RSA hit by advanced persistent threat attacks

RSA, the security division of EMC, has revealed that attackers have stolen information from the company's IT systems

RSA, the security division of EMC, has revealed that attackers have stolen information from the company's IT systems. Some of that information, the company said, is related to RSA's SecurID two-factor authentication products.

"While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," said Art Coviello, executive chairman of RSA, in an open letter to customers.

RSA is contacting customers to provide immediate steps for them to take to strengthen their SecurID implementations.

Coviello said investigations had revealed that the attack was in the category of an advanced persistent threat (APT), but there is no evidence that customer security related to other RSA products has been affected.

"We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident," he said.

In contrast with the customer communications that followed Operation Aurora, the December 2009 attacks against Google and about 30 other big companies, RSA's breach report is very well informed, said Solera Networks.

The firm said the change can be ascribed to more widespread deployment of technologies that enable network forensics (NF) investigations. NF is essential to identify what has been breached and who may be affected, said Steve Shillingford, president and chief executive of Solera Networks.

"It has become unacceptable not to know the most basic facts of who and what has been stolen or compromised," he said.

According to Shillingford, NF makes this information available immediately and completely, which is especially valuable in the face of APTs. Immediate recognition of the APT, in this instance for RSA, may have limited damage and reduced time to resolution, as well as enabled RSA to say with confidence what was and was not compromised, he said.

The IT security community is recognising that APTs are specifically architected to subvert installed security defences. Typically, APTs are made up of a series of attacks using different techniques to probe corporate defences until they are bypassed.

APTs are becoming a significant challenge for all large corporations, warned Coviello.

"As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organisations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber-security threat," he said.

To identify APTs, organisations need to deploy technologies that not only identify all potential threats through behaviour analysis, but are also able to test all suspicious elements in a virtual environment, said Ashar Aziz, chief executive of security firm FireEye.

This two-phase approach has proven very effective in identifying APTs, Aziz told Computer Weekly, because it investigates all suspicious behaviours on a network without disrupting business, since it eliminates all false positives.
