NSA's TAO Head on Internet Offense and Defense
Rob Joyce, the head of the NSA’s Tailored Access Operations (TAO) group — basically the country’s chief hacker — spoke in public earlier this week. He talked both about how the NSA hacks into networks, and what network defenders can do to protect themselves. Here’s a video of the talk, and here are two good summaries.
- Initial Exploitation
- Establish Persistence
- Install Tools
- Move Laterally
- Collect Exfil and Exploit
The event was the USENIX Enigma Conference.
The talk is full of good information about how APT attacks work and how networks can defend themselves. Nothing really surprising, but all interesting. Which brings up the most important question: why did the NSA decide to put Joyce on stage in public? It surely doesn’t want all of its target networks to improve their security so much that the NSA can no longer get in. On the other hand, the NSA does want the general security of US — and presumably allied — networks to improve. My guess is that this is simply a NOBUS issue. The NSA is, or at least believes it is, so sophisticated in its attack techniques that these defensive recommendations won’t slow it down significantly. And the Chinese/Russian/etc state-sponsored attackers will have a harder time. Or, at least, that’s what the NSA wants us to believe.
Wheels within wheels….
More information about the NSA’s TAO group is here and here. Here’s an article about TAO’s catalog of implants and attack tools. Note that the catalog is from 2007. Presumably TAO has been very busy developing new attack tools over the past ten years.
EDITED TO ADD (2/2): I was talking with Nicholas Weaver, and he said that he found these three points interesting:
- A one-way monitoring system really gives them headaches, because it allows the defender to go back after the fact and see what happened, remove malware, etc.
- The critical component of APT is the P: persistence. They will just keep trying, trying, and trying. If you have a temporary vulnerability — the window between a vulnerability and a patch, temporarily turning off a defense — they’ll exploit it.
- Trust them when they attribute an attack (e,g: Sony) on the record. Attribution is hard, but when they can attribute they know for sure — and they don’t attribute lightly.