This lesson explores a speech delivered by Rob Joyce of
Tailored Access Operations (TAO), a division of the NSA, on defending
from Nation State Exploiters.
Concepts:
Mr. Joyce talks about the basics first: knowing the network and
knowing its vulnerabilities.
He lists phases of an intrusion at 2:06, and continues to talk
about them in the presentation.
Reconnaissance - scanning, gathering public information,
figuring out who is important, figuring out what is actually in use in
the network, then researching functionality, vulnerabilities, and
exploits.
We should run our own penetration tests and keep the results
for reference in the next test, because findings are often not corrected.
An APT will look for holes that were opened for vendors to fix
something.
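One way to act on the advice above about keeping test results for comparison is to diff the findings of one test against the next, so the items that were never fixed stand out. The following is an added example, not part of the lecture or of Mr. Joyce's talk; the two scan snapshots are constructed sample data in a minimal "host,port,service,finding" CSV format invented for this example, not the output of any real scanner.

```python
"""
Track findings across penetration tests: which findings from the previous
test are still open, which are new, and which were resolved.

Added example (not from the lecture or the talk). The scan snapshots below
are constructed sample data in a made-up CSV format; they are not the output
of any real tool.
"""
import csv
import io
from typing import Dict, List, NamedTuple, Set

# Constructed sample data: results of the previous test.
PREVIOUS_SCAN = """\
host,port,service,finding
10.0.0.5,22,ssh,password authentication enabled
10.0.0.5,3389,rdp,exposed to guest VLAN
10.0.0.9,445,smb,SMBv1 enabled
10.0.0.12,8080,http,default admin credentials
"""

# Constructed sample data: results of the current test.
CURRENT_SCAN = """\
host,port,service,finding
10.0.0.5,22,ssh,password authentication enabled
10.0.0.9,445,smb,SMBv1 enabled
10.0.0.12,8080,http,default admin credentials
10.0.0.20,21,ftp,anonymous login allowed
"""


class Finding(NamedTuple):
    host: str
    port: int
    service: str
    finding: str


def parse_scan(text: str) -> Set[Finding]:
    """Parse the constructed CSV format into a set of Finding records."""
    reader = csv.DictReader(io.StringIO(text))
    return {
        Finding(row["host"], int(row["port"]), row["service"], row["finding"])
        for row in reader
    }


def compare_scans(previous: Set[Finding],
                  current: Set[Finding]) -> Dict[str, List[Finding]]:
    """Split findings into still_open (seen in both tests), new, and resolved.

    A finding is identified by host, port, service and description, so a
    finding that reappears unchanged after a test cycle is reported as
    still open rather than as new.
    """
    return {
        "still_open": sorted(previous & current),
        "new": sorted(current - previous),
        "resolved": sorted(previous - current),
    }


def report(result: Dict[str, List[Finding]]) -> str:
    """Render the comparison as plain text, one bucket per section."""
    lines = []
    for bucket in ("still_open", "new", "resolved"):
        lines.append(f"{bucket} ({len(result[bucket])}):")
        for f in result[bucket]:
            lines.append(f"  {f.host}:{f.port}/{f.service} - {f.finding}")
    return "\n".join(lines)


if __name__ == "__main__":
    previous = parse_scan(PREVIOUS_SCAN)
    current = parse_scan(CURRENT_SCAN)
    print(report(compare_scans(previous, current)))
```

With the constructed data, three findings show up as still open from the previous test, one RDP exposure is reported as resolved, and one FTP finding is new; the still_open list is the one that most needs follow-up, since it is exactly what an adversary doing reconnaissance would also find again.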
Initial Exploitation - spear phishing, watering-hole attacks,
exploiting a known CVE. Most intrusions start with an email carrying a
malicious payload, a visit to a compromised website, or contaminated
removable media. Pass-the-hash attacks (see the PDF attached in
Blackboard).
Use technical enforcement of policies; don't rely on
users to do the right thing.
Establish Persistence - digging in, escalating privileges
Install Tools - tools to harvest and report, or to destroy,
if that's the objective
Move Laterally - find what you need in other locations in
the network
Collect, Exfil, and Exploit - gather what you need, get it
where you want it, and get out. Worry about the attacker who only wants
to destroy.
His recommendation: disrupt the transitions between the
phases of the intrusion, and take all available action at all levels.
Another video from this series discusses the Internet of Things and
the hackers exploiting it.
Attila Marosi, from Sophos, discusses some attacks, some
tools, and some motivations to run this kind of attack. His point is
that there is every reason to think this will happen again.
Assignments
Assignments for these chapters will be found in Blackboard. We will
explore that in class.