A Typhoon is coming; are you ready?
The war is here and companies need to wake up and defend themselves!
By now, unless you have been living in a cave, you should have heard of Volt Typhoon: a Chinese state-sponsored hacking group that has been discovered widely targeting critical infrastructure and military targets worldwide, and the US in particular. The Cybersecurity and Infrastructure Security Agency (CISA), the NSA, the FBI, and the Five Eyes agencies claim the group has compromised, and then dwelled on, the networks of multiple critical infrastructure organizations in the country for at least the past five years.
FBI and CISA officials have been working to make this threat as evident as possible, stating clearly in congressional hearings that China’s intent appears to be to wreak havoc on American infrastructure and “cause societal chaos”. Whether this is a prelude to an invasion of Taiwan, intended to distract the US in the middle of a pending election that looks likely to be chaotic all on its own, or whether the intent is to move the war between China and the US from a “warm” economic war to a “hot” kinetic war, remains to be seen.
Who is most at risk?
What is vital to understand is that every business is a target, especially those in critical infrastructure sectors, which include:
Chemical Sector
Commercial Facilities Sector
Communications Sector
Critical Manufacturing Sector
Dams Sector
Defense Industrial Base Sector
Emergency Services Sector
Energy Sector
Financial Services Sector
Food and Agriculture Sector
Government Facilities Sector
Healthcare and Public Health Sector
Information Technology Sector
Nuclear Reactors, Materials, and Waste Sector
Transportation Systems Sector
Water and Wastewater Systems Sector
How to protect your organization
So what should businesses do in light of this threat, relative to all of the other vulnerabilities, alerts, threats, and compliance chaos that is life in today’s security organization? I would suggest that every organization in the above sectors that does not already have a dedicated IT/IS working group addressing this threat set one up immediately. This team should be tasked with ensuring that the company is as focused as possible on confirming that the following controls are working effectively in the organization:
Patching. Make sure that you are detecting and patching vulnerabilities promptly. This means scanning at least weekly (if real-time scanning via agents is not available) and patching critical vulnerabilities within three days (target 48 hours for those that are externally accessible), severe within two weeks (again prioritizing externally accessible systems), and moderate within a month. This schedule is based on the PCI severity scale for vulnerabilities as documented on Rapid7’s site, but it applies to any vulnerability scanner. Any vulnerability in your environment that is listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog should be treated as Critical and patched accordingly. Note that “patching” here covers not only installing vendor patches but also correcting the vulnerable configuration settings your scanning tool detects. To keep management aware, prepare a weekly report listing every system that has not been patched within these guidelines, grouped by risk and by the business processes and systems that are exposed as a result.
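The weekly overdue-patch report described above can be generated mechanically from scanner output. The following is an added example, not code from the original post: it applies the post’s SLA windows (critical within 3 days, or 48 hours when externally reachable; severe within 14 days; moderate within 30 days), promotes anything in the KEV catalog to critical, and groups what is past deadline by the business process it exposes. The `Finding` structure, the hosts, the dates and the `CVE-0000-…` identifiers are constructed placeholders, and `KEV_IDS` stands in for the real catalog, which you would load from CISA’s published JSON feed.

```python
# Added example (not from the original post): a small patch-SLA tracker that
# turns scanner findings into the weekly "what is past deadline" report.
# All hosts, CVE ids and dates below are constructed placeholders.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# SLA windows in days, (externally reachable, internal only), following the post:
# critical 48 h / 3 days, severe 14 days, moderate 30 days.
SLA_DAYS = {"critical": (2, 3), "severe": (14, 14), "moderate": (30, 30)}
SEVERITY_RANK = {"critical": 0, "severe": 1, "moderate": 2}

# Stand-in for the CISA KEV catalog; load the published JSON feed in practice.
# The id below is an obviously fake placeholder, not a real CVE.
KEV_IDS = {"CVE-0000-0001"}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    severity: str            # scanner label: critical / severe / moderate
    external: bool           # reachable from the internet?
    first_seen: date         # date the scanner first reported it
    business_process: str    # what is exposed if this host is compromised
    fixed: bool = False


def effective_severity(f: Finding) -> str:
    """Anything listed in KEV is treated as critical regardless of scanner score."""
    return "critical" if f.cve in KEV_IDS else f.severity


def due_date(f: Finding) -> date:
    external_sla, internal_sla = SLA_DAYS[effective_severity(f)]
    return f.first_seen + timedelta(days=external_sla if f.external else internal_sla)


def days_overdue(f: Finding, today: date) -> int:
    """Positive when the finding is past its SLA, negative while still within it."""
    return (today - due_date(f)).days


def overdue(findings, today: date):
    """Open findings past their SLA, most urgent first: highest severity,
    then externally reachable, then the earliest missed deadline."""
    late = [f for f in findings if not f.fixed and days_overdue(f, today) > 0]
    return sorted(late, key=lambda f: (SEVERITY_RANK[effective_severity(f)],
                                       not f.external, due_date(f)))


def weekly_report(findings, today: date):
    """Overdue findings grouped by the business process they expose."""
    report = defaultdict(list)
    for f in overdue(findings, today):
        report[f.business_process].append(
            (f.host, f.cve, effective_severity(f), days_overdue(f, today)))
    return dict(report)


# Constructed sample scan results and report date.
TODAY = date(2024, 3, 1)
SAMPLE = [
    Finding("web-01", "CVE-0000-0002", "critical", True, date(2024, 2, 27), "customer portal"),
    Finding("db-01", "CVE-0000-0001", "moderate", False, date(2024, 2, 20), "billing"),  # in KEV
    Finding("app-02", "CVE-0000-0003", "severe", False, date(2024, 2, 25), "reporting"),
    Finding("app-03", "CVE-0000-0004", "moderate", True, date(2024, 1, 15), "reporting", fixed=True),
]

if __name__ == "__main__":
    for process, items in weekly_report(SAMPLE, TODAY).items():
        print(process)
        for host, cve, sev, late in items:
            print(f"  {host} {cve} {sev} {late} day(s) overdue")
```

Note that the moderate-rated `db-01` finding lands at the top of the report alongside the critical one because its CVE is in the KEV stand-in; that promotion is the point of the post’s KEV rule, and it is the case most scanner dashboards get wrong when left at their default severity.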
Threat Intelligence. If you are not already using a threat intelligence service, sign up for one (or all, if possible) of these free threat intel feeds, and make sure that someone is assigned to review them daily and escalate relevant news and threats to the team for action. For additional awareness, all team members should use an RSS reader to monitor the following feeds for the latest threat news. Prepare a weekly report here as well, summarizing threat trends and news for management along with any actions taken as a result.
Access Management. Volt Typhoon uses stolen and hacked credentials as part of its attacks, so the team needs to implement whatever controls it can to reduce the attack surface. This means disabling all credentials immediately when people leave, auditing credentials at least monthly to ensure they are correct, requiring MFA for at least all admin-level access, actively monitoring admin credential use through whatever means you have in place, and following up immediately on anomalous behavior. It also means stepping up warnings, training, and protections regarding phishing sites and emails, which are widely used to capture credentials, especially those of admins, the most valuable targets.
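The monthly credential audit and the admin-access monitoring described above can both be driven from the same two inputs: the HR roster and the directory’s account list. The following is an added example, not code from the original post. It flags accounts whose owner has left but which are still enabled, accounts with no HR owner, admin accounts without MFA, and enabled accounts that have gone unused, and then checks a handful of authentication log lines for successful logins that the audit says should not have been possible. The `Employee` and `Account` structures, the log line format, the names and the IP addresses (from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges) are all constructed.

```python
# Added example (not from the original post): a monthly credential audit plus a
# check over authentication log lines for the access controls described above.
# Employees, accounts, IP addresses and log lines are all constructed.
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    active: bool
    left_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    name: str
    owner: str                  # employee id from the HR roster
    enabled: bool
    is_admin: bool
    mfa_enrolled: bool
    last_login: Optional[date]


def audit_accounts(accounts, roster, today, stale_days=90):
    """Return (account, issue) pairs: leavers still enabled, accounts with no HR
    owner, admins without MFA, and enabled accounts unused for stale_days."""
    issues = []
    for a in accounts:
        emp = roster.get(a.owner)
        if emp is None:
            issues.append((a.name, "no matching HR record"))
        elif not emp.active and a.enabled:
            issues.append((a.name, f"owner left on {emp.left_on} but account is still enabled"))
        if a.is_admin and not a.mfa_enrolled:
            issues.append((a.name, "admin account without MFA"))
        if a.enabled and a.last_login is not None and (today - a.last_login).days > stale_days:
            issues.append((a.name, f"no login for more than {stale_days} days"))
    return issues


# Constructed log format: "<timestamp> user=<name> src=<ip> result=<success|failure> mfa=<yes|no>"
LOG_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(\S+) mfa=(\S+)$")


def alerts_from_logs(lines, accounts, roster):
    """Flag successful logins that should not be possible: an unknown account,
    an account whose owner has left, or an admin logging in without MFA."""
    by_name = {a.name: a for a in accounts}
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(4) != "success":
            continue                       # ignore unparseable lines and failed attempts
        ts, user, src, _, mfa = m.groups()
        acct = by_name.get(user)
        if acct is None:
            alerts.append((ts, user, src, "login by unknown account"))
            continue
        emp = roster.get(acct.owner)
        if emp is not None and not emp.active:
            alerts.append((ts, user, src, "login by account of departed employee"))
        if acct.is_admin and mfa != "yes":
            alerts.append((ts, user, src, "admin login without MFA"))
    return alerts


# Constructed sample data.
TODAY = date(2024, 3, 1)
ROSTER = {e.emp_id: e for e in [
    Employee("E100", True),
    Employee("E200", False, date(2024, 2, 15)),   # left two weeks ago
    Employee("E300", True),
]}
ACCOUNTS = [
    Account("alice", "E100", True, True, True, date(2024, 2, 28)),
    Account("bob", "E200", True, False, False, date(2024, 2, 10)),      # owner has left
    Account("svc-deploy", "E300", True, True, False, date(2023, 10, 1)),  # admin, no MFA, unused
    Account("carol", "E999", True, False, True, date(2024, 2, 29)),     # no HR record
]
LOG_LINES = [
    "2024-03-01T02:14:07Z user=bob src=203.0.113.9 result=success mfa=no",
    "2024-03-01T09:02:11Z user=alice src=198.51.100.4 result=success mfa=yes",
    "2024-03-01T09:05:42Z user=svc-deploy src=203.0.113.20 result=success mfa=no",
    "2024-03-01T09:06:00Z user=carol src=198.51.100.7 result=failure mfa=no",
    "2024-03-01T09:07:30Z user=jdoe src=203.0.113.77 result=success mfa=no",
]

if __name__ == "__main__":
    for name, issue in audit_accounts(ACCOUNTS, ROSTER, TODAY):
        print(f"AUDIT  {name}: {issue}")
    for ts, user, src, why in alerts_from_logs(LOG_LINES, ACCOUNTS, ROSTER):
        print(f"ALERT  {ts} {user} from {src}: {why}")
```

The audit and the log check deliberately share the roster: the audit tells you which accounts should already have been disabled, and the log check tells you when one of them was nevertheless used, which is exactly the anomalous admin or leaver activity the post says must be followed up on immediately.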
If you are going to do this (and if you are in a critical infrastructure sector, I think you must), be prepared for a hue and cry about the disruption it will cause. “We can’t patch on this schedule! It will impact our customers (or production)!” “We can’t dedicate people to this; it will delay project X!” “We can’t restrict everyone from having admin access or implement MFA! It will slow people down!”
When this is raised, your response (as the security leader) should be: “OK, Congress, CISA, the FBI, and the NSA are all warning businesses that this is not an imminent threat but an active one. We are under attack NOW. Do you want to wait until we are out of business after we are attacked, or would you rather reprioritize some people and initiatives to lower our risk and give us a better chance of survival should we be attacked? If your answer is that we will change nothing, can I please have that in writing?”
Another point to emphasize is that if you (and all the news from government agencies) are wrong, the downside is that you have only improved your cyber hygiene at the cost of some delays in other areas. If the management team that denies your request is wrong, the downside is that you are out of business. Hmm, choices, choices…
Also, realize that this is a reprioritization of your security efforts as well. While every other aspect of your security program still needs to proceed, you will need to revisit the priority of the initiatives you already have underway. You may need to delay the rollout of new security tools, processes, and procedures so that you can reallocate your own resources to this challenge. There is no hard and fast rule for this - but then again, juggling multiple balls is what being an effective CISO is all about!
Be Aware, Get Prepared, Defend Yourself!