Advanced persistent threat actors are making it more difficult to attribute cyberattacks by using broadly available commercial tools such as virtual private networks as vectors, according to the head of the National Security Agency’s cyber directorate.
“We’ve seen whole APTs kind of go dark to some of the commercial entities who say ‘yeah, I don’t see those custom tools from name your favorite threat actor group,’ when in reality they’re just as active but what they’re using now is, you know some of the commercial tools that get them to the same outcomes,” said NSA Cybersecurity Director Rob Joyce. “So it’s clouded that space.”
Joyce spoke along with FireEye CEO Kevin Mandia and other cybersecurity leaders from government and industry at the Aspen Cyber Summit Wednesday.
Mandia reiterated long-standing calls for the government to impose consequences on malicious hackers while noting how it’s become increasingly difficult to identify the perpetrators.
“In 2010, we only had 40 groups—like everything we were responding to went nice and neatly into 40 different buckets,” he said. “Now we’re up to like 2,900 buckets. It may really only be 40, but everybody’s changing so fast that the evidence we see today from the same hacker group is different than three months ago, so it’s another number.”
Mandia says the government has resources to better attribute hacks, at least to the country level. And that’s something that should concern countries like China, where it can be hard to distinguish between state-sponsored intrusions and independent criminal enterprise, Joyce said.
“What we often see is there are the commercial elements who by day are supporting those government activities and then by night using some of the same tools, infrastructure and other activities. And I think it’s really important China understands how much of a risk that is to them, that these uncontrolled actors are, you know, ambiguously combined with their activities, and that, that’s a problem,” he said.
Joyce said his priorities for the cyber directorate are to work closely with the private sector to acquire the best intel and to secure the defense industrial base.
On Tuesday, NSA and the Cybersecurity and Infrastructure Security Agency jointly released a guide for acquiring and securing virtual private networks. Among the recommendations was for buyers to ask VPN suppliers to deliver a software bill of materials. SBOMs, which are generally described as an ingredients list of the code that goes into building a product, are a major component of President Joe Biden’s May 12 executive order.
“Request and validate a product’s Software Bill of Materials so the risk of the underlying software components can be adjudicated,” the agencies wrote. “Many vendors use outdated versions of open-source software in their products, including many with known vulnerabilities, so this risk is critical to manage.”