RSA Security Anatomy of an Attack Lessons learned

Transcription

1 RSA Security Anatomy of an Attack Lessons learned Malcolm Dundas Account Executive John Hurley Senior Technology Consultant 1

2 Agenda Advanced Enterprise/ Threats The RSA Breach A chronology of the attack Security Analytics Incident Response and Governance Q & A 2

3 IN 2011 THE DIGITAL UNIVERSE WILL SURPASS 1.8 ZETTABYTES 1,800,000,000,000,000,000,000 3

4 $ 4

5 5

6 The RSA Attack On March 17 th, RSA disclosed it was the target of an Advanced Persistent Threat (APT) Communicated that certain information related to RSA SecurID was extracted during the attack Provided Best Practices guidance and prioritized remediation steps On June 6 th, RSA issued an open letter to customers Shared that the perpetrator's most likely motive was to obtain an element of security information that could be used to target defense secrets and related IP, rather than financial gain, PII, or public embarrassment. Confirmed that information taken from RSA was used as an element in an attempted broader attack against Lockheed Martin Reinforced that the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology 6

7 The Initial Vector in the RSA Attack 1 2 Phishing s Some clues about the lead us to believe that this was from some slightly dated research on employees 2 Launch Zero-day One user opened attachment (an Excel spreadsheet) which launches a flash zero-day 3 Attacker gains access to other machines Zero-day exploit installs backdoor (Poison Ivy Rat Variant) which enables extraction of memory resident password hashes X X X X X 7

8 Reducing Attacker Free Time Attacker Surveillanc e Target Analysis Access Probe Attack Setup System Intrusion Attack Begins Discovery/ Persistenc e Cover-up Starts Leap Frog Attacks Complete Cover-up Complete Maintain foothold TIME ATTACKER FREE TIME TIME Physical Security Threat Analysi s Defender Discovery Attack Forecast Monitoring & Controls Attack Identified Source: NERC HILF Report, June 2010 ( Containme nt & Eradication Incident Reportin g Impact Analysi s Damage Identificati on System Reactio n Respons e Recover y 8

9 From Compromise to Exfiltration 4 Attacker initiates separate network using credentials obtained from steps Attacker moves laterally through organization, heavily using escalation of privileges, to systems containing disparate information that when combined allowed compromise of RSA SecurID-related information ATTACKER 6 Attacker removes data and stages it on a file share within the network 7 Files are encrypted and attacker tries to ex-filtrate to several servers before finding a successful destination. External Server 9

10 Shift in spending 10

11 Asset Criticality Intelligence RSA ACI Asset Intelligence IT Info Biz Context RSA Archer IP Address Criticality Rating Business Unit Facility Asset List Device Owner Device Type Business Owner Device Content Business Unit Criticality Rating RSA NetWitness CMDBs Vuln. Scans Biz Process RPO / RTO Security analysts now have asset intelligence and business context to better analyze and prioritize alerts. 11

12 EMC SOC vs. CIRC SOC = Security Operations Center Level 1 adds, moves and changes, security questions, device health, etc. CIRC = Critical Incident Response Center Manage security incidents, investigate suspicious behavior, vulnerability analysis, malware analysis, threat management, etc. 12

13 RSA Critical Incident Response Team detects file transfer activity DLP Network detects a transfer of encrypted file over FTP protocol 13

14 Alert Critical Incident Response Team RSA SIEM generates alert from two correlated events 1.Successful RDP connection to critical server 2.DLP activity on the same server 14

15 Incident escalation to Security Management Dashboard RSA SIEM alerts sent to RSA egrc platform RSA egrc links this incident with business context and prioritize it as HIGH priority 15

16 Advanced Network Forensics Instant integration from RSA egrc web interface to RSA NetWitness with two clicks SIEMLink transparently retrieves full session detail from RSA NetWitness 16

17 Situation Aware Analysis Context of all network activities to/from critical server Confirm John s machine ( ) as source of RDP session 17

18 Situation Aware Analysis Drill into all network sessions from John s machine Small executable file Transfer over HTTP Suspicious filename & extension Malware?!? Suspicious domain name 18

19 Automated Malware Analysis RSA NetWitness instantly provides detailed analysis of the file in question 19

20 Only Security Analytics can tell you the impact of the attack Attack Step Traditional SIEM RSA SA Alert for RDP tunneled over non-standard port Recreate activity of suspect IP address across environment Show user activity across AD and VPN Alert for different credentials used for AD and VPN Reconstruct exfiltrated data No No Yes Yes No Yes Yes Yes Yes Yes 20

21 RSA Methodology: Ripping away the hay with automated queries Start with all network traffic and logs SHOW ME all downloads of executable content (pdf, doc, exe, xls, jar etc) SHOW ME files where file type does not match extension ALERT ME for sessions to/from critical assets 21

22 Security Practices Critical Checklist Business Risk Assessment Identify most critical systems; ensure they are given the highest priorities for all hardening and monitoring activities Active Directory Hardening Minimize number of admins Monitoring and alerting (Windows Event ID #566) Two factor admin access from hardened VDI platform Executable whitelisting on hardened DCs Disable default account and rename key accounts Complex passwords (9 & 15 Char) Service Accounts Review accounts for privilege creep Change passwords frequently Do not embed credentials into scripts Minimize interactive login Restrict login only from required hosts User Education Increase security training for IT Launch security improvement initiative Regular education of users on phishing attacks Regular education on social engineering Increase mail filtering controls Infrastructure & Logging Full and detailed logging & analysis Tighten VPN controls Increase controls on crypto keys Full packet capture at strategic network locations Network segmentation Team trained and focused on APT activity Web Access Block access to high risk and web filter categories Click through on medium risk websites Black hole dynamic DNS domains Authenticated internet access DNS traffic analysis User Machine Hardening Limit local admin and randomize PW- change often Increase patching regime Enable security controls in applications Deep visibility to identify lateral movement Limit use of non-authorized and approved software Copyright 2011 EMC Corporation. All rights reserved. 22

23 5 Forward-leaning Practices Anti-social engineering (anti-vishing, etc.) Zero-day malware detection Deeper analysis and responsiveness to network traffic Adaptive authentication and two factor Proactive web application security Copyright 2011 EMC Corporation. All rights reserved. 23

24 Disintegration of Perimeter Controls Focus on the critical assets Context based security analytics fused with threat intelligence 24

25