The United States National Security Agency (NSA) is a notoriously secretive organization, but the head of its elite Tailored Access Operations (TAO) hacking team has appeared at Usenix’s Enigma conference to tell the assembled security experts how to make his life difficult.
Rob Joyce has spent over a quarter of a century at NSA and in 2013 he became head of TAO, with responsibility for breaking into non-US computer networks run by overseas companies and governments. Joyce’s presentation on network security at the event boiled down to one piece of advice.
“If you really want to protect your network you have to know your network, including all the devices and technology in it,” he said. “In many cases we know networks better than the people who designed and run them.”
NSA tiger teams follow a six-stage process when attempting to crack a target, he explained. These are reconnaissance, initial exploitation, establish persistence, install tools, move laterally, and then collect, exfiltrate and exploit the data.
During the reconnaissance phase agents examine a network electronically and, in some cases, physically. They work out who the key personnel are, what email accounts matter, how far the network extends, and maintain constant surveillance until they can find a way in.
“We need that first crack and we’ll look and look to find it,” he said. “There’s a reason its called an advanced persistent threat; we’ll poke and poke and wait and wait until we get in.”
The goal is to find weak points, whether they be within the network architecture, or in staff who maybe work from home or bring in unauthorized devices. There’s also areas where the target network interconnects with other computer systems, like heating and ventilation controllers, which can be useful for an attack.
Companies need to pay particular attention to cloud providers, he said. Once you use a cloud company you are essentially handing your data over to them and relying on their security, so he warned due diligence is even more important than usual.
For the initial exploitation phase the key attack vectors are malware attachments in email, injection attacks from websites, and removable media – the latter being particularly useful for penetrating air-gapped systems that aren’t even on the network; Iran found that out the hard way with Stuxnet.
Another common attack vector is common vulnerabilities and exposures (CVEs) that haven’t been patched, he said. Companies need to make automatic patching the norm to protect themselves against nation-state hackers he warned. As for zero-day flaws, he said they are overrated.
“A lot of people think that nation states are running their operations on zero days, but it’s not that common,” he said. “For big corporate networks persistence and focus will get you in without a zero day; there are so many more vectors that are easier, less risky, and more productive.”
As for the NSA’s own collection of zero-day exploits, Joyce said that in fact the agency had very few and each new one was discovered was evaluated by an outside committee to see when software manufacturers should be informed to build a patch. The NSA doesn’t have the final decision on this, he claimed.
To protect against this admins need to lock things down as far as possible; whitelisting apps, locking down permissions, and patching as soon as possible, and use reputation management. If a seemingly legitimate user is displaying abnormal behavior, like accessing network data for the first time, chances are they have been compromised, he said.
Reputation-based tools are particularly useful against malware, Joyce explained. Signature-based antivirus won’t protect you against a unique piece of attack code, but when used in conjunction with reputation databases it can be effective – if code or a domain hasn’t been seen before there’s a high chance it’s dodgy.
It’s amazing how often simple issues come up and allow access to target networks, he explained. Things like administrator credentials being left embedded in scripts, how many networks are unsegmented, and how often suspicious activity reported in network logs got missed.
He cited cases where NSA hackers have performed penetration testing, issued a report on vulnerabilities, and then when they go back two years later to test again found the same problems had not been fixed. When the NSA hacking squad comes back, he said, the first thing they do is investigate previously reported flaws and it’s amazing how many remain un-patched even after the earlier warning.
Once inside a network, the next stage is to establish persistence, primarily by establishing software run lines or subverting other applications. Application whitelisting is key to locking down this phase of an attack he said.