CISA breached a federal agency as part of its red team program — and nobody noticed for five months
A red team assessment performed by CISA on an unnamed federal agency found a series of critical security weaknesses
CISA has revealed that a 2023 red team exercise testing the resilience of an unnamed federal agency exposed glaring security failings, leaving its most critical assets exposed.
The program, known as SILENTSHIELD, involves a group of red teamers performing a no-notice, long-term simulation of nation state threat actors, mimicking their tactics, techniques, and procedures (TTPs).
The assessment found the organization’s security posture was poor in a number of areas, including inadequate firewalling on its perimeter network, insufficient network segmentation, overly permissive trust relationships, a failure to properly analyze EDR alerts on a daily basis, and more.
The team gained an initial foothold in the target network by exploiting a known vulnerability in an unpatched web server in the agency’s Oracle Solaris enclave.
This access was limited due to a lack of credentials and did not allow the red team to move into the Windows portion of the network.
A simultaneous phishing attack gave the red team access to the Windows network, where they discovered admin credentials that would allow them to pivot freely throughout the Windows environment.
CISA revealed this resulted in the team achieving a full domain compromise with access to tier zero assets, some of the most critical components of an organization's IT infrastructure.
From there, the team discovered a number of trust relationships with external partners and was able to use its existing access to compromise these networks.
CISA red team persisted for five months before revealing themselves
After achieving their initial objectives of compromising the organization’s domain and identifying attack paths to other networks, the red team began mimicking a broader range of less sophisticated threat actors, with the aim of attracting attention from the defenders.
Moreover, they did not clean up or delete any system logs so that the network defenders would be able to investigate all artifacts from the attack and learn how to spot and prevent similar attack chains.
The red team was able to persist on the network for five months, CISA reported, after which point they notified the organization’s SOC and began collaborating with the SOC leadership.
During this collaborative phase, the SILENTSHIELD team highlighted a series of areas where the organization needed to improve its security posture, including lessons for network defenders trying to reduce and respond to cyber risk.
The assessed organization was found to have insufficient controls in place to prevent and detect malicious activity, and failed to effectively or efficiently collect, retain, and analyze logs.
The assessment also blamed bureaucratic processes and decentralized teams for hindering the organization’s network defenders.
It noted that even after the red team disclosed the known vulnerability it had exploited to gain initial access, the organization still took two weeks to address the issue.
“After gaining access, the team promptly informed the organization’s trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch,” the report noted.
Similarly, the agency’s reliance on a known-bad detection approach, which involves watching for established malware signatures or network activity, was identified as hampering the organization’s ability to detect alternative TTPs.
The red team also found the agency has a number of overly permissive trust relationships with multiple external partners, and was able to exploit and pivot to a third party.
“This highlights the risk of blindly allowing third party network connectivity and the importance of regularly monitoring both privileged access and transitive trusted credential material,” the report explained.
Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.