Since I started the ball rolling, I guess I’ll continue logging references to the recent RSA hack. Finally, RSA has started talking about the actual incident progression itself in a blog post. This is a great thing! I tweeted my thoughts, but I’ll repost here for posterity.
1. Kudos for posting more information, and being detailed about it! I was a bit surprised, but I appreciate it.
2. Sadly, the blog post rambles. Remove the historical/contextual crap about APT. Remove the historical examples. Describe APT in another blog post, or in a separate section of the blog post. That way I can skip that useless crap and not feel like I need to skim it because what I want to read is interwoven with it.
3. There’s no reason, so far, to even include the term “APT” into this post. APT is a reference to the ATTACKER. If you’ve not identified the attacker, you can’t name them an APT. This would have simplified the entire blog post and focused it very nicely if no mention of APT had been made. There is plenty of time to do so if you need to, but later. Use attacker(s), hacker(s), cracker(s), whatever. It was just not useful to use APT right now, except to try and deflect any blame by tying it to some genius attacker(s) whom Google didn’t even stop, blah blah blah. Let the mass media do that, not you.
4. I loved the start with mentioning your own internal CIRT and detection. I know it’s a dig and sort of jerking yourself off to talk about your own products and response time when so many others don’t detect this shit at all, but IT’S FUCKING TRUE! So, props for starting the conversation moving forward, though I’d still love to hear more details on the detection. So far, for all we know, this runs into the category of, “user reported ‘weird’ system issues, desktop support checked on it and thought things looked weird, found Poison Ivy, queue CIRT.” That’s not the same as, CIRT notices FTP data egress, opens incident. One shows luck, the other security maturity. Still, great, great start to that discussion, and I hope to see more!
5. APT is not new. I really bristled in the few moments in the blog post where it was implied or outright stated that “APT” is new. APT is not new, in practice. Again, drop the APT crap for now. These attacks are not new. The existence of 0day is not new. SE is not new. Yes, they may be on the rise and increasing in use and exposure, but that’s not new. If you’re in security, you hate those moments in blog posts like this. It’s awkward, it makes you feel like the author is a newbie (or so far removed that this stuff *is* new to him), and it detracts from the usefulness. You’re not a special snowflake, but no one is saying your baby is ugly. Stop being defensive up front. That’s for PR drones and legal vultures.
Lots of people are whining and complaining and throwing stones at RSA, and I think justifiably so, but only on the basis that they’ve been unforthcoming with answering my basic two questions:
1. As a customer, tell me enough about how this impacts me so that I can manage my risk and talk intelligently to my boss. RSA is still failing at this, even in a twofold manner. By not telling me anything useful, they’re allowing rumors to run rampant, which are damaging to them and me.
2. As a security geek, tell me enough to understand the progression of the attack, how the attackers worked, moved around, eggressed data, and how they were found, handled, investigated. Both the good and the bad. Lessons, people!
For lots of other people who complain, I wonder if they’re just doing so to complain. Are there any conditions that would appease your complaints that RSA can meet? If not, then shut up and stop wasting your time and energy.