Rob Joyce, the National Security Agency's (NSA) chief of Tailored Access Operations (TAO), revealed that zero-day exploits are not necessary to wage attacks; hacking only requires focus and persistence.
On Wednesday, at the USENIX Enigma security conference, Joyce elaborated that security loopholes and vulnerabilities unknown to software vendors — which hackers exploit to infect devices and access networks — are not the only means at hackers' disposal for waging cyberattacks.
The NSA hacker-in-chief downplayed the importance of the zero-day vulnerabilities used to penetrate networks and said that the role of these exploits in government-sponsored hacks has been exaggerated.
For the unfamiliar, the TAO unit can best be described as a group of nation-backed hackers tasked with penetrating computer networks to collect foreign intelligence. The unit also works to improve the security of U.S. government networks by probing them sporadically.
Joyce disclosed that even hackers in the TAO unit do not completely depend on these security lapses.
"I think a lot of people think the nation states are running on this engine of zero-days. You go out with your skeleton key and unlock the door and you're in. It's not that," said Joyce. "I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero-days. There's so many more vectors that are easier, less risky and quite often more productive than going down that route."
The NSA's hacking operation approach is based on tried and tested methods that security industry experts would be only too familiar with.
The TAO head of operations revealed that the 'Internet of Things' is a boon for the TAO group, especially when it is planning a specific attack. Joyce said that Internet-connected cooling and heating systems offer TAO hackers a way into an organization's systems, since network administrators frequently overlook this route.
Joyce expressed concern about the terrible security of such IoT devices, as they could compromise the safety of networks in the U.S.
The research also corroborated that several commercial and industrial control systems (such as those in power plants) — frequently referred to as SCADA systems — are connected to the Internet without proper security protections. Joyce said that protection for SCADA is another area of concern.
He disclosed that government hackers can compromise a whole gamut of networks in ways that are not dramatic, for instance when organizations or users do not update their software or are careless about restricting administrative privileges to select users.
Moreover, company policies such as Bring Your Own Device (BYOD) are openings for attacks waiting to happen, because they introduce potentially vulnerable and unknown devices onto the organization's network.
The most powerful tools in the NSA's armory are patience and resources: the team of hackers often waits patiently for an organization to grant remote access so that a vendor can repair a niggling issue plaguing the software on the company's network, and then uses that opening.
"There's a reason it's called Advanced Persistent Threats, 'cause we'll poke and we'll poke and we'll wait and we'll wait. We're looking for that opening and that opportunity to finish the mission," said Joyce.