System Hardening: Best Practices for Federal Networks

Hardening Guidance for Federal Networks and Communications Infrastructure

The Salt Typhoon attack served as a wake-up call for Federal networks and the telecommunications industry. The attackers infiltrated several large telecom organizations in the US, accessed metadata on millions of users, including several notable government officials, and compromised the wiretapping systems used by law enforcement and intelligence agencies. In response, agencies from the US, Australia, Canada, and New Zealand collaborated to release a guide on best practices for minimizing the likelihood and impact of future attacks. The full guide is available on CISA’s site; below is a summary of specific areas worthy of additional focus.

Strengthening Network Visibility and Detection

Insight into network traffic, user activity, and data flows is critical for identifying vulnerabilities, anomalies, and threats. Faster detection and incident response begins with strong visibility across the network. Here are a few considerations from the guide for improving visibility and monitoring.

Network Flow Monitoring:

Network flow data is most often collected for performance monitoring, but the same data is a detection source. Verify that network flow exporters and collectors are enabled across key ingress and egress points. It is also important to have alerting that surfaces out-of-cycle or unauthorized configuration modifications, and a process in place to investigate them further.

User and Service Account Logins:

User and service accounts are common entry vectors for malicious actors. Monitor for anomalous login activity, surfacing deviations from baseline. Baselines should cover normal login behavior both per user and per peer group. Service account credentials should be rotated regularly, and the accounts should be granted least-privilege access.

External Connections:

Verify which assets are supposed to be external facing, and closely monitor successful external connections, particularly any unexpected Generic Routing Encapsulation (GRE) or IPsec tunnel usage.

Log Management:

Verify that the proper logs are captured in real time and centrally aggregated with other logs and events. This allows the analysis and correlation that is key to finding stealthy activity by criminal actors. Log analysis should be done daily, but it is often deprioritized, so consider outsourcing this function.

Hardening Systems and Networks

Hardening requires a defense in depth strategy. It involves reducing vulnerabilities and implementing secure configurations to minimize entry vectors for malicious actors. This is a continuous process due to the dynamic nature of IT estates.

Secure Protocols:

Management traffic should be kept separate from user and production traffic. Use an out-of-band management network, and make sure it does not allow lateral management connections between devices. Be sure to disable all unnecessary ports, discovery protocols, and services.

Access Control:

Enforce strict access controls, granting administrative privileges only to personnel who require them. Review and update access control lists (ACLs) regularly.

Virtual Private Networks (VPNs):

Ensure end-to-end encryption of traffic. Validate that VPNs use only strong cryptography for key exchange, authentication, and encryption. Disable unused features and weak cryptographic algorithms so they cannot be exploited. The guide recommends the following cryptographic building blocks for VPNs.

  • Key Exchange: Diffie-Hellman Group 15, 16, or 20
  • Encryption: AES-256
  • Hashing: SHA-384 or SHA-512
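A practical way to apply the list above is to check each configured IKE/IPsec proposal against it. The checker below is an added example, not code from the CISA guide or from Quantum Xchange; it assumes strongSwan-style proposal syntax (e.g. `aes256-sha384-modp4096`, where modp3072, modp4096 and ecp384 correspond to DH groups 15, 16 and 20) and uses constructed sample proposals rather than a real device's configuration.

```python
import re

# Recommended VPN building blocks from the guide, in strongSwan algorithm names.
# DH group 15 = 3072-bit MODP, 16 = 4096-bit MODP, 20 = 384-bit ECP.
ALLOWED_DH = {"modp3072", "modp4096", "ecp384"}
ALLOWED_ENC = {"aes256", "aes256gcm16"}   # AES-256 (CBC or GCM)
ALLOWED_HASH = {"sha384", "sha512"}       # integrity / PRF

DH_RE = re.compile(r"^(modp\d+|ecp\d+|curve25519|curve448)$")
ENC_RE = re.compile(r"^(aes|3des|des|null|chacha20|camellia|blowfish)")
HASH_RE = re.compile(r"^(?:prf)?(sha\d*|md5|aesxcbc|aescmac)$")


def check_proposal(proposal: str) -> list[str]:
    """Return findings for one proposal string; an empty list means compliant."""
    findings = []
    have_dh = have_enc = have_hash = False
    aead = False  # GCM provides integrity itself, so no separate hash is required
    for tok in proposal.lower().split("-"):
        if (m := HASH_RE.match(tok)):  # checked first: aesxcbc/aescmac are MACs
            have_hash = True
            if m.group(1) not in ALLOWED_HASH:
                findings.append(f"weak integrity/PRF: {tok} (use SHA-384 or SHA-512)")
        elif DH_RE.match(tok):
            have_dh = True
            if tok not in ALLOWED_DH:
                findings.append(f"weak key exchange: {tok} (use DH group 15, 16 or 20)")
        elif ENC_RE.match(tok):
            have_enc = True
            aead = aead or "gcm" in tok
            if tok not in ALLOWED_ENC:
                findings.append(f"weak encryption: {tok} (use AES-256)")
        else:
            findings.append(f"unrecognised algorithm token: {tok}")
    if not have_dh:
        findings.append("no Diffie-Hellman group: no perfect forward secrecy")
    if not have_enc:
        findings.append("no encryption algorithm")
    if not have_hash and not aead:
        findings.append("no integrity/PRF algorithm")
    return findings


def check_proposals(proposals: str) -> dict[str, list[str]]:
    """Check a comma-separated proposal list, as written in strongSwan config."""
    return {p: check_proposal(p) for p in proposals.split(",") if p}


if __name__ == "__main__":  # constructed sample proposals
    for p, issues in check_proposals("aes256-sha384-modp4096,aes128-sha1-modp1024").items():
        print(p, "OK" if not issues else "; ".join(issues))
```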

Data in Transit:

Use Transport Layer Security (TLS) v1.3, configured to use only strong cryptographic ciphers, Public Key Infrastructure (PKI) based certificates, and a robust certificate renewal process. Avoid using self-signed certificates.

Compliance Artifacts:

Various compliance mandates require that all networking configurations be stored, tracked, and regularly audited. Networking configurations must be transmitted only over encrypted protocols.

The “Enhanced Visibility and Hardening Guidance for Communications Infrastructure” serves as a crucial resource for telecommunications providers aiming to strengthen their cybersecurity posture. By implementing the recommended practices, organizations can enhance their ability to detect, prevent, and respond to cyber threats effectively.

Organizations need to keep pace and evolve their strategies to include an agile enterprise crypto management platform like Phio TX® from Quantum Xchange. This provides a vital defense layer to help organizations keep pace with the evolving threat landscape.

Sources: https://www.cisa.gov/resources-tools/resources/enhanced-visibility-and-hardening-guidance-communications-infrastructure
