Stealth in the Face of Adversaries: Integrating Intelligence Data Into Cyber Operations
The addition of intelligence, such as open-source, signals, human, financial, geospatial and technical intelligence, when paired with military cyber operations as well as industry insights, makes a powerful combination for the United States, said Daniel McCormack, chief information officer (CIO) of the Cybersecurity Directorate, National Security Agency (NSA).
McCormack spoke with George Seffers, SIGNAL Media’s editor-in-chief, during a fireside chat Thursday at AFCEA International’s TechNet Cyber conference in Baltimore.
“What we find with our intelligence insights really augments what we have from industry partners,” McCormack noted. “Where they can see traffic as it traverses networks within the United States, across the world or even at the local area where they have their products deployed, where they have ultimate responsibility, we have been able to really leap ahead combining our insights with theirs.”
For example, if one company shares what may be considered a small, singular event, when combined with intelligence and global cyber operational information, that can paint a much clearer picture for the NSA and amplify understanding and defenses quickly.
“People will say, ‘I found this one thing with this one particular [cyber attack] victim,’ and now we can know three other things. We can magnify that to where we can say, ‘Well, now let's take how you found that and apply that, often across the entire ecosystem, with everyone that we deal with,’" McCormack stated. "And we go from finding three extra things to 300 very, very quickly.”
The NSA cyber warriors need this advantage. Adversaries are only becoming more sophisticated in the attack methods they use on government networks and systems, McCormack said. They are deploying less malware (malicious software, which has more visible impacts) and instead are positioning themselves stealthily inside a network.
Vulnerabilities or security gaps in computer or software systems that are unknown to the developers or users, known as zero-day vulnerabilities, are still common adversarial entry methods into a network or system, the CIO said, but they are being used less frequently.
“The biggest two trends that I would highlight are the very malware-light situations that we're dealing with,” he shared. “Malware seems to be deployed only in the most necessary cases. We see plenty of ‘zero days’ still being developed and used, obviously, but an incredible amount of ‘end days’ that are being used for access to the edge.”
The end-days approach has adversaries getting in with low detectability and exploiting a network almost silently, McCormack warned.
“Once adversaries are inside the network, the way that they are moving around, the way that they are persisting is with the natural form of the network,” he cautioned. “It is with the administrators' own credentials, their own tools, everything that their people have put in place.”
The NSA cyber operators are seeing how these adversaries have the restraint to sit and wait without tipping off normal detection while benefiting from their dangerous data-gathering.
“Some of the real top-tier adversaries have a bit of the strategic patience that we have always preached within NSA to not just get in and immediately start bouncing around like a ransomware actor,” McCormack stated. “They will spend the time to learn everything the actual admins know, find where they are storing all their documentation about the network, find where the credentials are for the tools.”
This can be treacherous to hunt down since the cyber marauder resembles actual administrators, he said.
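Hunting the credentialed, living-off-the-land behaviour McCormack describes comes down to comparing privileged activity against what the real administrators normally do. As an added example (not code from the article or from the NSA), the Python below learns a per-account baseline of logon source hosts from an assumed log format and flags admin logons from hosts outside that baseline; the accounts, hosts and tool names are constructed:

```python
"""Constructed example (not from the article or NSA): learn which hosts
each admin account normally logs on from, then flag admin logons from
any host outside that baseline. Log format, accounts and hosts are assumed."""
import re
from collections import defaultdict
# Assumed log format: "<timestamp> logon user=<account> src=<host> tool=<name>"
LINE_RE = re.compile(r"^(\S+) logon user=(\S+) src=(\S+) tool=(\S+)$")
ADMIN_ACCOUNTS = {"jdoe_adm", "svc_backup"}  # constructed privileged accounts

def parse(line):
    """Return a dict for a well-formed line, or None so junk is skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, src, tool = m.groups()
    return {"ts": ts, "user": user, "src": src, "tool": tool}

def build_baseline(lines):
    """Map each admin account to the hosts it logged on from in a quiet period."""
    baseline = defaultdict(set)
    for ev in filter(None, map(parse, lines)):
        if ev["user"] in ADMIN_ACCOUNTS:
            baseline[ev["user"]].add(ev["src"])
    return baseline

def find_deviations(baseline, lines):
    """Return admin logons whose source host was never seen for that account."""
    hits = []
    for ev in filter(None, map(parse, lines)):
        if ev["user"] in ADMIN_ACCOUNTS and ev["src"] not in baseline.get(ev["user"], set()):
            hits.append((ev["ts"], ev["user"], ev["src"], ev["tool"]))
    return hits

# Constructed sample logs: a quiet baseline period, then a later day to check.
BASELINE_LOGS = [
    "2024-05-06T08:02Z logon user=jdoe_adm src=jumphost01 tool=ssh",
    "2024-05-07T09:15Z logon user=jdoe_adm src=jumphost01 tool=psexec",
    "2024-05-07T23:00Z logon user=svc_backup src=backupsrv tool=wmic",
]
NEW_LOGS = [
    "2024-05-13T08:10Z logon user=jdoe_adm src=jumphost01 tool=ssh",
    "2024-05-13T02:41Z logon user=jdoe_adm src=ws-042 tool=psexec",  # unseen host
    "2024-05-13T23:00Z logon user=svc_backup src=backupsrv tool=wmic",
    "2024-05-13T10:05Z logon user=analyst src=ws-017 tool=rdp",  # not an admin
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for hit in find_deviations(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print("admin logon from a host outside its baseline:", hit)
```

The same baseline idea extends to which tools each account runs and which shares (such as the network documentation store McCormack mentions) it reads.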
In addition, social engineering is still being used by adversaries “in a lot of cases” and is being combined with artificial intelligence (AI) for initial breach activities like spear phishing. NSA operators are not yet seeing AI used for exploiting networks.
“The other trend that we see a lot is called ‘AI first,’” the CIO continued. “We do not see a lot of actors currently using AI for the exploitation phase for what they are doing inside the network. We are certainly watching for when that really kicks into high gear. But actors are absolutely loving AI for the initial spear phishing. The social engineering becomes so much more natural, so much more human.”
The NSA cyber operators are seeing cyber criminals use AI for video phishing, with digital exploitation of voices, so that people trust who is on the other side. In addition, adversaries are using AI to find and identify vulnerabilities.
“Finding what edge matches with what target is something that takes a lot of time. A lot of human effort goes into that,” McCormack stated. “AI has taken that and made it easy. It is just child's play now to match up and find the right way into a network from the outside.”
On a positive note, McCormack does see AI benefiting the NSA’s and other organizations’ cyber defenders, although using it well requires a larger knowledge base of how best to apply it. And that is something the agency is advancing for its operators.
“I think it takes a lot for defenders to understand how to implement,” the CIO stated. “We are in an interesting phase at the moment, where people are learning how best to employ AI agents and AI defensive tools. But attackers have a bit more freedom in the space, where they can afford to be wrong a little more often. I think they have got the advantage in testing things now, but defenders can figure that out. And that is something that we are working to make easier.”
The NSA also has many resource tools currently available for cyber operators, McCormack shared. Moreover, the community should expect to see more tools and guidance on AI security and zero-trust implementation coming out this fall.
The CIO stressed that cyber operators should not feel like they are alone in battling forward.
“Our Cybersecurity Collaboration Center has within it an entire group just doing AI security,” he offered. “Part of what they are doing with that is publishing guidance as we learn how best to implement these things. Suggestions on deployment and use, we are publishing that just openly on our website, nsa.gov, for people to read, implement, critique and help us improve.”
TechNet Cyber is organized by AFCEA International. SIGNAL Media is the official media of AFCEA International.