Defending Against Nation-State Cyber Threats: Insights from Tailored Access Operations
Overview
In this talk, Joyce from Tailored Access Operations shares critical insights on how organizations can defend against nation-state cyber threats. Emphasizing the importance of understanding one's own network, Joyce outlines key strategies for identifying vulnerabilities, implementing best practices, and maintaining robust security measures to thwart advanced persistent threats.
Key Points
- Understanding Your Network: To protect your network, you must know it inside and out, including its devices, security technologies, and configurations.
- Phases of Intrusion: Recognize the phases of a targeted intrusion, starting with reconnaissance, where attackers gather information about the target.
- Vulnerability Assessment: Conduct regular penetration testing and red teaming to identify and address security flaws, and act on the results.
- Reducing Attack Surface: Disable unused services and applications to minimize potential entry points for attackers.
- Continuous Defense: Implement continuous monitoring and update security measures to address new vulnerabilities as they arise.
- User Behavior Monitoring: Establish processes to detect anomalous behavior and ensure that users are not making risky decisions that could compromise security.
- Incident Response Plans: Develop and regularly exercise incident response plans to ensure preparedness for potential breaches.
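The first and fourth points (know what is actually running, not what you intended, and act on red-team results) can be checked mechanically. The following added example, which is not code from the talk or from NSA, diffs a constructed per-role service baseline against constructed `ss -ltnp` output collected from each host, then reconciles the result with the previous report's findings to show which holes are still open; the roles, hosts, services and prior findings are all constructed.

```python
"""Diff what a network was intended to run against what is observed on it, and check
whether the previous red-team report's findings were actually fixed.
Added example; the baseline, scanner output and prior findings are constructed."""
import re
from dataclasses import dataclass

# Approved services per host role: service name -> allowed listening ports (constructed).
BASELINE = {
    "web": {"nginx": {443}, "sshd": {22}},
    "db": {"postgres": {5432}, "sshd": {22}},
}

# Constructed `ss -H -ltnp` output per host, as an inventory job would collect it.
OBSERVED_RAW = {
    "web01": ("web", """\
LISTEN 0 511  0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=910,fd=6))
LISTEN 0 128  0.0.0.0:22  0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5    0.0.0.0:23  0.0.0.0:* users:(("telnetd",pid=1402,fd=4))
"""),
    "web02": ("web", """\
LISTEN 0 511  0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=905,fd=6))
LISTEN 0 511  0.0.0.0:80  0.0.0.0:* users:(("nginx",pid=905,fd=7))
LISTEN 0 128  0.0.0.0:22  0.0.0.0:* users:(("sshd",pid=811,fd=3))
"""),
    "db01": ("db", """\
LISTEN 0 244  0.0.0.0:5432 0.0.0.0:* users:(("postgres",pid=1203,fd=5))
LISTEN 0 128  0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=809,fd=3))
LISTEN 0 50   0.0.0.0:445  0.0.0.0:* users:(("smbd",pid=1777,fd=9))
"""),
}

# Findings from the previous red-team report (constructed): (host, service, port).
PRIOR_FINDINGS = {("web01", "telnetd", 23), ("db01", "smbd", 445), ("web02", "vsftpd", 21)}

# Pull the local port and the owning process name out of one ss listening line.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_ss(text):
    """Return the set of (service, port) pairs in ss -ltnp style output; unmatched lines are skipped."""
    listening = set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            listening.add((m.group(2), int(m.group(1))))
    return listening


@dataclass(frozen=True, order=True)
class Finding:
    host: str
    service: str
    port: int
    kind: str  # "service_not_in_baseline" or "port_not_in_baseline"


def evaluate(baseline, observed_raw):
    """Everything listening that the role baseline does not approve."""
    findings = []
    for host, (role, raw) in sorted(observed_raw.items()):
        allowed = baseline[role]
        for service, port in sorted(parse_ss(raw)):
            if service not in allowed:
                findings.append(Finding(host, service, port, "service_not_in_baseline"))
            elif port not in allowed[service]:
                findings.append(Finding(host, service, port, "port_not_in_baseline"))
    return findings


def reconcile(findings, prior):
    """Split the current picture into still-open, fixed and newly appeared items."""
    current = {(f.host, f.service, f.port) for f in findings}
    return {
        "still_open": sorted(current & prior),
        "fixed": sorted(prior - current),
        "new": sorted(current - prior),
    }


if __name__ == "__main__":
    found = evaluate(BASELINE, OBSERVED_RAW)
    for f in found:
        print(f"{f.host}: {f.service}/{f.port} {f.kind}")
    for status, items in reconcile(found, PRIOR_FINDINGS).items():
        print(status, items)
```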
Conclusion
Joyce emphasizes that defending against nation-state threats requires a proactive approach, continuous improvement, and a deep understanding of your network. By implementing best practices and maintaining vigilance, organizations can significantly reduce their risk of exploitation.
FAQs
- What is Tailored Access Operations (TAO)?
  TAO is a division that produces foreign intelligence and provides insights on defending against cyber threats, particularly from nation-states.
- Why is understanding your network crucial for cybersecurity?
  Knowing your network helps identify vulnerabilities and ensures that security measures are effectively implemented to protect sensitive information.
- What are the common phases of a cyber intrusion?
  The phases include reconnaissance, initial exploitation, establishing persistence, and lateral movement within the network.
- How can organizations reduce their attack surface?
  By disabling unused services, conducting regular vulnerability assessments, and implementing strict access controls.
- What role does user behavior play in cybersecurity?
  User behavior can significantly impact security; organizations should monitor for anomalous activities and educate users on safe practices.
- What is the importance of incident response plans?
  Incident response plans prepare organizations to effectively respond to breaches, minimizing damage and recovery time.
- How can organizations stay updated on vulnerabilities?
  Regularly patching software, utilizing automated updates, and following best practices from cybersecurity resources like the NSA.
[ Applause ] JOYCE: Appreciate it.
Thanks -- thanks for the welcome. So -- so, as David introduced, I'm from Tailored Access Operations.
And I will admit, it is very strange, right, to be in that position, appear on a stage in front of a group of people.
It's not something often done. Um, but -- but I'm, uh, I'm in a -- a unique position in that we produce, in TAO,
foreign intelligence for a wide range of missions to include advice to informing policy makers, um,
protecting the nation's war fighters 24/7. And in that space, um, we're doing nation-state exploitation.
And so my talk today is to tell you, as a nation-state exploiter, what can you do to defend yourself
to make my life hard, right? So not many people will stand on the stage and have the perspective of an organization
that does exploitation and to be able to talk to those elements that really would disrupt the nation-state hackers.
Um, so in that vein, um, I want you to think about if there's something you really, really want to protect,
what do you have to do? So you'll hear a common theme throughout my talk. It'll boil down to a couple small things.
The theme I want you to take away is if you really want to protect your network, you really have to know your network.
You have to know the devices, the security technologies and the things inside it. So why are we successful?
We put the time in to know that network. We put the time in to know it better than the people who designed it
and the people who are securing it. And that's the bottom line. And you'll kind of hear that woven throughout the talk.
So if you think about what goes into an intrusion, there's a series of phases that happen, right? As you walk down through these, um,
I'll talk about the things that can... that -- that we focus on. Um, and you could break the chain throughout that, uh,
throughout that compromise by disrupting the transitions between these elements. So really the first phase
during a targeted intrusion is a reconnaissance phase. Somebody's got to go out and understand the target. It starts with simple things like scanning.
Go out and physically scan the actual target. There's understanding important people or e-mail addresses from that activity.
Going out and looking at the open-source information about that target. So it really is, what can you learn?
What can you understand? As I said earlier, our key to success is knowing that network better than the people
who set it up. So in that space, the reconnaissance phase is really important.
I'm gonna move my laptop a little here so I can get to my notes. So another key point inside this, um,
you know the technologies you intended to use in that network. We know the technologies
that are actually in use in that network. Subtle difference. Did you catch that? You know what you intended to use.
We know what's actually in use inside there. So when we look at that, we will learn the security functionality
of the devices inside that network. We'll study them, understand them, find the vulnerabilities.
In fact, we've got people who will know the security functionalities of those devices better than the people
who developed the actual device, right? So they won't know the whole product. They won't know every feature that those developers had.
But they'll understand the security technologies, and they'll bring that expertise at a very, very deep level. So inside that, um,
it's minute attention to detail inside that security layer, again, knowing the network, knowing that space. So what does that mean?
We apply the focus and energy to look at those details. Um, will you, as people who have important things
to protect and hold dear, will you put in the energy to understand the network, understand the devices and configure
and use them in the proper way that would prevent exploitation? So there's a foundational piece of advice to countering these kind of threats, right?
You've got to have procedures to evaluate what you'll use, what you'll install. You've got to lock down and, uh,
disable those things that you're, uh, that you're not using, right? Reduce the attack surface.
Um, it's not a new or amazingly insightful piece of advice. Um, but you'd be surprised,
as I said, about the things that are running on a network versus the things that you think are supposed to be there.
So what can you do to understand that exposure surface? Red team that network. Bring in pen testers. Poke and prod it, just like an adversary will do,
to find out what's inside that space. Um, find out what's exploitable. Well-run networks really do make our job hard.
So if you go to the trouble of understanding what's inside a network, you run that pen test,
you've got those results, act on it. So NSA, in our information assurance side, will do red team testing against,
uh, against government networks. So we'll, inevitably, find things that are misconfigured,
things that shouldn't be set up inside that network, holes and flaws, and we'll produce reports telling the network owner things
they need to fix. Cycle comes around to the point where we've got to get back and redo a red team against that same network.
It is not uncommon for us to find the same security flaws that were in that original report.
The first place we go is to the original report. Did the things we pointed out previously get fixed? So, um, inexcusable, inconceivable,
but returning a couple years later, the same holes and vulnerabilities exist. I've seen it in the corporate sector, too.
I've seen it in our targets, right? People tell you you're vulnerable in a space, close it down and lock it down.
So if you've invested the resources to do that kind of discovery and red team space, um, go ahead and follow through.
Another key point, don't assume a crack is too small to be noticed or too small to be exploited. So if you go through and do that pen test,
and you say, "We look great on these 97 things, but these three things over here, they're kind of esoteric.
They probably don't matter much. We'll probably ignore them," right? That's what we need. We need that toehold.
We need that first crack, that first seam, um, and we're gonna look and look and look for that esoteric kind of edge case
to break open and crack in. So pay attention to those results. Same thing in this discussion
about -- about the, uh, the -- the temporary security vulnerabilities. So if you own a network,
and you got trouble with an appliance inside your trust zone, inside your network boundary,
and you're talking to the vendor and just can't quite make it work. And they say, "Well, open it up for me.
I'll come in. We'll poke around. We'll take some logs. We'll fix it for you. We'll do it over the weekend. Don't worry," right?
Are you gonna open that door for that 24, 36 hours? So I'll tell you, the nation-state attackers, there's a reason it's called advanced persistent threats
because we'll poke and we'll poke. And we'll wait and we'll wait and we'll wait, right?
We're looking for that opportunity, that opening, and that opportunity to -- to -- to finish the mission.
Another big area, I'd say, in this reconnaissance phase is figuring out about the network boundaries. So I talked earlier about you know the things
you intend to have in your network. We look for the things that are actually in your network. Well, that's becoming harder and harder these days
as the network boundary gets more amorphous, gets more porous or gets more inclusive of other things.
Um, think about trends like bring your own devices, um, Internet of things, work from home access. Um, these have really created situations
where Internet -- interconnected network elements are under varying administration control, right? I even see the case
where leased facilities come with a leased network that is under the control of that -- that physical location
and trusted in Internet... interconnected to your domain, right? So think about the things
that are now a component of your domain, your trust zone. Cloud computing, right?
Cloud computing is really a fancy name for somebody else's computer. If you have your data in the cloud, right,
you're trusting the security protocols, the physical security, all of the other elements of trust in an outside entity,
maybe done right. It may not. You may have varying degrees of understanding about what's inside that cloud.
But they are now part of your risk and liability. So I see growing trends that are really making it hard and diffusing the network boundary.
Um, trust boundaries now extended to partners, um, personal devices, right? All of us love to have our iPhones, Androids,
tablets, devices come and go, right? You're trusting those onto the network. Um, there's even the heating and cooling systems, right?
Other elements of building infrastructure and more. So what are you doing to really shore up the trust boundary around the things you absolutely must defend?
And that, for me, is what it comes down to. Do you really know what the keys to the kingdom are that you must defend, right?
Instrument, defend, pay attention to those crown jewels, um, because that attention and rigor really makes our job hard.
So after reconnaissance, the next phase is getting that initial exploitation. Got to find a way to get energy inside that network.
Can you go ahead and get some opportunity? Um, these things can happen from spear phishing. They can happen from waterholing.
Is there a, uh, weakly defended site that everybody goes to? Um, exploiting a known CVE, right,
there's already a vulnerability, and there's a recipe for exploiting that -- that activity already done.
SQL injection, um, exploiting a zero day, other technologies, ways to get in.
I think a lot of people think, you know, the nation-states, they're running on this engine of zero days.
You go out with your master skeleton key and unlock the door, and you're in. It's not that.
Take these big corporate networks, these large networks, any large network, I will tell you that persistence and focus will get you in,
um, will achieve that exploitation without the zero days. There -- there's so many more vectors
that are easier, less risky, and -- and, quite often, more productive, um, than going down that route.
So to ward off a persistent, um, vector, you really need to invest in continuous defensive work, right, because if the CVE world
is continuously rolling and pumping out new information about cracks and holes in existing products and services,
you've got to be continually updating and defending inside that space. So most -- most intrusions come down
to one of three initial vectors, right? E-mail, where a user opened an e-mail, clicked on something that they shouldn't have.
Um, a website, where they've gotten to a malicious website and they've gone ahead, and it's either executed,
or they've -- they've run content from that website. Or removable media, where a user inserted contaminated media, um,
sometimes even bridging an air gap network, right? But those three are the big three. Where do you need to go in this space?
You really need to get the networks not to rely on the users to automatically make the right decisions.
Um, sometimes even the experts get it wrong. So how can we build and ensure the policies and the technical enforcement
of those written policies keep, uh, accidents and slip-ups from occurring, right, because I don't care how many times you train people
about not clicking on those unsolicited e-mails, um, people do. And even when you get to the nation-state
advanced persistent level, um, sometimes those e-mails can be really well crafted to the point where it's not an unreasonable thing for somebody to click on.
So how do you prevent that from detonating? Can your architecture and your policies defend against those user actions
that are gonna take place? Can they stop those threat vectors because if they can, it really makes my job hard.
So one thing I'd absolutely recommend, um, is things like anti-exploitation features, Microsoft EMET.
Everybody ought to be turning that on, right? It really does slow down, um, the -- the -- the amount of vectors
that are available for something to execute in that space. So I'd look at NSA's Information Assurance Directorate. They have a host mitigation package.
So it's best practices for locking down and mitigating at the host level. Um, EMET is only one of those recommendations.
There's a whole series of things, um, that really do lock things down well. That's the guide. Those are the specifics.
There's not the secret sauce that goes beyond that inside the protection of classified material for the U.S. government, right?
Look at that guide. It really, really is solid. Um, the other thing you've got to do, you've got to take care of --
take advantage of software improvement, right? I -- I mentioned CVEs and vulnerabilities. Boy, if there's a known bug
in a software that's exploitable, um, you ought to be fixing that and getting it off your network. So I think, uh, um, you know,
tip of the hat to the software industry that is making upgrades and automatic patching a background activity
that's beyond the user control. Right? That is an outstanding security practice where it is just taking care of,
every time there is a new, um, there is a newly closed vulnerability, it becomes part of your ecosystem.
That's an outstanding thing. And that cuts down the opportunity window between known vulnerability and execution.
And if that patch window is months or years... um, again, an inexcusable practice. So the other thing I'd encourage is use a secure host baseline.
So, again, that kind of goes like the host mitigation plan, um, the -- the IAD product. Um, secure host baseline is the current best practices
for locking down configurations. Um, again, there's some out on the NSA Information Assurance website to look at.
So I'll tell you, our organization teaches and trains. That's one thing we do really, really well, right?
We institutionalize that knowledge. We teach people to get them to the next level so that they can work and exploit.
So we train best practices. We pass those on. We use those best practices. So I'm gonna use best practices for exploitation.
Are you gonna use best practices for defense? Again, it -- it really comes down to that. If you have something somebody's coming at
and you need to defend it, you need to be looking at what is that apex predator gonna be doing to come after your information?
Um, they're gonna be using the best practices for offense. You've got to be using best practices for defense. In almost any intrusion
at this initial exploitation space, people are trying to get credentials, right? Often legitimate credentials are compromised,
enabling intruders to get in and masquerade as legitimate users, um, coming after the network.
And -- and it's imperative that you have some processes and plans to understand what normal is inside your network.
So if somebody's got credentials, are they operating under the norms for those credentials?
Are they going to the places that they should be? Are they trying things, um, that they shouldn't be doing, right?
Better-defended networks, um, require specific methods for accessing the resources of that network. They -- they monitor credential uses.
They look for anomalous behaviors. Um, two-factor authentication, right, making it that much harder, uh,
to, uh, steal credentials. And -- and it -- it really is important to make sure
that that small crack of a lost credential doesn't get turned into a pivot in a later stage into a large access.
Um, there's been numerous security best practices that have been recommended over the years. Um, but some of the things like making sure
least privilege for accounts, right? There are only a very small handful of accounts that have the keys to the kingdom.
And you only give the privileges needed, um, to specific users. Um, not everybody's happy living in that world, right?
Why can't I have admin to my server or my boxes, those kind of pieces? Those are the kind of wide-ranging credential reuses
that wind up turning into large-scale compromises. Um, segmenting off portions of the networks rarely implemented, whitelisting, things like that.
If you care about your things, consider those, right? They really do make your hard -- Make our life hard.
We also really love it when administrator credentials or other system-wide credentials are hard coded into scripts
or accessible on the devices. You know, so I think people are starting to understand the pass the hash vulnerability, right?
If you haven't learned about that, if you don't know what pass the hash is, go -- go understand it.
So that's something where you can get, you know, uh, a domain credential. And you -- you can grab a credential
and move laterally onto other machines and just pivot like mad throughout the network. So one of the -- the key activities
is really thinking about, um, how you manage those capabilities so that you can protect against, uh,
against pass the hash. I mentioned that if things are hard coded and included in scripts,
you know, they're vulnerable and -- and likely, um, to be pulled. Most of the --
most of the modern protocols these days are not passing credentials in the clear. But do you think nation-states are taking advantage
of the ones that are, right? So you got to look for those older protocols, drive 'em out of your networks.
Um, it -- it -- it's not enough to know about things like pass the hash and making sure that all of the authentications
are done only with more modern protocols that keep the passcodes and passwords out of, uh, out of plaintext.
Um, but think about where you've hard coded and -- and enabled one box to log in through an account to another to do an activity.
Um, it really does make yourself vulnerable. The other big thing I'd recommend, enable those logs but also look at the logs.
You'd be amazed at incident response teams go in and, you know, there's been some tremendous breach. Yep, there it is right there in the logs.
Great. You've got logs. It'll tell you that you've been had. Um, enable those logs. Look at those logs.
I'll tell you, one of our worst nightmares is that out of band network tap that really is capturing all the data,
understanding anomalous behavior going on. And somebody's paying attention to it. So rewind all the way back to the beginning of my talk
where I said you've got to know your network, understand your network because we're going to, right?
Those logs, they are just the rock bottom bedrock foundation of understanding if you've got a problem
or if you've got somebody rattling the doorknobs to give you a problem. All right? So somebody's cracked open the door.
They're -- they're on the threshold. Um, the next thing they've got to do is they want to establish persistence.
It's not good enough just to be in a network. But if -- if you're really there to exploit, you want to dig in, um, and hold, right?
So work happens at this point. Privilege escalate, maybe, so that you can get down some tools,
um, finding run keys, um, getting into scripts, other technologies to ensure that persistence, um,
onto those computers so that you can stay. One of the things we run into here, um, things that have, uh,
implemented application whitelisting makes this world hard. Um, application whitelisting, it is difficult
for generic users in a large network to know exactly what applications you're gonna run, what should be permitted.
There's some good work going on, um, to make this a little more generic and understand what's --
what's routine and what's not inside an organization. But, again, as I said, you know, figure out early what you need to protect,
segment that off. And that's the place you maybe want to think about whitelisting, right?
Make sure that in that space they can't run a piece of malware or something new or unusual. Um, your goal needs to be to --
to restrain that malicious behavior, um, keep it from launching in the interim. So then after you've gotten into the network,
um, install some tools, right? Usually, the first tools down are lightweight, small beaconing things.
Their intent is to establish that beachhead and then bring down the tools that are actually gonna do the work.
Um, so -- so there are things, I think, the AV industry, at times, gets a bad rap for their ability
or inability to keep things off. You know, if your AV is a list of bad things that shouldn't run on your computer, um,
that's not a great technique because that just means the unique thing you need to run on that computer needs to be unique,
and it will never be in that list. Um, but the research and the technology's evolving now where, um,
reputation services are more the -- more the norm. So every piece of, uh, software that wants to execute on your machine
gets hashed, pushed up into the cloud. Um, let me tell you, if you've got a reputation service, and it says that interesting executable
that you think you want to run in the entire history of the Internet has been run one time,
and it's on your machine, be afraid, right, be very afraid. So reputation services are -- are --
are a growing technology, um, that can make our life hard. Similarly, most of these tools
want to talk out to a domain to get those, um, those further modules. Um, they want to talk out, um,
and, uh, and call back home. They want to report success or bring data back. So -- so they'll be wearing a domain name, right?
Reputation services work probably even better in the domain name world, um, because the domain names, um,
if -- it's not enough to block known bad domains, right? That's important. But usually that'll get you the crimeware.
You've got to block the things that are not known good. It's really hard for an exploiter
to get a website created and established that has good reputation. It's not hard to -- to register a domain
and make something call out to it. But -- but if something is evaluating that reputation, and nobody else is going to it,
or the content's stale, it's not updated, um, it will have neutral or negative domain -- neutral or negative reputation.
So, again, reputation services, looking at that, that's a hard thing to overcome in domain names. So after you're in a network,
rarely do you land where you need to be. At this point, it's important to move laterally and find the things you need to find.
So, um, the big question you need to think about is if you have an intrusion somewhere in your network, can you then defend against this lateral movement?
If you think about it, most networks, big castle walls, hard, crunchy outer shell, soft, gooey center.
How do you get to the point where you know you have an intrusion, and you're gonna keep somebody and make it difficult
for them to move from the place they landed, uh, to the -- to the place they need to be?
And so, again, network segmentation, monitoring, uh, caring about your, um,
the accesses that allow these privileges, they're all really important pieces. Um, so advanced attackers really go for the crown jewels, right?
They're gonna go for those domain admins, um, to control the entire network. You really need to limit the administrator privileges,
segment the accesses, enforce two-factor authentication. Um, nothing is really more frustrating to us than to be inside a network,
know where the thing is you need to go get to and not have a path to get over to find that. So the other thing is, um, you know,
poorly considered trust relationships. I talked earlier about the amorphous edge of your networks, um,
allowing any network -- any user or any net computer with, uh, with valid credentials
to access the network from anywhere. Um, that's a poor idea, a huge risk. Better networks employ things
like comply to connect for remote access. Um, they connect, um, and assure the security of the remote connections,
maybe even figuring out physical locations, um, where you're calling from in, um, seeing some really interesting things with dynamic privileges,
thinking about you can access pieces of information from inside your network but not from out,
inside the state but not out. Um, so -- so there's ways to limit and consider the segmentation
in a creative way. Um, if you really want to make my life hard, you segment, you manage the trust
to the most important places. Um, you consider who really needs that trust and who should be able to access those things.
I think another key thought that people don't have is consider how, um, consider that you're already penetrated, right?
Do you have the means and methods to understand if somebody's inside your network? If you -- if you read statistics,
Verizon does a great intrusion report every year. Look at the statistics for how long intrusions go undetected, months or years, right, after people are inside.
So what do you have to understand and contain, um, after that first -- first pieces? Um, so monitoring and detection inside the networks
is just as important as that network boundary. And -- and many networks, they don't have incident responses -- response plans.
And if they do, they rarely exercise them, right? Have you ever seen incident response plan exercised inside your network?
So the Internet of things, the boundary conditions, all bringing things that are probably untrusted inside your network.
Um, why go after the professionally administered enterprise network when people are bringing their home laptops
that their kids were going out and go and downloading Steam games the night before, right, inside your network and trust unit.
What's that trust boundary? Um, and then as we mentioned earlier, the Internet of things,
there is now getting to be a whole SCADA network running in parallel, sometimes interconnected, to your whole corporate network.
Have we thought about those, uh, those security elements? Ron Rivest, you know, made a great point earlier today. Um, have we got those things right?
Do we need to invest more in those -- those technologies to secure and defend there? Absolutely.
So at that point, we own you. All that's left to do is collect, exfil and exploit, right?
So once inside a network, the main focus is getting what you need, getting it out and, uh, leaving undetected.
So data theft is one arena, um, but I challenge you to think about a new one, right? In the wake of Sony attacks,
everybody's got to think about, right, I've got my basket of eggs. I've got my most important things.
I've defended them. I've instrumented them. I've packed them ever so carefully in that bubble wrap and kept it off to the side
with my best security practices. Um, what about the destructive attack? Um, so off-site backups need to be part of your plan.
Figuring out how you're gonna deal with data corruption, data manipulation or data destruction. Um, it -- it really needs to be something
you're thinking about now. Don't be that Saudi Aramco, that Sony, um, that learns about it afterwards and then is improving.
Um, you've got to think about it now. So the other thing I'd point out is you've got to differentiate between the cyber criminals
and the nation-state intruders. So last weekend we had the huge snowstorm on the east coast.
Turns out my neighborhood, in the middle of the night, one guy walked through the neighborhood, came through the whole court,
checking every car door to see what was unlocked. Took anything that wasn't nailed down in unlocked cars. Didn't break a window. Didn't pick a lock.
Just took, opportunistically, whatever he could, right? Um, that's a lot of the Internet malware or badware. It's looking for credit cards
and opportunities to use your machine to send spam and make money, to do CryptoLocker and lock down
and extort you for money. But at that point, um, you know, they're opportunistic. They're looking for the back, weak gazelle in the pack
to pick off, right? If you're looking at the nation-state hackers, we're gonna be persistent.
We're gonna keep coming and coming and coming. So you've got to be defending and improving and defending and improving
and evaluating and improving, right? The static person is gonna float to the back of the pack and not for the crimeware,
but for the nation-state advanced hacker, um, they're gonna find those CVEs, those things that are not patched.
They're gonna find ways in that aren't monitored. They're gonna steal credentials. They're going to get to those pieces.
So don't be that easy mark. Anybody holding up the camera? Who's gonna scan the QR code from the NSA guy?
All right. [ Applause ] So that is a link. It's a real link.
It's not a rickroll, I promise. Trust me. Um, so -- so --
so I'd encourage you to go to the NSA website. There is some awesome material that keeps you from being at the back of the herd, right?
It -- it is tough to defend against that nation-state advanced persistent threat. But -- but you really can make a huge, huge difference.
So you ought to be tightening down and learning some of these lessons, right? So thank you for your time and attention.
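The talk's point about off-site backups and planning for data corruption, manipulation or destruction is easier to act on with a concrete integrity check. The following Python script is an added example, not code from the talk, from Joyce or from NSA: it snapshots a backup set into a SHA-256 manifest, protects that manifest with an HMAC whose key is assumed to be held off-site (so an intruder who can rewrite both the backups and the manifest on the backup server still cannot forge a clean result), and then classifies each file as ok, modified, missing or unexpected. The file names, contents and key are constructed for illustration.

```python
"""Backup integrity check: detect corruption, manipulation and destruction
of a backup set by comparing it against a keyed manifest kept off-site.

Added example, not code from the talk or from NSA. Paths, the key and the
sample files are constructed for illustration.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed verification key. In practice it lives with the off-site copy
# (for example on an offline admin workstation), never on the backup server.
MANIFEST_KEY = b"example-manifest-key-keep-offline"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup artifacts fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each relative file path in the backup set to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict, key: bytes = MANIFEST_KEY) -> str:
    """Keyed MAC over the canonical JSON form of the manifest."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def verify_backup(root: Path, manifest: dict, mac: str, key: bytes = MANIFEST_KEY) -> dict:
    """Classify every file as ok / modified / missing / unexpected and report
    whether the manifest itself still carries a valid MAC."""
    trusted = hmac.compare_digest(sign_manifest(manifest, key), mac)
    current = build_manifest(root)
    result = {"manifest_trusted": trusted, "ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, digest in manifest.items():
        if name not in current:
            result["missing"].append(name)       # data destruction
        elif current[name] != digest:
            result["modified"].append(name)      # corruption or manipulation
        else:
            result["ok"].append(name)
    result["unexpected"] = sorted(set(current) - set(manifest))  # injected content
    return result


def demo() -> dict:
    """Build a constructed backup set, snapshot it, then simulate a modified
    file, a deleted file and an injected file before re-verifying."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'alice');\n")
        (root / "config.yaml").write_bytes(b"retention_days: 90\n")
        manifest = build_manifest(root)
        mac = sign_manifest(manifest)

        # Simulated events on the backup store after the snapshot was taken
        (root / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'mallory');\n")
        (root / "config.yaml").unlink()
        (root / "unexpected_file.bin").write_bytes(b"\x00" * 16)

        return verify_backup(root, manifest, mac)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design choice worth noting is that the manifest and its MAC are meant to travel with the off-site copy, not sit next to the data they protect; a verification run that reports `manifest_trusted: false` means the reference itself has been tampered with and the per-file results cannot be relied on.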
This summary and transcript were automatically generated using AI with the Free YouTube Transcript Summary Tool by LunaNotes.