Cyber agencies share security guidance for network edge devices
Five Eyes cybersecurity agencies in the UK, Australia, Canada, New Zealand, and the U.S. have issued guidance urging makers of network edge devices and appliances to improve forensic visibility to help defenders detect attacks and investigate breaches.
Such devices include firewalls, routers, virtual private network (VPN) gateways, internet-facing servers, operational technology (OT) systems, and Internet of Things (IoT) devices, and they have been heavily targeted by both state-sponsored and financially motivated attackers.
Edge devices are often targeted and compromised because most of them cannot run Endpoint Detection and Response (EDR) agents, so threat actors can use them to gain initial access to the target's internal enterprise network with little chance of being noticed.
In many cases, such devices also lack regular firmware upgrades and strong authentication, come with security vulnerabilities and insecure configurations by default, and provide limited logging, severely reducing security teams’ ability to detect breaches.
Moreover, because they sit at the network perimeter and carry almost all corporate traffic, an unsecured edge device gives an attacker a convenient position from which to monitor that traffic and harvest credentials for further access into the network.
“Foreign adversaries routinely exploit software vulnerabilities in network edge devices to infiltrate critical infrastructure networks and systems. The damage can be expensive, time-consuming, and reputationally catastrophic for public and private sector organizations,” CISA said.
“Device manufacturers are encouraged to include and enable standard logging and forensic features that are robust and secure by default, so that network defenders can more easily detect malicious activity and investigate following an intrusion,” the UK’s National Cyber Security Centre (NCSC) added.
The cybersecurity agencies also advised network defenders to treat the guidance's recommended minimum requirements for forensic visibility as selection criteria when choosing physical and virtual network devices for their organizations.
Over the last several years, attackers have kept targeting edge networking devices from various manufacturers, including Fortinet, Palo Alto, Ivanti, SonicWall, TP-Link, and Cisco.
In response to threat actor activity, CISA has issued multiple “Secure by Design” alerts, one of them in July 2024 asking vendors to eliminate OS command injection vulnerabilities, the class of flaw exploited by the Chinese state-backed Velvet Ant threat group to hack into Cisco, Palo Alto, and Ivanti network edge devices.
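To make the vulnerability class concrete, the following is an added example (not code from the article, from CISA, or from any of the vendors named) of how OS command injection typically arises in an appliance's management UI and how the two recommendations on this page, eliminating the bug class and logging enough for forensics, look in practice. The handler names, the `echo` stand-in for `ping`, and the access-log lines are all constructed for illustration.

```python
import ipaddress
import re
import subprocess
from typing import List
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a "network diagnostics" handler on an appliance.
# A real handler would run ping; echo is used so the example runs anywhere
# and only shows how /bin/sh parses the command line.


def run_diag_vulnerable(host: str) -> str:
    # Untrusted input is spliced into a command string and handed to a shell.
    # A value such as "127.0.0.1; echo INJECTED" terminates the intended
    # command and starts a second one: classic OS command injection.
    cmd = f"echo ping {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_host(host: str) -> str:
    """Allow-list: accept only an IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host parameter: {host!r}")


def run_diag_hardened(host: str) -> str:
    # Validate first, then pass an argv list with no shell in the loop, so
    # even a value that slipped past validation cannot start a second command.
    argv: List[str] = ["echo", "ping", validate_host(host)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Forensic side: an access log that records the full query string lets
# defenders find injection attempts after the fact. Constructed sample lines.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Feb/2025:10:01:03 +0000] "GET /diag/ping?host=10.0.0.5 HTTP/1.1" 200 118
203.0.113.7 - - [10/Feb/2025:10:01:09 +0000] "GET /diag/ping?host=10.0.0.5%3Bid HTTP/1.1" 200 164
198.51.100.2 - - [10/Feb/2025:10:02:41 +0000] "GET /diag/ping?host=%60curl%20198.51.100.2%60 HTTP/1.1" 200 90
"""

_SHELL_META = re.compile(r"[;|&`$><\n]")


def flag_injection_attempts(log_text: str) -> List[str]:
    """Return the log lines whose decoded query parameters contain shell metacharacters."""
    flagged: List[str] = []
    for line in log_text.splitlines():
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qs percent-decodes the values, so %3B becomes ";" here.
        for values in parse_qs(query, keep_blank_values=True).values():
            if any(_SHELL_META.search(v) for v in values):
                flagged.append(line)
                break
    return flagged
```

The hardened handler does two independent things: it rejects anything that is not a host before the command is built, and it never lets a shell interpret the value at all. Either alone closes the example payload; together they also cover inputs the allow-list did not anticipate. The log scan is deliberately crude (it only looks for metacharacters in decoded parameters), but it only works at all if the device records query strings, which is the kind of default the guidance asks manufacturers for.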
The U.S. cybersecurity agency also urged manufacturers of small office/home office (SOHO) routers to secure their devices against Volt Typhoon attacks and tech vendors to stop shipping software and devices with default passwords.