11 February, 2016

We're Just Like the NSA, and Nothing Like Them

Author: Nathan Sweaney

During penetration tests, and especially scoping calls, we often get quizzed about what secret, proprietary techniques we'll use to gain access to privileged resources. Most folks assume they're doing "good enough" or at least meeting "industry best practices" so only the latest, unknown attacks will be successful. The notorious zero-day always seems to take the top spot in many organizations' threat matrix. Fortunately, that's not realistic.

Last month Rob Joyce spoke at the Usenix Enigma conference in San Francisco. Rob heads the NSA's Tailored Access Operations (TAO) hacking team, the American counterpart of the Chinese unit Mandiant designated APT1. It's their job to gain access to the systems of foreign nations. During his talk, Rob discussed how they go about their work, and the lessons that businesses should learn from their experiences.

In several ways, their attack process is very similar to those of a good penetration test. Rob talked about the detailed reconnaissance phase in which they seek to know the network "better than the people running it." Seeking out available information about the people, processes, and technologies in a network should be part of any good pentest. Part of that recon includes scanning the network, mapping out systems and services, looking for openings that may be exploitable.

"A lot of people think the nation states are running on this engine of zero days... There are so many more vectors that are easier, less risky, and more productive than going down that route." Later he shared that "You know the technologies you intended to use in that network. We know the technologies that are actually in use in that network." Similarly, in most of our pentests, the issues that allow us to gain access are rarely a new, fancy attack; they come from chaining together common flaws that are often unknown to the organization. Rob shared that one key to good security, and to defending against any attacker, is to know and understand your network and systems extremely well. He suggested common best practices such as regular scanning, penetration tests, and tabletop red teaming to discuss and familiarize yourself with every aspect of your network.
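The gap Rob describes, between the technologies you intended to deploy and the ones actually listening, is something you can measure. The following is an added example, not code from the original post or from Rob Joyce's talk: it parses a scan in nmap's grepable (-oG) format and diffs it against a small asset inventory, reporting hosts you didn't know about, services you didn't intend to expose, and inventoried services the scanner can't see. The inventory and the scan output are constructed sample data, not a real scan; the hosts, ports and version strings are assumptions for illustration.

```python
"""Diff the network you think you run against the network a scanner sees."""
import re
from dataclasses import dataclass, field

# Constructed sample: what the asset inventory says should be listening.
INTENDED = {
    "10.0.0.5": {(22, "ssh"), (443, "https")},
    "10.0.0.9": {(3306, "mysql")},
}

# Constructed sample in nmap grepable (-oG) format; not real scan data.
# Each Ports entry is port/state/protocol/owner/service/rpc-info/version/.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.0.0.0/28
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx/, 8080/open/tcp//http-proxy//Jenkins/\tIgnored State: closed (997)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 3306/filtered/tcp//mysql///\tIgnored State: closed (999)
Host: 10.0.0.12 ()\tStatus: Up
Host: 10.0.0.12 ()\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2008 R2/\tIgnored State: closed (999)
# Nmap done
"""

HOST_FIELD = re.compile(r"^Host: (\S+)")
PORT_FIELD = re.compile(r"\tPorts: ([^\t]+)")


def parse_grepable(text):
    """Return {host: {(port, service)}} for ports nmap reported as open.

    Hosts that appear with no open ports are kept with an empty set so the
    caller can tell 'host seen, nothing open' from 'host never scanned'.
    Assumes version strings contain no '/', which is how nmap emits them.
    """
    observed = {}
    for line in text.splitlines():
        host_m = HOST_FIELD.match(line)
        ports_m = PORT_FIELD.search(line)
        if not host_m or not ports_m:
            continue  # comments and bare "Status: Up" lines carry no ports
        services = observed.setdefault(host_m.group(1), set())
        for entry in ports_m.group(1).split(", "):
            port, state, _proto, _owner, service, _rpc, _version = entry.split("/")[:7]
            if state == "open":
                services.add((int(port), service))
    return observed


@dataclass
class Drift:
    unknown_hosts: dict = field(default_factory=dict)  # host not in inventory -> open services
    unexpected: dict = field(default_factory=dict)     # known host -> services inventory lacks
    missing: dict = field(default_factory=dict)        # known host -> inventoried services not seen open


def find_drift(intended, observed):
    """Compare inventory against scan results from the attacker's vantage point."""
    drift = Drift()
    for host, seen in observed.items():
        if host not in intended:
            if seen:
                drift.unknown_hosts[host] = seen
            continue
        extra = seen - intended[host]
        if extra:
            drift.unexpected[host] = extra
    for host, wanted in intended.items():
        # Missing may mean the service is down, or simply filtered from where
        # the scanner sits. Either way the inventory and the wire disagree.
        gone = wanted - observed.get(host, set())
        if gone:
            drift.missing[host] = gone
    return drift


def report(drift):
    """Render the drift as plain text lines, one finding per line."""
    lines = []
    for host, svcs in sorted(drift.unknown_hosts.items()):
        lines.append(f"UNKNOWN HOST {host}: {sorted(svcs)}")
    for host, svcs in sorted(drift.unexpected.items()):
        lines.append(f"UNEXPECTED  {host}: {sorted(svcs)}")
    for host, svcs in sorted(drift.missing.items()):
        lines.append(f"MISSING     {host}: {sorted(svcs)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(find_drift(INTENDED, parse_grepable(SCAN_OUTPUT)))))
```

Run against a real scan, feed it the output of `nmap -sV -oG -` and an inventory exported from whatever source of truth you trust; every UNKNOWN HOST and UNEXPECTED line is something an attacker doing the same recon already knows about and you didn't.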

However, there are a few critical differences between a TAO engagement and a standard penetration test that are important to realize, and understanding them is key to scoping out and receiving a good penetration test. An attack by a nation state is an active, live-fire event, not an exercise. Conversely, a penetration test is an exercise designed to educate. So even though many of the techniques outlined and used by Rob's team are similar, their purpose is not.

The first major difference is the scope of the engagement. Every penetration test has limitations on the scope of the assessment, many of which are very reasonable. For example, targeting the personal email accounts or home networks of employees during an educational test is both illegal and unethical. Oftentimes, though, scope limitations are introduced for other reasons. Perhaps the business won't accept the additional cost, or a compliance-driven test is focused only on checking a box on a form for auditors. In most cases, the fewer restrictions placed on an assessment, the more successful it will ultimately be at painting a true picture of risk exposure.

A second key difference between an APT attack and a pentest is the amount of resources afforded for the assessment. Rob spoke of having copies of known software, and experts in those systems who often know more about the technologies than the administrators themselves. Every firm and pentester has a range of experience and a network of colleagues that can be leaned on for support when attacking unfamiliar systems, but no private company can rival the checkbook of the U.S. government. For this reason, we strongly recommend against black-box testing, which is both impractical and ineffective. I mentioned previously that a pentest is an educational opportunity that should provide as much benefit as possible to the organization. A black-box test inherently limits that transfer of knowledge. Instead, nearly all of our tests are gray-box tests in which we utilize the existing resources of the organization to some degree in order to better assess security findings and associated risk. If you're still approaching a pentest as a red-vs-blue contest, you're doing it wrong.

The final issue is closely related. Rob discussed his team's persistence (APT, remember?). "We'll poke and we'll poke and we'll wait and we'll wait and we'll wait...," he shared. Eventually a hole will be introduced, maybe just for a short time during a maintenance window or while a vendor is fixing an issue. With nearly unlimited resources they can continue to scan and test and push until something changes. Most pentests, though, last no more than a few weeks. A good test can still take these issues into account: a good tester can help you consider different variables and potential events, and how those may affect deployed security controls. It may not be realistic to wait for an event to occur, but often a simulated situation can be used to explore potential risk. Again this falls back on the importance of an open gray-box test.

Ultimately, it's important to understand the difference between advanced attackers and a penetration test. There are similarities, but also key differences. If your testers aren't able to have that conversation, give us a call.

Rob had a lot more great advice for businesses on how to secure their networks. His 35-minute talk is definitely worth a listen: Watch Rob Joyce's Usenix Enigma Talk.
