NSA: The Silence of the Zero DaysUS Defense Department Defenders Say Attackers Don't Need No Stinking Zero Days
After information about a newly discovered flaw or exploit becomes the public, attackers use it to target unclassified U.S. Department of Defense networks within 24 hours.
"Within 24 hours of a vulnerability or exploit being released, it's weaponized and used against us," said the National Security Agency's David Hogue in a presentation at last month's RSA conference in San Francisco.
"NSA has not responded to an [unclassified network] intrusion that has used a zero-day [exploit] in the last 24 months."
For example, Hogue says a nation-state attacker began scanning DOD networks less than 24 hours after an Apache Struts flaw was revealed in March 2017 - at the same time a patch was released - looking for unpatched DOD servers. The same flaw was later used to exploit data broker Equifax.
Hogue heads the National Security Agency's Cybersecurity Threat Operations Center - NCTOC - which is the security operations center in charge of defending unclassified DOD networks.
"In partnership with U.S. Cyber Command and the Defense Information Systems Agency, NCTOC is on the 'front lines' in defending the unclassified Department of Defense - DoDIN - network, which serves over 2.9 million users in places ranging from the battlefields in Afghanistan to the nation's capital," Hogue says in a recent blog post.
In his RSA presentation, Hogue didn't touch on attacks against classified networks. But he said the NCTOC sees about 36 million emails per day inbound to its 2.9 million users, of which it rejects 85 percent per day. He also offered other network defenders the NSA's top five actionable SOC principles, including hardening systems, using threat intelligence and machine learning, and the need to "create a culture of curiosity."
Hogue added: "We need to get more predictive and preventive."
Zero Day Scarcity
Hogue also said the DOD's unclassified network hasn't been targeted with a zero-day attack in two years.
"NSA has not responded to an intrusion that has used a zero-day [exploit] in the last 24 months," he said. Rather, the majority of incidents involved email-borne attacks - in 90 percent of all cases - and attempts to exploit systems that are "not compliant with hardware and software best practices," he said.
One member of the audience - Israeli cryptographer Adi Shamir, the "S" in the RSA asymmetric cryptographic algorithm - asked Hogue whether zero days were not being used by attackers, or if the NSA was simply failing to spot them.
Hogue responded that the existing state of network defenses wasn't robust enough to make attackers have to rely on secret exploits that might get burned once used. "If you can live off the land, so to speak, you don't need to dip into your toolkit," he said.
Saying that no one has attempted to target the unclassified Department of Defense network using a zero-day exploit appears to be a bold claim. But multiple information security experts tell me they've seen a trend similar to what Hogue described.
"I think that is true. A true zero day is one where no one has seen that element or aspect of code or attack appear before," Kris Lovejoy, CEO of network security firm BluVector, which was spun off from U.S. defense contractor Northrop Grumman, told me at the RSA conference (see What's Artificial Intelligence? Here's a Solid Definition). "Everything that we've discovered is reused code that was used in another attack."
Equifax's Breach Blues
It's difficult to say how many breaches trace to known vulnerabilities, as opposed to zero-day attacks. Anecdotally, however, some major breaches resulted from hackers exploiting flaws for which a patch was available. Last year's breach of Equifax, for example, occurred after the company failed to patch a known flaw in its Struts web application (see Equifax's Colossal Error: Not Patching Apache Struts Flaw).
The result was the exposure of personally identifiable information for 145.5 million U.S. consumers and almost 700,000 U.K. consumers.
Many other breaches were also enabled by basic information security slipups. Last year, "analysis indicated a large number of incidents were caused by third-party suppliers failing to secure data properly," according to The Cyber Threat to U.K. Business 2017-2018 Report released last month by the U.K.'s National Cyber Security Center - part of intelligence agency GCHQ - and the National Crime Agency.
The NCSC and NCA report says that attackers are increasingly "able to achieve many of their aims by using techniques that are not particularly advanced."
That goes both for cybercrime groups, nation-state attackers or groups that blend the two. "Groups assessed to have links to state actors - sometimes described as APTs [advanced persistent threats] - were likely responsible for some of the larger  breaches," the report says. "The techniques used in most cases were not particularly advanced, including exploiting unpatched vulnerabilities and spear-phishing, further demonstrating the blurring boundaries between nation states and cyber criminals, making attribution more difficult."
Known Vulnerabilities Bite
Incident responders also report that attackers are getting by just fine thanks to exploiting known flaws.
"In the main we are still seeing that the majority of compromises are due to a lack of security hardening of the service or through a lack of patching against known vulnerabilities," says incident response expert David Stubley, CEO of cybersecurity consultancy 7 Elements in Edinburgh, Scotland (see Hackers Exploit Weak Remote Desktop Protocol Credentials).
"Hackers will always take the path of least resistance and that includes using publicly available exploit code over the creation of zero-day payloads," Stubley told me.
Stop the Bleeding
Many organizations would do well to focus more on locking down their systems, and worry less about whether they might get targeted by a zero-day attack. "At the end of the day, if you're bleeding from the eyeballs, just stop the bleeding," BluVector's Lovejoy told me.
But as the Equifax breach dramatically demonstrated, it's tough to keep track of all patches.
According to software vendor Flexera's Secunia research team, the number of documented, unique vulnerabilities in software increased from 17,147 in 2016 to 19,954 in 2017 - a 14 percent increase - across about 2,000 products from 200 vendors.
The good news, Flexera's Alejandro Lavie told me at RSA, is that "86 percent of [newly announced] vulnerabilities have a patch available within 24 hours of their disclosure."
But as the NSA's Hogue warned, patches can be quickly reverse-engineered by hackers - criminals, nation-states or otherwise. So organizations need to do a better job of hardening their hardware and software, including not only tracking but also applying patches everywhere they're required, as quickly as possible.
Or at least, that's the NSA's approach.