RSA SecurID Breach Overview and Prevention Strategies

This attack targeted RSA Security, an American computer and network security company that was at the time a division of EMC Corp. The attackers' goal was to obtain data related to RSA's SecurID two-factor authentication product. So what does SecurID do? "SecurID adds a double layer of protection to a login process. The authentication mechanism consists of a token, either hardware or software, issued to every computer user, which generates an authentication code at fixed intervals, usually 60 seconds".[1]
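The mechanism described above is what made the stolen data valuable: the authentication server and each token share a per-token secret seed, and the displayed code is a function of that seed and the current time interval. The following is an added example, not RSA's code: SecurID's actual algorithm is proprietary, so RFC 6238 TOTP (HMAC-SHA1) with a 60-second step stands in for it, and the token serial number and seed are constructed values. It shows that whoever holds a copy of the seed database can compute exactly the code the legitimate token shows, which is why stolen seed records could later be used against RSA's customers.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the page describes a code that changes every 60 seconds
DIGITS = 6


def token_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code a token displays at unix_time given its seed (RFC 6238 TOTP, HMAC-SHA1).

    SecurID's real algorithm is proprietary; TOTP stands in for it here because it
    has the same shape: secret seed + current time step -> short numeric code.
    """
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def server_verify(seed: bytes, unix_time: int, submitted: str, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or +/- `window` steps
    to tolerate clock drift, comparing in constant time."""
    for drift in range(-window, window + 1):
        expected = token_code(seed, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Constructed token record of the kind an authentication server stores
# (token serial -> seed). Illustrative only; not a real SecurID seed file format.
TOKEN_DB = {"000123456789": b"12345678901234567890"}


def attacker_code(stolen_db: dict, serial: str, unix_time: int) -> str:
    """With a copy of the seed database, the attacker computes exactly the code
    that the victim's token shows, with no access to the physical token."""
    return token_code(stolen_db[serial], unix_time)


if __name__ == "__main__":
    now = 1_300_000_000                      # fixed timestamp so the run is reproducible
    seed = TOKEN_DB["000123456789"]
    legit = token_code(seed, now)
    forged = attacker_code(TOKEN_DB, "000123456789", now)
    print("token shows:", legit, "| attacker computes:", forged,
          "| server accepts forged code:", server_verify(seed, now, forged))
```

In SecurID deployments the displayed code is combined with a user PIN, so the seed alone does not complete a login; it does, however, reduce the second factor to a short PIN, which is why the remedy was to replace tokens (new seeds) rather than to have users change anything on their side.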


The attack began with a social engineering (phishing) email sent to two small groups of employees at the parent company, EMC. The recipients were not high-profile targets such as executives or IT administrators. The phishing email carried a malicious Microsoft Excel spreadsheet attachment titled "2011 Recruitment Plan". "The spoofed e-mail sent by hackers appeared to come from a "web master" at Beyond.com, a job-seeking and recruiting site".[2] The spoofed email landed in the junk folder, but unfortunately for RSA one of the employees retrieved it and opened the attachment. The spreadsheet contained an embedded Flash object that exploited a then-unpatched (zero-day) vulnerability in Adobe Flash Player (CVE-2011-0609) to drop a second malicious file: a backdoor known as Poison Ivy, a remote administration tool (RAT). Many Poison Ivy samples copy themselves into an NTFS Alternate Data Stream to evade detection. The RAT connected out to a remote command and control server, giving the attackers a foothold from which to traverse RSA's sensitive systems.


Once inside, the attackers identified users with higher administrative privileges and moved laterally through the network towards them. They harvested credentials and escalated privileges on server administrators' accounts in order to take data from the servers of interest. "The password-protected RAR files were transferred through FTP (including the key data, reportedly around 40 million user SecurID tokens) to an external compromised host server, and the files were then extracted from there and removed to avoid leaving traces of the attack". [3] The stolen information was suspected to have been used in later attacks on two US defense contractors, Lockheed Martin Corporation and L-3 Communications.

Such attacks are called "Advanced Persistent Threats" (APT). An APT actor gathers information about the target's network, its employees and their roles, company operations and so on, before and during the intrusion. The abnormal user behaviour was detected by RSA's NetWitness network monitoring system, but RSA did not have a response process lined up to stop the attack. The scale of the breach is evident from RSA's response: it offered replacement tokens to the roughly one-third of its customers using SecurID to protect corporate networks, additional security monitoring to the two-thirds using SecurID for web-based financial transactions, and later improved its own security software.

Identification and Description of Victims:

In the RSA SecurID breach there were four victims: the small group of targeted employees, the company itself, and two of its customer companies.

First victim: The first victims of the breach were the small groups of employees at the company. One of them opened the phishing email with the attached Excel file containing the malware, which exploited a vulnerability in Adobe Flash.

Second victim: The main victim is the company RSA. The breach cost it $66.3 million. RSA is an American computer and network security company, owned by EMC at the time of the breach and now part of Dell EMC.

Third victim: The information stolen by the attackers was used against Lockheed Martin. Lockheed Martin Corporation is an aerospace, defense and security technology company. The attackers tried to break into its network using the data on the SecurID tokens that RSA had issued to the company.

Fourth victim: The defense contractor L-3 Communications became another victim of the RSA SecurID hack. L-3 Communications was targeted with penetration attempts leveraging the compromised information.

Identification and Description of Social Engineering Component and Mitigation Plan:

Social Engineering: "The practice of deceiving someone, either in person, over the phone, or using a computer, with the express intent of breaching some level of security, either personal or professional".[4]

The social engineering component in the RSA SecurID breach was a spear phishing email.

Spear Phishing: "It is the act of creating and using e-mails designed to look like those of well-known legitimate businesses, financial institutions, and government agencies to deceive Internet users in an attempt to scam the user into surrendering private information that will be used for identity theft". [5] In spear phishing the target is already selected and studied by the attacker before the attack is launched.

The emails were sent to two small groups of employees of the company. One of the employees retrieved the email from the junk folder and opened it.

The email carried an attachment titled "2011 Recruitment Plan". It was a Microsoft Excel file containing an embedded Flash object that exploited an Adobe Flash zero-day vulnerability. In this way the attackers got inside the network and carried out privilege escalation to gain access to RSA's SecurID data. Such attacks are also called "Advanced Persistent Threats" (APT).

The victims of this spear phishing campaign were the employees who opened the email, even though it was in the junk folder, out of curiosity to see the recruitment plan. The attackers exploited the human trait of curiosity, and that is what got them inside the network of such a large security company.

New phishing scams are reported constantly, so it is better to learn about them before falling for one. Recognising a scam early lowers the risk of becoming a victim. In our case, what if RSA's employees had been better informed and trained about such scams? They might not have retrieved the mail from the junk folder, and the breach could have been prevented. So keep yourself informed and educated about phishing (social engineering) techniques.

Opening links and attachments without checking is not a good move; although an email may claim to come from a legitimate person or organisation, it does not always. That is exactly what the employee did: he opened the Excel file before making sure it was genuine. "Think before you open or click" is a simple prevention rule.

It is also recommended to enable phishing protection in every browser, whether a built-in safe-browsing feature or an anti-phishing toolbar. These check the websites you visit against lists of known phishing sites. Keep the browser, and plug-ins such as Flash, up to date: patching would not have stopped a true zero-day before Adobe released the fix, but it closes the window for every flaw that is already known.

RSA could also rely on a well-configured firewall as a barrier between its computers and the attacker. A good network firewall is a must, and every computer should run antivirus software. One caveat a practitioner would add: a perimeter firewall alone would not have stopped this attack, because the malicious file arrived by email and the malware made outbound connections to its command and control server; egress filtering (blocking outbound FTP and unknown external connections from internal servers) and endpoint anti-malware that inspects attachments before they are opened would have been more relevant. What if the recruitment spreadsheet had been flagged as malicious by the antivirus software? The breach could have been stopped at that point.
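As an added example of the attachment check the paragraph above wishes for (not RSA's or any antivirus vendor's code), the scanner below flags legacy Office files that carry an embedded Flash object by looking for the SWF header (an FWS/CWS/ZWS signature, a version byte and a little-endian length). The OLE2 header constant is the real one; the sample spreadsheet is constructed inline, and the version and size limits are assumed heuristics.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # real header of legacy .xls/.doc (OLE2) files
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")          # uncompressed, zlib-compressed, LZMA-compressed SWF
MAX_PLAUSIBLE_VERSION = 50                          # assumed heuristic: Flash versions were around 10 in 2011
MAX_PLAUSIBLE_LENGTH = 64 * 1024 * 1024             # assumed heuristic: cap on the declared SWF size


def find_embedded_swf(data: bytes):
    """Return (offset, signature, version, declared_length) for each plausible SWF header.

    An SWF header is a 3-byte signature, a 1-byte version and a 4-byte little-endian
    length of the whole (uncompressed) file. The version/length sanity checks cut
    down false positives from random 'FWS'/'CWS'/'ZWS' byte runs.
    """
    hits = []
    for sig in SWF_SIGNATURES:
        start = 0
        while True:
            i = data.find(sig, start)
            if i < 0 or i + 8 > len(data):
                break
            version = data[i + 3]
            length = struct.unpack_from("<I", data, i + 4)[0]
            if 1 <= version <= MAX_PLAUSIBLE_VERSION and 8 <= length <= MAX_PLAUSIBLE_LENGTH:
                hits.append((i, sig.decode("ascii"), version, length))
            start = i + 1
    return sorted(hits)


def classify_attachment(filename: str, data: bytes) -> str:
    """Verdict for a mail gateway or endpoint scanner: block Office files carrying Flash."""
    looks_like_office = data.startswith(OLE_MAGIC) or filename.lower().endswith((".xls", ".doc"))
    if looks_like_office and find_embedded_swf(data):
        return "block: Office document with embedded Flash object"
    return "allow"


def build_sample_xls_with_swf() -> bytes:
    """Constructed test input: an OLE2 header, one sector of padding, then an
    uncompressed SWF (FWS, version 10) with a minimal frame header and padding."""
    swf_body = (b"\x78\x00\x05\x5F\x00\x00\x0F\xA0\x00"   # RECT frame size (constructed)
                + b"\x00\x0C\x01\x00"                      # frame rate / frame count (constructed)
                + b"\x00" * 40)
    swf_length = 8 + len(swf_body)                          # 8-byte header + body
    swf = b"FWS" + bytes([10]) + struct.pack("<I", swf_length) + swf_body
    return OLE_MAGIC + b"\x00" * 504 + swf


if __name__ == "__main__":
    sample = build_sample_xls_with_swf()
    print(find_embedded_swf(sample))
    print(classify_attachment("2011 Recruitment Plan.xls", sample))
    print(classify_attachment("budget.xls", OLE_MAGIC + b"\x00" * 512))
```

This is a heuristic, not a substitute for a real scanning engine: it would miss a SWF stored inside a zip-based .xlsx unless the archive is unpacked first, and an attacker can obfuscate the container. Blocking any Office document that carries Flash at all, however, was a cheap policy with very few legitimate exceptions.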

Many websites and cybersecurity professionals have noted that RSA at some point realised someone was in its network, but it did not have a response plan to stop the intrusion, or rather did not have a procedure that made the plan work. To mitigate an attack after it has begun, every organisation needs an incident response team with a rehearsed plan to limit the damage. If an attack is detected while it is in progress, it is better to start containing it immediately to reduce data and financial loss.

Timeline of the attack:

Shortly after 28 February 2011, the attacker sent spear phishing emails with an attached Excel spreadsheet carrying the Flash zero-day exploit and the Poison Ivy RAT.

The attacker sent two emails over a two-day period, until one of the employees opened the attachment.

After entering the RSA network, the attacker learned which privileged users had access to sensitive information, stole their credentials and moved deeper into the network.

The attackers then went to the server of interest, removed data related to SecurID and moved it to an internal staging server, where the data was aggregated, compressed and encrypted for extraction.

All this password-protected data was sent over FTP to an external compromised machine at a hosting provider, and the files were later deleted from that host to remove traces of the attack.

RSA detected the attack, investigated it and reported its findings to EMC executives.

RSA publicly disclosed the breach on 17 March 2011. On 6 June 2011, after the attack on Lockheed Martin, it informed customers that it would replace the old tokens with new ones.

 

Description of attack technique:

 

 

(Figure from source [6] not reproduced.)

As shown in the figure (from [6]), two phishing emails were sent to low-level employees. The email landed in the junk folder; one employee retrieved it and opened the attached Excel spreadsheet, which carried an Adobe Flash zero-day exploit. The exploit installed a backdoor called Poison Ivy, a remote access tool (RAT) for remotely controlling the infected system. The RAT connected out to a command and control server run by the attackers, giving them access to the infected machine, from which they could reach the systems and data they were after.

(Figure from source [7] not reproduced.)

As shown in the figure (from [7]), the attackers stole user credentials from RSA employees and moved through the organisation by escalating privileges until they reached the targeted systems. They established access to staging servers, entered the server of interest, removed data and moved it to an internal staging server. They used FTP to transfer password-protected RAR files to an external machine. The files were then pulled by the attacker and deleted from the external compromised host to remove traces of the attack.[8]
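The exfiltration stage described above (an internal staging server pushing password-protected archives to an external host over FTP) is exactly the kind of activity a network monitoring system such as NetWitness can surface, provided someone acts on the alert. The added example below is not RSA's or NetWitness's code. It runs two simple detections over constructed flow-log lines: any file-transfer-port connection from an assumed server segment (10.20.9.0/24) to a non-internal address, and any source/destination pair whose cumulative outbound volume crosses an assumed 100 MB threshold. The IP ranges, ports, timestamps and byte counts are all constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow log: timestamp src dst dst_port bytes_out
# (addresses from private and RFC 5737 documentation ranges; not real RSA traffic)
SAMPLE_FLOWS = """\
2011-03-03T02:14:05Z 10.20.5.17 10.20.9.4 445 183400
2011-03-03T02:31:40Z 10.20.9.4 203.0.113.25 21 524288000
2011-03-03T02:40:12Z 10.20.9.4 203.0.113.25 21 734003200
2011-03-03T09:05:00Z 10.20.7.31 198.51.100.8 443 12800
2011-03-03T09:06:10Z 10.20.7.31 198.51.100.8 443 9600
"""

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]            # assumed corporate address space
SERVER_SEGMENT = ipaddress.ip_network("10.20.9.0/24")      # assumed: file/staging servers live here
FILE_TRANSFER_PORTS = {21, 22, 989, 990}                   # FTP, SFTP/SCP, FTPS
VOLUME_THRESHOLD = 100 * 1024 * 1024                       # assumed: 100 MB per (src, dst) pair


def parse_flow(line: str):
    ts, src, dst, port, nbytes = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes)


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL)


def detect_exfil(log_text: str, threshold: int = VOLUME_THRESHOLD):
    """Two detections over outbound flows:
    1. a server-segment host talking to an external address on a file-transfer port
       (internal servers should never initiate FTP/SFTP sessions to the Internet);
    2. cumulative outbound bytes for any (src, dst) pair at or above `threshold`.
    Returns a list of (rule, src, dst, detail) tuples."""
    alerts = []
    volume = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = parse_flow(line)
        if is_internal(dst):
            continue                                  # east-west traffic is out of scope here
        if src in SERVER_SEGMENT and port in FILE_TRANSFER_PORTS:
            alerts.append(("server-external-file-transfer", str(src), str(dst), f"{ts} port {port}"))
        volume[(str(src), str(dst))] += nbytes
    for (src, dst), total in volume.items():
        if total >= threshold:
            alerts.append(("outbound-volume", src, dst, f"{total} bytes"))
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_FLOWS):
        print(alert)
```

The first rule is the one worth pairing with an egress policy: if internal servers are denied outbound FTP at the firewall, a flow on port 21 from the server segment is both blocked and a high-confidence alert. The volume rule catches the same exfiltration if the attacker switches to an allowed port such as 443.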

Identification and Description of Loss:

 

Around $66 million in losses to the parent company EMC, covering remediation, investigation, hardening of IT systems and monitoring of corporate customers' transactions.

Authentication-related marketing and sales stopped for six months while the company focused on remediating authenticators.

Some customers were lost permanently, because they no longer trusted the company.

Other companies were attacked: Lockheed Martin's systems became the target of a cyber attack in which the attackers leveraged the compromised SecurID token data used for VPN access. The company shut down affected computer systems, re-issued tokens to many of its employees and reset passwords for more than 120,000 workers.

L-3 Communications also reported breaches connected to SecurID tokens.

RSA provides security systems and, in particular, sells fraud detection products that profile user behaviour to spot anomalies and intervene in real time, re-authenticating the user and verifying suspicious access, behaviour or transactions. It should have applied these same techniques to its own systems to protect against such attacks.

Moreover, good governance and management of detection, diagnosis and remediation during and after an attack should be a priority for the company.

Works cited:

Anon. RSA SecurID breach began with spear phishing attack. SearchSecurity. Retrieved November 4, 2018, from https://searchsecurity.techtarget.com/news/1529523/RSA-SecurID-breach-began-with-spear-phishing-attack

Kim Zetter. 2011. Researchers Uncover RSA Phishing Attack, Hiding in Plain Sight. Wired (August 2011). Retrieved November 4, 2018, from https://www.wired.com/2011/08/how-rsa-got-hacked/

Kunal Sharma. 2016. Case Study of RSA Data Breach. (March 2016). Retrieved November 4, 2018, from https://www.slideshare.net/KunalSharma204/case-study-of-rsa-data-breach

RSA SecureID Attack Began With Excel File Rigged With Flash Zero-Day. Dark Reading. (n.d.). Retrieved from https://www.darkreading.com/attacks-breaches/rsa-secureid-attack-began-with-excel-file-rigged-with-flash-zero-day/d/d-id/1135501

Wood, T. (n.d.). RSA After the Attack, Part 1 (PDF). ISACA Charlotte Chapter. Retrieved from https://www.isaca.org/chapters3/Charlotte/Events/Documents/Event Presentations/06162014/RSA After the Attack – Part 1.pdf

[1] Kim Zetter. 2011. Researchers Uncover RSA Phishing Attack, Hiding in Plain Sight. Wired (August 2011).

[2] Kim Zetter. 2011. Researchers Uncover RSA Phishing Attack, Hiding in Plain Sight. Wired (August 2011).

[3] Kunal Sharma. 2016. Case Study of RSA Data Breach. (March 2016)

[4] Definition from Web

[5] Definition from Web

[6] Wood, T. (n.d.). RSA After the Attack, Part 1 (PDF).

[7] Wood, T. (n.d.). RSA After the Attack, Part 1 (PDF).

[8] RSA SecureID Attack Began With Excel File Rigged With Flash Zero-Day
 
