23 of 45 | Product ID: AA24-038A
MITIGATIONS
The authoring agencies recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of Volt Typhoon activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
IT Network Administrators and Defenders
Harden the Attack Surface
• Apply patches for internet-facing systems within a risk-informed span of time [CPG 1E]. Prioritize patching critical assets, known exploited vulnerabilities, and vulnerabilities in appliances known to be frequently exploited by Volt Typhoon (e.g., Fortinet, Ivanti, NETGEAR, Citrix, and Cisco devices).
• Apply vendor-provided or industry-standard hardening guidance to strengthen software and system configurations. Note: As part of CISA’s Secure by Design campaign, CISA urges software manufacturers to prioritize secure-by-default configurations to eliminate the need for customer implementation of hardening guidelines.
• Maintain and regularly update an inventory of all organizational IT assets [CPG 1A].
• Use third-party assessments to validate current system and network security compliance via security architecture reviews, penetration tests, bug bounties, attack surface management services, incident simulations, or table-top exercises (both announced and unannounced) [CPG 1F].
• Limit internet exposure of systems when not necessary. An organization’s primary attack surface is the combination of the exposure of all its internet-facing systems. Decrease the attack surface by not exposing systems or management interfaces to the internet when not necessary.
These mitigations are intended for IT administrators in critical infrastructure organizations. The authoring agencies recommend that software manufacturers incorporate secure by design and default principles and tactics into their software development practices to strengthen the security posture for their customers.

For information on secure by design practices that may protect customers against common Volt Typhoon techniques, see the joint guide Identifying and Mitigating Living off the Land Techniques and the joint Secure by Design Alert Security Design Improvements for SOHO Device Manufacturers. For more information on secure by design, see CISA’s Secure by Design webpage and joint guide.