CISA breached a federal agency as part of its red team program — and nobody noticed for five months
A red team assessment performed by CISA on an unnamed federal agency found a series of critical security weaknesses


CISA has revealed that a red team exercise testing the resilience of an unnamed federal agency in 2023 found glaring security failings that left its most critical assets exposed.
The program, known as SILENTSHIELD, involves a group of red teamers performing a no-notice, long-term simulation of nation-state threat actors, mimicking their tactics, techniques, and procedures (TTPs).
The assessment found the organization’s security posture was poor in a number of areas, including inadequate firewalling on its perimeter network, insufficient network segmentation, overly permissive trust relationships, a failure to properly analyze EDR alerts on a daily basis, and more.
The team gained an initial foothold in the target network by exploiting a known vulnerability in an unpatched web server in the agency’s Oracle Solaris enclave.
This access was limited due to a lack of credentials and did not allow the red team to move into the Windows portion of the network.
A simultaneous phishing attack gave the red team access to the Windows network, where they discovered admin credentials that would allow them to pivot freely throughout the Windows environment.
CISA revealed this resulted in the team achieving a full domain compromise with access to tier zero assets, the most critical components of an organization's IT infrastructure.
From there, the team discovered a number of trust relationships with external partners and was able to use its existing access to compromise these networks.
CISA red team persisted for five months before revealing themselves
After achieving their initial objectives of compromising the organization’s domain and identifying attack paths to other networks, the red team began mimicking a broader range of less sophisticated threat actors, with the aim of attracting attention from the defenders.
Moreover, they did not clean up or delete any system logs so that the network defenders would be able to investigate all artifacts from the attack and learn how to spot and prevent similar attack chains.
The red team was able to persist on the network for five months, CISA reported, after which point they notified the organization’s SOC and began collaborating with the SOC leadership.
During this collaborative phase, the SILENTSHIELD team highlighted a series of areas where the organization needed to improve its security posture, including lessons for network defenders trying to reduce and respond to cyber risk.
The assessed organization was found to have insufficient controls in place to prevent and detect malicious activity, and failed to effectively or efficiently collect, retain, and analyze logs.
The assessment also blamed bureaucratic processes and decentralized teams for hindering the organization’s network defenders.
It noted that even after the red team disclosed the known vulnerability it had exploited to gain initial access, the organization still took more than two weeks to address the issue.
“After gaining access, the team promptly informed the organization’s trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch,” the report noted.
Similarly, the agency’s reliance on a known-bad detection approach, which involves watching for established malware signatures or network activity, was also identified as hampering the organization’s ability to detect alternative TTPs.
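To make the distinction concrete, the following is an added example (not code from the report or from CISA) that runs a signature-only detector and a small set of behavioural rules over constructed EDR-style process-creation events. The events, the "known-bad" hash and the rule set are invented for illustration; the point is that a recompiled payload, a hidden encoded PowerShell launch from an Office parent, and an NTDS export with a built-in tool all evade the known-bad list while still tripping rules written against the behaviour.

```python
"""Signature-only ("known-bad") detection versus behaviour-based rules.

Added example for illustration. Events, hashes and rule set are constructed;
nothing here is taken from the CISA SILENTSHIELD report.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# A known-bad list of the kind a signature-only approach relies on.
# The hash is an invented placeholder, not a real malware hash.
KNOWN_BAD_HASHES = {
    "9c0ffee0" * 8: "invoice_viewer.exe, first-seen sample",
}

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata\\local\\temp|downloads)\\", re.IGNORECASE)
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}

# Constructed EDR-style process-creation events (hypothetical hosts and users).
EVENTS: List[Event] = [
    # Phishing payload already on the known-bad list: both approaches fire.
    {"id": "e1", "parent": "outlook.exe", "path": r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe",
     "sha256": "9c0ffee0" * 8, "cmdline": "invoice_viewer.exe"},
    # Same behaviour, recompiled payload: new hash, so no signature match.
    {"id": "e2", "parent": "outlook.exe", "path": r"C:\Users\bob\Downloads\invoice_viewer.exe",
     "sha256": "deadbeef" * 8, "cmdline": "invoice_viewer.exe"},
    # Macro launching hidden, encoded PowerShell: a legitimate binary, so no hash match.
    {"id": "e3", "parent": "winword.exe", "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "sha256": "0" * 64, "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBi"},
    # Domain controller credential-store export with a built-in tool.
    {"id": "e4", "parent": "cmd.exe", "path": r"C:\Windows\System32\ntdsutil.exe",
     "sha256": "1" * 64, "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\ifm" q q'},
    # Benign activity that should not fire under either approach.
    {"id": "e5", "parent": "explorer.exe", "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "sha256": "2" * 64, "cmdline": "chrome.exe"},
    {"id": "e6", "parent": "svchost.exe", "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "sha256": "0" * 64, "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
]


def image_name(e: Event) -> str:
    """Executable file name, lower-cased, taken from the full path."""
    return e["path"].rsplit("\\", 1)[-1].lower()


def signature_matches(e: Event) -> List[str]:
    """Known-bad approach: fires only on indicators already on the list."""
    label = KNOWN_BAD_HASHES.get(e["sha256"].lower())
    return [f"known_bad_hash:{label}"] if label else []


def _office_spawns_user_dir_binary(e: Event) -> bool:
    return e["parent"].lower() in OFFICE_APPS and USER_WRITABLE.search(e["path"]) is not None


def _office_spawns_script_host(e: Event) -> bool:
    return e["parent"].lower() in OFFICE_APPS and image_name(e) in SCRIPT_HOSTS


def _hidden_or_encoded_powershell(e: Event) -> bool:
    if image_name(e) not in {"powershell.exe", "pwsh.exe"}:
        return False
    cmd = e["cmdline"].lower()
    return bool(ENCODED_FLAGS & set(cmd.split())) or "downloadstring" in cmd


def _credential_store_dump(e: Event) -> bool:
    cmd = e["cmdline"].lower()
    return ("ntdsutil" in cmd and "ifm" in cmd) or ("comsvcs" in cmd and "minidump" in cmd)


BEHAVIOUR_RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("office_spawns_user_dir_binary", _office_spawns_user_dir_binary),
    ("office_spawns_script_host", _office_spawns_script_host),
    ("hidden_or_encoded_powershell", _hidden_or_encoded_powershell),
    ("credential_store_dump", _credential_store_dump),
]


def behaviour_matches(e: Event) -> List[str]:
    """Behaviour-based approach: fires on what the process does, not on what it is."""
    return [name for name, rule in BEHAVIOUR_RULES if rule(e)]


def triage(events: List[Event]) -> Dict[str, List[str]]:
    """Event IDs surfaced by each approach, and the gap a known-bad-only SOC would never see."""
    sig = [e["id"] for e in events if signature_matches(e)]
    beh = [e["id"] for e in events if behaviour_matches(e)]
    return {"signature": sig, "behaviour": beh,
            "missed_by_signature": [i for i in beh if i not in sig]}


if __name__ == "__main__":
    for e in EVENTS:
        print(e["id"], "signature:", signature_matches(e), "behaviour:", behaviour_matches(e))
    print(triage(EVENTS))
```

Running the block shows the known-bad list catching only the first-seen sample, while the behavioural rules flag that sample, its recompiled copy, the encoded PowerShell launch and the NTDS export, and stay quiet on the two benign events. The rules are deliberately coarse; in practice each would be tuned against the environment's baseline, but the shape of the gap is what the assessment describes.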
The red team also found the agency had a number of overly permissive trust relationships with multiple external partners, and was able to abuse one of them to pivot into a third party's network.
“This highlights the risk of blindly allowing third party network connectivity and the importance of regularly monitoring both privileged access and transitive trusted credential material,” the report explained.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.