Fast-Forward: Advanced Persistent Threats

min read

The following is a guest post by Chris Markman, Academic Technology Specialist at Clark University, where he presses the "fast-forward button" on Hacker Conference videos to give you a summary of the talk in a condensed format, with direct links to resources mentioned in the talk. New posts are available each month in the Security Matters blog column.

Last month on Fast-Forward we watched a video from the 2012 DEF CON, one of the largest annual hacker conferences in the United States. This was one year before DEF CON's lead organizer, Jess Moss, famously uninvited federal security agents from future events. Naturally, this month it would then seem appropriate to follow-up with a talk from the NSA Office of Tailored Access Operations (TAO) Chief Rob Joyce at USENIX's very first "Enigma" security conference, held in San Francisco in January 2016. As a side note, unlike other presenters featured on the blog, Mr. Joyce does not appear to have a Twitter handle, so you'll need to use @NSAGov.

USENIX is an international organization with a long history, and I highly encourage you to browse the list of presentations from this first year of Enigma. Unfortunately, the slides from Rob's talk offer very little information, other than an outline of what was discussed, and the Q&A session that followed is not recorded for your viewing pleasure, so we'll just have to make do with the video version of the 34-minute "Disrupting Nation State Hackers" presentation.

The first takeaway from this talk, which Rob repeats several times throughout, is the inherent nature of advanced persistent threats and what that really means in practical terms. The emphasis is persistence — nation state hackers are really good at waiting for the right moment to attack. He gives the example of a vendor who asks for special permission and access to fix a problem on your network over the weekend, not unlike what we saw in the Target credit card data breach, which involved a similar vector.

The second takeaway starts around 20 minutes when Rob begins talking about the vulnerabilities nation state attackers like to leverage, like hardcoded passwords in scripts and on devices, plus older protocols that should be higher on the depreciation list for any corporate entity. He places some heavy emphasis on pass the hash vulnerabilities as well, and this SANS white paper from 2010 is a good start if you want to learn more.

In closing, if you're not interested in watching the entire presentation, I would watch the first 10 minutes to get an overview of what the infiltration and exfiltration process looks like from start to finish for a nation state hacker group. As an experiment, imagine for a moment that you have TAO's resources, and compare your strategy. You might be surprised by the results!

Chris Markman has been blogging about technology since 2008, first as a volunteer for the Participatory Culture Foundation and later as an MSLIS student at Simmons College and MSIT student at Clark University. Prior to joining the Academic Technology Services team at Clark University in 2014, he managed a film and music library in the Visual and Performing Arts department. Markman is a member of the New England Archivists professional group and several artist collectives in the city of Worcester, Massachusetts.

© 2016 Christopher Markman. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.