How the NSA hacks you, and what cloud can do about it

At the recent Usenix Enigma 2016 conference, NSA TAO chief Rob Joyce explains how his team works. By the way, TAO means Tailored Access Operations, which is a euphemism for hacking. See the full presentation here.  Rob explains their methods, but between the lines he implies that other nation states are doing the same, so in a way he is here to help us. For that reason he also explains what makes their work hard.

After Snowdon I should not need to explain the extent of what is going on here.

In summary, the NSA’s method of operation is: “reconnaissance, initial exploitation, establish persistence, move laterally, collect and exfiltrate”.

In this article I won’t go in more detail on each of these. But here are a couple of rephrased quotes for illustration.

  • Reconnaissance: “We aim to know your network (i.e. infrastructure) better than you do”
  • Initial exploitation: “Zero day exploits are hardly ever necessary”
  • Lateral moves: “Nothing frustrates us more than being inside, and not able to move”

What is the implication of this for cloud security? Of course, if you replicate your legacy infrastructure into a cloud provider, it is not going to be more secure. So you need to do some more.

Cloud to the rescue?

Can the cloud model actually help with security? I think it can, and here are a few examples. They hinge on the cloud essential characteristics of self-service provisioning and rapid elasticity, which enable security automation.

Know your network. A good IaaS provider allows you to fully and automatically take stock of what you have provisioned. A very small proof of concept is on my github project ‘state of cloud’, which just lists all running EC2 instances in your AWS account across all regions. You can then do all kinds of reporting and analysis on your infrastructure, and in particular check for vulnerabilities like rogue machines and open ports.

Code exploits. Why should you use zero day exploits, if organizations are months or even years behind on patching? Why are they behind? Because it is labor intensive. So automate it. Whenever an instance boots up, it should be patched automatically and then tested. All without manual intervention. This requires cloud automation.

Lateral moves. A typical organization has a hard shell, and a soft inside, so to say. Once passed the firewall, the attacker is like the fox in the henhouse. To counter this you need hyper segregation, in particular of security groups and user credentials. You can have a security group per machine, and individual credentials per task. Only cloud automation enables you to do this at scale.


Hacking is an arms race. Automate and scale up your response or lose. Cloud computing might help.
Want to know more about cloud security? See the course calendar