NSA TAO: What Tailored Access Operations unit means for enterprises

The NSA's top-secret Tailored Access Operations offensive hacking unit offers enterprise defense strategy lessons. Expert Nick Lewis discusses.

It was recently revealed that the NSA's top-secret offensive security unit, a specially designed hacking group, can infiltrate systems at the speed of light through everything from satellite and fiber-optic connections to zero-day vulnerabilities and website malware injections.

As the details of this organization, called the Tailored Access Operations (TAO) unit, come to light, some might say that the differences between an advanced persistent threat-style attack and the capabilities at the NSA's disposal are mostly semantic. It's worrisome to think that not only do these powerful groups know that malicious techniques exist, but that governments and nation-states also possess the ability to execute these techniques -- and have already done so.

While the confirmable tools and capabilities of the NSA and the larger intelligence community will most likely never be known to the public, the unit's existence simply cannot be overlooked. Let's delve into the NSA's TAO hacking unit -- and why enterprises need to be aware of it -- as well as what new defense strategies enterprises must adopt in the wake of its revelation.

NSA's TAO unit

The TAO unit is, for all intents and purposes, a hacking group. The TAO aims to exploit hardware and software to gather intelligence on supposedly foreign entities. This is facilitated by gaining access to telecommunication companies that operate the backbone of the Internet and capturing Internet traffic, as well as intercepting physical devices and inserting monitoring capabilities onto them. Since its inception in 1998, the group has grown to be one of the most important parts of the NSA because of society's reliance on computers and the access necessary to monitor those communications. The TAO unit was designed to extend previous capabilities for monitoring radio communications to general monitoring of a broad array of networked systems. Since a potential target could be using practically any technology, the TAO unit likely targets network equipment because of the limited number of devices to attack and the broad access it could offer.

In the now infamous files leaked by former NSA contractor Edward Snowden, details of the TAO unit's tasks, capabilities and functions were released to the general public. For example, the documents exposed how systems can be compromised before they leave the manufacturer, even if they are never connected to a TCP/IP network, among other scenarios. Some of the concepts believed to have been pioneered by TAO have since been used in credit card skimmer attacks and even USB-based malware. Additionally, there have been many examples of hardware or software shipped with malware already installed, and instances of vendors shipping devices on which even the most basic security evaluations were not undertaken. While enterprises should plan for and defend against these threats, they must first know how to accomplish it.

The NSA has interdicted the supply chain in attacks so that its monitoring tools are already present on systems before the devices ever connect to a target network. Unfortunately, supply chain weaknesses are not well understood by enterprises, and most are ill-prepared to deal with hardware that already has physical monitoring tools installed on it for intelligence gathering. Such a tool could simply send communications to an outside party, or it could be used to provide persistence even if the currently installed OS is removed.

While enterprises could reinstall factory operating systems, it is advisable to monitor newly installed systems for any suspicious network access prior to putting them into the production environment.
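The burn-in check described above can be automated. The following Go program is an added example, not code from the article or from any product it mentions: it reads connection-log lines recorded while a newly installed host sits in a quarantine network, flags every destination that is not on a small expected allowlist, and flags any destination contacted at a regular interval, which is the pattern a pre-installed monitoring tool calling home tends to produce. The log format, the sample lines, the addresses and the allowlist are all constructed for the example.

```go
package main

// Added example (not from the article): analyse connection-log lines captured
// while a newly installed host sits in a quarantine network, before it goes
// into production. Anything contacted outside a small expected allowlist is
// flagged, as is any destination contacted at a regular interval (a beaconing
// pattern). Log format, addresses and allowlist are constructed.

import (
	"fmt"
	"net/netip"
	"sort"
	"strings"
	"time"
)

// Constructed sample log: "<RFC3339 time> <src> -> <dst>:<port> <proto>".
const sampleLog = `2024-05-01T10:00:00Z 10.20.5.7 -> 10.20.0.53:53 udp
2024-05-01T10:00:01Z 10.20.5.7 -> 203.0.113.10:443 tcp
2024-05-01T10:00:05Z 10.20.5.7 -> 198.51.100.44:443 tcp
2024-05-01T10:10:05Z 10.20.5.7 -> 198.51.100.44:443 tcp
2024-05-01T10:20:05Z 10.20.5.7 -> 198.51.100.44:443 tcp
2024-05-01T10:30:05Z 10.20.5.7 -> 198.51.100.44:443 tcp
2024-05-01T10:15:00Z 10.20.5.7 -> 10.20.0.123:123 udp
`

// Hypothetical allowlist for the quarantine VLAN: the internal DNS/NTP range
// and the vendor's update mirror (both constructed addresses).
var allowedNets = []netip.Prefix{netip.MustParsePrefix("10.20.0.0/16")}
var allowedEndpoints = map[string]bool{"203.0.113.10:443": true}

type conn struct {
	at  time.Time
	dst string // "ip:port"
}

func parseLine(line string) (conn, error) {
	f := strings.Fields(line)
	if len(f) != 5 || f[2] != "->" {
		return conn{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return conn{}, err
	}
	return conn{at: at, dst: f[3]}, nil
}

func isAllowed(dst string) bool {
	if allowedEndpoints[dst] {
		return true
	}
	ap, err := netip.ParseAddrPort(dst)
	if err != nil {
		return false
	}
	for _, p := range allowedNets {
		if p.Contains(ap.Addr()) {
			return true
		}
	}
	return false
}

// Analyze returns destinations not on the allowlist and destinations whose
// contact times are evenly spaced (within jitter) at least minHits times.
func Analyze(log string, minHits int, jitter time.Duration) (unexpected, beacons []string) {
	times := map[string][]time.Time{}
	seen := map[string]bool{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		c, err := parseLine(line)
		if err != nil {
			continue // in production, count and alert on unparsable lines
		}
		times[c.dst] = append(times[c.dst], c.at)
		if !isAllowed(c.dst) && !seen[c.dst] {
			seen[c.dst] = true
			unexpected = append(unexpected, c.dst)
		}
	}
	for dst, ts := range times {
		if len(ts) < minHits {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		minGap, maxGap := time.Duration(1<<62), time.Duration(0)
		for i := 1; i < len(ts); i++ {
			g := ts[i].Sub(ts[i-1])
			if g < minGap {
				minGap = g
			}
			if g > maxGap {
				maxGap = g
			}
		}
		if maxGap-minGap <= jitter {
			beacons = append(beacons, dst)
		}
	}
	sort.Strings(beacons)
	return unexpected, beacons
}

func main() {
	u, b := Analyze(sampleLog, 4, 30*time.Second)
	fmt.Println("unexpected destinations:", u)
	fmt.Println("beaconing destinations:", b)
}
```

On the constructed log the host talks to internal DNS and NTP and to the update mirror, all expected, and to one outside address every ten minutes, which is reported both as an unexpected destination and as a beacon. The two checks are deliberately independent: a pre-installed tool that reaches an allowlisted service at a fixed cadence would still be caught by the interval check, and a one-off contact to an unknown address would still be caught by the allowlist check.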

The reports detailing the NSA's capabilities are both good and bad: not only do they give the good guys hints about areas to investigate, but they also provide insight for the bad guys and potentially help them shorten the development cycle of future attacks. In regard to man-in-the-middle attacks, the TAO's QUANTUM program offers fascinating detail on how a communication channel can be monitored, even if the communication channel is encrypted. Enterprises should be aware that attackers outside the NSA are likely hard at work refining the techniques on the QUANTUM capabilities list and will soon seek to apply them to their own targeted attacks -- this may already be happening.

Defending TAO techniques: What can be done?

One of the most valuable aftereffects of the leaks has been giving individuals and enterprises alike the knowledge of where particular technologies and processes, such as network communications and supply chains, are vulnerable to creative attack methods. This should certainly help enterprises prioritize resource allocation toward the defense measures needed to prevent falling prey to these issues.

While defending against the NSA itself as a U.S. company simply isn't feasible, enterprises do have some options. Prior to adopting new hardware or software, enterprises should validate that it has not been tampered with. Vendors could also give customers a way to verify that software and hardware have not been tampered with, such as by signing their software. The same checks can be repeated on a regular basis to look for suspicious activity.
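Signed-software validation, as an added example that is neither the article's nor any vendor's code: the vendor publishes a manifest naming the artifact and its SHA-256 digest and signs it with an Ed25519 key; the enterprise pins the vendor's public key and accepts the artifact only if both the manifest signature and the artifact digest check out. The key pair, artifact bytes and manifest layout are constructed for the demonstration, and the signing step is included only so the example runs stand-alone; in practice it happens on the vendor's release infrastructure.

```go
package main

// Added example (not from the article): verify a vendor-signed release
// manifest before a firmware or software image is accepted into the estate.
// The vendor signs the manifest (artifact name + SHA-256) with Ed25519; the
// enterprise pins the vendor's public key and checks both the signature and
// the artifact digest. Key material and artifact bytes are constructed here.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the vendor publishes alongside the artifact.
type Manifest struct {
	Name      string
	SHA256Hex string
}

// canonical returns the exact bytes that are signed; a fixed encoding avoids
// sign/verify mismatches caused by formatting differences.
func (m Manifest) canonical() []byte {
	return []byte(m.Name + "\n" + m.SHA256Hex + "\n")
}

// signManifest is the vendor side. In a real deployment this runs on the
// vendor's release infrastructure, never at the customer.
func signManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against pinned vendor key")
	ErrDigestMismatch = errors.New("artifact digest does not match signed manifest")
)

// verifyRelease is the enterprise side: accept the artifact only if the
// manifest is signed by the pinned vendor key AND the artifact hashes to the
// digest the manifest records. Checking the signature first means an attacker
// who can alter the download cannot simply re-hash a modified image.
func verifyRelease(pinned ed25519.PublicKey, m Manifest, sig, artifact []byte) error {
	if !ed25519.Verify(pinned, m.canonical(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return ErrDigestMismatch
	}
	return nil
}

// makeRelease builds a constructed vendor release for the demonstration.
func makeRelease(priv ed25519.PrivateKey, name string, artifact []byte) (Manifest, []byte) {
	sum := sha256.Sum256(artifact)
	m := Manifest{Name: name, SHA256Hex: hex.EncodeToString(sum[:])}
	return m, signManifest(priv, m)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	if err != nil {
		panic(err)
	}
	artifact := []byte("firmware image bytes (constructed)")
	m, sig := makeRelease(priv, "router-fw-1.2.3.bin", artifact)

	fmt.Println("genuine release:", verifyRelease(pub, m, sig, artifact))

	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01 // one bit flipped in transit or at the distribution point
	fmt.Println("tampered artifact:", verifyRelease(pub, m, sig, tampered))

	forged := m // attacker re-hashes the tampered image but has no vendor key
	sum := sha256.Sum256(tampered)
	forged.SHA256Hex = hex.EncodeToString(sum[:])
	fmt.Println("re-hashed manifest, old signature:", verifyRelease(pub, forged, sig, tampered))
}
```

The third case is the one a plain checksum file cannot handle: if the digest is published next to the artifact without a signature, whoever controls the distribution point can replace both, and the check still passes. The pinned vendor key is what ties the digest to the vendor rather than to the download location, so the public key itself has to be obtained and stored through a channel the enterprise trusts independently of the download.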

It is also important that enterprises and individuals assume any and all communication is being monitored, even on dedicated circuits. Implementing encryption for all communications, beyond merely using a VPN, will help thwart tapping and eavesdropping. Enterprises with high security requirements could even protect against attacks over wireless communications with a Faraday cage, though this is impractical for most organizations. Alternatively, enterprises could use a radio frequency monitor to sweep their facilities for unauthorized connections. This is similar to monitoring the network for suspicious network connections.

In addition to presuming that all lines of communication are being monitored, enterprises could also heed some of the NSA's own advice around assuming that their businesses are also compromised. It can help keep organizations on their toes if they think they are being targeted by better funded, smarter and more advanced attackers.

While the offensive capabilities of the NSA are impressive, lost in the media frenzy is the other side of the equation -- the defensive capabilities. Knowing where attackers are moving can greatly help vendors and enterprises alike prioritize improvements to information security programs. This information also enables enterprises to refocus on what is important to appropriately secure their systems and data, rather than just checking a box to indicate that a security control is in place.

Author's note: This article does not address the ethical, political and legal aspects of the NSA's activities.

About the author:
Nick Lewis, CISSP, is the information security officer at Saint Louis University. Nick received his Master of Science degree in information assurance from Norwich University in 2005 and in telecommunications from Michigan State University in 2002. Prior to joining Saint Louis University in 2011, Nick worked at the University of Michigan and at Boston Children's Hospital, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University.