SAN JUAN, PUERTO RICO–The attack that resulted in the compromise of RSA’s SecurID database in 2011 had a lot of ramifications and sent shockwaves through much of the security industry. But it could have had much broader consequences had the security team at Lockheed Martin not discovered the same attack team on its own network and taken actions to shut them down.
Some of the details of the RSA attack are well known, as the company disclosed some of the tactics that the attackers used, as well as the tools they deployed on the company’s network. After the attack became public, speculation started that the attackers were not actually that interested in RSA as a target, but were more keen on compromising some of the company’s high-profile customers, namely defense contractors.
One of those customers was Lockheed Martin, the massive U.S. defense and aeronautics company that does billions of dollars of business with the federal government. The company runs a lot of interesting projects for the Department of Defense, including the development of the Joint Strike Fighter. So the security team at Lockheed has spent quite a bit of time developing a methodology to not just discover attackers on its networks, but also to monitor their activities and prevent them from exfiltrating any useful data.
That methodology came in handy in the days after the attack on RSA, as the same attackers began making their way up the chain to Lockheed’s network. After compromising RSA and obtaining the seed database for the company’s SecurID tokens, the attackers then compromised an unidentified company that’s a supplier to Lockheed. They then began looking at Lockheed, trying to find a way in. With the RSA SecurID database in hand, the attackers were able to get on to Lockheed’s network as an authenticated user.
A nice trick if one can manage it.
The attackers’ next step was to begin looking for interesting data to pull out of the network. So they began removing data in various stages, trying to avoid detection, said Steve Adegbite, director of 
cyber security strategies at Lockheed Martin, speaking at the Kaspersky Lab Security Analyst Summit here Monday. Because the attackers had valid credentials for the Lockheed systems and looked like a legitimate user, the security team saw their activities and noticed that they were not acting the way a normal user should.
“We almost missed it because they looked like a normal user,” Adegbite said.
But instead of closing the door and shutting the attackers out, Lockheed’s team began monitoring their activities to see what they were doing, where they were going and what tactics they used.
Lockheed’s security team saw that the attackers were trying and failing to access various resources over and over, as the authenticated user, which raised some red flags. They were able to monitor the attackers and then shut the attack down, before the attackers removed any sensitive data. The lesson, Adegbite said, is that preventing attackers from getting anything useful off a network is far more important than trying to prevent every attacker from getting in.”The investment to stop people from coming in is too high,” he said.
