US-CERT- CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks

Started by Netwörkheäd, April 23, 2023, 07:18:49 PM


Netwörkheäd

CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks


SUMMARY


The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) detailing activity and key findings from a recent CISA red team assessment, in coordination with the assessed organization, to provide network defenders recommendations for improving their organization's cyber posture.


Actions to take today to harden your local environment:


In 2022, CISA conducted a red team assessment (RTA) at the request of a large critical infrastructure organization with multiple geographically separated sites. The team gained persistent access to the organization's network, moved laterally across the organization's multiple geographically separated sites, and eventually gained access to systems adjacent to the organization's sensitive business systems (SBSs). Multifactor authentication (MFA) prompts prevented the team from achieving access to one SBS, and the team was unable to complete its viable plan to compromise a second SBS within the assessment period.


Despite having a mature cyber posture, the organization did not detect the red team's activity throughout the assessment, including when the team attempted to trigger a security response.


CISA is releasing this CSA detailing the red team's tactics, techniques, and procedures (TTPs) and key findings to provide network defenders of critical infrastructure organizations proactive steps to reduce the threat of similar activity from malicious cyber actors. This CSA highlights the importance of collecting and monitoring logs for unusual activity as well as continuous testing and exercises to ensure your organization's environment is not vulnerable to compromise, regardless of the maturity of its cyber posture.


CISA encourages critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA, including conducting regular testing within their security operations center, to ensure security processes and procedures are up to date, effective, and enable timely detection and mitigation of malicious activity.



TECHNICAL DETAILS


Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12 (https://attack.mitre.org/versions/v12/matrices/enterprise/). See the appendix for a table of the red team's activity mapped to MITRE ATT&CK tactics and techniques.


Introduction

CISA has authority to, upon request, provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators and provide operational and timely technical assistance to Federal and non-Federal entities with respect to cybersecurity risks. (See generally 6 U.S.C. §§ 652[c][5], 659[c][6].) After receiving a request for a red team assessment (RTA) from an organization and coordinating some high-level details of the engagement with certain personnel at the organization, CISA conducted the RTA over a three-month period in 2022.


During RTAs, a CISA red team emulates cyber threat actors to assess an organization's cyber detection and response capabilities. During Phase I, the red team attempts to gain and maintain persistent access to an organization's enterprise network while avoiding detection and evading defenses. During Phase II, the red team attempts to trigger a security response from the organization's people, processes, or technology.


The "victim" for this assessment was a large organization with multiple geographically separated sites throughout the United States. For this assessment, the red team's goal during Phase I was to gain access to certain sensitive business systems (SBSs).


Phase I: Red Team Cyber Threat Activity

Overview

The organization's network was segmented with both logical and geographical boundaries. CISA's red team gained initial access to two organization workstations at separate sites via spearphishing emails. After gaining access and leveraging Active Directory (AD) data, the team gained persistent access to a third host via spearphishing emails. From that host, the team moved laterally to a misconfigured server, from which they compromised the domain controller (DC). They then used forged credentials to move to multiple hosts across different sites in the environment and eventually gained root access to all workstations connected to the organization's mobile device management (MDM) server. The team used this root access to move laterally to SBS-connected workstations. However, a multifactor authentication (MFA) prompt prevented the team from achieving access to one SBS, and Phase I ended before the team could implement a seemingly viable plan to achieve access to a second SBS.


Initial Access and Active Directory Discovery

The CISA red team gained initial access [TA0001] (https://attack.mitre.org/versions/v12/tactics/TA0001/) to two workstations at geographically separated sites (Site 1 and Site 2) via spearphishing emails. The team first conducted open-source research

Let's not argue. Let's network!