WASHINGTON, Oct. 20, 2016 — In the wake of major intrusions into U.S. government computer networks over the last 24 months, the National Security Agency’s deputy national manager for national security systems outlined his agency’s role in developing cyber defense mitigations, and its critical response to public- and private-sector cyber incidents.
During his remarks Oct. 18 at the American Enterprise Institute, Curt Dukes offered an inside look at NSA’s incident-response work, and described the agency’s way ahead in improving government cyber defense in the aftermath of intrusions at the Office of Personnel Management, State Department, DoD’s Joint Staff and two commercial companies that conducted background checks for the U.S. government.
“The adversary took advantage of poorly secured, poorly patched systems,” Dukes said. “Once they had that initial foothold, they elevated privileges and then moved to mission objective, which was exfiltration of personally identifiable information, exfiltration of intelligence, or in some cases, the actual destruction of the host.”
Raising Costs to Adversaries
With so much at stake, Dukes said U.S. vigilance of computer networks is vital, and ultimately needs to stack the odds against cyber attackers.
“[An adversary] could easily attack us [and] achieve mission objective … so I want to raise the cost to the adversary,” he said. “By the time we actually respond to an intrusion — it takes hours to days — by then, in cyber time, an adversary has already met their objective.”
Dukes explained typical cyberattack life cycles and various mitigations that he said will force adversaries to alter their intrusion methods, while helping industry to better prepare the U.S. government and military for those types of attacks at each step of the cycle.
As networks become increasingly interconnected, Dukes said, adversaries will find proportionately more exploitation opportunities. He maintains that it pays to invest in network defense.
“Look at what we currently spend in remediation for the [Office of Personnel Management] breach … if we had just put one-tenth of that into good security at the very beginning, we’d have been much better prepared for any type of attack in that regard,” Dukes said of the 2015 intrusions that cost the government millions to address and impacted millions of current, former and prospective federal employees and contractors. “There’s an imbalance right now in what we spend on offense capabilities, and what we spend on defense.”
The cycle, Dukes explained, begins with an initial exploitation of open-source literature or the defense industrial base. When a vendor wins a contract, that information becomes publicly available and adversaries use a phishing attack, such as crafting emails that appear to come from a senior official.
“They want you to either click on that link or open that attachment,” he said, “and this creates a classic spear-phishing avenue that they’re going to continue to use until we actually remove that as a capability for them.”
Dukes also described “watering holes,” in which adversaries lead unsuspecting users to a site they’ve already corrupted. “From that point,” he said, “they can then put the initial install onto your device, and get access through a classic thumb drive or some type of media.”
And, while these vulnerabilities help cyber attackers gain access to very basic network levels, their next move is to establish persistence, Dukes explained.
“It gives them the ability to have multiple ingress and egress points,” Dukes said of the stage at which the intruders have installed their malware and assessed the network and its connectivity. “So they’ve maybe found that host, but they’ve already moved to other hosts and to multiple ways in and out of the network.”
But entry points, he noted, are only part of the problem.
“Once they understand your system, if you’re not particularly well-patched or configured, then, they’re going to [seek] privileged escalation [and] they can then download tools … or hide inside normal traffic,” he added.
And that “normal traffic,” Dukes said, can include secure websites or encrypted web mail, which appears innocuous — until it isn’t.
“Defense tools will not be able to protect you,” he said. “They basically ‘own’ you at that point in time.”
Dukes recounted that the OPM intrusion had multiple ingress and egress points. “They had the initial attack,” he said, “then they moved laterally across it, and it became very difficult for network defenders to actually find them and eradicate them from that network.”
As a result, he said, NSA network defenders mapped an objective attack life cycle, consisting of phases including intelligence collection, intellectual property collection, and destructive programs such as ransomware.
“It doesn’t matter whether it’s a foreign nation such as Russia, China [or] Iran,” Dukes said. “It could even be a terrorist organization. It could be a criminal network. They tend to follow the exact same life cycle in that regard.”
Life Cycle Mitigation Techniques
To mitigate the attacker’s life cycle, he said, NSA implemented anti-exploitation features in a Windows environment, which, along with a secure host baseline, is now core to the Windows 10 operating system. NSA also developed an application whitelist of known and trusted websites that can be refined over time, Dukes said.
Additionally, the Defense Department runs a host-based security system, or intrusion prevention system, which provides daily antivirus protection and assesses an adversary’s ability to attack, he said.
About five years ago, Dukes said, the antivirus industry changed its technology by moving host reputation services to a cloud-based presence, giving network defenders the ability to detect malware globally.
“Adversaries like to hide and fake who they actually are, so with reputation service, you can check what websites and [internet protocol] addresses map back to,” he said. “It’s a pretty impactful tool.”
Aside from antivirus protection, Dukes praised controlled administrative privileges.
“You want to limit the number of folks that actually have admin privileges on your network,” he said. “By doing that, you reduce the ability for an adversary to find that one weak host to take advantage of.”
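The control Dukes describes here, keeping the set of accounts with administrative rights small, is only enforceable if you can see who actually holds local admin on each host. The following audit script is an added example for this article (it is not code from NSA or from the speaker); the inventory, account names and approved list are constructed for illustration, and a real run would feed in an export from configuration management or the local Administrators group of each host.

```python
"""
Added example (not from the article or NSA): audit local Administrators group
membership across a small fleet against an approved list, and surface accounts
that hold admin on many hosts, since one reused privileged credential is the
lateral-movement path the article describes.

All inventory data below is constructed for illustration.
"""
from collections import defaultdict

# Constructed inventory: host -> accounts found in its local Administrators group.
INVENTORY = {
    "ws-001": {"CORP\\Domain Admins", "CORP\\alice", "ws-001\\Administrator"},
    "ws-002": {"CORP\\Domain Admins", "CORP\\alice", "CORP\\helpdesk-svc"},
    "ws-003": {"CORP\\Domain Admins", "CORP\\bob", "CORP\\helpdesk-svc"},
    "srv-db1": {"CORP\\Domain Admins", "CORP\\helpdesk-svc", "CORP\\dba-team"},
}

# Constructed approved list: account -> hosts where it may hold local admin.
# "*" means approved fleet-wide.
APPROVED = {
    "CORP\\Domain Admins": {"*"},
    "ws-001\\Administrator": {"ws-001"},   # built-in account, host-local only
    "CORP\\dba-team": {"srv-db1"},
}


def unapproved_admins(inventory, approved):
    """Return {host: sorted list of accounts holding admin without approval}.

    Hosts with no findings are omitted so the result is empty for a clean fleet.
    """
    findings = {}
    for host, members in inventory.items():
        bad = sorted(
            acct for acct in members
            if not ({"*", host} & approved.get(acct, set()))
        )
        if bad:
            findings[host] = bad
    return findings


def shared_admins(inventory, min_hosts=2):
    """Accounts holding admin on at least `min_hosts` hosts, widest reach first.

    Returns a list of (account, sorted hosts) tuples. Ties are broken by name so
    the output is stable between runs.
    """
    hosts_by_acct = defaultdict(set)
    for host, members in inventory.items():
        for acct in members:
            hosts_by_acct[acct].add(host)
    return sorted(
        ((acct, sorted(hosts)) for acct, hosts in hosts_by_acct.items()
         if len(hosts) >= min_hosts),
        key=lambda item: (-len(item[1]), item[0]),
    )


if __name__ == "__main__":
    for host, accts in unapproved_admins(INVENTORY, APPROVED).items():
        print(f"{host}: unapproved local admins -> {', '.join(accts)}")
    for acct, hosts in shared_admins(INVENTORY):
        print(f"{acct}: admin on {len(hosts)} hosts ({', '.join(hosts)})")
```

The two views answer different questions: `unapproved_admins` is the policy check (who has rights they should not), while `shared_admins` ranks the accounts whose compromise would let an intruder move across the most hosts, which is where review effort pays off first.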
Not If, But When
Dukes asserts that it’s not a matter of if an adversary will attack, but when, so he emphasized the value of network segregation and offline backup.
“By only allowing certain folks certain access to certain parts of the network, you limit the damage that the adversary can do on your network, and you limit their ability to achieve their mission in that regard,” Dukes said. “If something happens, have a backup copy of files whether daily, weekly, biweekly or monthly — you have to be ready to reinstall should some unforeseen event occur.”
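Segmentation limits damage because an intruder who lands in one part of the network can only move along the flows the rules allow. The script below is an added example for this article (not code from NSA or the speaker): it models segments and their permitted flows as a small graph, computes the set of segments reachable from a compromised starting point, and contrasts that with the same segments in a flat network. The topology and segment names are constructed; in practice the flow map would be built from firewall or ACL exports. The "backup" segment models Dukes's offline backup as one that no other segment may initiate a connection to.

```python
"""
Added example (not from the article or NSA): compute the blast radius of a
compromise under a segmented rule set versus a flat network.

The flow map is constructed for illustration: source segment -> segments it may
initiate connections to.
"""
from collections import deque

SEGMENTED = {
    "user-lan": {"web-dmz"},
    "web-dmz": {"app-tier"},
    "app-tier": {"db-tier"},
    "db-tier": set(),
    "backup": set(),   # offline backup: no segment may initiate to it (see below)
    "mgmt": {"user-lan", "web-dmz", "app-tier", "db-tier"},
}


def flat_network(segments):
    """Same segments with no restrictions: every segment reaches every other."""
    return {s: set(segments) - {s} for s in segments}


def reachable(flows, start):
    """Breadth-first walk over allowed flows.

    Returns the set of segments (excluding `start`) an intruder who controls a
    host in `start` can move to, directly or through intermediate segments.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in flows.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def can_reach(flows, target):
    """Segments from which `target` is reachable; empty means truly isolated."""
    return {s for s in flows if target in reachable(flows, s)}


def blast_radius(flows, start):
    """Fraction of the other segments an intruder in `start` can reach."""
    others = len(flows) - 1
    return len(reachable(flows, start)) / others if others else 0.0


if __name__ == "__main__":
    for name, flows in (("segmented", SEGMENTED), ("flat", flat_network(SEGMENTED))):
        hit = sorted(reachable(flows, "user-lan"))
        print(f"{name:9s} from user-lan: {blast_radius(flows, 'user-lan'):.0%} -> {hit}")
    print("segments that can reach backup:", sorted(can_reach(SEGMENTED, "backup")))
```

`can_reach` is the check that matters for the backup point: if the set is empty, no compromised segment has a network path to the backup copies, which is the property an offline or isolated backup is meant to provide. Running `reachable` from every segment gives the per-segment blast radius a defender can compare before and after a rule change.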
Overall, Dukes said, NSA has supported the Department of Homeland Security, Federal Bureau of Investigation and other agencies through requests for technical services to examine life cycles and host mitigation techniques that secure national security systems, and the same guidance applies to both commercial industry and home users.
“As a nation we have to rethink how we’re actually organized when we do cyber defense to protect the whole of the nation — not only government, but also our key industry sectors,” Dukes said.