Presentation Review: Disrupting Nation State Hackers

Recently, the NSA TAO Chief gave a presentation about defensive strategies from the perspective of a practicing state attacker. While public attention has been drawn to the speaker’s position, from the point of view of a beginner in security practice, I find it informative for both the offensive and the defensive side. It pointed out some places worth looking at during a penetration test. This is a noted script of the presentation, as all related articles just picked some quotes but didn’t tell the whole story.

  • Video:
  • Slides: https://www.usenix.org/sites/default/files/conference/protected-files/enigma_slides_joyce.pdf

His advice:

If you really want to protect your network, you really have to know your network. You have to know the devices, the security, technologies and the things inside it. We put the time in to know that network … to know it better than the people who designed it and the people who are securing it. And that’s the bottom line.

The rest of the speech:

So if you think about what goes into an intrusion,

He then started to talk about the things that they focus on, and you can break the chain throughout that compromise by disrupting the transitions between these elements: slide2.

Somebody’s got to go out and understand the target. It starts with simple thing like scanning. Go out and physically scan the actual target. There’s understanding important people or email addresses from that activity. Going out and looking at the open-source information about that target. So it really is, what can you learn, what can you understand? As he said earlier, their key to success is knowing that network better than the people who set it up, so the reconnaissance phase is really important:

Intrusion Phase 1 - RECONNAISSANCE

So another key point inside this, you know the technologies you intended to use in that network, we know the technologies that are actually in use in that network. (You know what you intended to use, we know what’s actually in use inside there.)

When we look at that, we will learn the security functionality of the devices inside that network. We’ll study them, understand them, find the vulnerabilities. In fact, we’ve got people who will know the security functionalities of those devices better than the people who developed the actual device. So they won’t know the whole product, they won’t know every feature that those developers had. But they’ll understand the security technologies, and they’ll bring that expertise at a very, very deep level. Inside that, it’s minus attention to detail, inside that security layer. Again, knowing the network, knowing that space. (We apply the focus and energy to look at those details) Will you as people who have important things to protect and hold dear, will you put in the energy to understand the network, understand the devices and configuring and use them in the proper way that would prevent exploitation?

There’s a foundational piece of advice to countering these kinds of threats. You’ve got to have procedures to evaluate what you’ll use, what you’ll install, you’ve got to lock down and disable those things that you’re not using. (Reduce the attack surface) It’s not a new or amazingly insightful piece of advice, but you’d be surprised about the things that are running on a network, versus the things that you think are supposed to be there. So what can you do to understand that exposure surface? Red team network, bring in pen testers, poke and prod it, just like an adversary will do, to find out what’s inside that space, find out what’s exploitable. Well-running networks really do make our job hard. So if you go to the trouble of understanding what’s inside a network, you run that pen test, you’ve got those results, act on it. So NSA, in our information assurance side, will do red team testing against government networks. So we’ll inevitably find things that are misconfigured, things that shouldn’t be set up inside that network, holes and flaws, and we’ll produce reports telling the network owner things they need to fix. Cycle comes around to the point where we’ve got to get back and redo a red team against that same network, it is not uncommon for us to find the same security flaws that were in that original report. That’s the first place we go is to the original report, did the things we pointed out previously get fixed? So inexcusable, inconceivable, but returning a couple of years later, the same holes and vulnerabilities exist. I’ve seen it in the corporate sector, in the targets. People tell you you’re vulnerable in a space, close it down and lock it down.

If you’ve invested the resources to do that kind of discovery and red team space, go ahead and follow through.
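As an added example (not part of the talk or the original post), here is one way to check the two points above: what is actually listening versus what the inventory says, and whether findings from the previous red-team report are still reachable. All hosts, ports and findings are constructed sample data, and the function names are hypothetical.

```python
from dataclasses import dataclass

# All hosts, ports and findings below are constructed sample data.
# Intended inventory: the services the owner believes are exposed.
INTENDED = {
    ("10.0.1.10", 443): "intranet web",
    ("10.0.1.20", 22): "admin jump host",
    ("10.0.1.30", 5432): "database",
}

# Listeners seen by the latest authorized scan of the same range.
OBSERVED = {
    ("10.0.1.10", 443),
    ("10.0.1.10", 23),
    ("10.0.1.20", 22),
    ("10.0.1.40", 3389),
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    issue: str


# Findings carried over from the previous red-team report.
PREVIOUS_REPORT = [
    Finding("10.0.1.10", 23, "telnet management interface enabled"),
    Finding("10.0.1.30", 21, "anonymous FTP"),
]


def unexpected_services(intended, observed):
    """Listening services that nobody put in the inventory."""
    return sorted(observed - set(intended))


def unconfirmed_services(intended, observed):
    """Inventory entries the scan did not see: stale records or filtered paths."""
    return sorted(set(intended) - observed)


def repeat_findings(previous, observed):
    """Earlier findings whose service is still reachable and needs re-verifying."""
    return [f for f in previous if (f.host, f.port) in observed]


def review(intended, observed, previous):
    """Bundle the three checks into one report for the network owner."""
    return {
        "unexpected": unexpected_services(intended, observed),
        "unconfirmed": unconfirmed_services(intended, observed),
        "repeat": repeat_findings(previous, observed),
    }


if __name__ == "__main__":
    for section, items in review(INTENDED, OBSERVED, PREVIOUS_REPORT).items():
        print(section)
        for item in items:
            print("   ", item)
```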

Another key point, don’t assume a crack is too small to be noticed, or too small to be exploited … We need that first crack, that first seam, and we’re gonna look and look and look for that esoteric kind of edge case, to break open and crack in. So pay attention to those results.

Same thing in this discussion about the temporary security vulnerabilities. So if you own a network, and you got trouble with an appliance inside your trust zone, inside your network boundary, and you’re talking to the vendor and just can’t make it work. And they say, ‘well, open it up for me, I’ll come in, we’ll poke around, we’ll take some logs, we’ll fix it for you. We’ll do it over the weekend, don’t worry.’ The nation-state attackers, there’s a reason it’s called advanced persistent threats, because we’ll poke and we’ll poke and we’ll wait and we’ll wait and we’ll wait. We’re looking for that opportunity that opening and that opportunity to finish the mission.

Another big area in the reconnaissance phase, is figuring out about the network boundaries. So I talked earlier about you know the things you intend to have in your network. We look for the things that are actually in your network. That’s becoming harder and harder these days as the network boundary gets more amorphous, gets more porous, or gets more inclusive of other things. Think about trends like bring your own devices, Internet of things, work from home access. These have really created situations where interconnected network elements are under varying administration control. I even see the case where leased facilities come with a leased network that is under the control of that physical location and trusted and interconnected to your domain. Think about the things that are now components of your domain, your trust zone. Cloud computing is really a fancy name for somebody else’s computer.

If you have your data in the cloud, you’re trusting the security protocols, the physical security, all of the other elements of trust in an outside entity. Maybe done right, it may not, you may have varying degrees of understanding about what’s inside that cloud. But they are now part of your risk and liability.

I see a growing trend that are really making it hard and diffusing the network boundary. Trust boundaries now extended to partners, personal devices (iPhones, Androids, tablets). Devices come and go. You’re trusting those onto the network. There’s even the heating and cooling systems. Other elements of building infrastructure and more. So what are you doing to really shore up the trust boundary around the things you absolutely must defend. And that for me, is what it comes down to, do you really know what the keys to the kingdom are that you must defend. Instrument, defend, pay attention to those crown jewels, because that attention and rigor really makes our job hard.

So after reconnaissance, the next phase is getting that initial exploitation. Got to find a way to get energy inside that network. Can you go ahead and get some opportunity? These things can happen from spear phishing, water holing. Is there a weakly defended site that everybody goes to?

Intrusion Phase 2 - INITIAL EXPLOITATION

Exploiting a known CVE, there’s already a vulnerability and there’s a recipe for exploiting that activity already done. SQL injection, exploiting a 0 day, other technologies, ways to get in.

A lot of people think the nation states are running on this engine of 0 days, you go out with your master skeleton key and unlock the door and you’re in. It’s not that. Take these big corporate networks, these large networks, any large network. I will tell you that persistence and focus will get you in, will achieve that exploitation without the 0 days. There’s so many more vectors that are easier, less risky and quite often more productive than going down that route.

To ward off a persistent actor, you really need to invest in continuous defensive work. Because if the CVE world is continuously rolling and pumping out new information about cracks and holes in existing products and services. You’ve got to be continually updating and defending inside that space.

Most intrusions come down to one of three initial vectors: Email, where a user opened an email, clicked on something that they shouldn’t have. A website, where they’ve gotten to a malicious website and they’ve gone ahead and it’s either executed, or they’ve run content from that website. Removable media, where user inserted contaminated media, sometimes even bridging an air gap network, but those three are the big three.

Where do you need to go in this space? You really need to get the networks, not to rely on the users to automatically make the right decisions, sometimes even the experts get it wrong. So how can we build and ensure the policies and the technical enforcement of those written policies keep accidents and slip ups from occurring, because I don’t care how many times you train people about not clicking on those unsolicited emails, people do. And even when you get to the nation state advanced persistent level, sometimes those emails can be really well crafted to the point where it’s not an unreasonable thing for somebody to click on. So how do you prevent that from detonating? Can your architecture and your policies defend against those user actions that are gonna take place? Can they stop those threat vectors? Because if they can, it really makes my job hard.

So one thing I’d absolutely recommend, is things like anti-exploitation features, Microsoft EMET, everybody ought to be turning that on. It really does slow down the amount of vectors that are available for something to execute in that space. So I’d look at NSA’s information assurance directorates, they have a host mitigation package, so it’s best practices for locking down and mitigating at the host level. EMET is only one of those recommendations, there’s a whole series of things that really do lock things down well.

That’s the guide, those are the specificity. There’s not the secret sauce that goes beyond that inside the protection of classified material for the U.S. government. Look at that guide, it really really is solid. The other thing you’ve got to take advantage of software improvement, I mentioned CVEs and vulnerabilities. If there’s a known bug in a software that’s exploitable, you ought to be fixing that and getting it off your network. Tip of the hat to the software industry that is making upgrades and automatic patching, a background activity that’s beyond the user control, that is an outstanding security practice, where it is just taking care of every time there is a newly closed vulnerability, it becomes part of your ecosystem. That’s an outstanding thing. And that cuts down the opportunity window between known vulnerability and execution. And if the patch window is months or years, an inexcusable practice. So the other thing I’d encourage is use a secure host baseline. That kind of goes like the host mitigation plan, the IAD product. Secure host baseline is the current best practices for locking down configurations.

Our organization teaches and trains, that’s one thing we do really really well, we institutionalise that knowledge, we teach people to get them to the next level, so that they can work and exploit. So we train best practices, we pass those on, we use those best practices. So I’m gonna use best practices for exploitation, are you gonna use best practices for defence? It really comes down to that. If you have something somebody’s coming at, and you need to defend it, you need to be looking at what is that apex predator gonna be doing to come after your information. They’re gonna be using the best practices for offence, you’ve got to be using best practice for defence.

In almost any intrusion at this initial exploitation space, people are trying to get credentials. Often legitimate credentials are compromised, enabling intruders to get in and masquerade as legitimate users coming after the network. And it’s imperative that you have some processes and plans to understand what normal is inside your network. So if somebody’s got credentials, are they operating under the norms for those credentials? Are they going to the places that they should be? Are they trying things that they shouldn’t be doing? Better defended networks require specific methods for accessing the resources of that network, they monitor credential uses, they look for anomalous behaviors, two-factor authentication - making it that much harder to steal credentials. It really is important to make sure that small crack of a lost credential doesn’t get turned into a pivot in a later stage into a large access.
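As an added example (not part of the talk or the original post), the following sketch shows what "operating under the norms for those credentials" can look like as detection logic: build a per-account baseline of source hosts, destinations and working hours from past logons, then list how each new logon deviates. The event tuples, host names and the two-hour tolerance are assumptions made up for the illustration.

```python
from collections import defaultdict

# Constructed authentication events: (account, source host, destination, hour 0-23).
HISTORY = [
    ("alice", "ws-017", "files01", 9),
    ("alice", "ws-017", "mail01", 10),
    ("alice", "ws-017", "files01", 14),
    ("svc-backup", "bkp01", "files01", 2),
    ("svc-backup", "bkp01", "db01", 2),
]

NEW_EVENTS = [
    ("alice", "ws-017", "files01", 11),    # within the norm
    ("alice", "ws-017", "dc01", 3),        # new destination at an odd hour
    ("svc-backup", "ws-044", "db01", 2),   # service account used from a workstation
    ("bob", "ws-090", "files01", 9),       # account with no history at all
]


def build_baseline(events):
    """Record, per account, where it logs on from, what it reaches, and when."""
    baseline = defaultdict(lambda: {"sources": set(), "dests": set(), "hours": set()})
    for account, src, dst, hour in events:
        entry = baseline[account]
        entry["sources"].add(src)
        entry["dests"].add(dst)
        entry["hours"].add(hour)
    return dict(baseline)


def hour_gap(a, b):
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def deviations(event, baseline, hour_tolerance=2):
    """Return the ways one logon departs from the account's baseline."""
    account, src, dst, hour = event
    norm = baseline.get(account)
    if norm is None:
        return ["no-baseline"]
    reasons = []
    if src not in norm["sources"]:
        reasons.append(f"new-source:{src}")
    if dst not in norm["dests"]:
        reasons.append(f"new-destination:{dst}")
    # Unusual only if the hour is far from every hour seen before.
    if all(hour_gap(hour, seen) > hour_tolerance for seen in norm["hours"]):
        reasons.append(f"unusual-hour:{hour}")
    return reasons


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for ev in NEW_EVENTS:
        print(ev, deviations(ev, base) or "ok")
```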

There’s been numerous security best practices that have been recommended over the years, but some of the things like making sure least privileges for accounts, there’re only a very small handful of accounts that have the keys to the kingdom. And you only give the privileges needed to specific users. Not everybody’s happy living in that world, why can’t I have admin to my server or my boxes, those kind of pieces, those are the kind of wide-ranging credential reuses that wind up turning into large-scale compromises. Segmenting off portions of the networks rarely implemented, whitelisting, things like that. If you care about your things, consider those, they really do make our life hard.

We also really love it when administrator credentials or other system-wide credentials are hard coded into scripts, or accessible in the devices. People are starting to understand the pass the hash vulnerability. If you haven’t learned about that, go understand it. That’s something where you can get a domain credential, and you can grab a credential and move laterally onto other machines and just pivot like mad throughout the network. One of the key activities is really thinking about how you manage those capabilities so that you can protect against pass the hash.

I mention that if things are hard coded and included in scripts, they’re vulnerable and likely to be pulled. Most of the modern protocols these days are not passing credentials in the clear. But do you think nation states are taking advantages of the ones that are? So you got to look for those older protocols, drive them out of your networks. It’s not enough to know about things like pass the hash and making sure that all of the authentications are done only with more modern protocols that keep the passcodes and passwords out of plaintext. But think about where you’ve hard coded and enabled one box to log in through an account to another to do an activity. It really does make yourself vulnerable.
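As an added example (not part of the talk or the original post), a small audit script for the two points above: credentials hard coded into scripts, and older protocols that pass credentials in the clear. The rule names, the patterns and the sample script are constructed for the illustration; the patterns are triage heuristics and the report deliberately lists only line numbers and rule names so the secret itself is not copied into the output.

```python
import re

# Heuristic rules for triage; tune them to the scripts in your own environment.
RULES = [
    # A password-like name assigned a literal value (variable references are skipped).
    ("hardcoded-password", re.compile(
        r"(?i)(?:password|passwd|pwd|secret)\s*[=:]\s*['\"]?[^\s'\"$]{4,}")),
    # user:password@ embedded in a URL.
    ("credentials-in-url", re.compile(
        r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@")),
    # Older protocols that send logins in plaintext.
    ("cleartext-protocol", re.compile(
        r"(?i)\b(?:telnet|ftp|rsh|rlogin)\b")),
]

# Constructed sample script; every value in it is made up.
SAMPLE_SCRIPT = "\n".join([
    "#!/bin/sh",
    "# nightly copy job",
    'DB_PASSWORD="Summer2016!"',
    'PASSWORD="$VAULT_SECRET"',
    "curl -s ftp://backup:hunter22@files01.example/dump.sql -o /tmp/dump.sql",
    "telnet router01 23",
    "ssh deploy@app01 'systemctl restart app'",
])


def scan(text):
    """Return (line number, rule name) for every rule that fires on a line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip comments and the shebang line
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, rule))
    return findings


if __name__ == "__main__":
    for lineno, rule in scan(SAMPLE_SCRIPT):
        print(f"line {lineno}: {rule}")
```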

The other big thing I’d recommend, enable those logs but also look at the logs, you’d be amazed at incident response teams go in and there’s been some tremendous breach. Yep, there it is, right there in the logs. You’ve got logs, it’ll tell you that you’ve been had. Enable those logs, look at those logs. One of our worst nightmares is that out-of-band network tap that really is capturing all the data, understanding anomalous behavior going on, and somebody’s paying attention to it. So rewind all the way back to the beginning of my talk, where I said you’ve got to know your network, understand your network, because we’re going to. Those logs, they’re just the rock bottom bedrock foundation of understanding. If you’ve got a problem, or if you’ve got somebody rattling the doorknobs to give you a problem.

Intrusion Phase 3 - ESTABLISH PERSISTENCE

So somebody’s cracked open the door, they’re on the threshold. The next thing they’ve got to do is they want to establish persistence. It’s not good enough just to be in a network, but if you’re really there to exploit, you want to dig in and hold. So work happens at this point, privilege escalate, maybe, so you can get down some tools, finding run keys, getting into scripts, other technologies to ensure that persistence onto those computers so that you can stay. One of the things we run into here, things that have implemented application whitelisting, makes the world hard. Application whitelisting, it is difficult for generic users in a large network to know exactly what applications you’re gonna run, where should be permitted. There’s some good work going on to make this a little more generic and understand what’s routine and what’s not inside an organization. But again, figure out early what you need to protect, segment that off, and that’s maybe the place you want to think about whitelisting. Make sure that in that space they can’t run a piece of malware something new or unusual. Your goal needs to restrain that malicious behavior, keep it from launching in the interim.

Intrusion Phase 4 - INSTALL TOOLS

So then after you’ve gotten into the network, install some tools. Usually the first tools down are lightweight, small beaconing things. Their intent is to establish that beachhead and then bring down the tools that are actually gonna do the work. So there are things the AV industry at times gets a bad rap for their ability/inability to keep things off. If your AV is a list of bad things that shouldn’t run on your computer, that’s not a great technique, because that just means the unique thing you need to run on that computer needs to be unique and it will never be in that list.

But the research and the technology’s evolving now, where reputation services are more the norm. So every piece of software that wants to execute on your machine gets hashed, pushed up into the cloud. If you’ve got a reputation service, and it says that interesting executable that you think you want to run in the entire history of the Internet has been run one time, and it’s on your machine, be afraid, be very afraid. So reputation services are a growing technology, that can make our life hard. Similarly, most of these tools want to talk out to a domain to get those further modules, they want to talk out and call back home. They want to report success or bring data back. So they’ll be wearing a domain name, reputation services work probably even better in the domain name world, because it’s not enough to block known bad domains. That’s important, but usually that gets you the crimeware; you’ve got to block the things that are not known good. It’s really hard for an exploiter to get a website, created and established that has good reputation. It’s not hard to register a domain and make something call out to it. But if something is evaluating that reputation, and nobody else is going to it, or the content’s stale, it’s not updated, it will have neutral or negative reputation. So again, reputation services, looking at that. That’s a hard thing to overcome in domain names.

Intrusion Phase 5 - MOVE LATERALLY

So after you’re in a network, rarely do you land where you need to be. At this point, it’s important to move laterally, and find the things you need to find. So the big question you need to think about is if you have an intrusion somewhere in your network, can you then defend against this lateral movement? If you think about it, most networks, big castle walls, hard, crunchy outer shell, soft gooey center. How do you get to the point where you know you have an intrusion, and you’re gonna keep somebody and make it difficult for them to move from the place they landed to the place they need to be? And again, network segmentation, monitoring, caring about the accesses that allow these privileges, they’re all really important pieces. So advanced attackers really go for the crown jewels, they’re gonna go for those domain admins to control the entire network. You really need to limit the administrator privileges, segment the accesses, enforce two-factor authentication. Nothing is really more frustrating to us, than to be inside a network, know where the thing is you need to go get to and not have a path to get over to find that.

The other thing is poorly considered trust relationships. I talked earlier about the amorphous edge of your networks. Allowing any network, any user or any net computer with valid credentials to access the network from anywhere, that’s a poor idea, a huge risk. Better network employs things like comply to connect for remote access. They connect and assure the security of the remote connections, maybe even figuring out physical locations, where you’re calling from in seeing some really interesting things with dynamic privileges. Thinking about you can access pieces of information from inside your network but not from out, inside the state but not out. There are ways to limit and consider the segmentation in a creative way. If you really want to make my life hard, you segment, you manage the trust to the most important places, you consider who really needs that trust, and who should be able to access those things. I think another key thought that people don’t have is consider that you’re already penetrated, do you have the means and methods to understand if somebody’s inside your network? If you read statistics, Verizon does a great intrusion report every year, look at the statistics for how long intrusions go undetected, months or years after people are inside. So what do you have to understand and contain after that first piece? So monitoring and detection inside the networks is just as important as that network boundary. And many networks don’t have incident response plans, if they do they rarely exercise them. Have you even seen incident response plan exercised inside your network?

The Internet of things, the boundary conditions, all bringing things that are probably untrusted inside your network. Why go after the professionally administered enterprise network, when people are bringing their home laptops that their kids were going out and downloading Steam games the night before? Inside your network and trust unit. What’s that trust boundary?

As we mentioned earlier, the Internet of things, there is now getting to be a whole SCADA network running in parallel. Sometimes interconnected to your whole corporate network. Have we thought about those security elements? Ron Rivest made a great point earlier today. Have we got those things right? Do we need to invest more in those technologies to secure and defend there? Absolutely.

Intrusion Phase 6 - COLLECT, EXFIL AND EXPLOIT

So at that point, we own you. So once inside a network, the main focus is getting what you need, getting it out and leaving undetected. So data theft is one arena but I challenge you to think about a new one. In the wake of Sony attack, everybody’s got to think about, I’ve got my basket of eggs, I’ve got my most important things, I’ve defended them, I’ve instrumented them. I’ve packed them ever so carefully in that bubble wrap and kept it off to the side with my best security practices. What about the destructive attack? So off-site backups need to be part of your plan, figuring out how you’re gonna deal with data corruption, data manipulation or data destruction. It really needs to be something you’re thinking about now. Don’t be that Saudi Aramco, that Sony that learns about it afterwards, and then is improving. You’ve got to think about it now.

The other thing I’d point out is you’ve got to differentiate between the cyber criminals and the nation state intruders. So last weekend we had the huge snowstorm on the east coast. Turns out my neighborhood, in the middle of the night, one guy walked through the neighborhood, came through the whole court, checking every car door to see what was unlocked, took anything that wasn’t nailed down in unlocked cars. Didn’t break a window, didn’t pick a lock. Just took opportunistically whatever he could. That’s a lot of the Internet malware or badware, it’s looking for credit cards and opportunities to use your machine to send spam and make money to do crypto locker and lock down and extort you for money. But at that point, they’re opportunistic, they’re looking for the back, weak gazelle in the pack to pick off. If you’re looking at the nation state hackers, we’re gonna be persistent, we’re gonna keep coming and coming and coming. So you’ve got to be defending and improving, and defending and improving, and evaluating and improving. The static person is gonna float to the back of the pack and not for the crimeware. But for the nation state advanced hacker, they’re gonna find those CVEs, those things that are not patched. They’re gonna find ways in that aren’t monitored, they’re gonna steal credentials, they’re going to get to those pieces. So don’t be that easy mark.

Last Edited: <15-02-2016 22:25>