Rob Joyce closed out the Enigma 2016 conference yesterday by talking about how to defend oneself from state sponsored hackers. It's safe to assume that Mr Joyce knows a thing or two about how state sponsored hackers operate seeing as he runs one of the most prolific APTs operating on the Internet today: he is the Chief of NSA's Tailored Access Operations (TAO) unit, the group within NSA responsible for hacking into their targets.

The advice he gave is right in line with what those of us operating in the private sector of the security industry have been saying for years: it's effectively impossible to keep attackers out 100% of the time, so we must limit users' access, segment networks, and pay more attention to detecting attacks in order to slow intruders down and respond. The reality is that many organizations still aren't taking these basic security steps, instead focusing on trying to keep bad people on the Internet from getting into their network, and this is what makes it possible for hackers to cause so much trouble once they do get in, whether the intruder is the NSA, a Chinese APT, identity thieves, or hacktivists.

Limiting Access

One of the foundations of security is the idea of "least privilege". That is to say, any individual should have access only to what he or she needs in order to do the job, and no more. The goal is to limit the damage a rogue user can cause, and to limit the damage an attacker can cause after taking over a user's account, as is now common with credential phishing and malware attacks. We often find file shares within organizations' networks that contain mountains of sensitive data available to any user, or attacker, who bothers to go looking through it all. It's very difficult to limit the potential damage from a successful phishing attack when any given user potentially has access to the most sensitive data. Breaking data up into functional areas and/or sensitivity levels will go a long way toward keeping small breaches small.

This doesn't just apply to regular users, though; even administrators are part of the equation. At some level we have to trust that our system administrators are not rogue threats, but they are also prime targets for attackers; in fact, some of the classified NSA material that one Mr Snowden leaked describes how TAO itself specifically targets system administrators. Performing day-to-day activities like browsing the web or checking email with administrator-privileged accounts just provides more opportunities for an administrator account to be exploited and fall into the wrong hands. As any good Unix administrator would tell you, you should have your own low-privileged account on the system for day-to-day tasks and only switch to the all-powerful root account when necessary. This longstanding rule has been lost on many Windows system administrators, who use their domain admin accounts for everything.


Having user accounts locked down is a great first step, but on a "flat" network, where security is focused on the perimeter and all systems can freely talk to each other internally, it's often fairly easy either to escalate privileges (as discussed in a previous post) or to get around authentication requirements completely by exploiting unpatched vulnerabilities in network services. Preventing these sorts of attacks means not just restricting what users can access but also restricting how the systems themselves can communicate within the network.

Many modern networks use VLANs to create multiple logical network segments, but this alone is not enough, as these VLANs are often configured so that systems can still communicate freely across them. There must be some meaningful control between the segments, typically a firewall, for segmentation to be effective. It should go without saying that the firewall must also be configured to restrict the traffic flowing between network segments to the bare minimum required for the systems to perform their respective duties. This may be enough to prevent an attacker from using a stolen administrator account or a new exploit to reach sensitive data before he is detected.
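To make the difference between VLANs with no inter-segment control and a firewall that allows only the required flows concrete, here is a small policy evaluator. It is an added example, not code from the original post or from Mr Joyce's talk; the segment names, address ranges, ports, rules and service inventory are all constructed for illustration. The "flat" policy is a single allow-everything rule; the segmented policy is default-deny with three explicit flows, and the evaluator shows what a compromised workstation could and could not connect to under each.

```python
"""Added example (not from the original post): a tiny policy evaluator that
contrasts a "flat" network with a segmented one.  Segment names, address
ranges, ports and rules below are constructed for illustration."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed segment layout: one VLAN per functional area.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "web":          ipaddress.ip_network("10.20.0.0/24"),
    "db":           ipaddress.ip_network("10.30.0.0/24"),
    "mgmt":         ipaddress.ip_network("10.40.0.0/24"),
}

# A rule is (src_segment, dst_segment, tcp_port, action); "any" / None are wildcards.
Rule = Tuple[str, str, Optional[int], str]

# VLANs with no control between them: everything may talk to everything.
FLAT_POLICY: List[Rule] = [("any", "any", None, "allow")]

# A firewall between the VLANs, permitting only the flows each tier needs.
# Anything not listed falls through to the implicit deny in evaluate().
SEGMENTED_POLICY: List[Rule] = [
    ("workstations", "web", 443, "allow"),   # users reach the web tier only
    ("web", "db", 5432, "allow"),            # only the web tier talks to the database
    ("mgmt", "any", 22, "allow"),            # administration only from the mgmt segment
]


def segment_of(ip: str) -> str:
    """Map an address to its segment name ("unknown" if outside every range)."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; with no match the flow is denied (default-deny)."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    for rule_src, rule_dst, rule_port, action in rules:
        if (rule_src in (src_seg, "any") and rule_dst in (dst_seg, "any")
                and rule_port in (port, None)):
            return action
    return "deny"


# Constructed inventory of the services that hold or guard sensitive data.
SERVICES = [
    ("10.20.0.5", 443),    # web front end
    ("10.30.0.10", 5432),  # database
    ("10.30.0.10", 22),    # SSH on the database host
    ("10.40.0.2", 22),     # SSH on the management host
]


def reachable_services(rules: List[Rule], foothold_ip: str) -> List[Tuple[str, int]]:
    """Services a compromised host at foothold_ip could connect to under the policy."""
    return [(ip, port) for ip, port in SERVICES
            if evaluate(rules, foothold_ip, ip, port) == "allow"]


if __name__ == "__main__":
    compromised_workstation = "10.10.5.7"
    print("flat:     ", reachable_services(FLAT_POLICY, compromised_workstation))
    print("segmented:", reachable_services(SEGMENTED_POLICY, compromised_workstation))
```

Under the flat policy a phished workstation can open a connection to every service in the inventory, database included; under the segmented policy it reaches only the web front end on port 443, and the management segment is the only place from which SSH is reachable. The design point is the implicit deny at the end of `evaluate()`: a firewall between VLANs that ends in an allow-all rule gives no more protection than no firewall at all.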


There is a saying that an attacker only has to be successful once to break in, while a defender must be successful every time to keep him out. Sooner or later the attacker will succeed, and this is why "Persistent" is part of APT. Once we accept that the attacker will eventually get in, we must determine how to stop him once he is in.

Networks already generate an enormous amount of log data that can tip us off if something is amiss; the trick is to do something useful with this data rather than trying to drink from the firehose. SIEM tools can be very effective at correlating log data to make sense of it and generating alerts when anomalous behavior happens, but tools alone are not enough. As we saw with the Target breach, someone with enough technical skill to sort the real incidents from the false positives needs to be responsible for monitoring and reacting to alerts. Maintaining this kind of capability on a 24x7 basis can be an expensive proposition, especially for small and medium-sized businesses, and many turn to managed service providers who have the appropriate experience.
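The kind of correlation a SIEM does over that log firehose is easier to see in code than in prose. The following is an added example, not something from the original post or from any particular SIEM product, and it runs two rules over a handful of constructed authentication log lines. Rule 1 picks up the problem described earlier in the post: a domain-admin account being used interactively on an ordinary workstation, i.e. an administrator browsing and reading email with a privileged account. Rule 2 flags one account authenticating over the network to many different hosts in a short window, the kind of footprint a stolen account leaves on a flat network. The log format, account names, host naming convention and thresholds are all assumptions made for this example.

```python
"""Added example (not from the original post): two correlation rules run over
constructed authentication log lines, of the kind a SIEM would alert on.
The log format, account names, host names and thresholds are all assumptions
made for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed: accounts that hold domain-admin level privileges.
PRIVILEGED_ACCOUNTS = {"admin-jsmith", "da-backup"}
WORKSTATION_PREFIX = "WS-"          # constructed naming convention for user desktops
FAN_OUT_WINDOW = timedelta(minutes=10)
FAN_OUT_THRESHOLD = 5               # distinct hosts within the window before alerting

# Constructed, simplified log format (one event per line).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) type=(?P<type>\S+)$"
)

# Constructed sample log.  One line is deliberately malformed.
SAMPLE_LOG = """\
2016-01-28T09:01:12 host=WS-017 user=jdoe event=logon type=interactive
2016-01-28T09:03:40 host=WS-042 user=admin-jsmith event=logon type=interactive
2016-01-28T09:05:02 host=SRV-FILE01 user=jdoe event=logon type=network
this line is deliberately malformed and must be skipped by the parser
2016-01-28T09:20:15 host=SRV-FILE02 user=jdoe event=logon type=network
2016-01-28T13:30:00 host=SRV-01 user=mlee event=logon type=network
2016-01-28T13:30:20 host=SRV-02 user=mlee event=logon type=network
2016-01-28T13:30:45 host=SRV-03 user=mlee event=logon type=network
2016-01-28T13:31:05 host=SRV-04 user=mlee event=logon type=network
2016-01-28T13:31:30 host=SRV-05 user=mlee event=logon type=network
2016-01-28T13:32:10 host=SRV-06 user=mlee event=logon type=network
2016-01-28T14:00:00 host=SRV-ADM01 user=admin-jsmith event=logon type=network
"""


def parse_log(text: str) -> List[dict]:
    """Parse lines into event dicts; lines that do not match the format are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def privileged_interactive_on_workstations(events: List[dict]) -> List[Tuple[str, str]]:
    """Rule 1: a privileged account used interactively on a workstation, i.e. an
    administrator doing day-to-day work (browsing, email) with an admin account."""
    hits = {(e["user"], e["host"]) for e in events
            if e["event"] == "logon" and e["type"] == "interactive"
            and e["user"] in PRIVILEGED_ACCOUNTS
            and e["host"].startswith(WORKSTATION_PREFIX)}
    return sorted(hits)


def logon_fan_out(events: List[dict]) -> Dict[str, int]:
    """Rule 2: one account authenticating over the network to many distinct hosts
    within FAN_OUT_WINDOW.  Returns {user: peak distinct hosts in any window}
    for every user at or above FAN_OUT_THRESHOLD."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "logon" and e["type"] == "network":
            by_user[e["user"]].append((e["ts"], e["host"]))
    alerts = {}
    for user, items in by_user.items():
        items.sort()                      # sliding window over time-ordered events
        peak = 0
        for i, (start, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - start <= FAN_OUT_WINDOW}
            peak = max(peak, len(hosts))
        if peak >= FAN_OUT_THRESHOLD:
            alerts[user] = peak
    return alerts


def run_rules(text: str) -> dict:
    """Apply both rules to a log and return the alerts they raise."""
    events = parse_log(text)
    return {
        "privileged_on_workstation": privileged_interactive_on_workstations(events),
        "logon_fan_out": logon_fan_out(events),
    }


if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_LOG).items():
        print(rule, hits)
```

On the sample data the first rule reports `admin-jsmith` on `WS-042` and the second reports `mlee` reaching six hosts inside two and a half minutes, while `jdoe`, who touched two file servers fifteen minutes apart, stays quiet. Both rules are deliberately simple; the point the post makes still holds, which is that someone has to decide whether `mlee` is an intruder or a help-desk technician running a legitimate job, and tune the threshold and window accordingly.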

Just because we can't keep attackers out doesn't mean security is ultimately futile. Process improvement, training, and basic patch and configuration management will make it harder for the attacker to break in, while least privilege and segmentation will slow him down once he is in. This all gives us more time to detect an ongoing attack and do something about it before important data gets stolen.

The sad reality is that many businesses are still not taking this to heart, even though we've known for years that these are all key steps to stop breaches before they get out of hand. It's time for organizations that don't want to find themselves implicated in the next major breach to get on board; even the people responsible for launching APT attacks are telling us so.