Tools, Techniques, Procedures of the RSA Hackers Revealed
An anonymous reader writes "Details of the tools, techniques and procedures used by the hackers behind the RSA security breach have been revealed in a research paper (PDF) published by Australian IT security company Command Five. The paper also, for the first time, explains links between the RSA hack and other major targeted attacks. This paper is a vendor-neutral must-read for any network defenders concerned by the hype surrounding 'Advanced Persistent Threats.'"
An excellent summation. (Score:5, Interesting)
It was most interesting to see one antivirus lab take months longer than another to detect one of these rootkits -- and that the rootkit may have been out there for months longer than that.
We might be past the useful span of antivirus software at this point. The attacker has always had the upper hand, being able to train malware against existing antivirus software.
One piece of advice in there was to limit internal networks to using internal DNS. But it's smarter to go one step further. By determining which sites employees should visit and distributing a hosts file to all internal computers, a company can avoid the myriad risks of operating a DNS server. Then any outgoing DNS traffic can be detected by a savvy internal net admin at the firewall, and the offending computers cleaned.
E-mail attachments also continue to be a problem. The secret of the pros is to set up a script in your favorite language to detect e-mails with attachments, and move the attachments from the e-mail to the IT account. Then, once a trained professional examines each attachment, safe files can be copied into the folders of the relevant employees, and an e-mail sent to them to let them know they're in the clear.
While good computer safety is complex, much of it can be automated or outsourced. But thankfully not all of it, am I right guys?
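The firewall-side check the comment above describes, flagging internal machines that send DNS traffic anywhere other than the approved internal resolvers, as an added example that is not part of the original post or of the Command Five paper. The log format, the resolver addresses and the sample lines are all constructed for this example.

```python
"""Flag internal hosts sending DNS traffic to resolvers other than the approved ones.

Added example, not from the Slashdot post or the Command Five paper. It assumes a
simple space-separated firewall log format, constructed here for illustration:
    <timestamp> <src_ip> <dst_ip> <proto> <dst_port> <action>
"""
import ipaddress
from collections import defaultdict

# Hypothetical approved internal resolvers (an assumption for this example).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Address ranges considered "internal" (also an assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample firewall log lines; the external addresses are documentation ranges
# plus two well-known public resolvers, used only as stand-ins for "not our resolver".
SAMPLE_LOG = """\
2011-06-01T10:00:01 10.0.5.21 10.0.0.53 udp 53 allow
2011-06-01T10:00:02 10.0.5.21 8.8.8.8 udp 53 allow
2011-06-01T10:00:03 10.0.5.22 10.0.1.53 udp 53 allow
2011-06-01T10:00:04 10.0.5.23 198.51.100.7 tcp 53 deny
2011-06-01T10:00:05 10.0.5.21 8.8.4.4 udp 53 allow
2011-06-01T10:00:06 10.0.5.24 203.0.113.9 tcp 443 allow
"""


def parse_line(line):
    """Split one log line into a record; raises ValueError on a malformed line."""
    ts, src, dst, proto, port, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "port": int(port), "action": action}


def is_internal(ip):
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_rogue_dns(log_text, approved=APPROVED_RESOLVERS):
    """Return {src_ip: [(dst_ip, action), ...]} for port-53 flows from internal
    hosts whose destination is not an approved resolver. Denied flows are kept:
    the attempt itself is the signal, whether or not the firewall let it through."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["port"] != 53:
            continue                      # not DNS, ignore
        if rec["dst"] in approved:
            continue                      # expected traffic to our own resolver
        if not is_internal(rec["src"]):
            continue                      # only internal machines are in scope
        hits[rec["src"]].append((rec["dst"], rec["action"]))
    return dict(hits)


def summarize(hits):
    """One line per offending host, sorted by address, suitable for a cleanup queue."""
    lines = []
    for src in sorted(hits):
        dests = sorted({d for d, _ in hits[src]})
        allowed = sum(1 for _, a in hits[src] if a == "allow")
        lines.append(f"{src}: {len(hits[src])} external DNS flow(s) to "
                     f"{', '.join(dests)} ({allowed} allowed by firewall)")
    return lines


if __name__ == "__main__":
    for line in summarize(find_rogue_dns(SAMPLE_LOG)):
        print(line)
```

Run against the sample, two hosts are reported: 10.0.5.21 (two allowed flows to public resolvers) and 10.0.5.23 (one denied attempt). The host that only talks to 10.0.1.53 and the one on port 443 are not listed. Keeping denied flows in the report is deliberate: a machine that keeps trying to reach an outside resolver after the firewall blocks it is exactly the one the comment says should be cleaned.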
Silly q (Score:2, Interesting)