Saturday, March 19, 2011

SecureWorks Threat Analysis - RSA Compromise: Impacts on SecurID

http://www.secureworks.com/research/threats/rsacompromise/

Executive Summary

RSA, the security division of EMC, is best known for the SecurID two-factor authentication tokens widely used in high-security environments. RSA announced that a cyberattack resulted in the compromise and disclosure of information "specifically related to RSA's SecurID two-factor authentication products". The full extent of the breach remains publicly unknown. RSA states that "this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack." Organizations that use SecurID should be alert for attempts to circumvent their authentication infrastructure, though no specific attacks are known to be occurring at the time of this publication.

[...]

Recommended Actions

With the potential impacts from the previous section in mind, the response should focus on a few key areas.
  • Direct attacks against an ACE server.
    • Confirm current patch levels and general server hardening
    • Monitor IPS/IDS logs
    • Monitor server logs
  • Brute-force attacks attempting to determine the specific seed used for a given account's SecurID token, as well as attacks aimed at compromising other authentication factors.
    • Monitor for repeated authentication failures, both on the ACE server and on intermediate appliances and systems
    • Monitor for authentication failures not followed by a success, both on the ACE server and on intermediate appliances and systems
    • Monitor for changes in the source of authentication attempts
    • Monitor for multiple concurrent logins for a single account
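The four monitoring items above translate directly into detection logic. The following is an added example (not SecureWorks' or RSA's code) that runs those checks over a handful of constructed log lines; the log format, field names, thresholds and windows are assumptions for illustration, not the real ACE server log format.

```python
"""Detect the SecurID-related authentication anomalies listed above over
constructed sample log lines.

Assumed (illustrative, not the real ACE/Authentication Manager format):
    <ISO-8601 timestamp> user=<name> src=<ip> result=<SUCCESS|FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: bob is brute-forced, alice logs in from a new
# source and then from two sources within minutes, dave fails and never succeeds.
SAMPLE_LOG = """\
2011-03-18T08:00:00 user=alice src=10.0.0.5 result=SUCCESS
2011-03-18T08:01:00 user=bob src=10.0.0.9 result=FAIL
2011-03-18T08:01:30 user=bob src=10.0.0.9 result=FAIL
2011-03-18T08:02:00 user=bob src=10.0.0.9 result=FAIL
2011-03-18T08:02:30 user=bob src=10.0.0.9 result=FAIL
2011-03-18T08:03:00 user=bob src=10.0.0.9 result=FAIL
2011-03-18T08:10:00 user=carol src=10.0.0.7 result=FAIL
2011-03-18T08:10:20 user=carol src=10.0.0.7 result=SUCCESS
2011-03-18T08:15:00 user=alice src=203.0.113.4 result=SUCCESS
2011-03-18T08:16:00 user=alice src=10.0.0.5 result=SUCCESS
2011-03-18T09:00:00 user=dave src=10.0.0.8 result=FAIL
"""

# Constructed per-user baseline of known-good source addresses.
BASELINE = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.9"},
            "carol": {"10.0.0.7"}, "dave": {"10.0.0.8"}}


@dataclass
class AuthEvent:
    when: datetime
    user: str
    source: str
    ok: bool


def parse_log(text):
    """Parse the assumed log format into AuthEvent records, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(AuthEvent(datetime.fromisoformat(ts), kv["user"],
                                kv["src"], kv["result"] == "SUCCESS"))
    return sorted(events, key=lambda e: e.when)


def repeat_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Users with >= threshold failures inside a sliding window (seed brute-force signal)."""
    flagged, per_user = set(), defaultdict(list)
    for e in events:
        if e.ok:
            continue
        times = per_user[e.user]
        times.append(e.when)
        while e.when - times[0] > window:
            times.pop(0)
        if len(times) >= threshold:
            flagged.add(e.user)
    return flagged


def failures_without_success(events, window=timedelta(hours=1)):
    """Users with at least one failure that no success follows within `window`."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e.user].append(e)
    flagged = set()
    for user, evs in per_user.items():
        for i, e in enumerate(evs):
            if not e.ok and not any(f.ok and f.when - e.when <= window for f in evs[i + 1:]):
                flagged.add(user)
                break
    return flagged


def new_sources(events, baseline):
    """Successful logins from a source address outside the user's baseline."""
    return {(e.user, e.source) for e in events
            if e.ok and e.source not in baseline.get(e.user, set())}


def concurrent_logins(events, window=timedelta(minutes=5)):
    """Users with successful logins from more than one source inside `window`."""
    flagged, per_user = set(), defaultdict(list)
    for e in events:
        if not e.ok:
            continue
        recent = [r for r in per_user[e.user] if e.when - r.when <= window]
        recent.append(e)
        per_user[e.user] = recent
        if len({r.source for r in recent}) > 1:
            flagged.add(e.user)
    return flagged


def analyze(log_text=SAMPLE_LOG, baseline=BASELINE):
    """Run all four checks and return their findings keyed by check name."""
    events = parse_log(log_text)
    return {"repeat_failures": repeat_failures(events),
            "failures_without_success": failures_without_success(events),
            "new_sources": new_sources(events, baseline),
            "concurrent_logins": concurrent_logins(events)}


if __name__ == "__main__":
    for name, hits in analyze().items():
        print(f"{name}: {sorted(hits)}")
```

The same checks should be fed from every hop that sees the authentication (VPN concentrator, RADIUS proxy, ACE server), since a brute-force that is throttled or rejected upstream may never reach the ACE server log.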
Caution is also warranted regarding the integrity of the communication channels over which OTPs and tokencodes are submitted. Even under a conservative scenario in which seeds were disclosed but their mapping to specific customers was not, it may be possible to determine which seed is in use by observing a small number of submitted tokencodes. PINs can also be exposed through such observation. These factors yield the following recommendations:
  • Ensure OTPs are only submitted over encrypted channels.
  • Be vigilant for phishing or impersonation schemes that may seek to capture OTPs.
  • Set users' expectations as to which systems legitimately prompt for OTPs, to protect against phishing and social engineering attempts.

Conclusion

Until additional information becomes available regarding the specific information that was compromised, a good deal of assumption and speculation is involved in preparing an appropriate response. However, certain information would be of interest to threat actors and fit RSA's criteria that the information could "... potentially be used to reduce the effectiveness of a current two-factor authentication implementation ..." while not facilitating "... a successful direct attack on any of our RSA SecurID customers." Monitoring for anomalies and additional intelligence may allow customers to further focus response efforts.

By focusing on the publicly available information and factors discussed in this analysis, customers can implement a specific response to decrease the likelihood of exposure via the SecurID authentication compromise.
