NSA Gives Advice on Defending Against Nation-State Attackers
To fight off an advanced persistent attacker, organizations should invest in continuous defensive efforts, he advised. New exploits are regularly publicly disclosed as Common Vulnerabilities and Exposures, and organizations need to continually update and be able to defend against those CVEs. Additionally, Joyce highlighted the fact that users can often be tricked into clicking on phishing emails and malicious links, which is why security automation is important. "You really need to get the networks not to rely on the users to automatically make the right decisions," Joyce said. "Sometimes, even the experts get it wrong." As such, Joyce emphasized that it's important that security policies and the technical enforcement of the policies protect the network. Additionally, Joyce recommends the use of anti-exploitation features in software and specifically advocated for the widespread use of Microsoft's Enhanced Mitigation Experience Toolkit (EMET). Joyce also applauded the increasing prevalence of automatic update mechanisms in software that help to protect users through rapid patching."I'm going to use best practices for exploitation, are you going to use best practices for defense?" Joyce asked the Enigma conference audience. While Joyce's goal was to help enable better security, some security experts were somewhat skeptical of his intentions in speaking publicly. Among them is Charlie Miller, who is currently a security engineer at Uber and is well-known in the security research community for his work exploiting Apple devices as well as cars. Miller also worked as a global network exploitation analyst for the NSA from 2000 to 2005. "To everyone gaga over the wisdom from the head of TAO speaking, would you trust what your boss's boss had to say about cyber-security?" Miller tweeted. Bruce Schneier, CTO of Resilient Systems, is also skeptical about the NSA's motivation for speaking on how to defend networks against nation-state attackers. "The talk is full of good information about how APT attacks work and how networks can defend themselves," Schneier wrote. "Nothing really surprising, but all interesting." The NSA does, of course, want the security of American networks to improve, but it's doubtful the information provided will be able to actually help foreign governments from defending against U.S cyber-operations, he wrote. "The NSA is, or at least believes it is, so sophisticated in its attack techniques that these defensive recommendations won't slow it down significantly," Schneier wrote. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
User credential misuse is another critical area. Joyce suggested that well-defended networks require specific methods for accessing the resources of the network. Additionally, he advocated for the use of credential monitoring that also looks for anomalous behavior. Another key recommendation is to make use of two-factor authentication technologies to further defend user credentials against potential misuse and exploitation.