
Security Monitoring Use Cases with RSA Authentication Manager


Walter Goulet, Senior Practice Consultant/Identity and Data Protection, RSA Advanced Cyber Defense Services

Organizations which deploy RSA Authentication Manager (SecurID) for enforcing two-factor authentication frequently think of their RSA SecurID solution only as an additional security control to enforce strong authentication to resources. However, by analyzing the wealth of log data that is generated by RSA Authentication Manager, organizations can gain valuable intelligence that can be useful to detect attacks and perhaps even predict new attacks.

As my colleague Tom Chmielarski posted a few weeks ago, use cases must be developed first to help guide and refine the types of events that will be valuable to your organization. This post will describe two use cases that many organizations will likely find valuable.

Detect access attempts using lost or stolen tokens

As any organization that has operated an RSA SecurID solution for any period of time already knows, users frequently misplace or lose their hardware tokens. When a user reports a lost token, they are normally assigned emergency access codes for a short period of time until the token is recovered or a new token is assigned. However, if a user authenticates successfully with their emergency access code (AUTHN_METHOD_SUCCESS_TEMPORARY_FIXED_TOKENCODE events for the user appear in the runtime authentication logs), but bad PIN events are subsequently found for the same user (AUTH_FAILED_BAD_PIN_GOOD_TOKENCODE events for the user are present in the runtime authentication logs), there is a possibility that someone has obtained the user’s token without their knowledge and is attempting to guess the user’s PIN.

The previous scenario assumes that the attacker knows the user’s userID; if the userID is unknown, the attacker will likely try to guess it. Attempts to guess valid usernames can be detected by looking for AUTH_RESOLUTION_FAILED_BY_ID_ALIAS events.

It is also worth examining several consecutive login attempts for the same target and trying to identify patterns in the userIDs tried. For example, assume that my userID is ‘wgoulet’. An attacker that knows my name and the company I work for may well generate several possible userIDs based on my name. Here is a series of events that would be logged by RSA Authentication Manager that could indicate such attempts.

2013-04-05 12:35:52,552,db0de0686441a8c0052db45bdf59cc15,899413cc6441a8c000ba0f53a08fd2e6,192.168.XX.XX,192.168.XX.XX,AUTH_PRINCIPAL_RESOLUTION,23008,FAIL,AUTH_RESOLUTION_FAILED_BY_ID_ALIAS,,SYSTEM,SYSTEM,SYSTEM,wpgoulet,SYSTEM,SYSTEM,d84f41896441a8c00524ecb3db4b6e54,000000000000000000001000e0011000,192.168.XX.XX,win2k3-am71.pslab.com,1,,,,,,,1,,,,,,,,

2013-04-05 12:36:12,630,db0e2ed56441a8c00538ba24a960784f,899413cc6441a8c000ba0f53a08fd2e6,192.168.XX.XX,192.168.XX.XX,AUTH_PRINCIPAL_RESOLUTION,23008,FAIL,AUTH_RESOLUTION_FAILED_BY_ID_ALIAS,,SYSTEM,SYSTEM,SYSTEM,goulew,SYSTEM,SYSTEM,d84f41896441a8c00524ecb3db4b6e54,000000000000000000001000e0011000,192.168.XX.XX,win2k3-am71.pslab.com,1,,,,,,,1,,,,,,,,

2013-04-05 12:36:33,254,db0e7f666441a8c0053f983220384857,899413cc6441a8c000ba0f53a08fd2e6,192.168.XX.XX,192.168.XX.XX,AUTH_PRINCIPAL_RESOLUTION,23008,FAIL,AUTH_RESOLUTION_FAILED_BY_ID_ALIAS,,SYSTEM,SYSTEM,SYSTEM,walter.goulet@rsa.com,SYSTEM,SYSTEM,d84f41896441a8c00524ecb3db4b6e54,000000000000000000001000e0011000,192.168.XX.XX,win2k3-am71.pslab.com,1,,,,,,,1,,,,,,,,
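The two signals in this use case (bad-PIN failures following an emergency-code login, and a burst of unresolvable userIDs that all resemble one person's name) can be checked with a few lines of detection logic run over the runtime authentication log. The following is an added example, not code from the original post or from RSA. It assumes the comma-separated layout of the sample events above (field 0 = timestamp, field 6 = action, field 8 = result, field 9 = result key, field 14 = the userID attempted); the sample log it runs on is constructed, the action name AUTHN_METHOD and every ID in it are placeholders, and only the result key in field 9 is matched.

```python
"""Detection logic for lost-token signals in RSA Authentication Manager logs.

Added example, not code from the original post or from RSA. Assumes the
comma-separated runtime authentication log layout shown in the post:
field 0 = timestamp, 6 = action, 8 = result, 9 = result key,
14 = the userID that was attempted. Sample events are constructed; every
ID and the AUTHN_METHOD action name are placeholders.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta

TS, ACTION, RESULT, KEY, USER = 0, 6, 8, 9, 14  # column indices per the post's samples


def _line(ts, action, code, result, key, user):
    """Build one constructed log line in the layout of the post's samples."""
    fields = [ts, "000", "EVENTID-PLACEHOLDER", "SERVERID-PLACEHOLDER",
              "192.0.2.10", "192.0.2.10", action, code, result, key, "",
              "SYSTEM", "SYSTEM", "SYSTEM", user, "SYSTEM", "SYSTEM",
              "SECDOMAIN-PLACEHOLDER", "0000", "192.0.2.10", "am.example.test", "1"]
    return ",".join(fields + [""] * 7 + ["1"] + [""] * 8)


# Constructed sample log (not real data): an emergency-code success for wgoulet,
# two bad-PIN failures for the same user, a burst of unresolvable userIDs that
# all resemble "goulet", and unrelated activity for jdoe that must not alert.
SAMPLE_LOG = "\n".join([
    _line("2013-04-05 12:30:01", "AUTHN_METHOD", "CODE-PLACEHOLDER", "SUCCESS",
          "AUTHN_METHOD_SUCCESS_TEMPORARY_FIXED_TOKENCODE", "wgoulet"),
    _line("2013-04-05 12:31:15", "AUTHN_METHOD", "CODE-PLACEHOLDER", "FAIL",
          "AUTH_FAILED_BAD_PIN_GOOD_TOKENCODE", "wgoulet"),
    _line("2013-04-05 12:31:40", "AUTHN_METHOD", "CODE-PLACEHOLDER", "FAIL",
          "AUTH_FAILED_BAD_PIN_GOOD_TOKENCODE", "wgoulet"),
    _line("2013-04-05 12:35:52", "AUTH_PRINCIPAL_RESOLUTION", "23008", "FAIL",
          "AUTH_RESOLUTION_FAILED_BY_ID_ALIAS", "wpgoulet"),
    _line("2013-04-05 12:36:12", "AUTH_PRINCIPAL_RESOLUTION", "23008", "FAIL",
          "AUTH_RESOLUTION_FAILED_BY_ID_ALIAS", "goulew"),
    _line("2013-04-05 12:36:33", "AUTH_PRINCIPAL_RESOLUTION", "23008", "FAIL",
          "AUTH_RESOLUTION_FAILED_BY_ID_ALIAS", "walter.goulet@example.test"),
    # A single mistyped PIN with no preceding emergency-code login: not suspicious.
    _line("2013-04-05 12:40:00", "AUTHN_METHOD", "CODE-PLACEHOLDER", "FAIL",
          "AUTH_FAILED_BAD_PIN_GOOD_TOKENCODE", "jdoe"),
    _line("2013-04-05 12:40:20", "AUTHN_METHOD", "CODE-PLACEHOLDER", "SUCCESS",
          "AUTHN_METHOD_SUCCESS", "jdoe"),
])


def parse_events(text):
    """Parse log lines into dicts sorted by time; rows too short to carry a userID are skipped."""
    events = []
    for row in csv.reader(text.splitlines()):
        if len(row) <= USER:
            continue
        events.append({"ts": datetime.strptime(row[TS], "%Y-%m-%d %H:%M:%S"),
                       "action": row[ACTION], "result": row[RESULT],
                       "key": row[KEY], "user": row[USER]})
    return sorted(events, key=lambda e: e["ts"])


def find_pin_guessing(events, window=timedelta(hours=24), min_bad_pins=2):
    """Users whose emergency-code login was followed, within `window`, by at
    least `min_bad_pins` bad-PIN/good-tokencode failures. Returns {user: count}."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["key"] != "AUTHN_METHOD_SUCCESS_TEMPORARY_FIXED_TOKENCODE":
                continue
            bad = [x for x in evs[i + 1:]
                   if x["key"] == "AUTH_FAILED_BAD_PIN_GOOD_TOKENCODE"
                   and x["ts"] - e["ts"] <= window]
            if len(bad) >= min_bad_pins:
                hits[user] = len(bad)
                break
    return hits


def find_userid_guessing(events, window=timedelta(minutes=5), min_distinct=3):
    """Bursts of AUTH_RESOLUTION_FAILED_BY_ID_ALIAS events: `min_distinct` or more
    different unresolvable IDs within `window`. Returns [(burst_start, sorted_ids)]."""
    fails = [e for e in events if e["key"] == "AUTH_RESOLUTION_FAILED_BY_ID_ALIAS"]
    bursts, i = [], 0
    while i < len(fails):
        j = i
        while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
            j += 1
        ids = sorted({e["user"] for e in fails[i:j + 1]})
        if len(ids) >= min_distinct:
            bursts.append((fails[i]["ts"], ids))
        i = j + 1
    return bursts


def shared_fragment(ids, min_len=4):
    """Longest substring of at least `min_len` characters common to every ID
    (case-insensitive), or None. Guessed variants of one name tend to share one."""
    lowered = [s.lower() for s in ids]
    base = min(lowered, key=len)
    for n in range(len(base), min_len - 1, -1):
        for start in range(len(base) - n + 1):
            frag = base[start:start + n]
            if all(frag in s for s in lowered):
                return frag
    return None


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("PIN guessing after emergency code:", find_pin_guessing(evs))
    for start, ids in find_userid_guessing(evs):
        print("userID guessing from", start, ids, "shared fragment:", shared_fragment(ids))
```

The thresholds (two bad PINs within 24 hours of the emergency-code login, three distinct unresolvable IDs within five minutes) are starting points to tune against your own baseline; a single mistyped PIN is normal, which is why the jdoe events in the sample produce nothing.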

Detect access attempts to unauthorized resources

Typical organizations use their RSA SecurID solution to provide strong authentication for remote VPN access and for high value applications. Therefore, there will typically be a few SecurID agent hosts that are accessed by a large percentage of the organization’s user population. These usage patterns can be constructed by observing the total number of AUTHN_METHOD_SUCCESS events for each SecurID agent host. By building a history of userids that access agent hosts, you can construct access profiles for your users that show which agent hosts are typically accessed by a given userid. This history can then be cross-referenced with subsequent AUTHN_METHOD_SUCCESS events for a given userid to detect unusual patterns, such as a userid suddenly attempting to access a SecurID agent host that they have not accessed in the past. Alternatively, attempts to authenticate to a large number of agent hosts could indicate attempts to reconnoiter your network to gain access to SecurID protected resources.

Another way to detect unauthorized access to agent hosts is to configure your RSA SecurID agents as restricted agent hosts. When SecurID agents are configured as restricted agent hosts, only users that belong to groups granted access to the agents may authenticate. If unauthorized users attempt to access restricted agent hosts, the following event is logged by AM:

2013-04-11 11:45:03,760,f9c583106441a8c001ee1e2de321139a,899413cc6441a8c000ba0f53a08fd2e6,192.168.XX.XX,192.168.XX.XX,AUTH_AGENT_ACCESS_CHECK,23004,FAIL,AGENT_ACCESS_CHECK_FAILED_NO_ASSOCIATED_GROUP,,d885b2ae6441a8c00527cc160d00e972,000000000000000000001000d0011000,000000000000000000001000e0011000,wgoulet,wgoulet,wgoulet,d84f41896441a8c00524ecb3db4b6e54,000000000000000000001000e0011000,192.168.XX.XX,win2k3-am71.pslab.com,1,,,,,,,1,,,,,,,,
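The access-profile approach described in this use case (baseline which agent hosts each userID normally succeeds against, then cross-reference new AUTHN_METHOD_SUCCESS events against that baseline, flag users touching many hosts, and surface AGENT_ACCESS_CHECK_FAILED_NO_ASSOCIATED_GROUP rejections from restricted agents) is shown below as an added example, not code from the original post or from RSA. It assumes the comma-separated layout of the sample events (field 9 = result key, field 14 = userID); the column carrying the agent host name (field 20 here) is an assumption that you would map to your own deployment's log layout, and the baseline and recent logs it runs on are constructed with placeholder IDs and host names.

```python
"""Access-profile baselining for SecurID agent hosts plus restricted-agent
rejections. Added example, not code from the original post or from RSA.
Assumes the post's comma-separated layout: field 9 = result key, field 14 =
userID. The agent-host column (field 20 here) is an ASSUMPTION; map it to
your own deployment's layout. All sample events are constructed.
"""
import csv
from collections import Counter, defaultdict

KEY, USER, HOST = 9, 14, 20  # HOST index is an assumption, see module docstring


def _line(key, user, host):
    """One constructed log line in the post's layout (placeholder IDs)."""
    f = ["2013-04-11 11:45:03", "000", "EVENTID", "SERVERID", "192.0.2.10", "192.0.2.10",
         "ACTION", "CODE", "FAIL" if "FAIL" in key else "SUCCESS", key, "",
         "SYSTEM", "SYSTEM", "SYSTEM", user, "SYSTEM", "SYSTEM", "SECDOMAIN", "0000",
         "192.0.2.10", host, "1"]
    return ",".join(f + [""] * 7 + ["1"] + [""] * 8)


# Constructed baseline period: who normally authenticates where.
BASELINE_LOG = "\n".join([
    _line("AUTHN_METHOD_SUCCESS", "alice", "vpn.example.test"),
    _line("AUTHN_METHOD_SUCCESS", "alice", "vpn.example.test"),
    _line("AUTHN_METHOD_SUCCESS", "bob", "vpn.example.test"),
    _line("AUTHN_METHOD_SUCCESS", "bob", "hr-app.example.test"),
])

# Constructed recent period: alice reaches a host outside her profile, eve touches
# many hosts, carol is rejected by a restricted agent, bob behaves as usual.
RECENT_LOG = "\n".join([
    _line("AUTHN_METHOD_SUCCESS", "alice", "vpn.example.test"),
    _line("AUTHN_METHOD_SUCCESS", "alice", "finance-app.example.test"),
    _line("AUTH_FAILED_BAD_PIN_GOOD_TOKENCODE", "eve", "vpn.example.test"),
    _line("AUTH_FAILED_BAD_PIN_GOOD_TOKENCODE", "eve", "hr-app.example.test"),
    _line("AUTHN_METHOD_SUCCESS", "eve", "wiki.example.test"),
    _line("AGENT_ACCESS_CHECK_FAILED_NO_ASSOCIATED_GROUP", "carol", "finance-app.example.test"),
    _line("AUTHN_METHOD_SUCCESS", "bob", "hr-app.example.test"),
])


def parse(text):
    """Keep only the fields the detections need; short rows are skipped."""
    return [{"key": r[KEY], "user": r[USER], "host": r[HOST]}
            for r in csv.reader(text.splitlines()) if len(r) > HOST]


def build_profiles(events):
    """Per-user set of agent hosts with AUTHN_METHOD_SUCCESS, plus per-host
    success counts (the population-wide usage pattern the post describes)."""
    profiles, host_counts = defaultdict(set), Counter()
    for e in events:
        if e["key"] == "AUTHN_METHOD_SUCCESS":
            profiles[e["user"]].add(e["host"])
            host_counts[e["host"]] += 1
    return profiles, host_counts


def detect_anomalies(profiles, events, fanout_threshold=3):
    """Cross-reference recent events against the baseline. Returns three alert
    lists: successes on hosts outside the user's profile, users touching
    `fanout_threshold` or more distinct hosts (success or failure), and
    restricted-agent rejections."""
    alerts = {"new_host": [], "fanout": [], "restricted_agent": []}
    touched = defaultdict(set)
    for e in events:
        if e["key"] == "AUTHN_METHOD_SUCCESS":
            if e["host"] not in profiles.get(e["user"], set()):
                alerts["new_host"].append((e["user"], e["host"]))
        elif e["key"] == "AGENT_ACCESS_CHECK_FAILED_NO_ASSOCIATED_GROUP":
            alerts["restricted_agent"].append((e["user"], e["host"]))
        # Assumed naming: authentication outcomes start with AUTHN_METHOD or AUTH_FAILED.
        if e["key"].startswith(("AUTHN_METHOD", "AUTH_FAILED")):
            touched[e["user"]].add(e["host"])
    for user, hosts in sorted(touched.items()):
        if len(hosts) >= fanout_threshold:
            alerts["fanout"].append((user, sorted(hosts)))
    return alerts


def run_demo():
    """Build the baseline from BASELINE_LOG and score RECENT_LOG against it."""
    profiles, host_counts = build_profiles(parse(BASELINE_LOG))
    return detect_anomalies(profiles, parse(RECENT_LOG)), host_counts


if __name__ == "__main__":
    alerts, host_counts = run_demo()
    print("host popularity:", dict(host_counts))
    for kind, items in alerts.items():
        print(kind, items)
```

A user with no baseline at all (eve above) trips the new-host check on any success, which is the intended behaviour for a freshly issued or compromised token; the baseline window should be long enough to cover each user's normal cycle of access so that infrequent but legitimate hosts are in their profile.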

Conclusion

Hopefully this blog post has given you a few ideas of the types of security monitoring use cases that can be implemented by monitoring your RSA Authentication Manager event logs. By combining these events with other events generated by other components of your security infrastructure, you can gain valuable insight into activities taking place on your network to help you better secure your environment.

Walter Goulet is a Senior Practice Consultant within RSA Professional Service’s Identity and Data Protection practice. Walter is responsible for designing and implementing world-class customer security solutions based on RSA’s industry-leading RSA SecurID product line, PKI and other authentication technologies. Walter holds 2 SANS GIAC certifications as well as an MS in Computer, Information and Network Security from DePaul University.
