Rob Joyce, leader of the National Security Agency’s (NSA) Tailored Access Operations (TAO), was labeled “hacker-in-chief” by WIRED magazine at its “Disrupting Nation State Hackers” event during the USENIX Enigma conference in San Francisco last week.
Joyce refers to his organization as a nation-state exploiter, responsible for breaking into the systems of foreign adversaries. During the event, he provided insights into the strategies nation-state actors (such as the NSA) use to “own” systems. His "intrusion phases" — reconnaissance, initial exploitation, establishing persistence, installing tools, moving laterally, and collecting, exfiltrating and exploiting — are, not surprisingly, very similar to Lockheed Martin's copyrighted "Cyber Kill Chain." Joyce did not present new information. Rather, he provided insights on five commonly known cybersecurity strategies, attacks, and exploits.
1. Reconnaissance
TAO, which was brought to light by the Edward Snowden leaks, uses all resources available for reconnaissance: scanning tools, as well as open-source information, such as social media and social engineering.
Joyce advised that protecting your infrastructure requires knowing it. Nation-state hackers have the time and resources to get to know your staff, business relationships, IT infrastructure, and security technologies. They often know a target's infrastructure better than its designers, implementers, and users. In fact, he noted, there can be a huge difference between what a target thinks it is running and what it is actually running.
He advised reducing your attack surface, performing red team tests, and addressing vulnerabilities, even esoteric cracks that seem too small to be exploited. Also, he warned, do not set up temporary vulnerabilities such as allowing access to vendors or partners even for a short period of time — “absolutely do not do it,” he said.
With changing technologies, a network's boundaries are much more amorphous, leading to complex trust boundaries. BYOD, the Internet of Things, work from home, mobile, physical access to the network from partners (such as HVAC vendors), and cloud computing all need to be included in risk and liability considerations.
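Joyce's point that a target often does not know what it is actually running is a testable one. The following script, added here as an illustration (it is not code from the talk or from TechBeacon), compares a declared asset inventory against what an internal scan reports, and flags hosts nobody wrote down, ports that were never meant to be exposed, and declared hosts that no longer answer. The inventory, host names, addresses and scan lines are all constructed placeholders; the scan text follows nmap's "grepable" (-oG) layout so the parser could be pointed at a real file.

```python
import re

# Constructed asset inventory (not from the article): what the owners believe
# each host exposes. Host names and ports are placeholders.
DECLARED_SERVICES = {
    "web01": {80, 443},
    "file01": {445},
    "vpn01": {443},
    "print01": {9100},
}

# Constructed scan output in nmap's "grepable" (-oG) layout, as an internal
# scan would report it. It contains hosts and ports that are not in the inventory.
OBSERVED_SCAN = """\
Host: 10.0.1.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 10.0.1.20 (file01)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///
Host: 10.0.1.30 (vpn01)\tPorts: 443/open/tcp//https///
Host: 10.0.1.99 (hvac-gw)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///
"""

HOST_LINE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Ports:\s+(?P<ports>.*)$")
OPEN_PORT = re.compile(r"(\d+)/open/tcp")


def parse_grepable(scan_text: str) -> dict[str, set[int]]:
    """Map each scanned host (by name, falling back to IP) to its open TCP ports."""
    observed: dict[str, set[int]] = {}
    for line in scan_text.splitlines():
        m = HOST_LINE.match(line)
        if not m:  # comment lines and other -oG noise are ignored
            continue
        name = m.group("name") or m.group("ip")
        observed[name] = {int(p) for p in OPEN_PORT.findall(m.group("ports"))}
    return observed


def drift_report(declared: dict[str, set[int]], scan_text: str) -> dict:
    """Three kinds of drift between the inventory and reality."""
    observed = parse_grepable(scan_text)
    report = {"undeclared_hosts": {}, "unexpected_ports": {}, "unseen_hosts": set()}
    for host, ports in observed.items():
        if host not in declared:
            # A host that answers on the network but is in nobody's inventory
            report["undeclared_hosts"][host] = ports
            continue
        extra = ports - declared[host]
        if extra:
            # A known host exposing services its owner did not declare
            report["unexpected_ports"][host] = extra
    # Declared hosts that did not answer: decommissioned, moved, or filtered
    report["unseen_hosts"] = set(declared) - set(observed)
    return report


if __name__ == "__main__":
    for category, entries in drift_report(DECLARED_SERVICES, OBSERVED_SCAN).items():
        print(f"{category}: {entries}")
```

Every entry in the report is a question for an owner: the undeclared HVAC gateway with telnet open is exactly the kind of partner-introduced exposure Joyce warns about, and the RDP port on the file server is a "temporary" convenience that was never removed.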
2. Initial exploitation
TAO’s favorite tools for initial exploitation include watering holes, spear phishing, software or application security vulnerabilities (such as SQL injection and cross-site scripting), removable media to compromise air gaps, and published CVEs (common vulnerabilities and exposures). Persistence and focus are critical to the strategy. Zero-day exploits are reserved as last resorts, but are not often required.
“It’s amazing how often simple issues come up and allow access to target networks," Joyce said. Administrator credentials are left embedded in scripts, networks go unsegmented, and suspicious activity recorded in network logs goes unnoticed.
He mentioned the need for continuous defensive work such as CVE patching and software security assurance. Given the sophistication of attacks, be they well-crafted phishing emails or watering holes, and the potential for accidental slip-ups, it is necessary to implement security controls that do not rely on users to do the right thing.
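The embedded-credential problem Joyce describes is one a defender can hunt for in bulk. The following heuristic scanner is added here as an illustration (it is not code from the talk or from TechBeacon): it walks a set of scripts line by line, flags assignments, command-line flags and PowerShell constructs that carry a literal secret, and reports each hit with the value masked so the report itself does not become a credential store. The scripts, user names and passwords are constructed placeholders; references to variables or environment lookups are deliberately not flagged, which is the pattern a fix should move towards.

```python
import re
from dataclasses import dataclass

# Constructed sample scripts (not from the article); every value is a placeholder.
SAMPLE_SCRIPTS = {
    "backup.sh": (
        "#!/bin/sh\n"
        "# nightly backup (constructed sample)\n"
        "DB_USER=admin\n"
        "DB_PASS='Winter2016!'\n"
        "mysqldump -u $DB_USER -p$DB_PASS prod > /tmp/prod.sql\n"
        "mysql -h db01 -u root -pS3cretRoot! -e 'FLUSH LOGS'\n"
    ),
    "deploy.ps1": (
        "$cred = New-Object PSCredential('CORP\\svc_deploy', "
        "(ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force))\n"
        "Invoke-Command -ComputerName web01 -Credential $cred -ScriptBlock { iisreset }\n"
    ),
    "clean.py": (
        "import os\n"
        "password = os.environ['DB_PASSWORD']  # read from the environment, not embedded\n"
        "connect(user='app', password=password)\n"
    ),
}

KEYWORD = r"(?:pass(?:word|wd|phrase)?|pwd|secret|token|api[_-]?key)"
PATTERNS = [
    # name = 'literal'  or  name=literal-to-end-of-line; $VAR references do not match
    ("assignment", re.compile(
        KEYWORD + r"""\s*[:=]\s*(?:['"]([^'"]{4,})['"]|([A-Za-z0-9!@#%^&*.\-]{6,})\s*$)""",
        re.IGNORECASE)),
    # -pLITERAL, -p LITERAL, --password=LITERAL; -p$VAR is a reference and is skipped
    ("cli-flag", re.compile(
        r"""(?:^|\s)(?:-p|--pass(?:word)?)[=\s]*['"]?([^\s'"$\-]{4,})""", re.IGNORECASE)),
    # PowerShell plaintext-to-SecureString with the secret inline
    ("powershell-plaintext", re.compile(
        r"""ConvertTo-SecureString\s+['"]([^'"]+)['"]\s+-AsPlainText""", re.IGNORECASE)),
]


@dataclass
class Finding:
    script: str
    line_no: int
    kind: str
    masked_value: str


def mask(value: str) -> str:
    """Keep two characters so a human can confirm the hit without exposing the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_text(script_name: str, text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(line):
                value = next(g for g in m.groups() if g)  # first populated capture group
                findings.append(Finding(script_name, line_no, kind, mask(value)))
    return findings


def scan_all(scripts: dict[str, str]) -> dict[str, list[Finding]]:
    return {name: scan_text(name, text) for name, text in scripts.items()}


if __name__ == "__main__":
    for name, findings in scan_all(SAMPLE_SCRIPTS).items():
        for f in findings:
            print(f"{f.script}:{f.line_no} [{f.kind}] {f.masked_value}")
```

The patterns are deliberately loose; a scanner like this earns its keep by running on every commit and every scheduled-task directory, with the false positives tuned out, rather than by being precise on the first run.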
3. Establish persistence
TAO’s strategy is to dig in and hold on. A primary tactic is to obtain privilege escalation — domain admin privileges in particular — and to embed in the environment via whatever method is possible, including run keys or embedding itself in scripts. Often, TAO first installs a lightweight beacon, then downloads additional exploit tools.
4. Lateral movement
The next step is to expand the foothold in the target environment. Joyce’s team loves it when admin credentials are hard-coded or accessible on the system; the pass-the-hash vulnerability — an exploit that is over 15 years old — is used to grab credentials and pivot through the network. The team also looks for older protocols that still pass authentication in clear text.
He recommended log management and monitoring. The logs can tell when your environment has been had. Out-of-band log collection, via network taps, for example, is his team’s biggest nightmare, he said. Joyce stated that “logs are rock-bottom bedrock foundation of understanding if you have a problem or someone is rattling the door to give you a problem.” Additionally, he recommended performing behavior analytics (user, network, and application) — establishing a baseline and then having the tools to know when unusual activity is happening.
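The lateral-movement section and the baseline advice above fit together: the credential reuse and pivoting Joyce describes show up in logon records as a user authenticating from a host, or with an authentication package, they never used before, and as one account suddenly touching many more systems than it normally does. The script below is added here as an illustration (it is not code from the talk or from TechBeacon). It builds a per-user baseline from a learning window of logon records, then scores a later window against it. The log lines are constructed and only loosely resemble flattened Windows logon events; the field names, host names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed logon records (not real event data). Layout is an assumption
# modelled loosely on a flattened Windows 4624 event.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) User=(?P<user>\S+) Src=(?P<src>\S+) "
    r"Dst=(?P<dst>\S+) Auth=(?P<auth>\S+) LogonType=(?P<ltype>\d+)$"
)

BASELINE_LOG = """\
2016-01-18T08:01:12 EventID=4624 User=alice Src=ws-alice Dst=file01 Auth=Kerberos LogonType=3
2016-01-18T08:05:40 EventID=4624 User=alice Src=ws-alice Dst=mail01 Auth=Kerberos LogonType=3
2016-01-18T09:12:03 EventID=4624 User=bob Src=ws-bob Dst=file01 Auth=Kerberos LogonType=3
2016-01-18T23:00:00 EventID=4624 User=svc_backup Src=bk01 Dst=file01 Auth=NTLM LogonType=3
2016-01-19T08:03:55 EventID=4624 User=alice Src=ws-alice Dst=file01 Auth=Kerberos LogonType=3
2016-01-19T09:30:17 EventID=4624 User=bob Src=ws-bob Dst=mail01 Auth=Kerberos LogonType=3
2016-01-19T23:00:00 EventID=4624 User=svc_backup Src=bk01 Dst=file01 Auth=NTLM LogonType=3
"""

OBSERVED_LOG = """\
2016-01-25T08:02:10 EventID=4624 User=alice Src=ws-alice Dst=file01 Auth=Kerberos LogonType=3
2016-01-25T12:41:09 EventID=4624 User=alice Src=ws-bob Dst=dc01 Auth=NTLM LogonType=3
2016-01-25T23:00:00 EventID=4624 User=svc_backup Src=bk01 Dst=file01 Auth=NTLM LogonType=3
2016-01-25T13:05:00 EventID=4624 User=bob Src=ws-bob Dst=file01 Auth=Kerberos LogonType=3
2016-01-25T13:05:04 EventID=4624 User=bob Src=ws-bob Dst=file02 Auth=Kerberos LogonType=3
2016-01-25T13:05:08 EventID=4624 User=bob Src=ws-bob Dst=file03 Auth=Kerberos LogonType=3
2016-01-25T13:05:12 EventID=4624 User=bob Src=ws-bob Dst=file04 Auth=Kerberos LogonType=3
2016-01-25T13:05:16 EventID=4624 User=bob Src=ws-bob Dst=file05 Auth=Kerberos LogonType=3
2016-01-25T13:05:20 EventID=4624 User=bob Src=ws-bob Dst=file06 Auth=Kerberos LogonType=3
"""


@dataclass
class Profile:
    """What is normal for one account during the learning window."""
    sources: set = field(default_factory=set)      # hosts the user logs on from
    auths: set = field(default_factory=set)        # authentication packages seen
    max_daily_targets: int = 0                     # most distinct hosts reached in a day


@dataclass(frozen=True)
class Alert:
    user: str
    reason: str
    detail: str


def parse(log: str) -> list[dict]:
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # anything that is not a logon record is skipped
            events.append(m.groupdict())
    return events


def build_baseline(events: list[dict]) -> dict[str, Profile]:
    profiles: dict[str, Profile] = defaultdict(Profile)
    daily_targets: dict[tuple, set] = defaultdict(set)  # (user, day) -> distinct dst hosts
    for e in events:
        p = profiles[e["user"]]
        p.sources.add(e["src"])
        p.auths.add(e["auth"])
        daily_targets[(e["user"], e["ts"][:10])].add(e["dst"])
    for (user, _day), targets in daily_targets.items():
        profiles[user].max_daily_targets = max(profiles[user].max_daily_targets, len(targets))
    return dict(profiles)


def detect(events: list[dict], baseline: dict[str, Profile],
           min_fanout: int = 5, fanout_factor: int = 3) -> list[Alert]:
    alerts: set[Alert] = set()
    daily_targets: dict[tuple, set] = defaultdict(set)
    for e in events:
        user = e["user"]
        profile = baseline.get(user)
        if profile is None:
            alerts.add(Alert(user, "unknown-user", e["src"]))
            continue
        if e["src"] not in profile.sources:       # logon from a host this user never used
            alerts.add(Alert(user, "new-source-host", e["src"]))
        if e["auth"] not in profile.auths:        # e.g. NTLM for a Kerberos-only account
            alerts.add(Alert(user, "new-auth-package", e["auth"]))
        daily_targets[(user, e["ts"][:10])].add(e["dst"])
    # Fan-out: one account reaching far more hosts in a day than it ever did before
    for (user, day), targets in daily_targets.items():
        base = baseline[user].max_daily_targets
        if len(targets) > max(min_fanout, fanout_factor * base):
            alerts.add(Alert(user, "target-fanout", f"{len(targets)} targets on {day} (baseline max {base})"))
    return sorted(alerts, key=lambda a: (a.user, a.reason))


if __name__ == "__main__":
    for a in detect(parse(OBSERVED_LOG), build_baseline(parse(BASELINE_LOG))):
        print(f"{a.user}: {a.reason} ({a.detail})")
```

Note that the service account using NTLM every night is not flagged, because NTLM is part of its baseline; what triggers an alert is the change from an account's own normal, which is the point of building the baseline per user rather than writing one global rule.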
5. Own: Collect, exfiltrate and exploit
Once TAO owns the environment, its goal may be data theft, destructive behavior, data corruption, or data modification. He noted that nation-state attacks are persistent — both in attacking and in hanging on once inside the environment.
A few key considerations to prevent being had by nation-state hackers or cybercriminals are well-developed trust relationships, multifactor authentication, software assurance, log monitoring, behavior analytics, network access control (including geolocation), data security, dynamic access restrictions, and network segmentation. Also, have an incident response plan in place and tested, including business continuity plans with tested backup and recovery.
As Joyce emphasized, don’t be an easy mark.
Image credit: Flickr