The NSA's Hubris and the Shadow Brokers 0-day

Reuters has a possibly incendiary report on the FBI investigation into the "Shadow Brokers" dump of NSA tools. According to a Reuters exclusive, the NSA was aware that their tools may have been exposed almost immediately after it occurred, and yet never notified Cisco and Fortinet about the vulnerabilities in their system. There is a defensible argument for not informing a vendor about a zero-day where the Agency is confident nobody else knows about it. But if the NSA has reason to suspect an adversary has captured a zero-day—the use of which could substantially impact US interests—it is critical that the NSA report it to the vendors in the interest of defense. 

Apparently the NSA disagrees, appearing to claim that they are able to detect usage and therefore only need to alert vendors or otherwise respond to the breach once there is evidence someone else is using the stolen zero day.  From Reuters:

After the discovery, the NSA tuned its sensors to detect use of any of the tools by other parties, especially foreign adversaries with strong cyber espionage operations, such as China and Russia.

That could have helped identify rival powers’ hacking targets, potentially leading them to be defended better. It might also have allowed U.S officials to see deeper into rival hacking operations while enabling the NSA itself to continue using the tools for its own operations.

Because the sensors did not detect foreign spies or criminals using the tools on U.S. or allied targets, the NSA did not feel obligated to immediately warn the U.S. manufacturers, an official and one other person familiar with the matter said.

The problem with this logic lies in the nature of the vulnerabilities released by the Shadow Brokers. Two exploits in particular challenge the “we’d know if it were used” premise—the EXTRABACON exploit targeting Cisco equipment and the EGREGIOUSBLUNDER exploit targeting Fortigate. Both of the vulnerabilities directly impact systems used in the United States—including the national security systems NSA is tasked with defending—and, more critically, would not be able to be detected in the wild by NSA’s sensors.

First, a note of caution. Reuter’s sources are people “with direct knowledge of the probe” and do not appear to be NSA sources. So it is difficult to draw firm conclusions from non-specific terms like “sensors.” It is possible, the “sensors” in question is a laypersons description of penetrations into the operational planning of nation-state adversaries. But, taking the report in its face, it appears sensors means those systems NSA uses to search large volumes of network traffic. And if that is the case, then the NSA’s claims here ring seriously hollow. 

Both the EXTRABACON and EGREGIOUSBLUNDER exploits are used to "pivot" within an institution, starting with a toehold on a computer which can access the firewall's administration interface (web in the case of EGREGIOUSBLUNDER, the network SNMP protocol in the case of EXTRABACON) and using this position to greatly increase capabilities. Once the attacker gains control over the firewall using one of these exploits, they might as well have control over every system in the network as they can easily attack any other system at will. These firewalls are quite common, both in US commercial and US government networks.

And NSA's "sensors”—like XKEYSCORE and UPSTREAM—would not actually be able to see these exploits used against US targets. These sensors are effectively Network Intrusion Detection Systems  or NIDS—and, in the case of XKEYSCORE, quite possibly Lockheed Martin's Vortex—systems which sift massive volumes of network traffic looking for known patterns and extracting content-derived metadata. But a NIDS can only interpret data that it can see. The major NSA NIDS located on significant Internet transit links would not see evidence of an attacker using these stolen tools, because the only place the tools appear in a way that a NIDS might detect is within a target's internal network and not the general Internet.

This means that the more likely way NSA would know that an attacker used these zero days is if the Agency had compromised the attacker's internal infrastructure. This leads to a kind of Catch-22: the only way the NSA could reasonably see evidence of an attacker using the 0-day is by penetrating the attacker’s infrastructure, but in that case, alerting the vendor to the zero-day use risks revealing the likely far more sensitive information that the NSA had managed to compromise that infrastructure. All roads lead to nondisclosure, here, and that’s a problem.

In short, NSA's excuse for not revealing the zero-days to Fortinet and Cisco is empty. Either NSA knows they can’t detect the exploit use, or they know they couldn’t alert the vendors if they can. And even if the NSA is able to see the exploit, it might be too late: by the time the vendors have a patch, the attacker might have already used the exploit to substantially damage our interests. Even the most responsive company can take a couple of weeks to develop, test, validate, and deploy a patch for a zero-day.

Of course there is another possibility: the NSA knew about the possible leak but never knew that an adversary obtained the tools.  In which case the belief that their "sensors" is still flawed, and we need to know if that is the case why the NSA never knew their tools were stolen in the first place.

The NSA operator's screw-up is probably forgivable and the result of some combination of bad tools and operational expediency. And comfortingly, this means that the NSA can reasonably estimate what is in the still unrevealed blackmail file, since they are aware of what could have been stolen but is yet unreleased. One would hope if undisclosed exploits remain in an adversary’s hands, NSA is working overtime to alert the affected companies and develop a patch before time runs out.

But once again, we are faced with evidence that the NSA is not dutifully discharging their role in defending our country from others who seek to exploit our systems.