zero-day so that the same exploit could no longer be used to inject malware (Keiser). RSA then replaced SecurID tokens for its customers free of charge and hardened its own security software. Its most significant step, prompted directly by the APT attack, was the launch of its Advanced Cyber Defense (ACD) Services, a set of incident response and breach readiness services designed to assist an organization rapidly during an incident or breach and to put in place preventative measures that reduce the risk of a successful attack ("EMC Press Release"). A separate body of work (Finke, Gebhardt and Schindler) describes a new side-channel attack on prime generation in the RSA cryptosystem; it concerns the algorithm's key generation rather than the company's network and is unrelated to this breach, and the probability of success was only 10 to 15 percent.
BIBLIOGRAPHY
Pan, Ming-Chieh and Tsai, Sung-Ting. (August 2011). Weapons of Targeted Attack. Black Hat presentation. Retrieved from: https://media.blackhat.com/bh-us-11/Tsai/BH_US_11_TsaiPan_Weapons_Targeted_Attack_Slides.pdf
Kemshall, Andy. (22 May 2012). Analyzing the RSA Security Breach. Tmcnet.com. Retrieved from: http://www.tmcnet.com/voip/departments/articles/291353-analyzing-rsa-security-breach.htm
Zetter, Kim. (26 August 2011). Researchers Uncover RSA Phishing Attack, Hiding In Plain Sight. Wired. Retrieved from: http://www.wired.com/threatlevel/2011/08/how-rsa-got-hacked/
Anatomy of an Attack. (1 April 2011). RSA FraudAction Research Labs blog post. Retrieved from: https://blogs.rsa.com/anatomy-of-an-attack/ (retrieved 2/10/14)
Keiser, Gregg. (14 March 2011). Hackers exploit Flash zero-day, Adobe confirms. Computerworld.com. Retrieved from: http://www.computerworld.com/s/article/9214521/Hackers_exploit_Flash_zero_day_Adobe_confirms
Higgins, Kelly Jackson. (12 February 2013). How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack. Darkreading.com. Retrieved from: http://www.darkreading.com/attacks-breaches/how-lockheed-martins-kill-chain-stopped/240148399
RSA Launches Incident Response and Breach Readiness Services to Help Customers Turn the Tide on Advanced Threats. (19 September 2012). EMC Press Release. Retrieved from: http://www.emc.com/about/news/press/2012/20120919-01.htm
Finke, Thomas, Gebhardt, Max and Schindler, Werner. (1 September 2009). A New Side-Channel Attack on RSA Prime Generation. Iacr.org. Retrieved from: http://www.iacr.org/archive/ches2009/57470141/57470141.pdf

More Related Content

What's hot

Social engineering
Social engineeringSocial engineering
Social engineering
ankushmohanty
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Future
karanwayne
 
Introduction to Web Application Security Principles
Introduction to Web Application Security Principles Introduction to Web Application Security Principles
Introduction to Web Application Security Principles
Dr. P. Mohana Priya
 
Cyber Crime and Security
Cyber Crime and Security Cyber Crime and Security
Cyber Crime and Security
Sanguine_Eva
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101
Shahee Mirza
 
Email security
Email securityEmail security
Email security
Ahmed EL-KOSAIRY
 
Cyber Terrorism Presentation
Cyber Terrorism PresentationCyber Terrorism Presentation
Cyber Terrorism Presentation
merlyna
 
Tools and methods used in cyber crime
Tools and methods used in cyber crimeTools and methods used in cyber crime
Tools and methods used in cyber crime
shubhravrat Deshpande
 
Social Networking Security
Social Networking SecuritySocial Networking Security
Social Networking Security
S. M. Shakib Limon
 
Social engineering
Social engineering Social engineering
Social engineering
Vîñàý Pãtêl
 
Logic bomb virus
Logic bomb virusLogic bomb virus
Logic bomb virus
ssuser1eca7d
 
Xss attack
Xss attackXss attack
Xss attack
Manjushree Mashal
 
Social engineering
Social engineeringSocial engineering
Social engineering
Robert Hood
 
Hacking and Hackers
Hacking and HackersHacking and Hackers
Hacking and Hackers
Farwa Ansari
 
What is Social Engineering? An illustrated presentation.
What is Social Engineering?    An illustrated presentation.What is Social Engineering?    An illustrated presentation.
What is Social Engineering? An illustrated presentation.
Pratum
 
Database security
Database securityDatabase security
Database security
Birju Tank
 
Hacking And Its Prevention
Hacking And Its PreventionHacking And Its Prevention
Hacking And Its Prevention
Dinesh O Bareja
 
Password Cracking
Password Cracking Password Cracking
Password Cracking
Sina Manavi
 
Password Attack
Password Attack Password Attack
Password Attack
Sina Manavi
 

What's hot (20)

Social engineering
Social engineeringSocial engineering
Social engineering
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Future
 
Introduction to Web Application Security Principles
Introduction to Web Application Security Principles Introduction to Web Application Security Principles
Introduction to Web Application Security Principles
 
Password craking techniques
Password craking techniques Password craking techniques
Password craking techniques
 
Cyber Crime and Security
Cyber Crime and Security Cyber Crime and Security
Cyber Crime and Security
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101
 
Email security
Email securityEmail security
Email security
 
Cyber Terrorism Presentation
Cyber Terrorism PresentationCyber Terrorism Presentation
Cyber Terrorism Presentation
 
Tools and methods used in cyber crime
Tools and methods used in cyber crimeTools and methods used in cyber crime
Tools and methods used in cyber crime
 
Social Networking Security
Social Networking SecuritySocial Networking Security
Social Networking Security
 
Social engineering
Social engineering Social engineering
Social engineering
 
Logic bomb virus
Logic bomb virusLogic bomb virus
Logic bomb virus
 
Xss attack
Xss attackXss attack
Xss attack
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Hacking and Hackers
Hacking and HackersHacking and Hackers
Hacking and Hackers
 
What is Social Engineering? An illustrated presentation.
What is Social Engineering?    An illustrated presentation.What is Social Engineering?    An illustrated presentation.
What is Social Engineering? An illustrated presentation.
 
Database security
Database securityDatabase security
Database security
 
Hacking And Its Prevention
Hacking And Its PreventionHacking And Its Prevention
Hacking And Its Prevention
 
Password Cracking
Password Cracking Password Cracking
Password Cracking
 
Password Attack
Password Attack Password Attack
Password Attack
 

Viewers also liked

RSA Anatomy of an Attack
RSA Anatomy of an AttackRSA Anatomy of an Attack
RSA Anatomy of an Attack
integritysolutions
 
Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014Joseph White MPA CPM
 
Analysis of RSA Lockheed Martin Attack
Analysis of RSA Lockheed Martin AttackAnalysis of RSA Lockheed Martin Attack
Analysis of RSA Lockheed Martin AttackGavin Davey
 
Sony - A Crisis Management Case Study
Sony - A Crisis Management Case StudySony - A Crisis Management Case Study
Sony - A Crisis Management Case Study
Dylan Holbrook
 
Security Attacks on RSA
Security Attacks on RSASecurity Attacks on RSA
Security Attacks on RSA
Pratik Poddar
 
Sony Playstation Hack Presentation
Sony Playstation Hack PresentationSony Playstation Hack Presentation
Sony Playstation Hack Presentation
CreditCardFinder
 
RSA: Security Analytics Architecture for APT
RSA: Security Analytics Architecture for APTRSA: Security Analytics Architecture for APT
RSA: Security Analytics Architecture for APT
Lee Wei Yeong
 
Panama
PanamaPanama
Presentation Penama Leaks
Presentation Penama LeaksPresentation Penama Leaks
Presentation Penama Leaks
sidra khalid
 
Panama Papers( leaks) ? The Biggest Financial leaks in History.
Panama Papers( leaks) ? The Biggest Financial leaks in History.Panama Papers( leaks) ? The Biggest Financial leaks in History.
Panama Papers( leaks) ? The Biggest Financial leaks in History.
Arslan Haider
 
Breech presentation
Breech presentationBreech presentation
Breech presentation
Deepa Mishra
 
Threat detection-report-backoff-pos
Threat detection-report-backoff-posThreat detection-report-backoff-pos
Threat detection-report-backoff-posEMC
 
From SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardFrom SIEM to SA: The Path Forward
From SIEM to SA: The Path Forward
EMC
 
Panama Papers - The Biggest Financial Leak in History
Panama Papers - The Biggest Financial Leak in HistoryPanama Papers - The Biggest Financial Leak in History
Panama Papers - The Biggest Financial Leak in History
Stinson
 

Viewers also liked (14)

RSA Anatomy of an Attack
RSA Anatomy of an AttackRSA Anatomy of an Attack
RSA Anatomy of an Attack
 
Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014
 
Analysis of RSA Lockheed Martin Attack
Analysis of RSA Lockheed Martin AttackAnalysis of RSA Lockheed Martin Attack
Analysis of RSA Lockheed Martin Attack
 
Sony - A Crisis Management Case Study
Sony - A Crisis Management Case StudySony - A Crisis Management Case Study
Sony - A Crisis Management Case Study
 
Security Attacks on RSA
Security Attacks on RSASecurity Attacks on RSA
Security Attacks on RSA
 
Sony Playstation Hack Presentation
Sony Playstation Hack PresentationSony Playstation Hack Presentation
Sony Playstation Hack Presentation
 
RSA: Security Analytics Architecture for APT
RSA: Security Analytics Architecture for APTRSA: Security Analytics Architecture for APT
RSA: Security Analytics Architecture for APT
 
Panama
PanamaPanama
Panama
 
Presentation Penama Leaks
Presentation Penama LeaksPresentation Penama Leaks
Presentation Penama Leaks
 
Panama Papers( leaks) ? The Biggest Financial leaks in History.
Panama Papers( leaks) ? The Biggest Financial leaks in History.Panama Papers( leaks) ? The Biggest Financial leaks in History.
Panama Papers( leaks) ? The Biggest Financial leaks in History.
 
Breech presentation
Breech presentationBreech presentation
Breech presentation
 
Threat detection-report-backoff-pos
Threat detection-report-backoff-posThreat detection-report-backoff-pos
Threat detection-report-backoff-pos
 
From SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardFrom SIEM to SA: The Path Forward
From SIEM to SA: The Path Forward
 
Panama Papers - The Biggest Financial Leak in History
Panama Papers - The Biggest Financial Leak in HistoryPanama Papers - The Biggest Financial Leak in History
Panama Papers - The Biggest Financial Leak in History
 

Similar to Case Study of RSA Data Breach

Ceis 9 padeep kumar_final_paper
Ceis 9 padeep kumar_final_paperCeis 9 padeep kumar_final_paper
Ceis 9 padeep kumar_final_paper
Alexander Decker
 
Running head Assignment 1 Identifying Potential Malicious Attack.docx
Running head Assignment 1 Identifying Potential Malicious Attack.docxRunning head Assignment 1 Identifying Potential Malicious Attack.docx
Running head Assignment 1 Identifying Potential Malicious Attack.docx
susanschei
 
Honey Pot Intrusion Detection System
Honey Pot Intrusion Detection SystemHoney Pot Intrusion Detection System
Cyber Security DepartmentGraduation Project (407422)
Cyber Security DepartmentGraduation Project  (407422)Cyber Security DepartmentGraduation Project  (407422)
Cyber Security DepartmentGraduation Project (407422)
OllieShoresna
 
Secureview 2q 2011
Secureview 2q 2011Secureview 2q 2011
Secureview 2q 2011
Felipe Prado
 
Advanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the HaystackAdvanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the Haystack
EMC
 
Include at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inInclude at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words in
maribethy2y
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...
Tiffany Sandoval
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Security
belsis
 
Trends in network security feinstein - informatica64
Trends in network security   feinstein - informatica64Trends in network security   feinstein - informatica64
Trends in network security feinstein - informatica64Chema Alonso
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your network
DefCamp
 
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516Yasser Mohammed
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)
Dan Morrill
 
VTU network security(10 ec832) unit 6 notes
VTU network security(10 ec832) unit 6 notesVTU network security(10 ec832) unit 6 notes
VTU network security(10 ec832) unit 6 notes
Jayanth Dwijesh H P
 
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
IJERA Editor
 
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary ReadingThe Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
Muhammad FAHAD
 
Final Project – Incident Response Exercise SAMPLE.docx
Final Project – Incident Response Exercise SAMPLE.docxFinal Project – Incident Response Exercise SAMPLE.docx
Final Project – Incident Response Exercise SAMPLE.docx
lmelaine
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
Wail Hassan
 

Similar to Case Study of RSA Data Breach (20)

OS-Anatomy-Article
OS-Anatomy-ArticleOS-Anatomy-Article
OS-Anatomy-Article
 
Ceis 9 padeep kumar_final_paper
Ceis 9 padeep kumar_final_paperCeis 9 padeep kumar_final_paper
Ceis 9 padeep kumar_final_paper
 
Running head Assignment 1 Identifying Potential Malicious Attack.docx
Running head Assignment 1 Identifying Potential Malicious Attack.docxRunning head Assignment 1 Identifying Potential Malicious Attack.docx
Running head Assignment 1 Identifying Potential Malicious Attack.docx
 
Honey Pot Intrusion Detection System
Honey Pot Intrusion Detection SystemHoney Pot Intrusion Detection System
Honey Pot Intrusion Detection System
 
Cyber Security DepartmentGraduation Project (407422)
Cyber Security DepartmentGraduation Project  (407422)Cyber Security DepartmentGraduation Project  (407422)
Cyber Security DepartmentGraduation Project (407422)
 
Secureview 2q 2011
Secureview 2q 2011Secureview 2q 2011
Secureview 2q 2011
 
Advanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the HaystackAdvanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the Haystack
 
Include at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inInclude at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words in
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Security
 
Trends in network security feinstein - informatica64
Trends in network security   feinstein - informatica64Trends in network security   feinstein - informatica64
Trends in network security feinstein - informatica64
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your network
 
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)
 
VTU network security(10 ec832) unit 6 notes
VTU network security(10 ec832) unit 6 notesVTU network security(10 ec832) unit 6 notes
VTU network security(10 ec832) unit 6 notes
 
APT - Project
APT - Project APT - Project
APT - Project
 
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
 
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary ReadingThe Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
 
Final Project – Incident Response Exercise SAMPLE.docx
Final Project – Incident Response Exercise SAMPLE.docxFinal Project – Incident Response Exercise SAMPLE.docx
Final Project – Incident Response Exercise SAMPLE.docx
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
 

More from Kunal Sharma

Impact of Current Technology on Information Agencies
Impact of Current Technology on Information AgenciesImpact of Current Technology on Information Agencies
Impact of Current Technology on Information AgenciesKunal Sharma
 
Cyber Defense Team's Security Policy
Cyber Defense Team's Security PolicyCyber Defense Team's Security Policy
Cyber Defense Team's Security PolicyKunal Sharma
 
Improving the Wi-Fi in the Carrier Dome Feasibility Report
Improving the Wi-Fi in the Carrier Dome Feasibility ReportImproving the Wi-Fi in the Carrier Dome Feasibility Report
Improving the Wi-Fi in the Carrier Dome Feasibility ReportKunal Sharma
 
Multi Vendor Wireless Channel Interference.docx
Multi Vendor Wireless Channel Interference.docxMulti Vendor Wireless Channel Interference.docx
Multi Vendor Wireless Channel Interference.docxKunal Sharma
 
ITERA Paper - IPSec L2TP Vulnerability
ITERA Paper - IPSec L2TP VulnerabilityITERA Paper - IPSec L2TP Vulnerability
ITERA Paper - IPSec L2TP VulnerabilityKunal Sharma
 

More from Kunal Sharma (6)

HendricksERD
HendricksERDHendricksERD
HendricksERD
 
Impact of Current Technology on Information Agencies
Impact of Current Technology on Information AgenciesImpact of Current Technology on Information Agencies
Impact of Current Technology on Information Agencies
 
Cyber Defense Team's Security Policy
Cyber Defense Team's Security PolicyCyber Defense Team's Security Policy
Cyber Defense Team's Security Policy
 
Improving the Wi-Fi in the Carrier Dome Feasibility Report
Improving the Wi-Fi in the Carrier Dome Feasibility ReportImproving the Wi-Fi in the Carrier Dome Feasibility Report
Improving the Wi-Fi in the Carrier Dome Feasibility Report
 
Multi Vendor Wireless Channel Interference.docx
Multi Vendor Wireless Channel Interference.docxMulti Vendor Wireless Channel Interference.docx
Multi Vendor Wireless Channel Interference.docx
 
ITERA Paper - IPSec L2TP Vulnerability
ITERA Paper - IPSec L2TP VulnerabilityITERA Paper - IPSec L2TP Vulnerability
ITERA Paper - IPSec L2TP Vulnerability
 

Case Study of RSA Data Breach

  • 1. 1 Kunal Sharma IST-323: Case Study – RSA Phishing and APT Attack IST-323 In the modern-day business world that integrates computer networks into their operations more than ever before, attackers can use various methods to gain access to information systems. RSA Security LLC, an American computer and network security corporation, has many databases that require optimum network security, including cryptography libraries and the employees’ user SecurID tokens. In 2011, these tokens acted as a two-factor authentication method for employees, by requiring users to enter a “secret code number displayed on a key fob, or in software” (Zetter), in addition to their username and password. This number was cryptographically generated and changed every 30 seconds, adding an extra layer of security. However, each token had a serial number on it to make it unique, and if an attacker were able to compromise the system, they could obtain the individual user information(Zetter). These network aspects can introduce various liabilities (especially when they rely on the defenses of supplemental end-user software like Adobe Flash [“RSA FraudAction Research Labs”] when employees are browsing the internet on one of the network clients), and the RSA network did suffer a successful attack by remote hackers on March 3rd, 2011. The attackers used phishing to gain end-user pertinent information, then proceeded to hack into the RSA network using an APT attack. In an APT attack, a group of hackers are a threat due to the resources at their disposal and their persistence to get what they want. They have techniques to gather information about their target, and have an objective as to how they want to compromise their target and subsequently extract the information they want. 
The first step the attackers took when approaching this was to gather any publicly available information about specific employees, such as e-mail addresses and social media sites, so they could set up a social engineering manipulation technique. Once they had gathered the e-mails of 4 workers that
  • 2. 2 weren’t particularly high-profile at the RSA’s parent company EMC (Zetter), the attackers sent them two [target-based content] spear phishing e-mails that read “2011 Recruitment plan” in the subject line and appeared to come from a “web master” at a job-seeking site called Beyond.com (Zetter). The email was able to coerce one of the employees to access it from the junk mail and open the Excel spreadsheet attachment titled, “2011 Recruitment plan.xls”. This spreadsheet contained a new platform of a zero-day attack (a bug in an application is found by the attacker, and the vendor of that software has not implemented the necessary patches to fix it), which was a technique called a “hybrid document exploit”, and Microsoft Office security patches were not able to protect the system against it. (Pan and Tsai) The document can be embedded in an object of another application, and the end user would not be aware of the underlying threat within what appears to be a simple e-mail. However, because individual applications are sandboxed, the attacker had to gain remote access to the client. The exploit was a two-step attack that used the Flash vulnerability on the end-user application (on the Authplay.dll component) and repacked it into the document exploit. Then, a control-flow hijack allowed the hacker to enter arbitrary code into the memory. Now, why would the attackers use Excel as the document exploit as opposed to a PDF file or a webpage? This was due to the Data Execution Prevention (DEP) security feature for operating systems. Usually, DEP would only allow codes to run if those codes were already instilled into the software, but with the Flash bug, the hacker was able to make arbitrary code that appeared as logically instilled code to the DEP. Due to the Flash bug, the code did not appear as excess data area execution instructions (Pan and Tsai). Now that the hacker had gained privileges to enter codes, they proceeded to set up a backdoor. 
This allowed them to install a remote access tool (RAT) known as Poison Ivy, and then to set it up in reverse-connect mode, so they could obtain commands from the server of that
  • 3. 3 client. With the RAT installed in this fashion, the attacker was more difficult to detect than if it wasn’t installed that way. Then, the hacker started to move laterally through the network, searching for users with more access and higher administrative privileges. By not diagnosing the threat immediately, the RSA network allowed the hacker to indulge in this shoulder surfing activity for sufficient enough time to map the network and locate a high-end user. By using privilege escalation, the attacker was able to gain access to the accounts of server administrators. Then, they moved data from the servers of interest to internal staging servers, where the data was collected, compressed, and encrypted for extraction. The hackers then used FTP to transfer password-protected RAR files (including the key data which was the roughly 40 million user SecurID tokens) to an external, compromised host server, and extracted the files from there to avoid any traces of the attack. All of these actions were not recognized as external by the network security system because of the remote high-end privileges the attackers had gained (“RSA FraudAction Research Labs”). Finally, the information the attackers obtained was suspected to have been used to launch an attack on Lockheed Martin, a US Defense contracting corporation that was a vital customer of the RSA. However, the company had a strong security system that used its accounting prowess to detect abnormal activity within the intranet. The company then launched its “Cyber Kill Chain” framework that “barricaded” any attempts to access data within the network (Higgins). “The same day that Lockheed Martin detected the attack, all remote access for employees was disabled, and the company told all telecommuters to work from company offices for at least a week” (Higgins). Later on that week, the company informed all remote workers that they'd receive new RSA SecurID tokens and told all workers to reset their network passwords. 
As this specific attack attempt indicates, companies must protect their information systems and minimize risk, because otherwise seriously valuable data can be extracted for malicious use (Kemshall). As for the main portion of the entire attack sequence, the infiltration into the RSA network, the first response was taken by Adobe: the Flash Player vendor released a patch for the zero-day that prevented any further injection of the malware (Keiser). RSA then re-issued free SecurID tokens to all of its customers and proceeded to harden its security software. Then RSA took its most important action influenced by the APT attack: it launched its Advanced Cyber Defense (ACD) Services, which provide incident response and breach readiness services designed to rapidly assist an organization during an incident or breach, as well as implement new preventative measures to minimize the risk of a successful attack (“EMC Press Release”). Finally, a test was conducted of the most advanced attack, a new side-channel attack on RSA prime generation (Finke, Gebhardt, Schindler); the probability of success was only 10-15 percent.
BIBLIOGRAPHY

Pan, Ming-Chieh and Tsai, Sung-Ting. (August 2011). Weapons of Targeted Attack. Black Hat presentation. Retrieved from: https://media.blackhat.com/bh-us-11/Tsai/BH_US_11_TsaiPan_Weapons_Targeted_Attack_Slides.pdf

Kemshall, Andy. (22 May 2012). Analyzing the RSA Security Breach. Tmcnet.com. Retrieved from: http://www.tmcnet.com/voip/departments/articles/291353-analyzing-rsa-security-breach.htm

Zetter, Kim. (26 August 2011). Researchers Uncover RSA Phishing Attack, Hiding In Plain Sight. Wired. Retrieved from: http://www.wired.com/threatlevel/2011/08/how-rsa-got-hacked/

Anatomy of an Attack. (1 April 2011). RSA FraudAction Research Labs blog post. Retrieved from: https://blogs.rsa.com/anatomy-of-an-attack/ (accessed 2/10/14)

Keiser, Gregg. (14 March 2011). Hackers exploit Flash zero-day, Adobe confirms. Computerworld.com. Retrieved from: http://www.computerworld.com/s/article/9214521/Hackers_exploit_Flash_zero_day_Adobe_confirms

Higgins, Kelly Jackson. (12 February 2013). How Lockheed Martin’s ‘Kill Chain’ Stopped SecurID Attack. Darkreading.com. Retrieved from: http://www.darkreading.com/attacks-breaches/how-lockheed-martins-kill-chain-stopped/240148399

RSA Launches Incident Response and Breach Readiness Services to Help Customers Turn the Tide on Advanced Threats. (19 September 2012). EMC Press Release. Retrieved from: http://www.emc.com/about/news/press/2012/20120919-01.htm

Finke, Thomas, Gebhardt, Max, and Schindler, Werner. (1 September 2009). A New Side-Channel Attack on RSA Prime Generation. Iacr.org. Retrieved from: http://www.iacr.org/archive/ches2009/57470141/57470141.pdf
