(WASHINGTON) — Inside the notoriously secretive National Security Agency is an elite unit made up of some of the best hackers on the planet, charged with breaking into computer networks around the world.
Exactly how the Tailored Access Operations (TAO) cell works is a closely-held secret — despite some recent leaks — but in a rare public appearance, TAO’s chief shed some light on how America’s top cyber spies do their thing.
“If you really want to protect your network, you have to know your network, including all the devices and technology in it,” Rob Joyce, chief of the NSA’s TAO, told an audience at the Usenix Enigma security conference in San Francisco Wednesday, according to a report by London’s The Register. “In many cases we know networks better than the people who designed and run them.”
Joyce’s talk, as described on Enigma’s website, was about “security practices and capabilities that most effectively frustrate people seeking to exploit networks” — people just like him. To talk security, Joyce shared a little bit of TAO’s strategy for beating it, and cyber security experts sat up and listened.
“When the head of the world’s most sophisticated APT [Advanced Persistent Threat] is telling you how they work, you should probably take notes,” tweeted cyber security researcher Dino Dai Zovi.
According to The Register, Joyce said that TAO follows six steps after picking their target: reconnaissance, initial exploitation, persistence, tool installation, lateral movement and, finally, collection and exfiltration of data. In the reconnaissance phase, they’re simply looking for weak points — whether it’s in the architecture of the network or in the people who use it.
“We need that first crack and we’ll look to find it,” he reportedly said. “There’s a reason it’s called an ‘Advanced Persistent Threat’ (APT). We’ll poke and poke and wait and wait until we get in.”
“Don’t assume a crack is too small to be noticed, or too small to be exploited,” he said, according to WIRED. “We need that first crack, that first seam. And we’re going to look and look and look for that esoteric kind of edge case to break open and crack in.”
Joyce didn’t say exactly what TAO does once it’s inside, but Germany’s Der Spiegel reported in December 2013, based on internal NSA documents, that TAO uses a host of tools to extract information and otherwise exploit the system.
In his talk, Joyce also reportedly gave his opinion on so-called zero-day exploits, which target flaws in programs or systems that have not yet been discovered by their vendors and can therefore be exploited before any fix exists. Zero-day exploits are valuable on the black market, according to cyber security experts, and an astounding four were used in the Stuxnet attacks that targeted an Iranian nuclear plant — widely believed to have been a joint U.S.-Israeli operation. But Joyce said zero days are not as big a deal as they’re made out to be.
“A lot of people think that nation states are running their operations on zero days, but it’s not that common,” he said, according to The Register. “For big corporate networks, persistence and focus will get you in without a zero day. There are so many vectors that are easier, less risky, and more productive.”
Joyce claimed the NSA actually knows of very few zero days to exploit.
To protect against hackers, like his own guys, Joyce reportedly listed some best security practices for companies and individuals, including limiting access to data to those who really need it, segmenting networks and making sure a system administrator is there and paying attention to anomalies.
Joyce also addressed the difficulty of attribution in cyber-attacks, but said that if the U.S. government alleges that a nation-state is behind a specific cyber-attack, they are.
“It’s amazing the amount of lawyers that DHS [Department of Homeland Security], FBI and NSA have,” he said, according to WIRED. “So if the government is saying that we have positive attribution too, you ought to book it. Attribution is really, really hard. So when the government’s saying it, we’re using the totality of the sources and methods we have to help inform that. [But] because those advanced persistent threats aren’t going away… we can’t bring all that information to the fore and be fully transparent about everything we know and how we know it.”
Copyright © 2016, ABC Radio. All rights reserved.