RSA defends handling of two-pronged SecurID breach
'Our adversaries left information' exec says, as FBI probe continues
RSA Europe Two groups from the same country teamed up to launch a sophisticated attack against RSA Security's systems last March, EMC's security division said.
Unspecified information gained during the attack paved the way towards an unsuccessful attack against a defence contractor (self-identified as Lockheed Martin), senior RSA execs said during the opening of the RSA Conference in London on Tuesday.
"Two groups were involved in the attack," Thomas Heiser, RSA Security president, said during a keynote at the conference. "Both are known to authorities but they have never worked together before."
"The attack involved a lot of preparation," he added.
Forensic examination in the wake of attack on RSA's systems allowed the security arm of EMC to draw tentative conclusions about the origin and purpose of the assault on systems that underpinned its SecurID two-factor authentication technology.
RSA executive chairman Art Coviello said that "one group was very visible and one less so". Coviello declined to point the finger of blame towards any particular country but said during a later question-and-answer session that both came from the same country. "We've not attributed it to a particular nation state," Coviello said. "However with the skill and degree of resources involved it could only have been a nation state."
Coviello's comments painted a picture of the attack as a collaboration between criminal hackers and either a military or intelligence agency, even though he sidestepped a question on whether this was a correct interpretation of his remarks.
Heiser downplayed both the impact of the attack and RSA Security's subsequent drip-drop disclosure of what exactly happened and how it had affected customers of its flagship SecurID two-factor authentication technology, which is widely used for secure remote access to corporate email or intranet applications.
"There was one attack on RSA," he said. "The information taken from the RSA attack was a vector in one other attack, which was thwarted. We know of no other attack.
"We killed the attack while it was still in progress and communicated rapidly with our customers as much as we could tell them."
Both the FBI and Department of Homeland Security are continuing to investigate the case.
"Our adversaries left information," Heiser said. "We didn't want to thwart the investigation, so for that reason we haven't disclosed everything we know."
RSA was widely criticised for its reluctance to disclose details of the assault. Even now, more than six months after the assault, it will only say that information related to SecurID was stolen. It hasn't said what was taken although it has been widely suggested that it might have been the seed database used to generate one-time codes on the devices it supplies.
RSA Security offered to supply enterprise customers with replacement tokens in response to the attack. Both Coviello and Heiser declined to say how many tokens it has replaced, although, pressed on the point, Coviello said it was a "small percentage".
During a question-and-answer session, Heiser denied accusations that many customers had been "left hanging" in the aftermath of the attack.
"We got out to our top 500 customers relatively quick. We have many thousands of other customers which we don't deal with directly, so there wasn't that that kind of hand-holding. We have to rely on our marketing press and partners," he said.
"We disclosed everything we could without putting other customers at risk," he said.
Hackers were looking for 'defence-related intellectual property'
Heiser said that RSA was a pawn in a bigger assault: "The motive was to gain access to defence-related intellectual property. RSA was not the target but a means to an end," he said.
Coviello said one of the ironies of the attack was that it validated trends in the market that had prompted RSA to buy network forensics and threat analysis firm NetWitness just before the attack. Security programs need to evolve to be risk-based and agile rather than "conventional" reactive security, he argued.
"The existing perimeter is not enough, which is why we bought NetWitness. The NetWitness technology allowed us to determine damage and carry out remediation very quickly," Coviello said.
"Organisations are defending themselves with the information security equivalent of the Maginot Line as their adversaries easily outflank perimeter defences," Coviello added. "People are the new perimeter contending with zero-day malware delivered through spear-phishing attacks that are invisible to traditional perimeter-based security defences such as antivirus and intrusion detection systems." ®