RSA's SecurID Breach Started with Phishing Email

RSA's Art Coviello told analysts that the SecurID attackers used a phishing email with a malicious Excel spreadsheet to penetrate the company's network.

The sophisticated attack that breached RSA's defenses and allowed attackers to steal SecurID data appears to have begun as a phishing attack, according to several security analysts briefed by the company. RSA has faced some criticism about its internal security practices.

During a private call with security analysts, the executive chairman of RSA Security, Art Coviello, revealed some details of how the March 17 security breach happened. During the April 1 call, Coviello also discussed how RSA stopped the incident.

An RSA spokesperson confirmed there had been a call with Coviello and some analysts, but declined to comment on the content of the call.

The attack started with phishing emails sent to small groups of low-profile RSA users that ended up in the users' email junk folders, according to Avivah Litan, an analyst with Gartner, who was on the call. Litan believes these low-level users are actually RSA employees.

The emails were titled "2011 Recruitment Plan" and had a malicious Microsoft Excel spreadsheet attached, Litan reported on her blog.

Ironically, the spreadsheet exploited the recently discovered Adobe Flash zero-day flaw. Adobe had announced the vulnerability on March 14 and patched it March 21. However, it appears the patch came a little too late for RSA.

Despite landing in the users' junk folders, at least one person opened the email and the attachment, which downloaded the Trojan to the user's PC. Attackers began harvesting credentials and "made their way up the RSA food chain" using accounts belonging to the IT department, as well as other employees, to gain "privileged access" to the targeted system, Litan wrote.

"At least RSA's spam filters were working, even if their social engineering training for employees was not," Litan added.

From the targeted system, attackers transferred files to an external compromised machine at a hosting provider, at which point RSA detected the attack thanks to its NetWitness implementation, Litan wrote. Industry observers had speculated that RSA must have had a network monitoring and forensics product deployed, and it appears they were right. RSA was able to stop the attack before more damage could be done and immediately told customers about the attack.

The company remained vague as to when the phishing emails were sent, or how long the attackers spent in the network bouncing between accounts, but several months seem likely, according to Jon Oltsik, a principal analyst with the Enterprise Strategy Group, who was also on the call. "I think that the intelligence gathering and setup lasted awhile," he told eWEEK.

The RSA breach was a lesson for everyone that technology isn't enough to "detect or block attacks," said Oltsik. "We need to train our people," he said.

While RSA "should be credited for handling a bad situation as well as it can," Litan felt that "RSA should have known better."

"The irony is that they don't eat their own dog food," Litan told eWEEK. The company sells fraud detection systems based on sophisticated profiling that use complex models to spot abnormal behavior and intervene in real time to authenticate and reauthenticate users and transactions.

However, RSA did not apply those same techniques to their own systems, Litan said.

RSA gave "a lot of credit" to NetWitness for detecting the attack in real time, but it wasn't good enough, as the "signals and scores" were clearly not high enough to prompt a person to shut down the attack immediately, Litan said.

RSA needs to stay innovative and apply the lessons learned from serving its clients to its own internal enterprise systems, Litan said. This may be a function of being owned by EMC, a "behemoth company," said Litan. She noted that many of the "best and brightest" at RSA left after the 2006 acquisition.

"Much of the innovation has since been slowed down by the inevitable bureaucracy," said Litan.