
The cost of a breach is on the rise. A recent report from IBM revealed that the average cost of a data breach had risen 12 percent over the past five years to $3.92 million per incident. The same report found that data breaches originating from malicious digital attacks were both the most common and the most expensive type of security incident. These breaches carried a price tag of $4.45 million per incident, approximately one million dollars more than the cost of a breach caused by a system glitch or human error.

This report highlights the costs associated with network intrusions, events with which Rob Joyce, senior advisor for cybersecurity strategy to the Director of the National Security Agency (NSA), is acutely familiar. As former chief of the Office of Tailored Access Operations (TAO), Joyce worked with a team of hackers to produce foreign intelligence for a wide array of mission types. He knows firsthand why and how nation-state hackers succeed, and he knows what types of activities frustrate his team’s offensive campaigns. That is why he chose to speak at Enigma 2016 about what defenders and corporate organizations can do to defend against network intrusions.

In his presentation entitled “Disrupting Nation State Hackers,” Joyce broke down a network intrusion by nation-state attackers into six phases. He also provided tips on how defenders can prevent an attacker from moving between phases. Those stages are as follows:

1. Reconnaissance

In the first stage of an intrusion, a nation-state attacker works to understand their target. That effort begins with scanning, researching important people and email addresses associated with the target, looking up open-source information regarding the organization or government and documenting everything they find on the network. Joyce explains that while defenders might know what technologies they intended to use on a network, attackers know what’s actually in use on that network. They also spend the time learning the security functionalities of those devices and finding vulnerabilities they can exploit.

Defenders can stop an intrusion at the reconnaissance phase if they are willing to invest the time and energy necessary to understand what devices are installed on a network and to familiarize themselves with those products’ security functionalities. As part of that process, they should lock down and disable whatever devices aren’t in use, conduct (and then act upon the results of) penetration tests as well as shore up the network trust boundary so that they can concentrate primarily on protecting the “crown jewels” of the organization.

2. Initial Exploitation

If defenders are unable to stop nation-state hackers after they’ve conducted reconnaissance, those hackers then look for an initial exploitation vector by which they can gain access to their target’s network. This phase usually takes the form of spear-phishing, watering-hole attacks, exploiting a known CVE vulnerability or conducting SQL injection.

Many people think nation-state attackers primarily use zero-day vulnerabilities to compromise a target. But that’s not generally the case. According to Joyce, attackers can achieve exploitation in corporate networks using easier, less-risky exploits than zero-days by being patient and focused.

Attackers won’t be able to get past the initial exploitation phase if defenders continually patch their environment using CVE information and make sure their networks aren’t relying on users to always make the right decisions. That effort involves developing policies and technical enforcement that incorporate anti-exploitation features (such as Microsoft EMET) as well as guidance from NSA Information Assurance Directives and other respected sources. To further foil the plans of nation-state hackers, defenders can develop a baseline for “normal” behavior, make use of network logs and follow best security practices such as granting accounts the least privilege they need, segmenting off parts of the network and whitelisting applications.

3. Establish Persistence

Attackers who achieve initial exploitation ultimately seek to establish persistence in the network. They commonly do so by escalating privileges, adding entries to the Run keys or inserting themselves into scripts.

To stop advanced hackers at this stage, organizations and governments can use application whitelisting. Most organizations have assets that should be protected and segmented off from the rest of the network. Whitelisting applications helps prevent attackers from running malware or anything else unusual on those business-critical assets.
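As an added illustration (not code from the article or from Joyce's talk), this Python script reviews collected `reg query` output for the Run key against a hypothetical per-image baseline, flagging entries that are new, that launch a script interpreter, or whose binary lives outside the trusted program directories. The registry output, baseline set and directory list are constructed sample data.

```python
import re

# Constructed sample of `reg query ...\Run` output as collected from a
# workstation (example data, not from the article).
REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    SyncHelper    REG_SZ    wscript.exe C:\Users\alice\AppData\Roaming\sync.vbs
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\svc\update.exe
"""

# Hypothetical baseline: Run entries approved for this workstation image.
BASELINE = {"OneDrive"}
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "cmd")

ENTRY_RE = re.compile(r"^\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*)$")

def parse_run_entries(text):
    """Return {value_name: command_line} from reg query output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)] = m.group(2).strip()
    return entries

def executable_of(command):
    """First token of the command line, quotes stripped, lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)].lower()
    return command.split()[0].lower()

def review_run_entries(entries, baseline=BASELINE):
    """Return {value_name: [reasons]} for every entry worth a closer look."""
    findings = {}
    for name, command in entries.items():
        reasons = []
        exe = executable_of(command)
        if name not in baseline:
            reasons.append("not in baseline")
        if exe.split("\\")[-1].split(".")[0] in SCRIPT_HOSTS:
            reasons.append("script interpreter")
        if not exe.startswith(TRUSTED_DIRS):
            reasons.append("outside trusted directories")
        if reasons:
            findings[name] = reasons
    return findings
```

Entries that match the baseline and start a binary from a trusted directory produce no finding; everything else is listed with every reason that applied.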

4. Install Tools

Once nation-state hackers are sure they can hang around in a network and not get caught, they can initiate their malicious activity by installing tools. Attackers usually begin with small tools that can eventually bring down heavier, more advanced scripts and programs—the ones that do the “real” work.

Anti-virus software can only do so much when it comes to preventing malicious tools from running on a computer. The same cannot be said, however, for reputation services. Everything that wants to run is hashed and sent to the cloud via the reputation service. That service then sends back a report.

If something has been run only once or twice before on the public web, it’s a good idea for defenders to prevent that item from running. Reputation services can also help block attackers from communicating with known malicious domains and with suspect domains that lack a good reputation.
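An added example, not code from the article: a simplified version of the prevalence check Joyce describes, in Python. It hashes each file that asks to run, looks the hash up in a constructed stand-in for the cloud prevalence store, and blocks anything seen fewer than three times; the same idea is applied to domains, where the lookup walks up to parent domains and treats a name with no reputation at all as suspect. All sample files, counts, domains and scores are constructed.

```python
import hashlib

# Constructed sample binaries standing in for files that request execution
# (example data, not from the article).
SAMPLE_FILES = {
    "editor.exe": b"MZ\x90\x00 widely deployed text editor build 4.2",
    "dropper.exe": b"MZ\x90\x00 one-off stager compiled for this target",
    "unknown.exe": b"MZ\x90\x00 never submitted to the reputation service",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for the cloud prevalence store: SHA-256 -> number of
# distinct hosts that have reported running this exact file.
PREVALENCE_DB = {
    sha256_hex(SAMPLE_FILES["editor.exe"]): 48213,
    sha256_hex(SAMPLE_FILES["dropper.exe"]): 2,
}

# Constructed domain reputation scores (0 = known malicious, 100 = long-established).
DOMAIN_SCORES = {"updates.vendor.example": 97, "cdn-stats.example": 15, "c2.example": 0}

MIN_PREVALENCE = 3      # "run only once or twice" -> do not let it run
MIN_DOMAIN_SCORE = 50

def execution_verdict(file_bytes: bytes, db=PREVALENCE_DB) -> tuple:
    """Hash the file, look up its prevalence and return (verdict, reason)."""
    seen = db.get(sha256_hex(file_bytes), 0)
    if seen >= MIN_PREVALENCE:
        return ("allow", f"seen on {seen} hosts")
    if seen == 0:
        return ("block", "never seen by reputation service")
    return ("block", f"seen on only {seen} hosts")

def domain_verdict(domain: str, scores=DOMAIN_SCORES) -> tuple:
    """Walk up parent domains so a fresh subdomain inherits its parent's score;
    a name with no reputation anywhere in its chain is blocked as suspect."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):      # never judge on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in scores:
            score = scores[candidate]
            verdict = "allow" if score >= MIN_DOMAIN_SCORE else "block"
            return (verdict, f"{candidate} score {score}")
    return ("block", "no reputation")
```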

5. Move Laterally

With the help of some tools, attackers can then begin to move laterally around the network to find what they’re really after.

Defenders can stop attackers in their tracks by practicing network segmentation and monitoring, restricting privileges, enabling two-factor authentication on all accounts and creating processes that can help ensure the security of a remote connection.

6. Collect, Exfiltrate and Exploit

At this point, the attackers completely own their target. All they need to do is get what they need, get out and leave undetected.

No organization wants to learn about a breach after attackers have already posted sensitive information online. Defenders should, therefore, have processes in place that monitor for unusual data transfers or corruption. They should also have a backup plan in place in the event hackers steal or erase a target’s data.
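An added Python example (not from the article) of the kind of "unusual data transfer" monitoring this paragraph calls for: it builds each host's own egress baseline from earlier days of constructed flow summaries and flags a day whose volume is a statistical outlier or that includes a destination the host has never used before. Hostnames, addresses and byte counts are constructed sample data.

```python
import statistics
from collections import defaultdict

# Constructed daily egress summaries "date host dst_ip bytes_out" (sample data,
# not from the article): ws-finance-07 sends ~120 MB/day to its backup target,
# then 4.9 GB to an address it has never used before.
FLOW_LOG = """\
2016-01-18 ws-finance-07 203.0.113.10 118000000
2016-01-19 ws-finance-07 203.0.113.10 125000000
2016-01-20 ws-finance-07 203.0.113.10 110000000
2016-01-21 ws-finance-07 203.0.113.10 131000000
2016-01-22 ws-finance-07 203.0.113.10 122000000
2016-01-23 ws-finance-07 198.51.100.77 4900000000
2016-01-18 ws-hr-02 203.0.113.10 60000000
2016-01-19 ws-hr-02 203.0.113.10 58000000
2016-01-20 ws-hr-02 203.0.113.10 63000000
2016-01-21 ws-hr-02 203.0.113.10 61000000
2016-01-22 ws-hr-02 203.0.113.10 59000000
2016-01-23 ws-hr-02 203.0.113.10 62000000
"""

def load_flows(text):
    """Return {host: {date: bytes_out}} and {host: {date: set(dst)}}."""
    totals = defaultdict(lambda: defaultdict(int))
    dsts = defaultdict(lambda: defaultdict(set))
    for line in text.strip().splitlines():
        date, host, dst, nbytes = line.split()
        totals[host][date] += int(nbytes)
        dsts[host][date].add(dst)
    return totals, dsts

def exfil_candidates(text, day, z_threshold=3.0, min_days=3):
    """Flag hosts whose egress on `day` is far above their own prior baseline,
    or which talked to a destination they had never used before."""
    totals, dsts = load_flows(text)
    findings = []
    for host, per_day in totals.items():
        history = [b for d, b in per_day.items() if d < day]  # ISO dates sort
        if day not in per_day or len(history) < min_days:
            continue  # nothing to judge, or no baseline yet
        mean = statistics.mean(history)
        # floor the spread at 1% of the mean so a flat baseline cannot divide
        # by zero and turn every small change into an alert
        spread = max(statistics.stdev(history), 0.01 * mean)
        z = (per_day[day] - mean) / spread
        seen_before = set().union(*(s for d, s in dsts[host].items() if d < day))
        new_dsts = sorted(dsts[host][day] - seen_before)
        if z >= z_threshold or new_dsts:
            findings.append((host, round(z, 1), new_dsts))
    return findings
```

In practice the baseline window would be longer and the destination check would consult the organization's allowlist, but the shape of the logic is the same.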


Organizations can’t protect themselves from every type of hacker or every form of intrusion. But by getting to know the devices and applications installed on their network, they will be better equipped to detect an intrusion and prevent attackers from stealing valuable information.

Keeping an inventory of all network devices is the first of the Center for Internet Security’s Critical Security Controls (CSCs). To learn how Tripwire’s various solutions align with these security measures, click here.