NSA reveals how it beats 0-days

In the ongoing cat-and-mouse game between nation states and attackers, anyone with something to protect has less time than ever to shore up their defenses.

At this week’s RSA conference in San Francisco, Dave Hogue, technical director of the US National Security Agency (NSA), reviewed the organization’s best practices for defense – one of which is to “harden to best practices,” as the NSA often sees attacks against their systems within 24 hours of a new vulnerability being disclosed or discovered in the wild.

Within 24 hours I would say now, whenever an exploit or a vulnerability is released, it’s weaponized and used against us.

This gives the NSA defensive team a very short patching window, especially compared to average patching windows in the private sector, which are measured in weeks or months, certainly not days or hours. Hogue said in his RSA panel that phishing attacks and unpatched systems still account for the majority of attacks they encounter at the NSA. Understandably, this is why the NSA says keeping its systems as updated as possible, as quickly as possible, is “one of the best defense practices.”

This discipline has paid off for the NSA, as Hogue says they have not had any intrusions via a 0-day exploit in the last 24 months. So, while the bad news may be that attackers are moving faster than ever – or at least the ones targeting the NSA are – the good news is that attackers mostly still rely on their old tricks, simply because they’re easier to deploy and usually work.

In fact, the vast majority of the incidents that the NSA deals with aren’t the latest and greatest in APTs or cutting-edge 0-days – 93% of all security incidents in the last year at the NSA were found to be entirely preventable using best practices the agency already advocated. Attackers count on governments and organizations lapsing in basic, well-established principles, so that they can rely on tried-and-true basic methods and don’t have to burn their best (and often more difficult to use) tools and techniques.

For all the headlines that the latest named vulnerability might get, the chances of being hit by this kind of threat are still lower than a phishing email or ransomware causing trouble.