Using the NSA Intrusion Lifecycle to bolster security

 

Connecting state and local government leaders

Although enterprise security will never be perfect, the NSA lifecycle can give defenders a model for mapping the appropriate mitigation to each step in the intrusion process.

IT systems in both the public and private sectors are woefully unprepared for an environment in which cyberthreats are becoming more constant and complex, according to Curtis Dukes, director of the National Security Agency’s Information Assurance Directorate.

Dukes, speaking at the recent Cyber Resilience Summit hosted by the Consortium for IT Software Quality, gave disappointing grades for the nation’s cybersecurity. The government’s national security systems -- his primary customers -- are at 70 to 75 percent, a C, he said. The government as a whole receives only a D, and the nation as a whole, including industry, gets a failing grade.

“We’re never going to be 100 percent effective, no matter how good we are,” he said, but there are ways to improve.

In a threat landscape in which attacks cannot be prevented and successful intrusions are almost inevitable, IT systems must be resilient enough to mitigate damage and minimize the impact of attacks. Resilience involves more than well-executed code; it requires software components that are designed to work securely, efficiently and reliably as part of a complex system.

Participants from government, industry and academia discussed the opportunities and challenges in achieving cyber resilience at the summit.

“We’ve learned a great deal about the adversary” by investigating recent breaches, Dukes said. Among the fruits of this education is a set of Top 10 Mitigations -- including a description of the intrusion lifecycle -- to help organizations “reduce the chance of a significant intrusion occurring and evolve more resilient networks overall.”

Although both the techniques used by intruders and the mitigations change over time, the steps of the lifecycle persist, providing defenders with a model for mapping the appropriate mitigation at each step in the process.

The essential steps of an intrusion described in the NSA lifecycle are:

Scout the target: Collecting basic information about networks, systems and users that could be exploited.

Initial exploit: Using social engineering or malware -- including zero-day exploits if necessary -- to gain a foothold in a device or system.

Establish persistence: Escalating privileges or exploiting services to “burrow” into a computer to make detection and removal difficult.

Install tools: Implanting backdoors and enabling communications with command and control servers that allow attackers to install malicious tools.

Move laterally: Gathering administrative credentials and exploiting trust relationships between machines and networks to expand attacks to other target computers or networks.

Execute the mission: Collecting, exfiltrating and/or destroying data.

Each of these steps can be countered with the appropriate tools, techniques and practices, most of which are probably in use by or available to organizations already. These include:

  • Enabling vendor utilities such as Microsoft’s Enhanced Mitigation Experience Toolkit.
  • Enlisting basic tools such as whitelisting, reputation services and antivirus software.
  • Controlling the implementation of software architecture.
  • Practicing prompt software patching.
  • Setting a secure baseline configuration.
  • Properly managing access control.

The NSA's basic message is to be aware and be up-to-date -- with both patches and the most current versions of software.

“Companies are more and more taking the quality of products to heart,” Dukes said. New applications and new versions of operating systems are more secure and reliable as security is being built in from the earliest stages of development.

Keeping patches current is critical to protecting systems, not only because they fix vulnerabilities, but because once a patch is publicly released it is available to all malicious actors as well as to the legitimate users. Dukes said that adversaries have reverse-engineered security patches with 48 hours of release to identify the root vulnerability it fixes.

Yet testing and deploying a patch across and enterprise can take weeks or months, because the patches are developed in isolation and can have unintended consequences as they interoperate with other critical applications. The result is that known vulnerabilities continue to be exploited, giving criminals a window in which to achieve a foothold in target systems.

And although newer versions of operating systems generally are more secure, updating an OS across an enterprise is no trivial matter. Organizations often maintain long outdated operating systems because they support critical operations and cannot be easily replaced.

“Nobody runs legacy software because they are lazy,” said Phyllis Schneck, deputy undersecretary in the Homeland Security Department’s National Protection and Programs Directorate. They run them, she said, because they have to.

Dukes acknowledged that although software security is improving, backwards compatibility -- the ability of new software to operate effectively with other legacy applications -- remains a challenge. This is a major hurdle in achieving the resiliency needed to protect systems and data in complex environments.

The recent decision by the Defense Department to upgrade more than 4 million seats to Windows 10, the latest Microsoft OS, by 2017 will be a major test of how well Microsoft has addressed the challenge of backwards compatibility and resiliency. The goal of the transition is to establish a more secure baseline of software across the department. In theory, a more secure standard operating system should result in better enterprise security.

Whether it can provide the reliability, performance, efficiency, security and maintainability needed to achieve resilience in a massive production environment remains to be seen. Dukes is optimistic, although he said he does not expect the department to achieve a 100 percent upgrade to Windows 10 by the end of the year. He said he would be happy to see 80 percent of the national security systems upgraded, which should make them more secure. “That means I will only have to worry about 20 percent.”

Note: Jackson, a former GCN staff writer covers cybersecurity for a wide range of publications, was commissioned by the Consortium for IT Software Quality to cover this conference.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.