Rob Joyce was previously head of the NSA’s Tailored Access Operations (TAO) and is now a member of the White House National Security Council, serving as President Donald Trump’s cybersecurity coordinator. Rob is someone well known to us here at Cyber-Shadow.
In 2016 Rob came out of the shadows and presented “Disrupting Nation State Hackers” at the USENIX Enigma conference in San Francisco. Rob describes the NSA’s TAO organisation as a nation-state exploiter, responsible for breaking into foreign adversaries’ systems. During the talk he provided insight into the strategies nation-state actors (such as the NSA) use to “own” systems.
None of this is new information, but it offers insight into five commonly known cybersecurity strategies, attacks and exploits.
At Cyber-Shadow we have extensive experience with these strategies, which we think of as reconnaissance, initial exploitation, establishing persistence, installing tools, moving laterally, and finally collecting, exfiltrating and exploiting.
1. Reconnaissance
A state-sponsored unit or well-organised cyber-criminal group will typically use every resource available for reconnaissance: private scanning tools as well as open-source (public) information, such as social media, supported by social engineering.
It sounds obvious, but we advise that protecting your infrastructure requires knowing it. Nation-state hackers and professional cyber-criminals have the time and resources to get to know your staff, business relationships, IT infrastructure and security technologies. They often know a target's infrastructure better than its designers, implementers and users. In fact, as Rob noted, there can be a huge difference between what a target thinks it is running and what it is actually running.
When Cyber-Shadow works with clients we are constantly working to reduce their attack surface, performing red-team tests and addressing vulnerabilities, even the esoteric cracks that seem too small to be exploited. Like Rob, we warn against inadvertently creating temporary vulnerabilities, such as opening access to vendors or partners even for a short period of time — “absolutely do not do it”.
With changing technologies, a network's boundaries are much more amorphous, leading to complex trust boundaries. BYOD, the Internet of Things, work from home, mobile, physical access to the network from partners (such as HVAC vendors), and cloud computing all need to be included in risk and liability considerations.
2. Initial exploitation
Professional cyber-criminals’ favourite tools for initial exploitation include watering holes, spear-phishing, software or application security vulnerabilities (such as SQL injection and cross-site scripting), removable media to cross air gaps, and published CVEs (Common Vulnerabilities and Exposures). Persistence and focus are critical to the strategy. Zero-day exploits are reserved as a last resort, and are not often required. It’s a bit like approaching a house: if someone has enough persistence, eventually they will get in.
It’s amazing how often simple issues come up and allow access to target networks. Administrator credentials are left embedded in scripts, networks go unsegmented, and suspicious activity reported in network logs is missed.
At Cyber-Shadow we specialise in continuous defensive work such as CVE patching and security assurance. Given the sophistication of attacks, be they well-crafted phishing emails or watering holes, and the potential for accidental slip-ups, it is necessary to implement security controls that do not rely on clients to do the right thing.
3. Establish persistence
The strategy of a well-organised cyber-criminal group, such as those responsible for the NHS attacks, is to dig in and hold on. A primary tactic is privilege escalation — domain admin privileges in particular — and embedding in the environment by whatever method is possible, including run keys or installation in scripts. Often the first installs are lightweight beaconing software, which then downloads additional exploit tools.
4. Lateral movement
The next step is to expand the foothold in the target environment. It is so often easy to make mistakes and leave admin credentials hard-coded or accessible on the system; the pass-the-hash technique — an exploit that is over 15 years old — is used to grab credentials and pivot through the network. Attackers also look for older protocols that still pass authentication in clear text.
Cyber-Shadow recommends log management and monitoring. The logs can tell you when your environment has been exploited. Logs are the bedrock of understanding whether you have a problem, or whether someone is rattling the door to give you one.
Additionally, we’ve created tools and techniques for behaviour analytics (user, network, and application) — establishing a baseline and then having the tools to know when unusual activity is happening.
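As an added illustration (not code from the original post or from Rob's talk), the following is a small baseline-and-deviation detector over constructed authentication events, showing the kind of monitoring described above: it learns which source-to-destination logon paths each account normally uses, then flags new paths, clear-text authentication protocols, and a single account fanning out to several hosts within a short window, the pattern credential harvesting and pivoting leave in logs. The event format, host names, account names and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CLEARTEXT = {"telnet", "ftp", "http-basic"}   # protocols that pass credentials in the clear
CUTOFF = datetime(2017, 5, 7)                  # events before this date form the baseline

EVENTS = [  # constructed sample events (not real logs): (timestamp, user, src host, dst host, protocol)
    ("2017-05-01T09:00:00", "alice", "WS-ALICE", "FILESRV01", "Kerberos"),
    ("2017-05-02T10:00:00", "svc_backup", "BACKUP01", "FILESRV01", "Kerberos"),
    ("2017-05-03T09:00:00", "alice", "WS-ALICE", "FILESRV01", "Kerberos"),
    # observation period: a service account used from a workstation against four hosts in 90 seconds
    ("2017-05-08T02:01:00", "svc_backup", "WS-ALICE", "FILESRV01", "NTLM"),
    ("2017-05-08T02:01:30", "svc_backup", "WS-ALICE", "DC01", "NTLM"),
    ("2017-05-08T02:02:00", "svc_backup", "WS-ALICE", "HR-DB01", "NTLM"),
    ("2017-05-08T02:02:30", "svc_backup", "WS-ALICE", "FIN-APP01", "NTLM"),
    ("2017-05-08T03:00:00", "bob", "WS-BOB", "LEGACY01", "telnet"),
    ("2017-05-08T09:00:00", "alice", "WS-ALICE", "FILESRV01", "Kerberos"),  # normal: matches baseline
]

def parse(ev):
    ts, user, src, dst, proto = ev
    return datetime.fromisoformat(ts), user, src, dst, proto.lower()

def build_baseline(events, cutoff):
    # Per-user set of (source, destination) pairs observed during the baseline period
    seen = defaultdict(set)
    for ts, user, src, dst, _ in map(parse, events):
        if ts < cutoff:
            seen[user].add((src, dst))
    return seen

def detect(events, cutoff, fanout=3, window=timedelta(minutes=5)):
    # Returns (user, host, reason) alerts for events at or after the cutoff
    baseline = build_baseline(events, cutoff)
    recent = defaultdict(list)   # (user, src) -> [(ts, dst)] inside the sliding window
    reported, alerts = set(), []
    for ts, user, src, dst, proto in sorted(map(parse, events)):
        if ts < cutoff:
            continue
        if proto in CLEARTEXT:
            alerts.append((user, dst, "clear-text authentication (%s)" % proto))
        if (src, dst) not in baseline.get(user, set()):
            alerts.append((user, dst, "path %s -> %s not in baseline" % (src, dst)))
        key = (user, src)
        recent[key] = [(t, d) for t, d in recent[key] if ts - t <= window] + [(ts, dst)]
        targets = {d for _, d in recent[key]}
        if len(targets) >= fanout and key not in reported:   # one account fanning out from one host
            reported.add(key)
            alerts.append((user, src, "fan-out to %d hosts within %s" % (len(targets), window)))
    return alerts
```

On the sample data, alice's routine logon produces nothing, while the service account's workstation-origin NTLM logons and bob's telnet session each raise alerts.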
5. Own: Collect, exfiltrate and exploit
Once a cyber-criminal owns the environment, their goal may be data theft, destructive behaviour, data corruption, or data modification. Attacks can be persistent from well organised hacking groups — both in attacking and in hanging on once inside the environment.
A few key considerations to prevent being exploited by nation-state hackers or cyber-criminals are well-developed trust relationships, multi-factor authentication, software assurance, log monitoring, behaviour analytics, network access control (including geolocation), data security, dynamic access restrictions and network segmentation. Also, have an incident response plan in place and tested, including business continuity plans with tested backup and recovery.
Here at Cyber-Shadow we can provide this for our clients.
Here's Rob Joyce speaking at the USENIX Enigma conference: