CISA, FBI Release Guide To Combat PRC Cyber Threats


The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and their international partners have released a comprehensive set of guidelines aimed at enhancing the security of telecommunications infrastructure.

The joint publication, titled Enhanced Visibility and Hardening Guidance for Communications Infrastructure, offers critical advice to network engineers and defenders tasked with protecting global communications networks from advanced persistent threats (APTs) tied to the People’s Republic of China (PRC).

The Cyber Espionage Threat

The new guidance comes in the wake of warnings issued by CISA and the FBI about an ongoing, broad cyber espionage campaign conducted by PRC-affiliated threat actors. These actors have successfully infiltrated the networks of major telecommunications providers worldwide, compromising sensitive data and potentially jeopardizing national security, critical infrastructure, and private businesses. The objective of the campaign, as detailed by officials, is to extract valuable information for intelligence-gathering purposes.

Jeff Greene, Executive Assistant Director for Cybersecurity at CISA, emphasized the seriousness of the threat: “The PRC-affiliated cyber activity poses a serious threat to critical infrastructure, government agencies, and businesses. This guide will help telecommunications and other organizations detect and prevent compromises by the PRC and other cyber actors.”

A Call to Action for Network Defenders

The newly released guide outlines a series of best practices designed to help organizations strengthen their networks against cyber threats. While tailored primarily for the telecommunications sector, these recommendations are applicable to any organization operating critical infrastructure, including businesses with on-premises enterprise equipment.

One of the central themes of the guidance is the importance of enhancing visibility within networks. This refers to the ability of network defenders to detect and analyze activity across their systems, including network traffic, user behaviors, and data flows. High visibility ensures that potential threats can be quickly identified and mitigated before they lead to serious breaches.

Strengthening Visibility in Communications Infrastructure

To improve visibility, CISA and the FBI recommend that network engineers implement strong monitoring systems and processes to detect anomalous behaviors or unauthorized changes in network configurations. These recommendations include:

  • Monitoring Configuration Changes: Network engineers are advised to closely track changes to critical network devices like routers, firewalls, and switches, especially those that occur outside of established change management protocols. Unusual alterations, such as unauthorized route updates or the activation of weak protocols, should trigger alerts for immediate investigation.
  • Centralized Configuration Management: Storing device configurations centrally, instead of relying on the devices themselves, helps ensure a single, trusted source of truth for network settings. Frequent testing and validation of configurations are also encouraged to ensure they remain secure and effective.
  • Monitoring User and Service Accounts: Suspicious logins, particularly those from unknown or unexpected sources, should be closely monitored. It’s also important to regularly review and disable inactive accounts to reduce the attack surface.
  • Secure Logging and Data Analysis: Implementing centralized logging, where log data is securely stored and can be easily analyzed, helps identify security incidents faster. Encrypted log transmission is essential to prevent tampering or interception.
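
The first two recommendations above (tracking configuration changes that happen outside approved change windows, and treating a central repository rather than the device as the source of truth) can be turned into a small drift detector. The following is an added example written for this article, not code from CISA, the FBI or the guide itself; the device name, the IOS-style configuration lines, the approved change window and the list of high-risk line prefixes are all constructed for illustration.

```python
"""Configuration-drift detection against a centrally stored baseline.

Added example (not from the CISA/FBI guide or the article): compares the
configuration currently running on a device with the baseline held in a
central repository and rates any difference by whether it happened inside an
approved change window and whether it touches routing or weak protocols.
All device names, config lines and change tickets below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed: baseline configs as stored centrally (the single source of
# truth), keyed by device name. Lines use an assumed IOS-like syntax.
BASELINE = {
    "edge-rtr-01": [
        "hostname edge-rtr-01",
        "ip route 0.0.0.0 0.0.0.0 203.0.113.1",
        "line vty 0 4",
        " transport input ssh",
    ],
}

def utc(*parts):
    """Build a timezone-aware UTC timestamp (helper for tests and tickets)."""
    return datetime(*parts, tzinfo=timezone.utc)

# Constructed: approved change tickets as (device, window start, window end).
APPROVED_WINDOWS = [
    ("edge-rtr-01", utc(2024, 12, 3, 1, 0), utc(2024, 12, 3, 3, 0)),
]

# Line prefixes whose appearance in a diff deserves an immediate alert:
# route changes and re-enabling of weak management protocols.
HIGH_RISK_PREFIXES = ("ip route", "transport input telnet", "ip ssh version 1")

# Constructed: a running config pulled from the device later, with an
# unexpected static route and Telnet re-enabled on the VTY lines.
RUNNING_EDGE_RTR_01 = [
    "hostname edge-rtr-01",
    "ip route 0.0.0.0 0.0.0.0 203.0.113.1",
    "ip route 198.51.100.0 255.255.255.0 192.0.2.9",
    "line vty 0 4",
    " transport input telnet ssh",
]

@dataclass
class DriftFinding:
    device: str
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    in_change_window: bool = False
    high_risk: bool = False

def in_window(device, observed_at):
    """True when observed_at falls inside an approved window for the device."""
    return any(dev == device and start <= observed_at <= end
               for dev, start, end in APPROVED_WINDOWS)

def detect_drift(device, running_config, observed_at):
    """Return a DriftFinding, or None when the running config matches baseline."""
    base_set, run_set = set(BASELINE.get(device, [])), set(running_config)
    added = sorted(run_set - base_set)
    removed = sorted(base_set - run_set)
    if not added and not removed:
        return None
    high_risk = any(line.strip().startswith(HIGH_RISK_PREFIXES)
                    for line in added + removed)
    return DriftFinding(device, added, removed,
                        in_window(device, observed_at), high_risk)

def severity(finding):
    """Map a finding to an alert level for the SOC queue."""
    if finding is None:
        return "none"
    if not finding.in_change_window:
        return "critical" if finding.high_risk else "high"
    return "medium" if finding.high_risk else "info"

if __name__ == "__main__":
    # Observed a day after the approved window closed.
    finding = detect_drift("edge-rtr-01", RUNNING_EDGE_RTR_01, utc(2024, 12, 4, 2, 0))
    print(severity(finding), finding)
```

Because the comparison is line-set based, a reordered but otherwise identical configuration produces no finding; a vendor-specific parser would be needed to understand section context (for example, which interface an `ip address` line belongs to), but the approval-window and high-risk-prefix logic stays the same.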

By improving network visibility, defenders can identify threats early in their lifecycle and respond to them more effectively, reducing the risk of a successful compromise.

Hardening Systems and Devices

Alongside increasing visibility, the guide stresses the importance of hardening network systems and devices. This means reducing vulnerabilities through secure configuration practices and implementing defense-in-depth strategies that limit potential entry points for cyber actors.

Key recommendations for hardening devices include:

  • Out-of-Band Management: Network engineers should manage devices through a physically separate management network, isolated from the operational data flow. This limits the potential for lateral movement by attackers in case of a compromised device.
  • Strict Access Controls: Implementing default-deny access control lists (ACLs) and network segmentation can block unauthorized traffic and isolate critical systems. Devices with sensitive functions, such as DNS servers or email servers, should be placed in a demilitarized zone (DMZ) to further reduce the risk of exposure.
  • Use of Strong Encryption: Strong encryption practices should be employed across all traffic, particularly for VPNs and remote management tools. Vulnerabilities in outdated encryption protocols should be mitigated by using the latest cryptographic standards, such as AES-256 and TLS 1.3.
  • Disabling Unnecessary Services: Services like Telnet, FTP, and older versions of SSH should be disabled, as they are often targeted by attackers looking for weak entry points into the network.
  • Regular Updates and Patching: It is essential to keep all devices and software up-to-date with the latest security patches. Additionally, network defenders should regularly monitor vendor announcements for end-of-life (EOL) notifications and upgrade equipment accordingly.
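
Several of the hardening points above (disabling Telnet and FTP, retiring SSH version 1, and enforcing default-deny access lists) can be checked mechanically against a device's running configuration. The script below is an added example for this article, not code published with the guide; the configuration samples are constructed, the syntax is assumed to resemble Cisco IOS, and the check patterns and remediation strings are illustrative and would need adjusting for other vendors.

```python
"""Device hardening audit against a running configuration.

Added example (not from the CISA/FBI guide): scans an IOS-style config for
weaknesses named in the hardening recommendations and reports each with a
suggested fix. A deliberately weak sample and its hardened counterpart are
constructed inline so the audit can be run offline.
"""
import re

# Constructed: weak configuration with Telnet, FTP, SSHv1, SNMPv2c and an
# ACL that relies only on the implicit deny.
SAMPLE_CONFIG = """\
hostname core-sw-01
ip ftp username backup
ip ssh version 1
snmp-server community public RO
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
line vty 0 4
 transport input telnet ssh
 access-class MGMT-IN in
"""

# Constructed: the same device after remediation.
HARDENED_CONFIG = """\
hostname core-sw-01
ip ssh version 2
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 deny ip any any log
line vty 0 4
 transport input ssh
 access-class MGMT-IN in
"""

# (finding id, per-line pattern, remediation). Patterns are assumptions
# about IOS syntax, not an authoritative list.
LINE_CHECKS = [
    ("telnet-enabled", re.compile(r"^\s*transport input .*\btelnet\b"),
     "restrict VTY lines to 'transport input ssh'"),
    ("ftp-enabled", re.compile(r"^\s*ip ftp "),
     "remove FTP settings and transfer files over SCP/SFTP"),
    ("ssh-v1", re.compile(r"^\s*ip ssh version 1\b"),
     "set 'ip ssh version 2'"),
    ("snmp-v2c-community", re.compile(r"^\s*snmp-server community "),
     "migrate to SNMPv3 with authentication and privacy"),
]

def parse_acls(config):
    """Return {acl_name: [entries]} for named ACL blocks (indented lines)."""
    acls, current = {}, None
    for line in config.splitlines():
        header = re.match(r"^ip access-list (?:standard|extended) (\S+)", line)
        if header:
            current = header.group(1)
            acls[current] = []
        elif current and line.startswith(" "):
            acls[current].append(line.strip())
        else:
            current = None
    return acls

def audit(config):
    """Return a list of (finding id, evidence, remediation) tuples."""
    findings = []
    for line in config.splitlines():
        for fid, pattern, fix in LINE_CHECKS:
            if pattern.search(line):
                findings.append((fid, line.strip(), fix))
    for name, entries in parse_acls(config).items():
        if not any(entry.startswith("deny") for entry in entries):
            findings.append(("acl-no-explicit-deny", name,
                             "end the ACL with 'deny ip any any log' so drops are visible"))
    if not re.search(r"^\s*ip ssh version 2\b", config, re.MULTILINE):
        findings.append(("ssh-not-pinned-v2", "global", "set 'ip ssh version 2'"))
    return findings

def finding_ids(config):
    """Sorted, de-duplicated finding ids, convenient for dashboards and tests."""
    return sorted({fid for fid, _, _ in audit(config)})

if __name__ == "__main__":
    for fid, evidence, fix in audit(SAMPLE_CONFIG):
        print(f"{fid:24} {evidence!r:45} -> {fix}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The explicit `deny ... log` entry does not change what an IOS ACL drops (the implicit deny already does that) but makes the drops appear in logs, which ties the hardening step back to the visibility theme of the guide. Running the audit from the central configuration repository on every committed change turns these one-off checks into a continuous control.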

By hardening network devices and systems, organizations can make it significantly more difficult for threat actors to exploit vulnerabilities and gain unauthorized access to critical networks.

CISA, NSA, and FBI: A Unified Effort to Safeguard Critical Infrastructure

In conclusion, the cybersecurity agencies behind the guide—CISA, NSA, and FBI—are urging all organizations, especially those involved in critical infrastructure, to adopt these best practices. As Jeff Greene highlighted, it is crucial for software manufacturers to integrate Secure by Design principles into their development processes to ensure that future vulnerabilities are minimized.

Bryan Vorndran, Assistant Director of the FBI’s Cyber Division, also stressed the importance of collaborative action: “Together with our interagency partners, the FBI issued guidance to enhance the visibility of network defenders and to harden devices against PRC exploitation.”

Ultimately, this guidance not only aims to defend against PRC-affiliated actors but also to enhance the overall security posture of telecommunications infrastructure and other critical sectors. By implementing these measures, network defenders can better prepare for and respond to evolving cyber threats, helping to protect sensitive data and maintain the integrity of essential services.