The Enigma 2016 USENIX conference featured an hour-long talk by the chief of the NSA’s Tailored Access Operations (TAO), in which he described how easily the group is able to penetrate most networks.
The TAO group is widely known as one of the most elite and advanced hacking groups of the NSA, specializing in custom security penetration scenarios and going as far as having a dedicated catalog of custom hardware implants to ensure remote presence in targeted infrastructures.
What Mr Joyce presented, though, had little to do with such advanced techniques, APTs, TADA, or any other trendy acronym, and much more to do with the current problems in the IT security landscape.
During his presentation, he described how they were able to ensure their presence in most networks using only well-known “standard” penetration techniques (reconnaissance, exploitation, persistence, moving laterally in the network and then collecting data) and by exploiting low-hanging fruit: plaintext authentication, old protocols, etc.
Almost describing the Top 3 critical security controls, Joyce said: “If you really want to protect your network you have to know your network, including all the devices and technology in it”, adding: “In many cases we know networks better than the people who designed and run them.”
He also mentioned that their use of 0-days is fairly exceptional: “A lot of people think that nation states are running their operations on zero days, but it’s not that common”.
One final interesting statement was the reference to their preference for using mobile and IoT devices to get into the network, such as employees’ cell phones or heating and cooling systems.
Though it’s possible to doubt the veracity of such statements made at a publicly recorded conference, they still show that most networks today can be successfully targeted by malicious adversaries through secondary and tertiary assets. These assets are usually not well looked after or secured: their sheer number prevents current security products from scaling efficiently to cover all of them, so the few security experts most companies have are obliged to focus on the most critical systems.