The head of an elite team of NSA hackers has revealed the tactics often deployed by the secretive agency to crack into networks and computer systems. Rob Joyce, who has led the notorious Tailored Access Operations (TAO) department of the NSA since 2013, was speaking at the inaugural Usenix Enigma security conference in San Francisco last week and helped to shine a light on how cyber-spies operate in the digital age.
According to the cyber expert, the NSA follows a six-stage process when attempting to compromise a target, covering reconnaissance, initial exploitation, establishing persistence, installing tools, moving laterally and then collection, exfiltration and finally the exploitation of data. "If you really want to protect your network you have to know your network, including all the devices and technology in it. In many cases we know networks better than the people who designed and run them," he explained.
The TAO department shot to infamy following the revelations of former NSA contractor Edward Snowden in 2013, which exposed a vast spying apparatus used by intelligence agencies across the globe, from the NSA to British spies at GCHQ. Following the disclosures, it was revealed that the TAO specialises in hacking into the networks of foreign targets. In order to infiltrate these networks, Joyce revealed the agency can exploit even the smallest of security gaps. "Don't assume a crack is too small to be noticed or too small to be exploited," he said.
What is a 'zero-day' vulnerability?
At its core, a zero-day vulnerability is an unknown security flaw found in software that can be used by hackers, cyber criminals and spy agencies to infiltrate or exploit a computer system before anyone knows there is a problem.
"If you do a penetration test of your network and 97 things pass the test but three esoteric things fail, don't think they don't matter. Those are the ones the NSA, and other nation-state attackers, will seize on. We need that first crack, that first seam. And we're going to look and look and look for that esoteric kind of edge case to break open and crack in."
Joyce, somewhat predictably, did not go into too much detail about how the NSA's cyber-spies operate, but he did deny the agency is reliant on the exploitation of so-called 'zero-day' vulnerabilities to crack networks. "I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero-days. There's so many more vectors that are easier, less risky and quite often more productive than going down that route."
Keeping the spies out
In the wake of the Snowden revelations, many internet users have become increasingly concerned about nation-state snooping, yet, according to Joyce, there are a number of ways to make it more difficult for the NSA cyber-sleuths to operate. These include limiting access privileges on crucial computer systems, regularly patching security flaws and cracking down on out-of-date legacy protocols that often transmit passwords in an unencrypted format.
However, Joyce maintains that in the end his team are always likely to win. "You know the technologies you intended to use in that network. We know the technologies that are actually in use in that network. Subtle difference. You'd be surprised about the things that are running on a network versus the things that you think are supposed to be there," he said.
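The gap Joyce describes, between the services a network is supposed to run and the ones actually in use, is something a defender can measure. The following is an added example (not code from the talk or the NSA) that takes constructed flow-log lines, compares each host's observed listening ports against an intended-service inventory, and flags the legacy cleartext-credential protocols the article mentions. The port-to-protocol mapping, the inventory and the log lines are all assumptions made up for this example.

```python
"""Audit observed network services against an intended inventory and flag
legacy protocols that carry credentials in the clear. Constructed sample data."""
from collections import defaultdict

# Assumption: classify by destination port only; HTTP is included because
# basic/form logins over port 80 travel unencrypted.
CLEARTEXT_PROTOCOLS = {21: "ftp", 23: "telnet", 80: "http",
                       110: "pop3", 143: "imap", 389: "ldap"}

# Constructed inventory: what the owner believes each host should serve.
INTENDED_SERVICES = {
    "10.0.0.5": {443},   # web server, HTTPS only
    "10.0.0.9": {22},    # bastion host, SSH only
}

# Constructed flow-collector lines: "<src> <dst> <dst_port>".
SAMPLE_FLOWS = """\
10.0.1.20 10.0.0.5 443
10.0.1.21 10.0.0.5 80
10.0.1.22 10.0.0.9 22
10.0.1.23 10.0.0.9 23
10.0.1.24 10.0.0.12 21
"""


def parse_flows(text):
    """Return {dst_host: set(dst_ports)} seen in the log; skips malformed lines."""
    observed = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        _, dst, dport = parts
        observed[dst].add(int(dport))
    return dict(observed)


def audit(observed, intended):
    """Return (host, port, finding) tuples for inventory gaps and cleartext protocols."""
    findings = []
    for host, ports in sorted(observed.items()):
        expected = intended.get(host)
        for port in sorted(ports):
            if expected is None:
                findings.append((host, port, "host not in inventory"))
            elif port not in expected:
                findings.append((host, port, "unexpected service"))
            if port in CLEARTEXT_PROTOCOLS:
                proto = CLEARTEXT_PROTOCOLS[port]
                findings.append((host, port, f"cleartext credentials ({proto})"))
    return findings


def run_sample():
    """Audit the constructed sample; hosts never seen in traffic are not reported."""
    return audit(parse_flows(SAMPLE_FLOWS), INTENDED_SERVICES)
```

Run against real flow data, the same comparison gives the "things that are running on a network versus the things that you think are supposed to be there" list that Joyce says attackers already hold.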
Most recently, the Civil Liberties and Privacy Office of the NSA claimed that a revised surveillance program for collecting domestic telephone records meets the privacy standards set by the US government.