In late February, the Cybersecurity and Infrastructure Security Agency (CISA) released a cybersecurity advisory on the key findings from a recent CISA red team assessment, giving organizations recommendations for improving their cyber posture. According to the Agency, the necessary actions to harden their environments include monitoring network activity to spot abnormal behavior, conducting regular assessments and drills, and enforcing phishing-resistant MFA wherever possible.
What Prompted the CISA Advisory?
In 2022, CISA conducted a red team assessment (RTA) following a request from a large critical infrastructure organization with multiple geographically dispersed sites. During Phase I, the red team attempted to gain and maintain continued access to the corporate network while avoiding detection. During Phase II, the team tried to trigger a security response from the organization's people, processes, or technology.
According to the report, the CISA RTA team gained initial access to two corporate workstations at separate sites leveraging Active Directory (AD) data. It then gained persistent access to a third host via spear phishing emails. “From that host, the team moved laterally to a misconfigured server, from which they compromised the domain controller (DC),” reads the report.
“They then used forged credentials to move to multiple hosts across different sites in the environment and eventually gained root access to all workstations connected to the organization’s mobile device management (MDM) server.”
CISA said its red team used the root access to move laterally to workstations adjacent to sensitive business systems (SBS). “However, a multi-factor authentication (MFA) prompt prevented the team from achieving access to one SBS. Phase I ended before the team could implement a seemingly viable plan to achieve access to a second SBS.”
Interestingly, the “victim” organization did not detect the red team's activity on its networks even when the team deliberately tried to trigger a security response. This happened even though the assessed organization had a mature cybersecurity posture.
Key Issues and Strengths
The CISA red team highlighted several problematic areas concerning the organization’s network security. These weaknesses allowed the team to maintain undetected access for the duration of the assessment.
The most important finding is that the organization failed to detect lateral movement, persistence, and command and control activity even though it had deployed intrusion detection or prevention systems and endpoint protection platforms and had enabled event logging. Additionally, throughout Phase I, the CISA team did not receive any deconfliction request or other confirmation that the organization had caught its activity. These findings point to the need for more effective network monitoring.
Lack of endpoint monitoring was also a root cause that enabled the red team to gain undetected root access to machines and workstations across the network. “Endpoint management systems provide elevated access to thousands of hosts and should be treated as high-value assets (HVAs) with additional restrictions and monitoring,” highlights the advisory.
Another issue was that the organization used default configurations for Windows Server 2012 R2, which allowed non-privileged users to query the membership of local administrator groups. The red team identified and leveraged several standard accounts with administrative access from a Windows SharePoint server. Additional issues noted in the CISA advisory include ineffective separation of privileged accounts and specific workstations that granted standard accounts local administrator access.
On the positive side of the assessment, CISA noted some strengths, such as controls or defensive mechanisms that prevented or hampered offensive actions. The assessed organization conducts regular, proactive penetration tests and adversarial assessments and invests in hardening its network based on the findings. As a result, the team could not discover any vulnerable services, ports, or web interfaces and had to resort to phishing campaigns to gain initial access.
The CISA red team also found that service account passwords were strong, and the team was unable to crack any of the hashes it obtained. This critical strength slowed the red team's lateral movement across the network in the early parts of Phase I. Moreover, the team did not discover user credentials on open file shares or servers.
To help organizations mitigate similar issues, CISA provides several recommendations that align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and NIST.
The top recommendation “highlights the importance of collecting and monitoring logs for unusual activity as well as continuous testing and exercises to ensure your organization’s environment is not vulnerable to compromise, regardless of the maturity of its cyber posture.”
CISA recommends establishing “a security baseline of normal network traffic and tuning network appliances to detect anomalous behavior.” From a detection standpoint, organizations should focus on identity and access management (IAM) rather than network traffic or static host alerts. This practice will enable them to consider who is accessing what resource, from where, and when.
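The two points above, that the organization did not notice lateral movement with forged credentials and that detection should ask who is accessing what, from where, and when, can be turned into a concrete check. The following script is an added example, not code from the article or from CISA: it builds a baseline of which source addresses each account normally logs on from, then flags a privileged account appearing from an unseen source and an account fanning out to many hosts over network logons within a few minutes. The event format, field names, host names, account names, and thresholds are all constructed assumptions, loosely modelled on the fields of a Windows Security logon event (account, logon type, source address, target host).

```python
"""Baseline-and-anomaly review of logon events (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "timestamp|account|logon_type|source_ip|target_host".
# Logon type 3 is a network logon (an account reaching a remote host over
# SMB/RPC); type 2 is an interactive console logon. These are assumed values.
BASELINE_EVENTS = """\
2023-01-09T08:02:11|alice|2|10.1.10.21|WS-SITEA-021
2023-01-09T08:05:40|alice|3|10.1.10.21|FS-SITEA-01
2023-01-09T08:30:02|svc-backup|3|10.1.20.5|FS-SITEA-01
2023-01-09T08:30:09|svc-backup|3|10.1.20.5|FS-SITEB-01
2023-01-10T09:12:47|bob|2|10.2.10.34|WS-SITEB-034
2023-01-10T09:14:03|bob|3|10.2.10.34|SP-SITEB-01
2023-01-10T22:00:00|svc-backup|3|10.1.20.5|FS-SITEA-01
"""

# Constructed "assessment day" events: a privileged account shows up from a
# workstation it never used before and then touches many hosts in minutes,
# the shape of the forged-credential lateral movement the advisory describes.
NEW_EVENTS = """\
2023-02-14T10:01:15|alice|2|10.1.10.21|WS-SITEA-021
2023-02-14T10:03:22|alice|3|10.1.10.21|FS-SITEA-01
2023-02-14T11:40:01|da-admin|3|10.2.10.34|DC-SITEB-01
2023-02-14T11:41:10|da-admin|3|10.2.10.34|MDM-SITEA-01
2023-02-14T11:42:05|da-admin|3|10.2.10.34|WS-SITEA-040
2023-02-14T11:42:44|da-admin|3|10.2.10.34|WS-SITEB-012
2023-02-14T11:43:30|da-admin|3|10.2.10.34|WS-SITEB-013
"""

PRIVILEGED_ACCOUNTS = {"da-admin", "svc-backup"}  # assumed list of HVA accounts
FANOUT_WINDOW = timedelta(minutes=10)
FANOUT_THRESHOLD = 4  # distinct target hosts inside the window


def parse_events(text):
    """Turn the pipe-separated sample lines into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, account, logon_type, src, target = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "logon_type": int(logon_type), "src": src, "target": target})
    return events


def build_baseline(events):
    """Record, per account, the source addresses it has historically used."""
    seen_sources = defaultdict(set)
    for e in events:
        seen_sources[e["account"]].add(e["src"])
    return seen_sources


def detect_anomalies(seen_sources, events):
    """Return findings: privileged account from an unseen source (reported once
    per account/source pair), and one account reaching FANOUT_THRESHOLD or more
    distinct hosts via network logons inside FANOUT_WINDOW."""
    findings, reported = [], set()
    network_logons = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        pair = (e["account"], e["src"])
        if e["account"] in PRIVILEGED_ACCOUNTS and e["src"] not in seen_sources[e["account"]] \
                and pair not in reported:
            reported.add(pair)
            findings.append(f"{e['ts'].isoformat()} privileged account {e['account']} "
                            f"from unseen source {e['src']}")
        if e["logon_type"] == 3:
            network_logons[e["account"]].append(e)
    for account, logons in network_logons.items():
        # Sliding window over this account's network logons (already time-sorted).
        for i, first in enumerate(logons):
            targets = {x["target"] for x in logons[i:] if x["ts"] - first["ts"] <= FANOUT_WINDOW}
            if len(targets) >= FANOUT_THRESHOLD:
                findings.append(f"{first['ts'].isoformat()} {account} reached "
                                f"{len(targets)} hosts within {FANOUT_WINDOW}")
                break
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_events(BASELINE_EVENTS))
    for finding in detect_anomalies(baseline, parse_events(NEW_EVENTS)):
        print(finding)
```

Run against the constructed data, the baseline day produces no findings while the assessment day produces two: the privileged account from an address it never used, and the same account reaching five hosts in under ten minutes. In practice the baseline window should be weeks rather than two days, and the per-account source set should be keyed on the workstation identity rather than a bare address where DHCP is in play.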
In addition, the Agency recommends providing users with regular training and exercises tailored explicitly to phishing emails, since phishing accounts for most initial access intrusion events. Finally, CISA strongly recommends leveraging phishing-resistant MFA, since not all forms of MFA are equally secure. Recent incidents have demonstrated the effectiveness of MFA fatigue tactics employed by cybercriminals.
In the long run, the Agency recommends that organizations prioritize implementing a Zero Trust network architecture, adopting secure cloud services for crucial enterprise security capabilities, and modernizing their IAM practices.
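MFA fatigue works by sending a user push prompts until one is accepted, so the burst of prompts is itself the signal an identity team can alert on even before moving to phishing-resistant factors. The script below is an added example, not from the article or from CISA: it groups push results per user and reports any user who received several prompts in a short window, noting whether the burst ended in an approval. The log format, user names, and thresholds are constructed assumptions; real identity providers record push outcomes in their own schemas, so the parser would need adapting.

```python
"""MFA push-burst review (added example, constructed data and thresholds)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "timestamp|user|result", one line per push prompt,
# where result is the outcome the MFA service recorded for that prompt.
MFA_LOG = """\
2023-02-14T06:55:01|carol|approved
2023-02-14T12:03:10|dave|denied
2023-02-14T12:03:40|dave|denied
2023-02-14T12:04:05|dave|timeout
2023-02-14T12:04:30|dave|denied
2023-02-14T12:05:12|dave|approved
2023-02-14T15:20:44|erin|denied
2023-02-14T15:45:00|erin|approved
"""

WINDOW = timedelta(minutes=10)
PROMPT_THRESHOLD = 3  # prompts inside WINDOW before we call it a burst (assumed)


def parse_mfa_log(text):
    """Parse the constructed pipe-separated lines into dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, user, result = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "result": result})
    return records


def find_push_bursts(records):
    """Per user, find the first window holding PROMPT_THRESHOLD or more prompts.
    Returns {user: {"prompts", "denied", "ended_approved"}} for users with a burst."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    alerts = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            burst = [r for r in recs[i:] if r["ts"] - first["ts"] <= WINDOW]
            if len(burst) >= PROMPT_THRESHOLD:
                alerts[user] = {
                    "prompts": len(burst),
                    # denials and timeouts both count as the user not accepting
                    "denied": sum(r["result"] != "approved" for r in burst),
                    # an approval at the end of a burst is the worst case: the
                    # user may have accepted a prompt they did not initiate
                    "ended_approved": burst[-1]["result"] == "approved",
                }
                break
    return alerts


if __name__ == "__main__":
    for user, info in find_push_bursts(parse_mfa_log(MFA_LOG)).items():
        print(user, info)
```

On the constructed log only one user trips the rule: five prompts in about two minutes, four of them refused or ignored, and the last one approved. A single denial followed by a later approval, as in the other user's entries, stays below the threshold, which is the behaviour you want so that ordinary mis-taps do not page anyone.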
Fortra’s Tripwire has 25+ years of experience building solutions that thousands of companies and critical infrastructure providers worldwide have grown to trust as the foundation of their cybersecurity and compliance programs. Industrial organizations trust Tripwire to accurately detect suspicious changes and prevent future incidents by discovering and prioritizing risks. Our industrial solutions span IT and OT environments, turning raw data into actionable information, providing deep visibility, and integrating seamlessly with other solutions. They also keep ICS operators audit-ready for regulations like NERC CIP, NIST, and the Center for Internet Security’s CIS Controls.