Earlier today I had the opportunity to read a blog post by Uri Rivner, the Head of the Security Division of EMC. While the investigation into the RSA/EMCcompromise is still ongoing, Mr. Rivner presents a very good summary of what they do know.
Some of the facts as written by Mr. Rivner:
The first part of the attack was a spear-phishing attempt aimed at non-high-profile targets. The information on the targets was most likely mined from social networking sites. All it took was one of the targeted employees who was tricked into opening an attached Excel spreadsheet.
The Excel spreadsheet contained a zero-day exploit targeting an Adobe Flash vulnerability.
The exploit added a backdoor. and installed a remote administration program.
The malware then captured credentials for user accounts in order to compromise higher value targets.
In my experience this is typical sequence of events for an APT attack. There is very little in this attack that is particularly sophisticated. The big question is what are the defenses that would have prevented or reduced the impact of this attack?
Obviously the first is user education. It is extremely difficult to educate your employees to prevent this sort of targeted spear-phishing attack, but we need to try. The more users who know how to analyze an email to test its legitimacy the less likely an attack like this will succeed.
The bigger one as Mr. Rivner alludes in this blog post is to come up with a new defense paradigm. The traditional paradigm of a well protected perimeter with a soft inside should be dead. There are just too many ways to circumvent the perimeter, spear phishing being just one.
The thing is I don't think this new paradigm is so new. Many have been advocating for years moving the prevention and detection closer to the data. There are a lot of approaches that can be used here, but in my mind it begins with segregating servers from the desktop LAN and controlling access to these protected enclaves as thoroughly or better as we do our perimeters today. It means classifying your data and installing protection and detection technologies appropriate to the sensitivity of the data. It means installing and tuning Data Loss Prevention (DLP)technologies to detect when your sensitive data is leaving your company. It means instrumenting company LANs and WANs so a network baseline can be determined and deviations from this baseline be detected and investigated.
Obviously this is only a partial list of the possible strategies. What else would you like to see done in your organization to help prevent this type of attack?
-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.