Among the cache of documents leaked by U.S. National Security Agency (NSA) whistleblower Edward Snowden were files containing information on the agency’s offensive operations, known as Tailored Access Operations (TAO). While Snowden’s leaked documents have been a source of information on NSA activities, there is now another, more direct source: the NSA itself.
In an eye-opening 30-minute session at the USENIX Enigma conference in San Francisco on Jan. 28, Rob Joyce, chief of NSA’s TAO, discussed how advanced persistent threats (APTs) target organizations and what techniques can be used to defend against those attacks. The Enigma session has now been posted to YouTube, enabling anyone with Internet access to watch the NSA explain how to attack and defend against nation-state adversaries.
“I’m from Tailored Access Operations, and from that perspective, it is very strange to be up here on a stage,” Joyce said. “My talk is to tell you as a nation-state exploiter what you can do to defend yourself to make my life hard.”
Joyce noted that TAO’s efforts include gaining foreign intelligence by way of nation-state exploitation that supports a wide range of missions, from informing U.S. policy makers to protecting war fighters.
NSA TAO often understands the networks it targets for exploitation better than those networks' own owners do, Joyce said.
“If you really want to protect your network, you really have to know your network, you have to know the devices and the security technologies inside it,” Joyce said.
NSA TAO puts in the time to really understand the networks of its targets, perhaps better even than the people who actually designed those networks and those tasked with securing them.
Describing the attack methodology, Joyce explained that exploiting a target proceeds through a series of phases, starting with reconnaissance. After reconnaissance, an attacker looks to get in the door with an initial exploitation of the network. Once in the door, the attacker seeks to establish persistence and will also install tools. The initial point of entry into a target network isn’t likely to be where all the information is kept, which is why, once persistence and tools are in place, the next step is to move laterally within the network. The final phases of an intrusion are to collect and exfiltrate data from the target network.
From a defender’s perspective, the goal is to disrupt an attacker’s progression through the intrusion phases, Joyce explained. One simple recommendation he made is to reduce the potential attack surface by shutting down services that are not actually being used by the organization.
“It’s not a new or amazingly insightful piece of advice,” Joyce said in reference to his suggestion about shutting down unneeded services. He added that people would be surprised to realize all the things that are running on a network, versus the things that they think are supposed to be running on the network.
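Joyce's point that owners are surprised by what is actually running is easy to turn into a routine check: list what is listening and diff it against what the organization believes should be there. The script below is an added example, not code from the talk or from this article; the `ss -tulnp` output it parses is a constructed sample from a hypothetical host, and the `EXPECTED` allowlist is an assumed inventory.

```python
"""Compare the services actually listening on a host with the set the
organization thinks should be running, and report the differences.
Added example; the ss output and the allowlist below are constructed."""
import re
from typing import NamedTuple


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    process: str


# Constructed sample of `ss -tulnp` output from a hypothetical Linux host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:123       0.0.0.0:*         users:(("chronyd",pid=612,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443       0.0.0.0:*         users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0      128    0.0.0.0:5900      0.0.0.0:*         users:(("x11vnc",pid=2044,fd=4))
tcp   LISTEN 0      128    127.0.0.1:3306    0.0.0.0:*         users:(("mysqld",pid=990,fd=20))
"""

# What the owners believe runs on this host (assumed allowlist for the example).
EXPECTED = {
    ("tcp", 22, "sshd"),
    ("tcp", 443, "nginx"),
    ("udp", 123, "chronyd"),
}

# Pull the first process name out of ss's users:(("name",pid=...)) column.
PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss(output: str) -> list[Listener]:
    """Parse ss -tulnp style output into Listener records (header row skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        match = PROC_RE.search(line)
        process = match.group(1) if match else "?"
        listeners.append(Listener(proto, addr, int(port), process))
    return listeners


def unexpected_services(listeners: list[Listener], expected) -> list[Listener]:
    """Everything listening that is not on the allowlist."""
    return [l for l in listeners if (l.proto, l.port, l.process) not in expected]


def audit(output: str = SAMPLE_SS_OUTPUT, expected=EXPECTED) -> dict[str, dict]:
    """Map 'proto/port' -> details for each unexpected listener, noting
    whether it is bound to all interfaces (reachable from the network)
    or only to loopback."""
    findings = {}
    for l in unexpected_services(parse_ss(output), expected):
        findings[f"{l.proto}/{l.port}"] = {
            "process": l.process,
            "exposed": l.addr in ("0.0.0.0", "::", "*"),
        }
    return findings


if __name__ == "__main__":
    for key, info in audit().items():
        where = "network-reachable" if info["exposed"] else "loopback only"
        print(f"{key:<10} {info['process']:<10} {where}")
```

On the sample host the check surfaces a VNC server exposed to the network and a database bound to loopback; the first is the kind of unneeded, reachable service Joyce recommends shutting down, the second is worth confirming against the inventory even though it is not directly reachable. Running it for real means feeding in live `ss -tulnp` output and maintaining the allowlist as the inventory of record.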
Joyce suggested that organizations run full penetration tests against their own networks to “poke and prod” for potential vulnerabilities, just like an adversary might do. While zero-day vulnerabilities do represent a risk, Joyce commented that they are not the primary attack vector.
“On any large network, I will tell you that persistence and focus will get you in and will achieve exploitation without the zero-day [exploits],” Joyce said.
NSA Gives Advice on Defending Against Nation-State Attackers
To fight off an advanced persistent attacker, organizations should invest in continuous defensive efforts, he advised. New vulnerabilities are regularly disclosed publicly under Common Vulnerabilities and Exposures (CVE) identifiers, and organizations need to update continually and be able to defend against those CVEs.
Additionally, Joyce highlighted the fact that users can often be tricked into clicking on phishing emails and malicious links, which is why security automation is important.
“You really need to get the networks not to rely on the users to automatically make the right decisions,” Joyce said. “Sometimes, even the experts get it wrong.”
As such, Joyce emphasized that it’s important that security policies and the technical enforcement of the policies protect the network. Additionally, Joyce recommends the use of anti-exploitation features in software and specifically advocated for the widespread use of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). Joyce also applauded the increasing prevalence of automatic update mechanisms in software that help to protect users through rapid patching.
User credential misuse is another critical area. Joyce suggested that well-defended networks require specific methods for accessing the resources of the network. Additionally, he advocated for the use of credential monitoring that also looks for anomalous behavior. Another key recommendation is to make use of two-factor authentication technologies to further defend user credentials against potential misuse and exploitation.
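Credential monitoring that "looks for anomalous behavior" can start with two simple signals: a successful login from a source an account has never used before, and a success that immediately follows a burst of failures. The script below is an added example, not from the talk or the article; the authentication events are constructed, their format is assumed, and the baseline window and thresholds are illustrative settings.

```python
"""Flag credential misuse in authentication events: successful logins from a
source the account has never used, and successes preceded by a burst of
failures.  Added example; the log lines and their format are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events, one per line: "<ISO timestamp> <user> <source IP> <result>"
SAMPLE_AUTH_LOG = """\
2016-01-25T09:02:11 alice 10.1.4.23 SUCCESS
2016-01-25T09:05:40 bob 10.1.4.31 SUCCESS
2016-01-26T08:58:02 alice 10.1.4.23 SUCCESS
2016-01-27T09:01:15 alice 10.1.4.23 SUCCESS
2016-01-28T02:14:01 alice 198.51.100.7 FAIL
2016-01-28T02:14:09 alice 198.51.100.7 FAIL
2016-01-28T02:14:17 alice 198.51.100.7 FAIL
2016-01-28T02:14:25 alice 198.51.100.7 FAIL
2016-01-28T02:14:33 alice 198.51.100.7 SUCCESS
2016-01-28T09:00:44 bob 10.1.4.31 SUCCESS
2016-01-28T13:20:00 bob 203.0.113.9 SUCCESS
"""

# Assumed settings: sources seen up to BASELINE_END are trusted for that user;
# FAIL_THRESHOLD failures within FAIL_WINDOW before a success is suspicious.
BASELINE_END = datetime(2016, 1, 27, 23, 59, 59)
FAIL_WINDOW = timedelta(minutes=5)
FAIL_THRESHOLD = 3


def parse_events(text: str):
    """Yield (timestamp, user, source, result) tuples in log order."""
    for line in text.splitlines():
        ts, user, source, result = line.split()
        yield datetime.fromisoformat(ts), user, source, result


def detect(text: str = SAMPLE_AUTH_LOG):
    """Return a list of (alert_type, user, source, timestamp) tuples."""
    known = defaultdict(set)          # user -> sources seen in the baseline period
    recent_fail = defaultdict(deque)  # (user, source) -> timestamps of recent failures
    alerts = []
    for ts, user, source, result in parse_events(text):
        if ts <= BASELINE_END:
            # Learning phase: record where each account normally logs in from.
            if result == "SUCCESS":
                known[user].add(source)
            continue
        key = (user, source)
        if result == "FAIL":
            window = recent_fail[key]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()          # drop failures older than the window
            continue
        # A success after the baseline period: compare against what we learned.
        if source not in known[user]:
            alerts.append(("new-source", user, source, ts.isoformat()))
        if len(recent_fail[key]) >= FAIL_THRESHOLD:
            alerts.append(("success-after-failures", user, source, ts.isoformat()))
        recent_fail[key].clear()
        # The new source is deliberately not added to the baseline here; an
        # analyst confirms it is legitimate before it becomes trusted.
    return alerts


if __name__ == "__main__":
    for alert in detect():
        print(*alert)
```

On the sample data, alice's early-morning success from an unfamiliar address trips both rules, while bob's afternoon login trips only the new-source rule; both are the kind of event that two-factor authentication would have blocked or at least surfaced. In practice the baseline would be learned continuously rather than from a fixed date, and the source would be normalized to a network or geolocation rather than a single IP.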
“I’m going to use best practices for exploitation, are you going to use best practices for defense?” Joyce asked the Enigma conference audience.
While Joyce’s goal was to help enable better security, some security experts were somewhat skeptical of his intentions in speaking publicly. Among them is Charlie Miller, who is currently a security engineer at Uber and is well-known in the security research community for his work exploiting Apple devices as well as cars. Miller also worked as a global network exploitation analyst for the NSA from 2000 to 2005.
“To everyone gaga over the wisdom from the head of TAO speaking, would you trust what your boss’s boss had to say about cyber-security?” Miller tweeted.
Bruce Schneier, CTO of Resilient Systems, is also skeptical about the NSA’s motivation for speaking on how to defend networks against nation-state attackers. “The talk is full of good information about how APT attacks work and how networks can defend themselves,” Schneier wrote. “Nothing really surprising, but all interesting.”
The NSA does, of course, want the security of American networks to improve, but it’s doubtful the information provided will actually help foreign governments defend against U.S. cyber-operations, he wrote.
“The NSA is, or at least believes it is, so sophisticated in its attack techniques that these defensive recommendations won’t slow it down significantly,” Schneier wrote.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.