20 Oct 16. ‘Not If, But When’: NSA Official Discusses Importance of Cyber Vigilance. In the wake of major intrusions into U.S. government computer networks over the last 24 months, the National Security Agency’s deputy national manager for national security systems outlined his agency’s role in developing cyber defense mitigations, and its critical response to public- and private-sector cyber incidents.
During his remarks Oct. 18 at the American Enterprise Institute, Curt Dukes offered an inside look at NSA’s incident-response work, and described the agency’s way ahead in improving government cyber defense in the aftermath of intrusions at the Office of Personnel Management, State Department, DoD’s Joint Staff and two commercial companies that conducted background checks for the U.S. government.
“The adversary took advantage of poorly secured, poorly patched systems,” Dukes said. “Once they had that initial foothold, they elevated privileges and then moved to mission objective, which was exfiltration of personally identifiable information, exfiltration of intelligence, or in some cases, the actual destruction of the host.”
Raising Costs to Adversaries
With so much at stake, Dukes said U.S. vigilance of computer networks is vital, and ultimately needs to stack the odds against cyber attackers.
“[An adversary] could easily attack us [and] achieve mission objective … so I want to raise the cost to the adversary,” he said. “By the time we actually respond to an intrusion — it takes hours to days — by then, in cyber time, an adversary has already met their objective.”
Dukes explained typical cyberattack life cycles and various mitigations that he said will force adversaries to alter their intrusion methods, while helping industry to better prepare the U.S. government and military for those types of attacks at each step of the cycle.
As networks become increasingly interconnected, Dukes said, adversaries will find proportionately more exploitation opportunities. He maintains that it pays to invest in network defense.
“Look at what we currently spend in remediation for the [Office of Personnel Management] breach … if we had just put one-tenth of that into good security at the very beginning, we’d have been much better prepared for any type of attack in that regard,” Dukes said of the 2015 intrusions that cost the government millions to address and impacted millions of current, former and prospective federal employees and contractors. “There’s an imbalance right now in what we spend on offense capabilities, and what we spend on defense.”
Cyberattack Lifecycles
The cycle, Dukes explained, begins with an initial exploitation of open-source literature or the defense industrial base. When a vendor wins a contract, that information becomes publicly available, and adversaries mount a phishing attack, for example by crafting emails that appear to come from a senior official.
“They want you to either click on that link or open that attachment,” he said, “and this creates a classic spear-phishing avenue that they’re going to continue to use until we actually remove that as a capability for them.”
Dukes also described “watering holes,” in which adversaries lead unsuspecting users to a site they’ve already corrupted. “From that point,” he said, “they can then put the initial install onto your device, and get access through a classic thumb drive or some type of media.”
And, while these vulnerabilities help cyber attackers gain access to very basic network levels, their next move is to establish persistence, Dukes explained.
“It gives them the ability to have multiple ingress and egress points,” Dukes said of what happens once adversaries establish a virus and gain access to a network and its connectivity. “So they’ve maybe found that host, but they’ve already moved to other hosts and to multiple ways in and out of the network.”
But entry points, he noted, are only part of the problem.
“Once they understand your system, if you’re not particularly well-patche