In a rare public appearance in 2016, Robert Joyce, then the head of the National Security Agency’s elite hacking unit Tailored Access Operations, gave a speech to generally describe how the team goes about infiltrating target computer networks. The first challenge, he said, was getting a "toe-hold."
That meant latching onto a small soft spot in the system, usually a compromised user account with very limited access. Depending on the target, getting a toe-hold can be extremely difficult (like slipping malware into the supply chain of a closed-off system at an Iranian nuclear facility) or fairly simple (like tricking someone into clicking on a link in an email that they shouldn't).
"Don’t assume a crack is too small to be noticed, or too small to be exploited," said Joyce, who now serves as the White House cybersecurity coordinator. "We need that first crack, that first seam. And we’re going to look and look and look for that esoteric kind of edge case to break open and crack in."
But that's only the beginning. From the toe-hold, an attacker needed to do network reconnaissance and then “move laterally” through the system, fighting for greater and greater access all the way, exploring mazes of permissions and backtracking from dead ends -- all without being detected.
"Our key to success is knowing that network better than the people who set it up," Joyce said. "Nothing is really more frustrating to us than to be inside a network, know where the thing is you need to go get to, and not have a path to get over to find that."
With the discovery of the Meltdown and Spectre computer chip vulnerabilities last week, however, that second job just got a lot easier, according to Jake Williams, a former Defense Department official involved in cyber operations.
Because the vulnerabilities can let an unprivileged process read snippets of memory that the processor's hardware isolation is supposed to keep out of reach, including kernel memory and data belonging to other processes, most higher-level protections are simply bypassed, among them nearly everything that makes moving laterally necessary, difficult or dangerous. Essentially, if an attacker has already compromised a system, however minimally, that toe-hold just became an open plateau of access.
"It goes from clawing for every inch to taking candy from a baby," Williams said.
There have been rumblings of the vulnerabilities online since the summer among researchers and developers, and Williams said he would be amazed if nation-state hackers weren’t already aware and exploiting them before the formal, public disclosure this week.
On the defensive side, Williams said all this doesn't necessarily mean government systems are any more vulnerable today than they were yesterday, but it prompted him to rethink how many people had access to different networks -- how many potential toe-holds there were.
"I think that there are a lot of those systems that have lots of people that [could become] toe-holds in very specific areas," Williams said of government networks. "They’ve basically been put in a box… with the fundamental assumption that they can't break out, and that if they could, it would be so loud and noisy that somebody would notice. And these [vulnerabilities] violate that assumption."
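Williams' point is that the "they can't break out" assumption only holds on hosts where the mitigations are actually in place, so the first defensive step is to inventory them. The script below is an added example, not code from Code and Dagger or from anyone quoted in the article. It reads the per-vulnerability status files the Linux kernel exposes (since 4.15) under /sys/devices/system/cpu/vulnerabilities/ and flags any host that still reports "Vulnerable". The directory and the three-state format of those files are real; the sample file contents embedded for offline testing are constructed.

```python
"""Inventory Meltdown/Spectre mitigation status from Linux sysfs.

Added example for this article (not from Code and Dagger or the people it
quotes). Linux 4.15+ publishes one file per hardware vulnerability under
/sys/devices/system/cpu/vulnerabilities/, each holding a single line of
the form "Not affected", "Vulnerable[: detail]" or "Mitigation: <what>".
SAMPLE_CONTENTS below is constructed so the module runs without that
directory (e.g. on macOS or an older kernel).
"""
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List

SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"


@dataclass(frozen=True)
class VulnStatus:
    name: str   # sysfs file name, e.g. "meltdown", "spectre_v2"
    raw: str    # the file's single line, as read

    @property
    def state(self) -> str:
        """Collapse the kernel's free-text line into one of three states."""
        text = self.raw.strip()
        if text.startswith("Not affected"):
            return "not_affected"
        if text.startswith("Mitigation:"):
            return "mitigated"
        # "Vulnerable" and "Vulnerable: <detail>" (partial/ineffective
        # mitigation, e.g. missing microcode) are both treated as exposed.
        return "vulnerable"


def parse_status_files(contents: Dict[str, str]) -> List[VulnStatus]:
    """Turn {filename: file text} into VulnStatus records, sorted by name."""
    return [VulnStatus(name, raw) for name, raw in sorted(contents.items())]


def read_sysfs(path: str = SYSFS_VULN_DIR) -> Dict[str, str]:
    """Read every status file under the sysfs directory; empty if absent."""
    out: Dict[str, str] = {}
    if not os.path.isdir(path):
        return out
    for name in os.listdir(path):
        with open(os.path.join(path, name), encoding="ascii", errors="replace") as fh:
            out[name] = fh.read()
    return out


def unmitigated(statuses: Iterable[VulnStatus]) -> List[str]:
    """Names of vulnerabilities this host still reports as exposed."""
    return [s.name for s in statuses if s.state == "vulnerable"]


# Constructed sample (not captured from a real host): Meltdown is mitigated
# by kernel page-table isolation and Spectre v1 by pointer sanitization, but
# the Spectre v2 mitigation is incomplete, so the host must still be flagged.
SAMPLE_CONTENTS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}


if __name__ == "__main__":
    contents = read_sysfs() or SAMPLE_CONTENTS
    source = "sysfs" if contents is not SAMPLE_CONTENTS else "constructed sample"
    for status in parse_status_files(contents):
        print(f"{status.name:12} {status.state:13} {status.raw.strip()}  [{source}]")
    exposed = unmitigated(parse_status_files(contents))
    print("EXPOSED: " + ", ".join(exposed) if exposed else "all reported vulnerabilities mitigated")
```

Run it under a configuration-management tool or over SSH across a fleet and treat any non-empty EXPOSED list as a host where the "it would be so loud and noisy" assumption no longer holds. Note that a missing file means the kernel predates the reporting interface, not that the host is safe; the script falls back to the sample only so it can be exercised offline.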