The National Security Agency (NSA) does not need zero-day exploits to break into your network. Or to break into another nation-state's network for that matter. They don't need a sophisticated, custom-built technology stack tailored to your environment. They don't even need their methods to be a secret from the people they're trying to hack.
To be clear, they have those things, and it makes it much easier for them to conduct targeted intrusions at unprecedented global scale. But for any given network, even a large and sophisticated one, most of what the NSA needs to break in and stealthily exfiltrate valuable data is publicly available technology and ideas.
Earlier this year, Rob Joyce, the head of the NSA's Tailored Access Operations (so ... hackers), gave a talk about the 6 phases of a targeted intrusion, and emphasized how little the NSA really needs to break you. Here's what he said (ed: bolding mine):
A lot of people think the nation states are running on this engine of zero-days, that they go out with their master skeleton key and unlock the door and they're in. It's not that. Take these big corporate networks, these large networks, any large network, I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero-day. There are so many more vectors that are easier, less risky, and quite often more productive than going down that route.
Later, Joyce continued:
Most intrusions come down to one of three initial vectors: Email, where a user opened an email and clicked on something they shouldn't have; A website, where they've gotten to a malicious website and it's either executed or they've run content from that website; Or removable media, where a user has inserted contaminated media.
Email, web executables, removable media (USB sticks, etc.), readily available malware (think known CVEs and off-the-shelf rootkits), and good old elbow grease: that's what the NSA needs to "own you," in Joyce's words.
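Because the three initial vectors Joyce names are so well understood, they are also the easiest to watch for. The script below is an added example, not code from ExtraHop or from Joyce's talk: it takes a handful of constructed log lines (a mail gateway, a web proxy, and a host agent, in a made-up `source key=value` format) and tags each line that matches one of the three vectors. Field names such as `attach`, `ctype`, `event` and `policy` are assumptions for the sample format, not the fields of any real product.

```python
"""Tag constructed log lines with Joyce's three initial-access vectors.

Added example for this post; the log format and every value below are
constructed for illustration, not taken from a real mail gateway, proxy
or host agent.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample lines: "<source> key=value key=value ...".
SAMPLE_LOGS = [
    "mailgw from=vendor@example.test to=alice@corp.test attach=invoice.pdf",
    "mailgw from=hr@corp-payroll.test to=bob@corp.test attach=Bonus_Q3.docm",
    "mailgw from=ops@corp.test to=carol@corp.test attach=report.xlsx",
    "proxy user=bob url=http://cdn.example.test/update.exe status=200 ctype=application/x-msdownload",
    "proxy user=alice url=https://intranet.corp.test/index.html status=200 ctype=text/html",
    "proxy user=dave url=http://files.example.test/tool.zip status=200 ctype=application/zip",
    "host name=WS-17 event=usb_insert serial=ABC123 policy=unapproved",
    "host name=WS-02 event=usb_insert serial=CORP-9 policy=approved",
]

# File extensions that carry executable content (native binaries, scripts,
# macro-enabled Office documents, shortcuts).
RISKY_EXT = re.compile(r"\.(exe|scr|js|vbs|hta|docm|xlsm|pptm|lnk)$", re.IGNORECASE)

# MIME types a proxy commonly reports for native Windows executables.
EXEC_CTYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}


def parse(line):
    """Split '<source> k=v k=v ...' into a dict; the first token becomes 'source'."""
    source, _, rest = line.strip().partition(" ")
    record = {"source": source}
    for field in rest.split():
        key, sep, value = field.partition("=")
        if sep:  # ignore bare tokens without '='
            record[key] = value
    return record


def classify(record):
    """Return 'email', 'web', 'media', or None for one parsed record."""
    src = record.get("source")
    # Vector 1: a mail attachment whose extension can execute when opened.
    if src == "mailgw" and RISKY_EXT.search(record.get("attach", "")):
        return "email"
    # Vector 2: a web download that is an executable by path or by content type.
    if src == "proxy":
        path = urlparse(record.get("url", "")).path
        if RISKY_EXT.search(path) or record.get("ctype") in EXEC_CTYPES:
            return "web"
    # Vector 3: removable media inserted that is not on the approved list.
    if (src == "host" and record.get("event") == "usb_insert"
            and record.get("policy") != "approved"):
        return "media"
    return None


def scan(lines):
    """Return (vector, line) for every line matching one of the three vectors."""
    hits = []
    for line in lines:
        vector = classify(parse(line))
        if vector:
            hits.append((vector, line))
    return hits


def summarize(lines):
    """Count hits per vector so the three entry points can be compared over time."""
    return Counter(vector for vector, _ in scan(lines))


if __name__ == "__main__":
    for vector, line in scan(SAMPLE_LOGS):
        print(f"[{vector:5}] {line}")
    print(dict(summarize(SAMPLE_LOGS)))
```

Run on the embedded sample it flags exactly one line per vector: the macro-enabled attachment, the `.exe` download, and the unapproved USB insertion, while the PDF, the intranet page, the plain archive and the approved device pass. The point is not the specific rules, which any real deployment would tune, but that all three of Joyce's entry points leave traces in logs most organizations already collect.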
Good News and Bad News
This is a bad news/good news situation. The bad news is that it is incredibly easy to breach most networks, and only slightly harder to massively exploit them, once breached. That may mean anything from stealing credit card numbers to destroying valuable data to stealing corporate secrets for resale on the black market.
The good news is that the primary threat vectors being used for the initial exploit are well-understood, widely used technologies, and their vulnerability relies heavily on user behavior. It won't be easy to reduce that vulnerability, but at least it's something you can see, analyze, and correct.
Preventing sophisticated hackers from ruining your business and your life isn't about having "better technology" than them. It is about having the right combination of technology and wise human behavior.
So, How Do You Protect Your Network?
Next-gen firewalls, endpoint agents, and threat intelligence are good. You should use them. You do need perimeter protection, but too many organizations treat that like a security blanket. You can't just check all the security boxes and assume you're safe. You need a combination of good perimeter security, continuous awareness of what's happening in your network at any given moment, and good user behavior. You can deploy the tech that enables the first two, but the good user behavior doesn't have a price tag attached. You have to work at it.
For more insight into how the NSA breaks into networks, and specific tips about how you can use their ideas to make your own network more secure against sophisticated, malicious hackers, check out our ebook: Dissecting the NSA's 6-Phase Playbook for Targeted Intrusions.
Watch Rob Joyce of the NSA go over the playbook in detail below:
This is a companion discussion topic for the original entry at https://www.extrahop.com/community/blog/2016/the-nsa-doesnt-need-zero-days-to-own-you/