NSA: Hackers use persistence, not zero days, to breach companies

Don’t underestimate the threat posed by persistent attackers. Adversaries that study a company’s network and know its weak spots could cause damage without relying on a zero-day vulnerability.

Businesses often believe that nation-state hackers prefer using zero-day exploits in their attacks. However, there are many other vectors that have a longer shelf life and offer attackers greater rewards.

That’s the advice from Rob Joyce, who runs the U.S. National Security Agency division that handles breaking into the computer networks of foreign adversaries. Joyce, speaking at a conference in San Francisco last week, downplayed how frequently attackers use zero-day flaws.

“A lot of people think that nation-states are running their operations on zero days, but it’s not that common. For big corporate networks, persistence and focus will get you in without a zero day; there are so many more vectors that are easier, less risky and more productive," said Joyce, who's considered the nation's chief hacker. 

Hackers shun vectors that can be detected quickly

Security researchers have found that attackers are turning away from methods that are easy to detect and shut down, like zero days. While these vulnerabilities provide an opportunity to breach a company, zero-day attacks are useless once a patch is issued by a vendor and applied by a company.

Instead, attackers prefer methods that are difficult for security teams to discover, allowing their campaign to persist unabated. For example, researchers have seen an uptick in fileless malware attacks, in which adversaries use an OS’s embedded tools to penetrate an organization’s network and evade detection by traditional programs like antivirus software.

Security starts with understanding your network

Protecting a corporate network requires knowing all devices and technology that are running on it, Joyce said, adding that the NSA will continuously pick at a network until a hole is discovered.

Given the complexity of modern enterprise networks, this task is daunting. Perhaps this explains why, according to Joyce, the NSA often understands a network better than the company that operates it. In addition to devices traditionally found on enterprise networks, like company-provided laptops and servers, the bring-your-own-device movement had lead to an influx of personal, and often times unprotected, machines appearing at the office.

Endpoint visibility is probably a good way to close this gap. Endpoints are often considered the most vulnerable part of an organization, making them frequent attack targets. But this perceived flaw can be turned into a strength: by constantly monitoring endpoints, an enterprise can discover early on if they’ve under attack and mitigate the damage.

Deploying a next-generation endpoint solution on every device can give a company greater visibility into its IT environment. These products show the connections between malicious acts, helping security analysts understand a hacker’s entire campaign and giving them the information to completely shut it down.

Penetration is inevitable, but hackers can be spotted through abnormalities  

Preventing hackers from the NSA, another nation-state or even from one of the advanced cyber criminal hacking groups from breaching a company's network is virtually impossible, since they’ll prod a network until finding a way in.

“We need that first crack and we’ll look and look to find it,” Joyce said. “There’s a reason it’s called an advanced persistent threat; we’ll poke and poke and wait and wait until we get in. We're looking for that opening and that opportunity to finish the mission.”

But Joyce did offer advice on how businesses can fight such attacks and make the NSA’s job more difficult. He suggested limiting access privileges for important systems to those who really need them; segmenting networks and important data to make it harder for hackers to reach key systems; patching systems and implementing application whitelisting; and removing hardcoded passwords and legacy protocols that transmit passwords in the clear.

An “out-of-band network tap" can also stymie NSA hackers, Joyce said. This type of technology observes network activity and generates records of anomalous activity. Using it requires a sharp system administrator who will review the logs for suspect behavior that could blow a hacker’s cover.

At Cybereason, we believe this is the best approach for fighting advanced persistent threats (APTs): collecting information about everything that happens in an organization, analyzing it in real time, spotting abnormal behavior and then analyzing it to determine whether it's malicious or benign.

We help security analysts - those smart system admins that Joyce is referring to - spot only those abnormalities that are malicious, gain context about them and act immediately to resolve and shut down the complete attack. One of our customers recently used the Cybereason platform to detect a nation-state attack that had compromised the organization for over a year.

Fred O'Connor
About the Author

Fred O'Connor

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.