ITS 3250 - Securing Systems

Security Strategies Wherever We Can Find Some...
Lesson 10

This lesson introduces new topics, having despaired about the contents of texts. 


Tonight's lesson begins by exploring a speech delivered by Rob Joyce of Tailored Access Operations (TAO), a division of the NSA, on defending from Nation State Exploiters.

Mr. Joyce talks about the basics first, knowing the network, knowing the vulnerabilities.

He lists phases of an intrusion at 2:06, and continues to talk about them in the presentation.

  • Reconnaissance - scanning, gathering public information, figuring out who is important, figuring out what is actually in use in the network, then research for functionality, vulnerability, and exploits.
    • we should run our own penetration tests, and keep them for reference in the next test, because things are often not corrected.
    • APT will look for holes opened for vendors to fix something.
  • Initial Exploitation - try spear phishing, waterholing, exploit a known CVE. most intrusions start with an email with a malicious payload, a visit to corrupted website, or contaminated removable media. pass the hash attacks (see pdf attached in Blackboard.
    • use technical enforcement of policies, don't rely on users to do the right thing.
    • use anti-exploitation features. Microsoft EMET?
    • NSA Information Assurance directorate recommendations (attached in Blackboard: top 10 mediations pdf)
    • Patch, upgrade, and update.
  • Establish Persistence - digging in, escalating privileges
  • Install Tools - tools to harvest and report, or to destroy, if that's the objective
  • Move Laterally - find what you need in other locations in the network
  • Collect, Exfil, and Exploit - gather what you need, get it where you want it, and get out. worry about the attacker who only wants to destroy.
His recommendation: disrupt the transition between the elements of the intrusion, take all available action at all levels.

Looking for material beyond the server, I found the following articles about hardening routers:



This week I want you to begin an assignment to assemble material to take into a competition or a compromised network. Assume that you need to harden and to clean up compromised devices. You need a doomsday book for every kind of device in your network. Start by assembling one for Windows and one for Linux.

I am looking for useful information, reliable sources, and insight. I want to see what you know, what you think, and what you plan to do.This needs to be your plan and your advice to your backup, not just a cookbook from Microsoft.