Security posture that can reasonably withstand nation states

blushinggilda

Evaluating security posture for an EU based person (50 U.S.C. § 1881a protections do not apply to this person). This person might face targeting by nation states. Their most feared adversary in this situation is the NSA, specifically the NSA’s TAO division. Readers might rightfully state that TAO targeting is exceptionally unlikely. Regardless this person has concluded that it is part of their threat model, so it has to be considered. No additional details can be provided to justify why this might be the case. What can be stated is that the justification is neither criminal nor terrorism related.

The person in question has access to valuable infrastructure, which makes them a high-value target to gain a foothold and potential persistence. This infrastructure access happens over traditional remote access protocols such as SSH and RDP. Implied but not stated yet: this person is extremely technically capable, so operational discipline is in their nature.

Any access happens through a WireGuard VPN with extensive filtering, allowing access solely from ASNs this person uses. All connections through this VPN need to be separately authorized statefully with 2FA, through hardware-tokens where possible. Every 30 minutes, a hard-interrupt terminates all connections within the VPN, with the goal of preventing lateral movement and persistence through the endpoint.

This person currently uses traditional hardware, specifically a latest-generation MacBook. Supply-chain risks are combated by sourcing hardware anonymously and in-person with cash payments from different suppliers.

For endpoint hardening specifically, the following measures were taken:

LittleSnitch as firewall, default-deny policy
Built-in firewall configured to deny everything and logging
Apple services are blocked from communicating except OCSP
MDM profile that disables almost all features (Airdrop, Sharing, etc)
Minimal application surface (Browser, Terminal, RDP client)
Chromium-based browser with V8, WASM and JIT disabled
Javascript is allowed on a small set of trustable sites
Santa is deployed for binary allowlisting

For network-level, the following measures were taken:

Work-related devices (MacBook) are on their own VLAN
No inter-VLAN routing and extensive packet logging for this VLAN
Separate uplink for this VLAN with CGNAT to the internet
Local DNS resolver (AdGuard Home) with DoT forwarder
eBPF based packet inspection to detect anomalies
Port 80 TCP/UDP blocked to prevent downgrade attacks
Port 443 UDP blocked to disable QUIC
Internet is restricted to “trusted” target ASNs

This person has extensive personal infrastructure to leverage. Currently, they use various virtual machines hosted on this infrastructure for tasks that require running untrusted software. They connect to the virtual machines using RDP over the VPN setup (even internally, the VLAN does not give any trust level or authorization).

Currently, the assumed most likely available attack vector looks like this: TAO targets ISP with selector for the person in question. This gives them an IP address to target, albeit not an unique IP address because of CGNAT. With this information, they could compromise or compel a JS-whitelisted site to deliver a zero-day exploit. This would mean V8, WASM and JIT are still disabled with intent of forcing them to burn an expensive zero-day. A sandbox escape and LPE is required to get anywhere and a custom implant is likely needed to ride sessions after they were authenticated. This is also primary but not sole concern which this setup needs to defend against: session riding/hijacking to infrastructure.

It is known that browser exploits outside of JavaScript exist but it is presumed that they are substantially more valuable and complex. Endpoints are not used for random browsing to unknown websites. That much said, the only true feasible attack vector remaining is still the browser. Remote Browser Isolation by i.e. Cloudflare was explored, but since they are an US company, it is not feasible at this time. Removing the browser entirely from endpoints would make any work practically impossible. Any pointers here are greatly appreciated.

What I’m also looking for is advise on where this setup might have cracks or what could be done to make it even more difficult for a nation state to compromise the person in question. A reality check would be appreciated on where this setup currently stands. It is presumed that it goes far beyond what most high-value targets run in practice. Unfortunately moving to a nuclear bunker with airgap and without any internet connection is not feasible.

QubesOS is ruled out due to various reasons which no further details can be provided for.

Personal devices are intentionally not mentioned because they are assumed compromised.

Anonymity and privacy is not a strong concern here.

Novalissoide

blushinggilda Any GrapheneOS device in play here?

DohnJoe

blushinggilda

Let's start saying that if TAO is in play, the target already has some enterprise backing them up, probably .

Let's just skip why/how NSA is in play and let's try a very simple evaluation: nowhere in this description I see a single monitoring tool.

I do not know if this is intentional or not, but collecting logs from a VLAN (or any other system) and not having a single tool to scan/evaluate them, it's completely useless.

The target seems to value logs, so I should underline that a monitoring tool is:

as effective as how meaningful the logs are
useful to detect things that are happening live/happened in the past

We cannot expect to prevent an attack with a monitoring tool of course, but every IPS system needs detection, and in this moment I don't see any information on this matter.

A Network Access Control (which the target is not using), needs logs to work properly, for example.
Keep in mind that a NAC it's not useful only for physical access to your network, but implements defense also against software attacks (some of them are implementable also with more common network devices).
This is probably already part of the target infrastructure, but it's not mentioned anywhere.

There are also no mentions on the budget the target could use (a licenced firewall might give you better Application Control defense than a "Community Edition" firewall). I usually won't suggest people to install something like a Fortigate (just to name one) product in their home, but people usually aren't concerned about state actors...

I also see there is not mention about virtualization technology. That could make the difference, especially if they are mixed.
Just to make a single example, Proxmox ships SPICE (open protocol) that could be used instead of RDP (proprietary protocol) for every virtual machine (Linux, Windows, BSD, etc.).
This way the target might have better control of your Certification Authority (Spice supports TLS encryption) that could be recycled for other systems (maybe a transparent proxy).
Keep in mind that proxies are not there only to cache/log user traffic, they could implement some level of protection. But a proxy/firewall cannot inspect packets if the target doesn't own the CA.

No mention on data retention, backup systems and stuff like that.
While the target wants to protect your live systems, a wrong backup plan could give NSA the data they need without hacking your live systems.

It seems the target decided to always access their "enterprise network" through internet.
While this is usually considered a very good Idea (it follow the Zero Trust Network Access), prepare a plan B if they cut the target internet connection (We are talking about gov resources, afterall).
While they cannot access the target network if they cut the connectivity, neither the target will.

There are certainly a lot of other considerations to make, let's wait for someone else more knowledgeable than me!

nologo

blushinggilda This person might face targeting by nation states.

This person should hire a professional, instead of having their security measures posted in detail on a public internet forum.

Johnnyloans

I was thinking "this person" and OP are one and the same.

blushinggilda Personal devices are intentionally not mentioned because they are assumed compromised.

Discard these?

blushinggilda

Novalissoide

This setup is extended by two Google Pixel devices running GrapheneOS. One of them is a dedicated 2FA device without internet connection, the other is dedicated towards communications. To avoid creating a weakest-link in communications, this device communicates only with other devices running GrapheneOS, through a self-hosted Mattermost instance behind VPN.

DohnJoe

Thank you for your feedback and many of your points are very valid and acknowledged. The biggest gap aside of the browser attack surface is indeed a lack of observability. This is mostly caused by the reasoning following a "make exploitation nearly impossible" approach instead of "exploitation will happen" approach. Unfortunately, the threat model has expanded over time and this is a residue weakness that absolutely needs to be addressed. The packet-level logging is a good basis to start for the network side of it - since it is already setup in a way where modifying logs is impossible.

nologo

There are fundamental trust issues making it impossible in this situation to have a third-party manage security posture. While agreed that a great detail of measure was specified here, security through obscurity does not work apply on this level. The person in question is not a criminal that needs to hide, it is actually public information who they are and it can be deduced what level of access they may have. Anything else can likely be inferred through meta-data.

The-Man

Your statement can be interpreted in different ways. If you are capable of judging this setup and have feedback, it would be highly appreciated if you shared it. If your point is that the assumed adversary just received a blueprint how to build an exploit chain - agreed, but as stated above, it can be inferred anyhow.

The-Man

blushinggilda
You have just proven, with your post, that there is a gaping chasm between Knowledge and Wisdom.

DohnJoe

blushinggilda If your point is that the assumed adversary just received a blueprint how to build an exploit chain - agreed,

This "help" for the "attacker" is not as big as someone would think, especially against a state actor.

I am thinking about how I would do it for myself, but I never put a state actor in my threat model in the past.
Let's start with a reality check.
I always took for granted I will never be able to beat an entire country, because they have too much time and money.

State actors could use things that opportunistic hackers or cybercriminals don't cannot, like paying a truck of money to trained people, or buying new exploits.
A state actor might have enough time/patience to wait for an encryption becaming obsolete to newer technologies/algorithms; this means that if they get a copy of the target traffic today, they will be able to decrypt it sooner or later.

I would dare to say it is not possible to defeat an attacker this big, but I will try my best to examine the situation as if I had to do it for myself.

Ready for a wall of text?

First, some considerations:
We already thought about the amount of money they can throw at resources (not only machines, but also menpower) and how they can wait long time to gain advantages / find a way in.
Also, a state actor might have some legal leverage, which is something no technical skills could stop.
If they send police at the target's door taking away the equipment, they might also have physical access to the devices. I am not sure if this is a possibility in this specific case.

Some attack vectors I can think of (based on what happened in the past) are supply-chain comprimission, zero-day exploitation, endpoint compromission / network attacks...

On the supply-chain I am thinking about SolarWind (proprietary software), hacked apparently by a state actor and could grab a lot of information before they could tell they have been hacked.
Also, in the past we saw some open source dependencies mangled... I am thinking about XZ Utils, which would have affect also big projects like OpenSSH (this example also reinforce how state actors can wait years).
Also in this case it seems it might have been a state actor.
The target could decide to go for projects with minimal dependencies (to shrink the attack surface) or give up services completely (For example if you need to sync your contacts, you can do it with a file instead of a 24h service).
I would also segment the environment the most I could. Not only the infrastructure, but also dividing work stuff from personal stuff and so on. Sometimes little things as having different users for different things helps a lot.
This way if a computer/service is compromised, the attack might be confined in a smaller area.

On zero-day exploitation, there's so little we can say. No real mitigation and the attack might compromise Browser, OS, Network... pretty much everything. The only things I would do against this (apart from updating everything, of course) is reducing the reach of the attack by (again) using fewer services as I could. I would basically give up what is not necessary, because the power of the attacker is over 9000. I would also try to use some hardened systems; the target already gave up on QubeOS, but they can still choose something better than a plain Debian or Fedora, like SilverBlue or OpenBSD.
OpenBSD will probably be less restrictive than SilverBlue if the target needs to expose some services, and often it is possible to find working software in the official repositories without having to tinker it too much.

On endpoint compromission we could spend a lot of time, but having an hardened system and segmented network is already a good mitigation. Because the compromission can be a lot of things, I would think more of keylogging and data exfiltration. It's useful to follow the least privilege mindset and maybe starting to use live systems from bootable devices (I am not suggesting specifically Tails, just something similiar) to be sure that malware is not permanent.
On network compromission, nothing much to add, except maybe setting every encryption to the highest possible algorithms... Secude DNS, TLS1.3, stuff like these.

Generally speaking, I would say that part of the defense line would be achieved from behaviour more than infrastructure.
The more online the activity will be, more attack surface will be given.
Sometimes stepping back and going some technology back can help more than newer solutions.
I would say that if I had to insert a state actor in my threat model, I will shut down most of my home lab and rely way less on IT in general.
Moving files online will essentially skip all those vulnerabilities introduced by network and would at least remove every remote access.

Overall, would be better to know what are the needs of the targets before deciding what/how to implement.
These are just very generic considerations and might not be possible to tailor something useful to the target.
Maybe we can start from what services are essential for the target and reason on how to implement them.

As a conclusion (finally lol) I would say that to beat an enemy this powerful I would probably give up some convenience. Security is sometimes counterintuitive or not compatible with needs. Sometimes we have to choose and accept risk or give up a service. If we don't take into account physical coercion, a notepad in your pocket is more secure than a sync service.

ZeppelinAmenity

blushinggilda 50 U.S.C. § 1881a protections do not apply

You're not missing out on much anyway. Whatever safeguards that might have been in place could probably be circumvented by a few of the right people without anyone noticing.

blushinggilda for an EU based person ... the justification is neither criminal nor terrorism related

The November 2025 U.S. National Security Strategy all but says outright that the US will actively support far-right pro-Russian parties against the European Union and NATO, and that a "core US interest" is Europe rolling over and appeasing Russia, abandoning Ukraine, and making Europe buy tons of US exports all on our terms. And this document isn't some opinion piece, it's the highest level public document that sets out strategic objectives for the military and intelligence community. From it, specific priority rankings and direct tasking follow, usually in a non-public manner. In other words, this isn't a random rant, but probably the closest thing we'll get to seeing military/intelligence initiatives. So yes, a very different threat landscape for Europe even from a year ago.

blushinggilda Their most feared adversary in this situation is the NSA, specifically the NSA’s TAO division.

They may be very well resourced, but they're not magic. I'd imagine morale is in the shitter there and the talent pool dramatically smaller. There's also probably some sort of risk management framework to balance risk with potential reward. Things to change that balance in your favor might be having robust and resilient logging, frequent PCAP, and active threat hunting. Having layers of different technologies from different vendors would increase the number and quality of exploits required. That being said, I'd also be worried about their industry relationships for things like software supply chain attacks.

blushinggilda valuable infrastructure

Is it on-prem or cloud-based? If you're connecting multiple sites of completely on-prem infrastructure, then the best thing you could do is have a full air gap by using high-assurance hardware VPNs and network diodes to selectively move information in and out of the security domain. Some companies sell these VPNs that have national/EU/NATO security accreditations and the lower end of the assurance levels have very few restrictions. Same with diodes, but you could also make your own diodes and high-assurance-ish hardware VPN too. If your infrastructure is in the cloud, you're basically cooked though unless you purchase and access it very anonymously, rotate it frequently, and store nothing of value on it. It should also go without saying that devices within the air gap network should never leave and have no Bluetooth/WiFi chip.

blushinggilda QubesOS is ruled out due to various reasons which no further details can be provided for.

Does that extend to the Xen hypervisor too or just QubesOS? I think Xen has a noticeably better track record with CVEs than KVM and VMware.

blushinggilda access happens through a WireGuard VPN

Does any information going over that VPN need to remain secret in 3-5 years? If so, post-quantum cryptography is well within the threat model of someone seriously afraid of NSA. StrongSwan IKEv2/IPSec has some good support now and Libreswan should have it soon. Should be default in SSH and Tor already too.

blushinggilda Work-related devices (MacBook) are on their own VLAN

Make sure VLAN ingress filtering is enabled on the switch because a compromized Linux machine (maybe macOS as well) can tag VLANs at will, so an attacker might be able to move laterally unless it's restricted at the switch port. I'd look at true air gap separation though as previously mentioned.

blushinggilda the assumed most likely available attack vector looks like this

I would think close access is a way bigger threat if you're really that high on the US' shit-list. WiFi offline cracking, or a repair person going in, or someone breaking in either undetected or making it look like a sloppy theft. Probably way less work in the end, and either they, or people on their behalf, could surely operate more easily in the EU than in China or Russia - so no Stuxnet required. Obligatory xkcd meme.

blushinggilda A reality check would be appreciated

If you want to defend against a nation state, look into what nation states do to protect their own networks. And then remember that even those systems sometimes get compromized.

blushinggilda Anonymity and privacy is not a strong concern here.

Maybe not the fact that this person/organization exists and general knowledge of their goals. But digital activity, at least a subset of it, absolutely needs to be hard to identify if you don't have the nation-state level of protections alluded to previously.

Overall, sounds like you have a pretty good setup. But if you really are anywhere near the top of the NSA's target list, the cost of achieving a reasonable level of security from targeted attempts by such an actor are almost certainly too high. Best you could hope for is defending against passive and automated attacks, and limiting the damage of a compromize by not storing sensitive information digitally or discussing it around anything with a microphone.

NothingBurgerEsquire

Realistically, if you were at the top of a state actor's shit list, go touch grass/live in a cabin meme. Preferably fake your death before doing so. (For legal reasons, this is a joke.) Or at the very least, become very accustomed to a nomadic digital lifestyle where nothing is stored, and your geographic location is not set in stone.

Everything you've listed would be pretty good for at least keeping companies or services profiling you or getting any meaningful data to sell, which to be fair for most users is the main goal. And while some if not all companies are more than willing to work with governments as a net benefit to both, (Data to collect and sell or train AI for the company, information gathering for the government, etc) said government isn't going to act like it's a manhunt by default for every end user, just to help squeeze more tasty data collection for the company (At least not yet. We'll see if/when the age verification laws play out.)

Flip the switch though, and now YOU'RE now on "the list", then they will break through every blockade, legal or not, to monitor or find you. Aside from the cabin route aforementioned, and I'm going to put the tinfoil hat on now because my answer's more of a thought experiment than anything; the only real chance would be using Amensiac distros, discarding/correctly destroying devices themselves fairly regularly (which is expensive) while relocating yourself physically, purchasing devices only through third party with cash, and running tor by default would be a good "starting point" imo. Frankly, the more complex your setup is, there's a higher chance of making an OPSEC or technical mistake on your end, or simply more vectors to be scratched at to see if someone can push through. The posts above mentioning encryption is a good point. If you're trying not to discard hardware after only a handful of uses and essentially go on living normally just with your setup, if they can manage to get their hands on encrypted data, physically or otherwise, even if it's unbreakable NOW, it could be possible in X amount of years with hardware upgrades or algorithm techniques. They just have to sit on it.

horde

blushinggilda QubesOS is ruled out due to various reasons which no further details can be provided for.

Doesn't make sense, if this is your threat model, QubesOS is probably your best bet. MacOS can't provide the same level of isolation and compartmentalization, let alone for the known fact that VPN leaks by desgin on MacOS for Apple related services.

Revliss

There are still plenty of things to do before air-gapping. But you need the air gap ;)