The challenge of offensive hacking: the NSA and zero days

Over the last few days, we’ve learned that a group calling itself the Shadow Brokers has obtained and released snippets of what appears to be top-secret malware used by the Equation Group, an elite hacking team thought to be associated with the National Security Agency, to hack its targets. We’ve also learned that these programs were written to exploit unknown hardware and software flaws, creating a rash of zero-day vulnerabilities for vendors to patch and enterprise security professionals to fret over. While the malware is from 2013, if the flaws aren’t patched, the exploits still work. Code doesn’t age.

The news that the NSA has the means to exploit flaws in technology and use them to spy on targets should not surprise people. The classified U.S. government files leaked by Edward Snowden revealed that such programs were in place, although he didn’t release the code that could carry out these attacks. But don’t confuse Snowden’s actions with those of the Shadow Brokers. Snowden went public because he believed he was speaking out against government spying. But make no mistake, the Shadow Brokers released the exploits for less noble reasons: profit and to embarrass the U.S.

An ethical debate

The NSA deals with national security issues and focuses on keeping the U.S. safe from threats. To carry out those missions, the agency uses a variety of tactics, including finding unknown software and hardware exploits and using them against certain targets. The NSA, though, could find itself in an ethical bind now that its offensive hacking tools are in the public domain and can be easily used. According to the stories I’ve read, these exploits can be deployed within minutes and they work, no reverse engineering or proof of concepts required.

The question of whether the NSA has an ethical obligation to disclose certain vulnerabilities will undoubtedly be raised. After all, a set of weaponized exploits that go after popular hardware and software products from major vendors is now in the world, putting the IT infrastructure of the U.S. as well as its allies at great risk. Cisco and Fortinet have already warned customers that the released exploits target vulnerabilities in their firewalls. But the point can be made that without using these exploits, the NSA could not obtain information that keeps the country safe.

So what kind of responsible disclosure policy should the NSA practice? The organization broadly leverages vulnerabilities to complete its mission, so a full and immediate disclosure of any vulnerability it finds is very unlikely. Whatever agreement is reached needs to balance the NSA’s offensive mandate with the need to protect the country’s businesses from the consequences that arise if the exploits fall into unknown hands. One option is to disclose a vulnerability after the NSA discovers that another entity has used it. Another possibility is to disclose the exploits with the greatest offensive impact since they would most likely prove a nightmare to handle from a defensive perspective, especially around applying patches.

While patching zero-day flaws is a critical step in protecting your organization from information security incidents, there are many ways for an adversary to penetrate your network. This highlights the importance of endpoint monitoring and using behavioral analysis to detect advanced persistent threats, especially those that are designed to evade traditional security tools like antivirus programs or indicators of compromise.

Insight into nation-state operations

A point that hasn’t been emphasized enough is the insight these exploits provide into how a modern hacking operation works. The entities behind an attack have many tools at their disposal, whether the operation is being carried out by a government agency, cybercriminals or a nation-state. They pick the tool that will best exploit the vulnerability and allow them to complete their mission. How do the people behind the attack know what exploits will work on their target? I guarantee they carried out extensive reconnaissance on the target and know what firewalls, routers and other technology the target uses.

Without full and real-time endpoint visibility, you don’t really know what’s happening on your machines. This point is especially salient given the bigger story here: a highly sophisticated attack group linked to the NSA was possibly hacked. Both organizations are responsible for some of the world’s most advanced attacks. If attackers can compromise their defenses, then they will have no issue finding a way around your security measures.

Yonatan Striem-Amit is Cybereason's CTO.

About the Author

Yonatan Striem-Amit, CTO and Co-Founder of Cybereason, is a machine learning, big data analytics and visualization technology expert, with over a decade of experience applying analytics to security in the Israeli Defense Forces and Israeli Governmental Agencies.