The US federal government recently took an unprecedented step in the fight against cyber espionage, publishing detailed technical guidance on tactics and techniques used by Chinese state-sponsored actors.
The NSA, CISA, and the FBI have done the security community a great favor by making this material public, mapping tactics and techniques to MITRE ATT&CK, and providing a breakdown of specific exploited vulnerabilities.
Notably, instead of cautioning against stealthy zero-days this alert reminds us of the importance of basic security hygiene like prompt patching since these actors typically race to weaponize exploits upon public release of new vulnerabilities. The alert also calls out their usage of popular off-the-shelf tools like Cobalt Strike and common tactics like hopping through proxies to obfuscate country of origin, which has been common in online crime for decades now.
Thus, with the right monitoring and detection technologies and processes in place these attackers can be identified fairly reliably.
In the spirit of the original bulletin and our open-source heritage, Corelight has produced a document breaking down our ability to identify and detect these attackers’ techniques, both in terms of coverage for specific vulnerabilities as well as broader guidance for larger topics like exfiltration and C2 obfuscation. Used in combination with Corelight’s ATT&CK-aligned Threat Hunting Guide and the operational guidance provided by our Technical Account Management team, this new document will help Corelight customers fast-forward their ability to detect and evict these attackers.
Of course, the mitigations from this bulletin apply to other attackers as well. The specific vulnerabilities outlined in the document are all in wide exploitation by an array of attackers, and fundamental strategies such as “Enhance monitoring of network traffic, email, and endpoint systems” are sound advice regardless of whether you’re dealing with a script kiddie or a nation-state. That’s why strategic investments in comprehensive monitoring strategies will pay dividends for your entire security program - making it harder for one attacker makes it harder for all of them.