“I will admit that it’s very strange, to be in that position [and] up here on a stage in front of a group of people,” Rob Joyce, Chief of the NSA’s TAO, told an audience at the Usenix Enigma security conference in San Francisco Wednesday. “I’m in a unique position in that we produce, in TAO, foreign intelligence for a wide range of missions to include advice [for] informing policymakers, protecting the nation’s warfighters 24/7 and in that space we’re doing nation-state exploitation. My talk today is to tell you, as a nation-state exploiter, what [you can] do to defend yourself, to make my life hard.”
To talk about security, Joyce shared a little of TAO’s strategy for beating it, and cyber security experts sat up and listened.
“When the head of the world’s most sophisticated APT [Advanced Persistent Threat] is telling you how they work, you should probably take notes,” tweeted cyber security researcher Dino Dai Zovi.
Joyce said that TAO follows six steps after picking their target: reconnaissance, initial exploitation, persistence, tool installation, lateral movement and, finally, collection and exfiltration of data. In the reconnaissance phase, they’re simply looking for weak points – whether it’s in the architecture of the network or in the people who use it.
“Our key to success is knowing that network better than the people who set it up,” he said. “We need that first crack and we’ll look to find it.”
“Don’t assume a crack is too small to be noticed, or too small to be exploited,” he said. “We need that first crack, that first seam. And we’re going to look and look and look for that esoteric kind of edge case to break open and crack in.”
He said that even a temporary relaxation of security is a bad idea, because that is exactly when hackers will take advantage. “There’s a reason it’s called an ‘Advanced Persistent Threat’ (APT). We’ll poke and poke and wait and wait until we get in,” he said.
NSA hackers get into a system the same way any other hackers do, Joyce said: by tricking users into clicking links they shouldn’t, by luring them to websites infested with malware, or by plugging in compromised thumb drives.
“If you have something somebody’s coming at and you need to defend it, you need to be looking at what is that apex predator going to be doing to come after your information. They’re going to be using the best practices for offense, you’ve got to be using best practices for defense,” he said.
After getting inside, Joyce said, attackers need to establish a toehold in the system and install “light-weight” tools that pave the way for bigger ones. Joyce didn’t say exactly what those tools are, but Germany’s Der Spiegel reported in December 2013, based on internal NSA documents, that TAO uses a host of tools to extract information and otherwise exploit the system.
Also, the hacker will need to “move laterally” to find the data they’re after.
“So after you’re in a network, rarely do you land where you need to be. At this point, it’s important to move laterally and find the things you need to find,” he said. “Nothing is really more frustrating to us than to be inside a network, know where the thing is you need to go get to, and not have a path to get over to find that.”
In his talk, Joyce also reportedly gave his opinion on so-called zero day exploits, which take advantage of flaws in programs or systems that are not yet known to their makers and therefore remain unpatched. Zero day exploits are valuable on the black market, according to cyber security experts, and an astounding four were used in the Stuxnet attacks that targeted an Iranian nuclear plant, widely believed to have been a joint U.S.-Israeli operation. But Joyce said zero days are not as big a deal as they’re made out to be.
“A lot of people think the nation states, they’re running on these engines of zero days. You go out with your master skeleton key and unlock the door and you’re in. It’s not that,” he said. “Take these big corporate networks, these large networks, I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero days. There are so many more vectors that are easier, less risky, and quite often more productive.”
Joyce claimed the NSA actually knows of very few zero days to exploit, according to London’s The Register.
To protect against hackers like his own team, Joyce reportedly listed some security best practices for companies and individuals, including limiting access to data to those who really need it, segmenting networks, and making sure a system administrator is present and paying attention to anomalies. He also said companies should bring in penetration testers to look for holes before the bad guys find them first.
“Well-run networks really do make our job hard,” Joyce said.
Joyce also addressed the difficulty of attribution in cyber-attacks, but said that if the U.S. government alleges that a nation-state is behind a specific cyber-attack, it is.
“It’s amazing the amount of lawyers that DHS [Department of Homeland Security], FBI and NSA have,” he said in response to a question, according to WIRED. “So if the government is saying that we have positive attribution too, you ought to book it. Attribution is really, really hard. So when the government’s saying it, we’re using the totality of the sources and methods we have to help inform that. [But] because those advanced persistent threats aren’t going away… we can’t bring all that information to the fore and be fully transparent about everything we know and how we know it.”
This report was updated after Joyce’s talk was posted online.