I wanted to follow on from yesterday by discussing Susan Hennessey's post on the NSA, in which, like a storybook character, she essentially says "I Speak For The Trees". She's a former NSA lawyer and she quotes the current head of TAO, and I find both those things funny, but there are some very clear misconceptions, in industry and in her post, that I want to clear up.
I am quoting from https://www.lawfareblog.com/good-defense-good-offense-nsa-myths-and-merger below:
Second, there is a mistaken belief that it is not possible to both disclose and exploit a discovered vulnerability. Rob Joyce, head of NSA's Tailored Access Operations, recently noted that, contrary to popular belief, it is generally more productive for NSA to exploit known vulnerabilities than zero-days.
Rob Joyce and Susan Hennessey are both wrong, and if they disagree they are welcome to come to INFILTRATE to point out why :). While it is true that you don't need 0days to hack, there is a clear OPSEC advantage to having them and, once you have them, to not giving them up. Likewise, situations change, and should modern defenses live up to their promise we will rue the day we decided to empty our "stockpiles" of vulnerabilities. Thirdly, it is obvious to the technical community (although not to lawyers and policy makers) that 0days are not a simple commodity like grain or oil: they are often highly correlated, composed of smaller parts and techniques, and uniquely non-fungible. Also, it is unproven in the public world whether our vulnerabilities have any significant overlap with Chinese and Russian stockpiles.
Based on all of this, any claim that having the NSA "lean towards defense" in its handling of 0days would be even slightly beneficial should be treated with caution.
[Image caption: This camo does not protect me from being found by Russian network analysts, but it does get me dates!]
It is obvious to any experienced "operator" (as someone who hacks things for a living is known) that, while a target may not be patched, when you use a known vulnerability you risk an IDS, AV or other defensive mechanism SILENTLY detecting you and warning the target. The worst-case scenario is not being blocked. The worst-case scenario is being detected without knowing you have been detected!
A brief understanding of how operations and defense play together is important. This is not NSA specific, but imagine you, as a nation-state attacker, use your shiny new IIS 0day against a Russian target. Russia keeps full packet logs of its entire national network, and has for many years. If you give that vulnerability to Microsoft and it gets fixed, Russia will then go back in time through those logs and look for all possible exploitation that fits the newly published pattern. Perhaps this is the goal of the next generation of EINSTEIN as well? ;>
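As an added illustration of that retroactive sweep (example code written for this edit, not code from the original post or from any agency tooling): a defender holding a request archive takes the signature published alongside a fix and runs it over every historical record, learning when exploitation began and which hosts and sources were involved. The archive records and the `X-Demo-Trigger` signature are constructed placeholders, not a real vulnerability.

```python
import re
from dataclasses import dataclass

# Constructed sample of a full-packet archive reduced to one record per HTTP
# request: "<timestamp> <src ip> <dst host> <request line> | <headers>".
# Made-up records for illustration, not real traffic.
ARCHIVE = """\
2014-11-03T08:12:51Z 203.0.113.9 web1.example.net GET /index.aspx HTTP/1.1 | User-Agent: Mozilla/5.0
2014-11-03T08:13:02Z 203.0.113.9 web1.example.net GET /print.aspx?v=1 HTTP/1.1 | X-Demo-Trigger: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2015-06-21T23:40:10Z 198.51.100.4 web2.example.net POST /upload.aspx HTTP/1.1 | X-Demo-Trigger: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2015-06-22T00:02:33Z 198.51.100.4 web2.example.net GET /status.aspx HTTP/1.1 | X-Demo-Trigger: AAAA
2016-01-09T14:05:59Z 192.0.2.18 web1.example.net GET /index.aspx HTTP/1.1 | User-Agent: curl/7.47
"""

# Hypothetical signature shipped with the (fictional) patch: the trigger header
# carrying 64 or more repeats of one byte. A placeholder, not a real vulnerability.
SIGNATURE = re.compile(r"X-Demo-Trigger: (.)\1{63,}")
RECORD = re.compile(r"^(\S+) (\S+) (\S+) (\S+ \S+ \S+) \| (.*)$")

@dataclass(frozen=True)
class Hit:
    timestamp: str
    src: str
    dst: str
    request: str

def retro_hunt(archive: str, signature: re.Pattern) -> list:
    """Run a newly published signature over every historical record; oldest first."""
    hits = []
    for line in archive.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # malformed record: skip it, keep sweeping
        ts, src, dst, request, headers = m.groups()
        if signature.search(headers):
            hits.append(Hit(ts, src, dst, request))
    return sorted(hits, key=lambda h: h.timestamp)

def exposure_summary(hits: list) -> dict:
    """What the sweep tells a defender: when it started, which hosts, which sources."""
    if not hits:
        return {"first_seen": None, "hosts": [], "sources": []}
    return {
        "first_seen": hits[0].timestamp,
        "hosts": sorted({h.dst for h in hits}),
        "sources": sorted({h.src for h in hits}),
    }

if __name__ == "__main__":
    print(exposure_summary(retro_hunt(ARCHIVE, SIGNATURE)))
```

The short `AAAA` record shows why the threshold matters: a sweep over years of traffic has to be tight enough not to bury the real hits in noise.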
Nation-grade hacking, the way the US does it, requires expensive implants, so if an implant (like FLAME) is discovered, not only will you lose access to that host, you may lose access to a thousand other hosts, and of course have to deploy an entirely new tool chain. You will, in a sense, have your entire tool chain wrapped up in a destructive manner similar to having one of your spies discovered, and their case officer found and silently tracked for several years until all your other spies are found.
Because of this, even if you are no longer using a 0day, nation-state hackers are loath to give it to a vendor for fixing, even if there may be some minor ancillary benefit. This argument is, for whatever reason, completely absent from the policy dialogue at the moment.
The Chinese often do the opposite, having made a different OPSEC calculation. For the most part they use cheap implants that are highly replaceable, so when they realize they have been discovered they release their exploits widely to avoid attribution. This is not the American way. We need the NSA to stockpile more 0day, not less, to accomplish our long-term strategic goals.