SaltTyphoon APT: Unified SASE as a Service to the Rescue


Overview

Events like SaltTyphoon are an excellent reminder of how susceptible enterprises and users are to breaches because of dependencies on infrastructure that may not be under their control. With increasingly distributed applications serviced by public clouds, SaaS, and global service providers for computing, storage, and networks, much of the attack surface sits outside their control. As the saying goes, breaches have become a matter of when, not if. The most apparent approach to thriving in this environment is to reduce external and internal attack surfaces by applying Zero Trust principles and securing by design. Ensuring secure network access with Unified SASE as a Service is a huge step forward in operational simplicity because it removes network and security vendor sprawl. In the event of a breach, it is even more critical to isolate the problem, reduce the blast radius, and continue to meet the needs of the business. SASE centralizes the deployment of the various security technologies and provides faster response times, which significantly improves network hygiene and reduces attack surfaces.

Targeted Infrastructure

Popular infrastructure products such as switches and routers are widely deployed across the industry, and it is well known that the factory default password is sometimes never changed. Given the prevalence of Cisco gear, it is unsurprising that SaltTyphoon targets Cisco devices, for several reasons discussed below:

  • Considering its ubiquity and market dominance, Cisco is one of the largest networking equipment providers worldwide. Its devices are deployed in enterprises, service providers, and critical infrastructure. A successful compromise of Cisco gear can grant attackers access to networks with sensitive and high-value information.
  • SaltTyphoon often focuses on government, military, and critical infrastructure, where Cisco gear is widely deployed. Cisco gear such as routers, switches, and firewalls is central to network traffic management, making it an ideal point for interception, data exfiltration, or traffic manipulation. Cisco equipment is frequently used in organizations managing politically or economically sensitive operations, making it a perfect espionage target. These devices hold trusted network positions, and a compromise can bypass security measures and disrupt operations, giving attackers leverage over targeted organizations.
  • For persistent access and stealthy operations, Cisco gear provides a strong foothold for implanting a backdoor. SaltTyphoon often deploys persistent malicious code directly into network infrastructure by targeting Cisco devices, since compromised network gear frequently evades endpoint detection systems and gives the group a stealthy foothold.
  • SaltTyphoon is known for exploiting unpatched vulnerabilities, and Cisco devices have been associated with high-profile vulnerabilities over the years (e.g., Cisco Smart Install and VPN flaws). Advanced exploits targeting Cisco systems are readily developed or acquired. By exploiting Cisco gear in strategic positions, attackers can compromise multiple downstream organizations in a supply chain.

Challenges Associated with Cleaning of IT Systems

Much of the cleanup effort stems from the stitched-together, fragmented solutions that several different vendors often provide. Additionally, there is very little visibility and no monitoring system in place, meaning the malware could lurk in any part of the infrastructure. Hence, the challenge is to determine which systems are infected and then find a way to remediate them. The technical constraints are:

  • APTs use stealth tactics (fileless malware, encryption, and obfuscation), persistence mechanisms (hidden registry keys, scheduled tasks, firmware-level modifications), and tailored tools to avoid detection and cleanup attempts.
  • There is a lack of visibility due to complex environments such as sprawling IT systems with numerous endpoints, servers, and cloud integrations, which makes monitoring harder. Many organizations don’t log enough data or retain it long enough to trace the full extent of the compromise.
  • Human limitations due to skills gaps and slow response time allow attackers to establish a stronger foothold. Many organizations lack specialized skills and resources to respond to APTs. In addition, organizations prioritize operational needs over security, leaving gaps in defenses.
  • Detection lag due to dwell time is also a contributing factor, as APTs can remain undetected for months or even years. During this time, they can deploy multiple backdoors and compromise various systems. By the time they’re discovered, the attackers may have infiltrated deeply.

Unified SASE as a Service as Integrated Protection Measure

Unified SASE as a Service, a key solution in Aryaka’s arsenal, is instrumental in the fight against advanced persistent threats (APTs) like SaltTyphoon. Its proactive and reactive defenses are designed to outmaneuver advanced attacks, making them crucial to any organization’s security strategy.

  • Enforcing the principle of least privilege is a critical step in the battle against APTs. Organizations must implement granular access controls using ZTNA to ensure that users, devices, and applications can only interact with the specific resources required for their roles. This significantly reduces the potential for an APT to cause widespread damage, making it a key defense strategy.
  • Identity and context-aware policies, which consider location, time, and behavior, are crucial in the battle against APTs. By enabling continuous verification of users and devices, these policies significantly reduce the chances of an attacker successfully impersonating a legitimate user. This instills confidence in the security measures, making them an essential part of any organization’s defense strategy.
  • Unified SASE as a Service provides containment capabilities using micro-segmentation to isolate workloads, applications, and devices within the network. This strategy restricts an APT’s lateral movement, preventing attackers from compromising additional systems even if they have gained an initial foothold.
  • With Unified SASE as a Service, organizations can enhance monitoring and visibility at the networking and security layers to detect anomalies and correlate indicators to identify and respond to potential APT activities early. In addition, security features like SWG, FwaaS, IPS, file scanning, etc., provide real-time alerts and automated responses to suspicious activities, enabling organizations to swiftly detect and contain APT actions.
  • It is widely understood that APTs steal sensitive data and intellectual property from target networks, so attackers need to exfiltrate that information to remote locations. With Unified SASE as a Service, sensitive data leakage and data transfer anomalies during exfiltration, including protocol abuse, can be detected using security features such as CASB, DLP, and security engines that use ML/AI for anomaly detection.

General Recommendations

One crucial consideration is operational simplicity, because these processes can add significant burdens and are hard to maintain sustainably. Defining clear roles and responsibilities for creating and managing security policies and procedures is very helpful. Organizations can go beyond what CISA and the FBI have suggested:

  • Implement a Zero-Trust Architecture to require authentication and authorization for every access request, whether internal or external. When organizations follow the principle of “never trust, always verify,” they help limit lateral movement and reduce the impact of compromise.
  • Proactive threat hunting plays a vital role in finding APTs as early as possible. Regularly search for known APT-related Indicators of Compromise (IOCs), such as malicious IPs, file hashes, and domains. Organizations should also focus on Indicators of Attack (IOAs) to detect malicious intent and tactics, such as lateral movement, privilege escalation, and data exfiltration.
  • Harness the power of advanced security and networking technologies. First, segmentation divides your network into smaller zones to contain threats and limit attackers’ movement. Second, deception technology such as honeypots and decoys can be used to detect and study attackers’ behavior. Third, AI-driven automation can be used for faster detection, triage, and response to APT activity.
  • Organizations should regularly conduct tabletop exercises to determine the effectiveness of their IR plan with realistic scenarios, including APT simulations and attack playbooks for common attack scenarios. In addition, they should test backups frequently to ensure they are functional and can be restored quickly.
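The IOC and IOA hunting described in the recommendations above, as an added example that is not part of the original post or Aryaka's product: it scans Cisco-style syslog lines for known-bad addresses (IOC) and for two behaviours the post highlights on network gear (IOA), a login that succeeds after a burst of failures, which is what default or weak credentials look like in logs, and a configuration change from a host outside the management allowlist. The indicator list, allowlist, and log lines are all constructed for the example.

```python
"""IOC/IOA hunt over network-device syslog (constructed example data)."""
import re
from collections import defaultdict

# Constructed indicator list: TEST-NET-3 address, not a real Salt Typhoon IOC.
IOC_IPS = {"203.0.113.77"}
# Management hosts permitted to change device configuration (assumption).
ADMIN_ALLOWLIST = {"10.10.0.5"}
FAILURE_THRESHOLD = 3  # failures before a success counts as suspicious

# Constructed Cisco-style syslog lines for one edge router.
SAMPLE_LOGS = """\
<189>Mar 10 02:14:01 edge-rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.77] [localport: 22]
<189>Mar 10 02:14:03 edge-rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.77] [localport: 22]
<189>Mar 10 02:14:05 edge-rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.77] [localport: 22]
<189>Mar 10 02:14:09 edge-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.77] [localport: 22]
<189>Mar 10 02:15:30 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.77)
<189>Mar 10 02:16:00 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by netops on vty1 (10.10.0.5)
"""

LOGIN_RE = re.compile(r"%SEC_LOGIN-\d-LOGIN_(FAILED|SUCCESS):.*\[Source: ([\d.]+)\]")
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+) on \S+ \(([\d.]+)\)")


def hunt(lines):
    """Return (kind, rule, subject) findings; kind is 'IOC' or 'IOA'."""
    findings = []
    failures = defaultdict(int)  # failed logins seen per source address
    for line in lines:
        # IOC: a known-bad address anywhere in the event
        for ip in IOC_IPS:
            if ip in line:
                findings.append(("IOC", "known_bad_ip", ip))
                break
        m = LOGIN_RE.search(line)
        if m:
            outcome, src = m.groups()
            if outcome == "FAILED":
                failures[src] += 1
            elif failures[src] >= FAILURE_THRESHOLD:
                # IOA: success after repeated failures from the same source
                findings.append(("IOA", "login_after_failures", src))
        m = CONFIG_RE.search(line)
        if m:
            user, src = m.groups()
            if src not in ADMIN_ALLOWLIST:
                # IOA: running config changed from an unsanctioned host
                findings.append(("IOA", "config_change_unsanctioned", f"{user}@{src}"))
    return findings


def hunt_sample():
    return hunt(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for finding in hunt_sample():
        print(finding)
```

In practice the IOC set would be fed from a threat-intelligence feed and the allowlist from the network inventory; the IOA rules need no indicators at all, which is why they still fire when an attacker rotates infrastructure.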

By using the power of Unified SASE as a Service, organizations can transform their networks into highly resilient environments where APTs face constant barriers at every stage of the attack lifecycle, from reconnaissance to exploitation and exfiltration.

About the author

Aditya Sood
Aditya K Sood (Ph.D.) is the VP of Security Engineering and AI Strategy at Aryaka. With more than 16 years of experience, he provides strategic leadership in information security, covering products and infrastructure. Dr. Sood is interested in Artificial Intelligence (AI), cloud security, malware automation and analysis, application security, and secure software design. He has authored several papers for various magazines and journals, including IEEE, Elsevier, Crosstalk, ISACA, Virus Bulletin, and Usenix. He has been an active speaker at industry conferences and has presented at Blackhat, DEFCON, HackInTheBox, RSA, Virus Bulletin, OWASP, and many others. Dr. Sood obtained his Ph.D. in Computer Science from Michigan State University. He is also the author of the books "Targeted Cyber Attacks" and "Empirical Cloud Security". He has held positions such as Senior Director of Threat Research and Security Strategy, Head (Director) of Cloud Security, Chief Architect of Cloud Threat Labs, and Lead Architect and Researcher while working for companies such as F5 Networks, Symantec, Blue Coat, Elastica, and KPMG.