Shifting from reactive to proactive: Cyber resilience amid nation-state espionage
In recent years, the cybersecurity industry has made significant strides in securing endpoints with advanced Endpoint Detection and Response (EDR) solutions, and we have been successful in making life more difficult for our adversaries.
While this progress is a victory, it has also produced a predictable and dangerous consequence: threat actors are shifting their focus to the network perimeter, a domain often plagued by technical debt and forgotten hardware.
The recent cyber espionage campaign by the China-linked group Salt Typhoon demonstrates this shift. It is the latest in a series of campaigns that share a dangerous common thread with the activity of other major adversaries, including Russia's Static Tundra and various ransomware groups.
These groups are all exploiting the ghosts in our networks: old, unpatched, and forgotten routers, VPNs, and firewalls at the network perimeter, which make very attractive targets.
Leaving reactive defenses behind
As organizations have hardened their endpoints with modern security tools, adversaries are finding perimeter equipment that hasn't been patched in years, allowing them to walk right in, steal credentials, and establish long-term persistence. Salt Typhoon's "living off the land" tactics, which rely on the device's own built-in functionality rather than custom malware, are especially difficult to detect and show a level of sophistication aimed at long-term espionage.
This represents not only a significant tactical advance, but also a deep understanding on the part of our adversaries of how U.S. and allied networks are defended today. These attackers have shown that they can operate unseen within the very systems built to protect against them, undermining our national resilience.
This also highlights a critical lesson: a patch is not a time machine. It cannot undo a compromise that happened before it was applied. End-of-Life (EoL) devices that have been forgotten by their owners are not forgotten by exploit writers after the patches stop. These "forgotten" devices may be out of sight for network administrators, but they are front and center for our adversaries. We must treat them as the critical risks they are.
The path to a stronger national security posture lies in mastering the fundamentals that are too often neglected and establishing a proactive security program to anticipate and counter threats.
Going back to fundamentals
Proactive cyber defense goes beyond patching. It’s about rigorous asset and lifecycle management. Organizations must know every single device on their network, and they must have a plan to decommission and replace hardware the moment it reaches its end-of-life.
Patches may end, but exploit development lives on.
These recent attacks highlight the widespread problem that unpatched and end-of-life devices are creating across the globe. Being aware of the problem is good, but not enough.
Organizations must take action to cut their own risks and to preserve the collective health of the internet. Aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the following steps outline how organizations can proactively address these threats:
● Identify: Maintain a complete inventory of all hardware and software. Enforce a strict policy to decommission and replace any device that reaches its end-of-life.
● Protect: For all supported devices, apply critical patches promptly. Deploy devices with secure baseline configurations, disabling any unused or insecure protocols (such as Telnet).
● Detect: Do not trust a device to report on itself. Forward all logs to a centralized, secure SIEM. Monitor for anomalous outbound traffic from network appliances; they should not be making connections to arbitrary IP addresses on the internet.
● Respond: If a vulnerability is discovered on a critical device, assume it was compromised before it was patched. The only prudent response is to rotate every credential associated with that device: passwords, API keys, and OTP seeds.
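The Detect step above is the one most easily turned into a concrete hunt: once appliance logs or flow records land in a central collector, a short script can flag appliances that reach out to internet hosts they have no business contacting, and can also surface the cleartext management protocols the Protect step says to disable. The following is an added example written for this article, not code from the author or from Nightwing. The key=value flow format, the appliance inventory, the internal address ranges and the allow-listed vendor and NTP destinations are all constructed assumptions; substitute your own SIEM export and asset inventory.

```python
"""Hunt flow records for network appliances talking to places they should not.

Added example for this article, not the author's or Nightwing's code.
The flow-record format, the appliance inventory and the allow-lists below are
constructed assumptions; replace them with your own SIEM export and inventory.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed inventory: management IP -> appliance name (hypothetical values).
APPLIANCES = {
    "10.0.0.1": "edge-router-1",
    "10.0.0.2": "vpn-gateway-1",
}

# Assumed internal ranges (RFC 1918 here); use your own address plan.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Assumed external destinations an appliance legitimately reaches
# (constructed: a vendor update range and one external NTP server).
ALLOWED_EXTERNAL = [
    ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.10/32")
]

# Cleartext management protocols that should already be disabled.
CLEARTEXT_PORTS = {23: "telnet", 69: "tftp"}

# Assumed collector format: "<timestamp> src=<ip> dst=<ip> dport=<n> proto=<tcp|udp>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


@dataclass
class Finding:
    ts: str
    appliance: str
    dst: str
    dport: int
    reason: str


def _in_any(addr, networks):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in networks)


def hunt(flow_lines):
    """Return one Finding per suspicious appliance-originated flow."""
    findings = []
    for line in flow_lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # malformed record; a real pipeline would count these
        name = APPLIANCES.get(m["src"])
        if name is None:
            continue  # source is not a managed appliance; out of scope here
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        if _in_any(dst, INTERNAL_NETWORKS):
            # Internal traffic is only flagged when it uses a cleartext protocol.
            if dport in CLEARTEXT_PORTS:
                findings.append(Finding(
                    m["ts"], name, str(dst), dport,
                    f"cleartext management protocol ({CLEARTEXT_PORTS[dport]}) from appliance",
                ))
            continue
        if _in_any(dst, ALLOWED_EXTERNAL):
            continue  # expected vendor update or NTP traffic
        findings.append(Finding(
            m["ts"], name, str(dst), dport,
            "appliance initiated connection to unexpected internet host",
        ))
    return findings


# Constructed sample records in the assumed format (not real telemetry).
SAMPLE_FLOWS = [
    "2025-09-01T02:14:07Z src=10.0.0.1 dst=198.51.100.10 dport=123 proto=udp",  # NTP, allowed
    "2025-09-01T02:15:11Z src=10.0.0.1 dst=192.0.2.44 dport=443 proto=tcp",     # vendor update, allowed
    "2025-09-01T03:02:55Z src=10.0.0.2 dst=203.0.113.77 dport=443 proto=tcp",   # unexpected host
    "2025-09-01T03:03:01Z src=10.0.0.2 dst=10.0.5.9 dport=23 proto=tcp",        # Telnet inside the network
    "2025-09-01T03:04:00Z src=10.0.9.30 dst=203.0.113.77 dport=443 proto=tcp",  # workstation, ignored
    "this line is not a flow record",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_FLOWS):
        print(f"{f.ts} {f.appliance} -> {f.dst}:{f.dport}  {f.reason}")
```

Run against the constructed sample, the script reports two findings: the VPN gateway reaching an unknown internet host over 443, and the same gateway speaking Telnet to an internal host. The allow-list is deliberately explicit rather than relying on Python's `is_private` or `is_global`, because an appliance's legitimate external contacts are few and known, and because the documentation address ranges used in the sample are themselves treated as non-global by the standard library.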
Taking this kind of action is how we will stay ahead of threats that move faster than any human can react. Cyber resilience isn’t just a technology issue; it’s a team sport.
Every cyber incident should serve as a catalyst for strengthening public-private collaboration, investing in threat-informed training, and building muscle memory for cyber defense.
Proactive threat hunting
Cyber hygiene is crucial, but it is not the only step that needs to be taken. Organizations must assume a breach has already occurred and actively hunt for it. This means going beyond waiting for alarms and instead searching for the subtle behavioral anomalies that indicate an adversary is quietly moving through the network, as Salt Typhoon does so effectively.
Adversaries of this kind are incredibly hard to stop without a strong background in offensive and defensive cyber tactics at the Advanced Persistent Threat (APT) level. Fortune 500 companies, global government organizations, critical infrastructure operators, and even some IT and cybersecurity software companies are struggling to combat these rising threats on their own.
Organizations of all sizes are weighed down by technical debt that drags on their cyber defense operations and erodes the ROI that should come from investing in new security tools. New tools aren't always the answer, and facing a nation-state-level threat actor alone can be impossible. A trusted partner that knows your operations, and knows the operations of your adversaries, can be critical in combating these threats.
Forgotten network devices are prime targets for our adversaries, and traditional reactive defenses are no longer enough. Organizations can’t protect what they don’t know they have, and they can’t evict an intruder they aren’t actively looking for.
Now is the moment to get serious about cyber resilience. That means going beyond traditional cybersecurity and moving toward a full-spectrum cyber posture as an industry, where offensive insights, defensive operations, and AI-driven capabilities all operate in sync, in real time.
Nick Carroll is a cyber incident response manager at Nightwing.