4 August 2018

The Story of an NSA Hacker

George I. Seffers

Millions of times every single day, antagonists search for entry into the U.S. Defense Department’s networks. They come from all over: Russia, China, North Korea, Iran. Some are sponsored by nation-states; others are terrorist groups. “Adversaries approach the perimeter, and that’s where we sit. They test our defenses, and we’re the ones on the front line, mitigating the threat,” says Spc. Alexander Woody, USA, a counter pursuit operator within the National Security Agency’s (NSA’s) Cybersecurity Threat Operations Center (NCTOC). “We provide 24/7 year-round support for network monitoring, coordination and crisis response.”

Spc. Woody works on what he calls the center’s “watch floor,” where monitors and large display screens are omnipresent. It is an open space with no cubicle walls and constant chatter.

“It’s a little bit like you’d see in the movies, quite honestly,” Spc. Woody says.

Given the rapid-fire, all-action, all-the-time operations tempo, that movie might be called Fast & Furious: The Cyber Connection. “The speed of cyber is a buzzword, but the surprising thing is how true that is. The turnaround on a mitigation for something we’ve discovered is very fast,” he offers. “It’s a lot. The threat is ongoing and persistent.”

The rapid pace requires continual collaboration. The collaboration extends to other organizations, including the U.S. Homeland Security and Energy departments, the FBI, the Defense Intelligence Agency, the Defense Information Systems Agency, the Joint Force Headquarters-Department of Defense Information Network, the Defense Security Service and the U.S. Cyber Command. “Cyber Command is right next door to us, so we are very good friends with CYBERCOM,” Spc. Woody states.

He compares the center’s daily operations to a high-level tennis match. “We’re volleying back and forth with our adversaries all the time. They attack and we defend. They attempt to exploit a vulnerability, and we mitigate that threat. Staying one step ahead—that’s our goal. And we are more than prepared to handle whatever they serve to us,” the specialist declares.

He recalls once when his team won the cyber equivalent of a grand slam. “My team and I discovered an intrusion within a Department of Defense host, and we were able to mitigate that threat before it could cause any damage. We were also able to identify the guy behind that intrusion as a counter pursuit operator,” Spc. Woody reports.

The constant struggle to defend the network can initially be overwhelming. Some version of “I’m not ready for this” is a sentiment expressed more than once by newcomers to the watch floor. “We get them ready,” Spc. Woody says. “When I first got on the floor, I had no idea what I was getting into.”

He defines a sophisticated threat as adversaries who know what they’re doing rather than simply downloading readily available software. “These groups author their own malware or modify existing malware to be especially dangerous,” the specialist reports. “If they are just taking a tool they found on the Internet and throwing it against targets, I wouldn’t call them sophisticated. I would call them sophisticated if they modified that tool or developed their own tool and deployed it.”

As the threat grows more persistent and sophisticated, the consequences of attacks grow more severe. Spc. Woody cites the 2014 attack on Sony Pictures Entertainment as one example. A hacker group calling itself Guardians of Peace not only stole and leaked sensitive information but also deployed destructive wiper malware to render the company's workstations and servers unusable; the wiper, generally identified as Destover, shares disk-wiping techniques with the Shamoon malware used against Saudi Aramco in 2012. “This kind of behavior became more aggressive and destructive over the years, and they’re not stopping anytime soon,” the specialist warns.

He describes the threat as evolving from exploitation to disruption. “Bad actors are using tactics like spear-phishing to infect systems and disrupt their operations,” he says, pointing out that the vast majority of cyber incidents occur “when people click things they shouldn’t.”

NCTOC personnel are seeing more and more supply chain attacks, in which an adversary compromises the build or distribution infrastructure of legitimate software and trojanizes the software before it reaches users. Users then download a program that looks legitimate, and when the tampering happens upstream of the vendor's release signing, the download can even carry a valid code signature. “These attacks are especially concerning since users can become compromised even when downloading from trusted sources,” Spc. Woody adds.
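The practical defense against a trojanized download is to check the artifact against a digest or signature obtained from a channel the distribution server cannot rewrite. The following is an added example, not code from the article or from NCTOC: it pins SHA-256 digests that are assumed to have been recorded out of band (a signed release page, a vendor-signed manifest, a value in your own configuration) and rejects a tampered copy of the same installer. The installer bytes, file names and the "manifest published beside the download" are all constructed here so the block runs offline; the last function exists only to show why a manifest fetched from the same compromised host proves nothing.

```python
"""Integrity check for downloaded software against out-of-band pinned digests.

Added example, not from the original article. Assumes the expected SHA-256
values in PINNED were obtained independently of the download server.
"""
import hashlib
import hmac
import io

CHUNK = 1024 * 1024  # hash large installers without loading them into memory

# Constructed sample "downloads" (not real software). TROJANED is the same
# vendor installer with an extra stage injected, as a supply chain attacker
# who controls the distribution host would do.
LEGIT_INSTALLER = b"MZ\x90\x00" + b"vendor installer v1.2.3" + b"\x00" * 32
TROJANED_INSTALLER = (
    b"MZ\x90\x00" + b"vendor installer v1.2.3" + b"\x00" * 16
    + b"<injected second-stage loader>"
)


def hash_stream(fp) -> str:
    """SHA-256 of a file-like object, read in CHUNK-sized pieces."""
    h = hashlib.sha256()
    for block in iter(lambda: fp.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def sha256_hex(data: bytes) -> str:
    """SHA-256 of in-memory bytes, via the same streaming path."""
    return hash_stream(io.BytesIO(data))


# Pinned digests, assumed recorded before the download from a channel the
# download server cannot alter. Computed from the constructed legit artifact
# here only so the example is self-contained.
PINNED = {
    "vendor-installer-1.2.3.exe": sha256_hex(LEGIT_INSTALLER),
}


def verify_artifact(name: str, data: bytes, pinned: dict) -> bool:
    """True only if `data` matches the pinned digest for `name`.

    A name with no pin is rejected outright: no pin means no basis for trust.
    hmac.compare_digest keeps the digest comparison constant-time, which is
    good habit even though the digests here are not secrets.
    """
    expected = pinned.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def verify_download_set(downloads, pinned: dict) -> list:
    """Check several (name, bytes) pairs; return the names that failed."""
    return [name for name, data in downloads if not verify_artifact(name, data, pinned)]


def manifest_published_beside(downloads) -> dict:
    """What a hash manifest looks like when it is generated on the same host
    that serves the files. An attacker who trojanized the installer simply
    regenerates this too, so it must never be the source of PINNED."""
    return {name: sha256_hex(data) for name, data in downloads}


if __name__ == "__main__":
    name = "vendor-installer-1.2.3.exe"
    print("legit copy verifies:", verify_artifact(name, LEGIT_INSTALLER, PINNED))
    print("trojaned copy verifies:", verify_artifact(name, TROJANED_INSTALLER, PINNED))
    beside = manifest_published_beside([(name, TROJANED_INSTALLER)])
    print("trojaned copy vs manifest from same server:",
          verify_artifact(name, TROJANED_INSTALLER, beside))
```

Run as a script it shows the legitimate copy passing, the trojaned copy failing against the out-of-band pin, and the trojaned copy passing against a manifest generated on the compromised host, which is the failure mode the check exists to avoid. In production the pinned values would come from a vendor signature verified with a key you already hold, not from a value computed at first download.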

He expresses concern that future threats will involve malware that exploits vulnerabilities in hardware as well as software. The specialist offers Spectre and Meltdown as two recent examples. An Intel website explains that the exploits are based on side-channel analysis. A side channel is some observable aspect of a computer system’s physical operation, such as timing behavior, power consumption or even sound. In the case of Spectre and Meltdown, the observable is cache timing: the processor speculatively executes instructions it later discards, but the memory accesses those instructions perform leave traces in the cache that an attacker can measure. “The statistical analysis of these behaviors can, in some cases, be used to potentially expose sensitive data on computer systems that are operating as designed,” according to Intel.

“If attackers are able to exploit vulnerabilities in a processor, they can hide their malware from software detection and make it a lot harder for us to detect,” Spc. Woody adds.

Intel reports that the exploits cannot corrupt, modify or delete data, but the specialist suggests that could change as techniques evolve. He speculates that future exploits of this kind could give an attacker a way to damage physical components within the victim’s machine. “If an attacker gains control over low-level processor functions, they may be able to bypass safety limits on that chip, and they can modify the chip voltage or temperature to ultimately destroy that computer,” he elaborates.

To counter the threat, the NSA’s cyber force relies on two widely available tools, Splunk and Wireshark. Splunk is a commercial platform for indexing and searching large volumes of machine data such as logs. Wireshark is an open-source packet analyzer used for troubleshooting networks and inspecting captured traffic. Because Wireshark is free, anyone can download it and “use the same tool NSA hackers use,” Spc. Woody says.

Sifting through massive amounts of data and properly reporting the results using the NSA’s strict reporting protocols are two of Spc. Woody’s specialties. Reporting requires that analysts focus only on the facts rather than on emotions or hunches. “We have to formulate all of the cyber knowledge into an easily digestible format for all of our partners. That means taking the cyber jargon and boiling it down to something that the end-line users can understand and act on,” he elaborates.

His reports have at times been presented to Adm. Michael Rogers, USN, the recently retired NSA director. “I find it weird that a [specialist] can produce an intelligence report that can cross the desk of an [admiral],” he says. “Anytime anybody has a reporting question or has anything they want to report, I’m the go-to soldier for that.”

But the skill set he would most like to sharpen is on the offensive side of network warfare. Spc. Woody says he is using his own computer and a Raspberry Pi, a small, inexpensive single-board computer, to develop an exploit he could ultimately use to train other soldiers.

“Network defense and computer network attack go hand in hand. To understand the defense, you really need to understand the attack. I would like to practice more attacks in order to understand defense better,” he explains.

Spc. Woody has been with the NSA for nearly two years. In that time, he has gone from being the most junior analyst on the floor to a senior analyst in charge of his own team.

Before joining the U.S. Army, he studied chemistry at North Carolina State University. Uninterested in the more marketable careers in chemical engineering or applied chemistry, however, he chose a different path, preferring the chemistry and camaraderie of the NSA’s elite force for cyber. A technology career seemed a natural choice for a self-described computer nerd who had built his own computer and managed his own network. “I was an amateur at it, but I enjoyed it,” Spc. Woody allows.

He jokes that coming out of college, he really wanted to train for another career, but he also wanted a paycheck and a place to live while he trained. “The military was the answer to that,” he says.

Spc. Woody voices no regrets about joining the NSA. “I really love this job. In the military, after the military, this is where I want to be,” he asserts.

The specialist says he tries to live by one part of the soldier’s creed: mission first. “I know that’s trite, but it is really easy for me and other people to get sidetracked on and off the job. I like to keep my sights on what’s important,” he offers. “The work we do here directly supports the warfighters downrange who use our networks to carry out the mission every day.”
