The NSA's Worst Nightmare

"That out-of-band network tap that someone's actually paying attention to..."

Rob Joyce presents the NSA's 7 phases of network intrusion Rob Joyce explains the NSA's 7 steps to breach a network.

The NSA doesn't speak out too frequently about how they go about hacking networks, so when they do, we like to hear what they have to say.

Rob Joyce, a 25-year NSA veteran with the incredibly boring title of Chief of Tailored Access Operations, gave a talk titled "Disrupting Nation State Hackers" at the 2016 USENIX Enigma conference. Most of what he said was just reiterating security best practices that anyone in this field should know, but there were a couple of money quotes in the talk that were so good we need to pick them apart a little more.

These are statements from the top of the NSA's nation-state hacking food chain that strongly indicate that visibility into the network is the linchpin of any effort to protect against advanced, persistent threats. Anyone who isn't prioritizing network visibility is going to end up at the back of the pack, or in the headlines for a massive data breach.

Let's start with my favorite:

"One of our worst nightmares..."

"One of our worst nightmares is that out-of-band network tap that really is capturing all the data, understanding anomalous behavior that's going on, and someone's paying attention to it. You've gotta know your network. Understand your network, because we're going to." — Rob Joyce

Joyce is getting at something that is so crucial to the future of IT security that it needs to be said repeatedly, like a mantra for survival in the new world of IT security: Visibility comes first!

The out-of-band network tap that Joyce describes is exactly what a product like ExtraHop delivers. Why does the NSA fear this type of observation? Because they can't hide from it and can't turn it off. Unlike logs, which can be deleted or turned off, wire data is empirical. You know something happened because you saw it on the wire.

"Our key to success..."

"Our key to success is knowing that network better than the people who set it up." — Rob Joyce

If the NSA can see into your network better than you can, you're done for. Real-time visibility is the only way to keep control of your network, the devices that connect to it, the encryption and protocols used, the whitelisted applications … everything. If you can't see it, you can't do anything about it, and that makes it a vulnerability that the NSA or another threat actor can exploit.

This is a point that Joyce makes over and over and over in his talk, and he perfectly sums it up in this quote:

"If you really want to protect your network, you really have to know your network. You have to know the devices, the security technologies, and the things inside it. Why are we successful? We put the time in to know that network, we put the time in to know it better than the people who designed it and the people who are securing it, and that's the bottom line." — Rob Joyce

Another major point Joyce makes is that hackers don't need zero days or advanced tactics to exploit you if you leave basic flaws in your system. Why break a window when the front door's unlocked?

"Persistence and focus will get you in."

"I think a lot of people think the nation states are running on an engine of zero days. You go out with your master skeleton key and unlock the door and you're in. It's not that. Take these big corporate networks, these large networks. Any large network. I'll tell you that persistence and focus will get you in, will achieve that exploitation without the zero-days. There's so many more vectors that are easier, less risky, and often more productive." — Rob Joyce

What is Joyce saying here? He's saying that basic issues—unpatched servers, default passwords, poor encryption—are more likely to be vulnerabilities that the NSA can exploit than any kind of unique malware or zero day exploit. Keeping your day-to-day operations locked down is more important than trying to be ready for the next big zero day.

The last point Joyce makes is an incredibly potent one that drives right back to his overall message of "visibility-first."

"Can you defend against lateral movement?"

"After you're in a network, rarely do you land where you need to be. At this point, it's important to move laterally and find the things you need to find. The big question you need to think about is, if you have an intrusion somewhere in your network, can you then defend against this lateral movement?

If you think about it, most networks have big castle walls, hard crunchy outer shell, soft gooey center. How do you get to the point where you know you have an intrusion and you're going to make it difficult for them to move from the place they landed to the place they need to be?" — Rob Joyce

Well? Can you see those intrusions, and see where they try to go next? Do you have the visibility into the East-West traffic that Joyce describes as being so crucial to stopping advanced, persistent threat actors from exploiting you?

ExtraHop can give it to you. Our platform auto-discovers and classifies every device, every interface, and every application that touches your network, and can observe and analyze ever transaction in real time. We give you all the information you need to stay one step ahead of anyone who might be trying to break into your network.

Read our security operations use cases or try our free demo to see how.

Watch Joyce's whole presentation from the USENIX Enigma conference here. It is half an hour long, and worth every second of your time.

Subscribe to our Newsletter

Get the latest from ExtraHop delivered straight to your inbox.