Through collaborative action, the cyber security community can have an effect on the adversary, according to Dave Hogue, technical director of the NSA’s Cybersecurity Threat Operations Center (NCTOC).
“By tackling the adversary at the top of the ‘pyramid of pain’ where their behaviour sits, we can force them to reinvent themselves. So for the cyber security community, if we can work together, unify our results and build those layers of defences, we can have an effect on the adversary,” he told the CyberUK 2018 conference in Manchester.
In a brief overview of NCTOC, Hogue described it as an “amazing, exciting and dynamic” mission to serve on the front lines alongside US Cyber Command in defending the Department of Defense’s unclassified networks, which encompass 3 million users across the globe, from battlefields in Afghanistan to office buildings in Washington.
“We are charged with defending it all, and we see about 300 terabytes of traffic every day and a wide variety of threats, with analysts dedicated to our most persistent adversaries such as Russia, China, Iran and North Korea,” he said.
In the past year, said Hogue, the round-the-clock team of analysts has seen several strains of ransomware, data deletion attacks, and the penetration of key government networks.
“Every day we are probably working a major event somewhere in the world, updating senior US government leadership on the latest developments. Yet the more things change, the more they stay the same,” he said.
For example, he said that in 2012 the US Navy Marine Corps Intranet was hacked by the Iranians using a simple SQL injection attack, enabling them to penetrate the navy’s unclassified network and pivot from there to a protected site, causing more than $12m in damage.
Then in 2017, attackers used another known vulnerability, in the Apache Struts web framework, for which a patch was already available, to get into Equifax’s internal databases and access sensitive data on more than 145 million US consumers, costing more than $600m to repair the damage so far.
“These two stories are five years apart, but are distressingly very similar in nature. We have sophisticated adversaries using unsophisticated means to cause a great deal of damage,” said Hogue, adding that his team has not responded to a zero-day attack in more than 24 months.
“Adversaries are getting into networks using very non-technical means, taking advantage of hardware and software that is not patched up to date and bad security practices such as using applications that are no longer supported.”
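As an added illustration of the “unsophisticated means” Hogue describes, and not part of his talk or of the original article, the following Python snippet contrasts a login check built by string concatenation with the same check written as a parameterised query. The table, the two user rows and the attack strings are constructed for the demonstration (storing plaintext passwords is itself bad practice and is done here only to keep the example short); everything runs against an in-memory SQLite database, so no real system is involved.

```python
import sqlite3

# Constructed sample data for the demonstration only (plaintext passwords
# are used purely to keep the example short; never do this in real code).
USERS = [("alice", "s3cret-pw"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Classic injectable login: user input is pasted into the SQL text."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Parameterised login: values travel separately from the SQL text, so
    quotes and comment markers in the input are just characters."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two textbook payloads (constructed):
#  - comment-out: closes the username literal and comments away the
#    password check, so "alice" is returned without her password.
#  - tautology: "... AND password = '' OR '1'='1'" is true for every row,
#    so the first user in the table is returned.
PAYLOAD_COMMENT_USER = "alice' --"
PAYLOAD_TAUTOLOGY_PASS = "' OR '1'='1"


def demo():
    """Run both login functions against legitimate and malicious input."""
    conn = make_db()
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "s3cret-pw"),
        "vuln_comment": login_vulnerable(conn, PAYLOAD_COMMENT_USER, "wrong"),
        "vuln_tautology": login_vulnerable(conn, "nobody", PAYLOAD_TAUTOLOGY_PASS),
        "hard_legit": login_hardened(conn, "alice", "s3cret-pw"),
        "hard_comment": login_hardened(conn, PAYLOAD_COMMENT_USER, "wrong"),
        "hard_tautology": login_hardened(conn, "nobody", PAYLOAD_TAUTOLOGY_PASS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result!r}")
```

The vulnerable function authenticates both payloads; the hardened one rejects them while still accepting the genuine credentials. Parameterisation, not input filtering, is the fix, which is why SQL injection has been on every best-practice list for well over a decade.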
The “most disturbing” thing, said Hogue, is that adversaries are exploiting weaknesses that would have been blocked by following best-practice advice available for months or even years, such as application whitelisting, role-based access control and two-factor authentication.
The fact that old attacks are still working, he said, is an indication that the security community is not making progress in getting organisations to heed best practice advice.
“A recent survey of US government workers in the US revealed that 48% thought that they had no role in securing their data, and that it was a job for IT professionals,” said Hogue.
“We have got to change the way of thinking so that everybody sees themselves as part of cyber security operations, because adversaries will go after anything or anyone who will enable them to achieve their objective.”
At the same time, he said, security professionals need to change the game to be more predictive and preventative. “We need to build layers of defences that defeat common adversarial cyber attacks.”
Partnerships and innovations key to defence
In addition, he said, cyber defenders have to work together, as a community and with government, industry and academia, to mount thorough, sustained defence campaigns that make it costly for attackers to operate.
“At the NSA we know that cyber is a team sport. There is no single entity that has the capabilities and knowledge to defeat all cyber threats,” he said, adding that the NSA recognises that its partners are likely to see malicious cyber activity that it may not see.
In line with this approach, Hogue said the security operations centres (SOCs) at competing US retailers Walmart and Target collaborate on cyber security because they know that if one of them is being hit, the whole sector is likely to be affected.
As well as effective partnerships, cyber defenders also need to look at innovative approaches and policies, said Hogue, complimenting the UK on setting up the NCSC, putting all its cyber experts together, and galvanising public and private commitments to make the UK the safest place to be online.
The US is also rolling out some innovative policies, he said, such as the US Department of Defense’s “comply to connect” framework, in which devices have to meet security standards before they are allowed to join the network.
Look towards AI and bug bounties
Another important area of innovation, he said, is in artificial intelligence and machine learning. “Every day, AI and machine learning are making a more efficient world, and you absolutely need to understand how they impact the way you can do cyber security.”
The NSA, he said, trains its machine learning models across network, cloud and internet of things (IoT) environments so that they can scan through vast amounts of data to allow analysts to be more predictive and preventative.
“We are not going to use machine learning to replace our analysts, but to automate a lot of the basic tasks to free them up so they can really focus on our top adversaries,” said Hogue.
Returning to the theme of collaboration, he said technology alone is not enough and so cyber defenders need to look for ways to bring in community expertise to harness all the talent that is available.
“One effective way of doing this is bug bounties. While these are not new, they are new to the US Department of Defense, and they are proving to be an amazing and economical means of finding undiagnosed vulnerabilities,” he said.
According to Hogue, a recent bug bounty programme run by the US Air Force that involved around 100,000 security researchers resulted in the elimination of more than 100 high-risk vulnerabilities, including one that could allow an adversary access to a very sensitive defence website.
Finally, he said, organisations need to invest in people as their most important assets, and in light of the cyber security skills shortage the NSA is pursuing a non-traditional approach to identifying cyber security talent.
“Instead, the NSA is placing more emphasis on problem-solving abilities and innovative thinking, and people recruited in this way have become some of our best analysts because they bring a different way of thinking about problems,” he said.
In closing, he said the NSA recently published a document outlining five key principles for security operations centres, based on the daily experience of NCTOC.
The five principles are:
- Establish a defendable perimeter.
- Ensure visibility across the network.
- Harden to best practices.
- Use comprehensive threat intelligence and machine learning.
- Create a culture of curiosity.
Commenting on the fifth principle, Hogue said: “You have got to change your thinking. It both helps your defence posture and also helps your retention rates because people are going to be energised if they are constantly being challenged to play different roles and work together as a unit to achieve an overall objective.”