The Volt Typhoon attack has been called the cyberspace equivalent of “placing bombs on bridges, water treatment facilities and power plants” by Congressman Mike Gallagher, Chair of the House Select Committee on the Chinese Communist Party. It resulted in the compromise of hundreds of critical infrastructure network routers and remained undetected for months using a ‘living off the land (LOTL)’ TTP (tactics, techniques and procedures). This stealthy attack allowed the attacker to maintain a long-term presence on a victim’s network without detection.
Guidance for CNI to identify stealthy adversaries
To help CNI operators adapt to and identify potential LOTL indicators, several US government agencies, together with international partners, have published guidance on the use of this TTP and on how to identify adversaries employing it. The guidance draws on previously published products, red team assessments, and/or observations from incident response activities at critical infrastructure organizations, including those compromised by Volt Typhoon.
Detecting indicators of the LOTL TTP requires organizations to undertake contextual analysis of multiple data sources to identify command executions, file interactions, privilege escalations and other network activities that differ from normal administrative actions. The guidance therefore includes detailed detection recommendations to help network defenders identify potential indicators of compromise (IOCs) more easily amongst all of this data.
One of the key indicators of potential compromise is a change to the configuration of network infrastructure devices – such as routers, switches and firewalls – both at the perimeter and in the interior of the network. Organizations therefore require tools that not only detect configuration changes but also analyze each change in detail to determine whether it could be the result of insidious adversarial activity.
Guidance for hardening networks
As well as recommendations for detecting these types of attacks, the guidance also includes recommendations for hardening networks against this LOTL TTP.
The guidance recommends:
- Review current configurations against a known, secure baseline. This can catch IOCs that may not be reverted by regular group policy updates, such as firewall changes, the addition or removal of users, and privilege escalation.
- Ensure that device configurations adhere to vendor-provided or industry, sector or government hardening guidance to reduce the attack surface.
- Properly implement and manage network segmentation, limiting traffic to only the systems and protocols that require access, in accordance with zero trust principles.
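As an added example of the baseline comparison the guidance recommends, and of the "detect the change, then analyze it" workflow described above for network devices, the following Python script diffs a running configuration against a known-good baseline and classifies every drifted line. It is not code from the guidance or from Titania's Nipper products: the two IOS-style configurations are constructed samples, and the category and severity rules are illustrative assumptions about which lines a defender would want flagged first (user accounts, privilege levels, access lists, management services).

```python
"""Baseline drift check for network device configurations.

Added example, not vendor or guidance code. The configurations below are
constructed IOS-style samples; the RULES table is an illustrative assumption
about which configuration lines matter most to a defender.
"""
from dataclasses import dataclass
import re

# Constructed "known, secure baseline" for a perimeter router.
BASELINE = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 REDACTED
username backup-svc privilege 1 secret 9 REDACTED
no ip http server
no ip http secure-server
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 deny ip any any log
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""

# Constructed running configuration showing the drift types the guidance calls
# out: a new account, a privilege escalation, a widened ACL, a re-enabled service.
CURRENT = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 REDACTED
username backup-svc privilege 15 secret 9 REDACTED
username svc_update privilege 15 secret 9 REDACTED
no ip http server
ip http secure-server
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 permit tcp any any eq 22
 deny ip any any log
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""

# (regex, category, severity); first match wins, so specific rules come first.
RULES = [
    (r"^username \S+ privilege 15\b", "privileged account", "high"),
    (r"^username ", "user account", "medium"),
    (r"^(ip )?access-list", "access control list", "high"),
    (r"^snmp-server community", "snmp community", "high"),
    (r"^(no )?ip http", "management service", "medium"),
    (r"^line vty", "remote access line", "medium"),
]


@dataclass(frozen=True)
class Finding:
    change: str      # "added" or "removed" relative to the baseline
    category: str
    severity: str
    line: str


def normalize(config: str) -> set[str]:
    """Flatten a config into a set of lines, prefixing indented lines with their
    parent so that 'permit tcp any any' stays tied to the ACL it belongs to."""
    lines: set[str] = set()
    parent = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            lines.add(f"{parent} / {raw.strip()}")
        else:
            parent = raw.strip()
            lines.add(parent)
    return lines


def classify(line: str) -> tuple[str, str]:
    """Map a config line to (category, severity) using the RULES table."""
    for pattern, category, severity in RULES:
        if re.match(pattern, line):
            return category, severity
    return "other", "low"


def diff_against_baseline(baseline: str, current: str) -> list[Finding]:
    """Every line present in only one of the two configs, classified."""
    base, cur = normalize(baseline), normalize(current)
    findings = [Finding("added", *classify(l), l) for l in sorted(cur - base)]
    findings += [Finding("removed", *classify(l), l) for l in sorted(base - cur)]
    return findings


def privilege_escalations(baseline: str, current: str) -> dict[str, tuple[int, int]]:
    """Accounts whose privilege level rose between baseline and current."""
    pat = re.compile(r"^username (\S+) privilege (\d+)")

    def levels(config: str) -> dict[str, int]:
        found = {}
        for line in normalize(config):
            m = pat.match(line)
            if m:
                found[m.group(1)] = int(m.group(2))
        return found

    before, after = levels(baseline), levels(current)
    return {u: (before[u], after[u]) for u in after if u in before and after[u] > before[u]}


if __name__ == "__main__":
    for f in diff_against_baseline(BASELINE, CURRENT):
        print(f"[{f.severity:6}] {f.change:7} {f.category:20} {f.line}")
    for user, (old, new) in privilege_escalations(BASELINE, CURRENT).items():
        print(f"[high  ] escalated {user}: privilege {old} -> {new}")
```

Run on the constructed configs, the script reports six drifted lines (three high severity: two privilege-15 accounts and the widened SSH rule in MGMT-IN) and one privilege escalation (backup-svc from level 1 to 15); the re-enabled HTTPS management service appears as a medium finding. Keying child lines to their parent section is what keeps an ACL entry distinguishable from an identical line in a different list, and the escalation check works on account names rather than raw lines, so a changed level is reported as an escalation rather than as an unrelated add/remove pair.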
An essential part of hardening networks and detecting the presence of an adversary is continually monitoring the security posture of every device in the enterprise. Sampling devices or checking them intermittently is insufficient for critical national infrastructure, which is increasingly targeted by the most sophisticated attacks.
Continuous Assessment is vital
Adopting technology solutions that continuously assess all network appliances to identify security vulnerabilities arising from misconfigured or poorly configured devices is critical to increasing network resilience. Tools that can also automatically detect configuration changes – whether planned or unplanned – are key to identifying IOCs and helping to defend against LOTL TTPs.
Capable of analyzing all infrastructure devices in even the largest networks in a single day, Titania’s Nipper Enterprise solution is designed to identify any configuration changes in near real-time and then proactively analyze those configurations against established baselines, trusted hardening guides and network segmentation whitelists.
These findings are then overlaid with existing operational threat information, enabling network owners to prioritize the remediation of software vulnerabilities and misconfigurations by their exposure to TTPs. This means that network and security operations center (NOC and SOC) teams can identify and quickly remediate issues that are present in their network and could be exploited. The detailed findings can equally be examined forensically by hunt teams to detect the presence of an adversary and their avenues for lateral movement across the enterprise. And, if an adversary attempts to reopen a closed door, network defenders can identify, remediate and respond just as quickly.
For more information on how this can be achieved, visit the Nipper Enterprise page.