NSA's Hacker-in-Chief: We Don't Need Zero-Days To Get Inside Your Network
“There's so many more vectors that are easier, less risky and quite often more productive than going down that route.”
The NSA has attracted a lot of attention in recent years over its use of zero-day exploits, the prized security flaws unknown to the software vendor (and therefore unpatched) that hackers use to infect machines and penetrate networks.
The market for these unpatched vulnerabilities is massive, driven by a seemingly insatiable demand from global intelligence services, most notably the US government. But many security experts have suggested that the role of zero-days in government-sponsored hacking has perhaps been overstated.
Including, now, the head of the NSA's most elite and secretive hacking unit.
In an unprecedented talk on Thursday at the USENIX Enigma security conference in San Francisco, Rob Joyce, chief of NSA's Tailored Access Operations (TAO), downplayed the importance of zero-days and the degree to which nation-state hackers like those in his unit depend on them.
"I think a lot of people think the nation states are running on this engine of zero-days. You go out with your skeleton key and unlock the door and you're in. It's not that," he said.
"I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero-days," he continued. "There's so many more vectors that are easier, less risky and quite often more productive than going down that route."
Joyce may work for an infamously deceptive state intelligence apparatus, but his advice here is spot on. While zero-days are powerful, the vast majority of networks compromised by government hackers are likely breached in much less dramatic ways. Among them: software left unpatched, administrative privileges handed to far more users than need them, and Bring Your Own Device policies that let employees connect unmanaged, possibly already-compromised personal devices to the company network.
Even a laptop running Valve's Steam gaming service can make a nice point of entry for Joyce's NSA buddies, he says.
"Why go after the professionally administered enterprise network when people are bringing their home laptops, where their kids were going out and downloading Steam games the night before?"
Zero-days also tend to have short life-spans, especially once they're used. "They're discovered, they're either used or disclosed, and then they're fixed," security guru Bruce Schneier writes. "If you sit on it, someone else will find it. Use it or lose it."
Nevertheless, the NSA has drawn plenty of controversy over its use of zero-days, which is supposedly overseen by an inter-agency mechanism known as the Vulnerabilities Equities Process. Not much is known about this process other than that it involves agencies judging, case by case, whether a vulnerability should be retained for offensive use or shared with the vendor and patched.
President Obama has also not-so-reassuringly claimed that US agencies wouldn't withhold the discovery of a major vulnerability, unless there was a "clear" use case for intelligence or law enforcement. But most of the important details are still unknown, and documents obtained via FOIA request by the Electronic Frontier Foundation remain heavily redacted.
Still, Joyce suggests that the more powerful weapon in the NSA's hacking arsenal isn't a stockpile of secret bugs, but superior resources and patience. Sometimes it's as simple as waiting for a business to grant a vendor remote access to fix a troublesome piece of software on its network; that temporary opening is the way in.
"There's a reason it's called Advanced Persistent Threats, 'cause we'll poke and we'll poke and we'll wait and we'll wait," he said. "We're looking for that opening and that opportunity to finish the mission."