Despite the surfeit of security technologies it develops to detect fraud and malicious activity on networks in real time, security firm RSA was apparently unable to detect a targeted phishing attack last month before attackers exfiltrated information related to the company’s SecurID authentication products. More than two weeks after informing its channel and customer base about the incident, which put SecurID deployments at risk, RSA, the security division of EMC, finally disclosed in an analyst briefing and a blog post late on Friday some details of how the company was compromised. The disclosure foreshadowed today’s announcement that EMC is acquiring forensics firm NetWitness, which provided the tools that detected the breach.
According to Uri Rivner, head of new technologies and consumer identity protection at RSA, the attacker struck by sending two specially crafted phishing emails over a two-day period to two small groups of employees who, Rivner said, were not necessarily high-value targets.
"The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached Excel file," Rivner explained. "It was a spreadsheet titled ‘2011 Recruitment plan.xls.’ The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability."
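The attachment described above worked by carrying a Flash object inside an Excel file. As an added example, not code from RSA, NetWitness or the article's author, the following Python scanner flags Office documents that embed a Flash (SWF) object at all, which is a simple mail-gateway or triage check a spreadsheet titled "Recruitment plan" should never trip. It handles legacy OLE2 files (.xls, .doc) with a raw byte scan and OOXML zips (.xlsx, .docx) member by member, and validates the SWF header fields so that a stray "FWS" in ordinary text is not reported. The version bound, the synthetic file layouts and the sample documents are constructed for this example; it flags any embedded Flash, not the specific zero-day, which the article does not identify.

```python
"""Added example (not RSA's or NetWitness's code): flag Office documents that carry an
embedded Flash (SWF) object. All sample inputs built below are constructed."""
import io
import struct
import zipfile
import zlib

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib-compressed, LZMA-compressed SWF
MAX_SWF_VERSION = 40                     # assumed sanity bound; real SWF versions sit well below it
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ZIP_MAGIC = b"PK\x03\x04"


def find_swf_headers(data: bytes):
    """Return plausible SWF headers in data as (offset, magic, version, uncompressed_length)."""
    hits = []
    for magic in SWF_MAGICS:
        idx = data.find(magic)
        while idx >= 0:
            if idx + 8 <= len(data):                       # 3-byte magic, version byte, LE32 length
                version = data[idx + 3]
                length = struct.unpack_from("<I", data, idx + 4)[0]
                plausible = 1 <= version <= MAX_SWF_VERSION and length >= 8
                if magic == b"CWS":
                    # a zlib stream follows the 8-byte header; its first byte is 0x78 (deflate, 32K window)
                    plausible = plausible and idx + 8 < len(data) and data[idx + 8] == 0x78
                if plausible:
                    hits.append((idx, magic.decode("ascii"), version, length))
            idx = data.find(magic, idx + 1)
    return hits


def scan_document(data: bytes):
    """Scan an OLE2 (.xls/.doc) or OOXML (.xlsx/.docx) document; returns {location: hits}."""
    findings = {}
    if data.startswith(ZIP_MAGIC):
        # OOXML is a zip; embedded objects live in members such as xl/embeddings/oleObject1.bin,
        # so each member is decompressed and scanned separately
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                hits = find_swf_headers(zf.read(name))
                if hits:
                    findings[name] = hits
    else:
        # OLE2 streams are stored in 512-byte sectors, so an 8-byte header is almost always
        # contiguous in the raw file; a byte scan is sufficient for triage
        hits = find_swf_headers(data)
        if hits:
            findings["<stream data>"] = hits
    return findings


def build_samples():
    """Constructed inputs: a benign .xls whose text happens to contain 'FWS', a .xls with an
    embedded zlib-compressed SWF, and a .xlsx carrying the same SWF in an embedded-object member."""
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 4096) + zlib.compress(b"\x00" * 64)
    benign_xls = OLE2_MAGIC + b"\x00" * 504 + b"Recruitment plan text mentioning FWS\x9a\x00\x00\x00\x00"
    malicious_xls = OLE2_MAGIC + b"\x00" * 504 + b"\x00" * 256 + swf + b"\x00" * 128
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/embeddings/oleObject1.bin", OLE2_MAGIC + b"\x00" * 64 + swf)
    return benign_xls, malicious_xls, buf.getvalue()


if __name__ == "__main__":
    for label, doc in zip(("benign.xls", "malicious.xls", "malicious.xlsx"), build_samples()):
        print(label, scan_document(doc) or "clean")
```

At a mail gateway the call would run over each attachment and quarantine anything with findings; the check is deliberately content-based rather than name-based, because the lure filename is chosen by the attacker and tells you nothing.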
From there, the attacker installed a remote-administration tool on the infected machine and began digging deeper into the network. RSA gave NetWitness a great deal of credit on Friday for providing the tools critical to the detection. That praise, and perhaps the description of the attack details, may have been a calculated lead-in to the announcement of EMC’s decision to acquire NetWitness and merge it with RSA. The announcement went over the wire this morning, but EMC says the deal closed on Friday.
Commenting on the breach details following the analyst briefing on Friday, Gartner analyst Avivah Litan says that RSA’s quick disclosure of the breach is commendable as was its spotting of the threat that struck the company. However, she believes RSA should have been able to use the tools and techniques it sells to customers to discover the threat before it stole information.
"(The people at) RSA (didn’t) eat their own dog food. RSA sells its own fraud detection systems based on user and account profiling which use statistical Bayesian models, and rules, to spot abnormal behavior and intervene in real time to re-authenticate users and verify the authenticity of suspect access, behavior, or transactions," Litan explains. "They should have applied these techniques to their own internal systems. They need to stay innovative and apply the lessons learned from serving their clients to their own internal enterprise systems. The old adage rings true – the shoemaker’s children have no shoes."
While RSA has made a step towards better transparency about how it was struck, the firm has still not disclosed the details for which many customers and channel partners have been clamoring: information about what exactly was stolen. At the moment, the industry is still left speculating about how much of the SecurID infrastructure intel is floating around.