The Chinese MSS Is Attacking Us with Our Own Tools


Here’s how to get ahead of the adversary with integrated cyber defenses.

Despite more than $120 billion a year spent on security products and services, adversaries are still moving faster than our organizations and institutions, and they are using the tools we built against us. For some time now the Cybersecurity and Infrastructure Security Agency has released in-depth analysis of key vulnerabilities, but with attacks increasing, cybersecurity programs can hardly keep up and the impacts grow more severe every day.

The good news is that investments to protect core digital assets, such as perimeter security, encryption and stronger authentication, are reducing the overall number of incidents across government and commercial enterprises. Yet most organizations struggle to operationalize these controls so they can better anticipate, prevent, detect and respond to rapidly evolving threat actors who continue to identify and exploit key vulnerabilities in their targets' attack surfaces.

Our Adversaries Are Exploiting Flaws

The recent CISA advisory on actors affiliated with the Chinese Ministry of State Security shows hackers taking public vulnerability data and open source tools built to support organizational improvement and turning them on their head: using them to find holes in a target's attack surface and to exploit unpatched vulnerabilities before defenders can remediate them. The tools identified in the advisory support foundational cyber hygiene activities, including configuration, vulnerability and patch management, and are critical to many organizations' day-to-day operations.

Tracking new exposure points across the technology portfolio of any organization can feel like a never-ending uphill battle. It requires a larger focus on proactive and preventative security measures and the removal of the organizational, process, data and technology silos across the cybersecurity operations space. We need an integrated approach to cyber defense that moves the needle in a positive direction and limits exposure to attacks from these sophisticated and well-funded adversaries.

Getting Left of Boom

A modern approach to cyber defense operations requires greater focus and investment in capabilities to the "left of the boom": better threat modeling, scanning, patching, controls testing and proactive hunting before an attack. Government and commercial organizations need a modernized cyber defense operating model that better integrates, automates and increases intelligence through improved data management, targeted analytics, artificial intelligence and machine learning. To this end, four key dimensions (people, process, data and technology) have proven critical for moving "left of the boom" and becoming a truly preventative and proactive security organization.

Threat-Centric Vulnerability Management

Vulnerability management programs continue to struggle to make progress against a mountain of vulnerabilities and patching requirements, driven by the increasing complexity of technology environments. They also focus too narrowly on technical vulnerabilities in devices and software and often ignore vulnerabilities in digital identities and end-user behavior.

Even more concerning, these vulnerabilities are viewed in isolation rather than in the context of how real-world attacks unfold, touching multiple assets and controls along the way. No matter how many resources are devoted to addressing key risks, organizations continue to fall behind because they struggle to prioritize and focus resources on the vulnerabilities that drive down the most risk in their environment. The industry, and some of the more advanced security organizations, are using real-world threat activity and enhanced asset discovery techniques to prioritize the vulnerabilities most relevant to the organization. This prioritization can be enhanced with context from threat intelligence and threat modeling tools to understand the key exposure points in the attack surface. Incorporating offensive tactics into the vulnerability management process helps teams identify where real-world exploits can actually be executed. This can be done through extensive purple teaming exercises, bringing red and blue teams together, and through attacker-centric tools that drive contextual understanding for prioritization and remediation of critical vulnerabilities.
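The following Python example shows what threat-centric prioritization looks like in practice. It is an added illustration written for this page, not code from the article or from Booz Allen Hamilton. It ranks findings by CVSS in context: whether the flaw is being exploited in the wild, whether the affected asset is reachable from the internet (directly, or through a pivot path from an exposed host, which is the multi-asset attack-path view the paragraph above calls for), and how critical the asset is. The multipliers, the `Finding` fields, the placeholder `VULN-000x` identifiers and the sample inventory are all assumptions chosen for illustration, not figures from the article or from any real scoring standard.

```python
"""Threat-centric vulnerability prioritization (added example, not the article's code).

Ranks findings by CVSS *in context*: exploited-in-the-wild status from threat
intelligence, reachability from the internet (direct, or via a pivot path
discovered through asset/network discovery) and asset criticality. All weights,
identifiers and sample data below are illustrative assumptions.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str             # placeholder identifier, deliberately not a real CVE
    cvss: float              # base score, 0-10
    exploited_in_wild: bool  # assumed input from a threat-intelligence feed
    asset_criticality: int   # 1 (low) .. 5 (crown jewel), from the asset inventory


def reachable_from(sources: set[str], edges: dict[str, list[str]]) -> set[str]:
    """Breadth-first walk over the adjacency map: every asset an attacker who
    holds the source assets could pivot to."""
    seen = set(sources)
    queue = deque(sources)
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposure_multiplier(asset: str, internet_exposed: set[str],
                        edges: dict[str, list[str]]) -> float:
    if asset in internet_exposed:
        return 1.5   # directly reachable from the internet
    if asset in reachable_from(internet_exposed, edges):
        return 1.25  # reachable through a path from an exposed host
    return 1.0       # no known path from the internet


def threat_score(f: Finding, internet_exposed: set[str],
                 edges: dict[str, list[str]]) -> float:
    """CVSS scaled by threat activity, exposure and asset criticality (assumed weights)."""
    threat = 2.0 if f.exploited_in_wild else 1.0
    exposure = exposure_multiplier(f.asset, internet_exposed, edges)
    criticality = 1.0 + 0.25 * (f.asset_criticality - 1)  # 1.0 .. 2.0
    return f.cvss * threat * exposure * criticality


def prioritize(findings, internet_exposed, edges):
    """Return (score, finding) pairs, highest contextual risk first."""
    scored = [(threat_score(f, internet_exposed, edges), f) for f in findings]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored


# --- constructed sample inventory (not from any real environment) -------------
FINDINGS = [
    Finding("vpn-gw-01",  "VULN-0001", cvss=7.5, exploited_in_wild=True,  asset_criticality=5),
    Finding("hr-db-02",   "VULN-0002", cvss=9.8, exploited_in_wild=False, asset_criticality=4),
    Finding("dev-wks-17", "VULN-0003", cvss=9.1, exploited_in_wild=False, asset_criticality=1),
    Finding("web-cms-03", "VULN-0004", cvss=6.5, exploited_in_wild=True,  asset_criticality=3),
]
INTERNET_EXPOSED = {"vpn-gw-01", "web-cms-03"}
# adjacency from asset discovery: which internal assets each host can reach
EDGES = {"vpn-gw-01": ["hr-db-02"], "web-cms-03": []}


def ranked_ids(findings=FINDINGS, exposed=INTERNET_EXPOSED, edges=EDGES):
    """Vulnerability identifiers in threat-centric priority order."""
    return [f.vuln_id for _, f in prioritize(findings, exposed, edges)]


def cvss_only_ids(findings=FINDINGS):
    """The same findings ordered by raw CVSS, for comparison."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


if __name__ == "__main__":
    for score, f in prioritize(FINDINGS, INTERNET_EXPOSED, EDGES):
        print(f"{score:6.2f}  {f.vuln_id}  {f.asset}  (cvss {f.cvss})")
    print("CVSS-only order:", cvss_only_ids())
```

Run as written, the raw-CVSS order puts the internal HR database and a developer workstation at the top, while the contextual order puts the internet-facing VPN gateway with an actively exploited flaw first and the actively exploited web CMS second; the HR database still outranks the workstation because the adjacency map shows it is reachable from the compromised-prone gateway. The point is the shape of the calculation, not the specific weights: any real program should tune them against its own threat intelligence and asset data.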

Proactive Detection

Detection management programs at most organizations rely on out-of-the-box detection analytics, indicators of compromise and indicators of attack from tools that are not tailored to the organization. Organizations must move from a reactive security culture to one of proactive remediation and risk reduction. Continuous offensive testing of controls and assets, combined with proactive hunting, deception technologies and detection management, puts an organization on a proactive footing that matures its capabilities and frees more resources to fix issues before they become incidents.

Integrated Response and Recovery

Much of the security operations center and incident response team's time is spent triaging basic security events rather than on deeper analysis and research. Incident response capabilities are ad hoc and focused primarily on cleaning up attacks that have already executed and caused real consequences, not on proactive and automated containment.

Response and recovery capabilities need automation and orchestration components defined and integrated into key tools to fast-track containment and quarantine activities. Enterprise resources need to be focused on increasingly complex attacks and not wasted on low-level alerts and incidents that tend to be time-consuming distractions. This frees key personnel to develop analytics and automation techniques for response and investigation, which increases employee retention, minimizes burnout and drives down risk.

Outmaneuvering Threats Requires Proactive, Preventative Cyber Defense Operations

A review of past attacks reveals that a significant number of incidents could have been avoided through better focus on core security controls like perimeter security, encryption and multi-factor authentication. More advanced attacks, however, require an integrated cyber defense operating model that improves mean time to prevent, mean time to detect and mean time to respond. Better anticipating threats and moving at network speed is key to outmaneuvering advanced adversaries. This requires more emphasis on cyber fusion, not on acquiring ever more expensive and complex cybersecurity tools.

Garrettson Blight is a principal and Clayton Barlow-Wilcox is a senior associate at Booz Allen Hamilton. 
