If there is one session about security I really think you should watch, it is definitely Rob Joyce’s talk at USENIX. Rob Joyce leads the NSAs Tailed Access Operations. They are often referred to as Nation-State hackers. His session is about tips on how to prevent or make it more difficult for Nation-State Hackers to get into your organization. The entire session can be found here:
Me and Christian Knarvik did a session yesterday (28th of January 2016 in Arendal – http://www.advania.no/norge/aktuellt/evenemang/klientsikkerhet-28.01.16/ ) about Cryptolocker and Windows client security and I just wanted to highlight some interesting things that our session had in common with Rob Joyce’s session at USENIX. Thanks to all the people that were present at our session.
About 14:46 into the session he talks about Microsoft EMET (Everybody should turn that on!)
And this is just what we pointed out in our talk. This is really a low hanging fruit that is not that difficult to implement and certainly pays off. It is much harder to exploit a computer that has this configured. Rob also said that primary methods of getting in is either mail, webpages or USB-sticks. We talked a lot about mail and webpages in our sessions and we did some interesting demoes of these kinds of attacks.
About 19:42 into the session he talks about segmenting off portion of the networks and whitelisting.
About 21:00 into the session he says: “Most of the modern protocols these days are not passing credentials in the clear. But do you think Nation-States are taking advantages of the ones that are.”
About 23:09 into the session he talks about establishing Persistence and he says: “One of the things we run into here, things that has implemented application whitelisting. Makes this world hard”
These things were some of the main focuses in our Client security session. We recommended that you should start to segment your network and do not allow client to communicate with other clients. IPSEC was also a topic we highlighted to prevent password to be sent in clear-text over the network. We used a lot of time talking about AppLocker and application Whitelisting. We also demonstrated the importance of implementing this correctly.
About 24:35 into the session Rob talks about why Antivirus has a bad reputation.
As we discussed in our session: Antivirus is not to be considered as a “sleeping pillow”. It is not enough to just only have Antivirus on your clients. You need to harden them and make them more secure.
About 32:30 into the talk he Illustrates the difference between Cybercriminal’s and the Nation-state Intruders. He mentions Cryptolocker as an example.
Cryptolocker was our main topic of the day. We demonstrated how it works in detail in our demos and tricks to prevent them. Our goal of the entire day was to give you the needed tips to prevent both Cryptolocker and hackers of getting onto to your client machines. Rob also talks about the importance of not falling behind. You need to be dynamic in terms of security, always update and make things more secure. If you get static, you will get owned sooner or later.
During Rob’s session he also highlighted that they often find passwords hard-coded into scripts. We highlighted this in our session in Group Policy Preferences and Passwords part. Here we recommended that you clean up your existing XML files containing CPassword variables.
I find it very interesting that things we consider smart and things that were highlighted in our sessions is the things that makes hacking for Nation-States more difficult. He also mentioned that one of the nightmares for Nation-State hackers are network taps (IDS/IPS). And this was something we pointed out as one thing you should invest in, both for internal and external networks. Especially Microsoft Advanced Threat Analytics should be a part of your security design.
Rob Joyce also mentioned a great resource for mitigation guidance. This can be found here: https://www.nsa.gov/ia/mitigation_guidance/index.shtml
This link contains a lot of great security information. I highly recommend reading it.