The State of National Security Systems - Curtis Dukes
1. Mr. Curtis W. Dukes, Deputy National Manager
National Security Agency
THE STATE OF NATIONAL SECURITY SYSTEMS
2. Connectivity Creates Significant Challenges
• We all share the same cyberspace; convergence has brought nearly all networks together
• Even networks that are ostensibly “stand alone” have external connections or dependencies
Cyber Defense is Largely Executed Individually
• Person by person, enterprise by enterprise
• This means that security is not consistent and systems are too easy to exploit
It Pays to Invest in Defense
• Poor Cyber Hygiene played a pivotal role in recent costly, high-profile cyber incidents
• We need to raise the basic level of security across the board: both security functionality across products and services, and the security hygiene of connected systems
CURRENT CYBER TRENDS
3. INTRUSION LIFECYCLE AND MITIGATIONS
[Diagram: the six stages of the intrusion lifecycle, each annotated with typical adversary activity, with the NSA mitigations mapped alongside them.]
Reconnaissance
• Collect target email addresses, scan servers for vulnerabilities
Initial Exploit
• Spear-phishing, water-holing, exploit CVE, SQL injection, exploit zero-day vulnerability, etc.
Establish Persistence
• Privilege escalate on local computer; use “run keys,” “scheduled tasks,” “services,” or other persistence points on Windows computer
Install Tools
• Backdoor implant or beacon for command and control (C2) and download modules
• Use public services (e.g., Google, Twitter, Facebook) for C2
Move Laterally
• Collect administrative credentials from Group Policy scripts or local machine using open source tools
• Use pass-the-hash (PtH) and other methods to use stolen credentials to spread to other computers
• Search for more privileged credentials (e.g., Domain Admin) to control entire network
Collect, Exfil, Destroy Data
• Use SSL, Tor, BitTorrent, and other encrypted anonymous protocols to hide exfil traffic
• Use drivers and special malware to destroy data and render systems unusable and unrecoverable
Mitigations shown against the lifecycle:
• Enable Anti-Exploitation Features
• Take Advantage of Software Improvements
• Secure Host Baseline
• Implement Application Whitelisting
• Implement Intrusion Prevention System
• Offline Backups, Thin Clients/Sandboxing (Other)
• Use Anti-Virus File Reputation Services
• Use DNS Reputation Services
• Control Admin Privileges
• Limit Host–Host Comms
• Segregate Networks
Protections provided by the NSA Top Ten Mitigations & Host Mitigations Package
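The lifecycle slide names the Windows persistence points an intruder relies on (run keys, scheduled tasks, services) and lists "Secure Host Baseline" among the mitigations. The script below is an added example, not material from the NSA deck or its mitigation packages: it snapshots exactly those three persistence points so a defender can diff a host against a known-good baseline during a hunt. The output file name and the "trusted path" regex are assumptions chosen for illustration.

```powershell
# Added example, not from the NSA deck: snapshot the Windows persistence points
# the lifecycle slide names (run keys, scheduled tasks, services) so a defender
# can diff them against a known-good host baseline or a previous snapshot.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$findings = @()

# 1. Run / RunOnce keys: every value is a command launched at logon.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -in $metaProps) { continue }   # provider metadata, not a registry value
        $findings += [pscustomobject]@{ Type = 'RunKey'; Name = "$key\$name"; Command = $props.$name }
    }
}

# 2. Scheduled tasks: record what each exec action launches.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }    # skip COM-handler actions (no Execute)
        $findings += [pscustomobject]@{
            Type    = 'ScheduledTask'
            Name    = "$($task.TaskPath)$($task.TaskName)"
            Command = "$($action.Execute) $($action.Arguments)".Trim()
        }
    }
}

# 3. Services: the binary each service runs.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $findings += [pscustomobject]@{ Type = 'Service'; Name = $svc.Name; Command = $svc.PathName }
}

# Keep the full snapshot for diffing against the baseline (file name is an assumption) ...
$snapshot = $findings | Sort-Object Type, Name
$snapshot | Export-Csv -Path ".\persistence-$env:COMPUTERNAME.csv" -NoTypeInformation

# ... and print a coarse triage view: entries whose binary lives outside the
# Windows or Program Files trees deserve a first look (heuristic, not proof).
$trusted = '^"?(%SystemRoot%|[A-Za-z]:\\(Windows|Program Files))'
$snapshot | Where-Object { $_.Command -and $_.Command -notmatch $trusted } |
    Format-Table Type, Name, Command -AutoSize
```

Run it once on a known-good build to produce the baseline CSV, then use Compare-Object on the Type, Name and Command columns of two snapshots to surface only what changed on a host.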
4. NSA TOP 10 MITIGATIONS AND HOST MITIGATIONS PACKAGES
Editor's Notes
Hi, my name is _____________, and I am here to talk about the Information Assurance mission at NSA.
For those of you that are less familiar with the National Security Agency (NSA) and Information Assurance (IA) missions, let me share a little background. NSA has had the responsibility for executing two missions in support of National objectives, Signals Intelligence (SIGINT) and Information Assurance, for over 60 years. And, while we’re perhaps best known for our intelligence mission, the pendulum is swinging towards a renewed focus on cyber.
(U) Our IA mission is to:
• Protect classified and military mission systems
• Advise and support Federal Government customers
• Support the security of key private sector and infrastructure systems
Now that cyberspace is the primary arena in which we protect information, our goal is to lead the Community in designing state of the art information assurance and cybersecurity solutions to secure the nation’s core mission environment against any and all evolving threats.
NSA IA provides our customers with flexible, timely, and risk-sensitive security solutions, as well as traditional information assurance engineering and field support. We analyze current and future Department of Defense, Intelligence Community, Federal, and commercial information assurance requirements and gaps to deliver innovative solutions to secure information that crosses security, or community-of-interest, networks. We apply our unique expertise and capabilities to consume information from a variety of sources, characterize that information in a way that makes the data more understandable, and normalize the data into concise mitigations, best practices, and strategies.
We also conduct 24x7 information assurance operations, proactively hunting for sophisticated cyber adversaries within national security networks. Sufficiently novel or unexpected adversarial acts will sometimes succeed; therefore, classified networks should undergo intermittent “hunts.” These advanced operations try to smoke out intrusions that slipped through the cracks. Not only are these operations used to identify vulnerabilities, and then to provide mitigation tactics, techniques and procedures to harden national security networks, but they can also cause adversaries to temper their acts or even lose confidence in some techniques or other intrusions.
As part of NSA, we have a decisive advantage that the adversary and corporate America cannot access: the NSA SIGINT mission. We leverage the Agency’s SIGINT information to better identify, track, understand, and counter the adversaries, sometimes before they act against a network or system. This is a two-way street, since information we garner from executing the defensive mission can be shared with the SIGINT mission, and vice versa.
Here is an example of how we map our capabilities and mitigations against a typical adversary lifecycle.