Chinese ‘ORB’ Networks Conceal APTs, Render Static IoCs Irrelevant

May 22, 2024 at 10:04AM

Chinese threat actors are advancing their anti-analysis techniques by using operational relay box networks (ORBs) made up of virtual private servers and compromised devices. Mandiant reports an increase in their use, prompting defenders to reevaluate traditional threat monitoring methods. ORBs are maintained by private companies or the Chinese government and consist of five layers, allowing for diverse and transient attack patterns. Analysts recommend analyzing ORB networks as infrastructure in their own right in order to create behavior-based signatures for threat detection.

The key takeaways are:

– Chinese threat actors are using operational relay box networks (ORBs) comprised of virtual private servers (VPS) and compromised smart devices and routers to hide their malicious activities.
– These ORBs are maintained by private companies or elements within the government of the People’s Republic of China and consist of five layers: Chinese servers, VPSes, traversal nodes, exit nodes, and victim servers.
– ORBs can be provisioned or non-provisioned and are short-lived, with new devices cycled in and out frequently to prevent defenders from tying IPs to their users for extended periods of time.
– Analysts from Mandiant advise that cyber defenders need to upend the fundamental ways they’ve been tracking and blocking threats, as Chinese ORBs have become increasingly common, layered, and active.
– Organizations now need to engage with ORBs as distinct and dynamic entities, analyzing and monitoring them consistently to create behavior-based signatures for identifying threats.
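As an added illustration of the last two points (this is example code, not code from Mandiant or the article), the Python below runs a static IP blocklist and a behaviour-based rule over a few constructed log lines in which one actor arrives through relay IPs that rotate every few days; the log format, the fingerprint fields and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample web-server log lines: timestamp, source IP, method, path,
# user agent, TLS JA3 hash. The first six are one actor arriving through three
# relay IPs that rotate every few days; the last line is unrelated traffic.
SAMPLE_LOG = [
    "2024-05-01T08:00:00 203.0.113.10 POST /owa/auth.owa UA-A ja3:f4e1",
    "2024-05-01T08:00:30 203.0.113.10 POST /owa/auth.owa UA-A ja3:f4e1",
    "2024-05-03T09:10:00 198.51.100.7 POST /owa/auth.owa UA-A ja3:f4e1",
    "2024-05-03T09:10:20 198.51.100.7 POST /owa/auth.owa UA-A ja3:f4e1",
    "2024-05-06T11:00:00 192.0.2.44 POST /owa/auth.owa UA-A ja3:f4e1",
    "2024-05-06T11:00:05 192.0.2.44 POST /owa/auth.owa UA-A ja3:f4e1",
    "2024-05-06T12:00:00 192.0.2.99 GET /index.html UA-B ja3:0a9c",
]

# Hypothetical static IoC feed: only the relay IP that was known on May 1.
STATIC_IOCS = {"203.0.113.10"}


def parse(line):
    ts, ip, method, path, ua, ja3 = line.split()
    return {"ts": ts, "ip": ip, "method": method, "path": path, "ua": ua, "ja3": ja3}


def static_ioc_hits(log, iocs):
    """Requests a plain IP blocklist would have caught."""
    return [r for r in map(parse, log) if r["ip"] in iocs]


def behaviour_hits(log, min_ips=2, min_requests=3):
    """Group requests by a fingerprint that does not depend on the source IP
    (method, path, user agent, TLS fingerprint) and flag fingerprints that recur
    from several distinct IPs: the rotating-relay pattern. Returns {fp: [ips]}."""
    by_fp = defaultdict(list)
    for r in map(parse, log):
        by_fp[(r["method"], r["path"], r["ua"], r["ja3"])].append(r)
    flagged = {}
    for fp, reqs in by_fp.items():
        ips = sorted({r["ip"] for r in reqs})
        if len(ips) >= min_ips and len(reqs) >= min_requests:
            flagged[fp] = ips
    return flagged


def static_coverage(log, iocs):
    """Share of behaviour-flagged requests that the static IoC list also caught."""
    flagged = behaviour_hits(log)
    reqs = [r for r in map(parse, log)
            if (r["method"], r["path"], r["ua"], r["ja3"]) in flagged]
    return sum(r["ip"] in iocs for r in reqs) / len(reqs) if reqs else 0.0
```

With the sample data the blocklist catches only the two requests from the IP it knew about, while the behaviour rule groups all three relay IPs under one fingerprint.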
