Defending a network from the NSA

The head of NSA TAO advises on defensive computing for networks

NSA - National Security Agency
Credit: Reuters/Jason Reed

In the just-completed USENIX Enigma security conference, Rob Joyce, the head of the elite Tailored Access Operations (TAO) division of the NSA, offered advice on making his job harder. Go figure.

The setting struck me as surprisingly routine, considering he is, arguably, the nations head hacker. The NSA is an apex predator (his term) and Joyce sits at the head of the apex.


Rob Joyce of the NSA

Much of the presentation, Disrupting Nation State Hackers, consisted of standard best practices, but Joyce did offer a small peek behind the curtain.

While spies abusing generally unknown software flaws (a.k.a. zero day vulnerabilities) makes for great headlines and movies, real life, according to Joyce, is quite different. He characterized the use of zero day flaws by the NSA as "not that common."

Instead, Joyce said, the NSAs big advantages are their competence and their persistence. "For big corporate networks", he said, "persistence and focus will get you in without a zero day; there are so many more vectors that are easier, less risky, and more productive."

The NSA benefits from targets that do a poor job of defense, such as not watching logs, embedding plain text passwords in scripts, mis-configuring devices, reusing passwords, and network administrators that don't have a baseline of what constitutes normal inside their network. Then too, small holes may get overlooked, he said that no hole is too small for their getting a foot in the door.

The NSA is also persistent. They will wait and watch and test and probe for as long as it takes.

There's a reason it's called Advanced Persistent Threats, 'cause we'll poke and we'll poke and we'll wait and we'll wait. We're looking for that opening and that opportunity to finish the mission.

An example he gave was of a network operator that gives a vendor temporary access to deal with a problem. No doubt he used this example because it is how Target was breached.

The more he talked about the overall competence of the NSA, the more I took it as a knock on their adversaries.

It is not news that many techies are lazy, stupid and/or poorly trained. Among those that are smart, motivated and well-trained, some are stretched too thin, others are hampered by the bureaucracy, finances and/or politics of the organizations where they work. How else to explain the many hacks and breaches in the news, which are, no doubt, only the tip of the iceberg.

Somewhat bragging, Joyce said that the NSA often knows networks better than the people who designed them, and better than those protecting them.

We put the time in …to know [a network] better than the people who designed it and the people who are securing it ... You’d be surprised about the things that are running on a network vs. the things that you think are supposed to be there.

The last point is interesting, defenders know what is supposed to be there, the NSA knows what actually is there.

I suspect Joyce has a point. Speaking as a programmer, I can attest that debugging can be hampered by perception. The person who wrote a program looks at it and sees what is supposed to be there. Often someone else is needed to see what actually is there. From what Joyce says, the same is true with networks; administrators keep tabs on the software and devices they know about, while other exploitable stuff flies under the radar. 


Joyce also offered some specific Defensive Computing advice.

One product he recommended for securing Windows machines was EMET, a free program from Microsoft. The NSA even has an EMET PDF on their website, Understanding the Enhanced Mitigation Experience Toolkit that says

EMET inhibits attacks currently used by Advanced Persistent Threat (APT) actors ... EMET stops the majority of cyber attacks in use today.

Did Joyce recommend EMET because it's a good defensive tactic, or, because the NSA has a back door in it that makes their job easier? That's above my pay grade.

Joyce also spoke highly of whitelisting -- twice.

Whitelisting is the opposite of anti-virus software. That is, rather than allowing all software to execute by default and trying to block bad stuff, white listing defaults to blocking everything and only lets known good applications run.

Perhaps realizing that many in the audience felt that whitelisting was impractical, Joyce hinted at using it on servers. As a rule, servers run less software than the computers used by employees, and the software is updated less frequently, making it easier to maintain the whitelist.

Another area where he suggested whitelisting was outgoing traffic. Companies often allow all outgoing requests by default and then try to block known bad domains. I got he feeling the considered this a fools errand.

After a breach, spies have to phone home to get their captured data out of the infiltrated network. Where do they send it? Likely, to a domain never seen anywhere else in the world.

Thus, outgoing requests to domains not previously seen, should be a red flag and treated as suspicious. A network may get breached, but if it blocks the stolen data from being sent to, the damage is minimized. I suspect that, in private meetings, the NSA recommends blocking all never-before-seen domains by default. 


NSA intrusion phase 5 - moving laterally

Two other things Joyce mentioned were network segmentation and trust boundaries. I took these to mean VLANs.

A Virtual Local Area Network, is an isolated segment of a larger network. In the event of a breach, VLANs can keep the bad guys from moving sideways within the network. That is, if one department gets breached, a VLAN would prevent the infection from spreading to the rest of the company. You could make a case that the worst mistake Sony made was not using VLANs.

At the last DEF CON conference, I was lucky enough to discuss the network architecture with Luiz Eduardo who ran the network (see Wi-Fi at DEF CON - dealing with the worlds most dangerous network). VLANs played a big part in defending the DEF CON network from attack. Each presenter at the conference was on their own VLAN and there were many more in place. 

I recently setup a VLAN at home. While I share files and printers amongst the computers on my LAN, I don't share anything with the Wi-Fi tablets and smartphones on it. So, I configured my router to create a new SSID that isolates connected devices in three ways.

First, devices on the wireless network can not see anything that is Ethernet connected to the router. They are also blocked from seeing devices connected to other wireless networks created by the router. Secondly, devices on the isolated network can't even see each other. Finally, although isolated devices can see the router (necessary for Internet access) they can not logon to it.

The net effect is that Wi-Fi devices on this isolated SSID can get to the Internet and nothing else. My home network is better segmented than airplanes offering Wi-Fi.

Someone with a consumer router may be able to get this same effect with a Guest network. I say maybe because there is a huge difference in the way routers implement Guest networks. For more, see my recent blog To share or not to share - a look at Guest Wi-Fi networks

Another interesting point Joyce made, was that there is no such thing as the cloud, there is just someone else's computer. He didn't expand on this much, but I took it as reminder that cloud services just as Dropbox, Google Drive, Box, Microsoft OneDrive, Apple iCloud and Amazon Cloud Drive can, as a rule, read the files stored on their computers.


Frequently the NSA doesn't break into networks, victims let them in, in the most obvious ways - email and web pages.

As for email, Joyce repeated the phrase that should be a nerds mantra: don't click that link. Nothing new about this, other than the fact that the NSA and bad guys world-wide share the same tactic - phishing. And, that it works far too often.

The use of infected web pages is a bit more interesting. 

I have read elsewhere that attackers learn the websites popular with employees of a target organization, such as restaurants across the street, and then infect those sites with malware. The TAO division of the NSA is said (not by Joyce, of course) to be more advanced.

Rather than touching a restaurant website, they might sit on the network with a malicious version of website at the ready. When victims try to visit the restaurant website, the NSA intercepts it and responds with their hacked edition. 

Joyce offered no advice for defending against malicious email and web pages.

My suggestion is one that I doubt any company would implement - restrict web browsing and email to VLAN isolated devices. Since these devices are the most likely to get infected, they should not have access to the corporate LAN. 

The third way that victims let the NSA into their network is also not a surprise: removable media. As seen on the second episode of Mr. Robot, don't take CDs from strangers.


What to do if the NSA is better at attacking than you are at defending?

Air gap. A network attacker can't get at computers and files that are not on a network.


Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon