RSA Attack Analysis: Lessons Learned
Last week an interview led by the Kaspersky team was published, discussing the RSA targeted attack that took place some weeks ago. This interview is very valuable because RSA took part in it and is totally honest about what happened and how the attack succeeded. It is very rare to have such a post-mortem analysis with honest answers from the company that was targeted. We therefore decided to sum up this interview for you, so that you can take advantage of someone else's mistakes and learn from this recent targeted attack.
Turning to the client side
A highly interesting point raised by this interview is the change of paradigm in defense strategies. RSA confirms that the threat came from the client side of their network, and that all the frontal (perimeter-facing) measures they had taken were therefore totally useless. This dimension, which Satorys has been defending for several years now, finally reaches international companies through the Advanced Persistent Threat.
The human factor becomes central in the new cyber defense strategies. Social engineering has always existed, but the recent growth of social media and online communities has made it much easier to reach employees personally and professionally. RSA testifies that an employee was targeted by a phishing attack, which was used to download a malicious payload via the Flash plugin of the client browser. These actions allowed the attacker to install a remote administration tool and begin harvesting data.
These new means of attack were used wisely by the attackers and confirm that focusing on frontal attacks is a completely outdated reasoning. Attackers now look for indirect access to resources and abuse the habits and credulity of end users to gain access to private data. Once settled in the network, attackers can easily reach the outside world from the internal network and fetch orders telling them which data to leak.
This change of paradigm is quite striking: indeed, as RSA confesses, the new postulate is that the internal perimeter should be considered compromised, just as outside networks used to be. We should benefit from RSA's experience and begin changing our approach to focus on the client side of the network.
This is something Satorys has been claiming for several years, developing technologies focused on the client side for security detection. By analyzing internal connections and interactions, Satorys has developed state-of-the-art behavioral detection to determine the vulnerability of clients and identify potentially compromised ones.
Ineffectiveness of signature-based detection
Another interesting point revealed by RSA is the level of skill deployed to perform this attack. No more script kiddies and brute force on regular frontal services: the attack was indirect, performed by skilled and trained developers who designed specific software for this attack and, at the very least, generated a new signature for that software.
We can therefore conclude from this assertion that any security appliance or software based on signatures was anachronistic at this point, and that the network was ultimately defenseless. Since the majority of security products rely on heavy and incomplete signature databases, they can never keep up with the pace at which new signatures are published. Even if the database were up to date, software developed exclusively for one attack could not be detected.
Once again, Satorys stated long ago that signature-based detection will fail in the short term because of the exponential publication rate of malicious software. Therefore Satorys focused its technology not on running behind the crowd for signature updates, but on a different paradigm: behavioral detection. Since there exists a finite set of behaviors used to attack and compromise clients, this reasoning does not fall under the exponential law that governs signatures. By analyzing attacks through their behavior rather than their signature, we ensure they will always be recognized.
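To make the contrast between the two paradigms concrete, here is an added example (not code from the original post, and not Satorys' or RSA's technology) that runs both kinds of check over a constructed excerpt of web-proxy logs. The implanted tool described earlier has to reach the outside world to fetch its orders, and it does so at regular intervals; the behavioral check looks for that near-constant periodicity between one internal client and one external destination, while the signature check only matches destinations already present in a blocklist. The log format, host names, IP addresses and the blocklist are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed web-proxy log excerpt (format assumed for this example):
# timestamp, client IP, destination host, bytes sent by the client.
# Host 10.1.4.22 contacts one external host every ten minutes with a small,
# fixed-size request; host 10.1.4.31 browses irregularly.
SAMPLE_LOG = """\
2011-03-10T09:00:00 10.1.4.22 updates.example-vendor.test 512
2011-03-10T09:00:07 10.1.4.22 mail.example-corp.test 2048
2011-03-10T09:10:00 10.1.4.22 updates.example-vendor.test 515
2011-03-10T09:20:01 10.1.4.22 updates.example-vendor.test 510
2011-03-10T09:30:00 10.1.4.22 updates.example-vendor.test 514
2011-03-10T09:40:00 10.1.4.22 updates.example-vendor.test 511
2011-03-10T09:50:01 10.1.4.22 updates.example-vendor.test 513
2011-03-10T09:03:12 10.1.4.31 news.example.test 15000
2011-03-10T09:14:45 10.1.4.31 news.example.test 9000
2011-03-10T09:44:02 10.1.4.31 cdn.example.test 400000
2011-03-10T10:01:30 10.1.4.31 news.example.test 12000
"""

# Constructed "signature database": destinations already known to be malicious.
# A destination set up for a single attack is, by definition, not in here yet.
KNOWN_BAD_DOMAINS = {"old-c2.example.test"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, sent = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "destination": dest,
            "bytes_out": int(sent),
        })
    return events


def signature_hits(events, bad_domains):
    """Signature-style check: flag only destinations already on the blocklist."""
    return {(e["client"], e["destination"])
            for e in events if e["destination"] in bad_domains}


def find_beacons(events, min_events=5, max_cv=0.1):
    """Behavioral check: flag (client, destination) pairs whose contacts are
    spaced at near-constant intervals.  The coefficient of variation
    (std dev / mean) of the gaps between contacts measures that regularity;
    human browsing is bursty and scores high, a timer-driven implant scores
    close to zero.  Thresholds are assumptions to be tuned per environment."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["destination"])].append(e["ts"])

    findings = []
    for (client, dest), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue                      # too few contacts to judge a rhythm
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue                      # duplicate timestamps, no rhythm
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "client": client,
                "destination": dest,
                "events": len(stamps),
                "mean_interval_s": avg,
                "cv": cv,
            })
    return findings


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("signature hits:", signature_hits(records, KNOWN_BAD_DOMAINS) or "none")
    for f in find_beacons(records):
        print("beacon candidate: %s -> %s, %d contacts every ~%.0fs (cv=%.4f)"
              % (f["client"], f["destination"], f["events"],
                 f["mean_interval_s"], f["cv"]))
```

On this input the signature check returns nothing, because the destination was never seen before, while the behavioral check surfaces the ten-minute rhythm of 10.1.4.22. The caveat a practitioner will want to keep in mind is that legitimate software also polls on timers (update checkers, monitoring agents), so a periodicity finding is a lead for an analyst to triage against an allowlist and the host's expected software, not a verdict on its own.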
Lessons learned
The lesson we can learn from this very interesting interview is that there is an increasing need for unparalleled visibility on the client side and for traceability inside the information system. As RSA describes, they discovered the attack quite by chance, because a few machines performed a few strange actions. Fortunately, the RSA analyst was skilled enough to investigate these actions and detect the leakage, which could have been totally invisible in another context. I'm sure RSA's analysts critically needed this unparalleled visibility to investigate and search across their whole client-side infrastructure.
Once again, we are relieved to confirm that the choices made by Satorys actually fit the increasing need for visibility and client-side analysis. Trueboard provides such visibility, together with a client-oriented architecture and detection, to simplify the work of analysts like RSA's. Additionally, to deal with client-side attacks, it helps identify employees at risk and, hopefully, train them in security best practices, so as to finally reach a high level of security.
We can sum up this interview in a few key points that corporate and security managers should keep in mind:
- Consider the internal perimeter as compromised
- The human factor is the key to security enhancement, especially where social networks are concerned
- The security level of partners and providers should be considered thoroughly
- Attackers are now trained, skilled and ready to develop one-shot tools
- Signature-based detection is anachronistic given the previous point
- Attackers no longer attack frontally, but use client-side backdoors