
Back in January, the USENIX Association held its first-ever iteration of Enigma, a new conference designed to help the security community “take a step back and get a fresh perspective on threat assessment and attacks.”

USENIX assembled an impressive speaker lineup of security researchers and practitioners to help introduce the Enigma brand. Together, those presenters provided some unique perspectives on challenges in the digital space, including cybercrime, debugging, and security usability.

To wrap up the conference and to drive home the central theme of protecting against attacks, the event’s program committee selected Rob Joyce to deliver the closing session.

As chief of the Office of Tailored Access Operations (TAO), a division of the National Security Agency which actively engages in “computer network exploitation” against systems used by entities foreign to the United States, Joyce works with a team of hackers to produce foreign intelligence for a wide array of mission types. He knows firsthand why and how nation-state hackers succeed, and he knows what types of activities frustrate his team’s offensive campaigns. That is why he chose to speak at Enigma about what nation-state defenders and corporate organizations can do to protect themselves against advanced persistent threats (APTs).

In his presentation entitled “Disrupting Nation State Hackers,” Joyce breaks down a network intrusion by nation-state hackers into six key phases. He also provides tips on how defenders can prevent an attacker from transitioning from one phase to another. Those stages are as follows:

1. Reconnaissance

In the first stage of an intrusion, a nation-state attacker takes the time to understand their target. That begins with scanning, researching important people and email addresses associated with the target, looking up open-source information regarding the organization or government, and documenting everything they find on the network. Joyce explains that while defenders might know what technologies they intended to use on a network, attackers know what’s actually in use on that network. They also spend the time learning the security functionalities of those devices and finding vulnerabilities they can exploit.

Defenders can stop an intrusion at the reconnaissance phase if they are willing to invest the time and energy necessary to understand what devices are installed on a network and to familiarize themselves with those products’ security functionalities. As part of that process, they should lock down and disable whatever devices aren’t in use, conduct (and then act upon the results of) penetration tests, and shore up the network trust boundary so that they can concentrate primarily on protecting the “crown jewels” of the organization.

2. Initial Exploitation

If defenders are unable to stop nation-state hackers after they’ve conducted reconnaissance, those hackers then look for an initial exploitation vector by which they can gain access to their target’s network. This phase usually takes the form of spear-phishing, water-holing attacks, exploiting a known CVE vulnerability, or conducting SQL injection. Many people think nation-state attackers primarily use zero-day vulnerabilities to compromise a target. But that’s not generally the case. According to Joyce, attackers can achieve exploitation in most corporate networks using easier and less-risky exploits than zero-days by being patient and focused.

Attackers won’t be able to get past the initial exploitation phase if defenders continually update their space using CVE information and make sure their networks aren’t relying on users to always make the right decisions. That effort involves developing policies and technical enforcement that incorporate anti-exploitation features (such as Microsoft EMET) as well as guidance from NSA Information Assurance Directives and other respected sources. To further foil the plans of nation-state hackers, defenders can develop a baseline for “normal” behavior, make use of network logs, and follow best security practices, such as by setting the least amount of privileges for accounts, segmenting off parts of the network, and whitelisting applications.

3. Establish Persistence

Attackers who achieve initial exploitation ultimately seek to establish persistence in the network. They commonly do so via privilege escalation, finding the Run Keys, or getting into scripts.

To prevent advanced hackers from doing anything else, organizations and governments can use application whitelisting. Most organizations have assets that should be protected and segmented off from the rest of the network. Whitelisting applications helps prevent attackers from running malware or anything else unusual on those business-critical assets.

4. Install Tools

Once nation-state hackers are sure they can hang around in a network and not get caught, they can initiate their malicious activity by installing tools. Attackers usually begin with small tools that can eventually bring down heavier, more advanced scripts and programs–the ones that do the “real” work.

Anti-virus software can only do so much when it comes to preventing malicious tools from running on a computer. The same cannot be said, however, for reputation services. Everything that wants to run is hashed and sent to the cloud via the reputation service. That service then sends back a report. If something has been run only once or twice before on the public web, it’s a good idea for defenders to prevent that item from running. Reputation services can also help block attackers from communicating not only with known malicious domains but also with suspect domains that don’t have a good reputation.
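The prevalence rule described above (hash the file, ask the service how often that hash has been seen, refuse to run anything seen only once or twice), as an added example that is not part of the original post or of any vendor's product. The reputation service is simulated by a constructed in-memory table of hash counts; the sample files and their prevalence numbers are made up.

```python
import hashlib
from dataclasses import dataclass


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for files an endpoint might try to execute.
SAMPLE_FILES = {
    "notepad.exe": b"MZ" + b"well-known editor binary (constructed)",
    "updater.exe": b"MZ" + b"vendor updater seen on a few hosts (constructed)",
    "stage0.exe": b"MZ" + b"small dropper seen once in the wild (constructed)",
}

# Constructed prevalence data a cloud reputation service might hold: how many
# times each hash has been observed running across its whole customer base.
PREVALENCE_DB = {
    _sha256(SAMPLE_FILES["notepad.exe"]): 5_000_000,
    _sha256(SAMPLE_FILES["updater.exe"]): 1_200,
    _sha256(SAMPLE_FILES["stage0.exe"]): 1,
}


@dataclass
class ReputationVerdict:
    sha256: str
    prevalence: int
    allow: bool
    reason: str


def query_reputation(sha256: str) -> int:
    """Simulated cloud lookup; a hash the service has never seen returns 0."""
    return PREVALENCE_DB.get(sha256, 0)


def decide(data: bytes, min_prevalence: int = 3) -> ReputationVerdict:
    """Hash the file, query prevalence, and block anything rarely seen.

    Mirrors the rule in the text: a file run only once or twice before
    (fewer than min_prevalence observations) is not allowed to execute.
    """
    digest = _sha256(data)
    seen = query_reputation(digest)
    if seen >= min_prevalence:
        return ReputationVerdict(digest, seen, True, "widely seen")
    return ReputationVerdict(digest, seen, False, f"seen only {seen} time(s) before")
```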

5. Move Laterally

With the help of some tools, attackers can then begin to move laterally around the network to find what they’re really after.

Defenders can stop attackers in their tracks by practicing network segmentation and monitoring, restricting privileges, enabling two-factor authentication on all accounts, and creating processes that can help ensure the security of a remote connection.

6. Collect Exfil and Exploit

At this point, the attackers completely own their target. All they need to do is get what they need, get out, and leave undetected.

No organization wants to follow the example set by Sony Pictures Entertainment and learn about a breach after attackers have already posted sensitive information online. Defenders should therefore have processes in place that monitor for unusual data transfers or corruption. They should also have a backup plan in place in the event hackers steal or erase a target’s data.
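One way to turn the advice in phase 2 (build a baseline of "normal" from network logs) and here (monitor for unusual data transfers) into a concrete check, as an added example that is not part of the original post: each host's first few days of egress volume define its baseline, and a later day that sends several times the baseline median is flagged. The flow-log lines, host names and byte counts are constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed daily egress summaries (bytes sent to the internet per host per
# day), in the shape a flow collector might export. fileserver01's last day is
# a deliberate outlier; hr-laptop07 stays within its normal range.
SAMPLE_FLOW_LOG = """\
2016-02-01 host=fileserver01 bytes_out=52000000
2016-02-02 host=fileserver01 bytes_out=48000000
2016-02-03 host=fileserver01 bytes_out=55000000
2016-02-04 host=fileserver01 bytes_out=50000000
2016-02-05 host=fileserver01 bytes_out=51000000
2016-02-06 host=fileserver01 bytes_out=1900000000
2016-02-01 host=hr-laptop07 bytes_out=3000000
2016-02-02 host=hr-laptop07 bytes_out=2500000
2016-02-03 host=hr-laptop07 bytes_out=3200000
2016-02-04 host=hr-laptop07 bytes_out=2800000
2016-02-05 host=hr-laptop07 bytes_out=3100000
2016-02-06 host=hr-laptop07 bytes_out=2900000
"""


def parse_flow_log(text: str) -> dict:
    """Group (date, bytes_out) observations per host, in log order."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        per_host[kv["host"]].append((date, int(kv["bytes_out"])))
    return per_host


def find_exfil_candidates(text: str, baseline_days: int = 5, factor: float = 3.0):
    """Flag days whose egress exceeds `factor` x the host's baseline median.

    The first `baseline_days` observations for a host define "normal"; each
    later day is compared against that median. Hosts with too little history
    are skipped rather than judged. Returns (host, date, bytes, median) tuples.
    """
    alerts = []
    for host, obs in parse_flow_log(text).items():
        baseline = [b for _, b in obs[:baseline_days]]
        if len(baseline) < baseline_days:
            continue
        median = statistics.median(baseline)
        for date, b in obs[baseline_days:]:
            if b > factor * median:
                alerts.append((host, date, b, median))
    return alerts
```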


Organizations can’t protect themselves from every type of hacker or every form of intrusion. But by getting to know the devices and applications installed on their network, they will be better equipped to detect an intrusion and prevent attackers from stealing valuable information.

Keeping an inventory of all network devices is one of the most important steps when it comes to endpoint detection and response (EDR). To learn about some of the other components of an effective EDR strategy, please click here or download Tripwire’s free eBook Endpoint Detection and Response for Dummies here.