
NSA’s top hacking boss explains how to protect your network from his attack squads

Rare public appearance from Tailored Access Operations leader


Usenix Enigma The United States National Security Agency (NSA) is a notoriously secretive organization, but the head of its elite Tailored Access Operations (TAO) hacking team has appeared at Usenix’s Enigma conference to tell the assembled security experts how to make his life difficult.

Rob Joyce has spent over a quarter of a century at No Such Agency and in 2013 he became head of TAO, with responsibility for breaking into non-US computer networks run by overseas companies and governments. Joyce's presentation on network security at the event boiled down to one piece of advice.

“If you really want to protect your network you have to know your network, including all the devices and technology in it,” he said. “In many cases we know networks better than the people who designed and run them.”

NSA tiger teams follow a six-stage process when attempting to crack a target, he explained. These are reconnaissance, initial exploitation, establishing persistence, installing tools, moving laterally, and then collecting, exfiltrating and exploiting the data.

During the reconnaissance phase agents examine a network electronically and, in some cases, physically. They work out who the key personnel are, what email accounts matter, how far the network extends, and maintain constant surveillance until they can find a way in.

“We need that first crack and we’ll look and look to find it,” he said. “There’s a reason it’s called an advanced persistent threat; we’ll poke and poke and wait and wait until we get in.”

The goal is to find weak points, whether they be within the network architecture, or in staff who may work from home or bring in unauthorized devices. There are also areas where the target network interconnects with other computer systems, like heating and ventilation controllers, which can be useful for an attack.

Companies need to pay particular attention to cloud providers, he said. Once you use a cloud company you are essentially handing your data over to them and relying on their security, so he warned due diligence is even more important than usual.

For the initial exploitation phase the key attack vectors are malware attachments in email, injection attacks from websites, and removable media - the latter being particularly useful for penetrating air-gapped systems that aren’t even on the network; Iran found that out the hard way with Stuxnet.

Another common attack vector is common vulnerabilities and exposures (CVEs) that haven’t been patched, he said. Companies need to make automatic patching the norm to protect themselves against nation-state hackers, he warned. As for zero-day flaws, he said they are overrated.

“A lot of people think that nation states are running their operations on zero days, but it’s not that common,” he said. “For big corporate networks persistence and focus will get you in without a zero day; there are so many more vectors that are easier, less risky, and more productive.”

As for the NSA’s own collection of zero-day exploits, Joyce said that in fact the agency had very few, and each new one discovered was evaluated by an outside committee to decide when software manufacturers should be informed so they could build a patch. The NSA doesn’t have the final decision on this, he claimed.

To protect against this, admins need to lock things down as far as possible: whitelisting apps, locking down permissions, patching as soon as possible, and using reputation management. If a seemingly legitimate user is displaying abnormal behavior, like accessing network data for the first time, chances are they have been compromised, he said.

Reputation-based tools are particularly useful against malware, Joyce explained. Signature-based antivirus won’t protect you against a unique piece of attack code, but when used in conjunction with reputation databases it can be effective - if code or a domain hasn’t been seen before there’s a high chance it’s dodgy.
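The two preceding paragraphs describe the same defensive idea from two angles: a user touching a resource for the first time is suspicious, and code or a domain never seen before is suspicious. The following is an added example, not code from the article or from the NSA, of a first-seen detector that learns a baseline from an initial period of events and then alerts on any user/share pair, process hash or contacted domain that appears for the first time afterwards. The log lines and their `key=value` layout are constructed for the demo; a real deployment would feed it from an EDR or proxy log and replace the in-memory sets with a reputation database.

```python
"""First-seen detection over a small constructed event log (added example)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample events, not taken from the article. Each line records the
# user, the file share they read, the hash of the process that read it and the
# domain that process talked to. The field layout is an assumption for the demo.
SAMPLE_LOG = """\
2016-01-27T09:00:01 user=alice share=finance hash=aa11 domain=corp.example
2016-01-27T09:05:12 user=alice share=finance hash=aa11 domain=corp.example
2016-01-27T09:07:40 user=bob share=hr hash=bb22 domain=corp.example
2016-01-27T21:13:05 user=bob share=finance hash=cc33 domain=update-cdn.example
2016-01-27T21:14:09 user=bob share=finance hash=cc33 domain=update-cdn.example
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split 'timestamp key=value ...' into a dict with the timestamp under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD.findall(rest))
    fields["ts"] = ts
    return fields


def detect_first_seen(log_text: str, baseline_until: str) -> List[Tuple[str, str, str]]:
    """Events timestamped before baseline_until only teach the baseline; every
    later event raises one alert per attribute that has never been seen before.
    Returns (timestamp, alert_kind, detail) tuples."""
    seen_access: Set[Tuple[str, str]] = set()   # (user, share) pairs
    seen_hash: Set[str] = set()                 # process hashes (reputation stand-in)
    seen_domain: Set[str] = set()               # contacted domains
    alerts: List[Tuple[str, str, str]] = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        # ISO-8601 timestamps compare correctly as plain strings.
        learning = ev["ts"] < baseline_until
        checks = [
            ("first-access", (ev["user"], ev["share"]), seen_access),
            ("unknown-hash", ev["hash"], seen_hash),
            ("unknown-domain", ev["domain"], seen_domain),
        ]
        for kind, key, seen in checks:
            if key not in seen:
                seen.add(key)          # alert once, then treat it as known
                if not learning:
                    alerts.append((ev["ts"], kind, str(key)))
    return alerts


if __name__ == "__main__":
    for ts, kind, detail in detect_first_seen(SAMPLE_LOG, "2016-01-27T12:00:00"):
        print(ts, kind, detail)
```

With the morning events as the baseline, the evening access by `bob` to the `finance` share produces three alerts at once (new user/share pair, unknown process hash, unknown domain); the repeat a minute later produces none. Alerting once per new item is a design choice: it keeps the analyst queue short, but it also means the baseline should be reviewed before it is trusted, since anything learned during the baseline window is silently accepted.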

It’s amazing how often simple issues come up and allow access to target networks, he explained. Things like administrator credentials left embedded in scripts, networks that are never segmented, and suspicious activity that is recorded in network logs but never noticed.
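Of the simple issues listed above, embedded administrator credentials are the one an admin can hunt for mechanically. The following is an added example, not the article's or the NSA's code, of a small scanner that runs a few credential patterns over script text and reports each hit with the secret masked. The three sample scripts are constructed for the demo; the rule set is deliberately short and is an assumption about what such scripts typically look like, so a real sweep would extend it and run it over a repository or a scheduled-task directory.

```python
"""Scan scripts for embedded credentials (added example with constructed input)."""
import re
from typing import Dict, List, Pattern, Tuple

# Constructed sample scripts, not taken from the article. Two embed a secret,
# the third reads it from the environment at runtime and should not be flagged.
SAMPLE_SCRIPTS: Dict[str, str] = {
    "backup.sh": (
        "#!/bin/sh\n"
        "ADMIN_PASS='Sup3rSecret!'\n"
        'mysqldump -u root -p"$ADMIN_PASS" app > /tmp/app.sql\n'
    ),
    "deploy.ps1": (
        "$cred = New-Object PSCredential('CORP\\admin', "
        "(ConvertTo-SecureString 'Winter2016' -AsPlainText -Force))\n"
    ),
    "healthcheck.py": (
        "import os\n"
        "TOKEN = os.environ['API_TOKEN']  # fetched at runtime, not embedded\n"
    ),
}

# Each rule captures the literal secret in a group named 'secret'.
RULES: List[Tuple[str, Pattern[str]]] = [
    # NAME = 'literal' where NAME looks like a password/secret/token variable
    ("secret-assignment", re.compile(
        r"(?i)(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\s*[=:]\s*"
        r"['\"](?P<secret>[^'\"]{4,})['\"]")),
    # -p<literal> / --password <literal>; a $VARIABLE after the flag is not a literal
    ("cli-password-flag", re.compile(
        r"(?i)(?:-p|--password[= ])\s*['\"]?(?P<secret>[^\s'\"$]{4,})")),
    # PowerShell plaintext-to-SecureString conversion with an inline literal
    ("powershell-plaintext", re.compile(
        r"ConvertTo-SecureString\s+['\"](?P<secret>[^'\"]+)['\"]\s+-AsPlainText")),
]


def mask(secret: str) -> str:
    """Keep two characters so the finding is recognisable without echoing the secret."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_scripts(scripts: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Return (script name, line number, rule name, masked secret) for every line
    that matches a rule. One finding per line is enough to prompt a review."""
    findings: List[Tuple[str, int, str, str]] = []
    for name, body in scripts.items():
        for lineno, line in enumerate(body.splitlines(), start=1):
            for rule, pattern in RULES:
                match = pattern.search(line)
                if match:
                    findings.append((name, lineno, rule, mask(match.group("secret"))))
                    break
    return findings


if __name__ == "__main__":
    for name, lineno, rule, masked in scan_scripts(SAMPLE_SCRIPTS):
        print(f"{name}:{lineno}: {rule}: {masked}")
```

Line 3 of `backup.sh` passes the password through a shell variable, so the CLI-flag rule correctly stays quiet there and the finding lands on line 2, where the literal actually lives; `healthcheck.py` produces nothing because the token never appears in the file. Masking the captured value matters because scanner output tends to end up in tickets and chat, which would otherwise become yet another place the credential is embedded.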

He cited cases where NSA hackers have performed penetration testing, issued a report on vulnerabilities, and then, when they went back two years later to test again, found the same problems had not been fixed. When the NSA hacking squad comes back, he said, the first thing they do is investigate previously reported flaws, and it’s amazing how many remain unpatched even after the earlier warning.

Once inside a network, the next stage is to establish persistence, primarily by establishing software run lines or subverting other applications. Application whitelisting is key to locking down this phase of an attack, he said.
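Reading "software run lines" as autostart entries (for example the Windows Run registry keys, which is my assumption, not something the article spells out), the whitelisting advice translates into a periodic audit: every autostart command is resolved to its executable and compared with an allowlist of known-good paths. The following is an added example, not the article's or the NSA's code, of that audit on a constructed set of entries. The entry names, paths and allowlist are made up for the demo; in practice the entries would be read from the registry or a startup folder and the allowlist would hold file hashes rather than paths.

```python
"""Audit autostart entries against an allowlist (added example, constructed data)."""
import re
from typing import Dict, List, Set

# Constructed autostart entries, name -> command line, not taken from the article.
RUN_ENTRIES: Dict[str, str] = {
    "SecurityHealth": r'"C:\Windows\System32\SecurityHealthSystray.exe"',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r"C:\Users\alice\AppData\Local\Temp\updater.exe -q",
}

# Constructed allowlist of executables that are expected to autostart (lower-case).
ALLOWLIST: Set[str] = {
    r"c:\windows\system32\securityhealthsystray.exe",
    r"c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe",
}

# Path fragments that mark directories any user can write to; an autostart
# executable living there deserves a second look even if it is allowlisted.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

# The executable is either the quoted first token or the first bare token.
EXE = re.compile(r'^\s*(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')


def executable_path(command: str) -> str:
    """Extract the program path from an autostart command line, normalised to lower case."""
    match = EXE.match(command)
    if not match:
        return ""
    return (match.group("quoted") or match.group("bare")).lower()


def audit_autostart(entries: Dict[str, str], allowlist: Set[str]) -> Dict[str, List[str]]:
    """Return entry name -> list of reasons for every entry that needs review."""
    findings: Dict[str, List[str]] = {}
    for name, command in entries.items():
        path = executable_path(command)
        reasons: List[str] = []
        if path not in allowlist:
            reasons.append("not-allowlisted")
        if any(marker in path for marker in USER_WRITABLE):
            reasons.append("user-writable-dir")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_autostart(RUN_ENTRIES, ALLOWLIST).items():
        print(f"{name}: {', '.join(reasons)}")
```

Only the `Updater` entry is reported, for two independent reasons: its executable is not on the allowlist, and it runs from a temp directory that the user can write to. Keeping the two checks separate is deliberate, since an allowlisted program that has quietly moved into a user-writable directory is exactly the kind of subverted application the paragraph above warns about.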
