The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued specific guidance for network engineers and defenders to patch and secure Cisco network devices in response to the Salt Typhoon cyber-espionage campaign linked to the People's Republic of China (PRC).
The guidance, developed in collaboration with cybersecurity agencies from Australia, Canada, and New Zealand, notes that Cisco gear has been frequently targeted by PRC-affiliated threat actors.
The guidance titled "Enhanced Visibility and Hardening Guidance for Communications Infrastructure" is a joint publication by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Signals Directorate's Australian Cyber Security Centre (ACSC), Canadian Cyber Security Centre (CCCS), and New Zealand's National Cyber Security Centre (NCSC-NZ).
The guide aims to provide best practices for network engineers and defenders to strengthen visibility and harden network devices against cyber threats, particularly threat actors affiliated with the People's Republic of China (PRC).
CISA has provided Cisco-specific advice, including patching vulnerable devices and following best practices outlined in Cisco's IOS XE Hardening Guide and Guide to Securing NX-OS Software Devices.
Enhancing visibility means having detailed insight into network traffic, user activity, and data flow, which helps in quickly identifying threats and vulnerabilities. Hardening involves implementing measures to secure network devices and reduce potential entry points for cyber threats.
Scope of Attacks: The attacks compromised networks of eight telecommunications providers, exfiltrating customer call records and compromising private communications.
The guide includes recommendations such as patching vulnerable devices, monitoring configuration changes, and implementing strong network flow monitoring solutions.
Enhanced Visibility and Hardening Guidance
Patch Vulnerabilities: Ensure all network devices, including routers, switches, and firewalls, are up-to-date with the latest security patches.
Monitor Configuration Changes: Implement comprehensive alerting mechanisms to detect unauthorized changes to network devices. Store configurations centrally and push them to devices.
Network Flow Monitoring: Implement a strong network flow monitoring solution to gain visibility into network traffic and detect anomalies.
Strong Authentication: Use strong passwords and implement two-factor authentication (2FA) to enhance security.
End-to-End Encryption: Adopt end-to-end encryption for communications to protect data from interception.
Regular Audits: Conduct regular security audits and penetration tests to identify and address vulnerabilities.
Implementation Steps
Update Systems: Regularly update all network devices and software to the latest versions.
Implement Monitoring Tools: Deploy network monitoring tools to track traffic and detect unusual activities.
Centralize Configurations: Store device configurations centrally and push updates to devices to prevent unauthorized changes.
Enable Alerts: Set up alerts for any configuration changes or unusual activities on network devices.
Use Strong Passwords: Enforce the use of strong, unique passwords for all network devices and accounts.
Implement 2FA: Enable two-factor authentication for accessing critical network devices and systems.
Encrypt Communications: Ensure that all sensitive communications are encrypted end-to-end.
Conduct Audits: Perform regular security audits and penetration tests to identify and fix vulnerabilities.
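The configuration-change monitoring that the guide calls for can be reduced to a simple check: keep a golden configuration in the central store, pull the running configuration from the device, and alert on any line that differs, rating changes in security-relevant sections (local accounts, HTTP management, VTY transports, AAA) as high severity. The following is an added example, not code from CISA's guidance or from Cisco; the hostname, usernames and both Cisco IOS-style configurations are constructed samples.

```python
import difflib
import re

# Constructed sample: the golden configuration held in the central store.
GOLDEN_CONFIG = """\
hostname edge-rtr-01
no ip http server
no ip http secure-server
username netops privilege 15 secret 9 $9$PLACEHOLDER
aaa authentication login default group tacacs+ local
line vty 0 4
 transport input ssh
 access-class 10 in
"""
# Constructed sample: the running configuration the device reports (drifted).
RUNNING_CONFIG = """\
hostname edge-rtr-01
ip http server
username netops privilege 15 secret 9 $9$PLACEHOLDER
username svc-backup privilege 15 secret 9 $9$PLACEHOLDER2
aaa authentication login default group tacacs+ local
line vty 0 4
 transport input ssh telnet
 access-class 10 in
"""
# Additions or removals matching these patterns are rated high severity.
HIGH_RISK = [
    re.compile(r"^username \S+"),                    # local accounts
    re.compile(r"^(no )?ip http (secure-)?server"),  # HTTP(S) management plane
    re.compile(r"^\s*transport input "),             # protocols allowed on VTY lines
    re.compile(r"^aaa "),                            # authentication/authorization
]

def normalize(config):
    """Drop blank and comment ('!') lines; keep leading spaces for sub-modes."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]

def config_drift(golden, running):
    """Return (change, severity, line) for each line that differs from golden."""
    findings = []
    diff = difflib.unified_diff(normalize(golden), normalize(running), n=0, lineterm="")
    for d in diff:
        if d.startswith(("+++", "---", "@@")) or d[0] not in "+-":
            continue  # skip unified-diff headers and hunk markers
        line = d[1:]
        severity = "high" if any(p.search(line) for p in HIGH_RISK) else "info"
        findings.append(("added" if d[0] == "+" else "removed", severity, line))
    return findings
```

Running `config_drift(GOLDEN_CONFIG, RUNNING_CONFIG)` on the samples reports six high-severity findings: the HTTP server enabled, a new local account, and Telnet added to the VTY transports.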
By following these recommendations, telecommunications providers can significantly enhance their network security and protect against sophisticated cyber-espionage campaigns like Salt Typhoon.
Active since 2022, Salt Typhoon has targeted at least eight U.S. telecommunications providers, including major companies like AT&T, Verizon, and Lumen Technologies. The malicious campaign has also affected telecommunications infrastructure in other countries, highlighting the global nature of cybersecurity threats.