7 (Samurai) Cyber Insights from the Former NSA Hacker Advising the White House
Rob Joyce, White House Cybersecurity Coordinator, brings to the job years of experience with the National Security Agency and its Tailored Access Operations unit. In an unusual public appearance at USENIX 2016 last August, he described how institutions can best protect their networks from attack.
Here are his seven keys to protection:
1 In almost any intrusion, people are trying to get credentials.
Login credentials are the keys to the kingdom for which cyber spies are phishing and snooping. Protecting and monitoring credentialed access is crucial. The best-defended networks:
- Require two-factor authentication, so that a stolen password on its own is not enough to log in
- Monitor users and look for anomalous behaviors
- Require specific actions to gain access (a known, expected login path), and watch for access that does not follow that path
- Minimize the number of privileged accounts. “Only give the privileges needed to specific users. Not everybody’s happy with that world, [but] … those are the kinds of wide ranging credential reuses that end up turning into large-scale compromises.”
- Never hard-code administrator or system credentials into scripts
- Drive legacy protocols that pass credentials in the clear out of the network. Most modern protocols protect credentials in transit, but nation states go looking for the older ones. “You’ve got to look for those older protocols and drive them out of your networks.”
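The last two points are the easiest to check for mechanically. As an added example (not from Joyce’s talk or this article), the Python below scans a script for embedded credentials and for use of protocols that send those credentials in the clear. The script it scans is constructed for the example, and the regular expressions are illustrative patterns of my own, not a complete secret-detection ruleset; the secrets it finds are redacted in the report so the scanner does not copy them into yet another log.

```python
import re

# Schemes whose authentication travels in the clear when used without TLS.
# Plain http is left out on purpose: it is too noisy to flag on its own.
CLEARTEXT_SCHEMES = {"ftp", "telnet", "ldap", "pop3", "imap", "smtp", "tftp"}
# Command-line tools that speak a cleartext protocol (bare "ftp host", "telnet host").
CLEARTEXT_TOOLS = re.compile(r"(?<![\w/.-])(ftp|telnet|rsh|rlogin|tftp)\s+")
SCHEME = re.compile(r"\b([a-z][a-z0-9+.-]*)://", re.I)

# Ways credentials get baked into scripts. Each pattern captures the secret
# itself (group 1) so the report can redact it. Illustrative, not exhaustive.
SECRET_PATTERNS = [
    ("variable assignment", re.compile(
        r"(?i)\b\w*(?:passw(?:or)?d|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"\s]{4,})['\"]")),
    ("credentials in URL", re.compile(
        r"(?i)\b[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@]+)@")),
    ("sshpass -p", re.compile(r"\bsshpass\s+-p\s+(\S+)")),
    ("ldap simple bind -w", re.compile(r"\bldapsearch\b.*?\s-w\s+(\S+)")),
    ("curl -u", re.compile(r"\bcurl\b.*?\s-u\s+[^\s:]+:(\S+)")),
]

# Constructed sample: a backup job of the kind found on many admin hosts.
SAMPLE_SCRIPT = """\
#!/bin/sh
# nightly backup job (constructed sample, not a real script)
BACKUP_HOST=backup01.corp.example
ADMIN_PASSWORD="Sup3rSecret!"
curl -s ftp://svc_backup:Sup3rSecret!@backup01.corp.example/incoming/
sshpass -p Sup3rSecret! scp dump.sql ops@db01.corp.example:/tmp/
ldapsearch -x -H ldap://dc01.corp.example -D "cn=admin,dc=corp,dc=example" -w Sup3rSecret!
curl -u svc_backup:Sup3rSecret! https://vault.corp.example/api/rotate
echo "show run" | telnet core-sw01.corp.example
"""


def redact(secret: str) -> str:
    """Keep two characters so an admin can recognise which secret it is."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_script(text: str):
    """Return (line_no, kind, detail) findings for one script, secrets redacted."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, pat in SECRET_PATTERNS:
            for m in pat.finditer(line):
                findings.append((n, "hardcoded credential", f"{name}: {redact(m.group(1))}"))
        for m in SCHEME.finditer(line):
            if m.group(1).lower() in CLEARTEXT_SCHEMES:
                findings.append((n, "cleartext protocol", m.group(1).lower()))
        for m in CLEARTEXT_TOOLS.finditer(line):
            findings.append((n, "cleartext protocol", m.group(1)))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in scan_script(SAMPLE_SCRIPT):
        print(f"line {line_no}: {kind}: {detail}")
```

Run against the sample it reports five embedded secrets and three cleartext-protocol uses (ftp, ldap and telnet); the `https://` call on line 8 is flagged only for its embedded credential, not as a cleartext protocol. The same scanner can be pointed at a repository of cron jobs and deployment scripts, which is where this class of credential usually hides.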
2 Look at your logs.
“You’d be amazed that incident response teams go in after there’s been some amazing breach, and yup, there it is in the log. If you’ve got logs, it will tell you that you’ve been had. Enable those logs, and look at them.”
Logs are key to understanding whether you’ve got a problem or if someone’s ‘rattling the door’ and trying to become a problem.
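What “look at them” means in practice is running a question over the log rather than reading it by eye. As an added example (not from Joyce’s talk or this article), the Python below triages OpenSSH authentication lines and separates the two cases in the paragraph above: a source that is rattling the door (many failures, no success) and a source that has been let in (many failures followed by an accepted login, the classic signature of a password-guessing attack that worked). The log lines are constructed for the example; the line format is the one OpenSSH writes via syslog. The threshold of five failures is an assumed tuning value.

```python
import re

# OpenSSH auth lines as written by syslog. The sample log below is constructed.
SSHD_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

SAMPLE_AUTH_LOG = """\
Jan 14 03:11:58 bastion systemd[1]: Started Session 12 of user alice.
Jan 14 03:12:07 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51212 ssh2
Jan 14 03:12:09 bastion sshd[2213]: Failed password for root from 203.0.113.45 port 51213 ssh2
Jan 14 03:12:11 bastion sshd[2215]: Failed password for invalid user test from 203.0.113.45 port 51215 ssh2
Jan 14 03:12:14 bastion sshd[2217]: Failed password for invalid user oracle from 203.0.113.45 port 51217 ssh2
Jan 14 03:12:18 bastion sshd[2219]: Failed password for ops from 203.0.113.45 port 51219 ssh2
Jan 14 03:12:22 bastion sshd[2221]: Failed password for ops from 203.0.113.45 port 51221 ssh2
Jan 14 03:12:40 bastion sshd[2230]: Accepted password for ops from 203.0.113.45 port 51240 ssh2
Jan 14 03:15:00 bastion sshd[2250]: Accepted publickey for alice from 198.51.100.7 port 40122 ssh2
Jan 14 03:16:11 bastion sshd[2260]: Failed password for bob from 198.51.100.7 port 40130 ssh2
Jan 14 03:16:15 bastion sshd[2261]: Accepted password for bob from 198.51.100.7 port 40131 ssh2
Jan 14 03:20:01 bastion sshd[2270]: Failed password for invalid user pi from 192.0.2.99 port 60001 ssh2
Jan 14 03:20:03 bastion sshd[2271]: Failed password for invalid user pi from 192.0.2.99 port 60002 ssh2
Jan 14 03:20:05 bastion sshd[2272]: Failed password for invalid user ubnt from 192.0.2.99 port 60003 ssh2
Jan 14 03:20:07 bastion sshd[2273]: Failed password for root from 192.0.2.99 port 60004 ssh2
Jan 14 03:20:09 bastion sshd[2274]: Failed password for root from 192.0.2.99 port 60005 ssh2
"""


def parse_line(line: str):
    """Return the sshd auth event as a dict, or None for unrelated log lines."""
    m = SSHD_LINE.match(line)
    return m.groupdict() if m else None


def triage(log_text: str, threshold: int = 5):
    """Verdict per source IP: 'normal', 'probing: ...' or 'likely compromised: ...'."""
    per_ip = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e:
            per_ip.setdefault(e["ip"], []).append(e)

    report = {}
    for ip, events in per_ip.items():       # events are already in log order
        fails, verdict = 0, "normal"
        for e in events:
            if e["result"] == "Failed":
                fails += 1
                continue
            if fails >= threshold:          # a success right after a burst of failures
                verdict = (f"likely compromised: {fails} failures then {e['method']} "
                           f"login as {e['user']} at {e['ts']}")
                break
            fails = 0                       # an ordinary typo-then-login resets the count
        else:
            if fails >= threshold:          # burst of failures, nobody got in (yet)
                verdict = f"probing: {fails} failures, no success"
        report[ip] = verdict
    return report


if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_AUTH_LOG).items():
        print(f"{ip:15} {verdict}")
```

On the sample, 203.0.113.45 is reported as likely compromised (six failures, then an accepted password for `ops`), 192.0.2.99 as probing, and 198.51.100.7 as normal. The point of the exercise is that the compromised case is invisible in a count of failures alone; the log has to be read in order, per source, with the success events kept.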
3 Use a reputation service to test software
“Every piece of software that wants to execute on your machine gets hashed and pushed up onto the cloud,” Joyce explains. There, the service determines if it is safe or not.
“Let me tell you, if you’ve got a reputation service and it says that interesting executable that you think you want to run, in the entire history of the internet, has been run one time and it’s on your machine, be afraid. Be very afraid.”
4 Use a reputation service to test web domains
Most hacker tools, once active, “want to talk out to a domain, they want to call back home, they want to report success, or bring back data,” Joyce says.
But if your network is testing domains before letting traffic go through, there’s a good chance it can stop those calls home. “If something is evaluating that reputation, if no one is going to that domain or the content is stale, it will have neutral or negative reputation,” Joyce says. “That’s a hard thing to overcome.”
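Items 3 and 4 rest on the same mechanism: prevalence across a fleet. As an added example (not from Joyce’s talk or this article, and not any vendor’s service), the Python below builds that mechanism from constructed endpoint telemetry. Executables are identified by SHA-256 rather than by name, so renaming a tool does not help an intruder; domains by the number of distinct hosts that resolve them. The thresholds are assumed tuning values, and the “content is stale” signal Joyce also mentions is not modelled here, only the “no one is going to that domain” one.

```python
import hashlib
from collections import defaultdict


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Constructed stand-ins for binaries; only their hashes matter to the check.
NOTEPAD = b"MZ\x90\x00 stand-in for notepad.exe"
LOB_APP = b"MZ\x90\x00 stand-in for a line-of-business application"
DROPPER = b"MZ\x90\x00 stand-in for an intruder's freshly built dropper"


def constructed_exec_events():
    """Fleet telemetry as (host, sha256) pairs: which hash ran on which host."""
    events = [(f"ws-{i:03d}", sha256_hex(NOTEPAD)) for i in range(1, 41)]   # 40 hosts
    events += [(f"ws-{i:03d}", sha256_hex(LOB_APP)) for i in range(1, 7)]   # 6 hosts
    events.append(("ws-017", sha256_hex(DROPPER)))   # the dropper ran on one host
    events.append(("ws-017", sha256_hex(DROPPER)))   # twice on that host: still one host
    return events


def constructed_dns_events():
    """Fleet telemetry as (host, domain) pairs from the resolver logs."""
    events = [(f"ws-{i:03d}", "update.microsoft.com") for i in range(1, 41)]
    events += [(f"ws-{i:03d}", "cdn.partner.example") for i in range(1, 7)]
    events.append(("ws-017", "sync-status-check.example"))   # only the infected host
    return events


def prevalence(events):
    """Distinct hosts per key (hash or domain). Distinct hosts, not raw event
    counts: a tool that runs a thousand times on one box is still a singleton."""
    hosts = defaultdict(set)
    for host, key in events:
        hosts[key].add(host)
    return {key: len(h) for key, h in hosts.items()}


def executable_verdict(blob: bytes, exec_prevalence, review_below: int = 10) -> str:
    """The endpoint hashes the file and asks how many hosts have run that hash.
    Assumes the endpoint reported its own execution first, so 1 means 'only me'."""
    n = exec_prevalence.get(sha256_hex(blob), 0)
    if n <= 1:
        return "alert"      # run on one host in the fleet's history: be very afraid
    if n < review_below:
        return "review"     # rare: fine for a niche app, worth a look
    return "allow"


def domain_verdict(domain: str, dns_prevalence, alert_below: int = 10) -> str:
    """Egress decision for a callback destination, by how many hosts use it."""
    n = dns_prevalence.get(domain, 0)
    if n <= 1:
        return "block"      # nobody else talks to it: neutral-to-negative reputation
    if n < alert_below:
        return "alert"
    return "allow"


if __name__ == "__main__":
    ep = prevalence(constructed_exec_events())
    dp = prevalence(constructed_dns_events())
    for name, blob in [("notepad", NOTEPAD), ("lob app", LOB_APP), ("dropper", DROPPER)]:
        print(f"{name:10} {executable_verdict(blob, ep)}")
    for domain in ["update.microsoft.com", "cdn.partner.example", "sync-status-check.example"]:
        print(f"{domain:28} {domain_verdict(domain, dp)}")
```

With these inputs the dropper is the only executable that alerts and `sync-status-check.example` the only domain that is blocked, which is the outcome Joyce describes: the intruder’s hand-built tool and its call-home domain are, by construction, things nobody else in the organisation has ever used. The same property means a genuinely new SaaS domain gets blocked until someone vets it; that is the cost of the control, not a bug in it.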
5 Stop lateral movement
Once an intruder is inside your network, the next step is to move laterally in search of better credentials or other access. Stopping lateral movement is critical to limiting damage. Among the best ways to do that:
- Limit access privileges
- Segment the network, so that moving into a different part of it requires fresh authentication
- Enforce two-factor authentication everywhere
6 Control everything, trust little
Better networks employ comply-to-connect to ensure remote connections are legitimate. Some also check the remote user’s location and can be configured to challenge a connection that arrives from an unexpected one.
Expect that your network is vulnerable and has already been penetrated, then ask: Do you have the means to understand who is already in your network?
7 Back it up!
Digital attacks come in many forms. Some seek to exfiltrate data for intelligence or profit. Others are just plain malicious. Be prepared for destructive attacks by ensuring you have offsite backups as part of your plan, kept where an intruder who already holds your administrative credentials cannot reach them. Anticipate how you will deal with data corruption, data manipulation and data destruction.