The RSA attack took place in multiple phases. In the first phase, the attackers identified employees with specific job roles at RSA, then sent malicious email messages specifically to those users. This kind of tactic, known as spear phishing, is increasingly common. I wrote about it last year, and in that column I said that not all spear phishing attacks contain malware. Well, this one did. Here's part of what RSA's Uri Rivner had to say on his blog about the attack:
The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached Excel file. It was a spreadsheet titled "2011 Recruitment plan.xls."
The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). As a side note, by now Adobe has released a patch for the zero-day, so it can no longer be used to inject malware onto patched machines.
First, notice that one of the targeted employees retrieved the malicious message from the Junk E-mail folder. Score 1 for automated filtering; some part of the company's mail system identified the message as junk and filtered it. Score -1 for the employee, who opened it anyway.
Problem #2: A zero-day exploit in Flash. It's certainly reasonable to ask whether it's important to have Flash on corporate computers. Many websites with legitimate business uses depend on Flash, but given Adobe's terrible track record, if I were a corporate security officer, I'd be thinking very seriously about either blocking Flash altogether or restricting its use to sandboxed virtual machines with very limited access to the corporate network.
There are lots of other interesting aspects to the attack. For example, RSA actually noticed it while it was ongoing. This situation is unusual in that most targets of an APT don't find out they've been hacked until after the damage is done and the attackers are long gone. Catching an APT in the act leads to the potential of being able to identify the attackers; if RSA has done so, the company isn't saying so publicly.
Rivner goes on to share some thoughts about the need for new models of security defense to protect against this kind of attack. Although there's much truth in what he says, the fact is that we really can't afford to wait for a new model—and the infrastructure that comes with it—to protect us. What steps can you take now to improve your defenses against these kinds of attacks?
The first thing I'd recommend is that you remind your employees, again and again, about the risks of social engineering. It only takes one poorly trained, ignorant, or careless employee, and bam! Your organization is on the front page of the newspaper. You can't overemphasize the importance of communications security, knowing who you're talking to, and being properly suspicious. Aggressive email filtering can help with this problem, too.
Second, get rid of Flash if you can, or quarantine it if you can't. I'm not picking on Adobe. Well, OK, I am, but only a little. There are probably other common products that have a worse security record, but Flash seems to be a very, very common denominator in these types of attacks, and for that reason alone it needs to be in the penalty box.
Third, remember that APTs tend to be "low and slow": They sneak in, stay in your network for a long time, and slowly escalate their degree of access over time. What kind of monitoring systems do you have in place? What kind of filtering are you doing for inbound documents, executables, and so on? Could you be doing more?
One thing's for sure: The proliferation of APTs means that this isn't the last you'll hear of these kinds of attacks. Be careful.