Next step: harvesting your data and sneaking it out of the building
Next the attacker needs to install tools to exploit the network and harvest its data. The first software in the attacker’s toolkit is beacon code that calls out for more hardcore tools. IT managers need to watch out for these call-outs in server logs and carefully scrutinise the domains being visited and the network traffic for warning signs.
With access and the tools to do the job the next stage is to move laterally within the network to get the target information. Admins can protect against this by locking down portions of the network holding sensitive data and by carefully managing who has access.
This includes not just making sure that individuals can’t get into certain network areas, but also considering where they are and what device they are using. A heavily protected network is useless if you’re allowing an employee to bring their insecure home laptop into work - bring-your-own-device firms need to beware, he warned.
Finally a nation-state hacker needs to collect, exfiltrate and exploit the data without being spotted. Network segmentation is key here, as is constant monitoring and checking of network logs, to make sure an attacker can’t get anything out of a network without the loss being noticed, and hopefully blocked.
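The log review the talk recommends, as an added example that is not Joyce’s code or The Register’s: a Python script that runs over a constructed proxy log and flags the two warning signs named above, regular-interval call-outs (beacons) and unusually large outbound volume to a single domain. The log format, hosts and domains are all made up for the example.

```python
# Added example (not from the talk): flag beacon call-outs and bulk outbound transfers in a constructed proxy log.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<ISO timestamp> <src_ip> <domain> <bytes_out>"
SAMPLE_LOG = """\
2016-01-28T09:00:00 10.0.0.5 updates.example-vendor.test 1200
2016-01-28T09:05:00 10.0.0.5 updates.example-vendor.test 1180
2016-01-28T09:10:01 10.0.0.5 updates.example-vendor.test 1210
2016-01-28T09:15:00 10.0.0.5 updates.example-vendor.test 1195
2016-01-28T09:20:00 10.0.0.5 updates.example-vendor.test 1205
2016-01-28T09:22:17 10.0.0.7 mail.example-corp.test 88000
2016-01-28T09:41:09 10.0.0.9 drop.example-storage.test 734003200
"""

def parse_log(text):
    """Return (timestamp, src_ip, domain, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, domain, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, domain, int(nbytes)))
    return records

def find_beacons(records, min_hits=5, max_jitter=0.1):
    """Flag (src, domain) pairs seen at least min_hits times with near-constant
    gaps (stdev/mean <= max_jitter). Legitimate update checks also match, so
    each hit is a lead for domain review, not a verdict."""
    by_pair = defaultdict(list)
    for ts, src, domain, _ in records:
        by_pair[(src, domain)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = round(avg)  # mean interval in seconds
    return beacons

def find_bulk_exfil(records, threshold_bytes=100 * 1024 * 1024):
    """Return (src, domain, total_bytes) where outbound volume to one domain
    exceeds threshold_bytes; tune the threshold per network segment."""
    totals = defaultdict(int)
    for _, src, domain, nbytes in records:
        totals[(src, domain)] += nbytes
    return [(s, d, t) for (s, d), t in totals.items() if t > threshold_bytes]
```

Run on the sample, the five-minute call-outs from 10.0.0.5 and the 700 MB push from 10.0.0.9 are the only hits; in a real network both thresholds need tuning against a baseline of normal traffic.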
So too are off-site backups - Saudi Arabia’s Aramco and Sony found this out the hard way, he said. Destruction of data is now something nation states are doing, and regular backups should be considered a priority, he said.
At the end of the day it all boils down to knowing your network, he said, and it’s vital that IT administrators pick up their game and get paranoid about attacks. Joyce’s previous job at the NSA was at the Information Assurance Directorate (IAD), protecting the US national infrastructure against attack, and he admitted that thoughts of SCADA vulnerabilities kept him up at night.
OK, I know what you’re thinking. This guy is the NSA’s chief hacker and so why should we believe what he’s saying? The agency hasn’t exactly covered itself in glory in the wake of the Snowden disclosures.
But Joyce deserves credit where it’s due: he came to a conference that’s full of people who aren’t exactly fans of the NSA, gave good advice, and stayed on to face sometimes hostile questions from the audience. Some of his talk may be self-serving and missing crucial details, but almost all of it was useful.
He even had the self-awareness to take the piss out of himself. At the end of the presentation he displayed a QR code for attendees to scan for more information, joking about who’d really trust something like that from the NSA.
El Reg asked Joyce about the encryption backdoor question and he came out strongly against borking strong security by the police. It’s clear this guy really does care about security, at least as far as the US is concerned.
Coming to Enigma was a brave move, and his presentation thankfully lacked the bland hand of PR that has marred other NSA speakers at events at Black Hat, RSA, and DEFCON. Take it with a pinch of salt by all means, but there is useful information here, and Joyce comes across as someone who really does know what he’s talking about. ®