RSA SecurID attack details unveiled – lessons learned

By Avivah Litan | April 01, 2011

RSA had a conference call today with various analysts to discuss more details of the attack, and how they are communicating the after-effects to and with their customers.

RSA said the attack started with phishing emails sent to small groups of low-profile RSA users (presumably employees). The emails were surreptitiously titled “2011 Recruitment Plan” and landed in the users’ email Junk folders. (At least RSA’s spam filters were working, even if its social engineering training for employees was not.)

Attached to the mysterious email was an Excel spreadsheet carrying an exploit for the recently discovered Adobe Flash zero-day flaw CVE-2011-0609. With the trojan downloaded, the attackers then started harvesting credentials and made their way up the RSA food chain via both IT and non-IT personnel accounts, until they finally obtained privileged access to the targeted system. The targeted data and files were stolen and sent to an external compromised machine at a hosting provider. RSA saw the attack, using its implementation of NetWitness, and stopped the attack before more damage could be done.

RSA came clean and told its customers immediately about the attack (which is something other companies have not done) and should be credited for handling a bad situation as well as it can.

The irony though with RSA is that they don’t eat their own dog food. In other words, they relied on yesterday’s best of breed tools to prevent and detect the attack. They gave a lot of credit to NetWitness for helping them find the attack in real time but they obviously weren’t able to stop the attack in real time, which means the signals and scores weren’t high enough to cause a person to shut down the attack in real time.

RSA sells its own fraud detection systems based on user and account profiling which use statistical Bayesian models, and rules, to spot abnormal behavior and intervene in real time to re-authenticate users and verify the authenticity of suspect access, behavior, or transactions. (RSA appears in the leaders quadrant of Gartner’s 2010 Web Fraud Detection Magic Quadrant). They should have applied these techniques to their own internal systems. They need to stay innovative and apply the lessons learned from serving their clients to their own internal enterprise systems.
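An illustration of the profiling-plus-rules approach described above, added here as an example; it is not RSA's product logic or code from the original post. The Gamma-Poisson model, the thresholds, the user names and the record counts are all assumptions chosen for illustration.

```python
import math

# Assumed tuning values for this example; a real deployment would calibrate them.
PRIOR_ALPHA, PRIOR_BETA = 1.0, 0.1   # weak Gamma prior on a user's hourly record rate
TAIL_THRESHOLD = 1e-3                # model: step-up auth below this probability
HARD_CAP = 5000                      # rule: block any hourly pull above this

def predictive_tail(k, alpha, beta):
    """P(X >= k) under the Gamma-Poisson (negative binomial) posterior predictive."""
    p = beta / (beta + 1.0)
    log_p, log_q = math.log(p), math.log1p(-p)
    cdf = 0.0
    for j in range(k):
        cdf += math.exp(math.lgamma(j + alpha) - math.lgamma(j + 1)
                        - math.lgamma(alpha) + alpha * log_p + j * log_q)
    return max(0.0, 1.0 - cdf)

def decide(history, observed):
    """history: the user's past hourly record counts; observed: this hour's count."""
    if observed > HARD_CAP:
        return "block"
    alpha = PRIOR_ALPHA + sum(history)   # posterior shape
    beta = PRIOR_BETA + len(history)     # posterior rate
    if predictive_tail(observed, alpha, beta) < TAIL_THRESHOLD:
        return "reauthenticate"
    return "allow"

def run(events, profiles):
    """Score (user, count) events; only allowed traffic updates the baseline,
    so a flagged extract cannot teach the model that it is normal."""
    results = []
    for user, count in events:
        history = profiles.setdefault(user, [])
        verdict = decide(history, count)
        if verdict == "allow":
            history.append(count)
        results.append((user, count, verdict))
    return results

# Constructed sample data (hypothetical users and counts, not from the incident).
PROFILES = {"hr_clerk": [18, 22, 25, 19, 21, 20, 23, 17],
            "dba_admin": [820, 910, 880, 950, 870]}
EVENTS = [("hr_clerk", 24), ("dba_admin", 900), ("hr_clerk", 900),
          ("new_hire", 40), ("dba_admin", 6000)]

if __name__ == "__main__":
    for user, count, verdict in run(EVENTS, {u: list(h) for u, h in PROFILES.items()}):
        print(f"{user:10} {count:5} -> {verdict}")
```

The same 900-record pull is allowed for the account whose baseline is near that volume and sent to re-authentication for the account that normally retrieves about 20 records an hour. An account with no history is judged only against the weak prior.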

Perhaps this will shake them up so that they start moving a lot faster, like some of the small agile startups they acquired in the past. They need to make it possible for the innovation to bubble up quickly into products and services that they not only sell and implement at customer sites, but that they use themselves internally.

I’m sure they are not the only company where this phenomenon is true. The old adage rings true – the shoemaker’s children have no shoes.

15 Comments

  • Jon Waters says:

    If you take a look at how poor some of their products actually are, such as the EnVision product, I’m surprised they catch anyone at all.

  • Jason Smith says:

    I can’t believe this blog is written by Gartner. Surely the author does not expect any enterprise today to catch all exploits in “real time” or that any security product would have exactly the right telemetry for all situations — especially with a determined adversary. I’d like to understand how many Gartner clients stop all attacks in real time or what percentage of Gartner clients feel that their awareness programs actually are effective against well crafted social engineering or spear phishing attacks? Her answer is to use products in a Gartner Magic Quadrant. Most forward-leaning security products don’t even have a magic quadrant yet because the companies are not big enough to pay Gartner’s consulting fees. The author clearly is lecturing about things she does not understand in an operational context. This blog should be pulled.

  • M Shams says:

    Jason, your comment may be valid from an operational standpoint (I don’t know as I am not a technical geek). However your comment demonstrated that you have no / very little understanding of Gartner’s methodology! Did you know that there are many vendors in Gartner’s Magic Quadrants that are not Gartner clients? Vendors that are Gartner clients do not necessarily pay ‘Gartner Consultancy’ fees… And there is a huge difference between an analyst advisory role and a consultant’s role.

  • Avivah Litan says:

    Jason: With respect to your comment “I’d like to understand how many Gartner clients stop all attacks in real time” – the response is there are many financial institutions, especially in the U.S. and the U.K. that are stopping malware-based attacks against their customer accounts (mainly business accounts) in real or near-real time. I realize this can, in some aspects, be more difficult in enterprise settings, but it is possible given appropriate policies, processes and technology. Also, I did not say the solution is to use products in our Magic Quadrant; I was pointing out that RSA’s fraud detection products are covered in our Magic Quadrant. Trojan based attacks have been common for a couple of years now, and there are measures to defeat them in real time or near real-time – whether they are targeted against internal enterprise systems or not. I’m not minimizing the operational complexity – I’m just noting it has been and can be done.

  • Nick Selby says:

    Avivah,
    Good analysis overall, thank you. I disagree with one point – telling customers early that something happened is not the same as doing the best job one can. Personally I believe that RSA did itself a disservice in handling the overall PR of this, by not appearing more forthcoming, and appearing to stall and hem and haw. Perception is reality, especially when you’re selling security. The universal perception was that RSA was playing fast and loose with the details, regardless of whether they were.

  • Jason Smith says:

    Avivah,

    I am familiar with the technologies you mention that purport to stop malware-based attacks in real-time. If you talk to these vendors they will tell you they are 80 to 90% effective at best. True advanced adversaries are not going to use exploits that will be defeated by simple sandboxing and proxy techniques or so-called next-generation firewalls. If you are having open dialogs with these financial services customers of yours I am sure they also tell you that a certain percentage of zero days and covert network communications still bypass these defenses. Statistically, these zero days and targeted attacks are the ones we need to be concerned about in terms of real losses to the enterprise. So, I think we have to have an open mind here and not jump to criticize. RSA has joined Google, Northrop Grumman, Symantec, and a very long list of companies that have fallen victim to a determined and advanced adversary. We have to understand that there will be a true contrast between the value offered by preventative and detective measures, and we need operational focus and investment in each area. But a failure to prevent does not equate to a failure overall. Not in today’s threat environment. Thank you.

  • J says:

    “RSA sells its own fraud detection systems based on user and account profiling which use statistical Beysian models”

    I think the models are Bayesian, utilizing something based on Bayes’ theorem: http://en.wikipedia.org/wiki/Bayes%27_theorem.

    As Bayesian-based filters are based on what has been seen in the past and using that to predict whether a new occurrence of something is statistically like the previous events, it’s possible to circumvent a Bayes-filter using some content that is unpredictable [or that looks like a totally valid piece of content] (especially if your training corpus is too small).

  • Avivah Litan says:

    J: thanks for your feedback. I agree that the Bayesian models aren’t enough here; I was talking about some of the techniques that are used to stop malicious behavior. These range from secure browsing (using locked down browsers, or other methods), to monitoring and blocking suspect navigations and traffic to monitoring and blocking suspect transactions. RSA’s current fraud detection system does some of the latter, but you are right – predictive fraud models are typically based on the ‘what you know you don’t know’ but not on ‘what you don’t know you don’t know.’ Secure browsing and monitoring navigations (and blocking them) can compensate for those weaknesses, in part.

    Bayesian models (or even simple rules) can, however, catch the retrieval of ‘too many’ records from various systems, indicating ‘abnormal behavior’. And they can call authentication or transaction verification systems to make sure the right authorized user is executing those retrieval requests.

  • Daniel Levin says:

    Jason:

    Security vendors should set an example to other enterprises by the way they protect sensitive information and the security solutions they use to protect their networks. What I believe Avivah is saying is that RSA failed to do so. This problem is not limited to RSA. Having worked for large security vendors before I can tell you that they don’t always practice what they preach. The next time you talk to a security vendor ask them for a use case of how their solutions help them protect their network and data. They’ll be amazed by the question and there is a good chance you’ll be amazed by the answer. I think Avivah was spot on here. RSA went on about the attack and how sophisticated it was but didn’t explain what kind of security measures they had in place and how the attackers were able to bypass them. The truth is that this attack could have been prevented by various security solutions that provide virtual patching, network anomaly detection, desktop lockdown, etc.

  • Dave James says:

    Jason, if you’re a CEO, CSO or CTO of a big company, or say a board member of an investment firm with large holdings in the Tech secure that needs to do a risk analysis of this type of theft. It’s Gartner man, always going to be stuff written in for those in upper management or simply high level non technical people.

  • PJ says:

    The 8th layer of the OSI model, people, has always been the weakest link and will continue to be, regardless of the training and education programs organizations put in place. I’m sure I could send the author of this article an attachment so enticing that she would open it. 🙂

    The government and its suppliers have long been under these attacks and have all fallen victim. Keep in mind these are the people that develop our nuclear weapons, the planes we fly on and who put man on the moon. The fact of the matter is that organizations can’t move fast enough to stop the threats while still allowing the business to run. I find it misleading to relate a web fraud detection tool with an APT detection tool. That’s like comparing, well, apples and oranges!

    I have been involved with various financial services organizations and all have let regulatory requirements drive their security, not advanced threats. No amount of compliance checkboxes can stop an APT. These financial services orgs are trying to reduce fraud and ensure uptime, not stop the theft of intellectual property.

    Ultimately RSA did the right thing. Others have long swept this under the rug. Being that no organization in this century can live without email and no technology can stop people from being careless we will always have this game of cat and mouse. It’s how organizations deal with this adversity and respond to future attacks that will define how we secure organizations and conduct business in the ever connected society.

    PJ

  • Avivah Litan says:

    Hi PJ: thanks for your thoughtful comments. Just one note – our research has always advocated a layered security approach, of which web fraud detection is but one layer. And imho, you are absolutely right that the 8th layer, people, are the weakest link.

  • PJ says:

    Avivah,

    You are quite welcome. Of course I agree with the mantra of defense in depth, however those defensive layers have to be relevant to your business. Your reference to RSA’s eFraud network and the fact they should use it on their internal systems is a bit misleading. If you read their site, that capability is based at online fraud and identity theft, not the detection of advanced attacks. There are other tools like that such as Symantec’s Deep Sight and other free threat feeds. A control designed for ecommerce won’t do a lot of good for a company that doesn’t have an ecommerce business. Again, apples and oranges.

    PJ

  • Avivah Litan says:

    Hi PJ; re my blog reference, I was calling out that RSA knows about web fraud detection and that they develop and sell such systems. You may be correct that it would have been difficult to use their system to prevent this breach (although we don’t know enough about the breach to conclude that). RSA does claim to have user and account profiling and their fraud detection system should be able to see abnormal user or account behavior – for example high velocity data extracts (if indeed data were extracted from a database or file monitored by the system, or if a privileged user account were behaving ‘strangely’ per that user profile).

    Also other web fraud detection systems do detect malware-infected PCs and browsers accessing the server, and can block access on the spot. Still others can look for abnormal navigation (perhaps something NetWitness did) and feed alerts to authentication or transaction verification systems so that the user/transactions can be blocked.

    So, I don’t think it’s misleading to say these technologies can prevent system intrusions that start with the type of exploit we saw here.

    Thanks for your interest in this subject.