RSA had a conference call today with various analysts to discuss more details of the attack, and how they are communicating the after-effects to and with their customers.
RSA said the attack started with phishing emails sent to small groups of low-profile RSA users (presumably employees). The emails were surreptitiously titled “2011 Recruitment Plan” and landed in the users’ email Junk folders. (At least RSA’s SPAM filters were working, even if their social engineering training for employees was not).
Attached to the mysterious email was an Excel spreadsheet with recently-discovered Adobe Flash zero day flaw CVE 20110609. With the trojan downloaded, the attackers then started harvesting credentials and made their way up the RSA food chain via both IT and non-IT personnel accounts, until they finally obtained privileged access to the targeted system. The targeted data and files were stolen, and sent to an external compromised machine at a hosting provider. RSA saw the attack, using its implementation of NetWitness, and stopped the attack before more damage could be done.
RSA came clean and told its customers immediately about the attack (which is something other companies have not done) and should be credited for handling a bad situation as well as it can.
The irony though with RSA is that they don’t eat their own dog food. In other words, they relied on yesterday’s best of breed tools to prevent and detect the attack. They gave a lot of credit to NetWitness for helping them find the attack in real time but they obviously weren’t able to stop the attack in real time, which means the signals and scores weren’t high enough to cause a person to shut down the attack in real time.
RSA sells its own fraud detection systems based on user and account profiling which use statistical Bayesian models, and rules, to spot abnormal behavior and intervene in real time to re-authenticate users and verify the authenticity of suspect access, behavior, or transactions. (RSA appears in the leaders quadrant of Gartner’s 2010 Web Fraud Detection Magic Quadrant). They should have applied these techniques to their own internal systems. They need to stay innovative and apply the lessons learned from serving their clients to their own internal enterprise systems.
Perhaps this will shake them up so that they start moving a lot faster, like some of the small agile start ups they acquired in the past. They need to make it possible for the innovation to bubble up quickly into products and services that they not only sell and implement at customer sites, but that they use themselves internally.
I’m sure they are not the only company where this phenomena is true. The old adage rings true – the shoemakers children have no shoes.