
    NSA Gives Advice on Defending Against Nation-State Attackers

    By Sean Michael Kerner - February 2, 2016

      Among the cache of documents leaked by U.S. National Security Agency (NSA) whistleblower Edward Snowden were files containing information on the agency’s offensive operations, known as Tailored Access Operations (TAO). While Snowden’s leaked documents have been a source of information on NSA activities, there is now another, more direct source: the NSA itself.

      In an eye-opening 30-minute session at the USENIX Enigma conference in San Francisco on Jan. 28, Rob Joyce, chief of NSA’s TAO, discussed how advanced persistent threats (APTs) target organizations and what techniques can be used to defend against those attacks. The Enigma session has now been posted to YouTube, enabling anyone with Internet access to watch the NSA explain how to attack and defend against nation-state adversaries.

      “I’m from Tailored Access Operations, and from that perspective, it is very strange to be up here on a stage,” Joyce said. “My talk is to tell you as a nation-state exploiter what you can do to defend yourself to make my life hard.”

      Joyce noted that TAO’s efforts include gaining foreign intelligence by way of nation-state exploitation that supports a wide range of missions, from informing U.S. policy makers to protecting war fighters.

      NSA TAO often has a better understanding of the networks it targets for exploitation than the owners of those networks have themselves, Joyce said.

      “If you really want to protect your network, you really have to know your network, you have to know the devices and the security technologies inside it,” Joyce said.

      NSA TAO puts in the time to really understand the networks of its targets, perhaps better even than the people who actually designed the network and those tasked with securing it.

      In terms of attack methodology, Joyce explained that exploiting a target proceeds through a series of phases, starting with reconnaissance. After reconnaissance, an attacker looks to get in the door with an initial exploitation of the network. Once in the door, the attacker seeks to establish persistence and install tools. The initial point of entry into a target network isn’t likely to be where all the information is kept, which is why, once persistence and tools are in place, the next step is to move laterally within the network. The final phases of an intrusion are to collect and exfiltrate data from the target network.

      From a defender’s perspective, the goal is to disrupt an attacker’s progression through the intrusion phases, Joyce explained. One simple recommendation he made is to reduce the potential attack surface by shutting down services that are not actually being used by the organization.

      “It’s not a new or amazingly insightful piece of advice,” Joyce said in reference to his suggestion about shutting down unneeded services. He added that people would be surprised to realize all the things that are running on a network, versus the things that they think are supposed to be running on the network.
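      One way to act on that advice is to compare what a host is actually listening on with the owner's own inventory of what should be running. The following is an added example, not code from the talk or the article; the `ss -tlnp`-style sample lines and the EXPECTED inventory are constructed for illustration.

```python
"""Compare what is actually listening on a host with what the owner
expects to be running. The sample output and the inventory below are
constructed for this example, not taken from any real system."""
import re
from typing import NamedTuple

class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    process: str

# Constructed sample lines in the shape of `ss -Htlnp` output (no header).
SAMPLE_SS_OUTPUT = """\
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1201,fd=6))
tcp LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=990,fd=5))
tcp LISTEN 0 50 0.0.0.0:6379 0.0.0.0:* users:(("redis-server",pid=1540,fd=6))
tcp LISTEN 0 128 [::]:8080 [::]:* users:(("python3",pid=2210,fd=4))
"""

# Assumed inventory: (process, port) pairs the owner believes should be up,
# and whether each may bind to any interface or only to loopback.
EXPECTED = {
    ("sshd", 22): "any",
    ("nginx", 443): "any",
    ("postgres", 5432): "local",
}

LINE_RE = re.compile(
    r'^(\S+)\s+LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_ss(text: str) -> list:
    """Parse ss-style lines into Listener records; skip unparsable lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Listener(m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return out

def is_local(addr: str) -> bool:
    return addr in ("127.0.0.1", "[::1]")

def unexpected_listeners(listeners):
    """Return (listener, reason) for anything outside the inventory."""
    findings = []
    for l in listeners:
        scope = EXPECTED.get((l.process, l.port))
        if scope is None:
            findings.append((l, "not in inventory"))
        elif scope == "local" and not is_local(l.addr):
            findings.append((l, "expected loopback only"))
    return findings
```

      Run against the sample, it reports the Redis and the ad hoc Python listener that nobody put in the inventory, which is exactly the gap Joyce describes.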

      Joyce suggested that organizations run full penetration tests against their own networks to “poke and prod” for potential vulnerabilities, just like an adversary might do. While zero-day vulnerabilities do represent a risk, Joyce commented that they are not the primary attack vector.

      “On any large network, I will tell you that persistence and focus will get you in and will achieve exploitation without the zero-day [exploits],” Joyce said.


      To fight off an advanced persistent attacker, organizations should invest in continuous defensive effort, he advised. New vulnerabilities are regularly disclosed publicly as Common Vulnerabilities and Exposures (CVEs), and organizations need to patch continually and be able to defend against those CVEs.

      Additionally, Joyce highlighted the fact that users can often be tricked into clicking on phishing emails and malicious links, which is why security automation is important.

      “You really need to get the networks not to rely on the users to automatically make the right decisions,” Joyce said. “Sometimes, even the experts get it wrong.”

      As such, Joyce emphasized that security policies, and the technical enforcement of those policies, must protect the network rather than depend on the user. He also recommended the use of anti-exploitation features in software and specifically advocated the widespread use of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). Joyce also applauded the increasing prevalence of automatic update mechanisms in software, which protect users through rapid patching.

      User credential misuse is another critical area. Joyce suggested that well-defended networks enforce specific, controlled methods for accessing network resources. He also advocated credential monitoring that looks for anomalous behavior. Another key recommendation is to use two-factor authentication to further defend user credentials against misuse and exploitation.
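      The kind of credential monitoring Joyce describes can start very simply: learn each account's usual source hosts and login hours from a baseline window, then flag later successful logins that break the pattern. This is an added example, not code from the talk or the article; the log format, the events and the one-hour slack are all constructed assumptions.

```python
"""Baseline-and-deviation check for credential misuse. Log lines have the
constructed form "timestamp user result source"; the sample events and the
slack_hours tunable are assumptions for this example."""
from collections import defaultdict
from datetime import datetime

# Constructed baseline window: normal activity used to learn per-user habits.
BASELINE_LOG = """\
2016-01-04T09:02:11 alice success 10.1.4.20
2016-01-04T09:15:40 bob success 10.1.4.31
2016-01-05T08:55:03 alice success 10.1.4.20
2016-01-05T17:40:12 bob success 10.1.4.31
"""
# Constructed later window: one off-hours login and one from a new host.
NEW_LOG = """\
2016-01-11T09:10:00 alice success 10.1.4.20
2016-01-11T03:12:44 alice success 10.1.4.20
2016-01-11T10:05:09 bob success 10.1.9.77
2016-01-11T10:06:00 bob failure 10.1.9.77
"""

def parse(text):
    events = []
    for line in text.splitlines():
        ts, user, result, src = line.split()
        events.append((datetime.fromisoformat(ts), user, result, src))
    return events

def build_baseline(events, slack_hours=1):
    """Per user: the set of known source hosts and an allowed hour range."""
    hosts, hours = defaultdict(set), defaultdict(list)
    for ts, user, result, src in events:
        if result == "success":
            hosts[user].add(src)
            hours[user].append(ts.hour)
    return {u: (hosts[u], (min(hours[u]) - slack_hours, max(hours[u]) + slack_hours))
            for u in hosts}

def detect(events, baseline):
    """Return (user, timestamp, reason) for successful logins outside the baseline."""
    findings = []
    for ts, user, result, src in events:
        if result != "success":
            continue  # failures are left to a separate brute-force rule
        known_hosts, (lo, hi) = baseline.get(user, (set(), (0, 23)))
        if src not in known_hosts:
            findings.append((user, ts.isoformat(), f"new source host {src}"))
        elif not lo <= ts.hour <= hi:
            findings.append((user, ts.isoformat(), f"hour {ts.hour} outside usual window"))
    return findings
```

      A real deployment would feed this from the authentication system's own logs and route findings to the same place the two-factor enrollment records live, so a flagged login can be checked against a second factor.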

      “I’m going to use best practices for exploitation, are you going to use best practices for defense?” Joyce asked the Enigma conference audience.

      While Joyce’s goal was to help enable better security, some security experts were somewhat skeptical of his intentions in speaking publicly. Among them is Charlie Miller, who is currently a security engineer at Uber and is well-known in the security research community for his work exploiting Apple devices as well as cars. Miller also worked as a global network exploitation analyst for the NSA from 2000 to 2005.

      “To everyone gaga over the wisdom from the head of TAO speaking, would you trust what your boss’s boss had to say about cyber-security?” Miller tweeted.

      Bruce Schneier, CTO of Resilient Systems, is also skeptical about the NSA’s motivation for speaking on how to defend networks against nation-state attackers. “The talk is full of good information about how APT attacks work and how networks can defend themselves,” Schneier wrote. “Nothing really surprising, but all interesting.”

      The NSA does, of course, want the security of American networks to improve, but it’s doubtful the information provided will actually help foreign governments defend against U.S. cyber-operations, he wrote.

      “The NSA is, or at least believes it is, so sophisticated in its attack techniques that these defensive recommendations won’t slow it down significantly,” Schneier wrote.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
