Speaking in his keynote at the RSA Europe conference, Heiser said that two hacker groups cooperated in the attacks and that the groups had not been seen cooperating before.
The two-pronged attack, he told the audience, involved a mid-hack switch of attack vectors that his IT teams were aware of while they were happening.
“These people were persistent. The remote attack was adapted to meet RSA's internal naming convention”, he said, adding that the attack was probably coded up just hours before it was unleashed on the company's servers.
The attack code, he went on to say, was observed as having the ability to copy and encrypt data [on the RSA systems, ready for exfiltration.
“We watched and responded in real time”, he said, adding that it soon became clear that the motive was to gain access to defense-related information, suggesting that the RSA attack was simply a means to an end – and RSA was not the primary target.
Contradicting media reports of earlier this year, Heiser asserted that RSA was pro-active in its communications with the IT security industry and went public on the attack immediately, posting a letter to the RSA.com site – which he claims received 200,000 hits.
“17,000 partners were also notified about what had happened. We also offered remediaton to our defense customers, knowing that they were the real target”, he explained.
The lessons that RSA – and the industry generally – can learn from the attack, said the RSA president, are that the threat landscape is evolving and the attack vectors are also evolving.
The takeout from the attack, said Heiser, was that this was not a frontal attack that the industry has seen before.
The conclusions, he went on to say, are that people are now the most valuable asset when it comes to IT security.
RSA, he explained, moved its most capable people up front to handle the situation and, within a week, issued an open letter explaining what had happened.
Despite this, Heiser admitted that many stakeholders commented that RSA could have done more.
But the good news, he added, is that the attackers did leave some information behind and this, he claimed, has assisted in the ongoing investigation.