Initial Thoughts on RSA "APT" Announcement

Today RSA's Art Coviello announced the following:

Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA...

Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT).

Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products.

While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack...

This is one of the problems with debates over terminology. If we all accepted the actual definition of APT as created by the Air Force in 2006, we would know what Mr Coviello is describing. Without that clarity we're left wondering if he means any threat on the planet that he and RSA choose to describe as "APT."

Without knowing anything more than what is printed in the RSA announcement, I can offer the following opinion. It is not outside the realm of APT methodology and targeting to attack RSA in order to access internal details on their authentication technology. We know APT actors have attacked other technology companies to steal their intellectual property, ranging from software to algorithms to private keys, all to better infiltrate other targets.

As I Tweeted on March 10th, it's public knowledge that validated APT actors have targeted public key infrastructure for several years. Besides PKI, enterprises of all types rely heavily on two-factor systems such as those created by RSA. Stealing technology and examining it for weaknesses, or identifying ways to exploit the supply chain, or otherwise gain an advantage over RSA users are all valid APT interests.

Hopefully we will learn more about this issue as time passes.

Comments

Anonymous said…
I suspect that customer contact and location data could have been stolen based on what RSA released to the SEC. However, maybe they don't know what was stolen.

http://www.sec.gov/Archives/edgar/data/790070/000119312511070159/dex992.htm
10:08 PM
H. Carvey said…
So, Richard, what are you saying here? Are you suggesting that Mr. Coviello has misused the term "APT"? Are your thoughts that "Our investigation has led us to believe..." doesn't provide enough clarity for others to assess whether this _really_ is an "APT"?
8:40 AM
Matthew Reed said…
I do cringe when I see APT. Even if it is indeed APT, it has become an overused and rather ambiguous buzzword that I associate more with FUD than I do an actual threat. Just a little detail (suspicious traffic from other countries) would differentiate it from the usual buzzword.

On another note, I surely hope "extremely sophisticated cyber attack" is not the same type of "sophisticated attack" that pierced HBGary.
9:09 AM
Richard Bejtlich said…
Harlan,

It's possible this is not a "true APT" as I would define it. It's possible Art used "APT" as cover for an unsophisticated, opportunistic intruder. We just don't know yet. Referencing Matthew's comment, HBG wasn't an APT victim (and never said that), but other victims might just blame "APT" whenever they get compromised. Tough situation.
9:29 AM
Anonymous said…
Rich: Definitely a "words have meanings" issue.

Mandiant's recent reports on APT did a good job of setting the definition in butter if not stone. There needs to be some effort to ground that definition so that the term is not abused.

That said, the reason the definition has "expanded" from the original 2006 definition--which covered a specific threat actor--is that it is even more useful to describe a CLASS of threats than one single threat.

This is useful from an ops perspective even if it does get some of the intel weenies all wrapped around the axle. For example, I've been around quite a few discussions lately concerning whether or not Stuxnet represents an APT--people who want to stick to the original definition are adamant that it is not, but the threat actor was quite obviously both advanced and persistent.

When you're spitballing planning assumptions and you want to speak to adversary capability and intent, the Stux actor falls into the same CLASS as the more "traditional" APT even if their technique and motivations were radically different. I believe that this take jibes with your January 16th post on the subject (http://taosecurity.blogspot.com/2010/01/what-is-apt-and-what-does-it-want.html).

As for whether or not RSA's case involves an APT--depends on what they took and why. I suppose time will tell.
10:42 AM
Richard Bejtlich said…
Quick comment on my quotes in this SearchSecurity story:

The good news, he said, is that most enterprises that invest in multifactor authentication are sophisticated enough to always [be, sic] on the lookout for potential intruders.

That's not what I told Rob (the reporter). I told him that the best defense, even if your two-factor fails, is to always be on the lookout for potential intruders.

There is probably no correlation between use of multifactor and the sophistication of the enterprise.

Otherwise, he quoted me fairly well! Thank you.
2:47 PM
Jacob Gajek said…
Another quote is potentially misleading: "good crypto works even if an attacker knows how it works"

The danger here of course is that the token-specific random seeds were leaked. If that's the case, all affected tokens would need to be retired from use, IMO.

Reflections on Security
3:46 PM
Richard Bejtlich said…
Jacob, good point. I said "knows the algorithm," which appears to have been reduced to "knows how it works." :)
4:58 PM
Jacob Gajek said…
Some clues about the nature of the stolen data are beginning to emerge. Apparently RSA has been telling customers to protect the serial numbers on their tokens. It is looking more and more like the scenario involving theft of the database mapping token serial numbers to token random seeds is in fact true. If so, this is a big deal.

http://www.networkworld.com/news/2011/031811-rsa-breach-reassure.html
11:41 PM
Anonymous said…
One quick comment: I have seen APT actors successfully target two-factor authentication systems for the purposes of accessing the information they protect. Of course I cannot speak to specifics here, and without more information about the RSA breach it's tough to tell to what extent the two are similar, but from a tactical perspective the overlap is strong.

So yes, evidence exists to support Richard's reasoning that this intent fits well within the (admittedly now watered down) APT classification.
4:11 PM
Anonymous said…
Anonymous: Perhaps the best thing to do is to add a rider identifying the assumed actor, if known. "Traditional" APT would be APT/FAREAST, for example.
11:12 PM
Jacob Gajek said…
In the wake of the breach, I've posted some recommendations for detection and prevention of SecurID break-in attempts:

RSA SecurID Authentication Security
6:44 AM
Anonymous said…
I totally agree with you Richard. I believe that the media and a lack of clarity are partially to blame for the application of the term "APT" to all hacks. That isn't to say that that what happened with RSA couldn't have been part of a state sponsored initiative but until (if ever) they decided to disclose (or we see RSA source code miraculously appearing in foreign nations as a 'new product offering') we'll have to wait and see.
9:30 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more