NSA: There's a New Normal on the Nation-State Front

Speaking in the keynote theatre at Infosecurity North America, David Hogue, senior technical director at the NSA's Cybersecurity Threat Operations Center (NCTOC), laid out the new normal for nation-state threats. Hint: Nothing is normal anymore.

The NCTOC’s primary mission is defending the non-classified US Department of Defense (DoD) network and its 2.9 million users that are spread everywhere from office buildings in DC to battlegrounds in Afghanistan. It also works hand-in-hand with US Cyber Command to protect other federal agencies, including the Departments of Energy and Homeland Security. The group also is in the process of moving to an integrated cyber-center that will house 250 people. “We’re talking six-foot walls and the whole nine,” said Hogue. “It will be the center of the universe for how we defend cyber.”

In his talk, “Building Cyber Resilience,” Hogue noted that phishing and vulnerability exploitation remain the top two threat vectors against the government—and both have taken on new characteristics.

As to the former, he said that the US government network rejects 85% of the emails that it receives on a daily basis. “90% of intrusions we see come from phishing, whaling and spear phishing, and it's just a relentless barrage of emails. It still works,” Hogue said.

Exploits are on the rise too. Hogue said that from the time a new flaw is disclosed or patches come out, US federal networks are scanned within 24 hours.

“Our adversaries are actively and constantly probing our networks to see what has been patched and what has not,” he explained. “The time it takes from disclosure to weaponization is now less than 24 hours. That makes us rethink how we react in terms of agilty and info-sharing.”

Much of the activity, as it always has been, is nation-state motivated. But the activity of the four main attackers (China, Iran, North Korea and Russia) is evolving, and the NCTOC has had to re-evaluate its assumptions.

Some of the changes are positive. “Iran for instance remains very sensitive to international political events, which can influence target selection and the level of malicious activity,” Hogue said. “But while its hackers are still very disruptive, they have moderated their behavior since the nuclear deal was signed.”

The story is similar with China, he added.

“Two years ago China was spear-phishing the world, resulting in what many called the greatest transfer of wealth in history,” Hogue explained. “But now that has fundamentally changed after the agreement last year between the US and China to curtail cyber-activities for purposes of commercial gain. FireEye saw a 90% reduction in cyber-activity after that—we see similar results.”

On the not-so-positive side, destructive attacks are on the rise.

“North Korea is also very sensitive to world events, and they clearly don’t like Seth Rogan movies,” Hogue, who was a response lead in the Sony breach, quipped. “Events like the Sony breach were once outlier events, and that particular incident was seminal. But now the DPRK views cyber as an effective tool of state power more than ever before, and every conflict will have a cyber-dimension. If you’re a defense contractor or a government entity, you are having the kitchen sink thrown at you by North Korea right now.”

In last 12 months, another big change is the volume of large-scale attacks. “Attacks on the Saudi aviation authority, the Ukraine power grid attack, WannaCry, ongoing MSPs compromises, Equifax—the list goes on and on,” Hogue said. “There are two to three national-level events every month now that require us to provide information to senior leaders.”

This is, he said, not waning anytime soon.

“We are dealing with a new normal—traditional exploits are giving way to destructive activities that mirror geopolitical events,” Hogue said.

Russia meanwhile has continued its very aggressive cyber-behavior, which Hogue said resembles the show of force we see in its military operations.

“As evidenced by the DDoS of the electrical grids in Georgia and Ukraine, Russia likes to couple physical attacks with destructive cyber elements—we equate it to hand-to-hand combat,” Hogue said. “Once they are in the network they do everything they can to stay there. We sever a C&C—they stand up a new one within minutes. They continuously target network administrators, trying to stay one step ahead. It’s relentless.”

One of the defenses that NCTOC has implemented is a reduction in touchpoints for the 300 TB of traffic that it sees every day. It has consolidated its internet access points from hundreds to just 10 for traffic coming in and out, which offers deep visibility into 99% of the traffic, Hogue said.

“This is not just passive monitoring but also real-time packet inspection and manipulation of known bad traffic, from the knowledge that we have about our adversaries,” he said. “Also, we have to have an out of band playbook. We have to be much more agile on how we share information and respond.”

The NSA also has its sights on fresh, innovative approaches to security. For one, he cited Google’s decision to enforce its security perimeter based on device profiles and user authentication. Similarly, he lauded the UK’s recently transformed approach.

“They have a national cybersecurity center, and have an attitude that the entire internet space is sovereign—they act as a one-stop shop, and government and industry are working side by side,” he said. “Canada and Australia are looking at similar models. We can learn a lot from this.”

Hogue concluded his session by issuing his top five principles for CISOs:

1. Have well-managed and dependable gateways and perimeters. “We were drawn down to 10,” Hogue said. “It’s important to not give adversaries hundreds of options to get to you.”

2. Ensure visibility on a continuous basis, especially at the endpoint level.

3. Harden endpoints and services to meet best practices. “CISOs have to be able to converse in known vulnerabilities and threats,” he said.

4. Embrace comprehensive and automated threat intelligence sources that are appropriate for your environment. “Less is more here, you don’t need 35 different feeds,” Hogue said. “Use your team’s time wisely, and pair analysts with network defenders.”

5. Cultivate a culture of curiosity and innovative approaches. 

What’s Hot on Infosecurity Magazine?