The recent Joint Cybersecurity Advisory, which sets out observations from the US, UK, Australia, Canada, New Zealand and other countries on the advanced TTPs used by Chinese state-sponsored actors, is an excellent example of how threat intelligence sharing makes for stronger cyber defences.
The advisory covers industry tracking, case studies, threat hunting guidance, IoCs and recommended mitigation steps that telecommunications, government, transportation, lodging and military infrastructure operators can use to improve network detection and response against these threats.
Encouragingly, the recommended mitigations overlap substantially with the CAF v4 Objective C Indicators of Good Practice (IGPs).
What does this mean for UK organisations?
CAF is designed to let any organisation assess and improve its cyber security resilience. Currently it is predominantly adopted by the public sector, but with the incoming Cyber Security and Resilience Bill, which aims to replicate and improve on the NIS2 standards here in the UK, CAF will become more commonplace in the UK private sector.
The positive impact of such advisories aligning so closely to the CAF IGPs is that it gives UK organisations confidence that following this framework will give them a clear roadmap to improving resilience against a full spectrum of cyber threats.
Advisory Mitigation and CAF alignment
The table below highlights the key alignment between these recommendations and CAF v4 Objective C. Overall, the main areas of alignment are visibility, log integrity, behavioural detection and anomaly alerting.
| Joint Advisory Mitigation | CAF Objective C IGP Alignment | Notes |
|---|---|---|
| Prioritise patching of edge devices against known exploited CVEs | C1.f (Threat intelligence), C1.a (Coverage/Detail) | CAF links patching to threat-informed decisions; Advisory stresses prioritising edge devices via KEV catalogue. |
| Regularly review device logs and configs for anomalies (GRE tunnels, AAA changes, unexpected containers) | C1.a (Host + Network monitoring), C1.c (Generating alerts), C1.f (Behavioural detection) | Direct alignment: CAF requires continuous monitoring of abnormalities; advisory provides examples. |
| Employ robust change management, periodic audits, config version control | C1.c (Correlation), C1.d (Triage), C1.a (Coverage/Detail) | Both stress cross-checking changes with approvals; CAF adds triage process and playbooks. |
| Identify full scope of compromise before containment; balance IR with business impact | C1.d (Triage), C1.e (Personnel skills), C1.f (Threat intel contextualisation) | CAF emphasises triage, SOPs, staff capability; advisory highlights strategic IR planning. |
| Disable outbound connections from management interfaces | C1.a (Coverage/Detail – network monitoring), C1.f (Behavioural baselines) | CAF: detect abnormal flows; advisory: proactive isolation. Strong complementary guidance. |
| Disable unused protocols; enforce encrypted/authenticated management (SSH, SNMPv3, HTTPS) | C1.a (Coverage/Detail), C1.c (Generating alerts), C1.b (Securing logs) | CAF less prescriptive on hardening protocols but expects monitoring/alerting; advisory adds specific protocol controls. |
| Strong authentication: remove defaults, require keys, enforce lockouts | C1.a (User/system monitoring), C1.c (Alerts on failed logins) | CAF covers monitoring of access attempts; advisory prescribes technical controls. |
| Management-plane isolation (VRFs, CoPP/ACLs, jump servers) | C1.a (Network monitoring), C1.f (Understanding system behaviour) | Advisory gives operational steps; CAF requires coverage of management traffic. |
| Implement robust logging: enable syslog, forward securely, immutable storage | C1.a (Coverage), C1.b (Securing logs), C1.d (Retention) | Full overlap; CAF defines integrity requirements, advisory specifies syslog levels, encryption, immutability. |
| Enable AAA command accounting | C1.a (Coverage detail), C1.c (Alerts), C1.b (Securing logs) | CAF explicitly mentions per-user traceability and detection of config activity. |
| Routing best practices: authentication, prefix filters, TTL security, BGP monitoring | C1.a (Coverage – network), C1.f (Understanding expected behaviour) | Advisory is prescriptive; CAF expects behavioural baselining and anomaly detection. |
| VPN best practices: strong crypto, delete defaults | C1.a (Coverage/Detail), C1.f (Threat intelligence) | CAF does not specify algorithms; it requires abnormality detection and intelligence-led monitoring. |
| Continuous SNMP monitoring, alerts on config changes (AAA servers, routing, SPAN/ERSPAN) | C1.c (Generating alerts), C1.a (Behavioural monitoring) | Direct overlap: CAF expects real-time alerts on abnormalities; advisory provides protocol examples. |
| Threat hunting to identify scope of compromise, codify detections | C2.a (Threat hunting) | Exact match: CAF requires hypothesis-led hunts, advisory stresses full compromise scoping. |
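Several rows above (log review for GRE tunnels and AAA changes, AAA command accounting, alerts on config changes to AAA servers and SPAN/ERSPAN sessions, cross-checking changes against approvals) come together in one detection. The following is an added example, not code from the advisory or from CAF: it parses AAA command-accounting records forwarded over syslog and raises an alert when a command matching one of those indicators is run by an account that has no approved change open. The record layout, hostnames, usernames and addresses are all constructed assumptions; real accounting formats vary by vendor and version.

```python
import re
from typing import NamedTuple

# Constructed sample of AAA command-accounting lines as they might arrive via
# syslog. The layout is an assumption for this example, not a vendor format.
SAMPLE_LOG = """\
Sep 01 10:02:11 core-rtr1 aaa: user=netops src=10.0.5.20 cmd=show ip interface brief
Sep 01 10:03:42 core-rtr1 aaa: user=svc_backup src=10.0.9.7 cmd=interface Tunnel99
Sep 01 10:03:44 core-rtr1 aaa: user=svc_backup src=10.0.9.7 cmd=tunnel mode gre ip
Sep 01 10:05:01 core-rtr1 aaa: user=svc_backup src=10.0.9.7 cmd=tacacs server NEW-TAC
Sep 01 10:06:30 core-rtr1 aaa: user=netops src=10.0.5.20 cmd=monitor session 5 type erspan-source
Sep 01 10:07:15 core-rtr1 aaa: user=netops src=10.0.5.20 cmd=show running-config
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:]{8}) (?P<host>\S+) aaa: "
    r"user=(?P<user>\S+) src=(?P<src>\S+) cmd=(?P<cmd>.+)$"
)

# Each rule names the config activity the advisory says to watch for and the
# command prefix that indicates it. Extend with your platform's syntax.
RULES = [
    ("gre_tunnel_config", re.compile(r"^(interface tunnel|tunnel mode gre)", re.I)),
    ("aaa_server_change", re.compile(r"^(tacacs|radius)[- ]server\b", re.I)),
    ("span_erspan_session", re.compile(r"^monitor session \d+", re.I)),
]

class Alert(NamedTuple):
    rule: str
    host: str
    user: str
    src: str
    cmd: str

def parse_line(line):
    """Return the record fields as a dict, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def detect(log_text, approved_users=frozenset()):
    """Alert on indicator commands from accounts without an approved change open."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable accounting lines deserve their own review
        for name, pattern in RULES:
            if pattern.search(rec["cmd"]) and rec["user"] not in approved_users:
                alerts.append(Alert(name, rec["host"], rec["user"], rec["src"], rec["cmd"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, approved_users={"netops"}):
        print(alert)
```

With `netops` holding an approved change, the run flags only the GRE tunnel and TACACS server changes made by `svc_backup`; with no approvals recorded, the ERSPAN session is flagged as well.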
Can CAF do it all?
This advisory shows that all organisations can benefit from implementing CAF as part of their cyber security strategy. By proactively working towards the IGP criteria across the CAF objectives, organisations can mature their resilience and get ahead of the Cyber Security and Resilience Bill.
The recent updates that produced v4 of the framework are said to be closely aligned with the proposed Bill, giving organisations a clear structure for achieving resilience that is both effective and auditable.
Network Detection Advice
If you're looking for immediate wins in improving your detection of nation-state network threats, read our CISO Briefing, which contains a 4-step guide to mitigating these threats based on our experience.