Credentials are King and Sysadmins are Hunted says NSA’s Rob Joyce

February 11, 2016
Rob Joyce, chief of the NSA’s Tailored Access Operations (TAO). Kim Zetter

Rob Joyce, head of the NSA’s Tailored Access Operations (and dubbed the nation’s hacker-in-chief by Wired), said that credentials are king for gaining access to systems and that sysadmins are the hunted.

The Wired report on Joyce’s presentation at the inaugural Usenix Enigma security conference in January discussed at length advanced persistent threat (APT) actors, credential theft, third-party access, temporary cracks in network security, and personal devices threatening corporate networks.

Rob Joyce on the topic of privileged access and credentials:

“In the world of advanced persistent threat actors (APT) like the NSA, credentials are king for gaining access to systems. Not the login credentials of your organization’s VIPs, but the credentials of network administrators and others with high levels of network access and privileges that can open the kingdom to intruders. Per the words of a recently leaked NSA document, the NSA hunts sysadmins.”

If you want to see inside the workings of the NSA, check out this article on The Intercept.

Joyce on third-party access:

“If you’ve got trouble with an appliance on your network, for example, and the vendor tells you to briefly open the network for them over the weekend so they can pop in remotely and fix it, don’t do it. Nation-state attackers are just looking for an opportunity like this, however brief, and will poke and poke your network patiently waiting for one to appear, he said.”

Joyce on lateral movements inside the network:

“The NSA is also keen to find any hardcoded passwords in software or passwords that are transmitted in the clear—especially by old, legacy protocols—that can help them move laterally through a network once inside.”

Cracks, even temporary ones, are great for hackers, according to Joyce:

“Don’t assume a crack is too small to be noticed, or too small to be exploited. If you do a penetration test of your network and 97 things pass the test but three esoteric things fail, don’t think they don’t matter. Those are the ones the NSA, and other nation-state attackers will seize on. We need that first crack, that first seam. And we’re going to look and look and look for that esoteric kind of edge case to break open and crack in.”

Even temporary cracks—vulnerabilities that exist on a system for mere hours or days—are sweet spots for the NSA according to Joyce.

Joyce’s list of things to do to make the NSA’s life hard:

“…limit access privileges for important systems to those who really need them; segment networks and important data to make it harder for hackers to reach your jewels; patch systems and implement application whitelisting; remove hardcoded passwords and legacy protocols that transmit passwords in the clear.”
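Two items on that list, removing hardcoded passwords and retiring legacy protocols that send passwords in the clear, are exactly the things Joyce said the NSA looks for to move laterally, and they are the kind of thing a scanner can find before an intruder does. The Python below is an added example for this post, not code from Joyce’s talk, from Wired, or from AppGate. It runs a short set of regex rules over a constructed set of config and script files (the file contents, hostnames, users and secrets are all made up) and reports hardcoded credentials, SNMPv1/v2c community strings, and ftp/telnet/r-service logins, masking the secret values so the report itself does not become a credential store.

```python
"""Scan config and script files for hardcoded credentials and cleartext
login protocols.  Added example; not code from the talk or from AppGate."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    excerpt: str  # the offending line with the secret value masked


# Constructed sample files: hostnames, users and secrets are made up.
SAMPLE_FILES = {
    "app/settings.ini": (
        "[database]\n"
        "host = db01.internal\n"
        "user = svc_app\n"
        "password = Summer2015!\n"
    ),
    "deploy/backup.sh": (
        "#!/bin/sh\n"
        "# pull the nightly dump from the legacy box\n"
        "ftp -n legacy01 <<EOF\n"
        "user backup P@ssw0rd\n"
        "get dump.sql\n"
        "EOF\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "monitoring/snmpd.conf": (
        "rocommunity public\n"
        "rwcommunity s3cret 10.0.0.0/8\n"
    ),
    "app/clean.py": (
        "import os\n"
        "DB_PASSWORD = os.environ['DB_PASSWORD']  # read at runtime, not hardcoded\n"
    ),
}

# Values that come from the environment or a secret store are not findings.
_ENV_REF = re.compile(r"os\.environ|getenv|\$\{?\w+\}?|vault|\{\{")

# (rule name, pattern, index of the capture group holding the secret, or None)
RULES = [
    # key = value / key: value, quoted or not; keyword list kept deliberately short
    ("hardcoded-password",
     re.compile(r"(?i)(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^\s'\"]{4,})"), 1),
    # AWS secret access keys are 40 base64-like characters
    ("aws-secret-key",
     re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"), 1),
    # SNMPv1/v2c community strings are passwords sent in the clear
    ("snmp-v1v2c-community", re.compile(r"^\s*(?:ro|rw)community\s+\S+"), None),
    # legacy protocols that authenticate without encryption
    ("cleartext-login", re.compile(r"^\s*(?:ftp|telnet|rsh|rlogin|rexec)\b"), None),
    # 'user NAME PASSWORD' as typed into an ftp session or here-doc
    ("ftp-inline-credentials", re.compile(r"^\s*user\s+[\w.-]+\s+(\S+)\s*$"), 1),
]


def audit_files(files):
    """Run every rule over every line; findings come back in path/line/rule order."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, pattern, secret_group in RULES:
                m = pattern.search(line)
                if not m:
                    continue
                if name == "hardcoded-password" and _ENV_REF.search(line):
                    continue  # indirection through env/secret store is the fix, not a finding
                excerpt = line.strip()
                if secret_group is not None:
                    excerpt = excerpt.replace(m.group(secret_group), "****")
                findings.append(Finding(path, lineno, name, excerpt))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. to fail a CI job when any rule fires."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: [{f.rule}] {f.excerpt}")
    print(summarize(audit_files(SAMPLE_FILES)))
```

Point `audit_files` at a real tree (read each file into the dict) and wire `summarize` into CI so a non-empty count blocks the merge. The rules are intentionally narrow; the point is that `app/clean.py`, which reads its password from the environment, produces no finding, while the ftp here-doc and the SNMP community strings, which are the cleartext protocols Joyce names, do.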

Be the hunted or be the hunter

Wired quoted Joyce saying, “…spies have little trouble getting into your network because they know better than you what’s on it. We put the time in …to know [that network] better than the people who designed it and the people who are securing it,” he said. “You know the technologies you intended to use in that network. We know the technologies that are actually in use in that network. Subtle difference. You’d be surprised about the things that are running on a network vs. the things that you think are supposed to be there.”

We know this to be true. Traditional methods of securing networks, such as VPNs, firewalls, and jump hosts, are inadequate for privileged users: they grant coarse, network-level access rather than fine-grained access control, and they do not take the user’s role or attribute-based context into account. With Gartner’s estimate that 80% of attacks use privileged credentials*, it is clear that perimeter security alone is insufficient and that trust cannot be presumed purely on the basis of credentials.
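Joyce’s remark that the attacker knows what is actually running on the network better than the people who designed it suggests an obvious counter: keep diffing the intended service inventory against what hosts are really listening on. The Python below is an added example, not code from the talk or from AppGate. It parses constructed `ss -tlnp` output for two hypothetical hosts (web01 and db01, with made-up PIDs) and compares it with an assumed intended inventory, flagging listeners nobody planned for and calling out those on legacy cleartext ports (ftp, telnet, the r-services), which are exactly the esoteric leftovers Joyce says an attacker will seize on.

```python
"""Diff the intended service inventory against what hosts actually listen on.
Added example; not code from the talk or from AppGate."""
import re
from dataclasses import dataclass, field

# TCP ports whose usual protocol sends credentials or commands in the clear.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 512: "rexec", 513: "rlogin", 514: "rsh"}

# What the design says should be listening: (host, port) -> expected process.
# Constructed for this example.
INTENDED = {
    ("web01", 22): "sshd",
    ("web01", 443): "nginx",
    ("web01", 9100): "node_exporter",
    ("db01", 22): "sshd",
    ("db01", 5432): "postgres",
}

# Constructed `ss -tlnp` output per host (hypothetical hosts and PIDs).
OBSERVED_SS = {
    "web01": """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=1021,fd=3))
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*     users:(("nginx",pid=1534,fd=6))
LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*     users:(("java",pid=2210,fd=44))
LISTEN 0      5            0.0.0.0:23         0.0.0.0:*     users:(("inetd",pid=812,fd=5))
""",
    "db01": """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=988,fd=3))
LISTEN 0      244        127.0.0.1:5432       0.0.0.0:*     users:(("postgres",pid=1450,fd=5))
LISTEN 0      128          0.0.0.0:5432       0.0.0.0:*     users:(("postgres",pid=1450,fd=6))
LISTEN 0      128             [::]:21            [::]:*     users:(("vsftpd",pid=1999,fd=4))
""",
}

_PROC = re.compile(r'\(\("([^"]+)"')


def parse_ss(text):
    """Return {port: process name} for every LISTEN line of `ss -tlnp` output."""
    listeners = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        port = int(parts[3].rsplit(":", 1)[1])   # handles 0.0.0.0:22, [::]:21 and *:80
        m = _PROC.search(line)
        listeners[port] = m.group(1) if m else "?"
    return listeners


@dataclass
class Drift:
    unexpected: list = field(default_factory=list)  # (host, port, process, note)
    missing: list = field(default_factory=list)     # (host, port, intended process)


def find_drift(intended, observed_ss):
    """Compare the intended inventory with the observed listeners on every host."""
    observed = {(host, port): proc
                for host, text in observed_ss.items()
                for port, proc in parse_ss(text).items()}
    drift = Drift()
    for (host, port), proc in sorted(observed.items()):
        if (host, port) not in intended:
            note = f"CLEARTEXT {CLEARTEXT_PORTS[port]}" if port in CLEARTEXT_PORTS else "unplanned"
            drift.unexpected.append((host, port, proc, note))
    for (host, port), proc in sorted(intended.items()):
        if (host, port) not in observed:
            drift.missing.append((host, port, proc))
    return drift


if __name__ == "__main__":
    d = find_drift(INTENDED, OBSERVED_SS)
    for host, port, proc, note in d.unexpected:
        print(f"UNEXPECTED {host}:{port} {proc} ({note})")
    for host, port, proc in d.missing:
        print(f"MISSING    {host}:{port} expected {proc}")
```

In practice the `ss` output would be collected by your configuration management or over SSH and the intended inventory would come from the same source of truth that drives firewall and segmentation rules. A port number alone does not prove which protocol is behind it, which is why the process name is carried through; the telnet listener served by `inetd` on web01 and the `vsftpd` on db01 are the three-percent failures worth chasing rather than dismissing.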

If Joyce’s suggestions have just been added to your to-do list, you must research AppGate. It enables organizations to adopt a software defined perimeter approach for granular security control. AppGate makes the application/server infrastructure effectively “invisible.” It then delivers access to authorized resources only, verifying a number of user variables each session—including device posture and identity—before granting access to an application.

Learn more about dynamic, context aware privileged access management and how a segment of one can help.

Hide All Network Resources a User is Not Authorized to See. Get the white paper.

*Gartner IAM Summit (Dec 2014)


Mark McCue

Senior Vice President & General Manager, Americas

As SVP & General Manager, Americas, Mark McCue is responsible for the Americas sales force at Cryptzone and the development of local channel and strategic alliance relationships. He also oversees the region's support and services organization. McCue brings over 20 years of experience in IT and security sales to Cryptzone, helping customers advance their businesses through technology.
