During the year 2023, a red team operation was carried out by the Cybersecurity and Infrastructure Security Agency (CISA) against an organization of the Federal Civilian Executive Branch (FCEB). In the month of July 2024, an updated CSA was published by CISA detailing the outcomes of this evaluation, including significant discoveries concerning the organization’s network security.
An interesting discovery from this evaluation by SILENTSHIELD was the increased emphasis on defense-in-depth techniques. This was identified after the FCEB organization struggled to effectively respond to the network breach and lacked adequate controls to trace the staged attack.
What occurred during the SILENTSHIELD red team evaluation by CISA?
At the beginning of the previous year, the red team at CISA executed a SILENTSHIELD evaluation on an FCEB organization, replicating a cyber intrusion to uncover exploitable weaknesses. The evaluation was categorized by CISA into two stages: mimicking adversaries and collaborating.
Throughout the evaluation, the red team effectively breached the organization’s connected networks and systems by exploiting a known vulnerability in an unpatched server. Subsequently, they maneuvered horizontally within the network and gained access to classified information.
Below is a summary illustrating how the red team attained their objectives.
Accessing credentials, controlling commands, and escalating privileges
The red team attained entry by exploiting a flaw in the Solaris enclave, allowing them to procure the required credentials for accessing a privileged server account. This enabled them to advance further within the network.
Additionally, the red team employed successful phishing tactics to gain entry to the Windows operating system of the organization, enabling them to execute further cyber breach activities.
Sideways advancement and continuous presence
Following the initial breach, CISA’s red team proceeded sideways across the network of the FCEB organization by exploiting various trust relations. They managed to create hidden entryways in the network to sustain their access. Using reverse SSH tunnels, the team penetrated deeper into the organization’s systems and utilized a SOCKS proxy to progress.
Explore services for offensive security
Transitioning towards external trusted associates
The red team transitioned their staged breach towards external trustworthy partner organizations, enabling them to retrieve secured assets once again. They examined the trust relations of the organization through lightweight directory access protocol (LDAP) and successfully pinpointed relevant partnership ties, one of which granted them the necessary access to proceed with their intrusion.
Countermeasure evasion strategies
Throughout the evaluation, CISA’s red team deployed multiple strategies to evade detection using the security tools of the FCEB organization. This included impersonating legitimate software access while adjusting file access timestamps and permissions, alongside establishing hidden access points and C2 communication channels.
Approximately five months into the evaluation, CISA alerted the organization’s Security Operations Center (SOC) about the staged breach and cooperated directly with SOC leadership to address the identified concerns.
Four principal discoveries from the simulated security breach
During the collaboration phase, CISA relayed the following findings to the FCEB organization, highlighting the diverse factors that contributed to a successful breakdown of their systems:
1. Inadequate controls for averting and identifying malicious network actions
CISA realized that the perimeter network of the FCEB organization lacked proper firewalls and failed to implement network segmentation to effectively isolate the breach. This permitted easy movement in and out of the Solaris and Windows network areas, leading to crucial data breaches, which included internal servers gaining access to almost all other domain hosts.
The organization also exhibited poorly configured network address translation (NAT) protocols, which masked data streams and hindered efficient incident response.
2. Inability to appropriately gather, retain, and analyze network logs
Upon further examination, the SOC of the FCEB organization lacked crucial information necessary to detect the presence of the red team in their network due to issues in obtaining, storing, and processing network system logs.
In certain instances, critical data was captured but not adequately analyzed as it was moved to inactive storage. While the organization’s network defenders managed to identify certain network irregularities when seeking new forensic data, the impacted servers could not be taken offline for comprehensive review as it would have impacted critical operational segments of the organization.
3. Insufficient internal communication among network defenders due to a decentralized formation
An additional hurdle faced by the FCEB organization was the dispersion of their technical personnel across decentralized teams. This led to ineffective communication and coordination during the management of security challenges.
The SOC team struggled to promptly update or deploy countermeasures with fragmented IT groups and ambiguous lines of responsibility.
4. Detection failure of breaches with new threat actors
While the FCEB organization managed to recognize known threats, they were unprepared to confront novel tactics, techniques, and procedures (TTPs) employed by the red team.
Employing an array of contemporary breach tactics, the red team successfully bypassed detection and utilized a new threat actor to completely bypass all system countermeasures.
What risk mitigation strategies does CISA recommend for businesses based on this evaluation?
Derived from the findings of this recent threat assessment by CISA, it’s evident that organizations should ensure the adoption of a comprehensive defense-in-depth approach within their cybersecurity endeavors. This involves:
-
Implementing defense-in-depth principles: All corporations should embrace a more comprehensive approach towards cybersecurity, incorporating firewalls, intrusion detection and prevention systems, and utilizing antivirus and antimalware solutions.
-
Enforcing robust network segmentation: Network segmentation stands as a verified measure to assist organizations in containing ongoing breaches while significantly impeding an attacker’s ability to move sideways across interconnected networks and systems.
-
Establishing benchmarks for network traffic, application execution, and account authentication: IT administrators need to proactively anticipate malevolent activities on their corporate networks. Establishing current patterns of network traffic facilitates the easier identification of anomalies that may indicate malevolent activities. It provides response teams with the alertness needed to address threats before they escalate.
Ensure your business is primed for a cyber intrusion
The recent SILENTSHIELD evaluation by CISA exemplifies how proactive preparation can substantially benefit IT teams in ensuring their security measures are fortified and capable of countering modern cyber risks.
Business solutions like IBM X-Force Cyber Range can assist organizations in better equipping their defenses by delivering immersive simulations tailored to guide security teams in responding and recovering from significant cyber-related incidents. This aids businesses in accurately assessing their security stance while providing the tactics and tools required to fortify their organization’s security.