A fascinating article at the UK Register offers advice from Rob Joyce, the head of the National Security Agency’s Tailored Access Operations unit — in other words, the NSA’s chief hacker — on how to protect your network from intruders… such as, oh, let’s say the NSA’s Tailored Access Operations Unit.
Joyce made no bones about describing certain hacking techniques to the Usenix Enigma conference in San Francisco as favorites of his own team. He laid out a six-stage procedure for penetrating target networks: “reconnaissance, initial exploitation, establish persistence, install tools, move laterally, and then collect, exfiltrate and exploit the data.”
The initial recon stage is something users are becoming more aware of, as headline stories of high-profile cyber-attacks demonstrate how the hackers built a portfolio of targeted systems and key personnel. In fact, some of the big “hacking” capers involved very little hacking, as most people understand the term — they were carried out by stealing valid user credentials, or tricking network users into exposing their own systems to external threats.
“We need that first crack and we’ll look and look to find it,” said Joyce. “There’s a reason it’s called an advanced persistent threat; we’ll poke and poke and wait and wait until we get in.”
He said the goal was to “find weak points, whether they be within the network architecture, or in staff who maybe work from home or bring in unauthorized devices.”
How about if the boss is routing sensitive information through an unsecured email server that winds up in somebody’s bathroom?
Once weak points are identified, intruders who can’t simply use stolen credentials to loot data from a system will plant various malware tools, create “back door” access for themselves, and otherwise establish the presence they need to carry out the rest of the six-stage attack plan.
Joyce noted that malware tools have become difficult to detect, with today’s threats coming from people who know their stolen data begins losing its value the moment they are discovered.
He also pointed out that many of these malware tools are relatively simple pieces of code, because it’s distressingly easy to trick users into downloading and activating them. (Joyce demonstrated the point by displaying a barcode his audience could scan to obtain more information about network security… and then razzing anyone who would compromise their computer or cell phone by scanning a code provided by the NSA’s chief hacker. It’s funny, but it also illustrates an important point about trust in the digital age.)
Simple first-strike malware opens the door for more powerful viruses to be injected into a compromised system later. Network administrators are making too many obvious mistakes, and failing to follow up on security recommendations — Joyce said his testing team found problems they reported still uncorrected two years later.
Joyce felt those notorious “zero-day exploits” — flaws in software that the vendor has not yet detected or patched — are overrated, because serious government-sponsored hackers find there are “so many more vectors that are easier, less risky, and more productive.” He did, however, strongly recommend keeping up on software updates.
He thought the introduction of insecure elements into secure networks was a common mistake, such as allowing employees to bring portable devices with unknown vulnerabilities into tightly secured environments, or failing to notice that low-security systems like air-conditioning controls are now computerized and capable of interacting with secure networks.
Joyce advised developing a thorough understanding of all devices within, and adjacent to, a secure network. That’s a task that might prove surprisingly involved for even home users these days. Try making a mental list of every device you believe is logged into your home or small-business Wi-Fi network… and then check the router’s administration page to see how wrong you are.
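The inventory check Joyce recommends can be made routine rather than mental. The script below is an added example, not from the article or the talk: it parses a constructed dnsmasq-style DHCP lease table (the kind a home or small-office router exposes) and diffs it against a hypothetical list of devices the administrator believes are present, reporting both unexpected devices and expected ones that never showed up.

```python
import re
from dataclasses import dataclass

# Constructed sample lease table: expiry-epoch MAC IP hostname client-id.
# The hvac-ctl-2 and unknown-phone entries stand in for the "adjacent" devices
# (building controls, personal phones) the article warns about.
LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.1.10 office-laptop 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 192.168.1.11 printer *
1700000000 aa:bb:cc:00:00:03 192.168.1.12 * *
1700000000 aa:bb:cc:00:00:04 192.168.1.13 hvac-ctl-2 *
1700000000 aa:bb:cc:00:00:05 192.168.1.14 unknown-phone *
"""

# Hypothetical inventory the administrator believes is on the network (MAC -> label).
EXPECTED = {
    "aa:bb:cc:00:00:01": "office-laptop",
    "aa:bb:cc:00:00:02": "printer",
    "aa:bb:cc:00:00:99": "nas",  # believed present, but no lease seen for it
}

LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)\s+(\S+)$", re.I)


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    hostname: str  # "*" means the client sent no hostname


def parse_leases(text):
    """Return a Device per well-formed lease line; malformed lines are skipped."""
    devices = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            devices.append(Device(m.group(2).lower(), m.group(3), m.group(4)))
    return devices


def audit(expected, observed):
    """Diff observed leases against the expected inventory.

    Returns (unknown, missing): devices holding a lease that are not in the
    inventory, and inventory MACs with no lease at all (stale records are a
    sign the inventory itself is wrong)."""
    seen = {d.mac for d in observed}
    unknown = [d for d in observed if d.mac not in expected]
    missing = sorted(mac for mac in expected if mac not in seen)
    return unknown, missing


if __name__ == "__main__":
    unknown, missing = audit(EXPECTED, parse_leases(LEASES))
    for d in unknown:
        print(f"UNKNOWN  {d.mac} {d.ip} hostname={d.hostname}")
    for mac in missing:
        print(f"MISSING  {mac} ({EXPECTED[mac]})")
```

On a real router the lease file path differs by firmware; the same diff can be run against the router's ARP table to catch devices with static addresses that never request a lease.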
In a major security environment, security-conscious administrators should be watching everything, right down to anomalous behavior by individual users. Joyce expressed reservations about cloud services, because sending data to off-site providers effectively adds their security problems to your own.
Combined with the tendency of users to bring portable devices with dubious security profiles into secure networks, the popularity of cloud services could give network administrators a whole new set of vulnerabilities to worry about. (Here’s another test for you: how many different networks do you think devices in your home or office are interacting with right now? Your first guess will probably be wrong.)
On the other hand, Joyce stressed that off-site backups are more important than ever for big networks, because nation-state hackers are sometimes interested in destroying data, not just copying it.
The Register says Joyce deserves credit for speaking so frankly with a somewhat unfriendly audience, given the NSA’s reputation these days: “Some of his talk may be self serving and missing crucial details, but almost all of it was useful… Take it with a pinch of salt by all means, but there is useful information here, and Joyce comes across as someone who really does know what he’s talking about.”