Thursday, March 17, 2011

Initial Thoughts on RSA "APT" Announcement

Today RSA's Art Coviello announced the following:

Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA...

Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT).

Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products.

While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack...

This is one of the problems with debates over terminology. If we all accepted the actual definition of APT as created by the Air Force in 2006, we would know what Mr Coviello is describing. Without that clarity we're left wondering if he means any threat on the planet that he and RSA choose to describe as "APT."

Without knowing anything more than what is printed in the RSA announcement, I can offer the following opinion. It is not outside the realm of APT methodology and targeting to attack RSA in order to access internal details on their authentication technology. We know APT actors have attacked other technology companies to steal their intellectual property, ranging from software to algorithms to private keys, all to better infiltrate other targets.

As I Tweeted on March 10th, it's public knowledge that validated APT actors have targeted public key infrastructure for several years. Besides PKI, enterprises of all types rely heavily on two-factor systems such as those created by RSA. Stealing technology and examining it for weaknesses, identifying ways to exploit the supply chain, or otherwise gaining an advantage over RSA users are all valid APT interests.

Hopefully we will learn more about this issue as time passes.


Anonymous said...

I suspect that customer contact and location data could have been stolen based on what RSA released to the SEC. However, maybe they don't know what was stolen.

Keydet89 said...

So, Richard, what are you saying here? Are you suggesting that Mr. Coviello has misused the term "APT"? Are your thoughts that "Our investigation has led us to believe..." doesn't provide enough clarity for others to assess whether this _really_ is an "APT"?

Matthew Reed said...

I do cringe when I see APT. Even if it is indeed APT, it has become an overused and rather ambiguous buzzword that I associate more with FUD than with an actual threat. Just a little detail (suspicious traffic from other countries) would differentiate it from the usual buzzword.

On another note, I surely hope "extremely sophisticated cyber attack" is not the same type of "sophisticated attack" that pierced HBGary.

Richard Bejtlich said...


It's possible this is not a "true APT" as I would define it. It's possible Art used "APT" as cover for an unsophisticated, opportunistic intruder. We just don't know yet. Referencing Matthew's comment, HBG wasn't an APT victim (and never said that), but other victims might just blame "APT" whenever they get compromised. Tough situation.

Anonymous said...

Rich: Definitely a "words have meanings" issue.

Mandiant's recent reports on APT did a good job of setting the definition in butter if not stone. There needs to be some effort to ground that definition so that the term is not abused.

That said, the reason the definition has "expanded" from the original 2006 definition--which covered a specific threat actor--is that it is even more useful to describe a CLASS of threats than one single threat.

This is useful from an ops perspective even if it does get some of the intel weenies all wrapped around the axle. For example, I've been around quite a few discussions lately concerning whether or not Stuxnet represents an APT--people who want to stick to the original definition are adamant that it is not, but the threat actor was quite obviously both advanced and persistent.

When you're spitballing planning assumptions and you want to speak to adversary capability and intent, the Stux actor falls into the same CLASS as the more "traditional" APT even if their technique and motivations were radically different. I believe that this take jibes with your January 16th post on the subject (

As for whether or not RSA's case involves an APT--depends on what they took and why. I suppose time will tell.

Richard Bejtlich said...

Quick comment on my quotes in this SearchSecurity story:

The good news, he said, is that most enterprises that invest in multifactor authentication are sophisticated enough to always [be, sic] on the lookout for potential intruders.

That's not what I told Rob (the reporter). I told him that the best defense, even if your two-factor fails, is to always be on the lookout for potential intruders.

There is probably no correlation between use of multifactor and the sophistication of the enterprise.

Otherwise, he quoted me fairly well! Thank you.

Jacob Gajek said...

Another quote is potentially misleading: "good crypto works even if an attacker knows how it works"

The danger here of course is that the token-specific random seeds were leaked. If that's the case, all affected tokens would need to be retired from use, IMO.

Reflections on Security

Richard Bejtlich said...

Jacob, good point. I said "knows the algorithm," which appears to have been reduced to "knows how it works." :)

Jacob Gajek said...

Some clues about the nature of the stolen data are beginning to emerge. Apparently RSA has been telling customers to protect the serial numbers on their tokens. It is looking more and more like the scenario involving theft of the database mapping token serial numbers to token random seeds is in fact true. If so, this is a big deal.
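The two points raised in this thread, that a public algorithm is fine ("knows the algorithm") but a leaked seed database is not, can be shown concretely. The following is an added example, not code from RSA or any commenter: it uses the public RFC 6238 TOTP algorithm as a stand-in for the proprietary SecurID algorithm, with a constructed serial-to-seed table and a hypothetical `TokenServer` class, and shows that verification depends only on seed secrecy and that re-seeding a token invalidates any leaked copy of its seed.

```python
"""RFC 6238 TOTP as a stand-in for a hardware token algorithm.
Assumption: the real SecurID algorithm is proprietary and is not reproduced here."""
import hashlib
import hmac
import secrets
import struct


def totp(seed, unix_time, step=60, digits=6):
    """Time-based one-time code: the algorithm is public, only the seed is secret."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class TokenServer:
    """Hypothetical authentication server holding the serial -> seed table."""

    def __init__(self, seed_table, step=60):
        self.seeds = dict(seed_table)
        self.step = step

    def verify(self, serial, code, unix_time, window=1):
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        # Accept codes from adjacent time steps to tolerate clock drift.
        for k in range(-window, window + 1):
            expected = totp(seed, unix_time + k * self.step, self.step)
            if hmac.compare_digest(expected, code):
                return True
        return False

    def reseed(self, serial):
        """Remediation: a fresh seed makes any leaked copy of the old one worthless."""
        self.seeds[serial] = secrets.token_bytes(20)
        return self.seeds[serial]


def leaked_seed_scenario(unix_time=1_300_000_000):
    serial = "SERIAL-0001"                     # constructed sample serial
    original_seed = b"constructed-seed-value"  # constructed sample seed
    server = TokenServer({serial: original_seed})
    genuine_code = totp(original_seed, unix_time)
    accepted = server.verify(serial, genuine_code, unix_time)
    # Knowing the algorithm but not the seed yields a code the server rejects.
    wrong_seed_code = totp(b"some-other-seed", unix_time)
    rejected_without_seed = not server.verify(serial, wrong_seed_code, unix_time)
    # Once the seed database is assumed compromised, re-seeding is the fix:
    # codes computed from the leaked seed no longer verify.
    server.reseed(serial)
    leaked_copy_rejected = not server.verify(serial, genuine_code, unix_time)
    return accepted, rejected_without_seed, leaked_copy_rejected
```

The `totp` function reproduces the RFC 6238 SHA-1 test vectors, so the seed-dependence it demonstrates is that of the standard algorithm, not an artefact of this example.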

Michael Cloppert said...

One quick comment: I have seen APT actors successfully target two-factor authentication systems for the purposes of accessing the information they protect. Of course I cannot speak to specifics here, and without more information about the RSA breach it's tough to tell to what extent the two are similar, but from a tactical perspective the overlap is strong.

So yes, evidence exists to support Richard's reasoning that this intent fits well within the (admittedly now watered down) APT classification.

Anonymous said...

Anonymous: Perhaps the best thing to do is to add a rider identifying the assumed actor, if known. "Traditional" APT would be APT/FAREAST, for example.

Jacob Gajek said...

In the wake of the breach, I've posted some recommendations for detection and prevention of SecurID break-in attempts:

RSA SecurID Authentication Security

Will said...

I totally agree with you Richard. I believe that the media and a lack of clarity are partially to blame for the application of the term "APT" to all hacks. That isn't to say that what happened with RSA couldn't have been part of a state sponsored initiative, but until (if ever) they decide to disclose (or we see RSA source code miraculously appearing in foreign nations as a 'new product offering') we'll have to wait and see.