CISA, FBI, and NSA Issue Guidance to Tackle PRC Cyber Threats

December 16, 2024

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), along with international partners, have introduced a comprehensive set of guidelines to improve the security of telecommunications infrastructure. This joint publication, titled “Enhanced Visibility and Hardening Guidance for Communications Infrastructure,” is geared toward assisting network engineers and defenders in protecting global communications networks from advanced persistent threats (APTs) associated with the People’s Republic of China (PRC). The document aims to combat an ongoing cyber espionage campaign by PRC-affiliated threat actors, who have already managed to infiltrate networks of major telecommunications providers worldwide.

Network engineers need to note the critical advice provided in this guide, especially considering the seriousness of threats posed by these cyber actors. Jeff Greene, Executive Assistant Director for Cybersecurity at CISA, reiterated the gravity of the situation by stating that PRC-affiliated cyber activity poses a substantial threat to critical infrastructure, government agencies, and private businesses. It is against this backdrop that the guidelines have been developed to help organizations detect and prevent compromises by the PRC and other cyber actors.

1. Track Configuration Modifications

One of the first recommendations in this guide is for network engineers to meticulously monitor changes to essential network devices, including routers, firewalls, and switches. This becomes particularly crucial for changes occurring outside of established change management protocols. Unusual modifications, such as unauthorized route updates or the activation of weak protocols, should trigger alerts for immediate investigation. By keeping a close watch on these changes, network defenders can quickly identify and respond to potential security threats before they escalate into serious breaches.

In addition, monitoring configuration modifications is not just about detecting unauthorized changes but also involves rigorous adherence to change management processes. Network engineers need to ensure that every configuration change is documented, reviewed, and approved according to established protocols. This level of scrutiny helps create a robust defense mechanism against malicious actors who often target network settings to gain unauthorized access. By implementing this step, organizations can significantly reduce the risk of compromising their telecommunications infrastructure through unauthorized configuration changes.

2. Centralized Configuration Oversight

Another key recommendation involves maintaining centralized configuration management, where all device configurations are stored in a central repository rather than on the devices themselves. This approach ensures a single, trusted source of truth for network settings, making it easier to manage and secure configurations. Regular testing and validation of these configurations are also recommended to ensure they remain secure and effective over time. Centralized configuration oversight not only simplifies management processes but also enhances security by providing a comprehensive view of the network’s current state.

When configurations are stored centrally, it becomes straightforward to implement and enforce configuration baselines, which serve as standards for device settings. Any deviations from these baselines can be quickly detected and addressed. Furthermore, centralized management allows for efficient backup and recovery processes, ensuring that configurations can be restored promptly in case of accidental changes or cyber incidents. By adopting centralized configuration oversight, organizations can strengthen their network defenses and reduce the risk of configuration-related vulnerabilities.
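The drift check described in the two recommendations above, as an added example that is not part of the guidance or the article: the running configuration is compared against the baseline held in the central repository, every change is classified, and changes that fall outside an approved change window (or touch routing, ACL, management-transport or credential statements at any time) are raised as alerts. The device name, addresses and config syntax are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: the baseline held in the central repository and the
# running config pulled from the device (hostname and addresses are hypothetical).
BASELINE = """\
hostname edge-rtr-01
ip route 10.20.0.0 255.255.0.0 10.1.1.1
access-list 10 permit 10.1.1.0 0.0.0.255
line vty 0 4
 transport input ssh
"""

RUNNING = """\
hostname edge-rtr-01
ip route 10.20.0.0 255.255.0.0 10.1.1.1
ip route 0.0.0.0 0.0.0.0 198.51.100.7
access-list 10 permit 10.1.1.0 0.0.0.255
logging host 10.1.1.50
line vty 0 4
 transport input ssh telnet
"""

# Statements whose change warrants investigation even inside an approved window.
HIGH_RISK = re.compile(r"^(ip route|access-list|transport input|username|snmp-server)\b")

def _statements(cfg):
    """Normalise a config into a set of non-empty, non-comment statements."""
    stmts = (line.strip() for line in cfg.splitlines())
    return {s for s in stmts if s and not s.startswith("!")}

def diff_config(baseline, running):
    """Return (kind, statement, high_risk) for every drift from the baseline."""
    base, run = _statements(baseline), _statements(running)
    added = [("added", s, bool(HIGH_RISK.match(s))) for s in sorted(run - base)]
    removed = [("removed", s, bool(HIGH_RISK.match(s))) for s in sorted(base - run)]
    return added + removed

def in_change_window(observed, windows):
    """True if the ISO-8601 timestamp falls inside an approved (start, end) window."""
    t = datetime.fromisoformat(observed)
    return any(datetime.fromisoformat(a) <= t <= datetime.fromisoformat(b) for a, b in windows)

def assess(baseline, running, observed, windows):
    """Outside a window every change alerts; inside, only high-risk statements do."""
    changes = diff_config(baseline, running)
    approved = in_change_window(observed, windows)
    alerts = [c for c in changes if c[2] or not approved]
    return {"changes": changes, "approved": approved, "alerts": alerts}
```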

3. Monitor User and Service Accounts

The guide also stresses the importance of monitoring user and service accounts to detect suspicious activities. Network defenders are advised to keep a close eye on logins from unknown or unexpected sources, as these could indicate potential compromise attempts. Regularly reviewing and disabling inactive accounts is another crucial step, as it helps reduce the attack surface by eliminating accounts that are no longer needed or used. By implementing robust monitoring practices, organizations can prevent unauthorized access and better protect their networks from cyber threats.

Additionally, it is essential to implement strong authentication mechanisms, such as multi-factor authentication (MFA), to further secure user and service accounts. MFA adds an extra layer of security by requiring users to provide multiple forms of verification before granting access. This reduces the likelihood of successful account compromise even if credentials are stolen. Ensuring that user and service accounts are closely monitored and protected through strong authentication measures can significantly enhance an organization’s cybersecurity posture.

4. Secure Logging and Data Examination

Implementing centralized logging is another crucial step recommended by the guide. By securely storing log data in a central location, organizations can easily analyze this data to identify security incidents faster. It is essential to ensure that log data is encrypted during transmission to prevent tampering or interception. Centralized logging not only aids in quicker detection of potential threats but also provides valuable insights for forensic analysis in case of a security breach. This proactive approach to logging and data examination can greatly enhance an organization’s ability to respond to cyber incidents.

In addition to centralized logging, network defenders should implement comprehensive data analysis processes to identify patterns and anomalies that could indicate malicious activities. Automated tools can assist in rapidly processing large volumes of log data, enabling quicker detection of potential threats. Regularly reviewing and analyzing log data can help organizations stay ahead of cyber adversaries by identifying unusual behaviors or indicators of compromise early in their lifecycle. Secure logging and data examination are fundamental components of a robust cybersecurity strategy.
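The account-monitoring and centralized-log-analysis recommendations above, worked through as an added example (not code from the guidance or the article): a detector run over constructed login events as they would arrive at a central collector, flagging successful logins from outside the expected management network, from accounts missing from the inventory, and from accounts that have been dormant long enough that they should already have been disabled. Device names, accounts, addresses and the log format are all constructed.

```python
import ipaddress
import re
from datetime import datetime

# Constructed auth events as received by the central log collector
# (hypothetical device names, accounts and addresses).
LOG_LINES = [
    "2024-12-16T01:12:03 edge-rtr-01 login: user=netops src=10.99.0.12 result=success",
    "2024-12-16T01:15:41 edge-rtr-01 login: user=svc-backup src=10.99.0.40 result=success",
    "2024-12-16T03:02:17 core-sw-02 login: user=netops src=203.0.113.55 result=success",
    "2024-12-16T03:04:09 core-sw-02 login: user=admin-old src=10.99.0.12 result=success",
    "2024-12-16T03:05:30 core-sw-02 login: user=contractor src=10.99.0.12 result=success",
    "2024-12-16T03:06:30 core-sw-02 login: user=netops src=203.0.113.55 result=failure",
]

# Networks from which interactive device logins are expected (the management net).
MGMT_NETS = [ipaddress.ip_network("10.99.0.0/24")]

# Account inventory: date each approved account was last legitimately used.
ACCOUNT_LAST_USED = {"netops": "2024-12-15", "svc-backup": "2024-12-15", "admin-old": "2024-06-01"}
DORMANT_DAYS = 90  # accounts unused longer than this should already be disabled

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) login: user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse_event(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_anomalies(lines):
    """Return (reason, user, host, src) for successful logins that need investigation."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["result"] != "success":
            continue  # only successful logins are assessed here
        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in MGMT_NETS):
            alerts.append(("login_from_unexpected_source", ev["user"], ev["host"], ev["src"]))
        last = ACCOUNT_LAST_USED.get(ev["user"])
        if last is None:
            alerts.append(("unknown_account", ev["user"], ev["host"], ev["src"]))
        elif (datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(last)).days > DORMANT_DAYS:
            alerts.append(("dormant_account_used", ev["user"], ev["host"], ev["src"]))
    return alerts
```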

5. Out-of-Band Management

Out-of-band management is a highly recommended practice for managing network devices. This involves using a physically separate management network, isolated from the operational data flow, to manage critical devices. This separation limits the potential for attackers to move laterally within the network in the event of a compromised device. By isolating management traffic from regular network traffic, organizations can create a more secure environment for managing their network infrastructure and reduce the risk of unauthorized access.

Furthermore, out-of-band management allows network engineers to perform administrative tasks even if the primary network is compromised or unavailable. This ensures continuous management capabilities and facilitates timely response to security incidents. Implementing out-of-band management helps organizations maintain control over their network devices, even in adverse situations, and significantly enhances the overall security posture by preventing attackers from exploiting management interfaces.

6. Enforce Strict Access Controls

Strict access controls are paramount in safeguarding network systems. The guide recommends implementing default-deny access control lists (ACLs) and network segmentation to block unauthorized traffic and isolate critical systems. Devices with sensitive functions, such as DNS servers or email servers, should be placed in a demilitarized zone (DMZ) to minimize exposure risks. By limiting access to only necessary and authorized entities, organizations can effectively reduce the attack surface and prevent unauthorized access to critical systems.

In addition to ACLs and network segmentation, it is important to enforce the principle of least privilege, granting users and devices only the minimum level of access required to perform their functions. This minimizes the potential impact of a compromised account or device. Regularly reviewing and updating access controls ensures that they remain effective and aligned with the organization’s security policies. Enforcing strict access controls strengthens an organization’s defense mechanisms against unauthorized access and enhances the overall security of the network.
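The out-of-band management and default-deny access-control recommendations above, as an added example that is not part of the guidance or the article: an audit over a simplified ACL model that confirms the list ends in an explicit default deny and that management ports on device management addresses are reachable only from the separate management network. The networks, ports and rule format are constructed for illustration.

```python
import ipaddress

# Constructed topology (hypothetical addresses): the isolated management network and
# the addresses on which devices expose their management interfaces.
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")
DEVICE_MGMT_NET = ipaddress.ip_network("10.1.1.0/24")
MGMT_PORTS = {22, 443, 161}  # SSH, HTTPS, SNMP

# Rules are (action, src, dst, dport); "any" matches everything, dport None means all ports.
ACL_WEAK = [
    ("permit", "any", "10.1.1.0/24", 22),       # SSH to devices from anywhere
    ("permit", "10.99.0.0/24", "10.1.1.0/24", 443),
    ("permit", "any", "any", None),             # catch-all permit, no default deny
]

ACL_HARDENED = [
    ("permit", "10.99.0.0/24", "10.1.1.0/24", 22),
    ("permit", "10.99.0.0/24", "10.1.1.0/24", 443),
    ("permit", "10.99.0.0/24", "10.1.1.0/24", 161),
    ("deny", "any", "any", None),               # explicit default deny
]

def _net(spec):
    return None if spec == "any" else ipaddress.ip_network(spec)

def audit_acl(rules):
    """Return a list of policy violations; an empty list means the ACL passes."""
    issues = []
    if not rules or rules[-1][:3] != ("deny", "any", "any"):
        issues.append("no explicit final default-deny rule")
    for action, src, dst, dport in rules:
        if action != "permit":
            continue
        src_net, dst_net = _net(src), _net(dst)
        hits_mgmt_port = dport is None or dport in MGMT_PORTS
        reaches_devices = dst_net is None or dst_net.overlaps(DEVICE_MGMT_NET)
        from_outside_mgmt = src_net is None or not src_net.subnet_of(MGMT_NET)
        if hits_mgmt_port and reaches_devices and from_outside_mgmt:
            issues.append(f"management port {dport or 'any'} on {dst} reachable from {src}")
    return issues
```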

7. Employ Strong Encryption

The guide strongly advocates for the use of strong encryption practices across all network traffic. This is particularly important for virtual private networks (VPNs) and remote management tools. Vulnerabilities in outdated encryption protocols should be mitigated by adopting the latest cryptographic standards, such as AES-256 and TLS 1.3. Employing strong encryption ensures that data transmitted over network connections is protected from interception and unauthorized access, thereby enhancing the overall security of network communications.

Furthermore, organizations should implement encryption at rest to protect sensitive data stored on devices and servers. This adds an additional layer of security, safeguarding data even if physical devices are compromised. Regularly updating cryptographic libraries and protocols ensures that encryption mechanisms remain effective against evolving threats. By employing strong encryption practices, organizations can significantly enhance the confidentiality and integrity of their network communications and data.

8. Disable Unnecessary Services

Disabling unnecessary services is a crucial step in reducing potential entry points for attackers. The guide advises network engineers to disable services like Telnet, FTP, and older versions of SSH, as these are often targeted by cyber actors looking for weak entry points into the network. By eliminating services that are not essential for network operations, organizations can reduce the attack surface and limit opportunities for cyber actors to exploit vulnerabilities.

In addition to disabling unnecessary services, it is important to regularly review and assess the services running on network devices. This helps identify and remove any services that are no longer needed or have become security risks. Ensuring that only necessary services are enabled contributes to a more secure network environment and reduces the likelihood of successful attacks. Disabling unnecessary services is a proactive measure that strengthens an organization’s overall cybersecurity posture.
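The encryption and unnecessary-services recommendations above (sections 7 and 8), as an added example that is not code from the guidance or the article: a configuration audit that flags Telnet, FTP, SSHv1, weak SSH ciphers, a TLS floor below 1.2 and SNMPv1/v2c, shown against a weak and a hardened configuration, plus a TLS client context that refuses anything older than TLS 1.3. The configuration syntax is a constructed, vendor-neutral form, not any product's real CLI.

```python
import re
import ssl

# Constructed configurations in a hypothetical vendor-neutral syntax.
CONFIG_WEAK = """\
service telnet enable
service ftp enable
service ssh enable
ssh version 1
ssh ciphers aes128-cbc 3des-cbc
tls min-version 1.0
snmp version 2c
"""

CONFIG_HARDENED = """\
service telnet disable
service ftp disable
service ssh enable
ssh version 2
ssh ciphers aes256-gcm@openssh.com chacha20-poly1305@openssh.com
tls min-version 1.3
snmp version 3
"""

# Each regex is matched against one normalised config line.
CHECKS = [
    (re.compile(r"^service telnet enable$"), "Telnet enabled: credentials sent in cleartext"),
    (re.compile(r"^service ftp enable$"), "FTP enabled: credentials sent in cleartext"),
    (re.compile(r"^ssh version 1$"), "SSHv1 enabled: obsolete protocol"),
    (re.compile(r"^ssh ciphers .*(3des|arcfour|-cbc)"), "weak SSH cipher configured"),
    (re.compile(r"^tls min-version 1\.[01]$"), "TLS minimum version below 1.2"),
    (re.compile(r"^snmp version (1|2c)$"), "SNMPv1/v2c: community strings sent in cleartext"),
]

def audit_config(text):
    """Return (line, finding) pairs for every weak service or protocol setting."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        for rx, msg in CHECKS:
            if rx.search(line):
                findings.append((line, msg))
    return findings

def hardened_client_context():
    """Client-side TLS context that refuses any protocol version older than TLS 1.3."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx
```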

9. Regular Updates and Patching

