ITS 3250 - Securing Systems

Week 10: Disrupting Hackers
USENIX Enigma Conference

This lesson explores a talk, "Disrupting Nation State Hackers," delivered at the USENIX Enigma 2016 conference by Rob Joyce, chief of the NSA's Tailored Access Operations (TAO) group, on defending against nation-state attackers.


Mr. Joyce covers the basics first: know your own network and know its vulnerabilities, because a persistent attacker will study both until he knows them better than the defenders do.

He lists the phases of an intrusion at 2:06 and returns to them throughout the presentation.

  • Reconnaissance - scanning, gathering public information, figuring out who is important, figuring out what is actually in use on the network, then researching that software for functionality, vulnerabilities, and exploits.
    • We should run our own penetration tests and keep the reports for comparison with the next test, because findings are often not corrected between tests.
    • APT actors look for holes that were opened so a vendor could fix something and were never closed again.
  • Initial Exploitation - spear phishing, watering-hole websites, or exploiting a known CVE. Most intrusions start with an email carrying a malicious payload, a visit to a compromised website, or contaminated removable media. Pass-the-hash attacks reuse a captured NTLM password hash to authenticate without ever cracking it (see the PDF attached in Blackboard).
    • Use technical enforcement of policies; don't rely on users to do the right thing.
    • Use anti-exploitation features such as Microsoft EMET (the Enhanced Mitigation Experience Toolkit). Note that EMET has since reached end of life; its mitigations now live in Exploit Protection, part of Windows Defender Exploit Guard on Windows 10.
    • NSA Information Assurance Directorate recommendations (attached in Blackboard: the IAD Top 10 Mitigation Strategies PDF).
    • Patch, upgrade, and update.
  • Establish Persistence - digging in and escalating privileges so that access survives reboots, password changes, and the cleanup of the initial foothold.
  • Install Tools - tools to harvest and report data, or to destroy it, if that is the objective.
  • Move Laterally - find what is needed in other locations on the network, typically by reusing credentials gathered along the way.
  • Collect, Exfil, and Exploit - gather what is needed, move it where it is wanted, and get out. Also worry about the attacker who only wants to destroy.
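The two reconnaissance notes above (keep your pentest reports for the next test; watch for holes opened for vendors) are easy to act on mechanically. The following Python script is an added example, not code from the talk or the course materials: it compares the open-port inventory from the previous test with the current one and reports findings that are still open, findings that were fixed, ports that are newly exposed, and new ports that look like remote administration. The input format (one "host port/proto service" line per open port, as an nmap run would give you), the hosts, ports and findings are all constructed, and the list of remote-access service names is a heuristic of my own.

```python
"""Compare two penetration-test inventories (added example, not from the talk
or the course materials).

Assumed input format: one 'host port/proto service' line per open port, the
kind of inventory an nmap run produces. Last test's findings are keyed by
(host, port). All hosts, ports and findings below are constructed.
"""

# Constructed: open ports recorded during the previous test
PREVIOUS_SCAN = """\
10.0.1.10 22/tcp ssh
10.0.1.10 80/tcp http
10.0.1.20 445/tcp microsoft-ds
10.0.1.20 3389/tcp ms-wbt-server
10.0.1.30 1433/tcp ms-sql-s
"""

# Constructed: open ports recorded during this year's test
CURRENT_SCAN = """\
10.0.1.10 22/tcp ssh
10.0.1.10 443/tcp https
10.0.1.20 445/tcp microsoft-ds
10.0.1.20 3389/tcp ms-wbt-server
10.0.1.20 4899/tcp radmin
10.0.1.40 5900/tcp vnc
"""

# Constructed: findings reported after the previous test, keyed by (host, port)
PREVIOUS_FINDINGS = {
    ("10.0.1.20", "3389/tcp"): "RDP reachable from the user VLAN",
    ("10.0.1.30", "1433/tcp"): "MS SQL sa account with default password",
    ("10.0.1.10", "80/tcp"): "admin login form served over cleartext HTTP",
}

# Heuristic (my assumption, not from the talk): service names that usually
# mean remote administration, i.e. the kind of hole opened for a vendor.
REMOTE_ACCESS_SERVICES = {"ms-wbt-server", "vnc", "radmin", "pcanywhere", "teamviewer"}


def parse_scan(text):
    """Turn 'host port/proto service' lines into a dict {(host, port): service}."""
    ports = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, service = line.split(None, 2)
        ports[(host, port)] = service
    return ports


def compare_tests(previous_text, current_text, previous_findings):
    """Classify this test's results against the last one.

    unfixed:           last test's findings whose port is still open
    fixed:             last test's findings whose port is gone
    new:               (host, port, service) not seen in the last test
    new_remote_access: the subset of 'new' that looks like remote administration
    """
    prev = parse_scan(previous_text)
    cur = parse_scan(current_text)

    unfixed = sorted((h, p, note) for (h, p), note in previous_findings.items() if (h, p) in cur)
    fixed = sorted((h, p, note) for (h, p), note in previous_findings.items() if (h, p) not in cur)
    new = sorted((h, p, svc) for (h, p), svc in cur.items() if (h, p) not in prev)
    new_remote_access = [e for e in new if e[2] in REMOTE_ACCESS_SERVICES]
    return {"unfixed": unfixed, "fixed": fixed, "new": new, "new_remote_access": new_remote_access}


if __name__ == "__main__":
    report = compare_tests(PREVIOUS_SCAN, CURRENT_SCAN, PREVIOUS_FINDINGS)
    for section, entries in report.items():
        print(f"{section}:")
        for host, port, detail in entries:
            print(f"  {host:<12} {port:<9} {detail}")
```

Run it as a script and it prints the four sections. The "unfixed" section is the one the talk is pointing at: a finding that appears there twice in a row is exactly the hole an attacker doing reconnaissance will also find. The "new_remote_access" section is a cheap first pass at the vendor-hole problem; a port that is gone from one scan but present in the next should prompt the question of who opened it and whether it was meant to stay open.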

His recommendation: disrupt the transitions between these phases, and take every available defensive action at every level. The attacker has to succeed at each phase in turn, so making any one of them fail or become noisy breaks the whole intrusion.

Another video from this series discusses the Internet of Things and the hackers exploiting it.

Attila Marosi, from Sophos, discusses some attacks, some tools, and some motivations for running this kind of attack. His point is that there is every reason to think it will happen again.


Assignments for this week's material will be found in Blackboard. We will explore them in class.