@chris_c: Only problem with what you're saying is that this new policy leaves all the "old routers" in place and still exposed. NO CURRENTLY INSTALLED LEGACY DEVICES ARE AFFECTED BY THIS NEW POLICY. In short, it won't stop another Volt Typhoon. Wouldn't it be better to block these sorts of attacks upstream rather than just blocking deployment of new, more secure routers at the end-user level??[....]
The problem with banning existing installed old routers is: the internet suddenly stops working at homes and offices. Not a practical solution!
Blocking attacks from sophisticated, nation-state actors, like Volt Typhoon, requires a proactive "defend-forward" strategy, focusing on securing edge devices, implementing Zero Trust architecture, and eliminating "living-off-the-land" (LOTL) techniques.
Volt Typhoon primarily targets critical infrastructure by compromising SOHO routers, VPNs, and firewalls to blend in with legitimate network traffic.
Here is how to block such attacks upstream:
1. Secure Edge Devices and Perimeters
Prioritize patching internet-facing devices (firewalls, routers, VPNs) from targeted vendors, e.g. Cisco, Fortinet, Ivanti, and Netgear.
Disable remote management interfaces on routers and firewalls. Do not expose admin interfaces to the internet.
Identify and replace network technology (routers switches APs etc) that is no longer supported by manufacturers.
If hardware cannot be immediately patched, use virtual patching (e.g., WAF or IPS) to block access to vulnerabilities.
2. Implement Zero Trust and Network Segmentation with VLANs etc
Isolate Operational Technology (OT) and SCADA systems from general business networks using firewalls and demilitarized zones (DMZs).
Assume breach, even from trusted suppliers, and continuously validate all access requests.
Restrict the ability of edge devices to communicate with internal, sensitive servers.
3. Mitigate "Living-off-the-Land" (LOTL) Techniques
Volt Typhoon avoids malware, using built-in system tools (PowerShell, WMI) to stay hidden.
Log and alert on suspicious command-line activity, such as unusual PowerShell scripts or unauthorized use of admin tools.
Allow only approved, trusted (whitelisted) apps and scripts to run on systems.
Turn off unused services such as Telnet, FTP, or HTTP.
4. Beef up Credential Security
Enforce phishing-resistant multi-factor authentication (e.g., FIDO2 keys) for all remote access and admin accounts.
Regularly audit and deactivate unused accounts.
5. Detect and Count first access attemts.
Look for large, unexpected data transfers originating from routers or edge devices, especially those moving to external, non-standard IP address destinations.
Configure Endpoint Detection and Response (EDR) tools, such as Microsoft Defender for Endpoint, to "block mode" to automatically mitigate malicious artifacts.
Monitor for traffic signatrues associated with the "KV-botnet," which uses stolen SOHO routers to hide traffic.
6. Supply Chain and Third-Party Risk Management
Require vendors to provide hardware and software that is secure by design, reducing the need for post-sale hardening.
Use Software Bill Of Materials - including all open source software libraries it uses - to identify if your apps and networking gear are affected by newly disclosed vulnerabilities in third-party software.