Implement CISA Network Monitoring Guidelines for Salt Typhoon with RevealX NDR
ExtraHop
January 14, 2025
To help the critical infrastructure sector monitor its networks for Salt Typhoon and other state-sponsored advanced persistent threats (APTs), CISA, the NSA, the FBI, and four international partner agencies issued nine pages of hardening guidance that emphasizes the need for vastly improved network visibility.
“It’s difficult to overstate how damaging the Salt Typhoon APT is,” says Mark Bowling, Chief Information Security and Risk Officer at ExtraHop, speaking about the Chinese state-sponsored threat actor that infiltrated the networks of at least a dozen telecommunications providers, stole customer call records, and accessed the private communications of U.S. government and political officials as part of an effort to harvest encrypted communications.
“From a national security perspective, Salt Typhoon is four to five times worse than SolarWinds,” adds Bowling, who became a CISO following a 20-year career as an FBI agent investigating cybercrime and terrorism. “This attack could irreparably damage, impede, or shut down numerous counter-intelligence, foreign intelligence, and counter-terrorism investigations.”
The guidance from CISA zeroes in on the value and primacy of network visibility because Salt Typhoon gained initial access to telecom companies’ environments by compromising vulnerable devices that were exposed to the public internet. The threat actor also exploited known vulnerabilities in network devices to maintain persistence and used legitimate tools, like PowerShell and Windows Management Instrumentation Command-line (WMIC), to evade detection as it conducted reconnaissance, moved laterally, and stole data.
With improved network visibility and monitoring, including the ability to decrypt encrypted traffic and protocols, organizations gain visibility into vulnerable devices, including devices they may not realize are exposed to the internet because of misconfigurations and that are therefore ripe for compromise. They can also detect lateral movement, living off the land techniques, and other changes in the environment indicative of malicious activity, such as unauthorized configuration changes to network devices and weak ciphers and protocols that have suddenly been enabled.
Below, we break down CISA’s network monitoring and hardening guidance, and we explain how the dual-purpose ExtraHop® RevealX™ platform for network detection and response (NDR) and network performance management (NPM) can help telecommunications and other critical infrastructure providers implement those recommendations and improve their network security posture against Salt Typhoon and other nation-state threats.
The Upshot: How RevealX Helps Organizations Meet CISA Guidance Regarding Salt Typhoon
To sum up the recommendations, CISA advises organizations to implement a strong, out-of-band, packet-capturing network monitoring and management tool that:
- provides visibility into inbound, outbound, and internal network traffic;
- enforces configuration management;
- monitors devices exposed to the public internet and making external connections; and
- detects and alerts on a wide range of changes in the environment, including configuration changes to network devices, weak protocols that have been enabled, changes in user behavior and account activity, and modifications to access control lists.
CISA also recommends encrypting as much network traffic end-to-end as possible, limiting exposure of management traffic to the internet, and collecting logs at the network operating system, application, and software levels of the environment.
RevealX supports those and many other best practices outlined by CISA. It sits out of band, captures a copy of full packets and NetFlow telemetry, and provides organizations with the broadest visibility into activity taking place on their networks. RevealX provides unparalleled breadth and depth of network visibility by extracting more metadata from full packets than competing solutions, decoding four times more protocols than other NDR offerings, by decrypting encrypted network traffic, and by doing all of this at enterprise speed and cloud scale. Read on for details.
Strengthen Visibility and Monitoring
CISA guidance:
- Gain visibility into north-south and east-west network traffic, user activity, and data flow.
- Implement a strong network flow monitoring solution.
- Use an out-of-band network management tool that is physically separate from the operational data flow network and that does not allow lateral management connections between devices to prevent lateral movement in the event one device becomes compromised.
- Implement a network monitoring and management capability that at a minimum enforces configuration management, automates routine administrative functions, alerts on changes detected within the environment, such as connections, user activity, and account activity, and that is capable of capturing packets.
- Monitor all devices that accept external connections from outside the corporate network.
- Investigate any configurations that do not comply with known good configurations, such as open ports, services, or unexpected Generic Routing Encapsulation (GRE) or IPsec tunnel usage.
- Establish an understanding of the architecture of infrastructure and production enclaves, as well as where the environments meet or are segregated.
- Map and understand boundary and ingress/egress points of the network management enclave.
The RevealX Advantage
RevealX sits out of band (i.e., outside the path of network traffic) and passively monitors all critical transactions taking place across an organization’s network, including incoming, outgoing, and internal lateral network traffic. By taking a copy of an organization’s network traffic at the core, where data is hosted, RevealX can monitor east-west traffic most effectively, without interfering with actual network traffic or performance.
Moreover, RevealX captures full packets and NetFlow telemetry across more layers of the network (OSI layers 2-7) than competing solutions, which only inspect traffic in OSI layers 3 and 4. It also extracts the most comprehensive set of metadata from network traffic of all NDR providers. By monitoring more OSI layers and analyzing more metadata, RevealX is able to provide much richer context about what’s happening on an organization’s network, which helps to accelerate mean time to detect, investigate, and respond and also helps to reduce false positives.
The visibility RevealX provides is lauded by customers and analysts: ExtraHop was named a leader in both the IDC MarketScape: Worldwide Network Detection and Response 2024 Vendor Assessment and the Forrester Wave: Network Analysis and Visibility Q2 2023.
Lee Chieffalo, Technical Director of ISP Viasat, an ExtraHop customer, says, “With RevealX, I can tell you what every packet is doing anywhere on the network, at any given time: where it’s going, where it came from, and what is being said across both sides of the conversation. This enables my team to make accurate, informed decisions about optimization, security, and troubleshooting on the network.”
Detect Anomalies
CISA guidance:
- Scrutinize and investigate any atypical or unusual configuration modifications or alterations to network devices including switches, routers, and firewalls.
- Implement alerting for unauthorized changes to the network, including unusual route updates, weak protocols that have been enabled, and changes to users and access control lists.
- Monitor user and service account logins for anomalies
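The login-monitoring item above is easiest to reason about with a concrete baseline-and-compare routine. The following is an added example written for this article, not ExtraHop code: it builds a per-account baseline from a known-good window of authentication events and then flags new logon paths, interactive use of service accounts, off-hours logons, unknown accounts, and bursts of failures. The account names, hosts, timestamps and the event-record shape are constructed for illustration; the fields mirror what an NDR would extract from Kerberos or NTLM exchanges, or what a domain controller logs as successful and failed logons.

```python
"""Baseline account logins and flag anomalies (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime

# Assumed naming convention for service accounts (constructed).
SERVICE_ACCOUNTS = {"svc-backup", "svc-monitor"}


def ev(user, src, dst, logon_type, result, day, hour):
    """Build one constructed authentication event."""
    return {"user": user, "src": src, "dst": dst, "logon_type": logon_type,
            "result": result, "time": datetime(2025, 1, day, hour)}


# Known-good training window (constructed).
BASELINE_EVENTS = [
    ev("alice", "ws-01", "fs-01", "interactive", "success", 7, 9),
    ev("alice", "ws-01", "fs-01", "interactive", "success", 7, 10),
    ev("alice", "ws-01", "fs-01", "interactive", "success", 8, 14),
    ev("alice", "ws-01", "mail-01", "network", "success", 8, 9),
    ev("svc-backup", "bk-01", "fs-01", "network", "success", 7, 2),
    ev("svc-backup", "bk-01", "fs-01", "network", "success", 8, 3),
    ev("svc-backup", "bk-01", "db-01", "network", "success", 8, 2),
]

# Events to evaluate against the baseline (constructed).
NEW_EVENTS = [
    ev("alice", "ws-01", "fs-01", "interactive", "success", 14, 10),   # normal
    ev("alice", "ws-07", "fs-01", "network", "success", 14, 10),       # new source host
    ev("svc-backup", "ws-07", "dc-01", "interactive", "success", 14, 11),  # service acct misuse
    ev("bob", "ws-09", "fs-01", "network", "success", 14, 10),         # never seen before
    ev("alice", "ws-01", "fs-01", "interactive", "success", 14, 23),   # off hours
] + [ev("alice", "ws-07", "fs-01", "network", "failure", 14, 10) for _ in range(6)]


def build_baseline(events):
    """Per account: (src, dst) pairs and hours of day seen in successful logons."""
    base = defaultdict(lambda: {"pairs": set(), "hours": set()})
    for e in events:
        if e["result"] != "success":
            continue
        base[e["user"]]["pairs"].add((e["src"], e["dst"]))
        base[e["user"]]["hours"].add(e["time"].hour)
    return base


def detect(baseline, events, fail_threshold=5):
    """Return (finding, account, detail) tuples for anomalous events."""
    findings = []
    failures = defaultdict(int)
    for e in events:
        u = e["user"]
        if e["result"] != "success":
            failures[(u, e["src"])] += 1
            if failures[(u, e["src"])] == fail_threshold:   # alert once per burst
                findings.append(("auth_failure_burst", u, e["src"]))
            continue
        b = baseline.get(u)
        if b is None:
            findings.append(("unknown_account", u, e["src"]))
            continue
        if (e["src"], e["dst"]) not in b["pairs"]:
            findings.append(("new_logon_path", u, f'{e["src"]}->{e["dst"]}'))
        if u in SERVICE_ACCOUNTS and e["logon_type"] == "interactive":
            findings.append(("service_account_interactive", u, e["src"]))
        if e["time"].hour not in b["hours"]:
            findings.append(("off_hours_logon", u, e["time"].isoformat()))
    return findings


def run():
    return detect(build_baseline(BASELINE_EVENTS), NEW_EVENTS)


if __name__ == "__main__":
    for f in run():
        print(f)
```

A production baseline would use a longer window and a tolerance around the observed hours; the point here is that each finding ties back to one of the CISA items (a service account used interactively from a workstation is both a new logon path and a logon-type anomaly, which is exactly the living-off-the-land pattern the guidance is worried about).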
The RevealX Advantage
RevealX performs machine learning in the cloud on all the network data it collects to baseline normal network behavior and detect suspicious deviations from it. The benefit of cloud-based machine learning, as opposed to conducting machine learning “on box” (on the appliance itself), is that machine learning is a compute-intensive process, and the cloud can scale on the fly to handle and correlate much higher volumes of data. Cloud-based machine learning leads to faster, more efficient training of the model ExtraHop uses to distinguish potential threats from normal network behavior.
RevealX also provides detection alerts for unusual traffic patterns, weak protocol usage, expired and expiring certificates, suspicious inbound and outbound connections, command and control communication, living off the land techniques, use of remote management and monitoring (RMM) software, dual-use software, data exfiltration, and a large portfolio of passively identified device software and attacker tools leveraged for network enumeration, scanning, file manipulation, and other lateral movement activities.
Additionally, RevealX decodes more than 90 network, application, database, and internet protocols, including the Microsoft authentication and remote-procedure protocols (Kerberos, MSRPC, and NTLM) that Salt Typhoon and other threat actors abuse to move laterally and evade detection; much of that traffic is encrypted or signed, which is why decoding alone is not enough. Because RevealX captures full packets and can decrypt them, it can detect living off the land techniques that ride on encrypted protocols with high confidence. It also decrypts payloads to provide security analysts with higher fidelity alerts and far greater context than competing solutions.
The unparalleled protocol fluency built into RevealX allows it to deliver visibility into common authentication protocols and behaviors, and to continuously and comprehensively monitor user logins in the context of devices. In contrast, competing NDR solutions decode about 20 protocols at best.
Security Hygiene
CISA guidance:
- Ensure the inventory of devices and firmware in the environment are up to date to enable effective visibility and monitoring.
- Limit exposure of management traffic to the internet.
- Understand which assets should be forward-facing and remove those that should not be forward-facing.
The RevealX Advantage
RevealX automatically discovers and classifies local participants on a network (devices, users, and files) from observed network transactions, and maps the transactional relationships between them, including which side initiated each conversation. This automatic asset discovery capability enables RevealX to provide customers with the most up-to-date, real-time inventory of devices connecting to their networks. Even more important, this capability allows RevealX to maintain a historical record of every communication from every device.
RevealX also observes and reports on the devices, including both critical and unmanaged devices, that are exposed to the public internet and making outbound connections, so that organizations can continuously and comprehensively identify the threat surface of management traffic and its exposure.
Security Logging
CISA guidance:
- Implement a SIEM to facilitate secure, centralized logging, with the ability to analyze and correlate large amounts of data from different sources.
- Collect logs at all levels of the environment: network operating system, application, and software levels as it pertains to network devices.
- Enable logging and auditing on devices; ensure logs can be offloaded from devices.
- Establish a baseline of normal network behavior and define rules on security appliances to alert on abnormal behavior.
The RevealX Advantage
RevealX makes SIEM solutions work better by fueling them with contextual network telemetry collected from transaction logs, NetFlow data, and full packets. SIEM solutions that correlate and enrich endpoint and log data with network data produce higher fidelity detections and fewer false positives.
RevealX integrates seamlessly with CrowdStrike Falcon® LogScale and Splunk. All RevealX data types are accessible to SIEM solutions via REST API. Network metadata can also be streamed out of RevealX and into a SIEM. Bottom line: The most comprehensive log data is easily extracted from RevealX and made available to virtually any SIEM.
Harden Systems and Devices
CISA guidance:
- Ensure device management is physically isolated from customer and production networks.
- Ensure that management of network infrastructure devices can only come from an out-of-band network management tool.
- Implement a strict default-deny ACL strategy to control inbound and egressing traffic, and ensure all denied traffic is logged.
- Employ strong network segmentation via the use of router ACLs, stateful packet inspection, firewall capabilities, and demilitarized zone (DMZ) constructs.
- Harden and secure VPN gateways by limiting external exposure and port exposure to minimum requirements (e.g., udp/500, udp/4500, and protocol type 50 - ESP).
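Several of the guidance items above reduce to policy checks over flow records: the "Strengthen Visibility and Monitoring" item about investigating unexpected GRE or IPsec tunnel usage, the out-of-band management item about not allowing lateral management connections between devices, and the hardening items about a logged default-deny ACL and a VPN gateway that exposes only udp/500, udp/4500 and ESP. The following is an added example written for this article, not ExtraHop code; it evaluates constructed flow records (the 5-tuple an NDR or NetFlow collector would export) against those rules. The address ranges, the VPN gateway, the management enclave, the approved tunnel peer and the management port list are all assumptions made for illustration.

```python
"""Audit flow records against tunnel, management-plane and default-deny rules (added example)."""
import ipaddress
from dataclasses import dataclass

GRE, ESP, TCP, UDP = 47, 50, 6, 17

# Assumed topology (constructed): internal space, VPN gateway, management enclave, infra devices.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
VPN_GATEWAYS = {ipaddress.ip_address("203.0.113.10")}
MGMT_ENCLAVE = ipaddress.ip_network("10.99.0.0/24")      # out-of-band management network
INFRA_DEVICES = ipaddress.ip_network("10.1.0.0/24")      # routers, switches, firewalls
APPROVED_TUNNELS = {("203.0.113.10", "198.51.100.7")}   # (local, remote) IPsec peer pair
MGMT_PORTS = {22, 161, 443, 830}                          # SSH, SNMP, HTTPS, NETCONF


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int = 0   # 0 for protocols without ports (GRE, ESP)


def is_internal(ip):
    return any(ip in n for n in INTERNAL_NETS)


def vpn_gateway_acl_permits(flow):
    """The only inbound traffic the edge ACL permits: IKE, NAT-T and ESP to a VPN gateway."""
    if ipaddress.ip_address(flow.dst) not in VPN_GATEWAYS:
        return False
    if flow.proto == UDP and flow.dport in (500, 4500):
        return True
    return flow.proto == ESP


def is_tunnel(flow):
    return flow.proto in (GRE, ESP) or (flow.proto == UDP and flow.dport in (500, 4500))


def audit(flows):
    """Return (finding, flow) pairs; every denied or unexpected flow is recorded, per CISA."""
    findings = []
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        # 1. default-deny at the edge: externally sourced traffic must match the VPN ACL
        if not is_internal(src) and not vpn_gateway_acl_permits(f):
            findings.append(("ACL_DENY", f))
        # 2. GRE/IPsec between endpoints that are not an approved tunnel pair
        if is_tunnel(f) and (f.src, f.dst) not in APPROVED_TUNNELS \
                and (f.dst, f.src) not in APPROVED_TUNNELS:
            findings.append(("UNEXPECTED_TUNNEL", f))
        # 3. management-plane access to infra devices: only from the enclave, never device-to-device
        if dst in INFRA_DEVICES and f.dport in MGMT_PORTS:
            if src in INFRA_DEVICES:
                findings.append(("LATERAL_MGMT", f))
            elif src not in MGMT_ENCLAVE:
                findings.append(("MGMT_FROM_OUTSIDE_ENCLAVE", f))
    return findings


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.10", UDP, 500),   # approved peer: IKE
    Flow("198.51.100.7", "203.0.113.10", ESP),        # approved peer: ESP
    Flow("192.0.2.55", "203.0.113.10", TCP, 443),     # internet -> gateway HTTPS: denied
    Flow("192.0.2.55", "10.1.0.5", GRE),              # internet -> router GRE: denied + unexpected
    Flow("10.20.3.14", "10.1.0.1", TCP, 22),          # user LAN -> router SSH: outside enclave
    Flow("10.99.0.5", "10.1.0.1", TCP, 22),           # management enclave -> router SSH: fine
    Flow("10.1.0.1", "10.1.0.2", TCP, 22),            # router -> router SSH: lateral management
    Flow("10.1.0.1", "192.0.2.99", GRE),              # router -> unknown external GRE: unexpected
]

if __name__ == "__main__":
    for kind, flow in audit(SAMPLE_FLOWS):
        print(kind, flow)
```

The last sample flow is the one worth dwelling on: a GRE tunnel opened from a router to an address that is not an approved peer is precisely the "unexpected GRE or IPsec tunnel usage" the guidance asks operators to investigate, and it is invisible to a tool that only sees management-plane logs from the device itself.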
The RevealX Advantage
RevealX can be leveraged to continuously monitor observed protocols and management networks in accordance with the segmentation and isolation recommendations from CISA. With respect to VPN gateway security, RevealX dynamically discovers and continuously monitors VPN gateways and users.
More importantly, when critical transactions are carried inside encrypted sessions or overlay encapsulation, RevealX decrypts and de-encapsulates those transactions, allowing network engineers to see what they can no longer see from routing tables, SNMP counters, and NetFlow logs.
Encrypt Traffic
CISA guidance:
- Ensure that traffic is end-to-end encrypted to the maximum extent possible.
- Confirm that TLSv1.3 is used on any TLS-capable protocols to secure data in transit over a network and that TLS is configured to only use strong cryptographic cipher suites.
- Use PKI-based certificates instead of self-signed certificates.
- Implement a robust process to renew certificates before they expire.
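The four encryption items above can be checked directly from the TLS negotiation metadata an NDR or TLS-terminating proxy records for each handshake (protocol version, negotiated cipher suite, key-exchange group, whether the server certificate is self-signed, and its expiry). The following is an added example written for this article, not ExtraHop code; the handshake records, hostnames and dates are constructed. The strong-suite list (forward-secret ECDHE with an AEAD cipher), the 30-day renewal window and the set of post-quantum hybrid group names are policy assumptions to adjust to your environment.

```python
"""Audit observed TLS negotiations against CISA's encryption items (added example)."""
from datetime import datetime, timedelta, timezone

# TLS 1.2 suites tolerated where 1.3 is not yet deployed: ECDHE (forward secrecy) + AEAD only.
STRONG_TLS12_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}
# Every TLS 1.3 suite is AEAD with an ephemeral key exchange, so only the group is policy-relevant.
# Hybrid PQ group names as registered with IANA at the time of writing (assumption: adjust to policy).
PQ_HYBRID_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768"}
RENEWAL_WINDOW = timedelta(days=30)


def audit_tls(records, now):
    """Return (server, [issues]) for every handshake record that violates policy."""
    findings = []
    for r in records:
        issues = []
        v = r["version"]
        if v in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
            issues.append("deprecated_version")
        elif v == "TLSv1.2":
            issues.append("not_tls13")
        if v != "TLSv1.3" and r["cipher"] not in STRONG_TLS12_SUITES:
            issues.append("weak_cipher")
        if r["cipher"].startswith("TLS_RSA_WITH"):      # static RSA: no forward secrecy
            issues.append("no_forward_secrecy")
        if r["self_signed"]:
            issues.append("self_signed_cert")
        remaining = r["not_after"] - now
        if remaining <= timedelta(0):
            issues.append("cert_expired")
        elif remaining <= RENEWAL_WINDOW:
            issues.append("cert_expiring")
        if r["group"] and r["group"] not in PQ_HYBRID_GROUPS:
            issues.append("classical_key_exchange")     # informational: not yet PQ-hybrid
        if issues:
            findings.append((r["server"], issues))
    return findings


NOW = datetime(2025, 1, 14, tzinfo=timezone.utc)


def rec(server, version, cipher, group, self_signed, days_left):
    """Build one constructed handshake record."""
    return {"server": server, "version": version, "cipher": cipher, "group": group,
            "self_signed": self_signed, "not_after": NOW + timedelta(days=days_left)}


# Constructed sample handshakes.
SAMPLE_RECORDS = [
    rec("api.example.net", "TLSv1.3", "TLS_AES_256_GCM_SHA384", "X25519MLKEM768", False, 200),
    rec("portal.example.net", "TLSv1.3", "TLS_AES_128_GCM_SHA256", "X25519", False, 12),
    rec("legacy.example.net", "TLSv1.2", "TLS_RSA_WITH_AES_128_CBC_SHA", None, True, -3),
    rec("mgmt.example.net", "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "secp256r1", False, 400),
    rec("old-router.example.net", "TLSv1", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", None, True, 100),
]

if __name__ == "__main__":
    for server, issues in audit_tls(SAMPLE_RECORDS, NOW):
        print(server, ", ".join(issues))
```

Two of the records are typical of network infrastructure rather than web servers: a management interface that still negotiates TLS 1.2 with an otherwise strong suite, and an old router on TLS 1.0 with a self-signed certificate and static RSA. Both are exactly the "weak protocols that have been enabled" that the anomaly-detection items earlier in the guidance ask operators to alert on.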
The RevealX Advantage
RevealX delivers TLS header and negotiation analysis on all transactions, allowing for real-time auditing of the cryptographic environment, including which key exchanges do and do not use post-quantum key agreement.
In addition, RevealX natively decrypts TLS traffic, including TLSv1.3, in real time at speeds up to 100 Gbps, so organizations can maintain visibility while leveraging the latest encryption standards. Because TLSv1.3 mandates forward-secret key exchange, decrypting it passively requires session keys forwarded from the endpoints rather than a static server private key. In contrast, our competitors top out at speeds of about 40 Gbps. Also, encrypted traffic analysis, the capability offered in competing NDR solutions, can’t detect encrypted Microsoft protocol attacks or other “living off the land” techniques used by Salt Typhoon and other threat actors. Because of its full packet capture capability and its ability to decrypt and decode Microsoft protocols including Kerberos, MSRPC, LDAP, WinRM, SMBv3, and NTLM, RevealX can detect living off the land techniques with high confidence.
See for Yourself
Want to see RevealX in action? Run simulated attacks in our self-guided demo to see how RevealX detects threats across different stages of the kill chain, or sign up for a personalized live demo with one of our engineers.