Here’s a lesson about the adaptability of our adversaries in cyberspace.
The security industry, for all its perceived shortcomings, does a number of things very well. One of them is endpoint detection and response (EDR). It will catch most ransomware infection attempts. It will block most exploits from detonating. It will deter or block malware installation attempts.
EDR, however, isn’t supported on all enterprise technology. Cyber-physical systems (CPS), for one, often don’t support EDR on the connected sensors, control systems, and medical devices that we’re so desperately trying to protect in order to preserve our way of life.
So naturally, how do our adversaries adapt? For one thing, they adapt quickly. We’ve seen in the last year concerted efforts to develop malware frameworks, exploit kits, and other purpose-built, platform-specific attacks that target edge devices and other technology that does not support EDR, such as hypervisors, email gateways, and appliances. For example, malware droppers, backdoors, anti-forensic features, traffic sniffers and redirection tools, and webshells are available for big-iron network providers such as Fortinet, Juniper Networks, VMware, and F5.
Intrusions targeting vulnerabilities in these platforms allow China-based threat actors to map networks, understand traffic routes, and learn where connections into enterprise networks exist. This rapid adaptability, in concert with China’s strategic 180-degree turn toward pre-positioning offensive tools on critical infrastructure (CI), threatens national security and public safety, and should put security leaders charged with CPS protection on notice. These connected devices could be next.
China’s aggression against U.S.-based critical infrastructure has gone mainstream. 60 Minutes’ recent segment on attacks against energy and water utilities among other CI deposited the issue firmly in the national consciousness.
The PRC—specifically the Volt, Salt, and Silk Typhoon threat actor groups—has strategically shifted from espionage to pre-positioned disruption. Using living-off-the-land techniques—native tools, credentials, and legitimate network operations—to evade detection, these groups are alleged to have installed offensive tools on critical U.S. defense, telecommunications, transportation, and utility systems for the presumed purpose of activating these tools in the event of a kinetic conflict.
Strategically, this is a 180-degree departure for China, veering from intellectual property theft and intelligence collection to positioning for future conflict. Every one of the 16 CI sectors identified by the Cybersecurity & Infrastructure Security Agency (CISA) is fair game, putting chief information security officers and other security leaders in a position where even legitimate traffic could be malicious, and their core security and networking supply chain is in the crosshairs.
China’s targeting of software supply chain vendors merits particular attention, as these intrusions attempt to gain access to downstream customers in targeted attacks. SaaS vendors and other third parties with remote access to enterprise networks and sensitive CPS devices must be treated as potential entry points for adversaries.
CISOs defending systems whose compromise could affect public safety, national readiness, and the continuity of essential services must make resilience the north star of their programs. The government, in the meantime, must consider revamped strategies for deterrence in cyberspace.
Resilience has many faces, and CISOs must assume compromise as the starting point on the path toward managing systems that keep critical services up and running during inevitable attacks. China’s intent, and its demonstrated capability to carry out successful intrusions on networks and devices, is forcing defenders to protect these systems with the mindset that adversaries may already have established a foothold and that the rules of the game have changed.
Resilience starts with asset visibility and access to a comprehensive asset inventory. Visibility enables the remainder of a thorough CPS protection program. Robust logging, endpoint monitoring, and anomaly detection all hinge on visibility.
Other strategies include:
Strong segmentation of OT and other CPS from the enterprise network. This allows teams to isolate compromised segments of the network and deny threat actors the lateral movement they covet.
Zero-trust architectures force every access attempt to be verified, limiting the effectiveness of illicit access to critical systems. Zero trust also enables microsegmentation, creating granular security zones around specific assets (often prioritized by the potential business impact if compromised) that further limit an attacker’s ability to move laterally through the network once they’ve breached it.
Integrate threat intelligence and detection into operational decision-making by linking threat intelligence specific to Chinese state-sponsored campaigns into your detection and response workflows. This includes specific TTPs seen in advisories (e.g., “living off the land”, small office/home office device manipulation, lateral movement, use of routers as stealth infrastructure).
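As an added illustration of the visibility and segmentation points above (example code, not part of the original article), this Python sketch checks constructed flow records against a constructed asset inventory and zone policy, flagging devices missing from the inventory and cross-zone flows the policy forbids; every address, zone name and impact tier is invented for the example.

```python
# Constructed asset inventory: address -> (zone, business-impact tier).
# Addresses, zones and tiers are invented for the example.
INVENTORY = {
    "10.0.1.10": ("enterprise", 1),  # office workstation
    "10.0.1.20": ("enterprise", 1),  # office workstation
    "10.0.2.5": ("ot-dmz", 2),       # data historian / jump host
    "10.0.3.40": ("plc-water", 3),   # PLC controlling a water process
    "10.0.3.41": ("plc-water", 3),   # PLC controlling a water process
}

# Segmentation policy: which destination zones each source zone may reach.
# Enterprise hosts stop at the OT DMZ; only the DMZ may talk to the PLC zone.
ALLOWED_PATHS = {
    "enterprise": {"enterprise", "ot-dmz"},
    "ot-dmz": {"ot-dmz", "plc-water"},
    "plc-water": {"plc-water"},
}

def check_flow(src, dst):
    """Classify one (src, dst) flow against inventory and zone policy."""
    s, d = INVENTORY.get(src), INVENTORY.get(dst)
    if s is None or d is None:
        # A visibility gap: an address the inventory does not know about.
        return "unknown-asset"
    if d[0] not in ALLOWED_PATHS[s[0]]:
        # Crossing into a zone the policy forbids: candidate lateral movement.
        return "segmentation-violation"
    return "allowed"

def triage(flows):
    """Group flows by verdict; violations are ordered by destination tier so
    the highest-impact assets are reviewed first."""
    findings = {"unknown-asset": [], "segmentation-violation": [], "allowed": []}
    for src, dst in flows:
        findings[check_flow(src, dst)].append((src, dst))
    findings["segmentation-violation"].sort(
        key=lambda f: INVENTORY[f[1]][1], reverse=True)
    return findings

# Constructed flow records, as a firewall or NetFlow export might provide.
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.5"),   # workstation -> historian: permitted
    ("10.0.2.5", "10.0.3.40"),   # historian -> PLC: permitted
    ("10.0.1.20", "10.0.3.41"),  # workstation straight to a PLC: violation
    ("10.0.9.99", "10.0.3.40"),  # address absent from inventory -> PLC
]

if __name__ == "__main__":
    for verdict, items in triage(SAMPLE_FLOWS).items():
        print(verdict, items)
```

In practice the inventory and policy would be loaded from the asset-management and firewall systems rather than hard-coded, and the findings fed into the detection workflow the text describes.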
Enterprises rich in CPS, meanwhile, need the support of the government in blunting the impact of China’s activities in cyberspace. To date there has not been a sufficient deterrent, one that imposes significant consequences on adversarial activity in cyberspace. The U.S. needs to lead here and combine its capabilities in cyberspace with the intent and will to deter adversaries.
We must convince an adversary that our cyber defenses and resilience are so high that intrusion attempts are probably not going to succeed. Or we must convince them that our capability to respond to that kind of activity is such that we could make it very painful for them if they choose to do things we don’t want.
The past 12-18 months have shown us our adversaries are not only determined and capable, but are strategically taking aim at critical infrastructure for the purposes of potential disruption or damage to key services. Now is the time for building resilient systems and adopting strategies that not only make it costly for adversaries to target our CI, but also focus on deterrence.
U.S. Navy Adm. (Ret.) Michael Rogers served as the 17th Director of the National Security Agency and the 2nd Commander of U.S. Cyber Command. Adm. Rogers presided over the activation of the Pentagon's Cyber Mission Forces and the elevation of U.S. Cyber Command to unified combatant command status. He is currently the chairman of Claroty’s Board of Advisors.