“The big question you need to think about is if you have an intrusion somewhere in your network, can you then defend against this lateral movement?” – Rob Joyce, Chief of the TAO
Rob Joyce, head of the NSA’s Tailored Access Operations (TAO) elite division, recently spoke to a large audience at the Usenix Enigma security conference in San Francisco. Joyce talked about TAO’s process for exploiting victim networks. This was the first public talk by any member of the NSA’s team, which is considered among the best cyber-warfare intelligence gathering organizations in the world.
According to Joyce, the intrusion process goes through six stages: reconnaissance, initial exploitation, establish persistence, install tools, lateral movement, and then collect, exfiltrate and exploit the data.
To quote Joyce, after you’ve breached the network, “rarely do you land where you need to be”. From the attacker’s point of view, this is the most difficult and dangerous part of the operation inside the network. The attacker, unfamiliar with the network, is required to move laterally to reach the data they need to find. “Nothing is really more frustrating to us than to be inside a network, know where the thing is you need to go get to, and not have a path to get over to find that”.
This comes as no surprise to the team at Guardicore. Guardicore’s Data Center Security Suite is based on an in-depth understanding of how cyber attackers behave inside a network, and focuses on finding, in real time, attackers that perform reconnaissance and attempt to move laterally inside Guardicore’s customers’ networks.
When an attacker’s movement is detected, the attacker is transparently diverted into a network of honeypots created dynamically based on the attacker’s behavior. At this point the suite’s Semantic Analysis capabilities allow us to recognize and analyze the attacker’s toolchain across the entire data center in real time and devise a precise response, while preventing access to the coveted information.
“There’s a reason it’s called an ‘Advanced Persistent Threat’ (APT). We’ll poke and poke and wait and wait until we get in” Joyce says. In addition to locking down privileges and monitoring logs, security professionals should assume they are “missing something” and deploy software that can investigate blocked or filtered network traffic.
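The log-monitoring advice above is concrete enough to show in code. The script below is an added illustrative example, not Guardicore’s code or anything from Joyce’s talk: it parses east-west firewall/flow log lines (the line format, IP addresses, port list and thresholds are constructed assumptions) and flags any source that fans out to many internal hosts on administrative ports, or accumulates blocked connection attempts, within a short window. Those two patterns are what reconnaissance and lateral movement tend to look like from the inside, and the blocked attempts are exactly the filtered traffic the paragraph says is worth investigating.

```python
"""Flag hosts whose east-west connection pattern looks like reconnaissance
or lateral movement, working from firewall/flow log lines.

Added illustrative example; not Guardicore's code. The log line format,
thresholds and addresses below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format: "<ISO time> <src_ip> -> <dst_ip>:<port> <ALLOW|DENY>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<action>ALLOW|DENY)$"
)

# Constructed sample: workstation 10.1.1.20 sweeps a server subnet on
# SMB/RDP/SSH with several attempts blocked; 10.1.1.30 and 10.1.1.40 behave normally.
SAMPLE_LOG = """\
2016-02-01T10:00:01 10.1.1.20 -> 10.1.2.10:445 ALLOW
2016-02-01T10:00:05 10.1.1.30 -> 10.1.2.50:443 ALLOW
2016-02-01T10:00:14 10.1.1.20 -> 10.1.2.11:445 DENY
2016-02-01T10:00:27 10.1.1.20 -> 10.1.2.12:445 ALLOW
2016-02-01T10:00:40 10.1.1.20 -> 10.1.2.13:3389 ALLOW
2016-02-01T10:00:45 10.1.1.30 -> 10.1.2.10:445 ALLOW
2016-02-01T10:00:53 10.1.1.20 -> 10.1.2.14:3389 DENY
2016-02-01T10:01:06 10.1.1.20 -> 10.1.2.15:22 ALLOW
2016-02-01T10:01:19 10.1.1.20 -> 10.1.2.16:445 DENY
2016-02-01T10:01:32 10.1.1.20 -> 10.1.2.17:445 ALLOW
2016-02-01T10:02:10 10.1.1.30 -> 10.1.2.50:443 ALLOW
2016-02-01T10:03:00 10.1.1.40 -> 10.1.2.60:80 ALLOW
"""

# Ports commonly used for remote administration (assumed list; tune per environment).
ADMIN_PORTS = {22, 135, 139, 445, 3389, 5985, 5986}
WINDOW = timedelta(minutes=5)
FANOUT_THRESHOLD = 5   # distinct internal hosts contacted on admin ports within WINDOW
DENY_THRESHOLD = 3     # blocked attempts from one source within WINDOW


def parse(lines):
    """Turn raw log lines into event dicts; silently skip lines that don't match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "port": int(m.group("port")),
            "action": m.group("action"),
        })
    return events


def find_lateral_movement(lines):
    """Return {src_ip: finding} for sources whose worst WINDOW-sized slice of
    activity crosses the fan-out or deny threshold."""
    by_src = defaultdict(list)
    for e in sorted(parse(lines), key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        max_fanout, max_denies, ports_seen = 0, 0, set()
        # Slide a window starting at each event in time order.
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW]
            admin = [e for e in window if e["port"] in ADMIN_PORTS]
            max_fanout = max(max_fanout, len({e["dst"] for e in admin}))
            max_denies = max(max_denies, sum(e["action"] == "DENY" for e in window))
            ports_seen |= {e["port"] for e in admin}
        reasons = []
        if max_fanout >= FANOUT_THRESHOLD:
            reasons.append("admin-port fan-out")
        if max_denies >= DENY_THRESHOLD:
            reasons.append("repeated blocked connections")
        if reasons:
            findings[src] = {
                "max_fanout": max_fanout,
                "max_denies": max_denies,
                "admin_ports": sorted(ports_seen),
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for src, f in find_lateral_movement(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {', '.join(f['reasons'])} "
              f"(fan-out={f['max_fanout']}, denies={f['max_denies']}, ports={f['admin_ports']})")
```

On the constructed sample only 10.1.1.20 is reported: it reached eight distinct hosts on administrative ports and had three attempts blocked inside one five-minute window, while the workstation that legitimately touched a single file server on 445 stays below the fan-out threshold. The thresholds are deliberately simple; in practice they would be set per network segment from a baseline of normal east-west traffic.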
We strongly believe that a data center network should be under constant monitoring for post-breach behavior as these networks typically hold the most sensitive information stores and critical business processes for every organization.