At the 2011 Gartner Security & Risk Management Summit, Gartner Vice President and Fellow Emeritus Neil MacDonald discusses RSA, APT and the social engineering threat. Specifically, MacDonald discusses what RSA did wrong following the SecurID breach earlier this year and how RSA customers should respond, as well as why the RSA attackers may be getting too much credit. Later MacDonald talks about the reality of advanced persistent threats as they exist in the enterprise today, and why new monitoring and detection capabilities may be the best way to defend against social engineering attacks.
Read the full transcript from this video below:
Gartner’s Neil MacDonald on RSA, APT and the social engineering threat
Interviewer: Neil MacDonald, Gartner vice president and Gartner fellow
emeritus thank you so much for joining us today.
Neil MacDonald: My pleasure.
Interviewer: The RSA SecurID attack and all the fallout as of today,
June 2011, there's still a lot we don't know and may never
know, but what's your over all reaction and take way as of
Neil MacDonald: Well, RSA has not been as transparent as they should have been from
the beginning. They have disclosed to some of their customers
and they have started a replacement program with many of their
customers, especially the higher risk, higher profile accounts.
So if you're using a RSA SecurID token, you should actually be
inquiring to RSA about your schedule for replacement. There's
some additional thinking, as I've looked at this whole RSA
One is that the initial assumption was the bad guys now have the
private numbers that were used to see the algorithm. They have
those, and what they need is the ability to map a user name to a
token. So the advice from RSA was very focused on the back-end
servers that might maintain those mappings, because the bad guys
are now going to go target those servers, because now they have
these private C keys.
As I looked at this I though, those bad guys they're smart,
we've established that earlier. If I know I'm going to attack
RSA and go after the private C keys, and I know I want to go
after let's say some defense contractors, maybe I'll go target
the defense contractors first. I'll get those user to key
mappings. Then I'll go get the C-values. If I do it in the
reverse order and people now know the C-values have been
compromised, they're going to now start building up their
defenses that they didn't have before on those user token
mappings. So part of this is, I think it's wishful thinking to
say the bad guys are going to get RSA and now they're going to
go after all the defense contractors, where they could've got
that information first. Then they get the C-mappings, and then
they can impersonate any user they want. That's one area of
A second is the initial thinking was they have to go after the
server to get the user name to get the token mappings. But what
has been shown is they're going after end-users directly. They
can try a Trojan machine put a Zeus-like Trojan on the machine
and capture in real time that user name to token mapping, not at
the server, but at the user. What's harder to attack, an end
user who can be tricked, or a server that's behind a firewall?
And I think the bad guys again, path of least resistance, if I
can trick one of these users into downloading this Trojan. Now I
can make that user name to token mapping and reportedly that's
what happened with Lockheed Martin. They went after a
contractor and somehow compromised the machine and got the key
mapping and were able to impersonate that user within the
Lockheed Martin network.
Interviewer: Art Coviello called the incident APT, which some say was a
veil reference to China. However some have argued that it was
wrong to call it APT, and some say APT has, at this point, little
to no meaning anyway. What's your take on the APT term?
Neil MacDonald: Well I think we can all agree, whether you like the term or don't
like the term, we're being hit by threats that are persisting
undetected in our networks, that have gotten by our traditional
defenses. Whether it's signature-based malware or firewalls. It's
already gotten by and it's persisting undetected, so what do you
want to call it? It's an advanced threat that persists
undetected in our network.
That's a mouthful, APT for short. I'm, okay, with that. I think
what's happened is the military -- specifically I believe it was
an Air Force -- document that was declassified, and in the process
of declassification they had to remove a reference to a nation
state, and they substituted this term APT. And it was a very
specific reference to say, this is a nation state, but they
couldn't name it, because it was a declassified document; that's,
if you go back in history, about where this term came from. And
now people, from a marketing perspective, have misused the term.
But I do believe we can all agree that there are advanced
threats that are persisting undetected in our networks.
We're at risk. RSA is getting hit, Lockheed Martin is getting
hit. Google was hit, there have been, over the past year, lots and
lots of reports of attacks that have persisted undetected. Many
of them have been attributed to a nation state. In many cases
it's reportedly tied back to China. But many of them having
associated with a nation state, and I think Google came out
recently and said, not project Aurora, that was last year. But
recently after this RSA attack, essentially came out and said a
named I believe it was China. These are state sponsored attacks
and when RSA says that APT I believe they are making a reference
in this case to a who, an actor, and they're using APT as a
shorthand for that.
Interviewer: The RSA attack as we've touched on ultimately boiled down
to social engineering. For enterprises it certainly is
indicative of the social engineering problem that exists today.
Any help or new guidance for what continues to be a vexing
Neil MacDonald: It's hard to patch the end users, I mean they're vulnerable, we
talked about patching earlier but it's hard to develop patches
for end users that do silly things. Now reportedly in the RSA
case it was a malformed PDF. Which exploited a zero day in
Adobe, so back to our vendors writing secure software, and we
talked about Microsoft and their issues. Adobe has their issues,
and Adobe should be putting specific programs in place to make
sure they're producing secure code as well.
Again, reportedly it was a zero day in Adobe. It was a malformed
PDF, through social engineering they were able to get onto the
machine. So it was a combination of things. A very sophisticated
attack that's the word advanced in ATP. Very sophisticated
attack, we can train users, we can try. We can say don't click
on attachments. Most people don't think PDFs are in the same
realm as executables. Many email systems that block executable
code allow PDFs to cross.
If I remember correctly with the RSA example it was a PDF that
may have been embedded within a spreadsheet. It was quite a
complex attack and stuff that we would normally allow. We can go
so far in end user training. I think we need to like turn the
discussion a bit and say, you know what, we're never going to
fix all of these vulnerabilities and end users are always going
to be vulnerable. I think we need to rethink rather than
feudally trying to prevent everything. Maybe we need to do a
better job detecting when we are compromised. So yes it was
advanced. How long did it sit there and persist undetected while
they pilfered through the RSA network and got their algorithms.
Shouldn't something have picked it up?
That's where people talk about the hard exterior. We've got this
great perimeter, but once you get in it's really squishy in the
middle, kind of like an egg almost. What we need are better
monitoring and better detection capabilities with the assumption
that we will be compromised. We will. It's just a matter of
time. So how would you detect it? Assume it's going to get by
you AV signatures, and get by your firewall, get by your IPS.
Your users are going to get tricked, how would you know? I think
that's where RSA fell down. And interestingly it was a
coincidence they announced their acquisition of NetWitness
which does give you packet level intelligence and great
visibility into what's going on that layer in the network, would
have helped to identify the anomalous behavior.
Again, RSA's acquisition of NetWitness was already put
into motion well before the attack was made public but it's that
type of technology that we need. NetWitness isn't the only
vendor, Solera has similar offerings, Fidelis Networks… there
are multiple vendors that can give us visibility at the network
layer looking for anomalous behavior. We're really good at
prevention, not so good at detection, especially detecting these
sophisticated attacks that have already evaded our traditional
perimeter security where we don't have traditional signatures.
Interviewer: Finally regarding secure ID. Is this a short term issue or
should enterprises in some circumstances consider an
alternative to factor technology or supplementing it with
Neil MacDonald: Even before this breech of RSA, there have been attacks one time
password tokens. I mentioned Zeus earlier. The idea is, can I
capture that information in real time and send it out to
somebody somewhere and try to take advantage of this window for
which the number is still valid. And there were attacks that
would do exactly that where they would try to maintain a session
open even after the user had terminated their session.
So one-time passwords have already been proven to be vulnerable.
See you had to start thinking in the back of your mind, "Maybe I
just need a different approach altogether." Now what raised
this issue to a head is now they've got breached; now I've got
to replace them anyways. Should I look at other approaches, and
yes, the advice is yes. One time passwords have weaknesses, in
fact there is no silver bullet in information security so we're
going to weigh the costs.
What is the cost to replace all the tokens and the effort versus
what are some of my alternatives to one-time passwords? Other
technologies that have appeared that might provide equivalent
stronger protection and address some of the weaknesses of
onetime passwords. I think the RSA breach has provided an
opportune time to reevaluate the whole decision.
The fact that the RSA is replacing tokens, that's great. That's
the responsible thing to do, but it ignores the cost and the
pain to go out and change the server infrastructure, or issue
new IDs for the users. That whole process cost organizations
time and money. That's why I'm saying, if you're going to go
through the effort anyway, you might as well look at
alternatives. Including competitors, and including competitive