The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a new advisory that describes a CISA red team assessment of a large critical infrastructure organization with a mature cyber posture, with the goal of sharing its key findings to help IT and security professionals improve monitoring and hardening of networks.
According to the advisory, the CISA red team, at the request of the organization, obtained persistent access to the organization’s network, moved laterally across multiple geographically separated sites, and gained access to systems adjacent to the organization’s sensitive business systems (SBS).
However, multifactor authentication prompts prevented the team from achieving access to one SBS, and the team was unable to complete a seemingly viable plan to compromise a second SBS within the assessment period.
“Despite having a mature cyber posture, the organization did not detect the red team’s activity throughout the assessment, including when the team attempted to trigger a security response,” the agency says.
How CISA gained access and moved laterally
According to CISA, the red team gained initial access to two workstations at geographically separated sites by using spearphishing emails. The team first conducted open-source research to identify potential targets, collecting email addresses and employee names from which further addresses could be derived once the organization’s email naming scheme had been identified.
Tailored spearphishing emails were sent to seven targets using commercially available email platforms, and the red team used the logging and tracking features of one of the platforms to analyze the organization’s email filtering defenses and confirm the emails reached the targets’ inboxes.
According to the agency, the red team built a rapport with some of the targeted users over email and eventually convinced them to accept a virtual meeting invite. The invite, however, took the user to a red team-controlled domain with a button that, when clicked, downloaded a malicious ISO file. After the download, a second button appeared that executed the file when clicked.
Two of the seven targets responded to the phishing attempt, giving CISA access to two workstations in different locations.
After gaining access and leveraging Active Directory (AD) data, CISA says the team gained persistent access to a third host via spearphishing emails. From that host, the team moved laterally to a misconfigured server, from which they compromised the domain controller (DC). They then used forged credentials to move to multiple hosts across different sites in the environment and eventually gained root access to all workstations connected to the organization’s mobile device management (MDM) server.
According to the agency, the team used this root access to move laterally to SBS-connected workstations. However, a multifactor authentication (MFA) prompt prevented the team from achieving access to one SBS, and Phase I ended before the team could implement a seemingly viable plan to achieve access to a second SBS.
Based on its findings, including how the team’s plans for additional activity were thwarted, CISA recommends that organizations implement the mitigations below to improve their cybersecurity posture:
- Provide users with regular training and exercises, specifically related to phishing emails.
- Enforce phishing-resistant MFA to the greatest extent possible.
- Reduce the risk of credential compromise via the following:
  - Place domain admin accounts in the Protected Users group to prevent caching of password hashes locally; this also forces Kerberos AES authentication as opposed to weaker RC4 or NTLM.
  - Implement Credential Guard for Windows 10 and Server 2016 (refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012 R2, enable Protected Process Light for the Local Security Authority (LSA).
  - Refrain from storing plaintext credentials in scripts. The red team discovered a PowerShell script containing plaintext credentials that allowed them to escalate to admin.
- Upgrade to Windows Server 2019 or greater and Windows 10 or greater. These versions have security features not included in older operating systems.
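As an added example, not code from the CISA advisory or this article, the PowerShell audit below covers the three credential items in the list above: domain admin accounts missing from Protected Users (with the password-age check needed before adding them), LSA protection and Credential Guard status on a host, and a scan for plaintext credentials in scripts. The cmdlets, the RunAsPPL registry value and the Win32_DeviceGuard class are real; the `$AesKeysAvailableSince` date, the scan paths and the regex patterns are assumptions to adjust for your own environment.

```powershell
# Added example, not code from the CISA advisory or the article: audit the three
# credential-hardening items above. Cmdlets, registry value and CIM class are real;
# the AES cut-over date, scan paths and regex patterns are assumptions to adjust.

# 1. Domain Admins accounts that are not (direct) members of Protected Users.
#    Caveat: Protected Users blocks NTLM/RC4/DES, so a member needs AES Kerberos
#    keys, which only exist if the password was set after the domain reached the
#    Windows Server 2008 functional level. Flag those accounts for a reset first.
function Get-UnprotectedDomainAdmin {
    param(
        # Assumed date your domain reached DFL 2008+; look yours up before relying on it
        [datetime]$AesKeysAvailableSince = (Get-Date '2015-01-01')
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $protected = Get-ADGroupMember -Identity 'Protected Users' |
                 Select-Object -ExpandProperty DistinguishedName
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $_.DistinguishedName -notin $protected } |
        Get-ADUser -Properties PasswordLastSet |
        Select-Object SamAccountName, Enabled, PasswordLastSet,
            @{ n = 'NeedsPasswordReset'; e = { $_.PasswordLastSet -lt $AesKeysAvailableSince } }
}

# 2. Local check for LSA protection (RunAsPPL) and Credential Guard. Run per host,
#    e.g. with Invoke-Command; on Server 2012 R2 only RunAsPPL applies and the
#    DeviceGuard namespace is absent, which -ErrorAction SilentlyContinue handles.
function Test-LsaHardening {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                           -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        RunAsPPL               = [int]$lsa.RunAsPPL                             # 1 (or 2 with UEFI lock) = LSA runs as PPL
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)  # 2 = VBS running
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)      # 1 = Credential Guard
    }
}

# 3. Find plaintext credentials in scripts (the finding the red team used to reach admin).
function Find-PlaintextCredential {
    param(
        [Parameter(Mandatory)] [string[]]$Path,                  # folders or shares to scan
        [string[]]$Include = @('*.ps1', '*.psm1', '*.bat', '*.cmd', '*.vbs')
    )
    # Illustrative patterns (assumption); Select-String is case-insensitive by default.
    $patterns = @(
        'ConvertTo-SecureString.*-AsPlainText',                  # literal string -> SecureString
        '-(?:Password|Pass|Pwd|Secret)\s+["''][^"'']{4,}["'']',  # -Password "..." style parameters
        '(?:password|pwd|secret)\s*=\s*["''][^"'']{4,}["'']',    # $password = "..." assignments
        'net\s+use\s+.*/user:\S+\s+\S+',                         # net use ... /user:dom\u P@ss
        'cmdkey\s+.*/pass:\S+'                                   # cmdkey /pass:...
    )
    Get-ChildItem -Path $Path -Include $Include -Recurse -File -ErrorAction SilentlyContinue |
        Select-String -Pattern $patterns |
        ForEach-Object {
            # Review hits by hand and redact before sharing: the Match column is the secret itself.
            [pscustomobject]@{ Path = $_.Path; Line = $_.LineNumber; Match = $_.Line.Trim() }
        }
}

# Hardened replacement for a script that genuinely needs a credential: store it once
# with DPAPI (Export-Clixml encrypts the SecureString for this user on this machine)
# and import it at run time; better still, use a gMSA or a SecretManagement vault.
#   Get-Credential | Export-Clixml -Path "$env:LOCALAPPDATA\svc-backup.cred"
#   $cred = Import-Clixml -Path "$env:LOCALAPPDATA\svc-backup.cred"

# Usage (assumed paths and host list):
#   Get-UnprotectedDomainAdmin | Format-Table -AutoSize
#   Invoke-Command -ComputerName (Get-Content .\servers.txt) -ScriptBlock ${function:Test-LsaHardening}
#   Find-PlaintextCredential -Path '\\fileserver\scripts', 'C:\Scripts' | Format-Table -AutoSize
```

Run Get-UnprotectedDomainAdmin from a workstation with the RSAT ActiveDirectory module, Test-LsaHardening on every host (the Invoke-Command line fans it out), and Find-PlaintextCredential against the shares where administrators keep their scripts. Before adding an account to Protected Users, reset any password that predates the domain's Windows Server 2008 functional level so the account has AES Kerberos keys; without them the account cannot log on at all once it is in the group. Keep a break-glass account out of Protected Users and monitor its use separately.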
As a long-term effort, CISA recommends organizations prioritize implementing a more modern, Zero Trust network architecture that:
- Leverages secure cloud services for key enterprise security capabilities (e.g., identity and access management, endpoint detection and response, policy enforcement).
- Upgrades applications and infrastructure to leverage modern identity management and network access practices.
- Centralizes and streamlines access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks.
- Invests in technology and personnel to achieve these goals.
CISA also recommends exercising, testing and validating the organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework.
To help organizations do that, the agency released Decider, a new free tool to help make mapping quick and accurate through guided questions, search, filters, and a cart function.
Read the advisory for more information.