The Chinese MSS Is Attacking Us with Our Own Tools


Here’s how to get ahead of the adversary with integrated cyber defenses.

Despite organizations spending more than $120 billion a year on security products and services, adversaries are still moving faster than our organizations and institutions, and they are using the tools we’ve built against us. For some time now the Cybersecurity and Infrastructure Security Agency (CISA) has released in-depth analyses of key vulnerabilities, but with attacks increasing, cybersecurity programs can hardly keep up, and the impacts are becoming more severe every day.

The good news is that investments to protect our core digital assets—perimeter security, encryption and stronger authentication—are reducing the overall level of incidents across government and commercial enterprises. Yet most organizations are struggling to operationalize these controls to better anticipate, prevent, detect and respond to rapidly evolving threat actors who continue to identify and exploit key vulnerabilities in their targets’ attack surfaces.

Our Adversaries Are Exploiting Flaws

Based on the recent CISA advisory on the Chinese Ministry of State Security, hackers are taking public vulnerability data and open-source tools built to support organizational improvement and turning them on their head: using them to find holes in an organization’s attack surface and exploiting the unpatched vulnerabilities before they can be remediated. The tools identified in the CISA advisory support foundational cyber hygiene activities, including configuration, vulnerability and patch management, and are critical to many organizations’ day-to-day operations.

Tracking new exposure points across the technology portfolio of any organization can feel like a never-ending uphill battle. It requires a larger focus on proactive and preventative security measures and the removal of organizational, process, data and technology silos across cybersecurity operations. We need an integrated approach to cyber defense that moves the needle in a positive direction and limits exposure to attacks from these sophisticated and well-funded adversaries.

Getting Left of Boom

A modern approach to cyber defense operations requires greater focus and investment in capabilities to the “left of the boom”—better threat modeling, scanning, patching, controls testing and proactive hunting before an attack occurs. Government and commercial organizations need a modernized cyber defense operating model that better integrates and automates operations and increases intelligence through improved data management, targeted analytics, artificial intelligence and machine learning. To this end, four key capabilities—people, process, data and technology—have proven critical for moving “left of the boom” and becoming a truly preventative and proactive security organization.

Threat-Centric Vulnerability Management

Vulnerability management programs continue to struggle to make progress against a mountain of vulnerabilities and patching requirements because of the increasing complexity of technology environments. They are also overly focused on technical vulnerabilities in devices and software and often ignore vulnerabilities in digital identities and end-user behavior.

Even more concerning, these vulnerabilities are viewed in isolation instead of in the context of how real-world attacks unfold, touching multiple assets and controls along the way. No matter how many resources are devoted to addressing key risks, organizations continue to fall behind as they struggle to prioritize and focus resources on the vulnerabilities that drive down the most risk in their environment. The industry and some of the more advanced security organizations are using real-world threat data and enhanced asset discovery techniques to prioritize the vulnerabilities most relevant to the organization. These can be enhanced with context from threat intelligence and modeling tools to understand key exposure points in the attack surface. Incorporating offensive tactics into the vulnerability management process helps teams identify where real-world exploits could actually be executed. This can be done through extensive purple teaming exercises—bringing red and blue teams together—and attacker-centric tools that drive contextual understanding for prioritizing and remediating critical vulnerabilities.
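To make the prioritization argument concrete, here is an added Python example (not from the article or from Booz Allen) that re-ranks a constructed set of scanner findings once asset exposure and threat-intelligence context are joined in; the weights, asset names and placeholder vulnerability ids are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One scanner finding joined with asset inventory and threat-intel context."""
    vuln_id: str            # placeholder ids below, not real CVE numbers
    cvss: float             # base severity as the scanner reports it
    asset: str              # hypothetical asset name
    internet_facing: bool   # from asset discovery / external attack-surface mapping
    criticality: int        # 1 (low) .. 5 (crown jewel), from the asset inventory
    known_exploited: bool   # flagged as exploited in the wild by threat intel
    actor_reported: bool    # tied to a tracked campaign, e.g. in a public advisory


def threat_score(f: Finding) -> float:
    """Severity weighted by exposure and real-world exploitation.
    The multipliers are illustrative assumptions, not an industry standard."""
    score = f.cvss
    if f.known_exploited:
        score *= 1.5
    if f.actor_reported:
        score *= 1.3
    if f.internet_facing:
        score *= 1.4
    score *= 1 + (f.criticality - 1) * 0.25   # a crown-jewel asset counts double
    return round(score, 2)


def cvss_order(findings):
    """What a scanner-only queue looks like: severity alone decides."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def threat_order(findings):
    """The same findings ranked by the threat-centric score instead."""
    return [f.vuln_id for f in sorted(findings, key=threat_score, reverse=True)]


# Constructed sample findings: the highest-CVSS item sits on an internal database,
# while a lower-CVSS flaw is on an exposed gateway and is being actively exploited.
SAMPLE = [
    Finding("VULN-A", 9.8, "internal-db-01", False, 3, False, False),
    Finding("VULN-B", 7.5, "vpn-gateway-01", True, 5, True, True),
    Finding("VULN-C", 5.3, "workstation-17", False, 1, False, False),
    Finding("VULN-D", 8.8, "file-server-02", False, 4, True, False),
]

if __name__ == "__main__":
    print("CVSS-only order:    ", cvss_order(SAMPLE))
    print("Threat-centric order:", threat_order(SAMPLE))
```

The exposed, actively exploited gateway flaw jumps from third to first, which is exactly the reordering a threat-centric program is meant to produce.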

Proactive Detection

Detection management programs at most organizations rely on out-of-the-box detection analytics, indicators of compromise and indicators of attack from tools that are not tailored to the organization. Organizations must move from a reactive, response-driven security culture to proactive remediation and risk reduction. Continuous offensive testing of controls and assets, combined with proactive hunting, deception technologies and detection management, puts an organization in a proactive posture that can be used to mature capabilities and free more resources to fix issues before they become incidents.

Integrated Response and Recovery

Much of the security operations center’s and incident response team’s time is spent triaging basic security events rather than on key analysis and research. Incident response capabilities are ad hoc and primarily focused on cleaning up attacks that have already executed, with realized consequences, rather than on proactive and automated containment.

Response and recovery capabilities need automation and orchestration components defined and integrated into key tools to fast-track containment and quarantine activities. Enterprise resources need to be focused on increasingly complex attacks, not wasted on low-level alerts and incidents that tend to be time-consuming distractions. This frees key personnel to develop analytics and automation techniques for response and investigation, which increases employee retention, minimizes burnout and drives down risk.

Outmaneuvering Threats Requires Proactive, Preventative Cyber Defense Operations

A review of past attacks reveals that a significant number of incidents could have been avoided through better focus on core security controls like perimeter security, encryption and multi-factor authentication. More advanced attacks, however, require an integrated cyber defense operating model that improves mean time to prevent, mean time to detect and mean time to respond. Better anticipating threats and moving at net speed is key to outmaneuvering advanced adversaries. This requires more emphasis on cyber fusion, not on acquiring more increasingly expensive and complex cybersecurity tools.

Garrettson Blight is a principal and Clayton Barlow-Wilcox is a senior associate at Booz Allen Hamilton.