A Deeper Look into the NSA's Talk of Network Taps and Smart Sys Admins
The NSA's lead hacker and head of Tailored Access Operations (TAO), Rob Joyce, recently gave a rare speech on the stops and starts of covert network intrusion. In it, he informed organizations how to protect themselves from the NSA. His security tips, he admits, seem almost mundane---segmenting networks, limiting access to sensitive data, and knowing what is actually running on your network---but they are the bulwarks against intrusion. What really caught my eye, however, was this:
“Another nightmare for the NSA? An 'out-of-band network tap'—a device that monitors network activity and produces logs that can record anomalous activity—plus a smart system administrator who actually reads the logs and pays attention to what they say.”
A nightmare for the NSA is also a nightmare for hackers, and subsequently a dream come true for security professionals, but what does it really mean to have an “out-of-band network tap” and a “smart sys admin”?
Putting Joyce's recommendations into practice to secure your network from prying eyes, no matter the direction, isn't hard, but it does require some persistence.
Types of network security
The key to network monitoring is human involvement - that means having smart people working alongside smart technology to detect anomalous behavior. A network with sophisticated tools but nobody actually paying attention to them is a hacker's dream. But short of the red teaming and penetration testing Joyce mentions, there are plenty of security options for sys admins.
Out-of-band Network Tap: An out-of-band network tap is a passive device that sits off the forwarding path of your network and simply copies traffic to a monitoring system, without altering or delaying it. Sys admins can then look through the resulting logs to identify anything out of the ordinary. The upside to this sort of direct, human involvement is that it helps find things that might otherwise get overlooked, such as zero-day exploitation, data exfiltration, and intrusions through unpatched legacy systems. The downside is the time it takes to go through the logs.
Network Segmentation: Keeping intruders out means limiting access. Segment your network. Whitelist applications in those segments to prevent malware from running. Be selective with admin privileges. Look at what credentials are being used for which purposes. If it doesn't look normal, then investigate.
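The two items above describe the same daily routine from two angles: reading what the tap recorded, and checking that traffic respects the segments you drew. The following is an added example, not code from the article or from Eastwind, that does both over a handful of constructed flow summaries (the kind a sensor attached to a tap would export). The segment ranges, the allowed cross-segment flows and the sample hosts are all assumptions made for the example; it flags a workstation that suddenly sends far more data outside than its own history suggests, and a workstation talking straight to the database segment that policy never permitted.

```python
"""Review tap-sensor flow summaries for exfiltration and segmentation violations.

Constructed example: hosts, segments and policy are assumed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed segment layout; anything outside these ranges counts as "internet".
SEGMENTS = {
    "workstations": ip_network("10.1.0.0/16"),
    "servers": ip_network("10.2.0.0/16"),
    "database": ip_network("10.3.0.0/16"),
}

# Assumed policy: which destination ports each segment pair may use.
ALLOWED = {
    ("workstations", "servers"): {443},
    ("servers", "database"): {5432},
    ("workstations", "internet"): {80, 443},
    ("servers", "internet"): {443},
}


def segment_of(ip):
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


# Constructed daily flow summaries: (day, src_ip, dst_ip, dst_port, bytes_out).
SAMPLE_FLOWS = [
    # six ordinary days: two workstations browse, one also uses a file server,
    # and the file server talks to the database as designed
    *[(d, "10.1.1.10", "203.0.113.9", 443, 48_000_000 + d * 1_000_000) for d in range(1, 7)],
    *[(d, "10.1.1.10", "10.2.0.20", 443, 20_000_000) for d in range(1, 7)],
    *[(d, "10.1.1.11", "203.0.113.9", 443, 51_000_000 - d * 500_000) for d in range(1, 7)],
    *[(d, "10.2.0.20", "10.3.0.5", 5432, 5_000_000) for d in range(1, 7)],
    # day 7: one workstation pushes 2.3 GB to an outside host and reaches the
    # database directly, bypassing the server tier
    (7, "10.1.1.10", "203.0.113.9", 443, 49_000_000),
    (7, "10.1.1.10", "198.51.100.77", 443, 2_300_000_000),
    (7, "10.1.1.10", "10.3.0.5", 5432, 900_000),
    (7, "10.1.1.11", "203.0.113.9", 443, 47_500_000),
    (7, "10.2.0.20", "10.3.0.5", 5432, 5_000_000),
]


def segmentation_violations(flows):
    """Return cross-segment flows whose (src segment, dst segment, port) is not
    in the policy. Traffic that stays inside one segment is not judged here."""
    hits = []
    for day, src, dst, port, _nbytes in flows:
        s, d = segment_of(src), segment_of(dst)
        if s == d:
            continue
        if port not in ALLOWED.get((s, d), set()):
            hits.append((day, src, dst, port, s, d))
    return hits


def outbound_volume_anomalies(flows, z_threshold=3.0, min_ratio=3.0):
    """For each source host, compare the latest day's bytes sent to the
    internet against that host's own earlier days (a per-host baseline)."""
    daily = defaultdict(lambda: defaultdict(int))
    for day, src, dst, _port, nbytes in flows:
        if segment_of(dst) == "internet":
            daily[src][day] += nbytes
    findings = []
    for src, per_day in daily.items():
        days = sorted(per_day)
        if len(days) < 3:  # not enough history to call anything abnormal
            continue
        history = [per_day[d] for d in days[:-1]]
        latest = per_day[days[-1]]
        mu, sigma = mean(history), pstdev(history)
        if sigma:
            z = (latest - mu) / sigma
        else:  # perfectly flat history: any increase is infinitely surprising
            z = float("inf") if latest > mu else 0.0
        # require both a statistical outlier and a plain-sense multiple of
        # normal, so a tiny-variance host does not alert on a 1% change
        if z >= z_threshold and latest >= min_ratio * mu:
            findings.append((src, days[-1], latest, round(mu)))
    return findings


if __name__ == "__main__":
    for v in segmentation_violations(SAMPLE_FLOWS):
        print("policy violation:", v)
    for src, day, latest, baseline in outbound_volume_anomalies(SAMPLE_FLOWS):
        print(f"exfiltration candidate: {src} sent {latest:,} bytes out on day {day} "
              f"(baseline {baseline:,}/day)")
```

Both checks rely on the tap seeing traffic the endpoint cannot hide: the volume baseline is per host, so a busy file server is not compared against a quiet workstation, and the policy check turns "segment your network" into something that can be verified against what actually flowed rather than what the diagram says.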
Limit Intrusion Vectors: Joyce also calls out the three most common intrusion vectors: email, malicious websites, and removable media. These end-user problems can be addressed with properly tuned spam filters, up-to-date antivirus software and reputation services.
No single method will catch every intrusion attempt. Security has to happen in layers. The end goal is to create security systems within your network that protect and inform, while still allowing you to run your business.
How smart sys admins work
A smart sys admin is more than just someone with a high IQ. Protecting a network and all of a company's internal resources takes more bandwidth than a single person can provide and a smart sys admin recognizes this. The smart sys admin also understands that, despite their best efforts, threats will always find a way past their controls, and that they will need to find creative ways to mitigate them.
As such, these over-worked and under-resourced stalwarts of network security rely on software assistance and automation to help keep systems available and businesses running. Auto-updates for applications and antivirus software help with known threats, but are just the beginning. Threats that make it past all the preventative measures are the hardest to address. Stolen and weak credentials, malware delivered through phishing or “normal” web surfing, weak system and SQL security, or the flaws you identified but have yet to patch - these are but a few of the ways hackers get around even a watchful eye. Joyce points out in his talk that the average time from breach until detection is over six months.
Employing active breach detection helps guard the outer defenses as well as watch what goes on inside the network perimeter. Smart sys admins find tools that watch 24/7 and use analytics and machine learning so that the breach that is happening now helps prevent the next incursion. And it has to happen fast. You can’t afford to find out about Friday night’s hack on Monday morning. Real-time tracking, alerts, and acting on the information as soon as it becomes available are essential for every sys admin.
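To make the "Friday night versus Monday morning" point concrete, here is an added example (not the article's or Eastwind's code) of the streaming side of breach detection: a detector that consumes authentication events one at a time as they arrive and raises an alert the moment a source has failed against enough distinct accounts inside a short window, then raises a second, higher-priority alert if that same source subsequently logs in successfully. The events are constructed for the example and dated to a Friday evening; the window and thresholds are assumptions a real deployment would tune.

```python
"""Real-time alerting on an authentication event stream.

Constructed example: the events, thresholds and window are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class SprayDetector:
    """Alert when one source fails against many accounts in a short window
    (a password-spraying pattern), and escalate if a success follows."""

    def __init__(self, window=timedelta(seconds=120), min_failures=8, min_accounts=5):
        self.window = window
        self.min_failures = min_failures
        self.min_accounts = min_accounts
        self.failures = defaultdict(deque)  # src -> deque of (timestamp, account)
        self.alerted = set()                # sources already flagged

    def feed(self, ts, src, account, outcome):
        """Process one event as it arrives. Returns an alert dict or None."""
        q = self.failures[src]
        # drop failures that fell out of the sliding window
        while q and ts - q[0][0] > self.window:
            q.popleft()
        if outcome == "failure":
            q.append((ts, account))
            distinct = {a for _, a in q}
            if (len(q) >= self.min_failures and len(distinct) >= self.min_accounts
                    and src not in self.alerted):
                self.alerted.add(src)
                return {"type": "password_spray", "src": src, "at": ts,
                        "first_seen": q[0][0], "accounts": len(distinct)}
        elif outcome == "success" and q and src in self.alerted:
            # a success from a source still inside its spraying window is the
            # event that actually matters: likely a guessed credential
            return {"type": "success_after_spray", "src": src,
                    "account": account, "at": ts}
        return None


def _t(s):
    return datetime.fromisoformat(s)


# Constructed events (timestamp, source_ip, account, outcome), in arrival order.
# 2016-01-29 is a Friday; a weekly log review would see these on Monday.
SAMPLE_EVENTS = [
    (_t("2016-01-29T21:58:10"), "10.0.0.7", "dana", "failure"),   # a typo
    (_t("2016-01-29T21:58:25"), "10.0.0.7", "dana", "success"),
    # one outside host tries twelve accounts, one attempt each, 7 s apart
    *[(_t("2016-01-29T22:00:00") + timedelta(seconds=7 * i),
       "198.51.100.23", f"u{i + 1:02d}", "failure") for i in range(12)],
    (_t("2016-01-29T22:01:30"), "198.51.100.23", "u09", "success"),
    (_t("2016-01-30T09:12:00"), "10.0.0.7", "dana", "success"),
]


def run_stream(events, detector=None):
    """Feed events in order and collect the alerts, as a live pipeline would."""
    det = detector or SprayDetector()
    alerts = []
    for ts, src, account, outcome in events:
        alert = det.feed(ts, src, account, outcome)
        if alert:
            alerts.append(alert)
    return alerts


def detection_latency_seconds(alert):
    """Seconds between the first event of the pattern and the alert."""
    return (alert["at"] - alert["first_seen"]).total_seconds()


if __name__ == "__main__":
    for a in run_stream(SAMPLE_EVENTS):
        print(a["at"].isoformat(), a["type"], a["src"], a.get("account", ""))
```

The spray alert fires on the eighth failure, 49 seconds after the first attempt, and the "success after spray" alert follows within the next minute, while the same pattern in a batch review would sit unread until someone opened the logs. Thresholds like these deserve a per-environment baseline: a helpdesk jump host that legitimately touches many accounts would need its own allowance or a separate rule.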
A proportionate response
Hackers and sys admins share two essential characteristics: persistence and creativity. But while hackers only have to find one weakness to gain entry, sys admins have to cover every line of attack. Preventive measures alone aren't enough. Breaches will happen. You can find a breach in the logs next week or next month, or your active breach detection system can find it now, before the hackers do damage.
About the Author
Paul Kraus is CEO of Eastwind Breach Detection, a cloud-based breach detection solution that aims to protect government agencies and enterprise organizations from cyber threats that bypass traditional security measures. Eastwind Breach Detection monitors the entire network, not just the sources, looking at the raw data and providing more context with which to make decisions and flag threats.
Edited by Peter Bernstein