“I hunt Sys Admins” by the NSA

According to a secret document provided by whistleblower Edward Snowden, the NSA tracks down the private email and Facebook accounts of system administrators before hacking their computers to gain access to the networks they control. Why do they do this? To gain privileged access, of course.

According to The Intercept, “the document consists of several posts – one of them is titled “I hunt sys admins” – that were published in 2012 on an internal discussion board hosted on the agency’s classified servers. They were written by an NSA official involved in the agency’s effort to break into foreign network routers, the devices that connect computer networks and transport data across the Internet. By infiltrating the computers of system administrators who work for foreign phone and Internet companies, the NSA can gain access to the calls and emails that flow over their networks.”

This is a scary concept for any organization – system administrators have the keys to the kingdom, otherwise known as privileged accounts. Once attackers gain access to a system administrator’s computer, they are free to roam the network, reaching whatever they are looking for. This method is used not only by the NSA but by countless attackers who understand the value of privileged access.

The author of the post even stated, “up front, sys admins are generally not my end target. My end target is the extremist/terrorist or government official that happens to be using the network some system administrator takes care of.” The NSA is traveling the road most traveled when it comes to infiltrating a network – the privileged pathway. You can see more examples of the use of this pathway in my post on Wired’s Innovation Insights Community, Cyber-Attackers Riding the Privileged Pathway.

As I emphasized in my previous post, this recent NSA document reinforces the reality that the entry point of a cyber-attack no longer matters. It’s not about how an attacker gets inside; at this point we need to assume it’s going to happen. What matters is what the attacker does once they are inside the perimeter. Cyber-attackers immediately target privileged and administrative accounts once they breach the perimeter, because these accounts provide a gateway to an organization’s most sensitive data.

Organizations clearly need to lock down these accounts to protect the heart of the enterprise. Locking down privileged accounts effectively means making sure only authorized remote system administrators can access and reconfigure internal devices. Additionally, if the activity of system administrators were logged and monitored, suspicious behavior would be detected immediately. Don’t take our word for it – the NSA told you so.
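As an added illustration of the monitoring this paragraph calls for (example code, not from the original post or any vendor product), the script below checks sshd-style login records on a network device against a simple policy: privileged accounts may only log in from approved jump hosts, and only with key-based authentication. The account names, addresses and log lines are constructed for the example.

```python
"""Flag privileged logins that bypass the approved administrative path.

Assumptions (constructed for this example): a fixed set of privileged
accounts, a fixed set of approved jump-host addresses, and sshd-style
"Accepted ..." log lines. Nothing here is real data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Policy (assumed): privileged accounts log in only from jump hosts, only with keys.
PRIVILEGED_ACCOUNTS = {"root", "netadmin", "svc_backup"}
APPROVED_ADMIN_SOURCES = {"10.0.5.10", "10.0.5.11"}  # constructed jump-host IPs

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

@dataclass
class Alert:
    ts: str
    host: str
    user: str
    src: str
    reason: str

def check_line(line: str) -> Optional[Alert]:
    """Return an Alert when a privileged account logs in outside policy, else None."""
    m = LOG_RE.match(line)
    if not m or m["user"] not in PRIVILEGED_ACCOUNTS:
        return None  # not a successful login, or not a privileged account
    reasons = []
    if m["src"] not in APPROVED_ADMIN_SOURCES:
        reasons.append("unapproved source (not a jump host)")
    if m["method"] != "publickey":
        reasons.append(f"non-key authentication ({m['method']})")
    if not reasons:
        return None
    return Alert(m["ts"], m["host"], m["user"], m["src"], "; ".join(reasons))

def scan(lines: List[str]) -> List[Alert]:
    """Run check_line over a batch of log lines and keep only the alerts."""
    return [a for a in (check_line(l) for l in lines) if a is not None]

# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "Apr 17 09:01:02 core-rtr1 sshd[2210]: Accepted publickey for netadmin from 10.0.5.10 port 51022",
    "Apr 17 09:03:44 core-rtr1 sshd[2233]: Accepted password for netadmin from 192.168.40.77 port 41100",
    "Apr 17 09:05:10 core-rtr1 sshd[2240]: Accepted publickey for jdoe from 192.168.40.77 port 41102",
    "Apr 17 09:07:55 core-rtr2 sshd[1190]: Failed password for root from 203.0.113.9 port 3391",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.host}: {a.user} from {a.src}: {a.reason}")
```

Only the second line is flagged: a privileged account reached the router from a workstation rather than a jump host, using a password. The same pattern extends to any device that exports authentication logs.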

Thursday, April 17, 2014